Certification Exclusion Rule

mer21 · February 3, 2022, 4:40pm

We are looking at using the Manager Certification instead of a Targeted Certification for Annual Certifications for ERP access. We have a bunch of Entitlements and Roles that we wish to exclude from the Annual Certifications. The Manager Certification expects a Rule for this instead of manually specifying all the exclusions like you do in a targeted certification. Does anyone have an example of a Certification Exclusion Rule or can you point me to an example?

Thanks!

paul_wheeler · February 3, 2022, 7:50pm

Hi @mer21

Please see this document for an example and further information: https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ-7-0-7-2/ta-p/78176

adam_creaney · February 4, 2022, 7:40pm

From the docs refrenced by Paul:

import sailpoint.object.Identity;

log.trace("Entering Exclusion Rule.");
String explanation = "";
Identity currentUser = (Identity) entity;
if ( currentUser.isInactive()) {
    log.trace("Inactive User: " + currentUser.getDisplayName()); log.trace("Do not certify.");
    itemsToExclude.addAll(items);
    items.clear();
    explanation = "Not certifying inactive users";
} else if (currentUser.getAttribute("status").equals("Contractor")) { 
    log.trace("Identity is Contractor: " + currentUser.getDisplayName()); log.trace("Do not certify.");
itemsToExclude.addAll(items);
     items.clear();
     explanation = "Not certifying contractors";
} else {
      log.trace("Active Employee: " + currentUser.getDisplayName()); log.trace("Do certify.");
}
return explanation;

So for each Identity (which for a manager cert type the ‘entity’ object contains an ID), you want to look at two lists:

items (contains all certifiable items (Certifiable object type)) that are included in this cert for this Identity
itemsToExclude - a list of items that you do NOT want included.

Iterate the initial ‘list’ and if you see one of our entitlements/roles taht you dont’ want to appear, add them to the ‘itemsToExclude’ list, and remove from the ‘items’ list. The return value of ‘explanation’ is

An optional explanation describing why the entity’s items were excluded; this is shown on the Exclusions list for each item excluded from the certification; if rule excludes items for different entities for different reasons, this can identify the applicable exclusion conditions when the exclusion list is examined

mer21 · February 17, 2022, 1:56pm

Thank you @paul_wheeler and @adam_creaney for your responses. We currently have the exclusion rule working successfully in our QA environment.

Topic		Replies	Views
Manager Certification With an Exclusion Rule IIQ Discussion and Questions rules , identity-security-cloud , identityiq	5	903	June 22, 2023
Exclustion Rule for Certification Event Process IIQ Discussion and Questions rules , identityiq , certifications	5	510	November 19, 2023
Certification Exclusion Rule IIQ Community Knowledge Base rules , identityiq , certifications	0	401	June 25, 2024
Exclusion rule to remove IT roles mapped to business roles for certification review IIQ Discussion and Questions identityiq , certifications	17	190	September 3, 2024
Manager Certification - Detected Roles and Assigned Roles IIQ Discussion and Questions identityiq	7	51	November 8, 2024

Certification Exclusion Rule

Related topics