Certification Exclusion Rule

We are looking at using the Manager Certification instead of a Targeted Certification for Annual Certifications for ERP access. We have a bunch of Entitlements and Roles that we wish to exclude from the Annual Certifications. The Manager Certification expects a Rule for this instead of manually specifying all the exclusions like you do in a targeted certification. Does anyone have an example of a Certification Exclusion Rule or can you point me to an example?

Thanks!

Hi @mer21

Please see this document for an example and further information: https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ-7-0-7-2/ta-p/78176

From the docs referenced by Paul:

import sailpoint.object.Identity;

// Rule context variables supplied by IdentityIQ: entity, items, itemsToExclude, log
log.trace("Entering Exclusion Rule.");
String explanation = "";
Identity currentUser = (Identity) entity;
if (currentUser.isInactive()) {
    log.trace("Inactive User: " + currentUser.getDisplayName());
    log.trace("Do not certify.");
    // Move every certifiable item for this identity onto the exclusion list
    itemsToExclude.addAll(items);
    items.clear();
    explanation = "Not certifying inactive users";
} else if ("Contractor".equals(currentUser.getAttribute("status"))) {
    // Constant-first equals() avoids a NullPointerException when 'status' is unset
    log.trace("Identity is Contractor: " + currentUser.getDisplayName());
    log.trace("Do not certify.");
    itemsToExclude.addAll(items);
    items.clear();
    explanation = "Not certifying contractors";
} else {
    log.trace("Active Employee: " + currentUser.getDisplayName());
    log.trace("Do certify.");
}
return explanation;

So for each Identity (for a manager cert type, the ‘entity’ object contains an ID), you want to look at two lists:

  • items - all certifiable items (Certifiable object type) that are included in this cert for this Identity
  • itemsToExclude - a list of items that you do NOT want included.

Iterate the initial ‘items’ list and, if you see one of our entitlements/roles that you don’t want to appear, add it to the ‘itemsToExclude’ list and remove it from the ‘items’ list. The return value of ‘explanation’ is

An optional explanation describing why the entity’s items were excluded; this is shown on the Exclusions list for each item excluded from the certification; if rule excludes items for different entities for different reasons, this can identify the applicable exclusion conditions when the exclusion list is examined

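The snippet above excludes whole identities; the original question was about excluding particular roles and entitlements while still certifying everything else the user holds. The following BeanShell rule body is an added example written for this thread, not code from the original post or from SailPoint's documentation. It assumes the standard exclusion-rule context variables (entity, items, itemsToExclude, log), that roles arrive as sailpoint.object.Bundle and account entitlements as sailpoint.object.EntitlementGroup (with getApplicationName() and getAttributes() on the latter), and the role names, application name and entitlement values are placeholders to replace with your own.

```java
// Added example: per-item Certification Exclusion Rule for a Manager Certification.
// Assumptions: IdentityIQ supplies entity, items, itemsToExclude and log; roles are
// Bundle objects and account entitlements are EntitlementGroup objects. The names
// and values below are placeholders, not real role or entitlement identifiers.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Identity;

// Placeholder roles and ERP entitlement values to keep out of the annual certification.
Set excludedRoles = new HashSet(Arrays.asList(new String[] { "ERP Basic User", "ERP Self Service" }));
String erpApp = "ERP";
Set excludedErpValues = new HashSet(Arrays.asList(new String[] { "PUBLIC", "ESS_USER" }));

// Returns true only when every value in the group's attribute map is on the exclusion list.
// An EntitlementGroup is one certifiable unit, so excluding it when only some of its
// values match would also drop values you still want certified.
boolean allValuesExcluded(Map attrs, Set excluded) {
    if (attrs == null || attrs.isEmpty()) {
        return false;
    }
    for (Iterator vi = attrs.values().iterator(); vi.hasNext();) {
        Object value = vi.next();
        List values = (value instanceof List) ? (List) value : Arrays.asList(new Object[] { value });
        for (Iterator li = values.iterator(); li.hasNext();) {
            if (!excluded.contains(String.valueOf(li.next()))) {
                return false;
            }
        }
    }
    return true;
}

Identity currentUser = (Identity) entity;
int excludedCount = 0;

// Walk a copy so we can remove from 'items' while iterating.
List snapshot = new ArrayList(items);
for (Iterator it = snapshot.iterator(); it.hasNext();) {
    Certifiable item = (Certifiable) it.next();
    boolean exclude = false;
    if (item instanceof Bundle) {
        exclude = excludedRoles.contains(((Bundle) item).getName());
    } else if (item instanceof EntitlementGroup) {
        EntitlementGroup group = (EntitlementGroup) item;
        if (erpApp.equals(group.getApplicationName())) {
            exclude = allValuesExcluded(group.getAttributes(), excludedErpValues);
            if (!exclude) {
                log.debug("ERP group for " + currentUser.getName()
                    + " mixes excluded and non-excluded values; leaving it in the cert");
            }
        }
    }
    // Any other Certifiable type (e.g. policy violations) is left in the cert untouched.
    if (exclude) {
        itemsToExclude.add(item);
        items.remove(item);
        excludedCount++;
    }
}

String explanation = "";
if (excludedCount > 0) {
    explanation = "Excluded " + excludedCount + " ERP role/entitlement item(s) out of scope for the annual certification";
    log.debug(explanation + " for " + currentUser.getName());
}
return explanation;
```

The rule only moves an item between the two lists; it never creates new certifiable items, so the counts before and after must add up (items plus itemsToExclude equals the original list). When testing in QA, compare the Exclusions list on the generated certification against the placeholder names above, and check the log for the "mixes excluded and non-excluded values" message, which is the case where a blanket exclusion would have removed more than intended.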

Thank you @paul_wheeler and @adam_creaney for your responses. We currently have the exclusion rule working successfully in our QA environment.
