Certification Exclusion Rule

Explanation of the Certification Exclusion Rule Code

Introduction

The XML below defines a certification exclusion rule in SailPoint IdentityIQ, the identity and access management platform. An exclusion rule runs while a certification is being generated and lets you move certifiable items out of the set a reviewer will see. The rule's Description text (kept from the stock example) talks about excluding everything for an inactive identity, but the source code as written does something narrower: it removes a single role, matched by name, from an identity certification.

Code Structure

  1. Rule Element

   <Rule language="beanshell" name="Rule-Exclusion" type="CertificationExclusion">

  • The language attribute specifies the scripting language used (beanshell in this case).
  • The name attribute assigns a name to the rule (Rule-Exclusion).
  • The type attribute indicates the type of rule (CertificationExclusion).
  2. Rule Description

This rule is an example Certification Exclusion rule that removes all of the certifiable items from a certification if the identity being certified is marked as inactive.

This description is the one shipped with the stock example. The code below does not inspect the identity's inactive flag at all; it excludes one role by name. Keep the Description element in step with what the rule actually does, since it is what an administrator reading the rule list will rely on.

  3. Rule Inputs

The code references three of the inputs IdentityIQ passes to a CertificationExclusion rule: entity (the object being certified, an Identity for identity certifications), items (the list of Certifiable objects that would otherwise be presented to the reviewer) and itemsToExclude (the list to which excluded items are moved). The rule's return value is a String explaining the exclusions.

  4. Source Code
   import java.util.Iterator;
   import java.util.List;
   import sailpoint.object.Bundle;
   import sailpoint.object.Certifiable;
   import sailpoint.object.Identity;
   import org.apache.log4j.Logger;

   // Placeholder: replace with the name of the role that must not be certified.
   String roleToExclude = "ROLE NAME TO EXCLUDE";

   Logger log = Logger.getLogger("project.iiq.development");

   log.debug("--------------------Step Start certification exclude-------------------------");

   // Collects the reason for every exclusion; returned to IdentityIQ as the rule result.
   StringBuilder explanation = new StringBuilder();

   // Only identity certifications are handled; any other entity type passes through untouched.
   if (entity instanceof Identity) {
       Identity identity = (Identity) entity;   // not used further in this example

       // Walk the list with an explicit Iterator so entries can be removed safely mid-loop.
       Iterator it = items.iterator();
       while (it.hasNext()) {
           Certifiable certifiable = (Certifiable) it.next();
           if (certifiable instanceof Bundle) {
               Bundle bundle = (Bundle) certifiable;
               if (roleToExclude.equals(bundle.getName())) {
                   // Move the role out of the reviewable items and into the excluded list.
                   itemsToExclude.add(bundle);
                   it.remove();
                   explanation.append("Exclude \"")
                              .append(bundle.getName())
                              .append("\" from certification. Role name is \"")
                              .append(roleToExclude)
                              .append("\".\n");
               }
           }
       }
   }
   log.debug("Explanation: " + explanation.toString());

   log.debug("--------------------Step End certification exclude--------------------------");

   // The explanation is the rule's result and must be returned, not only logged.
   return explanation.toString();

Code description

  • Imports the necessary classes.
  • Initializes a logger to record actions.
  • Begins logging the operation.
  • Creates a StringBuilder for collecting the exclusion explanation.
  • Checks that the entity being certified is an Identity; other entity types are left untouched.
  • Iterates through the certifiable items (items) with an explicit Iterator, so entries can be removed during the walk without a ConcurrentModificationException.
  • Checks whether the item is a Bundle (role) whose name matches the configured role name.
  • If so, moves the item from items to itemsToExclude and appends the reason to the explanation.
  • Logs the generated explanation.
  • Ends logging the operation and returns the explanation string as the rule result.
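The post's Description promises one behaviour (exclude everything for an inactive identity) while its code implements another (exclude one role by name). The following BeanShell rule body is an added example, not code from the post or from SailPoint, that does both: it reads the same rule inputs the post uses (entity, items, itemsToExclude), relies on Identity.isInactive() and Identity.getName() from the SailPoint object model, and takes its role names from a hard-coded placeholder set that a real deployment would replace with a Custom object or rule configuration.

```beanshell
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.Identity;

// Assumption (placeholder): roles that are never presented for review.
// Keep this list small and under change control; an excluded item is invisible to the reviewer.
Set excludedRoles = new HashSet();
excludedRoles.add("ROLE NAME TO EXCLUDE");
excludedRoles.add("Another Role To Exclude");

StringBuilder explanation = new StringBuilder();

// Only identity certifications are handled; other entity types pass through untouched.
if (entity instanceof Identity) {
    Identity identity = (Identity) entity;

    if (identity.isInactive()) {
        // Inactive identity: nothing should reach a reviewer, so move every item.
        int moved = 0;
        Iterator all = items.iterator();
        while (all.hasNext()) {
            Certifiable c = (Certifiable) all.next();
            itemsToExclude.add(c);
            all.remove();
            moved++;
        }
        explanation.append("Identity \"").append(identity.getName())
                   .append("\" is inactive; excluded all ").append(moved)
                   .append(" item(s).\n");
        return explanation.toString();
    }

    // Active identity: exclude only the roles on the configured list.
    Iterator it = items.iterator();
    while (it.hasNext()) {
        Certifiable c = (Certifiable) it.next();
        if (c instanceof Bundle) {
            Bundle bundle = (Bundle) c;
            if (excludedRoles.contains(bundle.getName())) {
                itemsToExclude.add(bundle);
                it.remove();
                explanation.append("Excluded role \"").append(bundle.getName())
                           .append("\" for identity \"").append(identity.getName())
                           .append("\".\n");
            }
        }
    }
}

// Returned to IdentityIQ as the rule result; an empty string means nothing was excluded.
return explanation.toString();
```

Two design points worth keeping even if the criteria change: the explanation names the identity as well as the item, so the record of what was skipped is self-contained, and the rule returns early for the inactive case so the two branches cannot both run and double-count.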

Summary

This rule automates the exclusion of a specific role, matched by name, from identity certifications. Because an excluded item is never shown to a reviewer, the exclusion criteria should be as narrow as possible, kept under change control, and the returned explanation retained so auditors can see what was skipped and why. Written in BeanShell against the SailPoint object model, the rule is straightforward to adapt to an organization's own criteria.

Regards,
Adam
