Version 8.3
It is not possible to view in the certifications page a certification automatically triggered, created and launched with a mover event. Why is that?
I know this certification is being created since when I looked for certifications in the debug’s object browser it is possible to view that the certification was created and is active.
It’s hard to say about details - it would be good if you could add the following
Do you have scoping enabled?
Sry for the delayed response.
Here are the details requested:
Certification Definition xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CertificationDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<CertificationDefinition id="#0000000000000000000000000000001" name="CertificationDefinition-MoversEvent">
<Attributes>
<Map>
<entry key="activePeriodDurationAmount" value="30"/>
<entry key="activePeriodDurationScale" value="Day"/>
<entry key="allowCertificationEntityBulkAccountRevocation" value="false"/>
<entry key="allowCertificationEntityBulkApprove" value="true"/>
<entry key="allowCertificationEntityBulkClearDecisions" value="true"/>
<entry key="allowCertificationEntityBulkRevocation" value="true"/>
<entry key="allowEntityBulkApprove" value="true"/>
<entry key="allowListViewBulkAccountRevoke" value="false"/>
<entry key="allowListViewBulkApprove" value="true"/>
<entry key="allowListViewBulkClearDecisions" value="true"/>
<entry key="allowListViewBulkMitigate" value="false"/>
<entry key="allowListViewBulkReassign" value="true"/>
<entry key="allowListViewBulkRevoke" value="true"/>
<entry key="allowProvisioningMissingRequirements" value="false"/>
<entry key="allowSelfCertification" value="CertificationAdministrator"/>
<entry key="assimilateBulkReassignments" value="false"/>
<entry key="autoSignOffWhenNothingToCertify" value="true"/>
<entry key="automateSignOffOnReassignment" value="true"/>
<entry key="automateSignoffPopup" value="true"/>
<entry key="automaticClosingAction">
<value>
<CertificationStatus>Remediated</CertificationStatus>
</value>
</entry>
<entry key="automaticClosingComments"/>
<entry key="automaticClosingDurationAmount" value="7"/>
<entry key="automaticClosingDurationScale" value="Day"/>
<entry key="automaticClosingEnabled" value="false"/>
<entry key="automaticClosingRuleName"/>
<entry key="automaticClosingSigner" value="name"/>
<entry key="bulkReassignmentEmailTemplate" value="EmailTemplate-FrameworkAccessReviewBulkReassignment"/>
<entry key="certOwner" value="notTheCertOwner"/>
<entry key="certification.remindersAndEscalations"/>
<entry key="certificationActivePhaseEnterRule" value="Rule-CertificationPhaseChange-ActiveMovers"/>
<entry key="certificationActivePhaseExitRule" value="Rule-CertificationPhaseChange-EndMovers"/>
<entry key="certificationAutoApprove" value="false"/>
<entry key="certificationChallengePhaseEnterRule"/>
<entry key="certificationDecisionChallengedEmailTemplate"/>
<entry key="certificationDelegationReview" value="false"/>
<entry key="certificationDisableDelegationForwarding" value="true"/>
<entry key="certificationEmailTemplate" value="EmailTemplate-AccessReview-StartMovers"/>
<entry key="certificationEntityDelegationEnabled" value="true"/>
<entry key="certificationFinishPhaseEnterRule"/>
<entry key="certificationIncludeClassifications" value="false"/>
<entry key="certificationItemDelegationEnabled" value="false"/>
<entry key="certificationLimitReassignments" value="true"/>
<entry key="certificationMitigationDeprovisionEnabled" value="false"/>
<entry key="certificationMitigationEnabled" value="false"/>
<entry key="certificationMitigationPopupEnabled" value="false"/>
<entry key="certificationNameTemplate" value="Certification-Identity-Movers"/>
<entry key="certificationReassignmentLimit" value="4"/>
<entry key="certificationRemediationPhaseEnterRule"/>
<entry key="certificationRequired.remindersAndEscalations">
<value>
<NotificationConfig>
<Configs>
<ReminderConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewReminder" millis="1209600000" once="true"/>
<EscalationConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewDelinquent" millis="604800000"/>
</Configs>
</NotificationConfig>
</value>
</entry>
<entry key="certificationRequiredDurationScale" value="Hour"/>
<entry key="certificationShowRecommendations" value="false"/>
<entry key="certificationSignOffApprovalEmailTemplate"/>
<entry key="certificationSignatureType"/>
<entry key="certificationType" value="Identity"/>
<entry key="certifiedDurationScale" value="Hour"/>
<entry key="certifier" value="notTheCertifier"/>
<entry key="certifierOwnerAccount" value="ApplicationOwner"/>
<entry key="certifierOwnerEntitlement" value="ApplicationOwner"/>
<entry key="certifierOwnerRole" value="RoleOwner"/>
<entry key="certifierType" value="Manual"/>
<entry key="certifyAccounts" value="false"/>
<entry key="certifyEmptyAccounts" value="false"/>
<entry key="challengeAcceptedEmailTemplate"/>
<entry key="challengeDecisionExpirationEmailTemplate"/>
<entry key="challengeExpirationEmailTemplate"/>
<entry key="challengeGenerationEmailTemplate"/>
<entry key="challengePeriodDurationAmount" value="1"/>
<entry key="challengePeriodDurationScale" value="Week"/>
<entry key="challengePeriodEnabled" value="false"/>
<entry key="challengePeriodEndEmailTemplate"/>
<entry key="challengePeriodStartEmailTemplate"/>
<entry key="challengeRejectedEmailTemplate"/>
<entry key="completeCertificationHierarchyEnabled" value="false"/>
<entry key="continuous" value="false"/>
<entry key="electronicSignatureRequired" value="false"/>
<entry key="enableAccountRevokeAction" value="false"/>
<entry key="enableApproveAccountAction">
<value>
<Boolean/>
</value>
</entry>
<entry key="enableEntitlementAssignments" value="false"/>
<entry key="entitlementGranularity" value="Value"/>
<entry key="excludeBaseAppAccounts" value="false"/>
<entry key="excludeInactive" value="false"/>
<entry key="exclusionRuleName"/>
<entry key="filterLogicalEntitlements">
<value>
<Boolean/>
</value>
</entry>
<entry key="flattenManagerCertificationHierarchy" value="false"/>
<entry key="includeAdditionalEntitlements" value="true"/>
<entry key="includeCapabilities" value="false"/>
<entry key="includePolicyViolations" value="false"/>
<entry key="includeRoleHierarchy" value="false"/>
<entry key="includeRoles" value="false"/>
<entry key="includeScopes" value="false"/>
<entry key="includeTargetPermissions" value="false"/>
<entry key="includedApplications" value="%%Apps%%"/>
<entry key="mitigationDurationAmount" value="1"/>
<entry key="mitigationDurationScale" value="Month"/>
<entry key="mitigationExpirationEmailTemplate"/>
<entry key="nameTemplate" value="Template name [${fullDate}]"/>
<entry key="notifyRemediation">
<value>
<Boolean/>
</value>
</entry>
<entry key="overdue.remindersAndEscalations">
<value>
<NotificationConfig>
<Configs>
<ReminderConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewReminder" millis="1209600000" once="true"/>
<EscalationConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewDelinquent" millis="604800000"/>
</Configs>
</NotificationConfig>
</value>
</entry>
<entry key="owners" value="notTheOwner"/>
<entry key="preDelegationRuleName" value="Rule-CertificationPreDelegation-Movers"/>
<entry key="processRevokesImmediately" value="false"/>
<entry key="remediation.remindersAndEscalations">
<value>
<NotificationConfig enabled="true">
<Configs>
<ReminderConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewReminder" millis="86400000" once="true"/>
<EscalationConfig before="true" emailTemplateName="EmailTemplate-FrameworkAccessReviewDelinquent" escalationRuleName="Rule-FrameworkInactiveWorkItemEscalation" maxReminders="5" millis="604800000"/>
</Configs>
</NotificationConfig>
</value>
</entry>
<entry key="remediationPeriodDurationAmount" value="10"/>
<entry key="remediationPeriodDurationScale" value="Day"/>
<entry key="remediationPeriodEnabled" value="false"/>
<entry key="requireApprovalComments" value="false"/>
<entry key="requireBulkCertifyConfirmation">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="requireMitigationComments" value="false"/>
<entry key="requireReassignmentCompletion" value="false"/>
<entry key="requireRemediationComments" value="true"/>
<entry key="saveExclusions" value="false"/>
<entry key="sendPreDelegationCompleteEmails" value="false"/>
<entry key="shortNameTemplate"/>
<entry key="signOffApproverRuleName"/>
<entry key="stagingEnabled" value="false"/>
<entry key="subordinateCertificationEnabled" value="true"/>
<entry key="suppressEmailWhenNothingToCertify" value="true"/>
<entry key="suppressInitialNotification" value="false"/>
<entry key="triggerId" value="0a00020f7cbc1f9b817cbda3a5700297"/>
</Map>
</Attributes>
<Owner>
<Reference class="sailpoint.object.Identity" name="notTheName"/>
</Owner>
</CertificationDefinition>
Identity Trigger xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Rule-IdentityTrigger-Mover" type="IdentityTrigger">
<Description>This rule detects when a User is considered a Mover.</Description>
<Signature returnType="boolean">
<Inputs>
<Argument name="log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="previousIdentity">
<Description>
The identity before the refresh/aggregation (this will be null when an identity is created).
</Description>
</Argument>
<Argument name="newIdentity">
<Description>
The identity after the refresh/aggregation (this will be null when an identity is deleted).
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="result">
<Description>
A boolean describing the result of the rule.
</Description>
</Argument>
</Returns>
</Signature>
<Source><![CDATA[
import java.util.Map;
import java.util.HashMap;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchResult;
import javax.naming.NamingEnumeration;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import custom.utils.LDAPUtils;
private boolean verifyDomain(String name, Identity newIdentity, Identity previousIdentity) {
///verifying domains
}
private boolean verifyextMover(String name, Identity newIdentity, Identity previousIdentity) {
///verifying if it is mover and returning new values, according to changes
}
// By default there is no change, i.e. no Mover event
if(newIdentity != null && previousIdentity != null) {
String name = newIdentity.getName();
if(!newIdentity.isInactive()) {
// Verify if identity is ext or int
String type = newIdentity.getAttribute("type");
// If value is null or empty, do nothing
if(type == null || type.isEmpty()) {
return false;
}
Boolean isGenericMover = verifyDomain(name, newIdentity, previousIdentity);
if(type.equals("ext")) {
if(isGenericMover) {
return verifyextMover(name, newIdentity, previousIdentity);
} else {
return false;
}
} else if(type.equals("int")) {
return isGenericMover;
} else {
return false;
}
}
} else {
return false;
}
return false;
]]></Source>
</Rule>
Snapshot of the mover event creating the certification:
