Create logiplex application based on Active Directory group extension Attribute

Hello Sailors,

We are using the LogiPlex connector in adapter mode for Active Directory to create sub-applications via a split rule. We have a requirement to create applications based on the extensionAttribute that is aggregated during group aggregation. I have some questions:

  1. How can we create applications based on the group extensionAttribute?
  2. If we create the application, do the users who have that particular AD group show under the new sub-application that will be created?

Thanks

Hi @sboinaverisign,

This has been done before by customers. The trick here is to ensure that groups are aggregated first. In the split rule you can already apply the logic to the groups using the extensionAttribute.

  1. For accounts, in your split rule, you need to look up the ManagedAttribute object matching the main application or any of the applications that have the main application as their proxy, and matching the attribute name and value. Then, you can get the application from that ManagedAttribute.
List filters = new ArrayList();
// The ManagedAttribute may belong to the main app or to any sub-app whose proxy is the main app
filters.add(
  Filter.or(
    Filter.eq("application.name", "MyMainApp"),
    Filter.eq("application.proxy.name", "MyMainApp")
  )
);
// Same object type and the same native identity (group DN) as the object being split
filters.add(Filter.eq("type", object.getObjectType()));
filters.add(Filter.eq("value", object.getIdentity()));
// Combine all conditions into a single filter for the query
Filter f = Filter.and(filters);
  2. Yes, if you do it as described above, it should work. The order of aggregation is important - groups first, then accounts.

Menno

Hello @menno_pieters ,

I have updated the logic to the one below. Can you please let me know if you see any issues?

  import java.util.ArrayList;
  import java.util.HashMap;
  import java.util.List;
  import java.util.Map;
  import java.util.Set;
  import sailpoint.tools.Util;
  import sailpoint.object.ResourceObject;
  import sailpoint.object.Filter;
  import sailpoint.object.ManagedAttribute;

  // Derive the target application name from the group's extension attribute value.
  // Falls back to the aggregating (main) application when the attribute is empty.
  public String resolveApplication(String extAttr) {
    log.debug("entering resolve application ======");
    if (Util.isNotNullOrEmpty(extAttr)) {
      return extAttr.trim().toUpperCase();
    }
    log.debug("appName=====>>" + application.getName());
    return application.getName();
  }

  String applicationName = application.getName();
  Map map = new HashMap();
  if ("account".equals(object.getObjectType())) {
    List groups = object.getStringList("memberOf");
    if (groups != null && !groups.isEmpty()) {
      Map groupMap = new HashMap();
      // Always keep a bucket for the main application, even if it ends up with no groups
      groupMap = util.updateListMap(groupMap, applicationName, null);
      for (String group : groups) {
        log.debug("group===>>>" + group);
        // Look up the already-aggregated group by its value (DN)
        Filter f1 = Filter.eq("value", group);
        ManagedAttribute ma = context.getUniqueObject(ManagedAttribute.class, f1);
        if (ma != null) {
          // getAttribute() returns Object, so cast to String
          String extAttr = (String) ma.getAttribute("msExchExtensionAttribute24");
          // resolveApplication() already handles a null/empty value, so one branch is enough
          String appName = resolveApplication(extAttr);
          log.debug("appName: " + appName);
          if (Util.isNotNullOrEmpty(appName)) {
            groupMap = util.updateListMap(groupMap, appName, group);
          }
        } else {
          // No ManagedAttribute found: keep the membership on the main application
          // rather than silently dropping it
          groupMap = util.updateListMap(groupMap, applicationName, group);
        }
      }
      Set keys = groupMap.keySet();
      if (!keys.isEmpty()) {
        for (String key : keys) {
          List appGroups = (List) groupMap.get(key);
          // One copy of the account per target application, carrying only that app's groups
          ResourceObject cloneObject = object.deepCopy(context);
          if (!Util.isEmpty(appGroups)) {
            cloneObject.put("memberOf", appGroups);
          } else {
            cloneObject.remove("memberOf");
          }
          map.put(key, cloneObject);
        }
      } else {
        map.put(applicationName, object);
      }
    } else {
      map.put(applicationName, object);
    }
  } else if ("group".equals(object.getObjectType())) {
    // Groups: route by the extension attribute on the group itself
    String extAttr = object.getStringAttribute("msExchExtensionAttribute24");
    map.put(resolveApplication(extAttr), object);
  } else {
    map.put(applicationName, object);
  }
  // The split rule returns a map of application name -> ResourceObject
  return map;

Thanks,
Shiva

This will only work if the group name can exist in only one application. Otherwise, as I mentioned, you should add the application name filters and perhaps the object type filters. If there is no unique object, the method will otherwise not return the desired value.

@menno_pieters,

In my case, since I'm using adapter mode, MyMainApp in the logic you sent is Active Directory. But I didn't understand what that filters list will return.
Can you please help me update the logic which i sent?

See my first response. What you need to look for is a ManagedAttribute object that belongs to the main app or a sub-app (main app is proxy), a matching object type and the name.

There should only be one value, but instead of using getUniqueObject(...), you could also use search(...) and a limit on the number of results.

According to the documentation for getUniqueObject:

Retrieve an object matching a Filter. If more than one object matches the filter null is returned.

If you create a QueryOptions object, you can use the method setResultLimit(1) to set the maximum number of results to one. If you also use a projection search, meaning you specify the attribute that you need (application.name) the search will be a little more efficient and you always get a result. By setting a sort order (name, creation date, etc.), you can also force the results to be returned in the same order.

Use Util.flushIterator(...) to ensure the database iterator is exhausted.
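
The following is an added example, not code from the thread, that puts the lookup described in the two replies above into a BeanShell/Java helper for the LogiPlex split rule: filter the ManagedAttribute by the main application or any sub-application whose proxy is the main application, plus object type and value; run the query through a QueryOptions with setResultLimit(1), a projection on application.name and a fixed ordering; and flush the iterator afterwards. It assumes the split-rule variables context, object and application are in scope, that the group schema object type is "group", and that "Active Directory" is the main application name; those names are assumptions, not taken from the thread.

```java
// Added example for the LogiPlex split rule (not from the thread).
// Assumed in scope: context (SailPointContext), object (ResourceObject), application (Application).
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Return the name of the application (main app or sub-app) that owns the group
// with the given object type and value, or null if no such ManagedAttribute exists.
public String findOwningApplication(SailPointContext ctx, String mainAppName,
                                    String objectType, String value) {
  List filters = new ArrayList();
  // The main app itself, or any sub-app whose proxy is the main app
  filters.add(Filter.or(
      Filter.eq("application.name", mainAppName),
      Filter.eq("application.proxy.name", mainAppName)));
  filters.add(Filter.eq("type", objectType));
  filters.add(Filter.eq("value", value));

  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.and(filters));
  qo.setResultLimit(1);                     // never more than one row
  qo.addOrdering("application.name", true); // deterministic if duplicates exist

  List props = new ArrayList();
  props.add("application.name");            // projection: only the column we need

  String owner = null;
  Iterator it = ctx.search(ManagedAttribute.class, qo, props);
  try {
    if (it.hasNext()) {
      Object[] row = (Object[]) it.next();
      owner = (String) row[0];
    }
  } finally {
    Util.flushIterator(it);                 // exhaust the cursor even when we stop early
  }
  return owner;
}

// Bucket an account's memberOf values by the application that owns each group.
// Groups with no matching ManagedAttribute (e.g. not yet aggregated) stay on the main app.
public Map groupsByApplication(SailPointContext ctx, String mainAppName,
                               String groupType, List memberOf) {
  Map result = new HashMap();
  if (memberOf == null) {
    return result;
  }
  for (String dn : memberOf) {
    String owner = findOwningApplication(ctx, mainAppName, groupType, dn);
    if (owner == null) {
      owner = mainAppName;
    }
    List l = (List) result.get(owner);
    if (l == null) {
      l = new ArrayList();
      result.put(owner, l);
    }
    l.add(dn);
  }
  return result;
}

// Usage inside the account branch of the split rule ("group" is the assumed group schema name)
Map buckets = groupsByApplication(context, application.getName(), "group",
                                  object.getStringList("memberOf"));
// buckets: application name -> list of group DNs to place on that application's copy of the account
```

Because the result limit is one, the iterator holds at most a single row, but it is still flushed in a finally block so the cursor is released even if reading the row throws. The ordering is only there to make the answer stable if two ManagedAttributes ever match; the fix for that situation is to make the filter unique, not to rely on the sort.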

Hi @menno_pieters,

We are using the AD-LogiPlex connector in classic mode in production. For the last couple of years it has been working as expected, and we have incrementally onboarded AD group based applications using this framework.
We have recently started facing an issue wherein LogiPlex account aggregation fails with the error "LDAP Connection has been closed" after processing a particular number of accounts, let's say around 1212 accounts.

Here is link to my community post: AD-LogiPlex Connector Aggregation Issue - LDAP Connection has been closed

Please share any pointers.

Thanks,
Pallavi