Problem
Organizations often need to generate reports on account-level attributes (like CN, given name, groups, etc.) for identities across specific applications. SailPoint IdentityIQ’s default reports may not meet all customization requirements, especially when filtering accounts by application or displaying specific attribute fields. There is a need for a tailored reporting solution that provides these capabilities dynamically.
Diagnosis
This can be achieved by creating a custom LiveReport in SailPoint IdentityIQ using HQL (Hibernate Query Language) to query the Link object, which represents external accounts associated with identities. By configuring the LiveReport to accept application input and define specific attribute fields, you can generate a flexible and targeted report.
The XML snippet below defines a custom report named “Account Attributes Report”. It:
• Accepts one or more applications as input.
• Queries the Link objects associated with those applications.
• Displays selected attributes like CN, given name, surname, DN, and groups in the report output.
Solution
You can implement this by adding the following XML configuration to your SailPoint IIQ environment (e.g., via the Debug pages.)
Application Account Attributes Report.xml (2.0 KB)
This XML configuration defines a custom SailPoint report called “Account Attributes Report”. It’s a LiveReport, meaning it dynamically fetches data from the IIQ data model when the report is run. Here’s a breakdown of how it works:
Purpose of the Report
This Live Report is designed to extract account (Link) information for selected applications in SailPoint. It shows user account attributes like CN, Given Name, SN, DN, and Groups stored within the Link object.
Breakdown of the XML
1. Report Type and Basics
- executor=“sailpoint.reporting.LiveReportExecutor” – This tells SailPoint to run this as a Live Report.
- name=“Account Attributes Report” – Report name shown in the UI.
- progressMode=“Percentage” – Displays progress in percentage during execution.
- resultAction=“Rename” – Renames old report if it already exists.
- template=“true” – Indicates this is a reusable report template.
- type=“LiveReport” – Type of report.
2. Report Logic (Data Source)
from Link l where l.application.id in (:application)What This Does:
- objectType=“sailpoint.object.Link” – We are reporting on user accounts (Link objects).
- type=“Hql” – Uses Hibernate Query Language (HQL).
- where l.application.id in (:application) – Only include accounts from selected applications.
- <Parameter argument=“application”…> – The user will select the applications when running the report.
3. Report Columns (Displayed Fields)
Each Column Explained:
- field – Internal field name (not always used).
- header – Column name shown in the report UI.
- property – The actual field pulled from the Link’s attributes (e.g., l.attributes.cn).
- sortable=“true” – You can sort the column in the UI.
- width – Display width in pixels.
4. Report Inputs (Application Selector)
What This Does:
- Prompts the user to select one or more applications when they run the report.
- These values are passed to the HQL query as :application.
Example Output
| CN | Given Name | SN | DN | Groups |
|---|---|---|---|---|
| JDoe | John | Doe | cn=JDoe,dc=sailpoint,dc=com | [IT] |
| JohnD | John | Doe | cn=JohnD,dc=sailpoint,dc=com | [HR] |
Only accounts (Links) for selected applications will be shown.
Summary
| Feature | Description |
|---|---|
| What it shows | User account attributes (Link object attributes) |
| How it filters | Based on applications selected by the user |
| Why useful | Helps verify or audit account data across applications |
| Customizable | Yes, you can add more columns or change filters easily |
Apologies if this isn’t the right place or if I’ve misunderstood anything—I’m still learning and open to feedback or corrections.
Thanks,
Raju
