Creating an extended attribute on a certification item and populating it

SailPoint IdentityIQ lets you extend several object types with extended attributes: Identity, Bundle, Link, Application, ManagedAttribute (entitlement) and CertificationItem. The attribute types each object type supports are listed below.

  Object Type         Supported Attribute Types
  Identity            string, identity
  Bundle              string, integer, boolean, date, rule, identity
  Link                string, date, boolean
  Application         string, integer, boolean, date, rule, identity
  ManagedAttribute    string, integer, boolean, date, rule, identity
  CertificationItem   string, date, boolean

Creating CertificationItem Extended Attribute

Normally a CertificationItem extended attribute should match a Link extended attribute of the same name: that is what lets the Link attribute appear in the detail records of access reviews. A CertificationItem extended attribute with no matching Link attribute is never populated automatically (unless a rule does it), because the only source that can be declared for it is a Link extended attribute of the same name. This article covers exactly that case: a CertificationItem extended attribute that has no Link counterpart and is populated by a custom rule instead.

To create a CertificationItem extended attribute for the first time, create the ObjectConfig object below from the Debug page in SailPoint, if it is not already present. Set namedColumn="true" if the attribute has to be searchable and stored in its own database column.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="CertificationItem">
  <ObjectAttribute displayName="sampleattribute1 Display Name" editMode="Permanent" namedColumn="true" name="sampleattribute1" type="string">
    <Description>Sample Attribute Description</Description>
  </ObjectAttribute>
</ObjectConfig>

Add the corresponding entry to CertificationItemExtended.hbm.xml (under WEB-INF/classes/sailpoint/object), which maps the named column to the extended attribute:

<property name="sampleattribute1" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_sampleattribute1_ci"/>

Once this is done, run the iiq console command that generates the DDL scripts for the database:

C:\IdentityIQ\WEB-INF\bin>iiq extendedSchema

Home directory: C:/IdentityIQ

Generating database scripts for mysql

Generating database scripts for oracle

Generating database scripts for sqlserver

Generating database scripts for db2

This creates the DDL script files add_identityiq_extensions.[dbms] in WEB-INF/database, which can then be run against the database to modify the IdentityIQ tables and indexes, for example:

mysql > source add_identityiq_extensions.mysql

NOTE: All extended attributes defined in any of the .hbm.xml files are included in the DDL scripts, even if they already exist in the database. Consequently, if the generated script is executed without editing it to remove the unnecessary statements, it will report errors for any already existing columns or indexes as it attempts to recreate them; in most cases (e.g. unless you have configured your database to fail the whole operation on any error), these errors do no harm and the messages can be ignored.

Populating the Certification Item extended attribute during certification generation

Create a custom rule of type CertificationItemCustomization (the item-level rule type that the certificationItemCustomizationRule key expects; it receives each CertificationItem as it is built). Below is a sample snippet.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Certification Item Customization Rule" type="CertificationItemCustomization">
<Source><![CDATA[
import sailpoint.object.CertificationItem;

// The rule receives the item being built (item), the certification, the
// certification entity and the SailPointContext (context).
// Narrow the condition below to the items that should carry the extended
// attribute and leave the rest untouched.
if (item != null) {
    item.setAttribute("sampleattribute1", "TEST_VALUE");
}
// No saveObject/commit here: the certification generator persists the item.
]]></Source>
</Rule>

Map this rule in the System Configuration object (via the Debug page) under the key certificationItemCustomizationRule:

<entry key="certificationItemCustomizationRule" value="Certification Item Customization Rule"/>

From then on, whenever a certification is generated, the rule runs for each item as it is created, so the extended attributes are set by the rule's logic.

Populating the Certification Item extended attribute after the certification is created

There are cases where the rule should not run for every kind of certification, or where the extended attributes should be set asynchronously, i.e. after the certification has been generated. For that, create a custom Rule Runner task or a plugin that fetches the relevant certification items and sets the extended attributes. Below is a sample snippet.

// Logic to fetch the Certification Item object (certItemObj), e.g. by id
// or by querying the items of a given certification.

certItemObj.setAttribute("sampleattribute1", "TEST_VALUE");
// Unlike the customization rule, nothing persists the item for us here,
// so save and commit explicitly, then drop it from the Hibernate cache.
context.saveObject(certItemObj);
context.commitTransaction();
context.decache(certItemObj);
11 Likes
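A fuller version of both snippets in the post, added here as an example; it is not part of the original post and not SailPoint's own code. It is Beanshell written against the standard IdentityIQ API and assumes the sampleattribute1 extended attribute defined above. deriveSampleAttribute shows one way to fill an attribute that has no Link counterpart: it reads the owner of the ManagedAttribute (entitlement catalog entry) behind an entitlement item, returning null for anything else. The same function body is what would go inside the Source of the CertificationItemCustomization rule, where item and context are supplied by the rule and no saveObject is needed. populateCertification is the post-generation variant for a Rule Runner task or plugin, with the batching and decaching the short snippet leaves out, and it skips items already populated so it can be re-run. The certification name "Entitlement Owner Review" is an assumed value, not one from the post.

```java
// Added example, not from the original post. Beanshell for an IdentityIQ
// Rule Runner task (context and log are provided by the task).
import java.util.Iterator;
import sailpoint.api.SailPointContext;
import sailpoint.object.CertificationItem;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Derive the value for the extended attribute from data that has no Link
// counterpart: the owner of the entitlement in the catalog (ManagedAttribute).
// Returns null when the item is not an entitlement item, when the snapshot is
// permission-based, or when no owner is set, so callers can leave it blank.
String deriveSampleAttribute(SailPointContext ctx, CertificationItem item) {
    if (item == null || item.getType() != CertificationItem.Type.Exception) {
        return null;
    }
    String app = item.getExceptionApplication();
    String attr = item.getExceptionAttributeName();
    Object value = item.getExceptionAttributeValue();
    if (app == null || attr == null || value == null) {
        return null;
    }
    Filter f = Filter.and(
        Filter.eq("application.name", app),
        Filter.eq("attribute", attr),
        Filter.eq("value", value.toString()));
    ManagedAttribute ma = ctx.getUniqueObject(ManagedAttribute.class, f);
    if (ma == null || ma.getOwner() == null) {
        return null;
    }
    return ma.getOwner().getName();
}

// Post-generation variant: populate every item of one certification,
// committing in batches so the Hibernate session stays small.
// Returns the number of items that were updated.
int populateCertification(SailPointContext ctx, String certName) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("parent.certification.name", certName));
    // cloneResults lets us decache inside the loop without invalidating
    // the objects the open search cursor still has to hand back.
    qo.setCloneResults(true);
    Iterator it = ctx.search(CertificationItem.class, qo);
    int updated = 0;
    try {
        while (it.hasNext()) {
            CertificationItem ci = (CertificationItem) it.next();
            if (ci.getAttribute("sampleattribute1") != null) {
                continue; // already populated, keeps the task re-runnable
            }
            String v = deriveSampleAttribute(ctx, ci);
            if (v == null) {
                continue; // nothing to set for this item
            }
            ci.setAttribute("sampleattribute1", v);
            ctx.saveObject(ci);
            updated++;
            if (updated % 100 == 0) {
                ctx.commitTransaction();
                ctx.decache();
            }
        }
        ctx.commitTransaction();
    } finally {
        Util.flushIterator(it); // always close the cursor
        ctx.decache();
    }
    return updated;
}

// Usage from the Rule Runner task; the certification name is an assumed value.
int n = populateCertification(context, "Entitlement Owner Review");
log.info("sampleattribute1 populated on " + n + " certification items");
```

Inside the customization rule the call collapses to item.setAttribute("sampleattribute1", deriveSampleAttribute(context, item)); the generator saves the item, so the save/commit/decache sequence belongs only in the post-generation task.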

Informative :raised_hands:. Thank you, @iamksatish

1 Like

Hi @iamksatish

I am trying to add a new column in Targeted Certification which will populate the attributes from the Classification object.

Is it possible with the method you shared?

I tried adding a column but I am not sure how to get the Classification data and also how to populate the same for each item.

Thanks
Manisha

@iamksatish - I have added a new extended attribute in the LinkExtended.hbm file and am using it as a namedColumn in the Link object config.

While following the steps, after I ran iiq extendedSchema I am running the below query in the database:

alter table identityiq.spt_link add attribute_name varchar(450);

How much time does it usually take? The count of this table is 198000; I waited 2/3/4 hours but it is still not added. Am I missing anything?

Thanks
Priyanka

@maniG

It should be possible; try to get the entitlement object first, get the corresponding classification details and populate them in the cert item extended attribute.

1 Like

@priyanka_jain It shouldn't take that much time in an ideal case. Which environment is this happening in, prod or non-prod?

Did you try checking with DBA once on this?

It is in a non-prod environment. I am an admin for the identityiq database so I have read/write access, but yes, I can check with the DBA once on this and update here.

1 Like

Thanks for sharing @iamksatish!

1 Like

This is very useful information, thank you for sharing.