Creating a policy violation such that a user should be in a specific AD group

Which IIQ version are you inquiring about?

8.3
Hello all, the requirement was that I wanted to create a policy violation such that whenever a user requests a business role, there should be a policy violation if this user is not in the respective AD group named (Testing); that is, whoever requests the access should be in the Testing AD group, or else a policy violation occurs. Can anyone please enlighten me?

I have written one rule as:


<Rule language="beanshell" name="CheckADGroupPolicy" type="Policy">
  <Description>Checks if the identity has the required AD group membership. If not, raises a PolicyViolation.</Description>
  <Signature returnType="PolicyViolation">
    <Inputs>
      <Argument name="log"/>
      <Argument name="context"/>
      <Argument name="identity"/>
      <Argument name="policy"/>
      <Argument name="constraint"/>
    </Inputs>
    <Returns>
      <Argument name="violation"/>
    </Returns>
  </Signature>
  <Source><![CDATA[
    import sailpoint.object.Identity;
    import sailpoint.object.IdentityEntitlement;
    import sailpoint.object.PolicyViolation;
    import sailpoint.tools.Filter;
    import sailpoint.tools.QueryOptions;

    String requiredGroup = "CN=AdminStaff,CN=Users,DC=IIQAD,DC=com";
    String identityName = identity.getName();
    boolean foundGroup = false;

    log.error("=== Checking AD group for identity: " + identityName);

    Filter filter = Filter.eq("identity.name", identityName);
    QueryOptions qo = new QueryOptions();
    qo.addFilter(filter);

    Iterator it = context.search(IdentityEntitlement.class, qo);
    while (it.hasNext()) {
        IdentityEntitlement entitlement = (IdentityEntitlement) it.next();

        if ("memberOf".equalsIgnoreCase(entitlement.getName())) {
            Object value = entitlement.getValue();
            log.error("Found entitlement: " + value);

            if (value != null && value.toString().equalsIgnoreCase(requiredGroup)) {
                foundGroup = true;
                break;
            }
        }
    }

    if (!foundGroup) {
        log.error(">>> User is NOT in required AD group. Creating policy violation.");

        PolicyViolation violation = new PolicyViolation();
        violation.setDescription("User is not a member of required AD group: " + requiredGroup);
        violation.setIdentity(identity);
        violation.setStatus(PolicyViolation.Status.Open);
        violation.setPolicy(policy);
        violation.setConstraint(constraint);
        violation.setActive(true);

        if (identity.getManager() != null) {
            violation.setOwner(identity.getManager());
        } else {
            violation.setOwner(context.getObjectByName(Identity.class, "spadmin"));
        }

        Date now = new Date();
        violation.setName("Missing AD Group - " + now.toString());
        violation.setId(now.toString());

        return violation;
    }

    log.error(">>> User is compliant. No violation.");
    return null;
  ]]></Source>
</Rule>


Can anyone help? This is giving errors as follows: Policy Impact Analysis task failed with exception. </EventMessage>
  <Stacktrace>sailpoint.tools.GeneralException: BeanShell script error: bsh.EvalError: Sourced file: inline evaluation of: ``import sailpoint.object.Identity;  import sailpoint.object.IdentityEntitlement;  . . . '' : Typed variable declaration : Class: Filter not found in namespace : at Line: 16 : in file: inline evaluation of: ``import sailpoint.object.Identity;  import sailpoint.object.IdentityEntitlement;  . . . '' : Filter 
 BSF info: rulepolicy at line: 0 column: columnNo

I think you can refer to the link below; it may help.

1 Like

Your approach is correct, but I see you have issues with the code in your rule. You have the import statement import sailpoint.tools.Filter; which should be import sailpoint.object.Filter;

Please fix the rule and check again.

1 Like

Try with some minor fixes:

<Rule language="beanshell" name="CheckADGroupPolicy" type="Policy">
  <Description>Checks if the identity has the required AD group membership. If not, raises a PolicyViolation.</Description>
  <Signature returnType="PolicyViolation">
    <Inputs>
      <Argument name="log"/>
      <Argument name="context"/>
      <Argument name="identity"/>
      <Argument name="policy"/>
      <Argument name="constraint"/>
    </Inputs>
    <Returns>
      <Argument name="violation"/>
    </Returns>
  </Signature>
  <Source><![CDATA[
    import sailpoint.object.Identity;
    import sailpoint.object.IdentityEntitlement;
    import sailpoint.object.PolicyViolation;
    import sailpoint.object.Filter;
    import sailpoint.object.QueryOptions;

    String requiredGroup = "CN=AdminStaff,CN=Users,DC=IIQAD,DC=com";
    String identityName = identity.getName();
    boolean foundGroup = false;

    log.error("=== Checking AD group for identity: " + identityName);

    Filter filter = Filter.eq("identity.name", identityName);
    QueryOptions qo = new QueryOptions();
    qo.addFilter(filter);

    Iterator it = context.search(IdentityEntitlement.class, qo);
    while (it.hasNext()) {
        IdentityEntitlement entitlement = (IdentityEntitlement) it.next();

        if ("memberOf".equalsIgnoreCase(entitlement.getName())) {
            Object value = entitlement.getValue();
            log.error("Found entitlement: " + value);

            if (value != null && value.toString().equalsIgnoreCase(requiredGroup)) {
                foundGroup = true;
                break;
            }
        }
    }

    if (!foundGroup) {
        log.error(">>> User is NOT in required AD group. Creating policy violation.");

        PolicyViolation violation = new PolicyViolation();
        violation.setDescription("User is not a member of required AD group: " + requiredGroup);
        violation.setIdentity(identity);
        violation.setStatus(PolicyViolation.Status.Open);
        violation.setPolicy(policy);
        violation.setConstraint(constraint);
        violation.setActive(true);

        if (identity.getManager() != null) {
            violation.setOwner(identity.getManager());
        } else {
            violation.setOwner(context.getObjectByName(Identity.class, "spadmin"));
        }

        Date now = new Date();
        violation.setName("Missing AD Group - " + now.toString());
        violation.setId(now.toString());

        return violation;
    }

    log.error(">>> User is compliant. No violation.");
    return null;
  ]]></Source>
</Rule>

2 Likes

Thanks for your code. The logs get printed up to "User is NOT in required AD group", and then this error comes:

  • An unexpected error occurred: Typed variable declaration : Class: AccessRequest not found in namespace : at Line: 13

I do not recommend using the log object that is passed into the rule. I recommend creating a new org.apache.log4j.Logger instance with a different name (anything but log, maybe xlog) and using that. Also, I always recommend using org.apache.log4j.Logger, not the Log and LogFactory objects.

I also recommend that instead of using the xlog.error() method, you use xlog.debug(), and if you need to force the statement, just add a statement xlog.setLevel(Level.DEBUG). You will also need to include org.apache.log4j.Level.

Kudos on using CDATA. Finally, I also recommend "localizing" the code in your rule by enclosing all of the code either in a try-catch or just in begin/end curly braces. Not localizing your code makes it susceptible to objects being persisted in Perm space, and you want all of your code to be gc'd when the rule exits.

Other than that, the code looks OK, although I would have approached the task by checking the links on the identity instead of doing a query on the IdentityEntitlement table. Without an index on identity.name, this query will be inefficient.
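A rewrite along the lines of that reply, added here as an example (not code posted by anyone in this thread): it walks the identity's links instead of querying IdentityEntitlement, reads memberOf from the Active Directory link, uses its own log4j logger, and keeps the body inside a brace block. The application name "Active Directory" and the logger name are assumptions; the group DN and the PolicyViolation fields are the ones used earlier in the thread.

```xml
<Rule language="beanshell" name="CheckADGroupPolicyViaLinks" type="Policy">
  <Signature returnType="PolicyViolation">
    <Inputs>
      <Argument name="log"/>
      <Argument name="context"/>
      <Argument name="identity"/>
      <Argument name="policy"/>
      <Argument name="constraint"/>
    </Inputs>
  </Signature>
  <Source><![CDATA[
  import java.util.Collections;
  import java.util.List;
  import org.apache.log4j.Level;
  import org.apache.log4j.Logger;
  import sailpoint.object.Link;
  import sailpoint.object.PolicyViolation;
  {   // outer braces localize the variables so they are released when the rule exits
    // own logger instead of the passed-in "log"; DEBUG is forced only while troubleshooting
    Logger xlog = Logger.getLogger("rule.CheckADGroupPolicyViaLinks");
    xlog.setLevel(Level.DEBUG);
    String adAppName = "Active Directory";   // assumption: the AD application's name in IIQ
    String requiredGroup = "CN=AdminStaff,CN=Users,DC=IIQAD,DC=com";
    boolean foundGroup = false;
    List links = identity.getLinks();        // accounts already correlated to this identity
    for (Link link : (links == null ? Collections.emptyList() : links)) {
      if (link.getApplication() == null || !adAppName.equals(link.getApplication().getName())) continue;
      Object memberOf = link.getAttribute("memberOf");   // a single DN String or a List of DNs
      List values = (memberOf instanceof List) ? (List) memberOf : Collections.singletonList(memberOf);
      for (Object dn : values) {
        if (dn != null && requiredGroup.equalsIgnoreCase(dn.toString())) { foundGroup = true; }
      }
    }
    xlog.debug("Identity " + identity.getName() + " in required group: " + foundGroup);
    if (foundGroup) return null;             // compliant: no violation
    PolicyViolation violation = new PolicyViolation();
    violation.setIdentity(identity);
    violation.setPolicy(policy);
    violation.setConstraint(constraint);
    violation.setStatus(PolicyViolation.Status.Open);
    violation.setActive(true);
    violation.setDescription("User is not a member of required AD group: " + requiredGroup);
    return violation;                        // id and owner are left for IdentityIQ to assign
  }
  ]]></Source>
</Rule>
```

Because the check reads the link's memberOf attribute, it reflects the last aggregated account state; run an aggregation before trusting the result on a freshly changed account.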
