Creating a way for a manager to only request specific entitlements and roles

All,

I am not familiar with rules, nor do I know how to create them. But I am looking for a way for the “manager” quicklink population to only request access for specific entitlements. Does anyone have a way to do this without creating a rule? The only thing I have found is under “What can members request?” But it is asking for a rule, which is confusing me a bit. Please help and assist…

Hi Derrick,

The first question to ask is:

  • How to determine which specific entitlements a manager can request?

Do you want to use an entitlement attribute for it (i.e. allowedToRequest=true or entitlementBelongsTo=“department a”), is it based on scoping, or is it based on an application (i.e. only allowed for app x and y)?

Based on this we can find a good solution for you.

Don’t worry about writing a rule, we are here to help and I know a few Ambassadors who can write rules in their sleep :stuck_out_tongue_winking_eye:

– Remold

It would be nice if it was based on the following attributes:

1. Application
and
2a. Value
or
2b. Display value

I added a screenshot in my UAT environment as an example.

It can be based on:
1. Application
and
2a. Value
or
2b. Display value

But then you need to maintain lists in a rule, which is not really maintainable when this list grows big. Plus every manager would have the same entitlements (which might not be a problem).

If the entitlements allowed to be requested are the same for all managers, I would make all the other entitlements ‘not requestable’.

Can you elaborate a bit more on your requirements?

– Remold

The quicklink I have made is only for a specific type of manager and also my leadership let me know that the attribute would need to only be the display value. If this is the case, what I am wanting in the quicklink population is for this particular type of manager to only be able to request entitlement A or entitlement B, but I need the following to do it located under the “What can members request for” which is the rule needed under entitlements

Ok.
I can create a skeleton rule for you (after I have made and had dinner). Or if anyone else wants to create it, be my guest :slight_smile:

– Remold

And where exactly would I be importing this rule into?

That would be great. So this rule would be imported and should go into the rules object correct?

Copy the rule below and save it as an XML file (using Notepad, Notepad++, vi, emacs, …)

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Specific Entitlements for Specific Managers" type="RequestObjectSelector">
  <Source>

  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.QueryInfo;

  // 1st entitlement: matched on application name and entitlement value
  Filter entFilt1 = Filter.and(Filter.eq("application.name", "ApplicationName"),Filter.eq("value", "EntitlementValue"));

  // 2nd entitlement: matched on application name and display name
  Filter entFilt2 = Filter.and(Filter.eq("application.name", "ApplicationName"),Filter.eq("displayName", "EntitlementDisplayValue"));

  // An entitlement is requestable if it matches either filter
  Filter orFilter = Filter.or(entFilt1,entFilt2);

  QueryInfo finalQueryInfo = new QueryInfo(orFilter, false);
  return finalQueryInfo;

  </Source>
</Rule>

This contains a filter for 2 entitlements, where the 1st is based on ApplicationName and EntitlementValue. The 2nd is based on ApplicationName and DisplayValue.
You can change the filters to your liking.

In this example you need to change the values :

  • ApplicationName with the name of the application
  • EntitlementValue with the value
  • EntitlementDisplayValue with the DisplayName

If you want more than 2 entitlements, change the orFilter to something like:

Filter orFilter = Filter.or(entFilt1,Filter.or(entFilt2,Filter.or(entFilt3,entFilt4)));

When you have updated the file, it can be imported via: Gear->Global Settings->Import from File
If you want to change it later, you need to do this via debug (there is no UI option)

After import, you should be able to select it in the QuickLink config.

I have not tested it, but assume this to be working as expected.

– Remold

2 Likes

Hi @derrickthomasvdot

Just to add on to what @Remold said. You can use a Custom Object to store the entitlements. This way you don’t have to change the rule every time. You can update the Custom Object.

Please find the snippet for using Custom Object

    Custom customObject = context.getObjectByName(Custom.class, "Entitlement List");
    List filterList = new ArrayList();
    for(String key : customObject.getAttributes().getKeys()) {
      for(String displayName: (List<String>)customObject.get(key)) {
        Filter f = Filter.and(Filter.eq("application.name", key),Filter.ne("displayName", displayName));
        filterList.add(f);
      }
      
    }
    Filter filter = Filter.or(filterList);

Please find the Sample Custom Object below

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Custom PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Custom name="Entitlement List">
  <Attributes>
    <Map>
      <entry key="Apex">
        <value>
          <List>
            <String>execute</String>
          </List>
        </value>
      </entry>
      <entry key="PRISM">
        <value>
          <List>
            <String>Manager1</String>
            <String>User1</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Custom>

where <entry key="Apex"> and <entry key="PRISM"> represent the application name and the List denotes the values/display names of entitlements of that application

2 Likes

What about a rule with just the Display value? Can that be written?

Sure, that is possible too :slight_smile:

From @Jarin_James's example, change:

Filter f = Filter.and(Filter.eq("application.name", key),Filter.ne("displayName", displayName));

to

Filter f = Filter.eq("displayName", displayName);

Note: ne stands for ‘Not Equal’ and eq for ‘Equal’. It looks like Jarin made a small mistake here :stuck_out_tongue_winking_eye:

– Remold

@Remold

Sorry, I missed that :sweat_smile:
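A complete, importable version of the Custom-object approach from the posts above, added here as an example and not posted by anyone in the thread. It uses eq as in the correction, keeps the application name in each filter so a same-named entitlement in another application does not become requestable, and returns nothing when the Custom object is missing or empty. Assumptions: the rule name is made up, "Entitlement List" is the Custom object from the sample above, and the second QueryInfo argument is taken to mean "return none".

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Example rule name (hypothetical); pick your own before importing -->
<Rule language="beanshell" name="Example - Requestable Entitlements From Custom Object" type="RequestObjectSelector">
  <Source><![CDATA[
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.object.Custom;
  import sailpoint.object.Filter;
  import sailpoint.object.QueryInfo;

  // Allow-list lives in the Custom object: key = application name,
  // value = list of entitlement display names.
  Custom allowList = context.getObjectByName(Custom.class, "Entitlement List");

  List filters = new ArrayList();
  if (allowList != null && allowList.getAttributes() != null) {
    for (String appName : allowList.getAttributes().getKeys()) {
      Object names = allowList.get(appName);
      if (!(names instanceof List)) {
        continue; // malformed entry: skip it rather than widen access
      }
      for (Object displayName : (List) names) {
        if (displayName == null) {
          continue;
        }
        // eq on both fields: only this display name in this application.
        // With ne here, everything else in the application would match.
        filters.add(Filter.and(
            Filter.eq("application.name", appName),
            Filter.eq("displayName", displayName.toString())));
      }
    }
  }

  // Fail closed: with no usable allow-list, offer no entitlements at all
  // (assumption: second argument true = return none).
  if (filters.isEmpty()) {
    return new QueryInfo((Filter) null, true);
  }
  return new QueryInfo(Filter.or(filters), false);
  ]]></Source>
</Rule>
```

The CDATA wrapper keeps the XML import from tripping over characters such as `<` and `&` inside the BeanShell source.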

Hi there,

I made the rule as shown below in my UAT environment:

<?xml version='1.0' encoding='UTF-8'?>

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.object.QueryInfo;

Filter entFilt1 = Filter.and(Filter.eq("application.name", "Active Directory - Statewide/Central Office"),Filter.eq("value", "CN=Fake Cerberus,OU=Enterprise,OU=Security Groups,OU=OTUAT-Groups,DC=otuat,DC=vdot,DC=org"));

Filter entFilt2 = Filter.and(Filter.eq("application.name", "Active Directory - Statewide/Central Office"),Filter.eq("displayName", "Fake Cerberus"));

Filter orFilter = Filter.or(entFilt1,entFilt2);

QueryInfo finalQueryInfo = new QueryInfo(orFilter, false);
return finalQueryInfo;

But it is still not working, when I go to Manage Access, it is still giving the options of all roles and entitlements.

Have you checked the logged on user is not part of any other QuickLink Population?
The special/specific manager should only be in 1 QuickLink Population.

You can use the Impersonate Plugin to easily switch to another logged on user:
https://community.sailpoint.com/t5/Plugin-Framework/Impersonate-Plugin/ta-p/74702

This plugin is very very handy to test what other users can see and do. So you can use it to switch to such a special/specific manager.

Note: Do not install this in production environments

– Remold

1 Like

All,

The manager was in 2 Quicklinks at the same time, the regular “Manager” and the newly made “Entitlement Manager 1”. Besides going into the manager population and putting the user into the Excluded Identities list, is there anything else I can do to override this situation to where SailPoint sees the identity only in the Entitlement manager 1 population?

You can create a workgroup for the special/specific managers.
Use this workgroup for the QuickLink population of the Special QuickLink Population and exclude the same from the manager QuickLink Population.

This is the simplest solution. To change IdentityIQ to allow specific identities to be part of only 1 QuickLink population is not really doable IMHO.

BTW we use workgroups for many other things, to make things more dynamic without changing configurations (like application and role owners). So no worries to introduce a new ‘concept’ :stuck_out_tongue_winking_eye:

– Remold

This is great news as I can add managers into only that group but will still have to remove those said managers from the manager quicklink, which is fine.

Jarin,

Where exactly do I paste the custom object in what needed object in debug and where?

The workgroup can be excluded from the Manager QuickLink Population. See picture above.

The custom object can be added via debug (https://<servername>/identityiq/debug)
Go to Object Type: Custom
The simplest way to create a custom object is to open an existing object:

  • Leave the first 2 lines
  • Line 3:
    • Remove the attributes and values: created, modified and id
    • Change the value of name to the name of the custom object
  • Replace the content between <Attributes> and </Attributes> with the content for your new attribute

Or:
Scroll up and copy/paste the Sample Custom Object shared by @Jarin_James into an xml-file and use ‘Import from File’ to import the Custom Object xml-file

– Remold

1 Like
