Use Case
The challenges faced by managers in effectively managing Certification Campaigns revolve around the limitations of the default user interface (UI) and filtering options. Here’s a breakdown of the reported challenges and the proposed solutions.
Challenges Reported by Managers:
Limited Customization: The UI lacks support for custom attributes essential for campaign management.
Inefficient Sorting: Without custom attributes, managers must manually sift through numerous certification items to identify relevant ones, consuming valuable time and effort.
Lack of Filtering Flexibility: The absence of custom filters based on specific campaign criteria makes it difficult to quickly sort and prioritize certification items according to campaign objectives.
Proposed Solutions:
Introducing Custom Attributes: Expand the UI to incorporate new custom attributes relevant to the Certification Campaign. This enhancement provides managers with enhanced visibility and organization of certification items.
Enhancing Filtering Options: Integrate custom filters based on the newly introduced attributes to empower managers to efficiently sort and prioritize certification items according to campaign requirements.
Streamlining Process Flow: Improve UI customization and filtering flexibility to streamline the process flow. This optimization enables managers to make informed decisions, allocate resources effectively, and optimize decision-making during the Certification Campaign.
By implementing these solutions, the Certification Campaign management process undergoes a transformative shift. Managers can navigate the vast array of certification items with ease, make informed decisions, and drive successful campaign outcomes.
Implementation Steps
SailPoint IdentityIQ can introduce new extended attributes on several object types such as Identity, Link, Bundle, Application, ManagedAttribute, and CertificationItem. Extended attributes are used for storing implementation-specific data about an object.
Note: As a best practice, take a full backup of the IdentityIQ schema/databases and of the current IdentityIQ application directory ($TOMCAT_HOME/webapps/identityiq) before making any of the changes below.
IdentityIQ backup steps:
Navigate to $TOMCAT_HOME/webapps (the parent of the identityiq directory) and archive the application directory:
cd $TOMCAT_HOME/webapps
zip -r identityiq_bkp.zip identityiq/
Move the archive to the backup folder:
mv identityiq_bkp.zip /tmp/SailPoint/Backups/
Database backup steps:
Take a full backup of the IdentityIQ schema/databases, either by asking the DB admin or by running the following command against the database server (the example uses mysqldump for MySQL).
Back up the identityiq and identityiqPlugin databases using the following command:
mysqldump -u [username] -p[password] [database_name] > [dump_file.sql]
The parameters of the command are as follows:
[username] - A valid database username.
[password] - The password for that user (note there is no space between -p and the password).
[database_name] - The name of the database to back up.
[dump_file.sql] - The name of the backup dump file to generate.
Step 1: Create new Entitlement attributes
Create new Entitlement attributes in SailPoint IdentityIQ to store, at the entitlement level, the data sourced from Active Directory.
Navigate to Global Settings → Entitlement Catalog Attributes → Create new attributes like below
The values for the “Target System” and “Entitlement Type” attributes are sourced from the Active Directory application by the AD admin.
Additionally, there are instances where the IAM admin updates these attribute values. This is achieved by:
- Exporting attribute properties from the Entitlement Catalog.
Navigate to Applications → Entitlement Catalog → Export → Select Application → Active Directory → Export Type → Properties
- Manually updating them.
- Importing the updated attributes through the entitlement catalog.
- Executing a custom rule to push the changes to the Active Directory.
Map the newly created attributes in the Active Directory group schema so that the AD extension attributes are fetched during aggregation and written into the entitlement attributes.
Navigate to Applications → Application definition → open the Active Directory application and then navigate to Configuration → Schema → Object Type:group
Values in the Entitlement catalog
Step 2: Create a CertificationItem ObjectConfig object
Note: CertificationItem extended attributes should match Link extended attributes. This allows those extended Link attributes to be included in the detailed records of certification access reviews. CertificationItem extended attributes that do not correspond to Link extended attributes will not be populated (unless done so manually through a rule) since there is no way to declare a source for those attributes other than through a Link extended attribute of the same name.
However, in this blog, we are exploring the option of creating a Certification extended attribute that doesn’t correspond to a link extended attribute but is populated through a customization rule.
Navigate to the debug page → select the object type ObjectConfig → create the CertificationItem object like below
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="CertificationItem">
  <ObjectAttribute displayName="Source" editMode="Permanent" name="source" namedColumn="true" type="string">
    <Description>Entitlement Application</Description>
  </ObjectAttribute>
  <ObjectAttribute displayName="Target System" editMode="Permanent" name="applicationType" namedColumn="true" type="string">
    <Description>Target System Type</Description>
  </ObjectAttribute>
  <ObjectAttribute displayName="Entitlement Type" editMode="Permanent" name="accessType" namedColumn="true" type="string">
    <Description>Entitlement Type</Description>
  </ObjectAttribute>
</ObjectConfig>
- Source - Exception Application Name like Active Directory, Azure AD, Biometric, etc.
- Target System - Target authentication system types like Airwatch, Mattermost, etc.
- Entitlement Type - Group type like Distribution List, Password, etc.
Step 3: Add searchable extended attributes
Add searchable extended attributes in the CertificationItemExtended.hbm.xml file.
Navigate to $TOMCAT_HOME/webapps/identityiq/WEB-INF/classes/sailpoint/object/CertificationItemExtended.hbm.xml
Open the CertificationItemExtended.hbm.xml file and add the required custom searchable attributes like below
<property name="source" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_source_ci"/>
<property name="applicationType" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_applicationType_ci"/>
<property name="accessType" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_accessType_ci"/>
Step 4: Generate database scripts
Note: Take a full backup of the IdentityIQ schema/databases by informing the DB admin or following the above Database backup steps.
Generate the DDL SQL scripts that add the custom attribute columns and indexes to the CertificationItem table.
Navigate to $TOMCAT_HOME/webapps/identityiq/WEB-INF/bin/
Run the ./iiq extendedSchema command
This creates the DDL script files for various database vendors. Depending on your database vendor, you can run the DDL script file against the database to modify the IIQ tables and indexes.
Execute the SQL scripts in the Database with the help of DB admin.
All extended attributes defined in any of the .hbm.xml files are included in the DDL scripts, even if they already exist in the database. Consequently, if the generated script is executed without editing it to remove the unnecessary statements, it will report errors for any already existing columns or indexes as it attempts to recreate them; in most cases (e.g. unless you have configured your database to fail the whole operation on any error), these errors do no harm and the messages can be ignored.
Step 5: UI Config changes
Add the following columns in the UI Config object to view the attributes in the required certification pages.
- certificationItemTableColumns
- uiCertificationItemWorksheetColumns
- uiCertificationItemDetailViewColumns
- uiCertificationItemReturnedItemsColumns
- uiCertificationItemDetailViewReturnedItemsColumns
<ColumnConfig dataIndex="applicationType" groupProperty="applicationType" headerKey="Target System" property="applicationType" sortProperty="applicationType" sortable="true" stateId="applicationType"/>
<ColumnConfig dataIndex="accessType" groupProperty="accessType" headerKey="Entitlement Type" property="accessType" sortProperty="accessType" sortable="true" stateId="accessType"/>
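Once Steps 2, 3 and 5 are in place, it is worth confirming that the ObjectConfig, the CertificationItemExtended.hbm.xml properties and the UIConfig column lists agree on the attribute names before running extendedSchema, since an attribute missing from one of them silently ends up unsearchable or invisible. The following Python script is an added example (not part of the original post or of IdentityIQ) that parses constructed fragments shaped like those three artefacts and reports the mismatches; the index-name check uses the spt_certitem_<name>_ci pattern from Step 3.

```python
import xml.etree.ElementTree as ET

# Constructed fragments shaped like the page's three artefacts (not the live IIQ files).
OBJECT_CONFIG_XML = """<ObjectConfig name="CertificationItem">
  <ObjectAttribute displayName="Source" editMode="Permanent" name="source" namedColumn="true" type="string"/>
  <ObjectAttribute displayName="Target System" editMode="Permanent" name="applicationType" namedColumn="true" type="string"/>
  <ObjectAttribute displayName="Entitlement Type" editMode="Permanent" name="accessType" namedColumn="true" type="string"/>
</ObjectConfig>"""
# Deliberately missing accessType so the check has something to report.
HBM_XML = """<class>
  <property name="source" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_source_ci"/>
  <property name="applicationType" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_certitem_applicationType_ci"/>
</class>"""
# Only one of the five column lists, and only one column in it.
UICONFIG_XML = """<Map><entry key="certificationItemTableColumns"><value><List>
  <ColumnConfig dataIndex="applicationType" headerKey="Target System" property="applicationType" sortable="true"/>
</List></value></entry></Map>"""


def extended_attributes(object_config_xml):
    # Names of the extended attributes declared in the CertificationItem ObjectConfig
    root = ET.fromstring(object_config_xml)
    return {a.get("name") for a in root.iter("ObjectAttribute")}


def hbm_properties(hbm_xml):
    # Map property name -> index name from the .hbm.xml fragment
    root = ET.fromstring(hbm_xml)
    return {p.get("name"): p.get("index") for p in root.iter("property")}


def ui_columns(uiconfig_xml):
    # Properties that have a ColumnConfig entry in the UIConfig fragment
    root = ET.fromstring(uiconfig_xml)
    return {c.get("property") for c in root.iter("ColumnConfig")}


def check_consistency(object_config_xml, hbm_xml, uiconfig_xml):
    """Return the list of findings in attribute order; an empty list means the artefacts agree."""
    attrs = extended_attributes(object_config_xml)
    props = hbm_properties(hbm_xml)
    cols = ui_columns(uiconfig_xml)
    findings = []
    for name in sorted(attrs):
        if name not in props:
            findings.append(f"{name}: no <property> in the hbm.xml, so it will not be searchable")
        elif props[name] != f"spt_certitem_{name}_ci":
            findings.append(f"{name}: index {props[name]!r} does not follow spt_certitem_<name>_ci")
        if name not in cols:
            findings.append(f"{name}: no ColumnConfig, so it will not appear in the access review")
    for name in sorted(set(props) - attrs):
        findings.append(f"{name}: hbm property without an ObjectConfig attribute (column with no source)")
    return findings
```

Run it against your own exported ObjectConfig, hbm.xml and UIConfig XML instead of the constructed strings; the UIConfig check should be repeated for each of the five column lists named above.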
Step 6: Populate the certification item extended attribute
Populate the certification item extended attributes in each Certification Item while the certification campaign is being generated. To do this, develop a certification item customization rule (Rule type CertificationItemCustomization) as shown below.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Rule_CertificationItemCustomization" type="CertificationItemCustomization">
  <Description>
    A CertificationItem customization rule is run when a certification is
    generated to allow each CertificationItem to be customized. For example,
    default values can be calculated for the custom fields.
  </Description>
  <Signature>
    <Inputs>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext to use.
        </Description>
      </Argument>
      <Argument name="certification">
        <Description>
          The sailpoint.object.Certification to which the item is being added.
        </Description>
      </Argument>
      <Argument name="certifiable">
        <Description>
          The sailpoint.object.Certifiable item for which the item is being
          created.
        </Description>
      </Argument>
      <Argument name="certifiableEntity">
        <Description>
          The sailpoint.object.AbstractCertifiableEntity from which the
          certifiable was retrieved.
        </Description>
      </Argument>
      <Argument name="certContext">
        <Description>
          The sailpoint.api.CertificationContext that is being used to build the
          certification.
        </Description>
      </Argument>
      <Argument name="state">
        <Description>
          A Map that can be used to store and share data between executions of
          this rule during a single certification generation process; rules
          executed in the same certification generation share this state map,
          allowing data to be passed between them.
        </Description>
      </Argument>
      <Argument name="item">
        <Description>
          The sailpoint.object.CertificationItem to be customized.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source><![CDATA[
import sailpoint.object.Application;
import sailpoint.object.EntitlementSnapshot;
import sailpoint.object.ManagedAttribute;
import sailpoint.api.ManagedAttributer;
import sailpoint.tools.GeneralException;

// The entitlement (exception) snapshot this certification item was built from
EntitlementSnapshot snapshot = item.getExceptionEntitlements();
Application appObj = null;
ManagedAttribute ma = null;
try {
  if (snapshot != null && snapshot.getApplication() != null
      && snapshot.getAttributeName() != null && snapshot.getAttributeValue() != null) {
    String appName = (String) snapshot.getApplication();
    String attrName = (String) snapshot.getAttributeName();
    String attrValue = (String) snapshot.getAttributeValue();
    // Only Active Directory entitlements carry the extension attributes
    if (appName.equalsIgnoreCase("Active-Directory")) {
      // Record the application name on the item ("Source" column)
      item.setAttribute("source", appName);
      appObj = context.getObjectByName(Application.class, appName);
      if (appObj != null) {
        // Look up the entitlement in the Entitlement Catalog
        ma = ManagedAttributer.get(context, appObj, attrName, attrValue);
        if (ma != null) {
          if (ma.getAttribute("extensionAttribute1") != null) {
            // AD extensionAttribute1 -> "Target System" column
            item.setAttribute("applicationType", ma.getAttribute("extensionAttribute1"));
          }
          if (ma.getAttribute("extensionAttribute2") != null) {
            // AD extensionAttribute2 -> "Entitlement Type" column
            item.setAttribute("accessType", ma.getAttribute("extensionAttribute2"));
          }
        }
      }
    }
  }
} catch (GeneralException e) {
  // Log and continue so one bad item does not abort the whole certification generation
  log.error("Rule_CertificationItemCustomization failed for item " + item.getId(), e);
}
  ]]></Source>
</Rule>
A certification item customization rule runs while a certification is being generated, once per certification item, so the extended attribute values are in place before the access review is presented to the certifier.
Update the rule in the SystemConfiguration object like below.
<entry key="certificationItemCustomizationRule" value="Rule_CertificationItemCustomization"/>
Please note that whenever a certification is created, this rule is triggered and sets the custom extended attribute values on each Certification Item.
Access Reviews Filters: