I want to disable access request for the some applications ,bascially User should not get the application access on manage my access.
For this I have write a rule in QUICKLINK POPULATION
log.error("disableee ");
Filter filter = Filter.eq(“application.name”,“applicationName”);
return Filter.not(filter);
But I think this is not even triggering because logs are not printing for this rule
@Shubhangani_Kharayat You can also mark all entitlements for that application as non requestable, then also it will not come.
can you try configuring Rule only for “Application” section and remove from “Entitlements” section.
Also, you can add logs before returning object. Please login as ormal user instead of spadmin or user with admin rights to check functionality.
But there are so many entitlements
@Shubhangani_Kharayat If for your application, you don;t want any entitlements to be requestable, you can write a group refresh rule with line: accountGroup.setRequestable(false).. so this will mark all entitlements of that app as non requestable and it’ll not show up in Access Request page.
The easier solution would be you write a rule and make the entitlement non-request able for that particular application. Please use the below rule this works fine, and i have been using it, just put the app name, and it will make all the entitlement for that app non-requestable.
import sailpoint.object.*;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import sailpoint.tools.Util;
appName = "APP NAME";
Logger log = Logger.getLogger("org.rpc.rules");
log.setLevel(Level.DEBUG);
log.debug("We process");
int counter = 0;
int decacheNumber = 10;
Iterator iter = null;
try {
log.debug("We process app:" + appName);
QueryOptions opsMan = new QueryOptions();
opsMan.addFilter(Filter.eq("application.name", appName));
opsMan.addFilter(Filter.eq("requestable", true));
opsMan.setCloneResults(true);
iter = context.search(ManagedAttribute.class, opsMan);
while (iter.hasNext()) {
ManagedAttribute ma = (ManagedAttribute) iter.next();
ma.setRequestable(false);
context.saveObject(ma);
counter++;
// Commit every few records.
if (0 == (counter % decacheNumber)) {
context.commitTransaction();
context.decache();
log.debug("We decache");
}
}
} catch (Exception e) {
log.debug(e);
} finally {
context.commitTransaction();
context.decache();
if (iter != null) Util.flushIterator(iter);
}
log.debug("We processed:" + counter);
Please do not implement complicated rules. A simple way is to make the entitlement non-requestable for a specific application.
Hi Sumit,
This is not a complicated rule, it is a straightforward rule, there are only two solutions to make entitlement requestable, either in group aggregation, we write a one liner to make it false or via the rule, if the other one is not effeicent.
Thanks Naveen it’s working.
@Shubhangani_Kharayat Glad this work.
However, would recommend you to review and have a group aggregation rule where it is a one line code and you have all objects available, and no need to do context.saveObject or commitTransaction. This is a clean approach which you run at the time regular group aggregation task and it is a better approach as compare to a rule runner.
Rule Runner job is only for adhoc purpose where your regular scheduled aggregation tasks are not working and you still want to make changes to managed attributes.
I have replied to the original post. There I am referring to that, rather than creating a complex Quicklink population rule, go with making entitlement as non-requestbale for specific applications.
Now it is up to the developer how to make entitlement non-requestable.
He/she can use a custom code (can refer to your code)
Or if the entitlement count is less, they can do it manually.
Thanks Neelmadhav for your suggestion and support .
Thanks Sumit for your suggestions