ExclusionRule to exclude managed attributes on Role comp certification

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We are setting up Certifications and would like to get some inputs.
The certifiers do not want to see all managed attributes from being displayed to them on Role composition. Instead they only want to display the ones that matters.
Can you use Exclusion rules to exclude certain MA’s on Role composition certification? If so how do you achieve them?
I tried to iterate the items from the rule and could not make it work.

Any help is much appreciated.

The Managed Attributes are Additional Entitlement which are grouped in Entitlement Groups per application. To exclude them you need to check if the certifiable item is of type EntitlementGroup.

Here a small code snippet which might bring you further:

if (entity instanceof Identity) {
  Identity identity = (Identity) entity;
  Iterator it = items.iterator();
  while(it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();
    if(certifiable instanceof EntitlementGroup) {
      EntitlementGroup entitlementGroup = (EntitlementGroup) certifiable;
      if (log.isDebugEnabled()) log.debug("Exclusion rule - entitlementGroup ="+ entitlementGroup.toXml());
      // Place here your logic to exclude the EntitlementGroup
      // if ...
      // to remove the item:
      explanation.append("Exclude entitlements of \"" + entitlementGroup.getDisplayName() + "\" of application \"" + entitlementGroup.getApplicationName() + "\" from certification.\n");

Please look at the javadoc for the functions to use on the EntitlementGroup oobject :slight_smile:

– Remold

I used similar logic in the exclusion rule and it did not work.
Even worst, I wrote a log.warn(“Entering Exclusion rule”) statement at the beginning of the rule with out any logic and it didn’t print that one.

This was my code before. The rule did not hit step 1 :frowning:

    import sailpoint.object.Attributes;
    import sailpoint.object.Certifiable;
    import sailpoint.object.Entitlements;
    import sailpoint.object.Link;
    import sailpoint.object.Identity;
    import java.util.Iterator;
    import java.util.*;
    log.warn("Cert testing Step 1 - Entering exclusion rule \n");
    String explanation = null;

    Iterator it = items.iterator();

    log.warn("Cert testing Step 2 \n");

    while (it.hasNext()) {
      log.warn("Cert testing Step 3 \n" + it);

Can you validate the exclusion rule is configured correctly via debug?

  • Goto the debug pages
  • Object type: CertificationDefinition
  • Open de certifciation definition and search for entry key="exclusionRuleName" value=...

What happened to me in the beginning (and still does): In the UI create a new exclusion rule, but forgot to select it after creation.

Can you also change the log.warn to log.error?
Warning might have been filtered out in the log4j2.properties, so erros gives a better change. Also log.warn() is dependent on the Log-class used, some Log-classes use warn, some use warning. Erros is thesame for all Loggers :stuck_out_tongue_winking_eye:

– Remold

Yes, the certification definition has the rule.
I tried with log.error, still nothing. :sweat_smile:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.