Exclude inactive account/link for role based certification (CertificationExclusion-Rule)

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

At a client we want to exclude roles (business and IT roles, assigned/detected) from the Manager Certification when the account (Link) is inactive.
(Access to inactive accounts is not possible, so the entitlements on these accounts can not be used)

I know it is possible to exclude inactive identities (this is already enabled and not what we are looking for).
I have found information to exclude inactive accounts for entitlement based certifiables, but not for role (Bundle) based :frowning:
An option is to de-correlate inactive accounts or not aggregate inactive accounts, but that is not possible (due to other requirements).

Does anyone have an idea how to exclude the roles linked to inactive accounts from a Manager Certification?

– Remold

Hi @Remold,

I guess you can use the Exclusion Rule to exclude the Bundles. In Manager certification the entity object is the identity, so you will be able to get the inactive links. You can remove those bundles from items to the itemsToExclude list. This rule runs for each CertificationEntity, so complex processing can significantly impact the performance.

Hi @Jarin_James,

You are correct, it is possible to exclude bundles, but how to find out if the account which holds the entitlements from that bundle (or the required/permitted bundles of this bundle) is active or inactive?

– Remold

Hi @Remold

I am confused with your requirement.

Your question title says: to exclude inactive account

Here you say, you want to exclude Roles.

I am a bit lost here, let me ask some basic questions here

  • Who is the certifier: manager
  • What to certify: Roles/Entitlements/Accounts ?
  • What to exclude: ?

So that we can have some possibilities.

Hi @Remold,

ITRoles can be connected with Entitlement then Application, but with Business role it can get a bit tricky. If you can have extended attribute on Bundle which denotes the application it is used for, it will be far easier.

Hi @Remold –

I understand your use case. From one perspective, you can argue that certification of business roles amounts to certification of that user’s business function, which is independent of the underlying entitlements. For example, if a user is assigned the “Software Engineer 1” business role, it might make sense to certify whether or not that is still an authorized business function; even if they can’t make use of the underlying entitlements at time of certification due to inactive accounts, that underlying access model could change to include entitlements on another application in which the user is active.

That being said, you are asking for practical solutions to your requirement, and I think as per @Jarin_James you will need an Exclusion Rule with some Beanshell to achieve this.

Depending on what assumptions you can make about your role and access model, this could range from moderate to high complexity. For example, if you have a model where each identity has at most one account per application, you could…

  1. Define the List of application names which are inactive for the certified identity using a simple projection search query on Link

  2. For each role assigned to the identity, use the Bundle getApplications() method to retrieve a List of application names to which that role grants access. (The specifics of this will depend on your RBAC configuration. E.g., this could mean first getting all IT roles assigned by a Business Role and taking the union of the application list from each underlying IT role. If you have more complexity like role inheritance, this could become prohibitively complex.)

  3. If the List created in (2) is contained in the List from (1), exclude that role.

If you can’t make the above assumption, your logic will have to be much more complex and I would become more concerned about performance depending on your overall volume of certified access. Definitely let us know if you find a more elegant approach!

Thanks,

Alex King

2 Likes
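An added worked example of the approach Jarin_James and Alex King describe above (an Exclusion Rule that drops bundles whose granting accounts are all inactive). This is illustration code written for this thread, not Remold's, SailPoint's, or any client's rule. It assumes the standard CertificationExclusion rule arguments (context, entity, items, itemsToExclude, explanation), that an inactive account is one where Link.isDisabled() is true (the IIQDisabled flag), and it walks identity.getLinks() in memory rather than running a projection query. It goes slightly beyond Alex's "one account per application" assumption: an application only counts as inactive for the identity when the identity has no enabled account on it at all, and step 2 follows required, permitted and inherited roles with a visited set so role graphs with cycles do not recurse forever.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Step 1: applications on which this identity has only inactive accounts.
// Assumption: Link.isDisabled() (IIQDisabled) is how inactive accounts are marked.
Set inactiveApplications(Identity identity) {
  Set active = new HashSet();
  Set inactive = new HashSet();
  List links = identity.getLinks();
  if (links != null) {
    for (Link link : links) {
      if (link.isDisabled()) {
        inactive.add(link.getApplicationName());
      } else {
        active.add(link.getApplicationName());
      }
    }
  }
  // An app with at least one enabled account is still usable, so it is not "inactive".
  inactive.removeAll(active);
  return inactive;
}

// Step 2: application names a role grants access to, including the required and
// permitted IT roles of a business role and inherited roles. "visited" holds role ids
// already expanded, which stops infinite recursion on cyclic role graphs.
void collectApplications(Bundle role, Set appNames, Set visited) {
  if (role == null || !visited.add(role.getId())) return;
  Collection apps = role.getApplications();   // derived from the role's profiles
  if (apps != null) {
    for (Application app : apps) appNames.add(app.getName());
  }
  List related = new ArrayList();
  if (role.getRequirements() != null) related.addAll(role.getRequirements());
  if (role.getPermits() != null) related.addAll(role.getPermits());
  if (role.getInheritance() != null) related.addAll(role.getInheritance());
  for (Bundle child : related) collectApplications(child, appNames, visited);
}

// Step 3: exclude a role only if it grants access to at least one application AND
// every one of those applications is inactive for this identity. A role with an
// active account anywhere (or a pure organisational role with no profiles) stays in.
if (entity instanceof Identity) {
  Identity identity = (Identity) entity;
  Set inactive = inactiveApplications(identity);
  Iterator it = items.iterator();
  while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();
    if (!(certifiable instanceof Bundle)) continue;
    Bundle bundle = (Bundle) certifiable;
    Set granted = new HashSet();
    collectApplications(bundle, granted, new HashSet());
    if (!granted.isEmpty() && inactive.containsAll(granted)) {
      itemsToExclude.add(bundle);
      it.remove();   // remove via the iterator so the list is not modified mid-loop
      explanation.append("Excluded role \"" + bundle.getName()
          + "\": all granting accounts are inactive (" + granted + ")\n");
    }
  }
}
```

Step 1 is computed once per entity and step 2 is a handful of in-memory object walks, so the per-entity cost stays small even on large certifications; the only database work is whatever Hibernate lazily loads for the role's profiles and related roles, which is worth measuring on a campaign-sized run before enabling the rule.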

I think I found the solution.

In the exclusion rule:

  import java.util.Iterator;
  import java.util.List;
  import sailpoint.object.Bundle;
  import sailpoint.object.Certifiable;
  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.Link;
  import sailpoint.object.RoleDetection;
  import sailpoint.object.RoleTarget;

  // Rule arguments provided by IIQ: context, entity, items, itemsToExclude, explanation
  if (entity instanceof Identity) {
    Identity identity = (Identity) entity;
    // Detected roles carry the concrete accounts (RoleTargets) that satisfied them
    List roleDetections = identity.getRoleDetections();

    Iterator it = items.iterator();
    while (it.hasNext()) {
      Certifiable certifiable = (Certifiable) it.next();
      if (!(certifiable instanceof Bundle) || roleDetections == null) {
        continue;
      }
      Bundle bundle = (Bundle) certifiable;
      boolean exclude = false;

      for (RoleDetection roleDetection : roleDetections) {
        if (exclude) break;
        if (!bundle.getId().equals(roleDetection.getRoleId())) continue;
        List roleTargets = roleDetection.getTargets();
        if (roleTargets == null) continue;
        for (RoleTarget roleTarget : roleTargets) {
          // Resolve the Link the target points at; scoping to the certified identity keeps
          // the lookup unique if the same nativeIdentity exists on another identity
          Link link = context.getUniqueObject(Link.class, Filter.and(
              Filter.eq("identity", identity),
              Filter.eq("application.id", roleTarget.getApplicationId()),
              Filter.eq("nativeIdentity", roleTarget.getNativeIdentity())));
          if (link != null && link.isDisabled()) {
            exclude = true;
            break;
          }
        }
      }

      if (exclude) {
        // Exclude the bundle once; a second it.remove() for the same item would throw
        itemsToExclude.add(bundle);
        it.remove();
        explanation.append("Exclude \"" + bundle.getName() + "\" from certification. Account is inactive.\n");
      }
    }
  }

– Remold

3 Likes
