Extending the IdentityIQ Object Model

Object Relational Mapping

In the context of SailPoint IdentityIQ, Object-Relational Mapping (ORM) is a crucial technique facilitated by Hibernate, a leading ORM framework. This process maps internal IdentityIQ objects to the underlying database, allowing developers to interact with these objects directly using methods like context.getObject in Beanshell code. Consequently, developers are spared from writing complex SQL queries, simplifying data access and manipulation. By leveraging ORM through Hibernate, IdentityIQ enhances productivity, reduces the likelihood of errors, and streamlines the integration of custom logic within the IdentityIQ framework, making identity governance and administration more efficient and robust.

Standard IdentityIQ Classes

SailPoint IdentityIQ comes with several pre-defined classes that are available out of the box, facilitating a wide range of identity governance and administration tasks. Here are some of the key standard classes:

  • Identity: This class represents the users within the IdentityIQ system. It includes attributes such as name, email, and role assignments, and is central to managing user identities, access rights, and certifications.
  • ManagedAttribute: This class represents attributes that are managed within IdentityIQ, such as entitlements, roles, or any other attribute that needs to be controlled and audited. It allows for fine-grained access management and policy enforcement.
  • Application: The Application class defines the various applications and systems integrated with IdentityIQ for identity and access management. It includes configuration details, connectors, and schemas necessary for connecting to and managing external systems.
  • Bundle: This class is used to group multiple entitlements or roles into a single, manageable unit. Bundles simplify the assignment and management of access rights by allowing related permissions to be granted or revoked together.

This list of standard classes is generally closed, meaning that these are the primary classes provided by IdentityIQ for its core functionality. While customization and extensions are possible, the closed nature of this list establishes boundaries on how these classes can be used.

Use Case 1 - Business Application

In SailPoint IdentityIQ, extending the Hibernate data model with custom classes can significantly enhance the system’s flexibility and functionality. One practical use case for this extension is the creation of a custom Business Applications class. This allows for the representation of “virtual” business applications within IdentityIQ as separate, distinct objects.

By defining a custom Business Applications class, organizations can:

  • Reflect Virtual Business Applications: Custom classes enable the modeling of complex business applications that may not have a direct physical counterpart. These virtual applications can encompass various resources, processes, and entitlements that are managed collectively.
  • Enhanced Integration and Management: Once created, these business application objects can be seamlessly integrated into IdentityIQ’s workflows, policies, and reporting mechanisms. This ensures that business applications are managed with the same rigor and oversight as traditional applications.
  • Custom Attributes and Relationships: Custom classes allow the definition of specific attributes and relationships that are unique to an organization’s needs. For example, attributes like business owner, criticality, and compliance status can be added to the Business Applications class.
  • Reuse Across the System: These custom objects can then be used across various parts of IdentityIQ, including certification campaigns, access reviews, and provisioning processes. This reuse supports more comprehensive and cohesive identity governance strategies.

Use Case 2 - Locations Database

Another practical use case for this extension is the creation of a custom Locations class. This allows IdentityIQ to serve as a central repository for location data, integrating geographical and organizational locations into the identity governance framework.

By defining a custom Locations class, organizations can:

  • Unified Location Management: Enable IdentityIQ to act as a centralized database for all location-related information, such as office buildings, data centers, or geographical regions. This centralization simplifies location management and ensures consistency across the organization.
  • Streamlined Workflows and Policies: Integrate location objects into IdentityIQ’s workflows, policies, and reporting mechanisms to ensure location data is used consistently and accurately throughout the system.
  • Tailored Attributes and Relationships: Define specific attributes and relationships unique to your organization’s needs, such as address, regional manager, and capacity, enhancing the detail and relevance of the location data managed.
  • System-Wide Utilization: Utilize these custom location objects across various parts of IdentityIQ, such as user profiles, access policies, and compliance reports.

Why? How? When? - How to extend the Data Model

Step 1: Prepare the Data Model

To extend the data model in SailPoint IdentityIQ, the first step involves creating your data model class and setting up the corresponding Hibernate configuration. Below are the details for each part of this process:

  1. Create the Data Model Class:

    • Define your custom data model class, such as the Business Application class. This class will represent the business application objects within IdentityIQ. You can see the snippet of this class on the left.
  2. Create Hibernate Object Mapping File:

    • Next, create a Hibernate object mapping file for your new class. This file needs to be placed in $IIQ_HOME/WEB-INF/classes/Sailpoint/object/BusinessApplication.hbm.xml. The snippet for this mapping file is visible at the top of the right snippet.
  3. Add Mapping File to Hibernate Configuration:

    • Finally, update the hibernate.cfg.xml file to include your newly created mapping file. This file is typically located at $IIQ_HOME/WEB-INF/classes/hibernate.cfg.xml. The configuration for adding the mapping file is shown at the bottom of the right snippet.

By following these steps, you will have successfully prepared the data model for the Business Application class, allowing IdentityIQ to manage and utilize these custom objects effectively.
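An added example of the data model class from step 1 (not the snippet from the page, which is only shown in a picture): a minimal BusinessApplication class that extends SailPointObject so it inherits id, name, description, owner and the created/modified timestamps, and so the standard context methods (getObject, saveObject, search) work on it. It assumes the class sits in the sailpoint.object package beside the standard classes and that the BusinessApplication.hbm.xml mapping file declares the two extra properties as columns; criticality and complianceStatus are the attributes the Business Application use case above suggests.

```java
package sailpoint.object;

import sailpoint.tools.xml.XMLClass;
import sailpoint.tools.xml.XMLProperty;

/**
 * Hypothetical custom object for "virtual" business applications.
 * Everything an IdentityIQ object needs to be stored, exported as XML
 * and looked up through the context comes from SailPointObject; only the
 * organization-specific attributes are added here. Each property below
 * must also appear in BusinessApplication.hbm.xml, otherwise Hibernate
 * silently ignores it and the value never reaches the database.
 */
@XMLClass
public class BusinessApplication extends SailPointObject {

    private static final long serialVersionUID = 1L;

    // Business owner is already covered by SailPointObject.owner (an Identity).
    private String criticality;      // e.g. "HIGH", "MEDIUM", "LOW"
    private String complianceStatus; // e.g. "COMPLIANT", "REVIEW_REQUIRED"

    public BusinessApplication() {
        super();
    }

    // @XMLProperty makes the attribute part of the object's XML form, so it
    // survives export/import (iiq console export, deployment bundles).
    @XMLProperty
    public String getCriticality() {
        return criticality;
    }

    public void setCriticality(String criticality) {
        this.criticality = criticality;
    }

    @XMLProperty
    public String getComplianceStatus() {
        return complianceStatus;
    }

    public void setComplianceStatus(String complianceStatus) {
        this.complianceStatus = complianceStatus;
    }
}
```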

Step 2: Generate and Apply the Extended Database Schema

After preparing your data model, the next step involves generating and applying the extended database schema. This ensures that your custom class is properly represented in the database.

  1. Generate the Extended Database Schema:

    • Use the IIQ Console Schema generator to generate the database schema for your new class. This will create the necessary database files. The command for this operation can be executed via the IIQ Console, as shown in the left snippet.
  2. Access Generated Database Files:

    • Once the schema generation is complete, the database files will be available in $IIQ_HOME/WEB-INF/database. These files contain the Data Definition Language (DDL) scripts needed to create the required tables and structures in the database.
  3. Execute DDL in the Database:

    • The final step is to execute the generated DDL script in your database to create the necessary table for your custom class. The DDL script, shown in the right snippet, should be run in your database management system.

By completing these steps, you will have extended the database schema to include your new Business Application class, ensuring that IdentityIQ can store and manage these objects effectively.

Step 3: Utilize the New Class

After extending the data model and updating the database schema, the final step is to restart the application server and start using the new class within IdentityIQ.

  1. Restart the Application Server:

    • Restart the IdentityIQ application server to load the new class definitions and updated schema configuration. This ensures that IdentityIQ recognizes and can interact with the newly created class.
  2. Create and Save New Objects:

    • After the server restart, the new class is available for use. You can now create new objects of this class and save them through the context. An example rule for creating and saving a new Business Application object is shown in the picture.
  3. Use the Created Business Application Object:

    • The picture below shows how to use an already created Business Application object, including how to retrieve it from the context and perform various operations on it.
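An added example covering steps 2 and 3 together (not the rule shown in the page's pictures): a Beanshell rule body that creates a Business Application object only if it does not already exist, re-reads and updates it, and then queries it through Filter/QueryOptions. It assumes the hypothetical BusinessApplication class with criticality and complianceStatus properties described in Step 1, an existing identity named spadmin as owner, and the context variable that IdentityIQ injects into every rule; "Payroll" is a constructed sample value.

```java
// Beanshell rule body (Java syntax). "context" is the SailPointContext that
// IdentityIQ injects into every rule; BusinessApplication is the custom class.
import sailpoint.object.BusinessApplication;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

String appName = "Payroll";   // constructed sample value

// 1. Create only if missing: object names are unique, so a second blind
//    save of "Payroll" would fail at commit with a constraint violation.
BusinessApplication app = context.getObjectByName(BusinessApplication.class, appName);
if (app == null) {
    app = new BusinessApplication();
    app.setName(appName);
    app.setCriticality("HIGH");
    app.setComplianceStatus("REVIEW_REQUIRED");
    Identity owner = context.getObjectByName(Identity.class, "spadmin");
    if (owner != null) {
        app.setOwner(owner);   // owner is inherited from SailPointObject
    }
    context.saveObject(app);
    context.commitTransaction();
}

// 2. Use an existing object: fetch it by id, change it, save and commit.
BusinessApplication loaded = context.getObjectById(BusinessApplication.class, app.getId());
loaded.setComplianceStatus("COMPLIANT");
context.saveObject(loaded);
context.commitTransaction();

// 3. Query through Filter/QueryOptions rather than hand-built HQL or SQL:
//    Hibernate binds the values as parameters, so user-supplied input such
//    as a form field cannot change the shape of the query.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("criticality", "HIGH"));
qo.addOrdering("name", true);
List props = new ArrayList();
props.add("name");
props.add("owner.name");
Iterator rows = context.search(BusinessApplication.class, qo, props);
List summary = new ArrayList();
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    summary.add(row[0] + " (owner: " + row[1] + ")");
}
Util.flushIterator(rows);
context.decache();   // drop the Hibernate session cache in long-running rules
return summary;
```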

Code Snippets

All the code snippets mentioned in the steps above, including the creation of the data model class, the Hibernate object mapping file, the Hibernate configuration update, and the example rules for creating and using the Business Application object, are available for reference and usage.

These snippets are available in a CoLab repository for easy access and testing. You can find the complete code and additional instructions in the GitHub repository linked below:

CoLab Repository with Code Snippets

By accessing this repository, you can explore the provided code examples, adapt them to your specific needs, and implement the described extensions within your SailPoint IdentityIQ environment.

Risk vs Benefit

Risks

  1. Upgrade Challenges:

    • With each upgrade of SailPoint IdentityIQ, developers must be vigilant about changes made to Hibernate configurations and mappings. Custom modifications can be overwritten during upgrades, leading to potential system issues.
    • Patches and upgrades must be thoroughly tested in a staging environment before being applied to production systems to ensure that custom extensions remain intact and function correctly.
  2. Maintenance of Objects:

    • Custom processes must be established to manage and maintain the lifecycle of custom objects. This includes ensuring that these objects are correctly created, updated, and deleted as needed.
    • Without proper maintenance processes, there is a risk of data inconsistency and potential system malfunctions.

Benefits

  1. Flexibility:

    • Extending the data model provides significant flexibility, allowing the implementation of almost any business requirement. This adaptability is crucial for organizations with complex and unique identity governance needs.
    • Custom classes enable the reflection of complex data structures within IdentityIQ, facilitating comprehensive identity and access management solutions.
  2. Custom Object Creation:

    • The ability to create custom objects tailored to specific business needs enhances the functionality of IdentityIQ. This includes modeling complex business applications, managing location data, and other bespoke requirements that standard classes cannot address.
    • Custom objects can be seamlessly integrated into IdentityIQ workflows, policies, and reports, providing a more robust and tailored identity governance framework.

In conclusion, while extending the data model in SailPoint IdentityIQ offers substantial benefits in terms of flexibility and the ability to meet complex requirements, it also introduces risks that need careful management. Thorough testing and diligent maintenance are essential to ensure the stability and integrity of the system.