chrisk
(Christopher Knapp)
September 17, 2024, 9:03pm
1
Version - IdentityIQ 8.3
We are trying to setup a quicklink population for HelpDesk to be able to perform Access Requests for only certain Roles and Entitlements.
I’ve gotten far on this thanks to several posts I’ve found from @Remold !!
When I Impersonate one of the HelpDesk users and go to ‘Manage User Access’ I can choose from the users and move onto adding Roles/Entitlements. Once in the screen to search, if I just hit the search button with nothing in the search box – it provides me with exactly what I would expect! (I would expect only the two Entitlements and the one Role specified in the Rules below)
However, if I type something in the search box, it returns items that are not explicitly granted in the Rules. (Extra Entitlements returned are all from the AD Application listed in the Rule)
I’ve checked the Identity ‘User Rights’ tab for this HelpDesk user and there are no extra memberships other than the one Workgroup that belongs to the quicklink population.
What can members request?
Roles -
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Filter;
// Allow-list of Role names this population may request
List<String> allowedRoles = new ArrayList();
allowedRoles.add("CORP2 AD.b");
// Restrict the Role search to the allow-listed names
return Filter.in("name", allowedRoles);
Entitlements -
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.object.QueryInfo;
// Each allowed entitlement is scoped to its application and matched on displayName
Filter entFilt1 = Filter.and(Filter.eq("application.name", "CORP2 AD"), Filter.eq("displayName", "CORP2\\DEVF"));
Filter entFilt2 = Filter.and(Filter.eq("application.name", "CORP2 AD"), Filter.eq("displayName", "CORP2\\DEVF2"));
Filter orFilter = Filter.or(entFilt1, entFilt2);
// Second argument is false so the filter is applied rather than returning nothing
QueryInfo finalQueryInfo = new QueryInfo(orFilter, false);
return finalQueryInfo;
Any ideas where I’m going wrong on this? Thanks!
Hi @chrisk ,
It is very strange. First, check if the user that you chose has other QuickLink populations. In this case SP applies the less restrictive policy.
chrisk
(Christopher Knapp)
September 17, 2024, 9:23pm
3
Hi @enistri_devo - The only other Population the user would fall under is the ‘Everyone’ Population. For this Population I have changed settings to “Objects Owned by the Requester” just to make sure nothing else would slip through.
Thanks!
chrisk
(Christopher Knapp)
September 18, 2024, 6:49pm
4
I’m trying it another way, both ways of doing this I found here - Creating a way for a manager to only request specific entitlements and roles - #9 by Remold
This route was posted by @Jarin_James in that thread - maybe you can take a quick peek?
Here is my new Rule -
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.object.QueryInfo;
import sailpoint.object.Custom;
// Allow-list of requestable entitlement names, keyed by application name
Custom customObject = context.getObjectByName(Custom.class, "Access Manager Entitlement List");
List filterList = new ArrayList();
for (String key : customObject.getAttributes().getKeys()) {
    // BeanShell does not parse a generic cast such as (List<String>); cast to the raw List
    for (String displayName : (List) customObject.get(key)) {
        Filter f = Filter.eq("displayName", displayName);
        filterList.add(f);
    }
}
Filter filter = Filter.or(filterList);
// The rule must return the Filter (or a QueryInfo wrapping it) for the population to apply it
return new QueryInfo(filter, false);
Should there be something added to bottom of the above code that returns the list?
Here is my Custom Object -
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Custom PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Custom name="Access Manager Entitlement List">
  <Attributes>
    <Map>
      <entry key="CORP2 AD">
        <value>
          <List>
            <String>Entitlement 1</String>
            <String>Entitlement 2</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Custom>
I now get this error in SYSLOG -
sailpoint.tools.GeneralException: BeanShell script error: bsh.ParseException: Parse error at line 10, column 44. Encountered: ) BSF info: Rule_Yardi_AccessManager_EntitlementSelector at line: 0 column: columnNo
I’d like to get either of these methods to work, hope someone is able to assist.
Thank you!
Check the sample rule below.
Custom object :
<entry key="Access Request Additional Applications">
  <value>
    <Map>
      <entry key="A2 Support" value="A1"/>
      <entry key="A2 Support" value="A2"/>
      <entry key="A3 Support" value="A3"/>
      <entry key="A4 Support" value="A4"/>
    </Map>
  </value>
</entry>
<entry key="Access Request Application Everyone">
  <value>
    <List>
      <String>X1</String>
      <String>X2</String>
      <String>X3</String>
    </List>
  </value>
</entry>
Rule :
import sailpoint.object.QueryInfo;
import sailpoint.object.Filter;
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Custom;
import org.apache.log4j.Logger;
// Restrict requestable items to those whose owner name starts with a configured value
Custom custObj = context.getObjectByName(Custom.class, "Custom Common");
List<Filter> filters = new ArrayList<Filter>();
if (custObj != null) {
    List<String> applications = (List) custObj.get("Access Request Everyone Owner");
    if (applications != null) {
        for (String application : applications) {
            // filters.add(Filter.eq("owner.name", application));
            filters.add(Filter.like("owner.name", application, Filter.MatchMode.START));
        }
        if (filters != null && filters.size() > 0) {
            Filter applicationFilter = Filter.or(filters);
            QueryInfo finalQueryInfo = new QueryInfo(applicationFilter, false);
            return finalQueryInfo;
        }
    }
}
import sailpoint.object.QueryInfo;
import sailpoint.object.Filter;
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Custom;
import org.apache.log4j.Logger;
// Restrict requestable applications to the names listed in the Custom object
Custom custObj = context.getObjectByName(Custom.class, "Custom Common");
List<Filter> filters = new ArrayList<Filter>();
if (custObj != null) {
    List<String> applications = (List) custObj.get("Access Request Application Everyone");
    if (applications != null) {
        for (String application : applications) {
            filters.add(Filter.eq("name", application));
        }
        if (filters != null && filters.size() > 0) {
            Filter applicationFilter = Filter.or(filters);
            QueryInfo finalQueryInfo = new QueryInfo(applicationFilter, false);
            return finalQueryInfo;
        }
    }
}
When you write a rule for both entitlements and applications, it always gives the result as the union of both results.
chrisk
(Christopher Knapp)
September 20, 2024, 4:10pm
7
Thanks for all of the help, much appreciated.
I had Professional Services take a look at the issue and it turned out that -
“I noticed that the search/fulltext index is using “displayableName” and not “displayName” column () even when both columns exist in the ManagedAttribute table.”
So I changed displayName to displayableName in the filter and the extra entitlements stopped appearing upon search.
Thanks again.
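Pulling the thread together, here is an added example rule for the population's Entitlements setting (my code, not code from the thread or from SailPoint): it reads the same "Access Manager Entitlement List" Custom object, scopes each entitlement to the application named by its key, matches on displayableName as Professional Services advised, and fails closed when the allow-list is missing or empty. It assumes the Custom values are displayable names and that QueryInfo's second constructor argument is the returnNone flag.

```java
// QuickLink population rule: "What can members request?" - Entitlements (IIQ BeanShell)
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Custom;
import sailpoint.object.Filter;
import sailpoint.object.QueryInfo;

// Allow-list keyed by application name; each value is a list of entitlement displayable names
Custom customObject = context.getObjectByName(Custom.class, "Access Manager Entitlement List");

// Fail closed: with no allow-list the population may request nothing.
// Assumption: QueryInfo(filter, returnNone) with returnNone=true yields no results.
if (customObject == null || customObject.getAttributes() == null) {
    return new QueryInfo(null, true);
}

List filterList = new ArrayList();
for (String appName : customObject.getAttributes().getKeys()) {
    // Raw cast: BeanShell does not parse the generic cast (List<String>)
    List names = (List) customObject.get(appName);
    if (names == null) {
        continue;
    }
    for (String displayableName : names) {
        // AND the application name with the entitlement so an identically named
        // entitlement in another application is not exposed; match on displayableName,
        // the column the full-text search index uses, not displayName
        filterList.add(Filter.and(
            Filter.eq("application.name", appName),
            Filter.eq("displayableName", displayableName)));
    }
}

// An allow-list with no usable entries also yields nothing rather than everything
if (filterList.isEmpty()) {
    return new QueryInfo(null, true);
}
return new QueryInfo(Filter.or(filterList), false);
```

Impersonate a member of the population after saving the rule and run both an empty search and a typed search in Manage User Access; both should return only the listed entitlements.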
system
(system)
Closed
November 19, 2024, 4:10pm
8
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.