For line manager certification we want to set up a exclusion rule which will detect underlying IT roles in business role and remove for certification

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We are trying to create a exclusion rule which will be applied in line manager certification in which underlying IT roles of a business role will not show for certification. As we are already certifying it through role composition certification so we are trying to not again show underlying IT roles of a business roles

@Aradhana_Mohapatra
Is your need here to exclude all the IT roles of user from the certification or IT roles that are assigned via business roles only? Do you have any mechanism implemented in your system of having IT roles directly without Business roles? If that’s not the case you can have your exclusion rule to exclude the item, if the item is role and of type Bundle, in your system of having IT roles directly without Business roles do let us know.

The need is to exclude IT roles which are mapped under business roles however individual IT roles need to be displayed. Basically we want to greyed out the underlying IT roles of an business role when line manager certification will take place for an user. So manager will be able to see only the business role which is mapped to user profile as we are separately conduction a certification for business role.

Check if below helps







for(Object item:items) {

//Exclude the roles in exclusion list.

if (item instanceof Bundle)

{

Bundle bundle = null;

try 

{

bundle = (Bundle)item;

if (bundle.getType().equalsIgnoreCase("IT"))
{

List permRoles=bundle.getPermits();

// Write a Logic here to check if any of this permitted roles are assigned to user and call the method in below line if so exclude the IT Role. 

boolean bizRolepresent=
if(bizRolepresent){
itemsToExclude.add(bundle);
}

}


}catch(GeneralException e) 

{

// throw your exception here
}

}

}

items.remove(itemsToExclude);


return "This item has been excluded";

I haven’t provided the complete code here, just an idea on how to proceed, but this will help you, let me know if in case of any queires.

Thanks for sharing the solution. Will try with existing script and update

Sure, let me know if this worked or not, and in case of any additional assistance needed.

Hi Aradhana,

You can try to use the following:

  import sailpoint.tools.Util;;
  import sailpoint.object.RoleAssignment;
  import sailpoint.object.RoleDetection;

  StringBuffer explanation = new StringBuffer();

  public List getFlattenedRoles(){
    List<RoleAssignment> assignedRoles = identity.getRoleAssignments();
    List<Bundle> flattenedRoles = new ArrayList<Bundle>();
    if (assignedRoles!=null && assignedRoles.size()>0){
      for (RoleAssignment role : assignedRoles){
        Bundle bun = role.getRoleObject(context);
        flattenedRoles.addAll(bun.getFlattenedPermits());
        flattenedRoles.addAll(bun.getFlattenedRequirements());
      }
    }
    return flattenedRoles;
  }
  
  public List getTobeExcludedRoles(List detectedBundles, List allBundles){
    List tobeExcludedRoles = new ArrayList();
    for (Bundle bun : detectedBundles){
      if (allBundles.contains(bun)){
      	tobeExcludedRoles.add(bun);
      }
    }
    return tobeExcludedRoles;
  }
  
  if (entity instanceof Identity) {
    Identity identity = (Identity) entity;
    Iterator it = items.iterator();

    List<Bundle> allBundles = getFlattenedRoles();
    List<Bundle> detectedBundles = identity.getDetectedRoles();
    List<Bundle> toExclude = getTobeExcludedRoles( detectedBundles,  allBundles);

    while(it.hasNext()) {
      Certifiable certifiable = (Certifiable) it.next();
      if(certifiable instanceof Bundle) {
        Bundle bundle = (Bundle) certifiable;
        if (toExclude.contains(bundle)){
          itemsToExclude.add(bundle);
          it.remove();
          explanation.append("Exclude \"" + bundle.getName() + "\" from certification. Role is part of an assigned Role.\n");
          continue;
        }
      }
    }
  }

  return (0 != explanation.length()) ? explanation.toString() : null;

– Remold

1 Like

Thanks Remold. The above code gave clarity to use iterator to go through the array list.

We are using version 8.2 so getflattenedroles method is not working and I assume it will work for 8.3 version.
I am currently trying with getRequirements, getPermits . Can you suggest some other options to try for 8.2

The getFlattenedRoles is a Beanshell function defined in the provided code. It get the getFlattenedPermits and getFlattenedRequirements for each assiged role (Bundle) for the Identity. So please include this function in your exclusion rule. Please use the complete provided code.

If it is not working, can you show the contents of your exclusion rule ?

BTW getFlattenedPermits and getFlattenedRequirements is available in 8.2 :slight_smile:
The code provided is working in 8.1 and 8.3.

– Remold

1 Like

These are my initial contents

</Source>
  import sailpoint.object.Certifiable;
  import sailpoint.object.Bundle;
  import java.util.List;
  import java.util.Iterator;
  import java.util.ArrayList;

  //Iterate through certification items
  Iterator it = items.iterator();
  while ( it.hasNext() )
  {
    Certifiable certifiable = (Certifiable) it.next();
    //Exclude Roles
    if (certifiable instanceof Bundle)
    {
      Bundle role = (Bundle) certifiable;
      rolename = role.getFullName();
      //Exclude underlying IT roles
      if(rolename.startsWith("Business"))
      {
        it.remove();
        itemsToExclude.add(certifiable);
        }
      }
    }
 </Source>
</Rule>

Can you replace your complete contents with:

  import sailpoint.tools.Util;
  import sailpoint.object.Bundle;
  import sailpoint.object.Certifiable ;
  import sailpoint.object.Identity;
  import sailpoint.object.RoleAssignment;
  import sailpoint.object.RoleDetection;

  StringBuffer explanation = new StringBuffer();

  public List getFlattenedRoles(){
    List<RoleAssignment> assignedRoles = identity.getRoleAssignments();
    List<Bundle> flattenedRoles = new ArrayList<Bundle>();
    if (assignedRoles!=null && assignedRoles.size()>0){
      for (RoleAssignment role : assignedRoles){
        Bundle bun = role.getRoleObject(context);
        flattenedRoles.addAll(bun.getFlattenedPermits());
        flattenedRoles.addAll(bun.getFlattenedRequirements());
      }
    }
    return flattenedRoles;
  }
  
  public List getTobeExcludedRoles(List detectedBundles, List allBundles){
    List tobeExcludedRoles = new ArrayList();
    for (Bundle bun : detectedBundles){
      if (allBundles.contains(bun)){
      	tobeExcludedRoles.add(bun);
      }
    }
    return tobeExcludedRoles;
  }
  
  if (entity instanceof Identity) {
    Identity identity = (Identity) entity;
    Iterator it = items.iterator();

    List<Bundle> allBundles = getFlattenedRoles();
    List<Bundle> detectedBundles = identity.getDetectedRoles();
    List<Bundle> toExclude = getTobeExcludedRoles( detectedBundles,  allBundles);

    while(it.hasNext()) {
      Certifiable certifiable = (Certifiable) it.next();
      if(certifiable instanceof Bundle) {
        Bundle bundle = (Bundle) certifiable;
        if (toExclude.contains(bundle)){
          itemsToExclude.add(bundle);
          it.remove();
          explanation.append("Exclude \"" + bundle.getName() + "\" from certification. Role is part of an assigned Role.\n");
        }
      }
    }
  }

  return (0 != explanation.length()) ? explanation.toString() : null;

I just tested this in my environment and the IT role which was assinged via a BR role was excluded from the certification. (validated by starting the certification in staged mode twice, with and without exclusion rule).

– Remold

1 Like

Do we need to also mention the variable “roles to be excluded” in below new array list?

import sailpoint.object.Bundle;

import java.util.ArrayList;

// Create an ArrayList to hold the Bundle objects

ArrayList bundleList = new ArrayList();

// Retrieve Bundle objects from the context

Bundle role1 = context.getObjectByName(Bundle.class, “Role1”);

Bundle role2 = context.getObjectByName(Bundle.class, “Role2”);

Bundle role3 = context.getObjectByName(Bundle.class, “Role3”);

// Add the Bundle objects to the ArrayList

bundleList.add(role1);

bundleList.add(role2);

bundleList.add(role3);

Can you elaborate a bit on what you want to achieve? The code you showed is just added 3 roles to a list and I have no idea what you want to do or how this is related to the exclusion rule.

– Remold

We are trying to define the below array list named items considering it will retrieve the items from the "new array list "for the exclusion rule to execute.

In this if role is “business”, it retrieves all the required roles for that role and adds their names to the “rolesToBeExcluded” list. However not sure if we need to put this condition as we are just thinking retrieve details from the array list only.
The code then creates an Iterator to iterate over the “items” list again.

Will further test in lower environment if the logics are working fine.

import java.lang.Object;
  import java.util.Iterator;
  import java.util.ArrayList;
  import sailpoint.object.Bundle;
 
  
  
  Bundle role1 = context.getObjectByName(Bundle.class, "Business Role 1");
  Bundle role2 = context.getObjectByName(Bundle.class, "Business Role 2");
  Bundle role3 = context.getObjectByName(Bundle.class, "Business Role 3");
  Bundle role4 = context.getObjectByName(Bundle.class, "Business Role 4");
  
  ArrayList items = new ArrayList();
  
  items.add(role1);
  items.add(role2);
  items.add(role3);
  items.add(role4);
  
  
  ArrayList rolesToBeExcluded = new ArrayList();
  
  for(Bundle i : items){
    if(i.getType().equalsIgnoreCase("business")){
      for(Bundle requiredRole : i.getRequirements()){
        rolesToBeExcluded.add(requiredRole.getName());
      }
    }
  }
  
   Iterator it = items.iterator();
  
    while(it.hasNext()){

      Object item = it.next();
      
      // Assuming item is not excluded
      boolean excluded = false;

      if(item instanceof sailpoint.object.Bundle){

        // Cast item to bundle object.
        Bundle role = (Bundle)item;
        
        if(rolesToBeExcluded.contains(role.getName())){
          excluded = true;
      	}
      }
      
      if (excluded){
        if(Log.DebugEnabled()) Log.debug("Excluded: "+item.getName());
        it.remove();
        itemsToExclude.add(item);
      }
      
    }
                 
	</Source>
</Rule>

Hi @ Aradhana_Mohapatra,

Do you have an update on this topic? Do you require additional help?

– Remold

Hello @Remold

This is in deployment stage as we are upgrading to 8.3 and further analysing with test cases. Will notify once deployed.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.