Hi all
Is there a way to get the identityEntitlements for all the bundles with Elevated Access true programmatically? I am creating a custom report and need to get a QueryOptions for this.
Thanks
You should be able to use something like this. Since an identity entitlement is created for every assignment, if you have lots of roles marked elevated access and assigned to lots of users, this may return a large amount of data. In that case you may have to tweak the code a bit to ensure code efficiency.

    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import sailpoint.object.Bundle;
    import sailpoint.object.Filter;
    import sailpoint.object.IdentityEntitlement;
    import sailpoint.object.QueryOptions;

    List resultlist = new ArrayList();
    QueryOptions qops = new QueryOptions();
    qops.addFilter(Filter.eq("iiqElevatedAccess", true));
    // Get all role names which are marked elevated access
    Iterator itr = context.search(Bundle.class, qops, "name");
    // Iterate over roles
    while (itr.hasNext()) {
        // A projection search returns each row as an Object[]; column 0 is the role name
        Object[] row = (Object[]) itr.next();
        QueryOptions qps = new QueryOptions();
        qps.addFilter(Filter.eq("value", row[0]));
        qps.addFilter(Filter.or(Filter.eq("name", "detectedRoles"), Filter.eq("name", "assignedRoles")));
        // Get list of identity entitlements corresponding to the role
        List idnEntitlements = context.getObjects(IdentityEntitlement.class, qps);
        for (IdentityEntitlement idenEnt : idnEntitlements) {
            // You can get all the identity entitlement details you need from the object
            resultlist.add(idenEnt.getIdentity().getName() + "," + idenEnt.getName() + "," + idenEnt.getValue());
        }
    }
    return resultlist;
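The efficiency tweak mentioned in the answer above, sketched as an added example that is not part of the original post: it queries IdentityEntitlement once per batch of elevated role names and uses a projection search so that no full objects are loaded. The batch size of 500 and the projected property path `identity.name` are assumptions; it runs as BeanShell inside IdentityIQ, where `context` is supplied.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;

// Assumption: batch size chosen to keep each IN list well under common database limits
int BATCH_SIZE = 500;

// 1. Collect the names of all roles flagged as elevated access (projection, no full Bundle objects)
List roleNames = new ArrayList();
QueryOptions roleOps = new QueryOptions();
roleOps.addFilter(Filter.eq("iiqElevatedAccess", true));
Iterator roles = context.search(Bundle.class, roleOps, "name");
while (roles != null && roles.hasNext()) {
    Object[] row = (Object[]) roles.next();
    if (row != null && row[0] != null) {
        roleNames.add((String) row[0]);
    }
}

// 2. Query IdentityEntitlement once per batch of role names instead of once per role
List resultList = new ArrayList();
for (int start = 0; start < roleNames.size(); start += BATCH_SIZE) {
    int end = Math.min(start + BATCH_SIZE, roleNames.size());
    List batch = new ArrayList(roleNames.subList(start, end));

    QueryOptions entOps = new QueryOptions();
    entOps.addFilter(Filter.in("value", batch));
    entOps.addFilter(Filter.or(Filter.eq("name", "detectedRoles"), Filter.eq("name", "assignedRoles")));

    // Assumption: "identity.name" resolves through the entitlement's identity reference.
    // Each row is an Object[] of {identity name, attribute name, role name}.
    Iterator rows = context.search(IdentityEntitlement.class, entOps, "identity.name,name,value");
    while (rows != null && rows.hasNext()) {
        Object[] row = (Object[]) rows.next();
        resultList.add(row[0] + "," + row[1] + "," + row[2]);
    }
}
return resultList;
```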
How do I use this in a report QueryParameters? I also need to get identityEntitlements of privileged or elevated entitlements in addition to the elevated roles. I need to return a queryOptions in this.
Hi @maniG,
If you are using the Filter datasource, you can use an OptionsScript or OptionsRule, which does not require any arguments or parameters.
Add the following code to your custom report. It adds the filters if there is already an existing QueryOptions object; if there is no QueryOptions object already, it creates one, adds the filters to it and returns it.
<OptionsScript>
  <Source><![CDATA[
    import java.util.ArrayList;
    import java.util.Iterator;
    import java.util.List;
    import sailpoint.object.QueryOptions;
    import sailpoint.object.Filter;
    import sailpoint.object.Bundle;
    import sailpoint.object.IdentityEntitlement;

    // Get all the bundles which have elevated access
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("iiqElevatedAccess", true));
    Iterator itr = context.search(Bundle.class, qo, "name");

    // The bundle name is stored as the value in the IdentityEntitlement.
    // Collect every name so the filter covers all elevated bundles, not only the first row.
    List elevatedBundleNames = new ArrayList();
    while (itr != null && itr.hasNext()) {
      Object[] names = (Object[]) itr.next();
      if (names != null && names[0] != null) {
        elevatedBundleNames.add((String) names[0]);
      }
    }
    // No elevated bundles found
    if (elevatedBundleNames.isEmpty()) {
      return null;
    }

    // The options variable is an input to the OptionsScript or OptionsRule;
    // it contains the QueryOptions if any were defined previously
    QueryOptions queryOptions = (options != null) ? options : new QueryOptions();
    queryOptions.addFilter(Filter.in("value", elevatedBundleNames));
    queryOptions.addFilter(Filter.or(Filter.eq("name", "detectedRoles"), Filter.eq("name", "assignedRoles")));
    return queryOptions;
  ]]></Source>
</OptionsScript>
Thanks @Chathurya
I need to return not only the queryOptions for all the elevated access bundles but also for any entitlements which are privileged and elevated.
How do I return it using the same queryOptions?
You can use the sample code to retrieve the IdentityEntitlements which have elevated Access for ManagedAttributes or Bundles.
<OptionsScript>
  <Source><![CDATA[
    import sailpoint.object.QueryOptions;
    import sailpoint.object.Filter;
    import sailpoint.object.Bundle;
    import sailpoint.object.ManagedAttribute;
    import java.util.Iterator;
    import java.util.List;
    import java.util.ArrayList;

    List elevatedAccessNames = new ArrayList();
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("iiqElevatedAccess", true));

    // Adds the first projected column of every search row to the list,
    // so all matching objects are collected rather than only the first one
    void addElevatedAccessNames(Iterator itr, List names) {
      while (itr != null && itr.hasNext()) {
        Object[] row = (Object[]) itr.next();
        if (row != null && row[0] != null) {
          names.add((String) row[0]);
        }
      }
    }

    // Get all the ManagedAttributes and Bundles which have elevated access
    addElevatedAccessNames(context.search(ManagedAttribute.class, qo, "value"), elevatedAccessNames);
    addElevatedAccessNames(context.search(Bundle.class, qo, "name"), elevatedAccessNames);

    List identityEntitlementNames = new ArrayList();
    identityEntitlementNames.add("detectedRoles");
    identityEntitlementNames.add("assignedRoles");
    identityEntitlementNames.add("groups"); // attribute name according to applications

    // The options variable is an input to the OptionsScript or OptionsRule;
    // it contains the QueryOptions if any were defined previously
    if (options != null) {
      options.addFilter(Filter.in("value", elevatedAccessNames));
      options.addFilter(Filter.in("name", identityEntitlementNames));
      return options;
    }
    QueryOptions queryOptions = new QueryOptions();
    queryOptions.addFilter(Filter.in("value", elevatedAccessNames));
    queryOptions.addFilter(Filter.in("name", identityEntitlementNames));
    return queryOptions;
  ]]></Source>
</OptionsScript>
Thank you @Chathurya
@maniG No worries, happy to hear it helped!