Getting Started with SailPoint IIQ Development

Hello Sailor,

Welcome to SailPoint!

If you are looking to become a SailPoint developer but don’t know where to start, then congratulations, you are in the right place. When I first started working with SailPoint, I didn’t have a proper learning path or a mentor to help guide me. The purpose of this blog is to give beginners a guided tour of SailPoint development.

SailPoint has two products mainly:

IdentityIQ, which is hosted On-Premise

IdentityNow, which is hosted in the cloud

For more product information: https://documentation.sailpoint.com/

IdentityNow shares some of the architecture of IdentityIQ and follows a similar Object Model. If you learn development in IdentityIQ, it will help you in IdentityNow as well.

What is IdentityIQ

  • IdentityIQ aka IIQ (in short form) is a simple WAR file just like a J2EE project.
  • IIQ follows OOPS (Object Oriented Programming Structure), so everything is an object.
  • Every object is represented in XML structure.
  • If you learn about each individual object and how the objects are connected, then you are well on your way to becoming a SailPoint Developer.

Note:

  • IIQ stores all of its objects in a database which is called identityiq.
  • It has ~220 tables; one for every individual object.
  • context is used to connect to the database, which is available by default as an argument in SailPoint code so you don’t need to write code to connect to the DB explicitly.

What skills and technologies do you need to learn

  • Bean Shell Scripting (same as Core Java) - Used to build the core logic in SailPoint.

    You don’t need to learn the entirety of Core Java, just the basics.

    1. OOPS (Object Oriented Programming Structure)
    2. Data types
    3. Branching: If/Else, Ternary
    4. Loops: for, foreach, while, do-while
    5. Exception handling: try/catch
    6. Collections: Iterator, ArrayList, HashMap, TreeSet
    7. File handling
    8. Date
    9. Calendar
  • XML - IIQ objects are represented in XML structure.

  • SQL - Used to build reports or if you are interacting with the database directly. These basic SQL queries will get you very far: INSERT, UPDATE, DELETE and JOIN.

  • HTML - Used to build forms and email templates.

  • Apache Velocity Script - Used to customize email notifications

  • PowerShell - Used to automate Microsoft technologies including AD/Azure AD/Exchange.

  • CSS - Used to add styling to your email notifications content (ex. color, fonts, etc).

  • JavaScript - Used to further customize your email templates.

Object modeling

In order to effectively develop on SailPoint, you need to understand how objects are structured, how to construct objects, and how to read data from an object. Since IIQ is Identity Management tool, let’s start with the Identity object.

The following code snippet can be used in a Beanshell script to get information about a specific identity.

Identity idObj = context.getObjectByName(Identity.class, “123456”);

log.info(idObj.toXml());

IIQ creates a unique ID for every object, so we can use that ID to get an identity object.

Identity idObj = context.getObjectById(Identity.class, “0a57d1f95817dae34a9d7001f”);

log.info(idObj.toXml());

You can use the methods goById() or goByName() (short form) for getting any object from the IIQ DB by changing the object type and table name.

The Java code above can also be represented as SQL using the following query:

SELECT * from TABLE_NAME where user_name = ‘value’;

To log this data, you can use

log.error(idObj.toXml());

You can use return statement to print in the Rule execution output. Please note that return statement terminates the execution and does not continue to next line.

Debug editor

  • Login to debug page http://localhost:8080/identityiq/debug

  • SailPoint IIQ has in built code editor, you don’t get any suggestions on syntax, no auto complete but it recognizes the key words.

  • You can use IDE as well, I have seen people using Eclipse.

  • You can execute The Rule, you can consider it as executing main method(thread) in Java.

    public static void main (String[] args) {
    ......
    .....
    }
    
  • Select object type as Rule

  • Select an action New, which will open blank Rule

  • Please note that SailPoint debug editor won’t generate any default code like boilerplate for HTML in VS code, you need to type everything

  • Alternative is to duplicate the existing Rule by: Open any existing Rule, change the name, remove id value and save it. This will create your rule, open it and update the code in source tag

  • Select the Rule from dropdown before Run Rule, click Run Rule

Identity object

IIQ is about

  • Reading the data called Aggregation or Get in programming
  • Writing the data called Provisioning or Set in programming

Well of course, same any IAM tool.

IIQ Development is about this getter and setter methods also called Beans in Java.

You need to understand IIQ API, learn different classes and their methods

Access IIQ API using http://localhost:8080/identityiq/doc/javadoc

#Get Data from Identity object

You can use getAttribute() method to extract any attribute by passing attribute name

As I mentioned earlier, IIQ represents objects in XML format as <Key, Value> pairs, for example

Rule

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Get Data">
  <Source>
  import sailpoint.object.Identity; //Import Identity class

  Identity identity = context.getObjectByName(Identity.class, "101010"); //construct identity object

  String firstName = identity.getAttribute("firstname");
  String lastName = identity.getAttribute("lastname");
  String email = identity.getAttribute("email");

  log.error("first name is ::"+firstName);
  log.error("last name is ::"+lastName);
  log.error("email is ::"+email);

  return firstName + "\n" + lastName + "\n" + email;

  </Source>
</Rule>

Rule Output

image

#Set the data to Identity Object

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Set Data">
  <Source>
  import sailpoint.object.Identity; //Import Identity class
  
  Identity identity = context.getObjectByName(Identity.class, "101010"); //construct identity object
  
  String locationBefore = identity.getAttribute("location");
  String departmentBefore = identity.getAttribute("department");
  
  String location = "USA";
  String department = "Modelling";
  
  identity.setAttribute("location", location); //set location attribute
  identity.setAttribute("department", department); ////set department attribute
  
  context.saveObject(identity); //Save the object
  context.commitTransaction(); //commit the transaction to DB
  </Source>
</Rule>

After executing the Rule, either checking the Identity object in Debug or in Identity Warehouse or now you know how to get attributes using code

Identity object methods

Below are some of the commonly used methods on Identity object


[/details]

Application object

  • We onboard applications including HR and Target Applications​
  • HR Application aka Authoritative Source – used to create Identities​
  • Target Applications to provision/create accounts/access for identities in that specific app

Application Definition view from UI​

To view this

  • Login to IdentityIQ​
  • Applications​
  • Application Definition​
  • Select App​

Please note that you should have Administrator capability​

Table name for Application is​ spt_application

​Same Application you can view in Debug as an XML​

  • Access Debug page​
  • Object Type: Application​
  • Select App​

  • Please note that you should have Administrator capability​
  • You can edit the app definition and can be saved.​
  • You can create duplicate of this object to create one more application with necessary changes, but you need to remove all id values as it should be unique​
  • You can use this XML object to create same application in other environments like SIT/UAT/PROD​
  • No need to create app from scratch again.​
  • Saves a lot of time.​

Coding on Application Object​

Remember you learnt how to create Identity object, which was​

//goByName
Identity idObj = context.getObjectByName(Identity.class, “101010”);​
//goById
Identity idObj = context.getObjectById(Identity.class, 57daedae34a9d7001f”);​

​Similarly for application​

//goByName
Application appObj = context.getObjectByName(Application.class, “HRApp1”);​
//goById
Application appObj = context.getObjectById(Application.class, “0a0dae117dae320011”);​

​You can find the methods available for Application object from Java doc​


​Coding on Application Object

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Application">
  <Source>
  import sailpoint.object.Application;
  
  Application application = context.getObjectByName(Application.class, "HR App1");
  
  return application.toXml();
  
  </Source>
</Rule>


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Application">
  <Source>
  import sailpoint.object.Application;
  
  Application application = context.getObjectByName(Application.class, "HR App1");
  
  List schemaList = application.getSchemas();
  String featureString = application.getFeaturesString();
  String type = application.getType();
  
  return type + "\n" + featureString + "\n" + schemaList.get(0).toXml();
  
  </Source>
</Rule>

Link object

Identity – user object​

Account – user details in an application which is called as Link in technical terminology​

  • You can see user accounts in Identity cube for any user (or in other words)​
  • You can see what are all applications user has account/access​
  • If by any mistake some other user account is tagged, then you can simply move to different identity just by selecting the checkbox and click on Move account which will ask you to select the identity​

Table name for link object is spt_link

Link object in Debug​

  • There is no separate object representation for link​
  • You can view link in Identity object itself.​

Coding for Link object

  • Unlike creating Identity/Application object, we don’t create link object.​
  • We fetch link object from an identity​
  • But in case you need to create a link object, then you need to know the id of that link​
  • You will come across this when you are dealing with link objects in Custom forms​
  • Since there is no name for link object, we can’t use goByName method​
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Link">
  <Source>
  import sailpoint.object.Link;
  
  Link link = context.getObjectById(Link.class, "c0a8b2648a181397818a4c58f3b91620");
  
  return link.toXml();
  
  </Source>
</Rule>

We can fetch all the links(accounts) for a user

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Link">
  <Source>
  import sailpoint.object.Link;
  import sailpoint.object.Identity;
  
  //Link link = context.getObjectBy(Link.class, "c0a8b2648a181397818a4c58f3b91620");
  
  Identity identity = context.getObjectByName(Identity.class, "101010");
  
  return identity.getLinks();
  
  </Source>
</Rule>

Relationship between Identity, Application and Link object

We can fetch link(account) for user on a specific application

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Link">
  <Source>
  import sailpoint.object.Link;
  import sailpoint.object.Identity;
  import sailpoint.object.Application;
  import sailpoint.api.IdentityService;
  
  //Link link = context.getObjectBy(Link.class, "c0a8b2648a181397818a4c58f3b91620");
  
  Identity identity = context.getObjectByName(Identity.class, "101010");
  Application application = context.getObjectByName(Application.class, "HR App1");
  
  IdentityService idSvc = new IdentityService(context);
  
  List links = idSvc.getLinks(identity, application);
  
  return links;  
  
  </Source>
</Rule>

Get specific link for a user

  • Once you fetch a specific link object, you can use SailPoint API to extract specific attributes from link object same as we have seen in Identity/Application​
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Main-Link">
  <Source>
  import sailpoint.object.Link;
  import sailpoint.object.Identity;
  import sailpoint.object.Application;
  import sailpoint.api.IdentityService;
  
  //Link link = context.getObjectBy(Link.class, "c0a8b2648a181397818a4c58f3b91620");
  
  Identity identity = context.getObjectByName(Identity.class, "101010");
  Application application = context.getObjectByName(Application.class, "HR App1");
  
  IdentityService idSvc = new IdentityService(context);
  
  List links = idSvc.getLinks(identity, application);
  
  //return links;
  
  Link link = links.get(0);
  
  String empId = link.getAttribute("EmployeeID");
  String firstName = link.getAttribute("FirstName");
  String lastname = link.getAttribute("LastName");;
  
  return "Employee ID :: " + empId + "\nFirst Name :: " + firstName + "\nLast Name :: " + lastname;
  
  </Source>
</Rule>

Link object methods in Javadoc​

  • Below are the methods that are widely used in day to day activities on Link object​
  • Please note that Application object is used mostly to get specific link associated with Identity, so you don’t need to know much about methods available for application object.​
  • But every object has almost similar get and set methods, if you understand one object, its not a big deal to understand other objects, as it’s basically SailPoint API is about getters and setters​

Summary

So to summarize this,

  • You need to learn Core Java basics and understand IdentityIQ object model.
  • Before you start development, you should have good amount of product knowledge.
  • IIQ development is about bunch of Get methods and Set methods.
  • When you understand Objects and how objects are connected, It is easy to do development.
  • It is not about how much you learn, you need to feel the soul of IIQ.

I have used SailPoint Debug editor, created Rule objects. I have seen and heard many people using IDE like eclipse. They use CI/CD to deploy the code from one environment to another. Every client has their own way of managing their environments and deployment procedures.

It’s completely your choice whether to use SailPoint debug editor or not. But I would say, you should learn product features and offerings first before using external tools or custom solutions.

Personally, I don’t like using IDE. Because, I don’t like to depend on IDE auto suggestions, auto completions. I would like to code like Batman/Ironman in a faster way.

14 Likes

Amazing overview and explanation! :raised_hands:

2 Likes

Great explanation !!

2 Likes

As someone who’s just starting to learn about SailPoint, your blog has been incredibly helpful and encouraging. Thank You!

3 Likes

Good one Krishna ! This will help rookie for sure .

2 Likes

Great article Krishna…!

1 Like

This blog will be Extremely useful to the people who will start learning SailPoint even for someone who is not much aware of it. This blog has truly transformed their career in a remarkable manner. Well done Krishna!!

1 Like

Anything similar for IDN ?

1 Like

Thanks Krishna for sharing such a detailed blog. Will try to share it will my junior colleagues to have a basic understanding.

1 Like

Thank you @MVKR7T . It is very helpful.

2 Likes

I am looking forward to more such informative blogs.