How do we monitor sensitivity changes to entitlement

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hi,
We have a requirement to monitor whenever the sensitivity of an entitlement is changed.
For example, consider entitlement A, which is initially set as “itsensitive”; later the classification is set to “bssensitive”. Whenever there is a change in classification, we have to capture the entitlement display name and send a mail to a specific workgroup.

Can someone let us know how we can capture the old classification value and the new classification value? Any suggestions are greatly appreciated.

Hi @Preethi,
Whenever there is a change to an entitlement's classifications, if you have an audit event created, then you can write a rule to check these audit events for the change that you are looking for and, if it's satisfied, send an email to the specific workgroup. We used a similar approach for roles whenever there is a change in some of the attributes at the role level.

Please hear other community members' comments as well.

The “Entitlement Update” workflow is executed to update the entitlements when entitlements are updated from the Entitlement Catalog. This workflow has a variable named “changes”, and this variable stores the ChangeSummary with the Difference entries, which store oldValue, newValue and the attribute name (attribute). You can update the step “Check Provisioning Errors” to see whether there is an error or the update is successful and, based on that, read the ChangeSummary and then do the audit for the changes, and the notification as well, based on the requirement.
See below how the changes variable looks:

<ChangeSummary>
  <Differences>
    <Difference attribute="name of attribue1" displayName="displayname of attribue1" newValue="newValue" oldValue="oldValue"/>
    <Difference attribute="name of attribue1" displayName="displayname of attribue1" newValue="newValue" oldValue="oldValue"/>
  </Differences>
</ChangeSummary>

Hi Vinod,

Is there any sample rule where we refer to the entitlement's old value and new value?

Hi Hemant,

We have enabled Monitoring in the entitlement update business process, but we are not sure where exactly we will get the changes. Also, is there any sample rule to get the entitlement's old and new value?

See the sample code below, which can be added to the Entitlement Update workflow in the step Check Provisioning Errors to get the oldValue, newValue and addedValues, removedValues (in case the attribute is multi-valued):

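        import java.util.List;
        import sailpoint.object.ChangeSummary;
        import sailpoint.object.Difference;

        // "changes" is the workflow variable that holds the ChangeSummary
        if (changes != null) {
            List differences = changes.getDifferences();
            for (Difference difference : differences) {
                String attrName = difference.getAttribute();
                if (difference.isMulti()) {
                    // multi-valued attribute: removed and added values as CSV strings
                    String removedValues = difference.getRemovedValuesCsv();
                    String addedValues = difference.getAddedValuesCsv();
                } else {
                    // single-valued attribute: value after and before the update
                    String newValue = difference.getNewValue();
                    String oldValue = difference.getOldValue();
                }
            }
        }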

@HemantSingh

I have updated the code in the Entitlement Update workflow. Which attribute should we use in the custom rule to get the entitlement sensitivity change?
Is there any sample custom rule to fetch the differences?

Thanks!

You can modify the Entitlement Update workflow and add a step to create a custom audit event.
Below is the sample:

        import sailpoint.object.Attributes;
        import sailpoint.object.AuditEvent;
        import sailpoint.object.Difference;
        import sailpoint.server.Auditor;

        // Build a custom audit event for the entitlement that was updated
        AuditEvent event = new AuditEvent();
        Attributes attributesMap = new Attributes();
        event.setAction("VishalEntitlementChanges");
        event.setTarget(summaryName);
        String appName = plan.getObjectRequests().get(0).getApplication();
        event.setApplication(appName);

        // Record each changed attribute as "oldValue -> newValue"
        for (Difference diff : changes.getDifferences()) {
            String changeAuditMsg = diff.getOldValue() + " -> " + diff.getNewValue();
            attributesMap.put(diff.getAttribute(), changeAuditMsg);
        }
        event.setAttributes(attributesMap);

        // Outside a CDATA section, write && as &amp;&amp; in the workflow XML
        if (plan.getRequesters() != null && !plan.getRequesters().isEmpty()) {
            String requester = plan.getRequesters().get(0).getDisplayableName();
            event.setString4("Requester: " + requester);
        }

        // Log and commit only when at least one attribute changed
        if (attributesMap.size() > 0) {
            Auditor.log(event);
            context.commitTransaction();
        }
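
Added example, not part of the original thread and not SailPoint's own code: a BeanShell step for the Entitlement Update workflow that keeps only the classification difference from `changes` and mails the old and new values to a workgroup. The attribute name `classifications`, the workgroup name, the email template name and the template variable names are hypothetical placeholders; confirm the attribute name against the logged `changes` variable in your environment.

```java
// Added example: BeanShell for a step in the "Entitlement Update" workflow.
// Assumes the workflow variables "changes" and "summaryName" used in the thread.
// Outside a CDATA section, write && as &amp;&amp; in the workflow XML.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.api.ObjectUtil;
import sailpoint.object.Difference;
import sailpoint.object.EmailOptions;
import sailpoint.object.EmailTemplate;
import sailpoint.object.Identity;

// Hypothetical placeholders: replace with the values from your environment.
String CLASSIFICATION_ATTR = "classifications";
String WORKGROUP_NAME = "Entitlement Sensitivity Reviewers";
String TEMPLATE_NAME = "Entitlement Sensitivity Changed";

// Collect one line per classification change; other attributes are skipped.
List lines = new ArrayList();
if (changes != null && changes.getDifferences() != null) {
    for (Difference diff : changes.getDifferences()) {
        if (!CLASSIFICATION_ATTR.equalsIgnoreCase(diff.getAttribute())) {
            continue;
        }
        if (diff.isMulti()) {
            lines.add("removed: " + diff.getRemovedValuesCsv()
                    + "; added: " + diff.getAddedValuesCsv());
        } else {
            lines.add(diff.getOldValue() + " -> " + diff.getNewValue());
        }
    }
}

// Notify only when the classification actually changed.
if (!lines.isEmpty()) {
    Identity workgroup = context.getObjectByName(Identity.class, WORKGROUP_NAME);
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, TEMPLATE_NAME);
    // Resolves the workgroup to its notification addresses.
    List recipients = (workgroup == null) ? null : ObjectUtil.getEffectiveEmails(context, workgroup);
    if (template != null && recipients != null && !recipients.isEmpty()) {
        Map vars = new HashMap();
        vars.put("entitlement", summaryName); // target name used by the audit sample
        vars.put("changes", lines);
        context.sendEmailNotification(template, new EmailOptions(recipients, vars));
    }
}
```

The email template has to reference the `entitlement` and `changes` variables for the values to appear in the message.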
