How does a Reassign Artifacts Rule work?

Which IIQ version are you inquiring about?

8.3

I’ve seen the example rules provided by SailPoint, but I’m not clear on what is happening. I tried looking up the Java objects in the javadoc, but the javadoc doesn’t actually describe what things are, merely what their methods and fields are. Can someone tell me how these rules work? It seems to create a provisioning plan, and then it returns a ConfiguredLeaverRequest (what is this?). I’ve combed the online documentation and it’s all very vague. How is this supposed to work? What are the inputs/outputs? And why do these things in a separate rule rather than the leaver workflow?

Are you asking for a sample rule, or do you want to know which items can be reassigned? The rule will be used if you want to assign it to a user other than the manager.

I have the sample that sailpoint provides:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1674480845556" language="beanshell" modified="1674481376364" type="LeaverAccountRequests">
  <Source>

  /**
        Example rule for leaver configuration.  The following parameters are passed in:
        context - a SailpointContext
        identityName - the name of the identity that is leaving
        appName - the name of the application for which the config is being requested
        nativeId - the native id of the account
        requestType - terminate or leaver
        mode - immediate or later
        leaverPlanBuilder - the leaver plan builder
        log - log object, used to write log messages
        */
  import java.util.Map;
  import java.util.List;
  import java.util.HashMap;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.tools.Util;
  import sailpoint.rapidsetup.plan.*;

  Map additionalArgs = new HashMap();
  additionalArgs.put("requestType", requestType);

  // Create a composite configuration object, and pass in the default configuration provider (forEveryone)
  LeaverAppConfigProvider provider = new CompositeConfigProvider(
    LeaverConfigBuilder
    .forEveryone()
    .setRemoveEntitlements(appName, LeaverAppConfigProvider.OPT_MODE_LATER)
    .setEntitlementDelay(appName, 5)
    .build(context)
  );

  // Create the population specific configuration provider (forPopulation) and
  // add it to the composite configuration object
  provider.add(
    LeaverConfigBuilder
    .forPopulation(context, "Asurion - Leaver Population")
    .setRemoveEntitlements(appName, LeaverAppConfigProvider.OPT_MODE_LATER)
    .setEntitlementDelay(appName, 3)
    .build(context)
  );

  // this returns the individual requests used in the provisioning plans using the passed in configuration objects
  ConfiguredLeaverRequest configuredRequest = BasePlanBuilder
  .leaverPlan(context, identityName, additionalArgs, provider, leaverPlanBuilder.isTerminateIdentity())
  .getAppRequests(context, identityName, appName, mode, nativeId);

  // insert custom processing of leaver requests here
  // this could be for example to add more complex entitlement exclusion rules.  Just replace
  // the print statements below, with actual processing of the accountRequests.
  // if no additional processing is required, just return configuredRequest
  List accountRequests = configuredRequest.getAccountRequests();

  // walk through the plan account requests and alter the details.
  for(ProvisioningPlan.AccountRequest accountRequest : Util.safeIterable(accountRequests)) {
    print("Account Op: " + accountRequest.getOperation() + "   Application Name: " + accountRequest.getApplicationName());
    print("Attribute request info ...");
    for(ProvisioningPlan.AttributeRequest attributeRequest : Util.safeIterable(accountRequest.getAttributeRequests())) {
      print("  Attribute Op: " + attributeRequest.getOp() + "   Attribute Name: " +
            attributeRequest.getName() + "   Attribute Value: " + attributeRequest.getValue());
    }
  }

  return configuredRequest;

  </Source>
</Rule>

but the Java classes involved aren’t explained in the javadoc, and there is little explanation in the comments as to why things are this way. Why are there two plans made (one for ‘Asurion’, and for everyone else, I’m guessing), what is Asurion in this context, what do these different objects represent, why use LeaverPlanBuilder over new PlanProvider, etc. It feels like there is a huge lesson plan that has been omitted.

"Asurion - Leaver Population" is a dynamic search-based population. You should have a population with this exact name: Asurion - Leaver Population. The population is defined as a GroupDefinition object. You can verify its existence in debug mode, or by checking in SSB (SailPoint Sandbox) or SSD (SailPoint Studio Debugger).

How does it work?

  1. Trigger Point:
     • When an identity’s status changes (e.g., disabled, deleted, terminated), SailPoint can trigger a Reassign Artifacts Rule.
  2. Rule Execution:
     • The rule runs and determines who should take over the artifacts owned by the disabled user.
     • You write logic inside the rule to find a replacement user (like their manager, a backup person, or a static user).
  3. Artifacts Covered:
     • Certifications owned by the disabled identity.
     • Access review tasks.
     • Work items (e.g., approvals pending).
     • Any ownership references.
  4. Return Value:
     • The rule should return the Identity object of the person who will now own or handle the reassigned tasks/artifacts.

Is there an example of a rule that does that, since the above rule is clearly wrong?

I assume reassign identities works the same way?

I’ve written a rule, and as far as I can tell, it isn’t even called by the leaver. It’s on the leaver page (and appears in the dropdown), is there something wrong with it, or do I need to do something else to make certain it gets called?

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1745855990019" language="beanshell" name="Rapid Setup Leaver Artifact Reassignment Rule" type="LeaverReassignment">
  <Description>
    The rule called by the rapid setup leaver to determine the identity to reassign artifacts to.
  </Description>
  <Signature returnType="Identity">
    <Inputs>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identityName">
        <Description>
          The name of an Identity object.
        </Description>
      </Argument>
      <Argument name="identity">
        <Description>
          A fully resolved Identity object in case the rule wants to do its own queries to locate the identity.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="identity">
        <Description>
          The identity to be reassigned to.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source><![CDATA[
    import org.apache.log4j.Logger;
    import sailpoint.object.Identity;

    Logger log = Logger.getLogger("Rapid_Setup_Leaver");
    log.info("Rapid Leaver Artifact Reassignment Rule Entered");

    Identity targetIdentity = null;

    if (identity == null && identityName != null)
    {
      identity = context.getObjectByName(Identity.class, identityName);
    }
    
    if (identity != null)
    {
      targetIdentity = identity.getManager();
    }
    else
    {
      log.info("Rapid Leaver Artifact Reassignment Rule could not find reassignment identity for: " + identityName);
    }

    log.info("Rapid Leaver Artifact Reassignment Rule Exited");

    return targetIdentity;
  ]]></Source>
</Rule>

The rule looks fine to me. Can you share a screenshot of the config where you have added the rule?
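
An added example for the thread's question about what a reassignment rule should return (not SailPoint's sample and not any poster's code): a BeanShell body for a `LeaverReassignment` rule that takes the same `context`, `identityName` and `identity` inputs as the signature posted above, walks up the manager chain to the first active manager, and otherwise returns a fallback owner. `FALLBACK_OWNER` and `MAX_DEPTH` are hypothetical values chosen for illustration.

```java
// Added example: BeanShell rule body, inputs are context, identityName, identity.
import java.util.HashSet;
import java.util.Set;
import org.apache.log4j.Logger;
import sailpoint.object.Identity;

Logger log = Logger.getLogger("Rapid_Setup_Leaver");

// Assumption: name of a monitored identity or workgroup that can own orphaned items.
String FALLBACK_OWNER = "Leaver Artifact Fallback Owner";
// Assumption: how many levels of the manager chain to inspect before giving up.
int MAX_DEPTH = 10;

if (identity == null && identityName != null) {
  identity = context.getObjectByName(Identity.class, identityName);
}
if (identity == null) {
  log.warn("Leaver reassignment: identity not found: " + identityName);
  return null;
}

// Track visited names so a circular manager relationship cannot loop forever.
Set seen = new HashSet();
seen.add(identity.getName());

Identity candidate = identity.getManager();
int depth = 0;
while (candidate != null && depth < MAX_DEPTH) {
  if (!seen.add(candidate.getName())) {
    log.warn("Leaver reassignment: manager loop detected at " + candidate.getName());
    break;
  }
  if (!candidate.isInactive()) {
    log.info("Leaver reassignment: " + identity.getName() + " -> " + candidate.getName());
    return candidate;
  }
  // This manager has also left; try the next level up.
  candidate = candidate.getManager();
  depth++;
}

// No active manager in the chain: use the fallback owner if it exists and is active.
Identity fallback = context.getObjectByName(Identity.class, FALLBACK_OWNER);
if (fallback == null || fallback.isInactive()) {
  log.error("Leaver reassignment: no active owner found for " + identity.getName());
  return null;
}
log.info("Leaver reassignment: " + identity.getName() + " -> fallback " + fallback.getName());
return fallback;
```

The `isInactive()` check matters because returning a manager who has also left would hand certifications and pending approvals to an identity that cannot act on them.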