Hi All,
i need to get the entitlements from roles ?
can anyone please help this
Thanks
Ranjith
Hi @Ranjith,
Can you please provide more information on your requirement? As if what you are trying to achieve, why and how? This will help everyone to understand the issue better and can try providing you with a proper solution.
Hi @Jarin_James
if user already have the entitlement A but he again raise the request for entitlement A means sailpoint will never allow to submit the request it shows "this item you are already assigned " but my sceanrio , the user already have the role A which contains entitlement A and i have the other role B which also contains entitlement A , so when i raise the request for role b "i need to block him "
Thanks in advance
Ranjith
Curious question, why does multiple Roles has same entitlement, check if you can avoid.
However, you need to implement Policy violations to prevent the request.
Thanks
Krish
Hi @MVKR7T
yeah that i can achieve in policy violation only
Curious question, why does multiple Roles has same entitlement, check if you can avoid.? in my requirement i have this kind of things so i need to sortout
if i can get the entitlement from bundles so i can move forward
Thanks in advance
Ranjith
- Execute Role Composition report to see what entitlements are there in each Role
- Consolidate the Roles, where user cannot request for more than one
- Configure Role SOD Policy
In case if you think, these Roles will be dynamic in terms of entitlements then go for advanced policy.
for reference, see this post:
Thanks
Krish
Hi @Ranjith2000
If you are same entitlement different role, that might won’t be the right approach. If both the roles are only having the same entitlements, then it will be a problem in your case. Both the roles will be showing up on the identity as Detected if the user having the entitlement. Hence a Policy Violation might trigger violation whenever the policies are scanned.
sorry for my confusion
here demo-role two times assigned so i need to restrict this when user raise the request for demo-role again
Thanks in advance
Ranjith
Hi @Ranjith2000,
I doubt Sailpoint will allow the user to raise the role which he is already having. Check and confirm how the role was assigned to the user .
Hi @Jarin_James
usualy sailpoint will never allow that but this bundle dont have any inherited roles or enitilement so that it will allow , its little weird requirement so i have to block the roles
Thanks in advance
Ranjith
Open the Role in Debug and check entry for allowMultipleAssignments
in this link they are using get the user selecting roles from plan but
i need to get the users selectiong roles in advances policy .(because advanced policy dont have the argument plan object)
Thanks in advance
Ranjith
Below is the code I have posted in community couple of years back. I am getting Roles from identity not plan. Policies work with optimistic provisioning concept. So your identity (optimistic identity) will have the requested roles as well.
Policy violation executes 2 times.
1st time without considering the Roles you requested
2nd time by considering the Roles you requested
Just to make sure that you don’t have any policy violations before this request, so you need to write code accordingly so that policy violation will be thrown in 2nd execution.
import sailpoint.object.Identity;
import sailpoint.object.PolicyViolation;
import java.util.List;
import java.util.ArrayList;
PolicyViolation violation = null;
Identity futureId = identity;
boolean vflag = false;
if(null != futureId){
List existingIdRoles = new ArrayList();
List futureIdRoles = new ArrayList();
Identity existingId = context.getObjectByName(Identity.class, futureId.getName());
if(null != existingId){
existingIdRoles = existingId.getAssignedRoles();
futureIdRoles = futureId.getAssignedRoles();
futureIdRoles.removeAll(existingIdRoles); //now futureIdRoles will contain only requested roles
if(futureIdRoles.size()>1)
vflag = true;
}
}
if(vflag){
violation = new PolicyViolation();
violation.setActive(true);
violation.setIdentity(identity);
violation.setPolicy(policy);
violation.setConstraint(constraint);
violation.setDescription("You are not allowed to request more than 1 Role);
violation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}
return violation;
Hi @MVKR7T
we are working this rule so far but futureIdRoles.removeAll(existingIdRoles); instead of this line i need to get users selecting roles
thanks in advance
Ranjith
Hello Ranjith, according to your use case you need to stop users who have Role A to request Role B. In this case you can use Krishna’s code but instead of removing existing from future roles. You can check whether the existing role list consist of Role A and future contains Role A and Role B. If yes, then set the policy flag to true.This will stop users from requesting role B when they have role A.
Hello @Ranjith2000
If you have to check for a particular role then once you have the existing and the future role you will should do this
existingIdRoles = existingId.getAssignedRoles();
futureIdRoles = futureId.getAssignedRoles();
futureIdRoles.removeAll(existingIdRoles);
if(futureIdRoles.size()>1 && futureIdRoles.contains("your particular role"))
/*This is just a reference code, make sure you correctly check for this role. I think this roles list will contain role objects, so get the name of the role object and then compare the name with your role name. If its your role then go in the loop.*/
{
//Rest of your code
}
The idea should be that you check that a role has been requested and the requested role is the particular role which you are looking for
This line of code subtract Roles in database identity and optimistic identity.
1st time execution: This line will return empty (As first time it executes without considering Request)
2nd time execution: This line will return requested Roles
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.