How should I get the entitlements from Roles?

Hi All,

I need to get the entitlements from roles.

Can anyone please help with this?

Thanks
Ranjith

Hi @Ranjith,

Can you please provide more information on your requirement, such as what you are trying to achieve, why, and how? This will help everyone understand the issue better and try to provide you with a proper solution.

Hi @Jarin_James

If a user already has entitlement A and raises a request for entitlement A again, SailPoint will never allow the request to be submitted; it shows "this item you are already assigned". But in my scenario the user already has role A, which contains entitlement A, and I have another role B which also contains entitlement A, so when he raises the request for role B, I need to block him.

Thanks in advance
Ranjith

Curious question: why do multiple Roles have the same entitlement? Check if you can avoid it.

However, you need to implement Policy violations to prevent the request.

Thanks
Krish

Hi @MVKR7T

Yeah, that I can achieve in policy violation only.

"Curious question: why do multiple Roles have the same entitlement? Check if you can avoid it." In my requirement I have this kind of thing, so I need to sort it out.

If I can get the entitlements from bundles, I can move forward.

Thanks in advance
Ranjith

  1. Execute the Role Composition report to see what entitlements are in each Role
  2. Consolidate the Roles, so that a user cannot request more than one
  3. Configure a Role SOD Policy

In case you think these Roles will be dynamic in terms of entitlements, then go for an advanced policy.

For reference, see this post:

Solved: Advanced Policy: Extracting Requested Roles/Entitles When Submitting Requests Through Manage Access - Page 2 - Compass (sailpoint.com)

Thanks
Krish

Hi @Ranjith2000

If you have the same entitlement in different roles, that might not be the right approach. If both roles only have the same entitlements, then it will be a problem in your case. Both roles will show up on the identity as Detected if the user has the entitlement. Hence a Policy Violation might trigger a violation whenever the policies are scanned.

Hi @MVKR7T @Jarin_James

Sorry for my confusion.

Here demo-role is assigned two times, so I need to restrict this when the user raises the request for demo-role again.

Thanks in advance
Ranjith

Hi @Ranjith2000,

I doubt SailPoint will allow the user to raise a request for a role which he already has. Check and confirm how the role was assigned to the user.

Hi @Jarin_James

Usually SailPoint will never allow that, but this bundle doesn't have any inherited roles or entitlements, so it will allow it. It's a little weird requirement, so I have to block the roles.

Thanks in advance
Ranjith

Open the Role in Debug and check entry for allowMultipleAssignments

Hi @Ranjith2000

I agree with @MVKR7T; try changing allowMultipleAssignments to false.

Hi @MVKR7T @Jarin_James

In this link they are getting the user's selected roles from the plan, but I need to get the user's selected roles in an advanced policy (because an advanced policy doesn't have the plan object argument).

Thanks in advance
Ranjith

Below is the code I posted in the community a couple of years back. I am getting Roles from the identity, not the plan. Policies work with the optimistic provisioning concept, so your identity (optimistic identity) will have the requested roles as well.

Policy violation executes 2 times:

1st time without considering the Roles you requested
2nd time considering the Roles you requested

This is just to make sure that you don't have any policy violations before this request, so you need to write the code accordingly so that the policy violation is thrown in the 2nd execution.

```java
import sailpoint.object.Identity;
import sailpoint.object.PolicyViolation;
import java.util.List;
import java.util.ArrayList;

PolicyViolation violation = null;
Identity futureId = identity;   // optimistic identity: already carries the requested roles
boolean vflag = false;

if (null != futureId) {
    List existingIdRoles = new ArrayList();
    List futureIdRoles = new ArrayList();
    // persisted identity from the database, i.e. the state before this request
    Identity existingId = context.getObjectByName(Identity.class, futureId.getName());
    if (null != existingId) {
        existingIdRoles = existingId.getAssignedRoles();
        // work on a copy so removeAll does not modify the optimistic identity's own role list
        List assigned = futureId.getAssignedRoles();
        if (null != assigned) futureIdRoles.addAll(assigned);
        if (null != existingIdRoles) futureIdRoles.removeAll(existingIdRoles);
        // now futureIdRoles will contain only requested roles
        if (futureIdRoles.size() > 1)
            vflag = true;
    }
}

if (vflag) {
    violation = new PolicyViolation();
    violation.setActive(true);
    violation.setIdentity(identity);
    violation.setPolicy(policy);
    violation.setConstraint(constraint);
    violation.setDescription("You are not allowed to request more than 1 Role");
    violation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}

return violation;
```

Hi @MVKR7T

We are working with this rule so far, but instead of the line futureIdRoles.removeAll(existingIdRoles); I need to get the user's selected roles.

Thanks in advance
Ranjith

Hello Ranjith, according to your use case you need to stop users who have Role A from requesting Role B. In this case you can use Krishna's code, but instead of removing existing roles from future roles, you can check whether the existing role list contains Role A and the future list contains Role A and Role B. If yes, then set the policy flag to true. This will stop users from requesting role B when they have role A.

Hi @aishwaryagoswami

In my requirement, I'm dealing with a single role.

Thanks in advance
Ranjith

Hello @Ranjith2000
If you have to check for a particular role, then once you have the existing and the future roles you should do this:

```java
existingIdRoles = existingId.getAssignedRoles();
futureIdRoles = new ArrayList(futureId.getAssignedRoles());
futureIdRoles.removeAll(existingIdRoles); // only the requested roles remain
// Reference code only: the list holds Bundle objects, so compare by role name,
// not by string, and replace "your particular role" with the role you check for
boolean requestedParticularRole = false;
for (Object o : futureIdRoles) {
    if ("your particular role".equals(((sailpoint.object.Bundle) o).getName()))
        requestedParticularRole = true;
}
if (!futureIdRoles.isEmpty() && requestedParticularRole) {
    // Rest of your code
}
```

The idea should be that you check that a role has been requested and that the requested role is the particular role which you are looking for.

This line of code subtracts the Roles of the database identity from those of the optimistic identity.

1st time execution: this line will return empty (as the first time it executes without considering the Request)
2nd time execution: this line will return the requested Roles
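As an added example (not code from this thread), here is how the two-pass check described above could be written for Ranjith's case of demo-role being requested a second time, which the removeAll approach can miss because a role already held is not "new" in the Bundle list. It assumes the usual advanced-policy rule arguments (identity, context, policy, constraint), the role name demo-role from the thread, that Identity.getRoleAssignments() and RoleAssignment.getRoleName() are available in the IIQ API, and that the optimistic identity carries the new assignment.

```java
// Added example, not the thread's code. Assumed: rule args identity, context,
// policy, constraint; IIQ API Identity.getRoleAssignments()/RoleAssignment.getRoleName().
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Identity;
import sailpoint.object.PolicyViolation;
import sailpoint.object.RoleAssignment;
String targetRole = "demo-role"; // the role named in the thread

// Count assignments per role name. With allowMultipleAssignments=true the same
// role can appear here more than once, while getAssignedRoles() lists each
// Bundle once, so a repeat request of a held role would not stand out there.
Map countAssignments(Identity id) {
  Map counts = new HashMap();
  List assignments = id.getRoleAssignments();
  if (assignments != null) {
    for (Object o : assignments) {
      String name = ((RoleAssignment) o).getRoleName();
      Integer c = (Integer) counts.get(name);
      counts.put(name, Integer.valueOf(c == null ? 1 : c.intValue() + 1));
    }
  }
  return counts;
}
PolicyViolation violation = null;
Identity futureId = identity; // optimistic identity handed to the rule
if (futureId != null) {
  // persisted identity: the state before this request was applied
  Identity existingId = context.getObjectByName(Identity.class, futureId.getName());
  if (existingId != null) {
    Map before = countAssignments(existingId);
    Map after = countAssignments(futureId);
    int have = before.containsKey(targetRole) ? ((Integer) before.get(targetRole)).intValue() : 0;
    int want = after.containsKey(targetRole) ? ((Integer) after.get(targetRole)).intValue() : 0;
    // 1st pass: have == want, no violation. 2nd pass: want > have only when the
    // request adds targetRole; block it if the user already holds that role.
    if (have > 0 && want > have) {
      violation = new PolicyViolation();
      violation.setActive(true);
      violation.setIdentity(identity);
      violation.setPolicy(policy);
      violation.setConstraint(constraint);
      violation.setDescription("Role " + targetRole + " is already assigned; requesting it again is not allowed.");
      violation.setStatus(PolicyViolation.Status.Open);
    }
  }
}
return violation;
```

Because the first evaluation sees identical counts on both identities, the violation can only fire on the second pass, which is the behaviour Krish describes above.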
