How should i get the users selected entitlement in advanced policies?

Hi All,

i have to write a code for advanced policy .so that I tried many ways but i cant get the users selecting entitlement which before access request submit the request . can you please suggest any idea or can you have any sample code for that

getExceptions() - i tried this medhod ,so iam getting existing entitlement for that user

Thanks,
Ranjith

Hi @Ranjith2000

Can you provide the exact requirement?

Hi @rajeshs
here the requirement is if ABC entitlement from XYZ application is selected

Need to check whether the selected user is having the XYZ application or not
a. if the user have an application then allow the request
b. If the user don’t have the application link then block him saying "please raise request for “Role A” and get the account created.
Please check the below code . in this code i need to get users selecting entitlement
futureIDExceptions=futureID.getExceptions(); - but iam getting existing entitlement for that user . can you please give any suggest for this

import sailpoint.object.;
import java.util.
;
import java.text.*;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
boolean roleViolation = true;
PolicyViolation violation = null;
String appName;
boolean isViolation = false;
boolean rasieRequest = false;
boolean hasApp = false;
Identity futureID=identity;
if(null != futureID && null != existingID)
{
List existingIDExceptions = new ArrayList();
List futureIDExceptions = new ArrayList();
Identity existingID=context.getObjectByName(Identity.class,futureID.getName());
List links = existingID.getLinks();
for(Link link : links)
{
if(link.getApplicationName().equals(“Application Name”))
{
hasApp = true;
break;
}
}
if(!hasApp)
{
if(null!=futureID){
existingIDExceptions=existingID.getExceptions();
futureIDExceptions=futureID.getExceptions();
if(existingIDExceptions!=null && existingIDExceptions.size()>0){
for (EntitlementGroup entitlementGroup : existingIDExceptions) {
String entitlementAppName = entitlementGroup.getApplicationName();
if(entitlementAppName.equalsIgnoreCase(“Application Name”)) {
//rasieRequest = true;
}
}
}
if(futureIDExceptions!=null && futureIDExceptions.size()>0){
for (EntitlementGroup entitlementGroup : futureIDExceptions) {
String entitlementAppName = entitlementGroup.getApplicationName();
if(entitlementAppName.equalsIgnoreCase(“Application Name”)) {
rasieRequest = true;
}
}
}
if(rasieRequest)
{
String blockingMsg =“You cannot request Application Name Entitlement without Application Name”;
violation = new PolicyViolation();
violation.setActive(true);
violation.setIdentity(identity);
violation.setPolicy(policy);
constraint.setName(blockingMsg);
violation.setConstraint(constraint);
violation.setDescription(blockingMsg);
violation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}
}
}
}Preformatted text
return violation;

1 Like

Hi @Ranjith2000,

You can find the entitlements raised by the user by finding the difference of entitlements by the provided identity object and existing identity, in your case existingID and futureID. Also, you can use the below code snippet to get the entitlements from new and old identity object.

  public List fetchIdentityEnt(Identity identity, String applicationName) {
  List applicationLinks = identity.getLinks();
  List entitlementList = null;
  if (applicationLinks != null && applicationLinks.size() > 0) {
    for (Link singleIdentityLink : applicationLinks) {
      if (applicationName.equals(singleIdentityLink.getApplicationName())) {
        try {
          entitlementList = singleIdentityLink.getEntitlements(Locale.getDefault(), "");
        } catch (GeneralException e) {
          //logger.error("The Error is: " + e);
        }
      }
    }
  }
  return entitlementList;
  }

Hello,

would like to add some thoughts here:

  1. While defining the Policy, normally we shall evaluate during both Manage User Access (Preventive) and Identity Refresh (Detective). As we noticed the Policy Rule (or same as Policy Executor), it will passed the simulated identity (future identity), which we can verify whether there is any violation. I would say why dont we just verify the simulated identity only, and we simply scan through the entitlements and verify whether it requires any dependent application.
  2. If we only want preventive policy violation, then simply configure which policies needed to be checked under the Identity Refresh arguments.
  3. We may also consider to use application dependencies here, means that we shall automatically include the provisioning for “Role A”, you may also reference the post here.

I have implemented this many times, I have posted the solution here
Solved: Advanced Policy: Extracting Requested Roles/Entitles When Submitting Requests Through Manage Access - Page 2 - Compass (sailpoint.com)

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.