How should I get the user's selected entitlement in policies?

Hi All,

Here I'm using the getSelectedEntitlements method, but that method is not present in IIQ. So can anyone please suggest how I should get the entitlement the user is selecting (when the user raises the request)?

List selectedEntitlements = identity.getSelectedEntitlements();

How can I get the entitlements that the user is selecting in Manage User Access before the access request is submitted?

Thanks

Ranjith Murugan

Hi @Ranjith2000,

May I know your requirement in detail, please? getSelectedEntitlements is not a method in the Identity class. If we know what you want to achieve, we can probably help.

Hi @dheerajk27,

Here the requirement is: if the ABC entitlement from the XYZ application is selected,

we need to check whether the selected user has the XYZ application or not.
a. If the user has the application, then allow the request.
b. If the user doesn't have the application link, then block him, saying "Please raise request for "Role A" and get the account created".

Thanks in advance

Hi @Ranjith2000,

For this requirement you will have to check the plan in the LCM Provisioning Workflow at the start step: get the ApplicationName from the Account request and then check if the user has a link of the Application. If true, transition to Initialize, or else send it to a validation step to show a validation message.
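
The plan check described in this reply, as an added example that is not part of the original post or SailPoint's own code: a BeanShell-compatible helper that a workflow step could call. The helper name, the `XYZ`/`ABC` placeholders and the way `plan` and the identity reach it are assumptions.

```java
import java.util.Collection;
import java.util.List;

import sailpoint.api.IdentityService;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.GeneralException;

// Hypothetical helper: returns a blocking message, or null when the request may proceed.
public String checkRequestedEntitlement(SailPointContext context, Identity identity,
        ProvisioningPlan plan) throws GeneralException {
    String appName = "XYZ";      // placeholder application name from the thread
    String entitlement = "ABC";  // placeholder entitlement value from the thread
    if (identity == null || plan == null || plan.getAccountRequests() == null) {
        return null;
    }
    boolean requested = false;
    for (AccountRequest acct : plan.getAccountRequests()) {
        if (!appName.equals(acct.getApplication()) || acct.getAttributeRequests() == null) {
            continue;
        }
        for (AttributeRequest attr : acct.getAttributeRequests()) {
            ProvisioningPlan.Operation op = attr.getOperation();
            if (op == ProvisioningPlan.Operation.Remove || op == ProvisioningPlan.Operation.Revoke) {
                continue; // removals do not need the account check
            }
            // A request may carry a single value or a collection of values.
            Object value = attr.getValue();
            if (value instanceof Collection) {
                requested = requested || ((Collection) value).contains(entitlement);
            } else {
                requested = requested || entitlement.equals(value);
            }
        }
    }
    if (!requested) {
        return null;
    }
    // The entitlement is being requested: require an existing account link on the application.
    Application app = context.getObjectByName(Application.class, appName);
    List links = (app == null) ? null : new IdentityService(context).getLinks(identity, app);
    if (links == null || links.isEmpty()) {
        return "Please raise request for Role A and get the account created";
    }
    return null;
}
```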

Hi @Ranjith2000

As @dheerajk27 mentioned, the method getSelectedEntitlements is not available. Policies are used in a general format in IIQ, both as a detective policy via Identity Refresh and as a preventive policy via Access Request. Hence it will be difficult to get the entitlements selected by the user in the request via Access Request in a Policy Rule. But you can define the rule based on the identity object provided in the rule. SailPoint will consider the scenario where the user has been provided with the access, and what the identity will look like. This identity object available in the Policy Rule can determine whether there is a policy violation or not.

Please check the sample code below, which would throw a policyViolation if a user requested the ABC entitlement from XYZ but doesn't have an Active Directory account.

```java
import java.util.List;
import java.util.Locale;

import sailpoint.api.IdentityService;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Entitlement;
import sailpoint.object.GenericConstraint;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.tools.GeneralException;

// Rule inputs used below: context, identity, policy, constraint
private String policyMessage = "Please raise request for Role A and get Active Directory Account created";
private static final String REQUIRED_APP_NAME = "Active Directory";
private static final String ENTITLEMENT_APP_NAME = "XYZ";

// Build an open, active violation for the given identity and constraint
public PolicyViolation generatePolicyViolation(Identity identity, Policy policy,
    GenericConstraint constraint, String policyDescrptn) {
  PolicyViolation policyViolation = new PolicyViolation();
  policyViolation.setActive(true);
  policyViolation.setIdentity(identity);
  policyViolation.setPolicy(policy);
  policyViolation.setConstraint(constraint);
  policyViolation.setDescription(policyDescrptn);
  policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
  return policyViolation;
}

// Return the entitlements on the identity's link for the named application (null if no such link)
public List fetchIdentityEnt(Identity identity, String applicationName) {
  List applicationLinks = identity.getLinks();
  List entitlementList = null;
  if (applicationLinks != null && applicationLinks.size() > 0) {
    for (Link singleIdentityLink : applicationLinks) {
      if (applicationName.equals(singleIdentityLink.getApplicationName())) {
        try {
          entitlementList = singleIdentityLink.getEntitlements(Locale.getDefault(), "");
        } catch (GeneralException e) {
          //logger.error("The Error is: " + e);
        }
      }
    }
  }
  return entitlementList;
}

// Violation: identity holds ABC on XYZ but has no link on the required application
public boolean isPolicyViolated(Identity identity) throws GeneralException {
  boolean isPolicyViolated = false;
  boolean entitlementExist = false;
  IdentityService identityService = new IdentityService(context);
  Application application = context.getObjectByName(Application.class, REQUIRED_APP_NAME);
  List links = identityService.getLinks(identity, application);
  List entitlementList = fetchIdentityEnt(identity, ENTITLEMENT_APP_NAME);
  // fetchIdentityEnt returns null when the identity has no XYZ link
  if (entitlementList != null) {
    for (Entitlement entitlement : entitlementList) {
      if ("ABC".equals(entitlement.getAttributeValue())) {
        entitlementExist = true;
        break;
      }
    }
  }
  if (links.isEmpty() && entitlementExist) {
    isPolicyViolated = true;
  }
  return isPolicyViolated;
}

// Rule body: return a violation object, or null when the policy is satisfied
boolean isPolicyViolated = false;
PolicyViolation appPolicyViolation = null;
try {
  if (identity != null) {
    isPolicyViolated = isPolicyViolated(identity);
  }
  if (isPolicyViolated) {
    appPolicyViolation = generatePolicyViolation(identity, policy, constraint, policyMessage);
  }
} catch (GeneralException e) {
  //logger.error("The Error is: " + e);
}
return appPolicyViolation;
```

Hi @Jarin_James

Thank you so much for your code. It would be understandable and very helpful for me, @Jarin_James.

thanks,
Ranjith Murugan

Hi @dheerajk27

Thanks for your response @dheerajk27

Thanks
Ranjith Murugan

Hi @Jarin_James , @dheerajk27

Please check the code below. In this code I need to get the entitlement the user is selecting:
futureIDExceptions=futureID.getExceptions(); - but I am getting the existing entitlement for that user. Can you please give any suggestion for this?

```java
import sailpoint.object.*;
import java.util.*;
import java.text.*;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;

boolean roleViolation = true;
PolicyViolation violation = null;
String appName;
boolean isViolation = false;
boolean rasieRequest = false;
boolean hasApp = false;
// Identity passed to the policy rule
Identity futureID = identity;
// Same identity looked up by name (declared before the null check that uses it)
Identity existingID = (futureID != null) ? context.getObjectByName(Identity.class, futureID.getName()) : null;
if (null != futureID && null != existingID) {
    List existingIDExceptions = new ArrayList();
    List futureIDExceptions = new ArrayList();
    // Does the stored identity already have an account on the application?
    List links = existingID.getLinks();
    for (Link link : links) {
        if (link.getApplicationName().equals("Application Name")) {
            hasApp = true;
            break;
        }
    }
    if (!hasApp) {
        if (null != futureID) {
            existingIDExceptions = existingID.getExceptions();
            futureIDExceptions = futureID.getExceptions();
            if (existingIDExceptions != null && existingIDExceptions.size() > 0) {
                for (EntitlementGroup entitlementGroup : existingIDExceptions) {
                    String entitlementAppName = entitlementGroup.getApplicationName();
                    if (entitlementAppName.equalsIgnoreCase("Application Name")) {
                        //rasieRequest = true;
                    }
                }
            }
            // Flag the request when the rule's identity carries an entitlement on the application
            if (futureIDExceptions != null && futureIDExceptions.size() > 0) {
                for (EntitlementGroup entitlementGroup : futureIDExceptions) {
                    String entitlementAppName = entitlementGroup.getApplicationName();
                    if (entitlementAppName.equalsIgnoreCase("Application Name")) {
                        rasieRequest = true;
                    }
                }
            }
            if (rasieRequest) {
                String blockingMsg = "You cannot request Application Name Entitlement without Application Name";
                violation = new PolicyViolation();
                violation.setActive(true);
                violation.setIdentity(identity);
                violation.setPolicy(policy);
                constraint.setName(blockingMsg);
                violation.setConstraint(constraint);
                violation.setDescription(blockingMsg);
                violation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
            }
        }
    }
}
return violation;
```

Hi @Ranjith2000 ,

I have posted reply for this in the other post you have created.

How should i get the users selected entitlement in advanced policies? - IdentityIQ (IIQ) / Discussion and Questions - SailPoint Developer Community Forum
