How to manage start and end dates of entitlement assignments coming from aggregation

Hi Experts

I have a peculiar use case where I have different types of entitlements for a web service application (it doesn’t matter how many types here, actually). From the web service we get the information about the entitlements a user has, and each entitlement assignment has its own start date and end date as well. We have a use case where we have to notify the users if the end date of a particular entitlement assignment is approaching. How can we handle this? We cannot store it at the schema level because each user can have multiple entitlements and each assignment will have different start and end dates.

Any solution for this will be really helpful.

Note - For now I am not looking for a custom table to store this information, as this application will have a huge number of users (maybe more than 100k) as well.

Hi Satish,

Can you do something like the below? I am not sure whether this is the ideal solution, but you can try it.

1. Create an extended attribute on a link like "entitlementExpiryData"
2. Write a customisation rule. Below is something you can try in your customisation rule.

    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;

    // webServiceResponse is assumed to be the parsed web service response (a Map)
    // Holds one JSON string per entitlement assignment
    List entitlementDataList = new ArrayList();

    // Process each entitlement from web service response
    List entitlements = (List) webServiceResponse.get("entitlements");
    for (Map entitlement : entitlements) {
        String entName = (String) entitlement.get("name");
        String startDate = (String) entitlement.get("startDate");
        String endDate = (String) entitlement.get("endDate");

        // Create JSON string for each entitlement
        String jsonData = String.format(
            "{\"name\":\"%s\",\"startDate\":\"%s\",\"endDate\":\"%s\"}",
            entName, startDate, endDate
        );
        entitlementDataList.add(jsonData);
    }

3. Create a scheduled task for checking expiring entitlements.

@naveenkumar3
Are you saying the extended attribute would hold a map? If so, how would I read or use that data for comparison with the current date? We will have 100k users, as mentioned, so we cannot iterate through each link.

The extended attribute “entitlementExpiryData” is defined as a multi-valued string (not a map). Each value in the list is a JSON string containing the entitlement details (e.g., {"name":"Ent1","startDate":"2024-01-01","endDate":"2024-12-31"} ). This keeps it simple and compatible with IIQ’s schema without needing complex object types.

You can iterate through all Links efficiently; use pagination to achieve this.
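An added example, not part of the thread's posts or SailPoint's code: plain Java that reads values in the multi-valued "entitlementExpiryData" format described above and returns the entitlements ending within a notification window. The class and method names are hypothetical, the sample values are constructed, and it assumes flat JSON with string fields and ISO yyyy-MM-dd dates.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.time.temporal.ChronoUnit;
import java.util.*;
import java.util.regex.*;

public class ExpiryWindowCheck {
    // Matches one flat JSON string field; the value may contain backslash-escaped characters.
    private static final Pattern FIELD =
        Pattern.compile("\"(\\w+)\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");

    /** Returns names of entitlements whose endDate is 0..daysAhead days after today. */
    static List<String> expiringSoon(List<String> values, LocalDate today, int daysAhead) {
        List<String> hits = new ArrayList<>();
        for (String json : values) {
            Map<String, String> fields = new HashMap<>();
            Matcher m = FIELD.matcher(json);
            while (m.find()) {
                // Drop the backslash from escaped characters such as \" and \\
                fields.put(m.group(1), m.group(2).replaceAll("\\\\(.)", "$1"));
            }
            String end = fields.get("endDate");
            if (end == null || !fields.containsKey("name")) continue; // incomplete value
            try {
                long days = ChronoUnit.DAYS.between(today, LocalDate.parse(end));
                if (days >= 0 && days <= daysAhead) hits.add(fields.get("name"));
            } catch (DateTimeParseException e) {
                // Not an ISO date: skip this value rather than abort the whole run.
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample values for one account link.
        List<String> values = Arrays.asList(
            "{\"name\":\"Ent1\",\"startDate\":\"2024-01-01\",\"endDate\":\"2024-12-31\"}",
            "{\"name\":\"Ent \\\"Ops\\\"\",\"startDate\":\"2024-01-01\",\"endDate\":\"2024-12-20\"}",
            "{\"name\":\"Ent3\",\"startDate\":\"2024-01-01\",\"endDate\":\"not-a-date\"}");
        System.out.println(expiringSoon(values, LocalDate.of(2024, 12, 15), 7));
    }
}
```

Values built with String.format need quotes and backslashes in entitlement names escaped, as in the second sample value, or no parser can read them back reliably.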

@naveenkumar3

Thanks for responding. I am not talking about iterating the accounts during aggregation. Once you have the data in IIQ, if we have to send notifications, we have to iterate through all link objects and within that read the data for each of these entitlement accesses. As I said, we have 100k+ accounts. Do you still suggest this? How can pagination help here?

I thought you were talking about aggregation, that’s why I mentioned pagination. The solution I mentioned is creating a notification task for checking expiring entitlements. No, you do not need to iterate over 100k link objects. Give me some time, I will tell you how you can do that.

Okay, I hope now you understand the tricky part here. Sure, please keep me posted if you find anything.

Yeah, I have given it a thought, but I think if you want to send the notification about the expiry, you have to iterate over all the links, considering your requirement. The only thing we can do is make the task more efficient.

Hi @iamksatish,
Please try the rule below:

    import sailpoint.object.Filter;
    import sailpoint.object.QueryOptions;
    import sailpoint.object.Identity;
    import sailpoint.object.IdentityEntitlement;
    import sailpoint.object.EmailTemplate;
    import sailpoint.object.EmailOptions;
    import sailpoint.tools.GeneralException;
    import java.util.Date;
    import java.util.Calendar;
    import java.util.Iterator;
    import java.util.ArrayList;
    import java.util.List;

    // Select only entitlement assignments that have an end date
    QueryOptions qo = new QueryOptions();
    Filter f1 = Filter.not(Filter.isnull("endDate"));
    qo.addFilter(f1);

    Iterator iter = context.search(IdentityEntitlement.class, qo);
    List entitlements = new ArrayList();

    try {
        while (iter.hasNext()) {
            IdentityEntitlement ie = (IdentityEntitlement) iter.next();
            entitlements.add(ie); // store for later processing
        }
    } finally {
        sailpoint.tools.Util.flushIterator(iter);
    }

    EmailTemplate temp = context.getObjectByName(EmailTemplate.class, "End Date Expiration Reminder");
    if (temp == null) {
        // Fail early instead of passing a null template to sendEmailNotification
        throw new GeneralException("Email template 'End Date Expiration Reminder' not found");
    }

    // Get tomorrow's date (midnight)
    Calendar cal = Calendar.getInstance();
    cal.set(Calendar.HOUR_OF_DAY, 0);
    cal.set(Calendar.MINUTE, 0);
    cal.set(Calendar.SECOND, 0);
    cal.set(Calendar.MILLISECOND, 0);
    cal.add(Calendar.DAY_OF_MONTH, 1);
    Date tomorrow = cal.getTime();
    log.warn("Tomorrow date is : " + tomorrow);

    for (IdentityEntitlement ie : entitlements) {
        Date endDate = ie.getEndDate();
        log.warn("End date is : " + endDate);
        if (endDate != null) {
            // Normalize endDate to midnight for comparison
            Calendar endCal = Calendar.getInstance();
            endCal.setTime(endDate);
            endCal.set(Calendar.HOUR_OF_DAY, 0);
            endCal.set(Calendar.MINUTE, 0);
            endCal.set(Calendar.SECOND, 0);
            endCal.set(Calendar.MILLISECOND, 0);
            Date normalizedEndDate = endCal.getTime();
            log.warn("Normalized date is : " + normalizedEndDate);

            // Skip rows without an owning identity or an email address to send to
            Identity identity = ie.getIdentity();
            String email = (identity != null) ? identity.getEmail() : null;

            if (normalizedEndDate.equals(tomorrow) && email != null) {
                log.warn("Sending notification for: " + identity.getName() + ", EndDate: " + endDate);
                EmailOptions options = new EmailOptions(email, null);
                context.sendEmailNotification(temp, options);
            }
        }
    }

    context.decache();

Thanks

@Harikrishna_06

How are you going to populate the end date within the Identity Entitlement table for entitlements which are already updated in the target?

Hi @iamksatish,

When we set a sunset date, it automatically creates the endDate attribute in the identityEntitlement table. Please check the images below.

    <IdentityEntitlement aggregationState="Connected" assigned="true" assigner="The Administrator" assignmentId="7ea75268a2544627b3ff5b572acd3834" created="1750653309808" endDate="1759429800000" id="c0a8386e97861caf81979b11937008ae" modified="1759291916439" name="accessName" nativeIdentity="EMP1002" significantModified="1759291916439" source="LCM" type="Entitlement" value="IT">

I know this will be set, but I believe this is when provisioning happens from IIQ. I hope you understand that my ask is about setting something when the change happens on the target side.

Hi @iamksatish,
I’m not entirely sure, but I was thinking — maybe we could store the expiration date in the description attribute? Just a thought, let me know what you think.

@Harikrishna_06

In what format do you want to store it for each entitlement assignment, and in which attribute? We are looking for a way not to iterate over all the links in the system for the app, considering 100k+ accounts.
