I have a requirement to create an Advanced policy to handle role conflicts and one role at a time for an application

Hi All,

Hope you are doing good.

I have a requirement where, if a user has Role “A”, they should not have access to Role “B” (and vice versa) for a particular application, and only one role at a time for that application. I have tried my best to achieve this but it is not up to the mark. Could anyone help here?

Below are the steps I have followed.

  1. I have created a custom object where I added all roles for an application like below.

  2. I have tried the below code to achieve this. Please correct me here.

import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Identity;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Custom;
import java.util.List;
import java.util.Iterator;
import java.util.ArrayList;
import java.util.Set;

log.error("Inside Policy Violation Asia Group Insurance System SLOCPI");

PolicyViolation policyViolation = null;

// 'identity' is the projected identity handed to the policy rule: its roles as they would be after the request
Identity expectedIdentity = identity;
log.error("Expected Identity:" + expectedIdentity);

// Persisted copy of the identity, i.e. the roles the user holds today
Identity oldIdentity = context.getObjectByName(Identity.class, identity.getName());
log.error("Old Identity:" + oldIdentity);

String targetApplication = "Asia Group Insurance System SLOCPI";

boolean isViolation = false;

// Work on copies: calling removeAll() on the identity's own list would modify the identity object itself
List allrequestedRoles = new ArrayList();
if (expectedIdentity.getAssignedRoles() != null) {
    allrequestedRoles.addAll(expectedIdentity.getAssignedRoles());
}
log.error("All Roles New:" + allrequestedRoles);

List allexistingRoles = new ArrayList();
if (oldIdentity != null && oldIdentity.getAssignedRoles() != null) {
    allexistingRoles.addAll(oldIdentity.getAssignedRoles());
}
log.error("All Existing Roles Old:" + allexistingRoles);

// Keep only the roles that are new in this request (compare by role name rather than by object equality)
List existingRoleNames = new ArrayList();
for (Bundle role : allexistingRoles) {
    existingRoleNames.add(role.getName());
}
Iterator reqIt = allrequestedRoles.iterator();
while (reqIt.hasNext()) {
    Bundle role = (Bundle) reqIt.next();
    if (existingRoleNames.contains(role.getName())) {
        reqIt.remove();
    }
}
log.error("All Requested Roles New:" + allrequestedRoles);

// Role names governed by the one-role-at-a-time rule, read from the Custom object
// (assumes the "Config_Applications" entry holds a List of role names)
List roleList = new ArrayList();
Custom OneRoleAtATimeCustomObject = context.getObjectByName(Custom.class, "SLF - Custom - OneRoleAtATime");
if (OneRoleAtATimeCustomObject != null && OneRoleAtATimeCustomObject.get("Config_Applications") != null) {
    roleList = (List) OneRoleAtATimeCustomObject.get("Config_Applications");
}

// True when the role is in the configured list and grants access to the target application
boolean isTargetAppRole(Bundle role, List governedRoleNames, String appNameToMatch) {
    if (role == null || !governedRoleNames.contains(role.getName())) {
        return false;
    }
    Set applicationsList = role.getApplications();
    if (applicationsList != null && !applicationsList.isEmpty()) {
        Iterator it = applicationsList.iterator();
        while (it.hasNext()) {
            Application app = (Application) it.next();
            String appName = app.getName();
            if (appName != null && appName.contains(appNameToMatch)) {
                return true;
            }
        }
    }
    return false;
}

// Count target-application roles among the newly requested roles and among the roles already held
int requestedRoleSize = 0;
for (Bundle role : allrequestedRoles) {
    if (isTargetAppRole(role, roleList, targetApplication)) {
        requestedRoleSize++;
    }
}

int existingRoleSize = 0;
for (Bundle role : allexistingRoles) {
    if (isTargetAppRole(role, roleList, targetApplication)) {
        existingRoleSize++;
    }
}
log.error("Requested target-app roles:" + requestedRoleSize + " existing target-app roles:" + existingRoleSize);

// More than one role of the application requested at once, or a second role requested
// while one is already held, is a violation; nothing new requested means no violation
if (requestedRoleSize > 1) {
    isViolation = true;
} else if (requestedRoleSize == 1 && existingRoleSize > 0) {
    isViolation = true;
}

if (isViolation) {
    policyViolation = new PolicyViolation();
    policyViolation.setActive(true);
    policyViolation.setIdentity(identity);
    policyViolation.setPolicy(policy);
    policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}

return policyViolation;

Thank you in advance.

I want to do below.

//iterator to get a single app list of roles and then perform the contains, also note the count
count > 1 throw violation
count = 1 go check old roles for any matching roles within the application
count < 0 don’t do anything
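The count-based decision described in the post, written as an added example against plain Java objects rather than SailPoint classes, so the three branches (more than one new role of the application, exactly one new role while another is already held, nothing new) can be run and checked outside IdentityIQ. This is not the poster's rule or SailPoint code; the `Role` class stands in for a Bundle, and the role names, the governed-role list and the scenarios are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class OneRoleAtATimeCheck {

    // Minimal stand-in for a SailPoint Bundle: a role name plus the applications it grants access to
    static final class Role {
        final String name;
        final Set<String> applications;

        Role(String name, String... apps) {
            this.name = name;
            this.applications = new HashSet<>(Arrays.asList(apps));
        }
    }

    // What the Custom object's "Config_Applications" list would hold (constructed names)
    static final Set<String> GOVERNED_ROLES = new HashSet<>(Arrays.asList("AGIS Viewer", "AGIS Approver"));
    static final String TARGET_APP = "Asia Group Insurance System SLOCPI";

    // A role counts only if it is in the governed list and grants the target application
    static boolean isTargetAppRole(Role role) {
        if (!GOVERNED_ROLES.contains(role.name)) {
            return false;
        }
        for (String app : role.applications) {
            if (app.contains(TARGET_APP)) {
                return true;
            }
        }
        return false;
    }

    static int countTargetAppRoles(Collection<Role> roles) {
        int count = 0;
        for (Role role : roles) {
            if (isTargetAppRole(role)) {
                count++;
            }
        }
        return count;
    }

    // Projected roles minus roles already held, compared by name (a re-requested role is not "new")
    static List<Role> newlyRequested(List<Role> projected, List<Role> existing) {
        Set<String> held = new HashSet<>();
        for (Role role : existing) {
            held.add(role.name);
        }
        List<Role> added = new ArrayList<>();
        for (Role role : projected) {
            if (!held.contains(role.name)) {
                added.add(role);
            }
        }
        return added;
    }

    // count > 1: violation; count == 1: violation only if a governed role is already held; otherwise none
    static boolean isViolation(List<Role> projected, List<Role> existing) {
        int requested = countTargetAppRoles(newlyRequested(projected, existing));
        int held = countTargetAppRoles(existing);
        if (requested > 1) {
            return true;
        }
        if (requested == 1) {
            return held > 0;
        }
        return false;
    }

    public static void main(String[] args) {
        Role viewer = new Role("AGIS Viewer", TARGET_APP);
        Role approver = new Role("AGIS Approver", TARGET_APP);
        Role unrelated = new Role("HR Reader", "Workday");

        System.out.println("two target-app roles requested together: "
                + isViolation(Arrays.asList(viewer, approver), Collections.<Role>emptyList()));
        System.out.println("second role requested while one is held: "
                + isViolation(Arrays.asList(viewer, approver), Arrays.asList(viewer)));
        System.out.println("one role requested, none held: "
                + isViolation(Arrays.asList(viewer, unrelated), Arrays.asList(unrelated)));
        System.out.println("held role re-requested, nothing new: "
                + isViolation(Arrays.asList(viewer), Arrays.asList(viewer)));
    }
}
```

The comparison by role name in `newlyRequested` matters: if the projected and persisted role lists are compared with `removeAll`, objects loaded in different contexts may not compare equal, and a role the user already holds would be counted again as a new request.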