Version 8.3
I want all users details which contains a business role via rule. I am giving example like I have a role “BussinessRole”. I want all the user who contains this role.
Hi
you can use this sql statement to get identities with a business roles:
SELECT
aa.name,
aa.STATUS
FROM
spt_identity aa
LEFT JOIN spt_identity_assigned_roles siar ON siar.identity_id = aa.id
LEFT JOIN spt_bundle sb ON siar.bundle = sb.id
WHERE
siar.identity_id IS NOT NULL;
You can create a rule with following code:
String sqlQuery = "QUERY FROM ABOVE'";
Connection connection = context.getJdbcConnection();
try (ResultSet resultSet = connection.prepareStatement(sqlQuery)
.executeQuery()) {
while (resultSet.next()) {
//here get the informations from result set
}
}
we need rule not for specific DB.
Hi @amanKsingh,
In most rule you will get the identity as a variable (for free).
If you are creating a rule where you don’t have the identity variable you can easily get it using the context which is available in all rules (no real need for direct SQL queries, context uses hibernate which also does caching).
To get an identity with all details:
import sailpoint.object.identity;
Identity identity = context.getObjectByName(Identity.class,"naam of the identity");
log.error(ïdentity = " + identity.toXml());
Please take a look at the available rules in IdentityIQ: https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ/ta-p/78176
And also use the JavaDocs. The JavaDocs are included in /<identityiq-location>/doc/javadoc/ in your installation.
– Remold
Thanks for reply. I don’t need specific user details. I need on the behalf of role user details please check my query again.
To get a list of identity with a particular role assigned:
import sailpoint.object.*;
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("assignedRoles.id", roleId));
qo.setOrderBy("name");
Iterator it = context.search(Identity.class, qo, "name");
while ( (null != it) && (it.hasNext()) ) {
Object [] thisRecord = it.next();
String identityName = (String) thisRecord[0];
log.error("Identity="+ identityName;
}
I hope this answers your question.
– Remold
Hi @amanKsingh ,
There are multiple approaches available, but you need to select the one which is most suitable as per your need additionally that should be performance optimized.
In Sailpoint, we don’t have a direct way to fetch the membership of a particular role. It all depends on How you have assigned the membership of users to the role. for e.g. whether you have assigned a population or filter or custom rule in auto-assignment option while creating the business role.
The Bundle (Role) object looks like below -
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Bundle created="1665370220901" disabled="true" displayName="Accounting Business Role" id="c0a83865838c16e38183bfcce9650059" modified="1706013674377" name="Accounting Business Role" type="business">
<Attributes>
<Map>
<entry key="accountSelectorRules"/>
<entry key="allowDuplicateAccounts" value="false"/>
<entry key="allowMultipleAssignments" value="false"/>
<entry key="mergeTemplates" value="false"/>
<entry key="sysDescriptions">
<value>
<Map>
<entry key="en_US" value="Accounting Business Role"/>
</Map>
</value>
</entry>
</Map>
</Attributes>
<Inheritance>
<Reference class="sailpoint.object.Bundle" id="c0a83865838c16e38183bfc389310037" name="WintelApplication"/>
</Inheritance>
<Owner>
<Reference class="sailpoint.object.Identity" id="c0a84a0382f6191b8182f6f9eb5100eb" name="spadmin"/>
</Owner>
<Requirements>
<Reference class="sailpoint.object.Bundle" id="c0a83865838c16e38183bfc891fa0049" name="Accounting IT Role"/>
</Requirements>
<Selector>
<IdentitySelector>
<PopulationRef>
<Reference class="sailpoint.object.GroupDefinition" id="c0a83865838c16e38183bfd174b10063" name="Accounting population"/>
</PopulationRef>
</IdentitySelector>
</Selector>
</Bundle>
In the above example we have used a population to assign the user membership to this role
If I open the Population, I can see below details -
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE GroupDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<GroupDefinition created="1665370518705" id="c0a83865838c16e38183bfd174b10063" indexed="true" modified="1665453140105" name="Accounting population" private="true">
<Description></Description>
<GroupFilter>
<CompositeFilter operation="OR">
<Filter operation="EQ" property="jobTitle" value="Accounts Payable Analyst"/>
<Filter operation="EQ" property="jobTitle" value="Accounts Receivable Analyst"/>
</CompositeFilter>
</GroupFilter>
<Index>
<Reference class="sailpoint.object.GroupIndex" id="c0a8386583c41fbb8183c4be28890030" name="Accounting population"/>
</Index>
<Owner>
<Reference class="sailpoint.object.Identity" id="c0a84a0382f6191b8182f6f9eb5100eb" name="spadmin"/>
</Owner>
</GroupDefinition>
The population contains a complex filter i.e. JobTitle equals Accounts Payable Analyst or JobTitle equals Accounts Receivable Analyst -
<CompositeFilter operation="OR">
<Filter operation="EQ" property="jobTitle" value="Accounts Payable Analyst"/>
<Filter operation="EQ" property="jobTitle" value="Accounts Receivable Analyst"/>
</CompositeFilter>
Now taking the above example, If we have assigned the membership via population you can use the same filter to fetch all the users.
example rule -
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
QueryOptions qo=new QueryOptions();
Filter filter1=Filter.eq("jobTitle","Accounts Payable Analyst");
Filter filter2=Filter.eq("jobTitle","Accounts Receivable Analyst");
Filter filter=Filter.or(filter1,filter2);
qo.addFilter(filter);
List<Identity> identities=context.getObjects(Identity.class,qo);
for(int i=0;i<identities.size();i++)
{
Identity id=identities.get(i);
System.out.println("Name"+id.getName());
}
context.decache();
In similar fashion you can check the assignment criteria in the business role to take your call.
However, @abartkowski also suggested you a nice way to fetch the details.
Now let say if you have a hard constraint not to use db queries even for read purpose, then you need to construct the user filter based on status i.e for active users and fetch the user bundle details from your rule based on your condition.
Something similar,
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.object.Bundle;
QueryOptions qo=new QueryOptions();
String roleName="Accounting Business Role";
Bundle bundle = context.getObjectByName(Bundle.class,roleName);
String roleId=bundle.getId();
System.out.println("Role id Fetched as"+roleId);
Filter filter=Filter.eq("assignedRoles.id", roleId);
qo.addFilter(filter);
List<Identity> identities=context.getObjects(Identity.class,qo);
System.out.println("Total users::"+identities.size());
for(int i=0;i<identities.size();i++)
{
Identity id=identities.get(i);
System.out.println("Identity Name::"+id.getName());
}
context.decache();
Mark it as solved, if it helps.
Please be careful when querying identities since it loads all objects into RAM before using them. Instead use context.search() and iterate through the query. A recommendation and best practice is to use Projection Queries wherever possible instead of full object queries. Note that all Iterators opened with context.search() calls must be flushed when Bean Shell code is done using them.
The method context.getObjects() should only be called when you are certain that the list of of what you are retrieving is finite and small, that you must process or iterate through every member of that list, and that you need IdentityIQ and Hibernate to fully de-serialize (or “rehydrate” in different terminology) all of the objects in that list.
– Remold
@Remold - Thanks for your constructive feedback 
. Much Appreciated!!
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.