I want to implement a advanced policy in sailpoint IIQ

while the user is requesting for access through mange user access page

I want to check the country of the user and the region of the application
for Ex: My Identity has country as Ind and the entitlement application region is al IND policy violation should not occur

but if my country is IND and I am requesting for entitlement application region UAE policy violation should occur

Also I want to know How can we fetch the selected entitlement in real time without the provisioning plan is being created?

Maybe this plugin fits ur use case, you can take a look, or maybe for inspiration?

Validated Access Request Plugin - Compass

I have to make a advanced policy → Violation formatting rule

Best Regards,
Devesh Varma

@deveshrns Formatting rule is to make any modification to violation object post creation. You should use a Policy Rule to evaluate and decide whether the violation should be created or not. This rule have an identity argument which represents the simulated future state of the user. From this identity, you can inspect the updated Links to extract newly requested entitlements. Check the attached article for the sample rule.

Create New RuleSelection method (Rule)

I tried this but its triggering when we are requesting more than one entitlement but after changes done according to my requirement its not triggering

@deveshrns Please share your policy rule.

@deveshrns If your final requirement is not allowing users to submit request for different country/region, you can achieve this using RequestObjectSelector rule in Quicklinks for entitlements which can allow you to hide the items which should not be applicable for the user.

import sailpoint.object.PolicyViolation;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import java.util.List;
import java.util.Locale;
import java.util.*;

log.error(“Hello!”);

PolicyViolation policyViolation = null;

String appName = “Kenya”;

boolean isViolation = false;
log.error(“boolean 1::” + isViolation);

Identity user = identity;

Identity ogiden = context.getObjectByName(Identity.class, user.getName());
log.error(“OG - Iden” + ogiden.toXml());

log.error(“DB Iden” + dbiden);

String opcoShortCode = ogiden.getAttribute(“opcoShortCode”);
log.error(“OpcoShortCode:::” + opcoShortCode);

List applicationLinks = ogiden.getLinks();
log.error(“List application links::” + applicationLinks.size());

if (applicationLinks != null && applicationLinks.size() > 0) {
log.error(“application links found”);

for (Link link : applicationLinks) {
    log.error("Iterating over links");
    
    if (appName.equals(link.getApplicationName())) {
        log.error("Application Name Found");
        
        if (!("KE".equals(opcoShortCode))) {
            log.error("Opco Difference found");

            isViolation = true;
            log.error("boolean 2 inside if::" + isViolation);
        }
    }
}

}

if (isViolation) {

policyViolation = new PolicyViolation();
policyViolation.setActive(true);
policyViolation.setIdentity(identity);
policyViolation.setPolicy(policy);
policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);

context.decache();
return policyViolation;

}

Hi Neel,
I wanted to know why it is not possible with policy violation rule - is there any way we can check this policy violation if the user is requesting access for the first time??

@deveshrns Please enable logs and see if they are getting printed or not. Also, you need to set policyScheme in your LCM Provisioning, if it is set to none, policies will not be evaluated.

If I am understanding it correctly, you want the user to still see the entitlement that they cannot have and request them and then SailPoint should fail the access request? right?

You can use the policy in preventive mode by configuring the access request workflow to fail when violation occurs. You can customize the message the user sees when this happen in the workflow.