IdentityIQ - Role Composition including inheritance

Which IIQ version are you inquiring about?

8.4P2

Please share any images or screenshots, if relevant.

N/A

Please share any other relevant files that may be required (for example, logs).

N/A

Share all details about your problem, including any error messages you may have received.

Hello Developer Community! I’m trying to find an API call which will prevent me from having to recursively walk a Business Role, Associated IT Roles, and inherited roles, which will basically give me a list of all entitlements which are composed into the role. I’ve been able to find a few flatten methods on the bundle; however, they don’t seem to walk the entire role “tree”. Consider this example:

Business Role - Claims Analyst contains three required IT roles (ITRole1, ITRole2 and ITRole3). IT Role 1 leverages multiple levels of inheritance where it inherits from Base-Role-D. In turn Base-Role-D inherits from Base-Role-C, which in turn inherits from Base-Role-A. IT Role 1 inherits from Base-Role-B and ITRole3 does not use inheritance. When assigning the Business Role of Claims Analyst, all of the entitlements contained in ITRole1, ITRole2, ITRole3, Base-Role-A, Base-Role-B, Base-Role-C and Base-Role-D will be assigned.

Now, assignment of this role aside, for reporting / reconciliation and possibly rules in Certification Campaigns and Identity Refresh tasks I need to be able to ask the API “what are all of the entitlements which make up the business role Claims Analyst”.

One “thinking outside of the box” thought I had was to create a provisioning plan with the assignment of Claims Analyst to an identity which does not have any assigned Entitlements or Roles and compile the plan. I can then pick apart all of the attribute assignments in the plan to get a full list of entitlements, but I have to imagine there is a better way, I’m just not finding it in the API Docs.
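The recursive walk described in the question, written out as a BeanShell-style Java helper. This is example code added to this thread, not SailPoint's own code and not a SailPoint API; it uses only the public IdentityIQ object model (`Bundle.getRequirements()`, `Bundle.getInheritance()`, `Bundle.getProfiles()`, `Profile.getConstraints()`, `Filter.LeafFilter` / `Filter.CompositeFilter`). The class name `RoleFlattener`, the `FlatEntitlement` record and the `flattenByName` entry point are assumptions for illustration. It follows required roles and inheritance (the two relations that cause entitlements to be assigned with the role) and deliberately skips `getPermits()`, since permitted roles are optional and not assigned automatically; the visited set guards against inheritance cycles, and `walk` records which role contributed each constraint so the output can be reconciled against an actual assignment.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Profile;
import sailpoint.tools.GeneralException;

/**
 * Walks a role, its required roles and its inherited roles, collecting the
 * entitlement constraints carried by every Profile it reaches.
 * Example code added to the thread; not part of the IdentityIQ API.
 */
public class RoleFlattener {

    /** One entitlement as expressed by a Profile filter (assumed helper type). */
    public static class FlatEntitlement {
        public final String application;
        public final String attribute;
        public final String value;
        public final String viaRole;   // role whose Profile contributed this constraint

        FlatEntitlement(String application, String attribute, String value, String viaRole) {
            this.application = application;
            this.attribute = attribute;
            this.value = value;
            this.viaRole = viaRole;
        }

        @Override
        public String toString() {
            return application + " / " + attribute + " = " + value + "  (via " + viaRole + ")";
        }
    }

    private final SailPointContext context;

    public RoleFlattener(SailPointContext context) {
        this.context = context;
    }

    /** Convenience entry point: flatten a role by name, e.g. "Claims Analyst". */
    public List<FlatEntitlement> flattenByName(String roleName) throws GeneralException {
        Bundle root = context.getObjectByName(Bundle.class, roleName);
        if (root == null) {
            throw new GeneralException("No role named " + roleName);
        }
        return flatten(root);
    }

    public List<FlatEntitlement> flatten(Bundle root) throws GeneralException {
        List<FlatEntitlement> out = new ArrayList<FlatEntitlement>();
        Set<String> visited = new HashSet<String>();   // role ids; stops cycles and repeats
        walk(root, visited, out);
        return out;
    }

    private void walk(Bundle role, Set<String> visited, List<FlatEntitlement> out) {
        if (role == null || !visited.add(role.getId())) {
            return;
        }
        // Entitlements defined directly on this role's profiles
        for (Profile p : safe(role.getProfiles())) {
            Application app = p.getApplication();
            String appName = (app != null) ? app.getName() : null;
            for (Filter f : safe(p.getConstraints())) {
                collect(f, appName, role.getName(), out);
            }
        }
        // Required roles (business role -> IT roles), then the inheritance chain.
        // getPermits() is intentionally not followed: permitted roles are optional.
        for (Bundle req : safe(role.getRequirements())) {
            walk(req, visited, out);
        }
        for (Bundle sup : safe(role.getInheritance())) {
            walk(sup, visited, out);
        }
    }

    private static <T> List<T> safe(List<T> list) {
        return (list == null) ? new ArrayList<T>() : list;
    }

    /** Unpack AND/OR composites down to leaf "attribute op value" constraints. */
    private static void collect(Filter f, String app, String role, List<FlatEntitlement> out) {
        if (f instanceof Filter.CompositeFilter) {
            for (Filter child : safe(((Filter.CompositeFilter) f).getChildren())) {
                collect(child, app, role, out);
            }
        } else if (f instanceof Filter.LeafFilter) {
            Filter.LeafFilter leaf = (Filter.LeafFilter) f;
            Object v = leaf.getValue();
            if (v instanceof Collection) {          // e.g. memberOf containsAll {"A","B"}
                for (Object o : (Collection<?>) v) {
                    out.add(new FlatEntitlement(app, leaf.getProperty(), String.valueOf(o), role));
                }
            } else if (v != null) {                 // e.g. memberOf == "A"
                out.add(new FlatEntitlement(app, leaf.getProperty(), String.valueOf(v), role));
            }
        }
    }
}
```

Run it from a rule or a custom task with the rule's `context`, for example `new RoleFlattener(context).flattenByName("Claims Analyst")`, and compare the result with the entitlements actually present on an identity holding that role. Two caveats: Profile constraints can contain operators other than equality and containsAll (this helper treats every leaf the same way), and Profiles can also carry permissions, which are not covered here.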

Hi @kevinwoodbury, the BundleProfileRelation objects might have what you need.
See the javadoc, or perhaps look in the spt_bundle_profile_relation table.


Thank you for this; however, when I look at the API JavaDoc for the sailpoint.object.Bundle class I’m not finding a method called getEffectiveRights. Is this an API call for IdentityIQ or ISC? What you wrote sounds very promising, but I’m not seeing the method in the JavaDoc. I tried a small rule to call the method, hoping maybe the JavaDoc was just lacking, but I get the error

Method getEffectiveRights() not found in class’sailpoint.object.Bundle’

@kevinwoodbury, I haven’t found an API to do what you want.

I use a database query like this for reconciliation processing:

    -- Recursive CTE: every (child, parent) pair in the role tree,
    -- seeded with each role paired with itself.
    with flattened_roles(child_name, child_id, child_type, child_disabled, parent_name, parent_id, parent_type, parent_disabled)
    as (
      select bundle.name, bundle.id, bundle.type, bundle.disabled, bundle.name, bundle.id, bundle.type, bundle.disabled
      from identityiq.spt_bundle bundle
     union all
      select child.child_name, child.child_id, child.child_type, child.child_disabled, parent.name, parent.id, parent.type, parent.disabled
      from flattened_roles child
      join identityiq.spt_bundle_children bc
        on bc.bundle = child.parent_id
      join identityiq.spt_bundle parent
        on parent.id = bc.child
    )
    -- Join the flattened tree to the profile relations to get attribute/value per role.
    select fr.child_id, fr.child_name, fr.child_type, fr.child_disabled,
      fr.parent_id, fr.parent_name, fr.parent_type, fr.parent_disabled,
      b1.id bundle_id_1, b1.name bundle_name_1, b1.disabled bundle_disabled_1, b1.type bundle_type_1,
      b1src.id source_bundle_id_1, b1src.name source_bundle_name_1, b1src.disabled source_bundle_disabled_1, b1src.type source_bundle_type_1,
      a1.id application_id, a1.name application_name,
      bpr.type, bpr.attribute, bpr.value
    from identityiq.spt_bundle_profile_relation bpr
      join flattened_roles fr
        on fr.parent_id = bpr.bundle_id
      left join identityiq.spt_bundle b1
        on b1.id = bpr.bundle_id
      left join identityiq.spt_bundle b1src
        on b1src.id = bpr.source_bundle_id
      left join identityiq.spt_application a1
        on a1.id = bpr.source_application
    where
      -- this is necessary to exclude "orphan" records:
      -- keep only the newest relation row for each (hash, bundle, source bundle)
      not exists (
        select 1
        from identityiq.spt_bundle_profile_relation bpr2
        where bpr2.hash = bpr.hash
        and bpr2.bundle_id = bpr.bundle_id
        and (bpr2.source_bundle_id = bpr.source_bundle_id or bpr2.source_bundle_id is null and bpr.source_bundle_id is null)
        and bpr2.created > bpr.created
      );

It would be great if there was a better way to do this.

I’ve found a REST API that appears to flatten the role, do any of you experts know how I can correlate this REST API to the underlying Java API that is flattening the role?

https://iiqbaseurl.mycompany.com/identityiq/ui/rest/certifications/SomeCertificationGUID/entities//roleDetails/simpleEntitlement

This was viewed by opening a role composition certification, clicking on the blue hyperlink next to the role name, and navigating to the Entitlements tab. This REST call requires a CSRF/XSRF token, so I don’t believe I can just call this URL from my Java code using HTTP classes. However, this returned JSON would be exactly what I need.

I am not seeing it in the API doc either.

It looks like an internal API, so no documentation.

Hi @kevinwoodbury ,

I’m afraid that there is no OOTB API endpoint which would fulfill your requirement.

However, as already mentioned by Paul you may want to consider creating a Plugin which gives you back the information from the (relatively new) feature Bundle Profile Relations.

However, please keep in mind that the feature does not yet work as expected under certain conditions.
You can find more details on the following Compass thread: https://community.sailpoint.com/t5/IdentityIQ-Forum/BundleProfileRelationSynchronizer-maximum-backlog-threshold/m-p/254386#M189383

Best regards,
Daniel