Is there any way to skip account provisioning for a few entitlements and allow provisioning for others?

@milinaphalke

Glad it worked.

Please feel free to mark the solution if that resolved your issue.

Hi @MVKR7T
I had tried creating an Advanced policy to check whether an identity does not have an Active Directory account and, if so, create a policy violation object. However, this does not work out. When the role is requested, due to the Create AD provisioning policy, the plan is created and shows that an AD account will be created, and hence it does not result in any violation.

import java.util.List;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;

PolicyViolation polVil = null;
// Assume a violation until an active AD account link is found
boolean isViolation = true;

if (identity != null) {
  String identityName = identity.getName();
  List links = identity.getLinks();

  if (links != null && links.size() > 0) {
    String appName;
    List entitlements;
    String entVal;

    // Any enabled link on the AD application clears the violation
    for (Link link : links) {
      if (link != null && !link.isDisabled()) {
        appName = link.getApplicationName();
        if (appName != null && appName.equalsIgnoreCase("Active Directory")) {
          isViolation = false;
        }
      }
    }
  }
}
//==Check for Violation
if (isViolation) {
  log.debug(" Test SOD : Inside Violation —");
  polVil = new PolicyViolation();
  polVil.setActive(true);
  polVil.setIdentity(identity);
  polVil.setPolicy(policy);
  polVil.setDescription("User does not have an AD account");
}
return polVil;

Try the below code.

import sailpoint.object.Identity;
import sailpoint.object.Bundle;
import sailpoint.object.PolicyViolation;
import java.util.List;
import sailpoint.object.Link;

PolicyViolation violation = null;
boolean vflag = false;
String desc = null;

// Identity as passed to the policy rule (includes what the request would add)
Identity reqIdentity = identity;
// Identity as currently stored in the database
Identity dbIdentity = context.getObjectByName(Identity.class, identity.getName());

List reqIdLinks = reqIdentity.getLinks();
List dbIdLinks = dbIdentity.getLinks();

// Keep only the links that the request would newly create
reqIdLinks.removeAll(dbIdLinks);

boolean adFlag = false;

if (!reqIdLinks.isEmpty()) {

	// Is one of the newly created links an AD account?
	for (Link link : reqIdLinks) {
		if (link.getApplicationName().equalsIgnoreCase("AD app")) {
			adFlag = true;
			break;
		}
	}

	if (adFlag) {
		vflag = true;
		desc = "You should have AD Account already before requesting for AD Groups";
	}
}

if (vflag) {
	violation = new PolicyViolation();
	violation.setActive(true);
	violation.setIdentity(identity);
	violation.setPolicy(policy);
	violation.setConstraint(constraint);
	violation.setDescription(desc);
	violation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}
return violation;

To understand how this works, check this post

Thanks
Krish
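
The difference between the two checks in this thread, as an added stand-alone Java example (not code from either poster and not SailPoint's API). It assumes, as the thread describes, that the identity evaluated by the policy already reflects the accounts the provisioning plan would create; the `Account` record, the class and method names, and the sample data are hypothetical stand-ins.

```java
import java.util.ArrayList;
import java.util.List;

public class AdPrerequisiteCheck {
    // Hypothetical stand-in for an account link: application name plus native identity.
    record Account(String application, String nativeIdentity) {}

    static final String AD_APP = "Active Directory"; // application name used in the first post

    // First check from the thread: violation when the evaluated identity shows no AD account.
    static boolean violatesByPresence(List<Account> evaluated) {
        return evaluated.stream().noneMatch(a -> AD_APP.equalsIgnoreCase(a.application()));
    }

    // Second check: violation when an AD account appears only in the evaluated
    // identity, i.e. the request itself would create it.
    static boolean violatesByDiff(List<Account> evaluated, List<Account> stored) {
        List<Account> added = new ArrayList<>(evaluated); // copy, so the input list is not mutated
        added.removeAll(stored);                          // records compare by value
        return added.stream().anyMatch(a -> AD_APP.equalsIgnoreCase(a.application()));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Account hr = new Account("HR", "e1001");
        Account ad = new Account(AD_APP, "CN=jdoe,OU=Users,DC=example,DC=com");

        // Case 1: no AD account stored; the role request adds one to the plan,
        // so the identity handed to the policy already contains it.
        List<Account> stored = List.of(hr);
        List<Account> evaluated = List.of(hr, ad);
        System.out.println("no AD yet, presence check: " + violatesByPresence(evaluated));
        System.out.println("no AD yet, diff check:     " + violatesByDiff(evaluated, stored));

        // Case 2: AD account already stored; the same request must pass both checks.
        stored = List.of(hr, ad);
        evaluated = List.of(hr, ad);
        System.out.println("has AD, presence check:    " + violatesByPresence(evaluated));
        System.out.println("has AD, diff check:        " + violatesByDiff(evaluated, stored));
    }
}
```

In the first case only the diff check reports a violation, because the presence check sees the planned AD account as if it already existed.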
