Hi All,
I hope you are all doing well.
I am looking for sample code/logic for an Advanced Policy rule that restricts the request and throws a Policy Violation when a user requests more than one entitlement during account creation or modification.
Specifically, I am looking for logic that retrieves the user's existing entitlements (if an account already exists) together with the newly requested entitlements, and throws a Policy Violation if the total exceeds one.
I would also like to know how to handle new users versus existing users in the Policy Violation rule.
Thanks in Advance.
I have already developed some code, but it is not getting triggered even though I select more than one role for the same user at a time. Could anyone help me with this, please?
Below is the piece of code.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import sailpoint.object.Application;
import sailpoint.object.Entitlement;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.object.QueryOptions;
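/**
 * Collects the entitlements that {@code identity} currently holds on the
 * application named {@code appName}, read from the identity's account links.
 *
 * Every matching link contributes to the result. The original version
 * overwrote the list on each match, so when an identity had several links
 * on the same application only the last one was counted; a null list
 * returned by the link was also passed straight through to the caller.
 *
 * @param identity the identity whose links are inspected; null yields an empty list
 * @param appName  application name compared with {@code Link.getApplicationName()};
 *                 null yields an empty list
 * @return a mutable, never-null list of whatever
 *         {@code Link.getEntitlements(Locale, String)} returns per link
 *         (the caller counts elements, which assumes one element per
 *         entitlement value -- TODO confirm against the Link API)
 */
public List getIdentityEntitlements(Identity identity, String appName) {
  List entitlementList = new ArrayList();
  if (identity == null || appName == null) {
    return entitlementList;
  }
  List applicationLinks = identity.getLinks();
  if (applicationLinks == null) {
    return entitlementList;
  }
  for (Iterator it = applicationLinks.iterator(); it.hasNext();) {
    Link link = (Link) it.next();
    if (link == null || !appName.equals(link.getApplicationName())) {
      continue;
    }
    // Arguments are passed through unchanged from the original call.
    List linkEntitlements = link.getEntitlements(Locale.getDefault(), "");
    if (linkEntitlements != null) {
      // Accumulate instead of replacing so multiple links on the same
      // application are all counted.
      entitlementList.addAll(linkEntitlements);
    }
  }
  return entitlementList;
}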
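/**
 * Reports whether an account link exists for the given identity on the
 * given application.
 *
 * Uses a count query instead of opening a search iterator: the original
 * obtained an {@code Iterator} from {@code context.search(...)} and never
 * exhausted or closed it, so the underlying cursor stayed open. The string
 * literals also used typographic quotes, which do not compile.
 *
 * @param identityName name of the identity to look up; null returns false
 * @param appName      application name to look up; null returns false
 * @return true when at least one matching {@code Link} exists
 * @throws sailpoint.tools.GeneralException if the query fails
 *         (propagated from the context; the original behaved the same way)
 */
public boolean isLinkPresent(String identityName, String appName) {
  if (identityName == null || appName == null) {
    return false;
  }
  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.eq("identity.name", identityName));
  qo.addFilter(Filter.eq("application.name", appName));
  // countObjects returns the number of matches without holding a result cursor.
  return context.countObjects(Link.class, qo) > 0;
}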
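// Rule body. `identity`, `policy` and `context` are supplied by the caller
// of this Advanced Policy rule; the rule returns a PolicyViolation or null.
//
// Why the original never fired: `oldIdentity` was loaded by the same name as
// `identity`, so `expectedEnt` and `existingEnt` were computed from what is
// most likely the same persisted identity. Entitlements that are only being
// requested (not yet provisioned to a Link) are therefore invisible here.
// NOTE(review): confirm whether the caller passes a projected identity with
// the pending request applied; if not, the requested values have to be read
// from the provisioning plan rather than from the identity's links -- TODO.
// The unused `existingEnt` and `isLinkPresent` lookups were removed; the
// misspelled `sailpoint.object.Apllication` import at the top of the rule
// should read `Application` (it is unused, but it does not compile as written).
PolicyViolation policyViolation = null;
// Plain ASCII quotes: the original used typographic quotes, which do not compile.
String appName = "Asia Group Insurance System SLOCPI";
List expectedEnt = getIdentityEntitlements(identity, appName);
// getIdentityEntitlements may return null depending on the Link API, so guard.
int entitlementCount = (expectedEnt == null) ? 0 : expectedEnt.size();
// More than one entitlement on this application is a violation.
if (entitlementCount > 1) {
  policyViolation = new PolicyViolation();
  policyViolation.setActive(true);
  policyViolation.setIdentity(identity);
  policyViolation.setPolicy(policy);
  policyViolation.setStatus(PolicyViolation.Status.Open);
}
return policyViolation;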