Managed Entitlement Customization Rule

How do I set the entitlement owner to the application owner and set requestable to true in a managed entitlement customization rule?

There is a good example in the Rules Whitepaper: https://community.sailpoint.com/t5/Technical-White-Papers/Rules-in-IdentityIQ/ta-p/78176

Look for ‘ManagedAttributeCustomization’

The example in the whitepaper does exactly what you want (if I read your question correctly).

If you need more help, let us know.

– Remold

I don’t have access to read this whitepaper.

The code from the whitepaper:

This example ManagedAttributeCustomization rule sets the owner as the application owner and sets a description for the managed attribute.

import sailpoint.object.*;
import java.util.Locale;

// Set the owner to the app owner; fall back to spadmin if the application has no owner.
Identity owner = null;
if ((null != application) && (null != application.getOwner())) {
  owner = application.getOwner();
} else {
  owner = context.getObjectByName(Identity.class, "spadmin");
}
attribute.setOwner(owner);

// Make the attribute requestable.
attribute.setRequestable(true);

String description = "friendly description";
// In 6.0+, use this logic to set descriptions for managed attributes
attribute.addDescription(Locale.US.toString(), description);
// In versions prior to 6.0, set description like this:
attribute.setExplanation("default", description);

I hope this helps.

(BTW I thought the rules whitepaper is public, or don’t you have a Horizon account?)

– Remold

You can search for Rules in IdentityIQ; it gives you a PDF document for all the rules.

Below is the sample rule given by SailPoint.

import sailpoint.object.*;
import java.util.Locale;

// Set the owner to the app owner.
Identity owner = null;
if ((null != application) && (null != application.getOwner())) {
  owner = application.getOwner();
} else {
  owner = context.getObjectByName(Identity.class, "spadmin");
}
attribute.setOwner(owner);

// Make the attribute requestable.
attribute.setRequestable(true);

String description = "friendly description";
// In 6.0+, use this logic to set descriptions for managed attributes
attribute.addDescription(Locale.US.toString(), description);
// In versions prior to 6.0, set description like this:
attribute.setExplanation("default", description);

I tried this code, but the owner in the entitlement catalog is still blank. I have even tried to debug the issue by adding a logger, but no log output is generated for this rule; for other rules, log output is generated.

Any solution for this?

Hi @SDM007,

The ManagedAttributeCustomization rule sets values on Managed Attributes only when they are initially created, not on update.
If you are looking to update the existing Managed Attributes, I would suggest using a GroupAggregationRefresh rule. It allows customization on both create and update.

To find example rules, you can check the location below on the IIQ server for the file examplerules.xml.

IIQ_Home/WEB-INF/config/examplerules.xml

Also please find the example rule mentioned in the Rule documentation.

This example GroupAggregationRefresh rule extracts the first DN listed in the account group’s “owner” attribute and parses the user name out of that string to identify the account group owner. It sets the Identity corresponding to that name as the account group owner and returns the account group.

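import java.util.List;
import java.util.ArrayList;
import sailpoint.object.ResourceObject;
import sailpoint.object.AccountGroup;
import sailpoint.object.Identity;

String ownerDN = null;
String ownerName = null;
Identity identity = null;

// "owner" may hold a single DN or a list of DNs; use the first one.
Object owner = obj.getAttribute("owner");
if (owner instanceof List) {
  List owners = (List) owner;
  if (!owners.isEmpty()) {
    ownerDN = (String) owners.get(0);
  }
} else {
  ownerDN = (String) owner;
}

// Parse the user name out of a DN of the form "uid=<name>,...".
if (ownerDN != null) {
  int start = ownerDN.indexOf("uid=");
  int end = ownerDN.indexOf(",", start);
  if (start >= 0 && end > start + 4) {
    ownerName = ownerDN.substring(start + 4, end);
  }
}

// Resolve the name to an Identity and set it as the account group owner.
if (null != ownerName) {
  identity = context.getObjectByName(Identity.class, ownerName);
}
if (null != identity) {
  accountGroup.setOwner(identity);
}

return accountGroup;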
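The rule above takes the user name from the owner DN with `indexOf`/`substring`, which yields a wrong or missing name when `uid=` is upper-case, absent, or followed by a value containing an escaped comma. The following is an added example, not code from the post or from SailPoint's documentation, that parses the DN with the JDK's `LdapName` instead; the class name `OwnerDnParser`, the method `uidFromDn` and the sample DNs are constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class OwnerDnParser {

    /**
     * Returns the value of the leaf-most "uid" RDN in the DN, or null if the
     * DN is null, malformed, or has no uid component.
     */
    static String uidFromDn(String dn) {
        if (dn == null) {
            return null;
        }
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            // getRdns() lists the right-most RDN first, so walk backwards
            // to start at the leaf entry.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Rdn rdn = rdns.get(i);
                if ("uid".equalsIgnoreCase(rdn.getType())) {
                    // getValue() returns the unescaped attribute value.
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: report "no owner" rather than guess a name.
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory.
        List<String> samples = Arrays.asList(
            "uid=jsmith,ou=People,dc=example,dc=com",
            "UID=jsmith,ou=People,dc=example,dc=com",
            "uid=smith\\, john,ou=People,dc=example,dc=com",
            "cn=Admins,ou=Groups,dc=example,dc=com",
            "not a dn");
        for (String dn : samples) {
            System.out.println(dn + " -> " + uidFromDn(dn));
        }
    }
}
```

Inside a rule, the returned name would be passed to `context.getObjectByName(Identity.class, ownerName)` as in the post, and a null result should leave the owner unset so that an entitlement is never assigned to a mis-parsed identity.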

Sachin,

Another way to set the owner of the entitlement (AD groups only) is to pull in the managedBy value from the AD group and then convert it to an identity. I normally push the AD DN to an identity attribute and make it searchable so that this is easy in the group aggregation rule.

Just another option in case application owner is too simple.

I also have a plugin that lets you subdivide your AD groups into virtual applications.

Keith Smith

sample code snippet

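import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.GeneralException;

String managedBy = (String) group.getAttribute("managedBy");
if (managedBy != null) {
  if (logADGroup.isTraceEnabled()) {
    logADGroup.trace("Found managedBy: " + managedBy);
  }
  try {
    // Find the account link whose native identity is the managedBy DN.
    Link link = context.getUniqueObject(Link.class, Filter.eq("nativeIdentity", managedBy));
    if (link != null) {
      Identity owner = link.getIdentity();
      if (owner != null) {
        if (logADGroup.isTraceEnabled()) {
          logADGroup.trace("Owner: " + owner);
        }
        group.setOwner(owner);
      }
    }
  } catch (GeneralException e) {
    // The posted snippet is cut off after setOwner; this handler is an assumed minimal completion.
    logADGroup.error("Could not resolve owner for managedBy " + managedBy, e);
  }
}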
