ManagedBy Attribute in AD

Which IIQ version are you inquiring about?

8.4p1

I am looking into the plausibility of utilizing the ManagedBy tab within Active Directory and correlating this back to the owner of an entitlement within SailPoint.
I don't see a group correlation piece in the AD application connector at all.
Would this need a custom rule to correlate these fields?

Yes, you will have to use a custom rule to add the owner information. You can use the group refresh rule to get the managedBy field value and then use that to find the owner identity and then set that as owner using .setOwner(identity).

Let me know if you need a sample rule or code snippet.

If you have any sample code, that would be very helpful!
I had the initial ask flipped. We would want the ManagedBy field to drive the ownership within SailPoint. Would that be possible with a similar custom rule?

Here you go

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.client.iiq.constant.EntitlementObjectModel;
import com.client.iiq.constant.clientGlobalConstants;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ManagedAttribute;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Group refresh rule for the AD application. The rule receives the aggregated
// group as "accountGroup" and the SailPointContext as "context", and returns
// the (possibly modified) ManagedAttribute. The managedBy attribute must be
// part of the AD group schema for it to be present on the ManagedAttribute.
Log logADGroup = LogFactory.getLog("client.rule.GroupAggregationRefresh-AD");

ManagedAttribute group = (ManagedAttribute) accountGroup;
if (group != null) {
    // Client-specific default: groups without a risk level are treated as high risk.
    String riskLevel = (String) group.getAttribute(EntitlementObjectModel.ATT_RISK_LEVEL);
    if (Util.isNullOrEmpty(riskLevel)) {
        if (logADGroup.isTraceEnabled()) {
            logADGroup.trace("Setting default risk level for group: " + group.getDisplayableName());
        }
        group.setAttribute(EntitlementObjectModel.ATT_RISK_LEVEL,
                clientGlobalConstants.RISK_LEVEL_HIGH);
    }

    // managedBy holds the DN of the AD object that manages the group. The lookup
    // below assumes the AD account's nativeIdentity in IIQ is that same DN.
    String managedBy = (String) group.getAttribute("managedBy");
    if (managedBy != null) {
        if (logADGroup.isTraceEnabled()) {
            logADGroup.trace("Found managedBy: " + managedBy);
        }
        try {
            // getUniqueObject throws GeneralException if more than one Link matches
            // (for example the same DN on two applications); that is caught below.
            Link link = context.getUniqueObject(Link.class, Filter.eq("nativeIdentity", managedBy));
            if (link != null) {
                Identity owner = link.getIdentity();
                if (owner != null) {
                    if (logADGroup.isTraceEnabled()) {
                        logADGroup.trace("Owner: " + owner);
                    }
                    // The correlated identity becomes the entitlement owner in IIQ.
                    group.setOwner(owner);
                } else {
                    logADGroup.error("Owner returned by search is null");
                }
            } else {
                logADGroup.error("Could not find identity with AD account associated with DN: " + managedBy);
            }
        } catch (GeneralException e) {
            logADGroup.error("Error retrieving owner object:", e);
        }
    } else {
        logADGroup.info("managedBy for " + group.getDisplayableName() + " is null");
    }
} else {
    logADGroup.error("Group retrieved from accountGroup is null");
}
return group;
