Manager certification, Included Applications and include Roles. During runtime how can I delimit the items to only the roles for the included applications?

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We have made a manager certification. In the basic properties we included some applications, let’s say appl-A and appl-C, and also (only) selected the box [include roles].

When we run the certification we want to delimit the roles in the certification to only the roles that are related to the applications that have been included.
But IdentityIQ doesn’t work that way (for us): for some managers it seems to work, but for other managers there are also roles included that are related to other applications.
We cannot discover why it sometimes seems to work, and why it doesn’t in other cases.

Does anyone have the same experience, or knowledge about why it’s working like this?
And hopefully how we can get this to work like we want to?

Hi Henry,
Starting from the end - you can exclude entries to certify via exclusion rule. I mean you can write a rule to exclude roles not related to the apps.

Regarding question “why?” You would need to add here certification definition so we could take a look on that.

1 Like

Hi @henry_mensink

Welcome to SailPoint Developer Community.

Not sure which Roles you are certifying, Business or IT Roles.

However, IT Roles you can have entitlements from multiple applications. So you need extensive coding to exclude them.

Approach 1:
You can go for Role Membership certification, select all the Roles you would like to certify. Choose certifier as the manager.

Approach 2:
If there are many Roles then it would be difficult to select all of them, it takes a bit more time. Then you can create an extended attribute for Bundle/Role, Application Name. Make it searchable. Once it is searchable, you can pull all the Roles which are tagged to that application. Use Targeted Certification, where you can choose what to certify and who should certify.


1 Like

I believe the Exclusion Rule is the option to go. Find the rule below:

  import sailpoint.object.*;

  CertificationDefinition cd = context.getObjectById(CertificationDefinition.class, certification.getCertificationDefinitionId());
  List appIds = cd.getIncludedApplicationIds();

  if (entity instanceof Identity) {
    Identity identity = (Identity) entity;
    Iterator it = items.iterator();
    while(it.hasNext()) {
      Certifiable certifiable = (Certifiable);
      if(certifiable instanceof Bundle) {

        Bundle bundle = (Bundle) certifiable;

        if (null != appIds && !appIds.isEmpty()) {
          boolean includeApp = false;
          Set bundleApps = bundle.getApplications();
          for (Application bundleApp : bundleApps) {
            if (appIds.contains(bundleApp.getName())) {
              includeApp = true;
          if (!includeApp) {
            explanation.append("Exclude \"" + bundle.getName() + "\" from certification. Role is not related to applications included in the certification.");
  return (0 != explanation.length()) ? explanation.toString() : null;

PS Due to some strange thinking in the ancient past of IdentityIQ, the function getIncludedApplicationIds() of the class CertificationDefinition does not return the IDs of the applications but the names. Hence the check if the application name is in thisList

I hope this helps :slight_smile:

– Remold


thnx Remold, this indeed has solved our issue