Native Change detection on AD for entitlements

Which IIQ version are you inquiring about?

8.3p3

Hello all,

I need some help on how to implement native change detection for entitlements.
The requirement is for the AD application: when entitlements get changed at the account level, we need to monitor what was there before and after, and then create custom audit events with the information we captured.

Thanks,
Deepak

@vedeepak
Create a lifecycle event with Native Change as the type, and within the custom workflow create a custom audit event with the data of the native changes detected.

@iamksatish Do you have an example for the use case?

@vedeepak /@amahlemohlokonya

Create a lifecycle event based on Native Change; within the corresponding workflow you can get the native changes that happened using the API below:

import java.util.List;
import sailpoint.object.NativeChangeDetection;

// "event" is the IdentityChangeEvent handed to the workflow by the identity trigger
List natChangeList = event.getNativeChanges();
if (null != natChangeList) {
    for (NativeChangeDetection ncd : natChangeList) {
        // Perform the checks or code that you want here; you can get the
        // application name and the differences using the APIs below
        String appName = ncd.getApplicationName();
        List diff = ncd.getDifferences();
        // Note - please check the NativeChangeDetection API doc for the available APIs
    }
}
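As an added example (not code from the original post), here is a complete workflow-step script that turns each detected difference into a custom AuditEvent with the before and after values, which is also the piece the refresh rule further down leaves as a placeholder. It assumes the standard trigger-workflow variables context, log, identityName and event; the action name "CustomNativeChangeAD" and the application name "Active Directory" are assumed values.

```java
import java.util.Iterator;
import java.util.List;
import sailpoint.object.AuditEvent;
import sailpoint.object.Difference;
import sailpoint.object.NativeChangeDetection;

// Assumed custom audit action; enable it in AuditConfig so it shows up in audit reports.
String AUDIT_ACTION = "CustomNativeChangeAD";
// Assumed name of the AD application as defined in IIQ; only its changes are audited.
String TARGET_APP = "Active Directory";

List natChangeList = event.getNativeChanges();
int audited = 0;
if (natChangeList != null) {
  for (Iterator it = natChangeList.iterator(); it.hasNext();) {
    NativeChangeDetection ncd = (NativeChangeDetection) it.next();
    if (!TARGET_APP.equals(ncd.getApplicationName())) {
      continue; // change on some other application, out of scope
    }
    List diffs = ncd.getDifferences();
    if (diffs == null) {
      continue; // e.g. a Create/Delete with no attribute-level differences
    }
    for (Iterator dit = diffs.iterator(); dit.hasNext();) {
      Difference diff = (Difference) dit.next();
      // Multi-valued attributes (group membership) carry added/removed value lists;
      // single-valued attributes carry old/new values. Record whichever is present.
      String before = (diff.getRemovedValues() != null)
          ? String.valueOf(diff.getRemovedValues()) : String.valueOf(diff.getOldValue());
      String after = (diff.getAddedValues() != null)
          ? String.valueOf(diff.getAddedValues()) : String.valueOf(diff.getNewValue());

      AuditEvent ae = new AuditEvent();
      ae.setAction(AUDIT_ACTION);
      ae.setSource("NativeChangeWorkflow");      // what recorded the event
      ae.setTarget(identityName);                // the identity whose account changed
      ae.setApplication(ncd.getApplicationName());
      ae.setAccountName(ncd.getNativeIdentity());
      ae.setAttributeName(diff.getAttribute());
      ae.setString1(String.valueOf(ncd.getOperation())); // Create / Modify / Delete
      ae.setString2("before=" + before);
      ae.setString3("after=" + after);
      context.saveObject(ae);
      audited++;
    }
  }
  context.commitTransaction();
}
log.info("Native change audit events written for " + identityName + ": " + audited);
```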


Thanks for the response

Hi @vedeepak ,

Can you try with the code in the AD group aggregation refresh rule? Change or write the logic according to your requirements for the custom audit. I hope this works.

  //============= Checking Group update in IIQ =============
  if(null != accountGroup && null != obj)
  {
    log.error("inside if of checking obj and accountGroup starting"); 
    
    log.error("ManagedAttribute object value : "+accountGroup.toXml()); 
    log.error("ResourceObject object value : "+obj.toXml()); 

    String maEntValue = accountGroup.getValue();
    String maDisplayName = accountGroup.getDisplayName();
    String objDNValue = obj.getIdentity();
    String objDisplayName = obj.getDisplayName();
    String objsAMAccountName = obj.getAttributes().getString("sAMAccountName");
    String objDistinguishedName = obj.getAttributes().getString("distinguishedName");
    String objDescription = obj.getAttributes().getString("description");
    
    log.error("ma entitlement value: "+maEntValue);
    log.error("ma displayname: "+maDisplayName);
    log.error("obj group DN value: "+objDNValue);
    log.error("obj group displayname: "+objDisplayName);
    log.error("obj group SamAccountName: "+objsAMAccountName);
    log.error("obj group distinguishedName: "+objDistinguishedName);
    log.error("obj group description: "+objDescription);

    if(null != objDNValue && null != maEntValue && null != objDisplayName && null != maDisplayName && null != objDescription && null != accountGroup.getDescriptions().get("en_US"))
    {
      if(!(maEntValue.equals(objDNValue)) || !(objDisplayName.equals(maDisplayName)) || !(objDescription.equals(accountGroup.getDescriptions().get("en_US"))))
      {
        log.error("Both values are not equal");
        
        //write logic for custom audit events with the information we captured
        
        log.error("Both values are not equal, so creating audit");
      }
      else
      {
        log.error("Both values are equal");
      }
    }
    else
    {
      log.error("Either of maEntValue or objDNValue values are null");
    }

    log.error("inside if of checking obj and accountGroup ending");    
  }

Hi Satish,
Thanks for the response. I have created an identity trigger with type Native Change and configured a custom WF. As per the technical document, I have unchecked the “disabled optimization” option and checked the “process events” option in Refresh Identity Cube.

I see the below results. The events processed are related to rehire WFs. One thing I am not sure about is the “workflows launched is ~10k”. But I do not see any workflows launched in the task results, and I do not see any logs from the WF which I created for Native Change.

Could you please advise?


@vedeepak

Share your custom workflow and identity trigger XML once.

And also, I believe your goal is to audit any external entitlement additions for AD accounts outside SailPoint; let me know if this is not the correct understanding.

Find the attached files and you’re correct about the expectation.

Workflow-NativeChangeDetection.xml (1.8 KB)
NativeIdentityTrigger.xml (1005 Bytes)

Is there any way to test it easily without changing entitlements natively? I tried to remove one entitlement on the identity object and trigger the Refresh Identity Cube task for that user, but it didn’t help me because the deleted entitlement came back again on the identity object.

I have a question regarding the Native Identity trigger. While it is working correctly, I was wondering if there is a way to trigger the native change workflow in case the workflow fails for some reason. Is there an option to manually initiate the workflow if it encounters an error and does not complete successfully?

Missed this completely. You can actually remove or add an entitlement on the identity from the debug page and run aggregation, so that SailPoint assumes a change happened on the target side and the native change triggers.

@vedeepak
I don't think you will have a direct way to do this, but which part of the workflow do you think can fail? In the initial step itself you can actually log an audit event to store the old and new changes, and have a particular attribute which gets updated after your other steps have been processed.

If the workflow failed in any of the post-processing steps, write a stand-alone custom rule which can find such failures and re-do those steps. This is one approach, but if you can provide more details, that can help in case something else can be suggested.


I have tried this method already. But when I executed the Refresh Identity Cube task, the previously deleted entitlement came back into the identity object and the events did not get triggered. I ended up making the change in the target system and using single account aggregation for faster testing.

Got it. Anyhow, the above suggestion should work for the failure scenario; please check and let me know if you have any other issue with that.

Sorry, a bit of a hijack. We had native change detection on in our environment for AD entitlements and it ended up generating false alerts / NCDs, as in we were getting NCDs for actions based off roles being provisioned or actions being taken in reviews/certifications from IIQ.
How do you prevent that from happening?
