Native change detection

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We are setting up a workflow with the operation of revoke for all connected applications in SailPoint, choosing the entitlement option, and we have a condition of a shared entitlement for multiple roles, so we need suggestions on setting up a provisioning plan for the operation logic.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.api.SailPointContext;
import sailpoint.object.EmailOptions;
import sailpoint.object.EmailTemplate;
import sailpoint.object.Identity;
import sailpoint.object.NativeChangeDetection;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.tools.Util;

// Operations seen on the native changes; returned as CSV for the workflow's string operation step.
// Workflow variables identityName and event are assumed to be passed in.
List ops = new ArrayList();

Identity identity = context.getObjectByName(Identity.class, identityName);
Identity managerIdentity = identity.getManager();

EmailOptions emailOptions = new EmailOptions();

if ( event != null ) {
    List ncs = event.getNativeChanges();
    if ( ncs != null ) {
        for ( NativeChangeDetection nc : ncs ) {
            AccountRequest.Operation op = nc.getOperation();
            String opString;
            if ( op == null )
                opString = "Modify";
            else
                opString = op.toString();
            if ( !ops.contains(opString) ) {
                ops.add(opString);
            }

            // A native change was detected, so also record a Remove (revoke) operation.
            // The ops list is used later in the workflow to perform the revoke.
            opString = "Remove";
            if ( !ops.contains(opString) ) {
                ops.add(opString);
            }

            // Send a notification email to the line manager
            if ( managerIdentity != null ) {
                emailOptions.setTo(managerIdentity.getEmail());
                Map vars = new HashMap();
                vars.put("identity", identity);
                vars.put("operation", opString);
                emailOptions.setVariables(vars);
                EmailTemplate template = context.getObjectByName(EmailTemplate.class, "NotificationEmailTemplate");
                context.sendEmailNotification(template, emailOptions);
            }
        }
    }
}
return Util.listToCsv(ops);

@Aradhana_Mohapatra
Can you be more clear on what exactly you are looking for?

Hi @Aradhana_Mohapatra

Could you provide more information about what process or events you need to launch?

If you want to delete the accounts, you can use this code:

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

AccountRequest accReq = new AccountRequest(AccountRequest.Operation.Delete, "Name_APP", null, nativeId);
accReq.setNativeIdentity(nativeId);
plan.add(accReq);

We have shared entitlements for various IT roles. We are setting up a workflow for all connected applications to detect native changes with entitlements, i.e. if any access is getting provisioned locally outside of the SailPoint platform.

The NCD process of IIQ works on a trigger snapshot concept, i.e. it will check for any native change before and after aggregation tasks.

For the shared entitlement scenario, we are only setting up the revoke operation, where if a native change is detected it will run the operation for modify and then revoke.

Above is the logic for the string operation that we are intending to set up. So I need suggestions on the provisioning plan to run this workflow.

As part of the attribute request we can only set up the group code. With our setup the role name will be difficult to fetch, as a single entitlement is shared across various IT roles.

As part of the trigger event, we want the native change to get detected (prior to this we will enable the connected application with the native change option for entitlements with operations of modify and delete). With the provisioning plan we want the workflow to go through the string operations and remove the detected entitlement from the user profile.
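One way to build the plan described above, as an added example and not code from this thread or from SailPoint: for every native change on the identity it issues a Modify account request that removes the attribute values which appeared outside IIQ, targeting the group code itself rather than a role. It assumes the usual workflow variables identityName and event, a SailPointContext named context, and that Difference.getAddedValues() lists the natively added values.

```java
import java.util.List;
import sailpoint.object.Difference;
import sailpoint.object.Identity;
import sailpoint.object.NativeChangeDetection;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumed workflow variables: identityName (String) and event (IdentityChangeEvent),
// plus the rule/workflow 'context' (SailPointContext).
Identity identity = context.getObjectByName(Identity.class, identityName);
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

List ncs = (event != null) ? event.getNativeChanges() : null;
if (ncs != null) {
    for (NativeChangeDetection nc : ncs) {
        // One Modify request per changed account; the entitlement removals hang off it.
        AccountRequest accReq = new AccountRequest(AccountRequest.Operation.Modify,
                nc.getApplicationName(), null, nc.getNativeIdentity());
        List diffs = nc.getDifferences();
        if (diffs == null) {
            continue;
        }
        for (Difference diff : diffs) {
            List added = diff.getAddedValues();
            if (added == null) {
                continue;
            }
            // Only values added natively are revoked; the attribute name is the
            // entitlement attribute (e.g. the group code), so no role lookup is needed.
            for (Object value : added) {
                accReq.add(new AttributeRequest(diff.getAttribute(),
                        ProvisioningPlan.Operation.Remove, value));
            }
        }
        List attrReqs = accReq.getAttributeRequests();
        if (attrReqs != null && !attrReqs.isEmpty()) {
            plan.add(accReq);
        }
    }
}
// The plan is handed to the workflow's provisioning step; an empty plan means
// nothing was added natively, so nothing is revoked.
return plan;
```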