NCD Detection Entitlement Exclusion

Which IIQ version are you inquiring about?

8.4p2

Share all details about your problem, including any error messages you may have received.

We have implemented native change detection. Some of our app owners have asked to exclude some entitlements from the NCD process.
Just wanted to check what the best way to handle this would be.

Hi @pratikparate1999

NCD detection cannot be bypassed for specific values. However, if your lifecycle events (LCE) are configured by rules, you can manage or skip the LCE trigger. To achieve this, you can store the relevant entitlement values in a custom object, organized by application. Then, within your LCE rule, retrieve the custom object and check whether the entitlement value from NCD is present in the custom object. If it is, return false; otherwise, return true.

Hi Pratik,

There is no OOTB functionality to exclude the groups during aggregation. The main purpose of native change detection is to detect all groups that are changing on the target system. So, instead, you can exclude groups at the native change trigger workflow level.

I think many clients are facing the same issue, and an idea has been created in the ideas portal.
https://ideas.sailpoint.com/ideas/IIQ-I-95

Hi @pratikparate1999 ,

Welcome to the community. There is no OOTB feature available, but it can be customized using a custom NCD workflow. Below are the steps that can be followed:

  1. Create one custom workflow for NCD.
  2. In the workflow itself, add a step to filter out the entitlement from the native change.
  3. Probably create a custom file with the application-to-entitlement mapping that needs to be excluded.
  4. In the workflow, fetch the NativeChangeDetection object.
  5. Fetch the differences.
  6. The difference will have the entitlement name; match it with the custom object and, if it needs to be excluded, drop it.

Below is a quick code snippet. These are just samples; do customize as per your requirement.

Fetch the values from the differences:

  // Values that appeared on / disappeared from the account since the last aggregation
  List addedValues = difference.getAddedValues();
  List removedValues = difference.getRemovedValues();

Set these back on the Difference object after matching against the data from the custom file; if a value exists there, drop it from the list above first.

  // Write the filtered lists back so downstream steps only see the surviving values
  difference.setAddedValues(addedValues);
  difference.setRemovedValues(removedValues);

Create a copy of the NativeChangeDetection object, or simply create a new NativeChangeDetection object and set its values like below:

  // Carry the identifying fields over from the original detection
  NativeChangeDetection sampleNcd = new NativeChangeDetection();
  sampleNcd.setApplication(ncd.getApplication());
  sampleNcd.setOperation(ncd.getOperation());
  sampleNcd.setId(ncd.getId());
  sampleNcd.setNativeIdentity(ncd.getNativeIdentity());

Add the above Difference object:

  sampleNcd.add(difference);

You can go through the link below for more details:

https://community.sailpoint.com/t5/IdentityIQ-Articles/Native-Change-Detection/ta-p/72848

Hi @pratikparate1999

For native change detection we have two OOTB workflows, namely:

  1. Lifecycle Event - Email manager for all native changes
  2. Lifecycle Event - Manager Approval for all native changes

There is a variable named event in these workflows; it is of type IdentityChangeEvent. You can use this to write a rule for excluding the groups.

For that:

  1. Place the excluded group names in the custom object.
  2. In the workflow, add a condition, get the Difference object from the IdentityChangeEvent object, and check the display name against the custom object values.
  3. If the values match, return true, and configure your workflow to go to the end step.

For instance:
When I tried to trace the OOTB workflow, I found the event variable XML as:


By following the steps mentioned above, you can exclude the groups that match the custom object values.
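The three approaches in this thread (a boolean check in an LCE rule in the first reply, dropping values from the Difference lists in a custom workflow in the third, and a condition on the event variable of the OOTB workflow in the fourth) all reduce to the same filter. The class below is an added example written for this page, not code from any of the replies or from SailPoint, and it assumes identityiq.jar on the classpath, a hypothetical Custom object named "NCD Exclusions" with one attribute per application name holding a List (or CSV string) of entitlement values to ignore, and that IdentityChangeEvent.getNativeChanges() and NativeChangeDetection.getApplicationName() exist with those names (the third reply writes the latter as getApplication(); confirm against the javadoc for your release). Everything else uses only the Difference and NativeChangeDetection accessors already shown above. Hypothetical names: NcdExclusionFilter, CUSTOM_NAME, loadExclusions, filterInPlace, eventStillHasChanges.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import sailpoint.api.SailPointContext;
import sailpoint.object.Custom;
import sailpoint.object.Difference;
import sailpoint.object.IdentityChangeEvent;
import sailpoint.object.NativeChangeDetection;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

/**
 * Added example: filters NCD differences against an exclusion list kept in a
 * Custom object. Assumed Custom layout (hypothetical name "NCD Exclusions"):
 * one attribute per application name whose value is a List of entitlement
 * values (e.g. group DNs) to ignore, or a CSV string of the same values.
 */
public class NcdExclusionFilter {

    /** Hypothetical name; use whatever your Custom object is actually called. */
    public static final String CUSTOM_NAME = "NCD Exclusions";

    /** Excluded values for one application; empty set if none are configured. */
    public static Set<String> loadExclusions(SailPointContext context, String applicationName)
            throws GeneralException {
        Set<String> excluded = new HashSet<String>();
        Custom custom = context.getObjectByName(Custom.class, CUSTOM_NAME);
        if (custom == null || applicationName == null) {
            return excluded;
        }
        Object raw = custom.get(applicationName);
        if (raw instanceof List) {
            for (Object v : (List<?>) raw) {
                if (v != null) {
                    excluded.add(v.toString());
                }
            }
        } else if (raw instanceof String) {
            excluded.addAll(Util.csvToList((String) raw));
        }
        return excluded;
    }

    /** Copy of values with every excluded entry removed (exact, case-sensitive match). */
    private static List<String> dropExcluded(List<String> values, Set<String> excluded) {
        List<String> kept = new ArrayList<String>();
        if (values != null) {
            for (String v : values) {
                if (!excluded.contains(v)) {
                    kept.add(v);
                }
            }
        }
        return kept;
    }

    /**
     * Rewrite ncd in place: excluded values are dropped from the added/removed
     * lists of every multi-valued Difference, and a Difference left with
     * nothing added or removed is discarded entirely. Single-valued
     * differences pass through unchanged. Returns true if any difference
     * survived, i.e. there is still something for the workflow to act on.
     */
    public static boolean filterInPlace(NativeChangeDetection ncd, Set<String> excluded) {
        List<Difference> kept = new ArrayList<Difference>();
        List<Difference> diffs = ncd.getDifferences();
        if (diffs != null) {
            for (Difference d : diffs) {
                if (!d.isMulti()) {
                    kept.add(d);
                    continue;
                }
                List<String> added = dropExcluded(d.getAddedValues(), excluded);
                List<String> removed = dropExcluded(d.getRemovedValues(), excluded);
                if (added.isEmpty() && removed.isEmpty()) {
                    continue; // the whole change consisted of excluded values
                }
                d.setAddedValues(added);
                d.setRemovedValues(removed);
                kept.add(d);
            }
        }
        ncd.setDifferences(kept);
        return !kept.isEmpty();
    }

    /**
     * For an LCE rule or a workflow condition step: walk every native change
     * carried by the event, strip exclusions, and report whether anything
     * remains. true means "continue the workflow"; route false to the end step.
     */
    public static boolean eventStillHasChanges(SailPointContext context, IdentityChangeEvent event)
            throws GeneralException {
        boolean remaining = false;
        List<NativeChangeDetection> changes = event.getNativeChanges(); // assumed accessor
        if (changes != null) {
            for (NativeChangeDetection ncd : changes) {
                // assumed accessor; the third reply writes this as getApplication()
                Set<String> excluded = loadExclusions(context, ncd.getApplicationName());
                if (filterInPlace(ncd, excluded)) {
                    remaining = true;
                }
            }
        }
        return remaining;
    }
}
```

In a BeanShell step you would call `NcdExclusionFilter.eventStillHasChanges(context, event)` and branch on the result; in an LCE rule, return that value. Two cautions a practitioner should keep in mind: the match is an exact string comparison, so normalize case first if the target treats values case-insensitively (AD group DNs, for example); and whatever lands on the exclusion list becomes invisible to manager notification and approval, so out-of-band grants of those entitlements will no longer be surfaced. Keep the Custom object under change control and never put privileged groups on it.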
