Password interceptor based on userType

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I need help updating the password interceptor based on a User Type filter.

The filter for Password Interceptor needs to be updated to examine the AD attribute userType and only process password resets with the value of 100 (user accounts) and reject resets for any other userType values. I have a working password interceptor workflow for all users with all target systems. Can you please help with this or suggest how to add a userType filter?

Thanks

Hi Niket,
In the Password Intercept workflow there is a step called Select Targets.

By default it does nothing - it’s just a placeholder for filtering - so here I would just write a short rule to check all account requests in the provisioning plan, and if any of them has a userType different than 100 I’d remove it from the plan.

Something like this:

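        import java.util.ArrayList;
        import java.util.List;
        import sailpoint.object.Identity;
        import sailpoint.object.Link;
        import sailpoint.object.ProvisioningPlan;
        import sailpoint.object.ProvisioningPlan.AccountRequest;

        String typeAttributeName = "userType";
        String filterValue = "100";

        // Account requests that are allowed to stay in the plan
        List newAccountRequests = new ArrayList();
        List accountRequests = plan.getAccountRequests();
        Identity identity = plan.getIdentity();
        List links = (identity != null) ? identity.getLinks() : null;

        if (accountRequests != null && links != null) {
            for (AccountRequest accReq : accountRequests) {
                String nativeIdentity = accReq.getNativeIdentity();
                String appName = accReq.getApplicationName();
                if (nativeIdentity == null || appName == null) continue;

                for (Link link : links) {
                    // Find the link that this account request targets
                    if (nativeIdentity.equals(link.getNativeIdentity()) && appName.equals(link.getApplicationName())) {
                        // Keep the request only when userType is 100; any other value is dropped
                        if (filterValue.equals(String.valueOf(link.getAttribute(typeAttributeName)))) {
                            newAccountRequests.add(accReq);
                        }
                        break;
                    }
                }
            }
        }
        plan.setAccountRequests(newAccountRequests);
        return plan;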

You have to, of course, pass plan as an argument and return it in the step so it goes back to the workflow context.

1 Like

Yes, it is working, but I noticed that the password interceptor workflow is triggered in any situation; the password is just not updated if userType does not match. Is this a valid scenario?
Below is my code to run based on UserType and exclude Workday.
Also, if wkType is false then we are not provisioning and we transition to the End state.

        import java.util.ArrayList;
        import java.util.List;
        import sailpoint.object.Identity;
        import sailpoint.object.Link;

        boolean wkType = false;
        List appList = new ArrayList();

        Identity identity = context.getObjectByName(Identity.class, identityName);
        log.error("Identity name is :" + identity);
        if (identity == null) {
            // Unknown identity: nothing to sync
            return appList;
        }

        // Null-safe comparison: employmentType may be unset
        String WorkerType = (String) identity.getAttribute("employmentType");
        log.error("WorkerType : " + WorkerType);
        if ("Associate".equalsIgnoreCase(WorkerType) || "Consultant".equalsIgnoreCase(WorkerType)) {
            log.error("Inside if loop :");
            wkType = true;
        }

        // Collect every linked application except Workday
        List applicationLinks = identity.getLinks();
        if (applicationLinks != null) {
            for (Link link : applicationLinks) {
                if (!"Workday".equalsIgnoreCase(link.getApplicationName())) {
                    appList.add(link.getApplicationName());
                }
            }
        }
        log.error("applist : " + appList);
        return appList;

That’s correct - I mean the workflow is triggered from the Password Interceptor service, so there’s really no way to avoid it. The only thing you can do here is to filter out accounts which you don’t want to sync.

1 Like

Yes, thank you so much.

1 Like
