Policy Violation for one role at a time for application. Getting error

Hi Team,

I am getting an error while creating an advanced policy for one role at a time for one of our apps. Please help here to get it resolved.

Below is the error screenshot.

Below is the piece of code written.

import sailpoint.object.Policy;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Identity;
import sailpoint.object.Entitlement;
import sailpoint.object.Filter;
import sailpoint.object.Application;
import sailpoint.object.QueryOptions;
import java.util.List;
import java.util.Iterator;
import java.util.ArrayList;
import java.util.Locale;
import sailpoint.object.Link;

// Returns the entitlements held on the identity's link for the given application.
// If the identity has several links on that application, the list from the last
// matching link is the one returned.
public List getIdentityEntitlements(Identity identity, String appName) {
    List applicationLinks = identity.getLinks();
    List entitlementList = new ArrayList();

    if (applicationLinks != null && applicationLinks.size() > 0) {
        for (Link link : applicationLinks) {
            if (appName.equals(link.getApplicationName())) {
                entitlementList = link.getEntitlements(Locale.getDefault(), "");
            }
        }
    }
    return entitlementList;
}

// True if a Link already exists in the database for this identity and application,
// i.e. the user already has an account there. 'context' is the SailPointContext
// argument passed to the rule.
public boolean isLinkPresent(String identityName, String appName) {
    boolean isLinkPresent = false;
    QueryOptions qo = new QueryOptions();

    qo.addFilter(Filter.eq("identity.name", identityName));
    qo.addFilter(Filter.eq("application.name", appName));
    Iterator itr = context.search(Link.class, qo);

    if (itr.hasNext()) {
        isLinkPresent = true;
    }
    return isLinkPresent;
}

// 'identity' is the in-flight identity handed to the rule (including the requested
// changes); the copy read back by name from the database is what is currently committed.
PolicyViolation policyViolation = null;
Identity expectedIdentity = identity;
Identity oldIdentity = context.getObjectByName(Identity.class, identity.getName());
String appName = "Asia Group Insurance System SLOCPI";

List expectedEnt = getIdentityEntitlements(expectedIdentity, appName);
List existingEnt = getIdentityEntitlements(oldIdentity, appName);   // computed but not used in the check below

boolean isViolation = false;
boolean isLinkPresent = isLinkPresent(identity.getName(), appName); // computed but not used in the check below

// Flag a violation when the in-flight identity holds more than one entitlement on the application.
if (expectedEnt != null && expectedEnt.size() > 1) {
    isViolation = true;
}

// if identity has more than the required entitlements then flag violation
if (isViolation) {
    policyViolation = new PolicyViolation();
    policyViolation.setActive(true);
    policyViolation.setIdentity(identity);
    policyViolation.setPolicy(policy);   // 'policy' is the Policy argument passed to the rule
    policyViolation.setStatus(sailpoint.object.PolicyViolation.Status.Open);
}

return policyViolation;

Errors got resolved, but the policy is not getting triggered. Please help.

Try adding some logging in the rule, which might give you an idea where it’s failing.

It is giving requested roles a "1" even though I requested 3.

Run Simulation will disable the rule, so whenever running it make sure to un-check the Disabled check box (deselect the Disabled check inside the Advanced Rule), make sure the policy state is "active", and in the Identity Refresh task make sure "Check active Policies" is checked.

This has been done already. I feel there is an issue with rule itself.

Hi All,

Looking for sample code/logic for an Advanced policy violation to restrict and throw a Policy Violation when a user is requesting more than 1 Entitlement during Account creation or Modification.

I am specifically looking for logic on how to retrieve a user's existing entitlements if an account already exists, and the newly requested entitlements, and throw a Policy Violation if more than 1 is being requested.

And also how to handle the logic for new users and existing users in the Policy Violation Rule.

Thanks in Advance.
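The question above asks how to separate what a user already holds from what is newly requested, and how new users fit in. The following is an added, stand-alone Java model of that decision (not code from the thread or from the IdentityIQ API): existing and requested entitlements are represented as sets of value strings, which inside the rule would be built from the stored identity's link (`context.getObjectByName`) and the in-flight `identity` respectively. It counts only values the stored account does not already hold, which differs from the rule above, where `expectedEnt.size() > 1` counts the total held; a new user, or an existing user with no link on the application yet, simply has an empty existing set. The limit of one new entitlement is an assumption taken from the question.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class EntitlementRequestCheck {

    // Assumed policy limit: at most one newly requested entitlement per request.
    static final int MAX_NEW_ENTITLEMENTS = 1;

    /**
     * Values present in the request but not on the stored account.
     * For a new user (no link yet) 'existing' is the empty set, so every
     * requested value counts as new.
     */
    static Set<String> newlyRequested(Set<String> existing, Set<String> requested) {
        Set<String> added = new HashSet<>(requested);
        added.removeAll(existing);   // drop values the account already holds
        return added;
    }

    /** True when the request would add more entitlements than the policy allows. */
    static boolean isViolation(Set<String> existing, Set<String> requested) {
        return newlyRequested(existing, requested).size() > MAX_NEW_ENTITLEMENTS;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real application data.
        Set<String> noAccount = new HashSet<>();
        Set<String> holdsGroupA = new HashSet<>(List.of("GroupA"));

        // Case 1: new user, no existing link, two entitlements in a single request.
        System.out.println("new user, two requested: "
                + isViolation(noAccount, new HashSet<>(List.of("GroupA", "GroupB"))));

        // Case 2: existing user already holds GroupA and asks for GroupB on top;
        // only one value is actually new.
        System.out.println("existing user, one new: "
                + isViolation(holdsGroupA, new HashSet<>(List.of("GroupA", "GroupB"))));

        // Case 3: existing user asks for two values the account does not hold yet.
        System.out.println("existing user, two new: "
                + isViolation(holdsGroupA, new HashSet<>(List.of("GroupB", "GroupC"))));
    }
}
```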