"Policy Violation Workflow" Sample

Which IIQ version are you inquiring about?

Version 8.4


Hi All,

I want a sample workflow which we can use for violation processing. I have seen that there is an example workflow in the config for this, but it mostly has placeholders.

Is there any sample workflow you have that can help with representing the violation in the work item and then expanding it to other actions?

Thanks

Here you can see an example from SERI, the Risk Policy Handler; it is generally used to start a certification when a violation happens.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow explicitTransitions="true" name="Risk Policy Handler" type="PolicyViolation">
  <Variable input="true" name="violator">
    <Description>The identity that has violated the policy</Description>
  </Variable>
  <Variable initializer="string:true" name="trace">
    <Description>
      Used for debugging this workflow and when set to true trace
      will be sent to stdout.
    </Description>
  </Variable>
  <Description>Workflow to initiate certification of an individual identity. The workflow is triggered by a Risk Policy rule.</Description>
  <RuleLibraries>
    <Reference class="sailpoint.object.Rule" name="Demo - Workflow RuleLibrary"/>
  </RuleLibraries>
  <Step icon="Start" name="Start" posX="49" posY="129">
    <Transition to="Generate Certification For High Risk User"/>
  </Step>
  <Step name="Generate Certification For High Risk User" posX="264" posY="129">
    <Description>Generate a certification for the user captured by the risk policy</Description>
    <Script>
      <Source>
        import java.util.ArrayList;
        import java.util.Date;
        import java.util.List;
        import org.apache.commons.logging.Log;
        import org.apache.commons.logging.LogFactory;
        import sailpoint.object.Identity;
        import sailpoint.object.PolicyViolation;
        import sailpoint.api.CertificationScheduler;
        import sailpoint.api.certification.CertificationSchedule;
        import sailpoint.web.certification.CertificationScheduleDTO;
        import sailpoint.object.CertificationDefinition;
        import sailpoint.object.TaskSchedule;
        import sailpoint.object.Certification;
        import sailpoint.tools.Util;

        Log serilog = LogFactory.getLog("SERI.Workflow.RiskPolicyHandler.GenCert");

        // Get the identity causing the violation (launcher is the workflow launcher, violator the input variable)
        Identity requestor = context.getObject(Identity.class, launcher);
        Identity identity = (Identity) context.getObject(Identity.class, violator);

        // Resolve the violator's manager, falling back to spadmin when none is set
        Identity manager;
        String managerId = identity.getAttribute("manager");
        if (null != managerId) {
          manager = (Identity) context.getObject(Identity.class, managerId);
        }
        else {
          manager = (Identity) context.getObject(Identity.class, "spadmin");
        }

        // Build and configure a certification schedule
        CertificationScheduler scheduler = new CertificationScheduler(context);
        CertificationSchedule schedule = scheduler.initializeScheduleBean(requestor, Certification.Type.Identity);
        schedule.setRunNow(true);

        // Build the certification definition
        CertificationDefinition definition = schedule.getDefinition();
        definition.setCertifierSelectionType(CertificationDefinition.CertifierSelectionType.Manual);

        // Set the cert names
        definition.setNameTemplate("Risk Review of " + identity.getDisplayName() + " for " + manager.getDisplayName());
        definition.setShortNameTemplate("Risk Review of " + identity.getDisplayName());
        definition.setName("Risk Review : " + identity.getDisplayName() + " [" + new Date().toString() + "]");

        // Set the behaviour
        definition.setProcessRevokesImmediately(true);
        definition.setAllowItemDelegation(true);
        definition.setIncludePolicyViolations(false);
        definition.setAutomaticClosingEnabled(true);
        definition.setAutomaticClosingSigner(manager);
        definition.setDisplayEntitlementDescriptions(true);
        definition.setAutomateSignoffPopup(true);
        definition.setElectronicSignatureRequired(true);
        definition.setElectronicSignatureName("RiskCertificationSigning");
        definition.setCertPageListItems(Util.atob("false"));

        // Set the target identity in the cert
        List identities = new ArrayList();
        identities.add(identity.getName());
        definition.setIdentitiesToCertify(identities);
        definition.setCertifierName(manager.getName());

        // Figure out the cert owner, falling back to spadmin when the group identity does not exist
        Identity certGroupOwner = context.getObjectByName(Identity.class, "IT Security");
        if (null == certGroupOwner) {
          certGroupOwner = context.getObjectByName(Identity.class, "spadmin");
        }

        definition.setCertificationOwner(certGroupOwner);
        definition.setCertificationNameTemplate("Risk-Initiated Access Review : " + identity.getDisplayName());

        // Schedule it
        TaskSchedule taskSchedule = scheduler.saveSchedule(schedule, false);

        // Log that risk cert was started
        serilog.debug("Risk Policy Handler Workflow: Cert initiated for identity " + identity.getDisplayName() + " manager " + manager.getDisplayName());
      </Source>
    </Script>
    <Transition to="end"/>
  </Step>
  <Step icon="Stop" name="end" posX="490" posY="128"/>
</Workflow>

Is there a way by which I can represent policy violation details like conflicting entitlement, owner etc. in the approval step?
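As an added example that is not part of the original thread or of the SERI workflow above, the fragment below shows one way to surface violation details in an approval: a script step reads the PolicyViolation into a Map, and an approval step renders those facts read-only in its form alongside a decision field. It assumes the workflow has a policyViolation input variable and an approverName variable and that variables listed in send are visible to form field scripts; the step names, Map keys and field names are constructed for illustration.

```xml
<!-- Constructed fragment for a PolicyViolation-type workflow. Assumes the workflow
     has "policyViolation" and "approverName" variables; other names are made up here. -->
<Step name="Summarize Violation" posX="150" posY="129" resultVariable="violationSummary">
  <Description>Collect the violation facts the approver needs into a Map.</Description>
  <Script>
    <Source>
      import java.util.HashMap;
      import java.util.Map;
      import sailpoint.object.Identity;
      import sailpoint.object.PolicyViolation;
      PolicyViolation pv = (PolicyViolation) policyViolation;
      Map summary = new HashMap();
      summary.put("policy", pv.getPolicyName());
      summary.put("constraint", pv.getConstraintName());
      summary.put("description", pv.getDescription());
      // SoD violations carry the two conflicting sides as CSV lists of role names
      summary.put("leftBundles", pv.getLeftBundles());
      summary.put("rightBundles", pv.getRightBundles());
      Identity owner = pv.getOwner();
      summary.put("owner", (owner != null) ? owner.getDisplayName() : "unassigned");
      return summary;
    </Source>
  </Script>
  <Transition to="Review Violation"/>
</Step>
<Step name="Review Violation" posX="300" posY="129">
  <Description>Show the summary read-only in the work item and capture a decision.</Description>
  <Approval mode="serial" owner="ref:approverName" send="violationSummary" return="reviewDecision">
    <Arg name="workItemDescription" value="string:Policy violation review"/>
    <Form>
      <Field displayName="Policy / Constraint" name="policy" readOnly="true" type="string">
        <Script><Source>return violationSummary.get("policy") + " / " + violationSummary.get("constraint");</Source></Script>
      </Field>
      <Field displayName="Conflicting roles" name="conflict" readOnly="true" type="string">
        <Script><Source>return violationSummary.get("leftBundles") + " vs " + violationSummary.get("rightBundles");</Source></Script>
      </Field>
      <Field displayName="Policy owner" name="owner" readOnly="true" type="string">
        <Script><Source>return violationSummary.get("owner");</Source></Script>
      </Field>
      <Field displayName="Decision" name="reviewDecision" required="true" type="string">
        <AllowedValues><String>Remediate</String><String>Allow exception</String></AllowedValues>
      </Field>
      <Button action="next" label="Submit"/>
    </Form>
  </Approval>
  <Transition to="end"/>
</Step>
```

The value returned in reviewDecision can then drive the transitions that follow (for example, into a remediation step or an exception-recording step).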
