Can you pull the project or plan into a policy violation rule? Looking at the workflow "Workflow Identity Request Initialize", I can see Check Policies and its arguments there. When creating a rule of type Policy, I can't seem to reference project or plan. I see the typical context, identity, policy, constraint. I'm trying to create a policy that checks whether an entitlement is elevated and also has a sunset date applied; if not, throw a policy violation. Getting the elevated part is simple enough, but getting the sunset date needs a project or plan to drill down into.
Hi, welcome to the SailPoint Developer Community. For your use case I have a rule: you can build an advanced policy for this, and under policy rules you can select the rule and then try the rule as below:
```java
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import java.util.Iterator;
import java.util.Date;

// Configuration
String elevatedMarker = "elevated"; // Can be a tag in entitlement name or application attribute
boolean missingSunset = false;
String violationDetails = "";
String identityName = identity.getName();

log.error("=== [Policy Rule] Checking elevated entitlements for identity: " + identityName);

// Search all IdentityEntitlements for this identity
Filter filter = Filter.eq("identity.name", identityName);
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);
Iterator it = context.search(IdentityEntitlement.class, qo);

while (it.hasNext()) {
    IdentityEntitlement entitlement = (IdentityEntitlement) it.next();
    String entitlementName = entitlement.getName();
    String entitlementDisplay = entitlement.getDisplayName();
    Object value = entitlement.getValue();

    // Check if the entitlement is "elevated" (marker in display name or attribute name)
    boolean isElevated = false;
    if (entitlementDisplay != null && entitlementDisplay.toLowerCase().contains(elevatedMarker)) {
        isElevated = true;
    } else if (entitlementName != null && entitlementName.toLowerCase().contains(elevatedMarker)) {
        isElevated = true;
    }

    if (isElevated) {
        log.error(">>> Found elevated entitlement: " + entitlementDisplay);
        // Elevated access must carry a sunset date; record every one that does not
        Date sunset = entitlement.getSunset();
        if (sunset == null) {
            log.error(">>> Missing sunset date for entitlement: " + entitlementDisplay);
            missingSunset = true;
            violationDetails += "Missing sunset on: " + entitlementDisplay + "\n";
        } else {
            log.error(">>> Sunset date is set for entitlement: " + entitlementDisplay + " = " + sunset);
        }
    }
}

if (missingSunset) {
    log.error(">>> Policy violation: Elevated access without sunset.");
    PolicyViolation violation = new PolicyViolation();
    violation.setIdentity(identity);
    violation.setPolicy(policy);
    violation.setConstraint(constraint);
    violation.setStatus(PolicyViolation.Status.Open);
    violation.setActive(true);
    violation.setDescription("User has elevated access without a sunset date.\n" + violationDetails);

    // Set violation owner: the identity's manager, falling back to spadmin
    if (identity.getManager() != null) {
        violation.setOwner(identity.getManager());
    } else {
        violation.setOwner(context.getObjectByName(Identity.class, "spadmin")); // fallback
    }

    Date now = new Date();
    violation.setName("Elevated Entitlement Without Sunset - " + now.toString());
    return violation;
}

log.error(">>> No elevated entitlements without sunset. Compliant.");
return null;
```
Fine-tune it according to your requirement.