ResourceObjectSelector Rule Filter is Not Working

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

I am trying to filter out some entitlements from being requestable within Manage User Access. I have written a rule that is returning a filter that, from what I understand, will give the list of entitlements that can be requested for the given Requestee.

Here is the rule:

      import sailpoint.api.ScopeService;
      import sailpoint.object.Identity;
      import sailpoint.object.Filter;
      import sailpoint.object.Scope;
      import sailpoint.object.QueryOptions;
      import sailpoint.object.QueryInfo;

      ScopeService scopeService = new ScopeService(context);
      QueryInfo scopeQueryInfo;

      if (requestee == null) {
          scopeQueryInfo = new QueryInfo(new QueryOptions());
      } else {
          scopeQueryInfo = scopeService.getAssignedScopeQueryInfo(requestee);
      }
      
      Filter filter = Filter.and(scopeQueryInfo.getFilter(), Filter.not(Filter.contains("value", "_users")));

      return filter;

I am printing the filter and it looks like this:

((assignedScopePath.startsWith("8a89e84b665534a40166553acb8600dc") || assignedScopePath.isNull()) && !(value.contains("_users")))

However, the filter doesn’t do anything. All entitlements with “_users” in them are still returned and are requestable.

Am I missing something obvious on this one?

Thanks,
Vic

Check below sample code for your reference .

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Vishal_Rule_Access_Request_EveryoneEntitlementsOwner" type="RequestObjectSelector">
  <Description>Request Object Selector Rules are used by the Life Cycle Manager to determine the Objects that can be requested by a given user on a given population.  For bulk request this rule is run twice.  The first time the result determines which applications are shown to the requestor.  The second time the result determines whether or not the specified requestee has access to the object.  On the first execution the requestee is always null, so the rule needs to expect and handle that case in order to be usable for bulk requests.
  </Description>
  <Signature returnType="sailpoint.object.QueryInfo">
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="requestor" type="sailpoint.object.Identity">
        <Description>
          Identity that is making the Life Cycle Manager request.
        </Description>
      </Argument>
      <Argument name="requestee" type="sailpoint.object.Identity">
        <Description>
          Identity on whose behalf the Life Cycle Manager request is being made.  In the case of bulk requests,
          this argument will be set to null when determining the roles that are visible to the requestor.
          It will be provided once a selection has been made in order to determine whether or not the given requestee
          should have access to the selected role.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="filter">
        <Description>
          A Filter object that will be used to search for accessible request objects.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
import sailpoint.object.QueryInfo; 
import sailpoint.object.Filter; 
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Custom;
import org.apache.log4j.Logger;


		 Custom custObj=context.getObjectByName(Custom.class,"Vishal Custom Common");
		 List&lt;Filter> filters = new ArrayList&lt;Filter>();
		 if(custObj != null){
			 List&lt;String> owners = (List) custObj.get("Access Request Everyone Owner");
       		 if(owners != null){
        	   for(String owner :owners) {
               filters.add(Filter.like("owner.name", owner , Filter.MatchMode.START));
        	   }
        	   if(filters!=null &amp;&amp; filters.size()>0) {
               Filter entFilter = Filter.or(filters);
               QueryInfo finalQueryInfo = new QueryInfo(entFilter, false);
               return finalQueryInfo;
        	   }
        	}
		 }

</Source>
</Rule>
     <entry key="Access Request Everyone Owner">
        <value>
          <List>
            <String>vkejriwal_Business_App_Owner</String>
            <String>vkejriwal1_Business_App_Owner</String>
            <String>vkejriwal2_Business_App_Owner</String>
            <String>ActiveDirectory_EndUser_</String>
          </List>
        </value>
      </entry>

@vic_rinkenberger

Is your requirement any entitlements ending with _users shouldn’t be requested by anyone at all?

Hi @iamksatish

My requirement is a bit more complicated, but the rule that I posted is what I’m trying to do. I am planning on checking the identity type and then adding the filter as needed, but yes, I am simply trying to stop all entitlements containing “_users” from showing up in the Manage User Access view. I would like to check the value of the entitlements so that I can look at the full DN of LDAP and AD groups.

Thanks,
Vic

Anyone else have any thoughts on this one? I still don’t have a solution for this issue.

Thanks,
Vic

Try the below role for EveryOne Population and make sure other workgroups or population providing the access

import sailpoint.api.ScopeService;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.Scope;
import sailpoint.object.QueryOptions;
import sailpoint.object.QueryInfo;

import sailpoint.object.Filter;
import sailpoint.object.QueryInfo;

  Filter filter = Filter.like("value", "_users",Filter.MatchMode.START);




return new QueryInfo(filter, false);

Try the below Rule for EveryOne Population and make sure other workgroups or population providing the access

import sailpoint.api.ScopeService;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.Scope;
import sailpoint.object.QueryOptions;
import sailpoint.object.QueryInfo;

import sailpoint.object.Filter;
import sailpoint.object.QueryInfo;

  Filter filter = Filter.like("value", "_users",Filter.MatchMode.START);




return new QueryInfo(filter, false);

@iamksatish

Thanks for the reply. Your filter does work, for values that start with a certain string, but I need to do something like this so that I can search an entire DN for _users.

Filter filter = Filter.like(“value”, “_users”, Filter.MatchMode.ANYWHERE);

Imaging that a bunch of entitlements have values like this:

cn=server1_users,ou=servers,o=company
cn=server2_users,ou=servers,o=company
cn=serverN_users,ou=servers,o=company

It tried the ANYWHERE matchmode, but nothing is ever returned.

Any idea how to make ANYWHERE (or rather, “contains”) work?

Thanks!
Vic

Ideally this should work unless you have any case difference within DNs and the Filter _users you are using, are you sure both are same case

Here is the solution I came up with, with a little help from Expert Services:

  import sailpoint.api.ScopeService;
  import sailpoint.object.Identity;
  import sailpoint.object.Scope;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.QueryInfo;
  import sailpoint.object.Filter;
  import sailpoint.object.Filter.CompositeFilter;

  ScopeService scopeService = new ScopeService(context);
  QueryInfo scopeQueryInfo;

  /*------------------------------------------------------------
     This rule runs at least two times during an access request.
     It runs once when the Entitlements view is shown. 
     On that run, requestee is null if more than one Identity was chosen.
     When at entitlement is selected, the rule runs again, once for each identity.
     During that run, requestee is equal to each identity as it loops through them.
     The rule then determines which identities are allowed to have which entitlements requested for them.
  ------------------------------------------------------------*/

  if (requestee != null) {
    boolean isRotationalAccount = isRotationalAccount(requestee);

    // add a filter for certain account types that excludes certain groups from being requestable
    if (isRotationalAccount) {
      QueryOptions qo = new QueryOptions();
      QueryInfo qi = scopeService.getAssignedScopeQueryInfo(requestee);
      qo.addFilter(Filter.ignoreCase(Filter.not(Filter.like("value", "_admins,ou=unix", Filter.MatchMode.ANYWHERE))));
      qo.addFilter(Filter.ignoreCase(Filter.not(Filter.like("value", "_users,ou=unix", Filter.MatchMode.ANYWHERE))));
      qo.addFilter(qi.getFilter());
      scopeQueryInfo = new QueryInfo(qo);
    }
  // if more than one identity is being requested for, the requestee will be null
  } else if (requestee == null) {
    scopeQueryInfo = new QueryInfo(new QueryOptions());
  }

  return scopeQueryInfo;