Rule - Filter users by entitlement

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Hello

I am trying to create a rule that gives me the identities that have the entitlement “XY” of an application.

I have this, but it's not working. I don't get any results.

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement.AggregationState;
import sailpoint.object.QueryOptions;

// Match IdentityEntitlement rows for the given application, attribute name and value
Filter filterEntitlement = Filter.and(Filter.eq("application.name", appAD),
                                      Filter.eq("name", "memberOf"),
                                      Filter.eq("aggregationState", AggregationState.Connected),
                                      Filter.eq("value", "XY"));

// Identities whose identityEntitlements collection contains a matching row
Filter filter = Filter.collectionCondition("identityEntitlements", filterEntitlement);
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);

List ids = context.getObjects(Identity.class, qo);

This is an example of how the filter should look:

<Filter operation="COLLECTION_CONDITION" property="identityEntitlements">
  <CollectionCondition>
    <CompositeFilter operation="AND">
      <CompositeFilter operation="AND">
        <Filter operation="EQ" property="application.name" value="Active Directory"/>
        <Filter operation="EQ" property="name" value="memberOf"/>
        <Filter operation="EQ" property="value" value="CN=AccountsPayable,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"/>
      </CompositeFilter>
    </CompositeFilter>
  </CollectionCondition>
</Filter>

The easiest way to generate it is to click through the population of identities you need in Advanced Analytics, then save it as a population; you can then always refer to it in your Beanshell rules.

1 Like

QueryOptions qo = new QueryOptions();
qo.setCloneResults(true);
qo.addFilter(Filter.eq("value", "<Entitlement value>"));
qo.addFilter(Filter.eq("application.name", "<AppName>"));
// Projection query: only the identity name column is fetched for each matching IdentityEntitlement
Iterator itr = context.search(IdentityEntitlement.class, qo, "identity.name");
List memberName = new ArrayList();
while (itr.hasNext()) {
    Object[] obj = (Object[]) itr.next();
    memberName.add(obj[0]);
}
System.out.println(memberName);

Hi and hello,

Here is a revised version of your query with some of these suggestions:

String applicationName = "appAD"; // Make sure this is set correctly to your application's name
String entitlementValue = "XY";
String entitlementName = "memberOf";

// Constructing the filter for querying entitlements
Filter filterEntitlement = Filter.and(
    Filter.eq("application.name", applicationName),
    Filter.eq("name", entitlementName),
    Filter.eq("aggregationState", AggregationState.Connected),
    Filter.eq("value", entitlementValue)
);

// Using the correct attribute name for the collection condition
Filter filter = Filter.collectionCondition("entitlements", filterEntitlement);

// Preparing the query options
QueryOptions qo = new QueryOptions();
qo.addFilter(filter);

// Execute the query
List identities = context.getObjects(Identity.class, qo);

// Check the size of the result to confirm if identities are found
if (identities.isEmpty()) {
    System.out.println("No identities found with the specified entitlement.");
} else {
    for (Identity identity : identities) {
        System.out.println("Found identity: " + identity.getName());
    }
}

Regards,
Adam

3 Likes

Hello guys,
Thank you all; based on your answers I built my query/rule.
I already have the users and the information of the users' accounts (appAD).
But based on this, how can I change the users' OU?
Basically, all users caught by this rule I want to move to OU = Users, so the distinguished names will be something like CN = YYY, OU = Users instead of CN = YYY, OU = OLD_OU.

Can you help me?

@RIsidoro
If you already have the users' AD DNs, please use the code below in the rule and perform the movement of the accounts.
Iterate through your AD link objects and do the following:

import sailpoint.api.Provisioner;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

for (Link activeDirectoryLink : adLinks) {
    ProvisioningPlan plan = new ProvisioningPlan();

    // Modify the existing AD account rather than creating a new one
    AccountRequest acct = new AccountRequest();
    acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
    acct.setApplication("<give your AD App Name>");
    acct.setNativeIdentity(activeDirectoryLink.getNativeIdentity());

    // AC_NewParent tells the AD connector to move the object under the given OU
    acct.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, "<Give your new complete OU>"));
    plan.add(acct);

    try {
        Provisioner provisioner = new Provisioner(context);
        ProvisioningProject project = provisioner.compile(plan);
        provisioner.execute(project);
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}

For testing I am doing this:

String newOU = "OU=Teste,OU=Utilizadores";
String nativeId = "CN=XYZ,OU=OLD";

ProvisioningPlan plan = new ProvisioningPlan();

AccountRequest acct = new AccountRequest();
acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
acct.setApplication("APP_AD");
//acct.setNativeIdentity(activeDirectoryLink.getNativeIdentity());
acct.setNativeIdentity(nativeId);
acct.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOU));
plan.add(acct);

log.debug(newOU);
log.debug(nativeId);
log.debug(plan);

try {
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
    log.debug("Teste1");
} catch (Exception e) {
    System.out.println(e.getMessage());
    log.debug(e.getMessage());
    log.debug("Teste2");
}

I am getting some errors: “Missing identity”.
Might it be something wrong in the code or in the AD connection?

My bad,

Please set the Identity object.

Get your Identity object and set it on the plan:

plan.setIdentity(identityObj);

Hello

String newOU = "OU=Teste,OU=Utilizadores";
String nativeId = "CN=XYZ,OU=OLD";

//NEW LINE
idobj = "sailpoint.object.Identity@123[id=123,name=XYZ]";

ProvisioningPlan plan = new ProvisioningPlan();

AccountRequest acct = new AccountRequest();
acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
acct.setApplication("APP_AD");
//acct.setNativeIdentity(activeDirectoryLink.getNativeIdentity());
acct.setNativeIdentity(nativeId);

//NEW LINE
plan.setIdentity(idobj);

acct.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOU));
plan.add(acct);

log.debug(newOU);
log.debug(nativeId);
log.debug(plan);

try {
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
    log.debug("Teste1");
} catch (Exception e) {
    System.out.println(e.getMessage());
    log.debug(e.getMessage());
    log.debug("Teste2");
}

Do you mean something like this?

String newOU = "OU=Teste,OU=Utilizadores,DC=Company,DC=com";
String nativeId = "CN=XYZ,OU=OLD,DC=Company,DC=com";

//NEW LINE
Identity idobj = context.getObjectByName(Identity.class, "<yourIdentityName>");

ProvisioningPlan plan = new ProvisioningPlan();

AccountRequest acct = new AccountRequest();
acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
acct.setApplication("APP_AD");
//acct.setNativeIdentity(activeDirectoryLink.getNativeIdentity());
acct.setNativeIdentity(nativeId);

//NEW LINE
plan.setIdentity(idobj);

acct.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOU));
plan.add(acct);

log.debug(newOU);
log.debug(nativeId);
log.debug(plan);

try {
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
    log.debug("Teste1");
} catch (Exception e) {
    System.out.println(e.getMessage());
    log.debug(e.getMessage());
    log.debug("Teste2");
}

Yes, slightly modified to make it more clear.
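As an added example that is not from any post in this thread, here is how the two halves of the discussion fit together in one Beanshell rule: the projection query from the earlier reply finds the identities holding the entitlement, and for each of them a plan with plan.setIdentity() moves only those AD accounts that are still under the old OU. The application name, entitlement value, OU values, the oldOuSuffix guard and the dryRun flag are assumptions for illustration.

```java
import sailpoint.api.Provisioner;
import sailpoint.object.*;

// Assumed values (replace with your own): AD application name, entitlement value, old and new OU.
String appName = "APP_AD";
String entitlementValue = "XY";
String oldOuSuffix = ",OU=OLD,DC=Company,DC=com";   // only accounts still under this OU are moved
String newOu = "OU=Teste,OU=Utilizadores,DC=Company,DC=com";
boolean dryRun = true;                              // compile and log only until set to false

// 1. Projection query: names of identities holding the entitlement (no Identity objects loaded yet)
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.addFilter(Filter.eq("name", "memberOf"));
qo.addFilter(Filter.eq("value", entitlementValue));
List names = new ArrayList();
Iterator itr = context.search(IdentityEntitlement.class, qo, "identity.name");
while (itr.hasNext()) {
    Object[] row = (Object[]) itr.next();
    if (!names.contains(row[0])) names.add(row[0]);   // one identity may hold several accounts
}

// 2. One plan per identity; plan.setIdentity() is what the "Missing identity" error was about
for (Object n : names) {
    Identity identity = context.getObjectByName(Identity.class, (String) n);
    if (identity == null) continue;
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    for (Link link : identity.getLinks()) {
        String dn = link.getNativeIdentity();
        // Skip links of other applications and accounts that are not in the old OU any more
        if (!appName.equals(link.getApplicationName()) || dn == null
                || !dn.toUpperCase().endsWith(oldOuSuffix.toUpperCase())) continue;
        ProvisioningPlan.AccountRequest acct = new ProvisioningPlan.AccountRequest();
        acct.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);
        acct.setApplication(appName);
        acct.setNativeIdentity(dn);
        // AC_NewParent asks the AD connector to move the object under newOu
        acct.add(new ProvisioningPlan.AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOu));
        plan.add(acct);
    }
    if (plan.getAccountRequests() == null || plan.getAccountRequests().isEmpty()) continue;
    log.debug("Move plan for " + identity.getName() + ": " + plan.toXml());
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    if (!dryRun) provisioner.execute(project);
}
```

Run it once with dryRun left at true and read the logged plans before letting it execute anything.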
