I have a requirement where the entitlement owner has to be updated by getting the value from AD; in the AD application, the owner information is stored in the ManagedBy attribute.
I configured the managedBy attribute in the attribute schema of the application configuration and am able to read that information.
Now, how can I configure or set that managedBy information as the entitlement owner inside SailPoint,
so that whenever the managedBy value changes in the future and a user requests that entitlement inside SailPoint, the request goes for approval with the updated managedBy information?

You can configure the AccountGroup owner using the accountGroupRefreshRule.
To achieve this, include the accountGroupRefreshRule in the Active Directory (AD) group aggregation task.
This rule should contain the logic to update the entitlement owner based on the value of the managedBy attribute in AD.
Please refer to the rule.

Thanks for sharing the input,
it is a great help to me.
Also, thanks for sharing the sample code.
As for my use case, the user ID was read from the CN,
so I modified that code a bit.
Sharing it here for others' reference.

    import sailpoint.object.Identity;
    import sailpoint.object.Group;

    if (accountGroup != null) {
        String fallBackOwner = "spadmin"; // CHANGE THIS
        String managedBy = accountGroup.getAttribute("managedBy");

        if (managedBy != null) {
            // Extract CN from DN: e.g. "CN=John.Doe,OU=IT,..."
            // Simple split: assumes the CN itself contains no escaped comma.
            String cn = null;
            try {
                if (managedBy.startsWith("CN=")) {
                    // Limit of 2 keeps any '=' inside the value intact
                    cn = managedBy.split(",")[0].split("=", 2)[1]; // Extract "John.Doe"
                } else {
                    cn = managedBy; // Not in DN format, use as-is
                }
            } catch (Exception e) {
                log.error("Error parsing managedBy DN: " + managedBy, e);
            }

            if (cn != null) {
                // Identity name in SailPoint is expected to match the AD CN
                Identity managedByIdentity = context.getObjectByName(Identity.class, cn);
                if (managedByIdentity != null) {
                    accountGroup.setOwner(managedByIdentity);
                } else {
                    log.warn("Identity not found by CN: " + cn + " — using fallback owner");
                    Identity fallbackIdentity = context.getObjectByName(Identity.class, fallBackOwner);
                    if (fallbackIdentity != null) {
                        accountGroup.setOwner(fallbackIdentity);
                    }
                }
            }
        } else {
            // No managedBy on the AD group: assign the fallback owner
            log.warn("ManagedBy is null, using fallback owner");
            Identity fallbackIdentity = context.getObjectByName(Identity.class, fallBackOwner);
            if (fallbackIdentity != null) {
                accountGroup.setOwner(fallbackIdentity);
            }
        }
    }
    return accountGroup;

I am using the above code to update the entitlement owner for the AD application groups.
It reads the managedBy user information from AD, as in SailPoint the user's display name/username is configured to be the same as the CN.
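
An added example, not part of the posts above and not SailPoint code: because the entitlement owner decides who approves access requests, a CN that is parsed incorrectly from managedBy quietly routes approvals to the fallback owner. This stand-alone Java sketch extracts the CN with the JDK's `javax.naming.ldap.LdapName`, which handles escaped commas and lower-case `cn=`; the class name `ManagedByCn`, the method `extractCn` and the sample DNs are constructed for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class ManagedByCn {

    /**
     * Returns the CN held in the leaf RDN of a managedBy DN, the trimmed
     * input when it is not in DN format, or null when no CN can be derived.
     */
    static String extractCn(String managedBy) {
        if (managedBy == null || managedBy.trim().isEmpty()) {
            return null;
        }
        String value = managedBy.trim();
        if (!value.contains("=")) {
            return value; // not a DN, use as-is (same choice as the rule above)
        }
        try {
            LdapName dn = new LdapName(value);
            if (dn.isEmpty()) {
                return null;
            }
            // LdapName indexes RDNs right to left, so the leaf is the last index
            Rdn leaf = dn.getRdn(dn.size() - 1);
            if ("CN".equalsIgnoreCase(leaf.getType()) && leaf.getValue() instanceof String) {
                return (String) leaf.getValue(); // value is returned unescaped
            }
            return null; // leaf RDN is not a CN: let the caller fall back
        } catch (InvalidNameException e) {
            return null; // malformed DN: let the caller fall back and log it
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real directory
        String[] samples = {
            "CN=John.Doe,OU=IT,DC=example,DC=com",
            "cn=john.doe,OU=IT,DC=example,DC=com",
            "CN=Doe\\, John,OU=IT,DC=example,DC=com",
            "OU=IT,DC=example,DC=com",
            "John.Doe"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + extractCn(s));
        }
    }
}
```

In a refresh rule, a null result would take the same fallback-owner branch the posted code uses when the identity is not found.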