Share all details about your problem, including any error messages you may have received.
How do we aggregate only directly assigned roles to the users in SAP-Direct connector?
“COL_FLAG” attribute from the table AGR_USERS (Refer image attached) determines the assignment of roles to the users. Hence just want to aggregate the COL_FLAG value which is blank (directly assigned).
If COL_FLAG=X, it is indirectly assigned (which we need to ignore for aggregation)
Use BeforeAggregation Rule to achieve the requirement.
Rule Logic:
If COL_FLAG is ‘X’ (or not blank/empty), you will return null or an empty object from the rule. This signals to IdentityIQ that this specific role assignment record should be ignored and not aggregated.
If COL_FLAG is blank (direct assignment), you will return the original object, allowing it to be processed and aggregated.
Example BeforeAggregation Rule :
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="SAP Direct BeforeAggregation - Filter Indirect Roles - COL_FLAG" type="BeforeAggregation">
<Description>
This rule filters out indirectly assigned roles from SAP during aggregation based on the COL_FLAG attribute
from the AGR_USERS table.
If COL_FLAG is 'X', the role assignment is ignored.
</Description>
<Source>
<![CDATA[
import org.apache.log4j.Logger;
import java.util.Map;
import sailpoint.object.ResourceObject; // For group aggregation, 'object' might be a ResourceObject or a Map
Logger log = Logger.getLogger("sailpoint.connector.SAPDirectBeforeAggregationRule");
// The 'object' variable holds the raw data for the current record being processed.
// For group/role aggregation in SAP Direct Connector, this is typically a Map
// containing the attributes of the role assignment.
// If it's an IdentityIQ ResourceObject for accounts, you'd access attributes differently.
if (object != null) {
String colFlag = null;
// Attempt to get COL_FLAG, handling potential case variations of the attribute name
// Check for "COL_FLAG" first (common if schema attribute name matches DB column)
if (object.containsKey("COL_FLAG")) {
colFlag = (String) object.get("COL_FLAG");
} else if (object.containsKey("colFlag")) { // Also check for camelCase
colFlag = (String) object.get("colFlag");
}
// You might add more checks if your schema mapping uses a very different name.
// Trim any whitespace from the COL_FLAG value for accurate comparison
if (colFlag != null) {
colFlag = colFlag.trim();
}
// Check if COL_FLAG is 'X' (case-insensitive) or contains 'X'
if (colFlag != null && colFlag.equalsIgnoreCase("X")) {
String userName = (String) object.get("UNAME"); // As per your screenshot
String roleName = (String) object.get("AGR_NAME"); // As per your screenshot
log.debug("Skipping indirectly assigned role for user [" + (userName != null ? userName : "N/A") +
"] and role [" + (roleName != null ? roleName : "N/A") + "] due to COL_FLAG = 'X'.");
return null; // Returning null instructs IdentityIQ to skip this record
} else {
// If COL_FLAG is blank or not 'X', it's a direct assignment.
// Log and return the object to allow it to be aggregated.
String userName = (String) object.get("UNAME");
String roleName = (String) object.get("AGR_NAME");
log.debug("Aggregating directly assigned role for user [" + (userName != null ? userName : "N/A") +
"] and role [" + (roleName != null ? roleName : "N/A") + "]. COL_FLAG value: '" + (colFlag != null ? colFlag : "<blank>") + "'");
return object; // Return the original object to process it
}
}
// If for some reason the object is null (shouldn't happen for valid records),
// or if the COL_FLAG attribute is not found, return the object to avoid issues,
// though typically you'd want to ensure COL_FLAG is present for this logic.
return object;
]]>
</Source>
</Rule>
