Hi All,
This is one of the problems we may face when dealing with groups in AD.
If only the letter case of an AD group name is changed (lowercase to uppercase or vice versa), the name is not updated in the entitlement catalog after aggregation.
The ‘Display Value’ in the catalog has to be updated manually, and the ‘Value’ still holds the old name.
This is one way to address it: handle the rename explicitly by writing logic that detects the change and updates the entitlement in IIQ accordingly. The group refresh rule of the group aggregation task is a suitable place for that logic; you can use the code below.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Rule-ActiveDirectory-GroupAggregationRefresh" type="GroupAggregationRefresh">
<Description>This rule is used to set the owner or modify the account group before it is persisted to the database.</Description>
<Signature returnType="Object">
<Inputs>
<Argument name="log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="environment" type="Map">
<Description>
Arguments passed to the aggregation task.
</Description>
</Argument>
<Argument name="obj" type="ResourceObject">
<Description>
A sailpoint.object.ResourceObject generated from the application
and the ProvisioningPlan's ObjectRequest.
</Description>
</Argument>
<Argument name="accountGroup" type="ManagedAttribute">
<Description>
The account group being refreshed.
</Description>
</Argument>
<Argument name="groupApplication" type="Application">
<Description>
Application being aggregated.
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="accountGroup" type="ManagedAttribute">
<Description>
The refreshed account group object.
</Description>
</Argument>
</Returns>
</Signature>
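<Source><![CDATA[import sailpoint.object.*;
import java.util.*;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;

// GroupAggregationRefresh rule: when the AD group's identity (the DN returned by
// obj.getIdentity()) or its display name differs from what IIQ already holds on
// the ManagedAttribute (e.g. only the letter case of the name changed), copy the
// values from the ResourceObject onto the ManagedAttribute so the entitlement
// catalog reflects the rename after aggregation.
//
// Inputs : log, context, environment, obj (ResourceObject),
//          accountGroup (ManagedAttribute), groupApplication (Application)
// Returns: accountGroup, updated in place when a change was detected; a null
//          accountGroup is returned unchanged.

log.debug("Entering into Rule-ActiveDirectory-GroupAggregationRefresh");

//============= For Reflecting Group update in IIQ =============
if (null != accountGroup && null != obj) {
    // toXml() serialises the whole object (all group attributes) into the log;
    // it is costly and with string concatenation would run even when debug is
    // off, so only build the dump when debug output is actually enabled.
    if (log.isDebugEnabled()) {
        log.debug("ManagedAttribute object value : " + accountGroup.toXml());
        log.debug("ResourceObject object value : " + obj.toXml());
    }

    // Current state in IIQ.
    String maEntValue = accountGroup.getValue();
    String maDisplayName = accountGroup.getDisplayName();
    // State just read from AD.
    String objDNValue = obj.getIdentity();
    String objDisplayName = obj.getDisplayName();
    String objsAMAccountName = obj.getAttributes().getString("sAMAccountName");
    String objDescription = obj.getAttributes().getString("description");

    if (null != objDNValue && null != maEntValue && null != objDisplayName && null != maDisplayName) {
        // String.equals is case-sensitive, so a rename that only changes the
        // letter case is detected here.
        boolean valueChanged = !maEntValue.equals(objDNValue);
        boolean displayNameChanged = !objDisplayName.equals(maDisplayName);

        if (valueChanged || displayNameChanged) {
            log.debug("Both values are not equal");
            accountGroup.setValue(objDNValue);
            // NOTE(review): the comparison uses obj.getDisplayName() but the value
            // written is sAMAccountName — confirm both map to the same AD attribute
            // in this application's schema.
            accountGroup.setDisplayName(objsAMAccountName);
            // Only replace the descriptions when AD supplies one; an en_US entry
            // with a null value would wipe the description already held in IIQ.
            if (null != objDescription) {
                Map attMap = new HashMap();
                attMap.put("en_US", objDescription);
                accountGroup.setDescriptions(attMap);
            }
            log.debug("Both values are not equal, so setting updated value");
        } else {
            log.debug("Both values are equal");
        }
    } else {
        log.debug("One of maEntValue, maDisplayName, objDNValue or objDisplayName is null");
    }
}

log.debug("Exit from Rule-ActiveDirectory-GroupAggregationRefresh");
return accountGroup;]]></Source>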
</Rule>