I have to create one serviceaccount OU in AD, in which the service accounts will be present, and we have to create one attribute, isServiceAccount (or any name), and use a flag so that if the account belongs to this serviceaccount OU the attribute value is shown as true, else false.
Can anyone tell me which approach I have to follow, with a step-wise solution and the required code?
Hi Shubhangani,
- Add a schema attribute “isServiceAccount” to your AD schema.
- In your AD application, in the “Rules” tab, look for “Schema rules”, and add an account customization rule.
- The rule would check for the service account OU and add “isServiceAccount” = true to the resource object.
The service accounts in AD are special accounts, and you can detect those accounts by checking the type, the UAC or the ServicePrincipalName.
Depending on how you want to do it, you don't need to create an attribute in AD or in IIQ; you can read those attributes directly, or you can create an account attribute in IIQ with a rule to simplify your process.
There you can find the doc.
Can you check this rule:
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import java.util.Map;
import org.apache.log4j.Logger;

public class ServiceAccountFlagRule {
    public static void execute(SailPointContext context, Identity identity, Link link, Application application) {
        Logger log = Logger.getLogger("ServiceAccountFlagRule");
        String attributeName = "isServiceAccount";
        if (identity.getAttribute(attributeName) == null) {
            identity.setAttribute(attributeName, "false"); // Default value
        }
        String dn = link.getNativeIdentity();
        log.info("DN for " + identity.getName() + ": " + dn);
        boolean isServiceAccount = dn != null && dn.toLowerCase().contains("ou=serviceaccounts");
        identity.setAttribute(attributeName, isServiceAccount ? "true" : "false");
        log.error("Set isServiceAccount flag for " + identity.getName() + " as " + isServiceAccount);
    }
}
Error:
Exception during aggregation. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: class java.lang.Class cannot be cast to class sailpoint.object.ResourceObject (java.lang.Class is in module java.base of loader 'bootstrap'; sailpoint.object.ResourceObject is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @56ace400)
I'm getting this error for this rule.
Hi Subhangani,
This will be a “ResourceObjectCustomization” rule. At this stage the account attributes are in a ResourceObject, not a Link or Identity. Give this rule a try:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Service Account Flag" type="ResourceObjectCustomization">
  <Description>Build the isServiceAccount attribute.</Description>
  <Signature returnType="ResourceObject">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="object">
        <Description>
          The ResourceObject built by the connector.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          Application that references the connector.
        </Description>
      </Argument>
      <Argument name="connector">
        <Description>
          The connector object.
        </Description>
      </Argument>
      <Argument name="state">
        <Description>
          A Map containing state information.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="resourceObject">
        <Description>
          The updated resource object.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
    // 'log' is supplied as a rule input, so no Logger import or declaration is needed here.
    String isServiceAccount = "false";
    String dn = object.getIdentity(); // account distinguished name (the native identity)
    if (dn != null && dn.toLowerCase().contains("ou=serviceaccounts")) {
      isServiceAccount = "true";
    }
    object.setAttribute("isServiceAccount", isServiceAccount);
    log.info("Set isServiceAccount flag for " + dn + " as " + isServiceAccount);
    return object;
  </Source>
</Rule>
Note that if you are adding the rule with the editor on the Edit Application → Rules page, then you just need to insert the code inside the Source tag.
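As an added example that is not part of this thread or of IdentityIQ itself, the helper below tightens the OU test used in the rule above (a substring match on "ou=serviceaccounts" also accepts an OU such as "ServiceAccounts-Old", or one of that name under another parent) and adds the servicePrincipalName and userAccountControl signals mentioned earlier in the thread. The OU DN, the attribute names as map keys and the idea of calling it from Beanshell with object.getIdentity() and object.getAttributes() are assumptions; the "password never expires" bit is a heuristic signal, not proof.

```java
import java.util.*;

// Added helper (not the thread's or IdentityIQ's code): classifies an AD account
// from its DN and a map of its attributes. Plain Java so it compiles stand-alone.
public class ServiceAccountClassifier {
    // Assumed OU DN for this example; replace with the real one for your domain.
    static final String SERVICE_OU_DN = "ou=serviceaccounts,dc=example,dc=com";
    // userAccountControl bit DONT_EXPIRE_PASSWD (documented AD value).
    static final int UAC_DONT_EXPIRE_PASSWD = 0x10000;

    // Exact OU match: after whitespace and case normalisation the DN must end with
    // ",<service OU DN>", so "ou=serviceaccounts-old" or a same-named OU elsewhere
    // in the tree does not match. RDN values with escaped commas are not handled.
    static boolean isInServiceOu(String dn) {
        if (dn == null) return false;
        String norm = dn.replaceAll("\\s*,\\s*", ",").toLowerCase(Locale.ROOT);
        return norm.endsWith("," + SERVICE_OU_DN);
    }

    // Returns a short reason when the account looks like a service account, or null
    // when it does not, so a rule can log why the flag was set.
    static String serviceAccountReason(String dn, Map<String, Object> attrs) {
        if (isInServiceOu(dn)) return "in service OU";
        Object spn = attrs.get("servicePrincipalName");
        if (spn instanceof Collection && !((Collection<?>) spn).isEmpty()) return "has SPN";
        if (spn instanceof String && !((String) spn).isEmpty()) return "has SPN";
        Object uac = attrs.get("userAccountControl");
        if (uac != null) {
            int flags = Integer.parseInt(uac.toString().trim());
            if ((flags & UAC_DONT_EXPIRE_PASSWD) != 0) return "password never expires (heuristic)";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample attribute maps.
        Map<String, Object> svcAttrs = new HashMap<>();
        svcAttrs.put("userAccountControl", "66048"); // NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
        Map<String, Object> userAttrs = new HashMap<>();
        userAttrs.put("userAccountControl", "512");  // NORMAL_ACCOUNT
        userAttrs.put("servicePrincipalName", Collections.emptyList());

        System.out.println(serviceAccountReason("CN=svc-backup,OU=ServiceAccounts,DC=example,DC=com", svcAttrs));
        System.out.println(serviceAccountReason("CN=jdoe,OU=ServiceAccounts-Old,DC=example,DC=com", userAttrs));
        System.out.println(serviceAccountReason("CN=sqlsvc,OU=Users,DC=example,DC=com", svcAttrs));
    }
}
```

Inside a ResourceObjectCustomization rule the same logic can be pasted into the Source body (Beanshell accepts the Java syntax) with the map taken from object.getAttributes(), and the returned reason written to the log line next to the flag.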