Service Accounts seen by out Help Desk team

derrickthomasvdot · December 3, 2024, 6:38pm

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

We use the OTB Help Desk Quinklink Population for our helpdesk team. But, we would like for the helpdesk to not see certain identities aka Service Accounts when they use the helpdesk user right by way of “Managed Accounts”. Is there a filter I could use to have this completed?

enistri_devo · December 3, 2024, 6:58pm

Hi @derrickthomasvdot,

yes you can define a target population for each quicklink population on Who can members request for? section:

Also, on this page you can find the documentation and an example for each case

derrickthomasvdot · December 3, 2024, 8:11pm

what I am trying to accomplish is to have the helpdesk see everything minus any identities or accounts that start with svc.

enistri_devo · December 3, 2024, 8:15pm

you can create a IdentityFilterGenerator rule marking Match filter rule flag:

there you return the filter that you want

derrickthomasvdot · December 3, 2024, 8:39pm

I’m not seeing any button to create a filter.

Also, when I try to edit a rule, it tells me I do not have the correct privileges’ to do this although I am a system admin rights in sailpoint iiq.

enistri_devo · December 3, 2024, 8:54pm

You can use a filter if enable Match Custom critiria and add this filter:

!(name.startsWithIgnoreCase("svc"))

but if you want a more complex critiria you need to use a rule.
About the permission, meybe you dont have alle the rights or there is a problem on configuration. A workaround is create the rule from debug and later select the rule on quicklink.
This is the template of this type of rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Test" type="IdentityFilterGenerator">
  <Description>Identity Filter Generator rules are used by the Quicklink DynamicScopes to determine the identities that a given user can act on behalf of.</Description>
  <Signature returnType="sailpoint.object.Filter">
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="requester" type="sailpoint.object.Identity">
        <Description>
            The identity that is accessing a Quicklink, and for whom the requestable members are being calculated.
          </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="filter" type="sailpoint.object.Filter">
        <Description>
            A Filter object that will be used to search for requestable identities.
          </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source></Source>
</Rule>

system · February 1, 2025, 8:55pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.