Single Entitlement Request for Specific Applications

Which IIQ version are you inquiring about?

We have a requirement where a user should be able to select only one entitlement for a specific application (Through Manage User Access).

  • This restriction should apply only to that particular application, not to all applications.

  • If the user tries to select more than one entitlement for that application, the system should display a popup message informing the user that only one entitlement can be selected.

Looking forward… Thanks in advance.

@satishbabu Please check this thread: Custom Message Popup on Manage User Access Screen - #11 by Peddapolu

I shared a sample plugin that blocks the request flow if the number of items exceeds a certain number. I believe this should work in your case as well, where instead of checking all the line items, you can check for specific apps and throw the popup.

Please let me know if it helps; I can share the sample plugin over chat.

Hi @neel193, thanks for your response. I didn’t see any plugin-related code in the shared thread!

@satishbabu The code is not in the post. I shared it for the context. If your requirement is like the other thread, I can share the details over chat.

Create a small plugin to achieve it. On the Manage User Access page, are we doing any filtering? If yes, which filter are you using? Please confirm. This should be a simple plugin to achieve.

Hi @satishbabu

We had a similar requirement earlier and dealt with it using an Advanced Policy.
In an Advanced Policy you can write the policy violation rule and return a violation based on your conditions.

Hi Harshith, thanks for the input. Could you please share a sample rule if you have one?

Please find it below

  // Advanced Policy violation rule (BeanShell). IdentityIQ passes in
  // context, identity, policy and constraint as rule arguments.
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.api.SailPointContext;
  import sailpoint.api.IdentityService;
  import sailpoint.object.*;
  import sailpoint.tools.*;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;

  // Returns true if the persisted identity already has an account (Link) on the
  // application. The identity handed to the rule may be a projected copy that
  // already carries the requested access, so the identity is re-read by name.
  boolean checkIdentityHasApplicationLink(String identityName, String appName)
  {
    boolean hasAccess = false;
    Identity identity = context.getObjectByName(Identity.class, identityName);
    if (null != identity)
    {
      IdentityService ids = new IdentityService(context);
      Application app = context.getObjectByName(Application.class, appName);
      if (null != app)
      {
        List links = ids.getLinks(identity, app);
        if (Util.nullSafeSize(links) > 0)
        {
          hasAccess = true;
        }
      }
    }
    return hasAccess;
  }

  boolean violate = false;
  PolicyViolation v = null;

  // Application and entitlement attribute to restrict; adjust to your environment.
  String appName = "Your App name";
  String entitlementName = "ROLES";
  Application app = context.getObjectByName(Application.class, appName);

  boolean hasApplicationAccess = checkIdentityHasApplicationLink(identity.getName(), appName);

  if (app != null)
  {
    IdentityService ids = new IdentityService(context);
    List listLink = ids.getLinks(identity, app);
    if (listLink != null)
    {
      for (Link l : listLink)
      {
        Attributes atts = l.getEntitlementAttributes();
        if (atts != null)
        {
          Object entitlements = atts.get(entitlementName);
          // A multi-valued attribute comes back as a list; a single value
          // is not a list and can never violate.
          if (entitlements instanceof List)
          {
            int count = ((List) entitlements).size();
            // Tolerate one value on a new account. On an existing account
            // tolerate two, unless the link carries more than two entitlement
            // attributes, in which case tolerate only one.
            if ((count > 1 && !hasApplicationAccess) ||
                (count > 2 && hasApplicationAccess) ||
                (count > 1 && atts.size() > 2 && hasApplicationAccess))
            {
              violate = true;
              break;
            }
          }
        }
      }
    }
  }

  if (violate)
  {
    v = new PolicyViolation();
    v.setActive(true);
    v.setIdentity(identity);
    v.setPolicy(policy);
    v.setConstraint(constraint);
    v.setDescription("Single access SOD for: " + appName);
    v.setStatus(sailpoint.object.PolicyViolation.Status.Open);
  }

  return v;