Targeted Cert - Certification Entity Reassign

Which IIQ version are you inquiring about?

iiq 8.4p1

Share all details about your problem, including any error messages you may have received.

We have a scenario where, in a targeted cert for role owner, we are facing self-certification for the role owner, and we want to reassign only that cert entity to its manager. Is it possible to reassign a single certification entity to a new certifier? If so, please help me with this. If not, please help me with another workaround.

Hi @vatreanchal,

Certifications are reassigned to the Self-Certification Violation Owner if any of the certifications is causing a self-certification violation, other than for system and certification administrators.

So you can set the Self-Certification Violation Owner to the role owner's manager if the self-certification is occurring only for one role owner, or else you can use the 'FallbackWorkItemForward' rule to reassign the certification entity to the role owner's manager. This rule is also applicable for all types of certifications.

You can configure FallbackWorkItemForward rule in Global Settings → IdentityIQ Configuration → WorkItems.

Here is the sample code:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule  language="beanshell"  name="SelfCertification-Reassigment" type="FallbackWorkItemForward">
  <Source>
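  import sailpoint.object.Identity;

  // "owner" is the Identity that currently owns the work item.
  Identity manager = null;
  if (owner != null) {
    manager = owner.getManager();
  }
  // Forward to the owner's manager when one exists.
  if (manager != null) {
    return manager;
  }
  // Otherwise fall back to the administrator.
  return "spadmin";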
  </Source>
</Rule>
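
A variant of the manager-based rule above, as an added example that is not part of the original post: it climbs the manager chain, skips inactive managers, and stops on a manager loop so the self-certifying owner is never chosen again. The rule name is hypothetical; `owner` and `log` are the rule inputs listed in the thread's signature, and "spadmin" is the fallback used in the thread.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Added example: rule name is hypothetical; "spadmin" is the fallback used in the thread -->
<Rule language="beanshell" name="Example-SelfCert-ManagerChain" type="FallbackWorkItemForward">
  <Source><![CDATA[
  import java.util.HashSet;
  import java.util.Set;
  import sailpoint.object.Identity;

  // Final fallback when no usable manager exists (value taken from the thread).
  String fallback = "spadmin";
  if (owner == null) {
    return fallback;
  }

  // Names already visited, so a manager loop (A -> B -> A) cannot spin forever
  // and the self-certifying owner is never selected again.
  Set seen = new HashSet();
  seen.add(owner.getName());

  Identity candidate = owner.getManager();
  while (candidate != null && !seen.contains(candidate.getName())) {
    // An inactive manager cannot act on the work item, so keep climbing.
    if (!candidate.isInactive()) {
      log.info("Self-certification fallback: " + owner.getName() + " -> " + candidate.getName());
      return candidate;
    }
    seen.add(candidate.getName());
    candidate = candidate.getManager();
  }

  log.warn("No active manager found for " + owner.getName() + "; using " + fallback);
  return fallback;
  ]]></Source>
</Rule>
```

The CDATA wrapper lets `&&` appear unescaped; without it the operators must be written as `&amp;&amp;`, as in the rule posted later in this thread.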

Hi @vatreanchal

In Targeted certifications, there is a section labelled Choose Certifier. Under that you can find Advanced Options, under which you can select the Self Certification Violation Owner.
However, you can dynamically assign it to the owner's manager. It allows you to select an Identity or Workgroup to act as Self Certification Violation Owner.

We came across the same situation and resolved it by using a Self-Certification Forwarding Rule. This ensures that when forwarding would result in self-certification, the work item is reassigned to another valid certifier (or a defined fallback).

Here’s the rule we used, and it worked for us:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Self Certifier Forwarding rule V1" significantModified="" type="FallbackWorkItemForward">
  <Description>A rule used to pick a fallback owner for a work item in case current owner will cause self-certification.</Description>
  <Signature returnType="Object">
    <Inputs>
      <Argument name="log" type="org.apache.commons.logging.Log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="item" type="WorkItem">
        <Description>The WorkItem being opened. Note that not all of the WorkItem arguments may be set.</Description>
      </Argument>
      <Argument name="owner" type="Identity">
        <Description>The Identity that currently owns the work item.</Description>
      </Argument>
      <Argument name="creator" type="String">
        <Description>The name of identity that created the certification belonging to the work item.</Description>
      </Argument>
      <Argument name="certifiers" type="List&lt;String>">
        <Description>A list of certifier names for the certification belonging to the work item.</Description>
      </Argument>
      <Argument name="name" type="String">
        <Description>The name of the certification belonging to the work item. It may be null if certification is not created yet.</Description>
      </Argument>
      <Argument name="type" type="Certification.Type">
        <Description>The type of the certification belonging to the work item.</Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="newOwner">
        <Description>An Identity that should own the work item.  Alternatively, this can be a String that is the name or id of the Identity.</Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
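  import sailpoint.object.Certification;
  import sailpoint.object.Identity;

  // Name of the certification's owner, if the certification already exists.
  String approver = null;
  // Last-resort owner when no other certifier is available.
  Identity newUser = context.getObjectByName(Identity.class, "spadmin");

  if (name != null &amp;&amp; item.getCertification() != null) {
    // The work item carries the id of its certification.
    Certification cert = context.getObjectById(Certification.class, item.getCertification());
    if (cert != null &amp;&amp; cert.getOwner() != null) {
      // getOwner() returns an Identity, so compare by name.
      approver = cert.getOwner().getName();
    }
  }

  // If the certification owner is unknown or is the current owner, pick the
  // first listed certifier who is not the current owner.
  if (certifiers != null &amp;&amp; (approver == null || approver.equals(owner.getName()))) {
    for (String certifier : certifiers) {
      if (!certifier.equals(owner.getName())) {
        return certifier;
      }
    }
  }

  return newUser;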

</Source>
</Rule>



This way, the work item never loops back to the same person for certification.
