Targeted certification exclusion Rule

IdentityIQ (IIQ) IIQ Discussion and Questions
, , , ,
1

Which IIQ version are you inquiring about?

Version 8.0

Share all details related to your problem, including any error messages you may have received.

I’ve been working on implementing an exclusion rule for targeted certification, aiming to exclude detected roles and non-requestable entitlements. While I’ve successfully excluded roles as expected, I’m facing challenges with accurately excluding non-requestable entitlements. For certain users, the exclusion process works for some non-requestable entitlements but not for others. Could someone please help me identify the issue and provide guidance on resolving it?

for (Certifiable certifiable : items) {  // here we iteriating entitlement also 
    //log.error("entering for loop");
    if (certifiable instanceof EntitlementGroup) {
      Attributes attributes = certifiable.getAttributes();
      log.error("managed attribute EntitlementGroup: "+certifiable.toXml());
      log.error("managed attribute attributes: "+attributes);
      if (attributes != null) 
      {
        if (attributes.containsKey("memberOf")) {
          String entitlementGroupName = attributes.get("memberOf");
          Filter myFilter1 = Filter.eq("ManagedAttribute.value", entitlementGroupName);
          QueryOptions queryOption = new QueryOptions(); 
          queryOption.addFilter(myFilter1);
          Iterator itr = null;
          itr = context.search(ManagedAttribute.class, queryOption);
          while (itr.hasNext()) {
            ManagedAttribute managedAttribute=itr.next();
            log.error("Managed Attribute displayName: "+managedAttribute.getDisplayName());
            log.error("Managed Attribute is requestable or not: "+managedAttribute.isRequestable());
            if (managedAttribute == null || !managedAttribute.isRequestable()) {
              log.error("Excluding non-requestable managed attribute: "+managedAttribute.getDisplayName());
              itemsToExclude.add(certifiable);
              explanation = "Excluding non-requestable managed attribute: ";
            }
          }
        }
      }
    }

Thanks,
Ranjith M

2 

for (Certifiable certifiable : items) { // here we iteriating entitlement also
//log.error("entering for loop");
if (certifiable instanceof EntitlementGroup) {
	Attributes attributes = certifiable.getAttributes();
	log.error("managed attribute EntitlementGroup: "+certifiable.toXml());
	log.error("managed attribute attributes: "+attributes);
	if (attributes != null)
	{
		if (attributes.containsKey("memberOf")) {
			String entitlementGroupName = attributes.get("memberOf");
			Filter myFilter1 = Filter.eq("ManagedAttribute.value", entitlementGroupName);
			QueryOptions queryOption = new QueryOptions();
			queryOption.addFilter(myFilter1);
			Iterator itr = null;
			itr = context.search(ManagedAttribute.class, queryOption);
			while (itr.hasNext()) {
				ManagedAttribute managedAttribute=itr.next();
				log.error("Managed Attribute displayName: "+managedAttribute.getDisplayName());
				log.error("Managed Attribute is requestable or not: "+managedAttribute.isRequestable());
				if (managedAttribute == null || !managedAttribute.isRequestable()) {
					log.error("Excluding non-requestable managed attribute: "+managedAttribute.getDisplayName());
					itemsToExclude.add(certifiable);
					explanation = "Excluding non-requestable managed attribute: ";
				}
			}
		}
		else {
			itemsToExclude.add(certifiable);
		}
	}
}

You have to check other type of Group that is not memberOf. May be you will take out cert object then you will see what other type of data is showing.

3

Hi @Ranjith2000

Did you get chance to check this ?

4

Don’t forget to remove the certifiable from the items iterator.

Iterator it = items.iterator();
while(it.hasNext()) {
  Certifiable certifiable = (Certifiable) it.next();
  //log.error("entering for loop");
  if (certifiable instanceof EntitlementGroup) {
	Attributes attributes = certifiable.getAttributes();
	log.error("managed attribute EntitlementGroup: "+certifiable.toXml());
	log.error("managed attribute attributes: "+attributes);
	if (attributes != null)
	{
		if (attributes.containsKey("memberOf")) {
			String entitlementGroupName = attributes.get("memberOf");
			Filter myFilter1 = Filter.eq("ManagedAttribute.value", entitlementGroupName);
			QueryOptions queryOption = new QueryOptions();
			queryOption.addFilter(myFilter1);
			Iterator itr = null;
			itr = context.search(ManagedAttribute.class, queryOption);
			while (itr.hasNext()) {
				ManagedAttribute managedAttribute=itr.next();
				log.error("Managed Attribute displayName: "+managedAttribute.getDisplayName());
				log.error("Managed Attribute is requestable or not: "+managedAttribute.isRequestable());
				if (managedAttribute == null || !managedAttribute.isRequestable()) {
					log.error("Excluding non-requestable managed attribute: "+managedAttribute.getDisplayName());
					it.remove();
					itemsToExclude.add(certifiable);
					explanation = "Excluding non-requestable managed attribute: ";
				}
			}
		}
		else {
			it.remove();
			itemsToExclude.add(certifiable);
		}
	}
}

My 2c,

– Remold

5

Hi Pravin,

After adding the else condition, I realized that “groups” is also one of the attributes , but memberof entitlement is still not being properly excluded for some users . could you please help me on this

Thanks
Ranjith M

6

Hi Remold,

I want to verify the exclusion as well. If we use the line “it.remove();”, we won’t be able to observe the exclusion of certifiable items.

Thanks
Ranjith M

7

In your code, if there is no ManagedAttribute found, the while loop will not execute (its.hasNext() will return false). Also, if itr.hasNext() returns true, itr.next() will not return null, so you do not need to check managedAttribute == null.

1 Like
8

Hi Kevin

My code is functioning correctly now, Kevin. I’ve made some modifications to it

Thanks
Ranjith M

9

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.