To send an email notification if the owner of an entitlement gets terminated or disabled

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi,

We are trying to set up an email notification for when an entitlement owner gets terminated or disabled.
I want to know how to pull the owner details from the entitlement and check whether the owner is active or not. Based on the employment status, an email should be sent to the administrators with the owner and the respective entitlement name. Any suggestions!!!

Hi Hari,
There are 2 ways you can do that (or actually 3).

  1. You can implement in your leaver/disablement/termination process a check whether the identity you are disabling/terminating owns any ManagedAttributes. To check this you can just use a simple query option with filters
QueryOptions qo = new QueryOptions();
qo.add(Filter.eq("owner.name", identity.getName()));
Iterator it = context.search(ManagedAttribute.class, qo);

/// If it.hasNext() is true, this identity owns some entitlements; otherwise not

then you can do any other logic, e.g. send a notification

  2. Similarly you can build a population of identities who are disabled but are assigned as owner, and send notifications on a schedule to these users

  3. An advanced policy to detect these situations and then assign the violation, e.g. to the manager of the owner

1 Like
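The scheduled variant of the check above (Kamil's option 2), written out as an added example in IdentityIQ rule syntax (BeanShell, Java-style); it is not code from this thread or from SailPoint. It walks every ManagedAttribute that has an owner, treats a null or workgroup owner as never terminated (scenarios 1 and 3 that come up later in the thread), flags owners that are disabled in IIQ or carry the `employmentstatus` value `T` from the thread, and mails one summary to a workgroup. It assumes IIQ injects `context` and `log`; the email template name is a placeholder that must exist in your environment, and the workgroup name is the one the thread uses.

```java
// Added example (not the thread's code): rule body for a scheduled IIQ Rule Runner task.
// Assumes IIQ injects `context` (SailPointContext) and `log`.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import sailpoint.api.ObjectUtil;
import sailpoint.object.EmailOptions;
import sailpoint.object.EmailTemplate;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

String TEMPLATE_NAME = "Entitlement Owner Terminated";   // placeholder: create this template
String ADMIN_WORKGROUP = "Certification Administrators"; // workgroup name used in the thread
String STATUS_ATTR = "employmentstatus";                 // identity attribute from the thread
String TERMINATED = "T";                                 // terminated value from the thread

// An owner is "terminated" when the identity is disabled in IIQ or HR marks it terminated.
// A null owner or a workgroup owner is never terminated: a workgroup has no employment
// status, so it must not be evaluated like a person.
public boolean isOwnerTerminated(Identity owner) {
  if (owner == null || owner.isWorkgroup()) {
    return false;
  }
  if (owner.isInactive()) {
    return true;
  }
  return TERMINATED.equals(owner.getStringAttribute(STATUS_ATTR));
}

// Group every orphaned entitlement by owner name: Map<String, List<ManagedAttribute>>.
// Only entitlements that actually have an owner are fetched from the database.
public Map findOrphanedEntitlements() throws GeneralException {
  Map byOwner = new HashMap();
  QueryOptions qo = new QueryOptions();
  qo.add(Filter.notnull("owner"));
  Iterator it = context.search(ManagedAttribute.class, qo);
  while (it.hasNext()) {
    ManagedAttribute ma = (ManagedAttribute) it.next();
    Identity owner = ma.getOwner();
    if (isOwnerTerminated(owner)) {
      List list = (List) byOwner.get(owner.getName());
      if (list == null) {
        list = new ArrayList();
        byOwner.put(owner.getName(), list);
      }
      list.add(ma);
    }
  }
  Util.flushIterator(it);
  return byOwner;
}

// Send one summary mail; the template can iterate $orphaned (owner name -> entitlements).
// Missing template, missing workgroup or a workgroup without addresses is logged, not ignored
// silently, which is the failure mode the thread runs into ("no emails").
public void notifyAdministrators(Map orphaned) throws GeneralException {
  if (orphaned.isEmpty()) {
    return; // nothing to report, so no mail
  }
  EmailTemplate template = context.getObjectByName(EmailTemplate.class, TEMPLATE_NAME);
  Identity workgroup = context.getObjectByName(Identity.class, ADMIN_WORKGROUP);
  if (template == null || workgroup == null) {
    log.error("Email template or workgroup not found; cannot notify");
    return;
  }
  List recipients = ObjectUtil.getEffectiveEmails(context, workgroup);
  if (recipients == null || recipients.isEmpty()) {
    log.error("Workgroup " + ADMIN_WORKGROUP + " has no effective email addresses");
    return;
  }
  EmailOptions options = new EmailOptions();
  options.setTo(recipients);
  Map vars = new HashMap();
  vars.put("orphaned", orphaned);
  options.setVariables(vars);
  context.sendEmailNotification(template, options);
}

notifyAdministrators(findOrphanedEntitlements());
```

The null and workgroup checks sit in one place on purpose: the later code in this thread dereferences `getOwner()` before testing it, and the parse and runtime errors reported below come from exactly that path. Querying with `Filter.notnull("owner")` also keeps the scan cheap on large entitlement catalogs.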

Hi Kamil,

Thanks for your input. We already have the rule below to notify when an entitlement is created; is it possible to pull the owner from the managed attribute and check for the employmentstatus?

  List entitlements = new ArrayList();
  QueryOptions qo = new QueryOptions();
  Date last1DayDate = new Date();
  last1DayDate = DateUtils.addDays(last1DayDate, -1);
  qo.addFilter(Filter.gt("created", last1DayDate));// Filter to Get entitlements created in last 1 day
  IncrementalObjectIterator managedAttrsIterator = new IncrementalObjectIterator(context, ManagedAttribute.class, qo);
  while (managedAttrsIterator.hasNext()) {
    ManagedAttribute managedAttr = (ManagedAttribute) managedAttrsIterator.next();
    if(managedAttr.getDisplayName() != null ){
      entitlements.add(managedAttr);
    }
  }

  if (!entitlements.isEmpty()) {
    sendNewAccountEmail(entitlements);
  }

Hi Kamil,

When I tried to modify the code to send the notification based on the attribute employmentstatus, it gave me the error below

“Exception running rule: BeanShell script error: bsh.ParseException: Parse error at line 37, column 15. Encountered: ( BSF info: Test-Rule-to-get-Ent-owner at line: 0 column: columnNo”

Below is the full code.

import sailpoint.api.SailPointContext;
import sailpoint.object.EmailOptions;
import sailpoint.object.EmailTemplate;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import java.util.Date;
import org.apache.commons.lang.time.DateUtils;
import sailpoint.object.ObjectClassification;
import sailpoint.api.IncrementalObjectIterator;
import sailpoint.api.Terminator;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.util.Iterator;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.logging.Log;

  public void sendNewAccountEmail(List entlist) throws GeneralException {
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, "New Entitlement Notification");
    EmailOptions options = new EmailOptions();
    String workgroupName = "Certification Administrators"; // Workgroup Name
    Identity workgroup = context.getObjectByName(Identity.class, workgroupName);
    List email = sailpoint.api.ObjectUtil.getEffectiveEmails(context, workgroup);
    options.setTo(email);
    Map args = new HashMap();
    args.put("entitlements", entlist);
    options.setVariables(args);
    context.sendEmailNotification(template, options);
  }

  List entitlements = new ArrayList();

  QueryOptions qo = new QueryOptions();
  qo.add(Filter.eq("owner.name", identity.getName()));
  Iterator it = context.search(ManagedAttribute.class, qo);
  while (it.hasNext()) {
    ManagedAttribute managedAttr = (ManagedAttribute) it.next();
    if (managedAttr.getOwner().getEmploymentStatus() equals("T")) {
      entitlements.add(managedAttr);
    }
  }

  if (!entitlements.isEmpty()) {
    sendNewAccountEmail(entitlements);
  }

Hi Hari,
I believe you have 2 issues here; it should be like this (the first one is that the getEmploymentStatus method does not exist, you have to take it from the regular attributes map; the second is that to execute equals you forgot a dot).

if(managedAttr.getOwner() != null && ("T").equals(managedAttr.getOwner().getStringAttribute("employmentstatus"))){

Hi Kamil,

I tried with the same syntax inside the if condition but it throws me the error below,

Error: The system has encountered a serious error while processing your request. See your system administrator.

In our environment the managedattribute owner setup will have below 3 scenarios

  1. managedattribute owner = null
  2. managedattribute owner = direct owner
  3. managedattribute owner = Workgroup

If you have an error then in the logs (or syslog) you should have a more detailed error message.

Hi Kamil,

I have referred to the syslog; it seems to be a syntax error. “&&” is not accepted in the script; instead we can use "&&"

Able to run the rule without any issues now. But it's not triggering any emails.

  public void sendNewAccountEmail(List entlist) throws GeneralException {
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, "New Entitlement Notification");
    EmailOptions options = new EmailOptions();
    String workgroupName = "Certification Administrators"; // Workgroup Name
    Identity workgroup = context.getObjectByName(Identity.class, workgroupName);
    List email = sailpoint.api.ObjectUtil.getEffectiveEmails(context, workgroup);
    options.setTo(email);
    Map args = new HashMap();
    args.put("entitlements", entlist);
    options.setVariables(args);
    context.sendEmailNotification(template, options);
  }

  Identity identity = context.getObjectByName(Identity.class, "name");
  if (identity != null) {
    List entitlements = new ArrayList();
    QueryOptions qo = new QueryOptions();
    qo.add(Filter.eq("owner.name", identity.getName()));
    Iterator it = context.search(ManagedAttribute.class, qo);
    while (it.hasNext()) {
      ManagedAttribute managedAttr = (ManagedAttribute) it.next();
      if (managedAttr.getOwner() != null && ("T").equals(managedAttr.getOwner().getStringAttribute("employmentstatus"))) {
        entitlements.add(managedAttr);
      }
    }
  }

  if (!entitlements.isEmpty()) {
    sendNewAccountEmail(entitlements);
  }

Do you provide a real name here?
Identity identity = context.getObjectByName(Identity.class, “name”);
or is it the exact code?

It's the exact code; I tried to pass the identity name into the variable identity. But in our case it should check all the identities who are marked as entitlement owner and apply the filter to the same.

Hi @HARI31,

We have a similar scenario in our IdentityIQ environment.
What we are doing is: in the termination workflow process we check if the user who is getting terminated is the owner of any roles or workgroups or any other objects, then update these objects to set the terminated user's manager as the owner, and send an email at the end to the manager in the workflow process. This way no terminated users will be part of any role or workgroup objects.

In the workflow we have rules to determine the logic of who is the next owner and send email accordingly.


1 Like
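The ownership handover described above, as an added example of a termination workflow step rule; it is not Vinod's code or SailPoint's. It collects the roles (`Bundle`), entitlements (`ManagedAttribute`) and workgroups (`Identity` with `workgroup = true`) owned by the leaver, moves them to the leaver's manager, or to a fallback workgroup when there is no active manager, commits, and returns a list of what moved so a later workflow step can email the new owner. It assumes the workflow passes `identity` (the leaver) and that IIQ injects `context` and `log`; the fallback workgroup name is a placeholder, and the `owner.name` filter path is the one the thread uses for ManagedAttribute, applied here to Bundle and Identity as well.

```java
// Added example (not the thread's code): workflow step rule run during termination.
// Assumes the workflow passes `identity` (the leaver) and IIQ injects `context` and `log`.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.object.SailPointObject;
import sailpoint.tools.GeneralException;

String FALLBACK_WORKGROUP = "Certification Administrators"; // placeholder fallback owner

// Who inherits ownership: the manager, if there is one and it is still active and not the
// leaver itself; otherwise the fallback workgroup. Handing objects to another inactive
// identity would just recreate the problem one level up.
public Identity chooseNewOwner(Identity leaver) throws GeneralException {
  Identity manager = leaver.getManager();
  if (manager != null && !manager.isInactive() && !manager.equals(leaver)) {
    return manager;
  }
  return context.getObjectByName(Identity.class, FALLBACK_WORKGROUP);
}

// Objects of one class owned by the leaver. For Identity the extra filter limits the
// result to workgroups, so ordinary identities are never touched.
public List findOwned(Class clazz, Identity leaver, boolean workgroupsOnly) throws GeneralException {
  List found = new ArrayList();
  QueryOptions qo = new QueryOptions();
  qo.add(Filter.eq("owner.name", leaver.getName()));
  if (workgroupsOnly) {
    qo.add(Filter.eq("workgroup", true));
  }
  Iterator it = context.search(clazz, qo);
  while (it.hasNext()) {
    found.add(it.next());
  }
  return found;
}

// Reassign every owned object and persist in one transaction. Returns human-readable
// "Type: name -> newOwner" lines that the email step can render.
public List reassignOwnership(Identity leaver) throws GeneralException {
  Identity newOwner = chooseNewOwner(leaver);
  if (newOwner == null) {
    throw new GeneralException("No manager and no fallback workgroup for " + leaver.getName());
  }
  // Collect first, then modify: saving while a search iterator is open is fragile.
  List owned = new ArrayList();
  owned.addAll(findOwned(Bundle.class, leaver, false));
  owned.addAll(findOwned(ManagedAttribute.class, leaver, false));
  owned.addAll(findOwned(Identity.class, leaver, true));

  List moved = new ArrayList();
  Iterator it = owned.iterator();
  while (it.hasNext()) {
    Object obj = it.next();
    if (obj instanceof Bundle) {
      ((Bundle) obj).setOwner(newOwner);
    } else if (obj instanceof ManagedAttribute) {
      ((ManagedAttribute) obj).setOwner(newOwner);
    } else if (obj instanceof Identity) {
      ((Identity) obj).setOwner(newOwner);
    }
    context.saveObject((SailPointObject) obj);
    moved.add(obj.getClass().getSimpleName() + ": " + ((SailPointObject) obj).getName()
        + " -> " + newOwner.getName());
  }
  context.commitTransaction();
  log.info("Reassigned " + moved.size() + " objects owned by " + leaver.getName());
  return moved;
}

return reassignOwnership(identity);
```

Put the returned list into a workflow variable and hand it to the email step together with the new owner's address; the rule itself does not send mail, so the same step can be reused by a population-based cleanup task that has no single recipient.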

Hi Vinod,

Thanks for your inputs. Do we need to create a new variable under the termination workflow?
How do we find whether the user is the owner of any entitlements/roles? Is there any sample method available?
