To set sensitivity for newly added entitlement by default

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi, We have a requirement to set sensitivity for newly added entitlements by default to itsensitive.

We created a custom rule to set sensitivity for the entitlements by created date, which will be called in a task definition.

Can anyone suggest whether we have an inbuilt method to set classification in a managed attribute?
ma.setRequestable // used to set requestable
ma.setOwner // used to set owner

Likewise, do we have any method to set the classification as Itsensitive?

Also, what do we need to send in query options to pull the entitlements with created date as current date? Any suggestions will be helpful.

Hi Preethi,
You have the methods getClassification, setClassification, addClassification and removeClassification available, so you can use them.

To set it you can use the native IIQ aggregation process; no need for a custom task really.

  1. You can create a customization rule and set it on the app level to set the correct classification.
  2. Use a groupRefresh rule, which can do the same but is configured in the groups aggregation task XML.

The difference between these solutions is that no. 1 works only for newly aggregated entitlements, which means SailPoint will not overwrite changes if you make any to the entitlement. Solution no. 2 is fired for every single entitlement during every aggregation, which means it will overwrite your changes.

Hi Kamil,

Thanks for your input, but our requirement is very specific, for audit purposes. We have to send query options with created date as current date and mark the sensitivity as itsensitive.
I tried setClassification but it is throwing the error method not found. Do we have any import object?
Also, how do we need to send query options as created date and current date?
Any help will be very useful.

Thanks!

Can you show your code?

First you need to create a classification object based on the guide here (classification from other sources): 8.3 IdentityIQ Classifications Guide - Compass.
Then you need to retrieve the classification object using context; afterwards you can pass it to the managed attribute.

Hi Preethi,

Can you describe your requirement in more detail: which entitlements do you want to do this for, and what is the condition?

<?xml version='1.0' encoding='UTF-8'?>
This rule is used to mark sensitivity for newly added entitlement by default
import sailpoint.object.*;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.api.Terminator;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.util.Iterator;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.logging.Log;
import sailpoint.tools.Util;
import java.util.Iterator;

ManagedAttribute ma = new ManagedAttribute();

QueryOptions qo = new QueryOptions();

           //qo.addFilter(Filter.eq("group",(Boolean)true));

qo.addFilter(Filter.eq("application.name","Veritax"));
Iterator maResult = context.search(ManagedAttribute.class, qo);
log.error("Querryoptions log error1:::"+qo);
int count = 0;

            int commitLimit = 100;

           while (maResult.hasNext()) {

               ManagedAttribute ma = (ManagedAttribute)maResult.next();
			    List classificationList = ma.getClassifications();
			   log.error("ManagedAttribute log error1:::"+ma);
			   log.error("ClassificationList is log error1:::"+classificationList);
			   
			    if(classificationList == null && classificationList.isEmpty())
  {
    for(ObjectClassification oc : classificationList)
    {
      oc.setClassification(itsensitive);
	  context.saveObject(oc);   
     
    }
  }

context.commitTransaction();
ma.setRequestable(false);

               context.saveObject(ma);              

               count++;

               if ( (count %  commitLimit) == 0)  {

                           context.commitTransaction(); 

               }
           }
          context.commitTransaction();

          return "Processed  " + count + " objects.";  

Hi Satish,

Our requirement is that we need to set the sensitivity of newly added entitlements as itsensitive by default.
For this we need to create a custom rule to pass created as current date in query options and set the classification as itsensitive.
How do we pass created date as current date in the query options? Also, which method do we use to set the classification?
I have pasted the code. Can you please have a look? Any suggestions will be helpful.

Is Insensitive the name of a custom Classification you have in your system?

So I see 3 potential issues:

  1. This if statement: if classificationList is null or empty, then we iterate over it. I believe the conditions should be the opposite.
			    if(classificationList == null && classificationList.isEmpty())
  {
    for(ObjectClassification oc : classificationList)
    {
      oc.setClassification(itsensitive);
	  context.saveObject(oc);   
     
    }
  }
  2. Like my predecessor said, it's important what itsensitive is, as the method setClassification does not expect a string but an ObjectClassification object.
  3. You have to set the classification on the ManagedAttribute object, not on ObjectClassification.

No, we have to set it as itsensitive.

If that is the case, the first thing you have to do is create a Classification object with this name.

Classification is not an attribute like other attributes; you have to create the object and then add it to your entitlements or roles.

Below is the sample Classification object.

<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE Classification PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Classification id="" name="FinancialSensitive" displayName="Financials-Sensitive" origin="MyIndependentDataSource">
 <Attributes>
   <Map>
    <entry key="sysDescriptions">
     <value>
      <Map>
       <entry key="en_US" value="Allows access to sensitive financial data"/>
       <entry key="fr_FR" value="Permet l'accès à des données financières sensibles"/>
     </Map>
    </value>
   </entry>
  </Map>
 </Attributes>
</Classification>

Classifications in IdentityIQ - Compass (sailpoint.com)

This wiki article explains more. Once this is created, do let me know. I am working on code that can help you and will keep you posted.

@Preethi Use the code below once the classification is created; do let me know if this worked.


  import sailpoint.object.QueryOptions;
  import sailpoint.object.Filter;
  import sailpoint.object.Application;
  import sailpoint.object.Classification;
  import sailpoint.object.ObjectClassification;
  import sailpoint.object.ManagedAttribute;
  import java.util.Date;
  import org.apache.commons.lang.time.DateUtils;
  import sailpoint.api.IncrementalObjectIterator;
  import org.apache.log4j.Logger;

  String applicationName = "Your App Name";
  String classificationName = "Your Classification Name"; // provide the name, in your case "Insensitive"

  QueryOptions managedQO = new QueryOptions();
  Classification classf = context.getObjectByName(Classification.class, classificationName);

  managedQO.addFilter(Filter.eq("application.name", applicationName)); // Filter the entitlements belonging to an application; if you don't need this you can remove it

  Date last1DayDate = new Date();
  last1DayDate = DateUtils.addDays(last1DayDate, -1);

  managedQO.addFilter(Filter.gt("created", last1DayDate)); // Filter to get entitlements created in the last 1 day

  IncrementalObjectIterator<ManagedAttribute> managedAttrsIterator = new IncrementalObjectIterator<ManagedAttribute>(context, ManagedAttribute.class, managedQO);

  while (managedAttrsIterator.hasNext()) {
    ObjectClassification objClassf = new ObjectClassification();
    objClassf.setClassification(classf);
    ManagedAttribute managedAttr = (ManagedAttribute) managedAttrsIterator.next();
    managedAttr.addClassification(objClassf);
    context.saveObject(managedAttr);
    context.commitTransaction();
  }

Hi Satish,

Thank you for giving me the details.
We already have the classification as below, and I created an object classification in my rule and tried to set the classification. But sensitivity is not getting updated and I don't see any issues. I created one test entitlement yesterday…

<?xml version='1.0' encoding='UTF-8'?>
This rule is used to mark sensitivity for newly added entitlement by default
import sailpoint.object.*;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.object.Classification;

import sailpoint.object.ObjectClassification;
import java.util.Date;
import org.apache.commons.lang.time.DateUtils;
import sailpoint.api.IncrementalObjectIterator;
import sailpoint.api.Terminator;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.util.Iterator;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.logging.Log;
import sailpoint.tools.Util;
import java.util.Iterator;

ManagedAttribute ma = new ManagedAttribute();

String classificationName="itSensitive"; //

QueryOptions qo = new QueryOptions();

Classification classf=context.getObjectByName(Classification.class, classificationName);

ObjectClassification objClassf=new ObjectClassification();

objClassf.setClassification(classf);
Date last1DayDate = new Date();
last1DayDate= DateUtils.addDays(last1DayDate, -1);
qo.addFilter(Filter.eq("application.name","Veritax"));
qo.addFilter(Filter.gt("created",last1DayDate));// Filter to Get entitlements created in last 1 day
log.error ("qo list is :"+qo);
IncrementalObjectIterator<ManagedAttribute> managedAttrsIterator = new IncrementalObjectIterator<ManagedAttribute>(context, ManagedAttribute.class, qo);
log.error ("Entitlement list is :"+managedAttrsIterator);

while (managedAttrsIterator.hasNext()) {

ManagedAttribute managedAttr = (ManagedAttribute) managedAttrsIterator.next();
log.error ("managedAttr list is :"+managedAttr);
managedAttr.addClassification(objClassf);
context.saveObject(managedAttr);
context.commitTransaction();

}

classification:

<?xml version='1.0' encoding='UTF-8'?>

Also, if I pass created date in query options, it is not fetching the entitlements that were created yesterday.

Hi Kamil,

As per your suggestion the code has been modified. But sensitivity is not getting updated.

<?xml version='1.0' encoding='UTF-8'?>
This rule is used to mark sensitivity for newly added entitlement by default
import sailpoint.object.*;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.object.Classification;

import sailpoint.object.ObjectClassification;
import java.util.Date;
import org.apache.commons.lang.time.DateUtils;
import sailpoint.api.IncrementalObjectIterator;
import sailpoint.api.Terminator;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.util.Iterator;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.logging.Log;
import sailpoint.tools.Util;
import java.util.Iterator;

ManagedAttribute ma = new ManagedAttribute();

String classificationName="itSensitive"; //

QueryOptions qo = new QueryOptions();

Classification classf=context.getObjectByName(Classification.class, classificationName);

ObjectClassification objClassf=new ObjectClassification();

objClassf.setClassification(classf);
Date last1DayDate = new Date();
last1DayDate= DateUtils.addDays(last1DayDate, -1);
qo.addFilter(Filter.eq("application.name","Veritax"));
//qo.addFilter(Filter.gt("created",last1DayDate));// Filter to Get entitlements created in last 1 day
log.error ("qo list is :"+qo);
IncrementalObjectIterator<ManagedAttribute> managedAttrsIterator = new IncrementalObjectIterator<ManagedAttribute>(context, ManagedAttribute.class, qo);
log.error ("Entitlement list is :"+managedAttrsIterator);

while (managedAttrsIterator.hasNext()) {

ManagedAttribute managedAttr = (ManagedAttribute) managedAttrsIterator.next();
log.error ("managedAttr list is :"+managedAttr);
managedAttr.addClassification(objClassf);
   context.saveObject(managedAttr);
context.commitTransaction();
  log.error ("saved managedAttr list is :"+managedAttr);

}
context.commitTransaction();

This is the way how IIQ is assigning classification itself

What I see is missing here is ownerID, which should be the ID of the managedAttribute object, and also ownerType, which should be set to managedAttribute. It would also be good to set source, but I think it's not required.

So do we need to set ownertype in Managed attribute?

No, as you can see on the screenshot ownerId and ownerType are part of the ObjectClassification object and this is where you have to set it.

I agree. Owner type and owner id are part of object classification. But Ownerid is an auto generated guid. How can we set that …
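
The pieces discussed in this thread, combined into one rule body as an added example (not code from any post above, and not SailPoint's own): it selects entitlements created since midnight, skips ones already tagged, and builds one ObjectClassification per entitlement with ownerId taken from the saved entitlement's own id. The setter and getter names on ObjectClassification (`setOwnerId`, `setOwnerType`, `getClassification`) and the ownerType value are assumptions based on the property names mentioned in the replies; check them against the 8.3 Javadoc.

```java
// Added example: BeanShell rule body; assumes IIQ supplies `context`, as in the rules above.
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang.time.DateUtils;
import sailpoint.api.IncrementalObjectIterator;
import sailpoint.object.Classification;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.ObjectClassification;
import sailpoint.object.QueryOptions;

String applicationName = "Veritax";         // application used in the thread
String classificationName = "itSensitive";  // Classification object must already exist

Classification classf = context.getObjectByName(Classification.class, classificationName);
if (classf == null) {
    throw new IllegalStateException("Classification not found: " + classificationName);
}

// "Created today" means created at or after local midnight.
Date startOfToday = DateUtils.truncate(new Date(), Calendar.DAY_OF_MONTH);
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", applicationName));
qo.addFilter(Filter.ge("created", startOfToday));

int updated = 0;
IncrementalObjectIterator it = new IncrementalObjectIterator(context, ManagedAttribute.class, qo);
while (it.hasNext()) {
    ManagedAttribute ma = (ManagedAttribute) it.next();
    boolean tagged = false;                  // skip entitlements already classified
    List existing = ma.getClassifications();
    if (existing != null) {
        for (Object o : existing) {
            Classification c = ((ObjectClassification) o).getClassification();
            if (c != null && classificationName.equals(c.getName())) tagged = true;
        }
    }
    if (tagged) continue;
    ObjectClassification oc = new ObjectClassification(); // one link object per entitlement
    oc.setClassification(classf);
    oc.setOwnerId(ma.getId());                               // id of the saved entitlement
    oc.setOwnerType(ManagedAttribute.class.getSimpleName()); // assumed stored value
    ma.addClassification(oc);
    context.saveObject(ma);
    if (++updated % 100 == 0) context.commitTransaction();   // commit in batches
}
context.commitTransaction();
return "Classified " + updated + " entitlements as " + classificationName;
```

Because the rule skips entitlements that already carry the classification, it can be rerun from the task without creating duplicate links.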