Hi All,
Hope everyone is doing well.
I was trying to implement a use case where a customer has the requirement that no contractor should have access to any highly classified entitlement/role.
To implement this, I have used an advanced policy with a custom rule. The policy violation is getting detected and everything looks fine, but I am unable to set the Policy Violation Owner and the list of entitlements causing the issue.
Currently, this is how the policy violation object gets generated -
Hope these methods mentioned within PolicyViolation.class might help; you can leverage the set-remediate-entitlements and setMitigator methods on your policy violation.
I normally set the owner in the Policy configuration via the UI:
The PolicyViolation object extends SailPointObject, which has the function setOwner.
It is hard to say how to list the entitlements as it depends on how you detect the violation. In that part of the rule you should have access to the entitlements to decide if it is in violation with the ‘being a contractor’. For most of our clients it is good enough to show the name of the role/entitlement in the violationDescription.
BTW, why are you not using the OOTB EntitlementSOD? Here you can use identity attributes (like isContractor) and entitlements. Put the attribute in the first entitlement set and the entitlements in the second set. This will also present the violation in a good fashion to the end users.
@Remold - The Full use case follows this -
The customer has populated classification data on a set of roles and entitlements. In this use case I need to consider both roles and entitlements.
Below is the sample snippet which I’m working with -
At this point, I’m confused about how to set the violating entitlements and roles for remediation. Also, how do I set the renderer? I can’t see much info on the documentation side.
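As an added illustration of the use case described in this thread (example code written for this page, not posted by any participant and not SailPoint's own), here is an Advanced policy rule body in IdentityIQ's Beanshell/Java style that collects the identity's classified roles and entitlements, then returns a PolicyViolation with the owner and a description listing the offending access. It assumes a classification named "HighlyClassified", an identity attribute "isContractor", the standard rule variables identity, policy, constraint and context, and that ManagedAttributer.get takes (context, application, attributeName, value) and Policy exposes getViolationOwner(); verify those two against your version's javadoc.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.ManagedAttributer;
import sailpoint.object.*;
import sailpoint.tools.Util;
// Assumed names: classification "HighlyClassified", identity attribute "isContractor".
String CLASSIFICATION = "HighlyClassified";
// True when an object's classification list carries the assumed classification.
boolean hasClassification(List classifications) {
    if (classifications == null) return false;
    for (Object o : classifications) {
        Classification c = ((ObjectClassification) o).getClassification();
        if (c != null && CLASSIFICATION.equals(c.getName())) return true;
    }
    return false;
}
// Only contractors are in scope; everyone else is compliant by definition.
if (!Util.otob(identity.getAttribute("isContractor"))) return null;
List violating = new ArrayList();  // display names of roles/entitlements in violation
// Roles: both assigned and detected roles count.
List roles = new ArrayList();
if (identity.getAssignedRoles() != null) roles.addAll(identity.getAssignedRoles());
if (identity.getDetectedRoles() != null) roles.addAll(identity.getDetectedRoles());
for (Bundle role : roles) {
    if (hasClassification(role.getClassifications())) violating.add("Role " + role.getName());
}
// Entitlements: resolve each exception value to its ManagedAttribute, which is where
// the classification is attached (ManagedAttributer.get argument order is assumed).
if (identity.getExceptions() != null) {
    for (EntitlementGroup eg : identity.getExceptions()) {
        for (String attr : eg.getAttributeNames()) {
            for (Object val : Util.asList(eg.getAttributes().get(attr))) {
                ManagedAttribute ma = ManagedAttributer.get(context, eg.getApplication(), attr, (String) val);
                if (ma != null && hasClassification(ma.getClassifications()))
                    violating.add(eg.getApplication().getName() + ":" + attr + "=" + val);
            }
        }
    }
}
if (violating.isEmpty()) return null;
PolicyViolation v = new PolicyViolation();
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setActive(true);
v.setOwner(policy.getViolationOwner());  // assumed: owner configured on the policy definition
v.setDescription("Contractor holds highly classified access: " + Util.listToCsv(violating));
return v;
```

The description carries the violating items so reviewers see them without a custom renderer; if your version exposes a setter for remediable entitlements on PolicyViolation, the same list is the input to it.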