Unable to assign PolicyViolation Owner in Advanced Policy

Which IIQ version are you inquiring about?

Version 8.1


Hi All,

Hope everyone is doing well.
I was trying to implement a use case where the customer has the requirement that no contractor should have access to any highly classified entitlements/roles.
To implement this, I have used an advanced policy with a custom rule. The policy violation is getting detected and everything looks fine, but I am unable to set the Policy Violation Owner and the list of entitlements causing the violation.

Currently, this is how the policy violation object gets generated -

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE PolicyViolation PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<PolicyViolation active="true" constraintId="c0a838668d391554818d7c6d34ad0668" constraintName="Custom rule" created="1707272444533" id="c0a838668d391554818d815e1a7506cc" policyId="c0a838668d391554818d7c6d34ad0667" policyName="Custom Policy" status="Open">
  <Description>Contractor Access to sensitive Roles/Entitlements</Description>
  <IdentityRef>
    <Reference class="sailpoint.object.Identity" id="c0a838668c661054818c663ff7d90248" name="1a2a3c4c"/>
  </IdentityRef>
</PolicyViolation>

There are two open questions -

  1. How to set the Owner
  2. How to put the list of entitlements violating the policy.

Hope these methods mentioned within PolicyViolation.class might help: you can leverage the set-remediate-entitlements method and setMitigator on your policy violation.

Hi Amit,

I normally set the owner in the Policy configuration via the UI.

The PolicyViolation object extends SailPointObject, which has the function setOwner.

It is hard to say how to list the entitlements as it depends on how you detect the violation. In that part of the rule you should have access to the entitlements to decide if it is in violation with the ‘being a contractor’. For most of our clients it is good enough to show the name of the role/entitlement in the violationDescription.

BTW, why are you not using the OOTB EntitlementSOD? Here you can use identity attributes (like isContractor) and entitlements. Put the attribute in the first entitlement set and the entitlements in the second set. This will also present the violation in a good fashion to the end users.

– Remold

@Remold @amansingh - Thanks for your input.

@Remold - The full use case is as follows:
The customer has populated classification data on a set of roles and entitlements. In this use case I need to consider both roles and entitlements.

Below is the sample snippet I'm working with:

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import sailpoint.api.ManagedAttributer;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Entitlement;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.PolicyViolation;

// Rule arguments available in an Advanced Policy rule: context, identity, policy, constraint.
// "logger" is a log4j Logger assumed to be set up earlier in the rule.
PolicyViolation pv = null;
String userType = identity.getType();
Locale locale = new Locale("en", "US");
boolean hasViolation = false;
List violatingRoles = new ArrayList();
List violatingEnts = new ArrayList();

if (userType != null && userType.equalsIgnoreCase("contractor")) {
    logger.debug("Analyzing the contractor :: " + identity.getName() + " for policy violation");

    // Role check: flag every assigned role carrying a Critical or HighRisk classification
    List<Bundle> assignedRoles = identity.getAssignedRoles() == null ? new ArrayList() : identity.getAssignedRoles();
    for (int i = 0; i < assignedRoles.size(); i++) {
        Bundle role = assignedRoles.get(i);
        List classificationNames = role.getClassificationNames();
        if (classificationNames != null
                && (classificationNames.contains("Critical") || classificationNames.contains("HighRisk"))) {
            hasViolation = true;
            violatingRoles.add(role.getName());
        }
    }

    // Entitlement check: resolve each link entitlement to its ManagedAttribute and inspect its classifications
    List<Link> links = identity.getLinks() == null ? new ArrayList() : identity.getLinks();
    for (int i = 0; i < links.size(); i++) {
        Link link = links.get(i);
        Application app = link.getApplication();
        // Fetch the entitlement list once instead of calling getEntitlements twice
        List<Entitlement> entitlements = link.getEntitlements(locale, "");
        if (entitlements == null) {
            continue;
        }
        for (int j = 0; j < entitlements.size(); j++) {
            Entitlement ent = entitlements.get(j);
            logger.debug("Checking the entitlement classification for entitlementName :: " + ent.getAttributeName()
                    + " and value :: " + ent.getAttributeValue() + " for policy violation");
            ManagedAttribute ma = ManagedAttributer.get(context, app, ent.getAttributeName(), ent.getAttributeValue());
            if (ma == null) {
                // No ManagedAttribute means no classification data to evaluate
                continue;
            }
            List classificationNames = ma.getClassificationNames();
            logger.debug("classificationNames for entitlement :: " + classificationNames);
            if (classificationNames != null
                    && (classificationNames.contains("Critical") || classificationNames.contains("HighRisk"))) {
                hasViolation = true;
                violatingEnts.add(ma.getName());
            }
        }
    }
}

if (hasViolation) {
    pv = new PolicyViolation();
    pv.setActive(true);
    pv.setIdentity(identity);
    pv.setConstraint(constraint);
    pv.setDescription("Contractor Access to sensitive Roles/Entitlements");
    //pv.setBundleNamesMarkedForRemediation(violatingRoles);
    pv.setStatus(PolicyViolation.Status.Open);

    // Guard against identities without a manager; getManager().getName() would otherwise
    // throw a NullPointerException and abort the whole policy scan for this identity
    Identity manager = identity.getManager();
    if (manager != null) {
        pv.setMitigator(manager.getName());
    }
}

// Returning null means "no violation" for this identity
return pv;

At this point, I'm confused about how to set the violating entitlements and roles for remediation, and also how to set the renderer, as I can't see much info on the documentation side.
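The following is an added example, not the original poster's rule and not SailPoint's own documentation. It shows one way to finish the violation object from the lists the rule above collects: the owner is set with the inherited setOwner (with a fallback to the policy's configured owner when the contractor has no manager, which is also the case that makes the bare getManager().getName() call fail), the violating roles go into setBundleNamesMarkedForRemediation, and the violating entitlements are recorded as PolicyTreeNode entries via setEntitlementsToRemediate. The names setEntitlementsToRemediate, setRelevantApps and the five-argument PolicyTreeNode constructor (application name, attribute name, value, display value, permission flag) are assumptions about the IIQ API and should be checked against the PolicyViolation and PolicyTreeNode classes in your 8.1 installation. The example stores the violating ManagedAttribute objects rather than only their names, because the tree nodes need the application and attribute name as well as the value.

```java
// Added example (not the original poster's code). Beanshell rule fragment for an
// IdentityIQ Advanced Policy rule; rule arguments assumed: identity, policy, constraint.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.BaseConstraint;
import sailpoint.object.Identity;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Policy;
import sailpoint.object.PolicyTreeNode;
import sailpoint.object.PolicyViolation;

// Assumed API (verify against your installation): setEntitlementsToRemediate(List<PolicyTreeNode>),
// setRelevantApps(List<String>), PolicyTreeNode(String app, String attr, String value, String display, boolean permission).
public PolicyViolation buildViolation(Identity identity, Policy policy, BaseConstraint constraint,
                                      List violatingRoles, List violatingAttrs) {
    PolicyViolation pv = new PolicyViolation();
    pv.setActive(true);
    pv.setIdentity(identity);
    pv.setConstraint(constraint);
    pv.setStatus(PolicyViolation.Status.Open);

    // Owner decides who the violation is routed to. Contractors are the identities most likely
    // to lack a manager, so fall back to the owner configured on the Policy instead of failing.
    Identity manager = identity.getManager();
    Identity owner = (manager != null) ? manager : policy.getOwner();
    if (owner != null) {
        pv.setOwner(owner);
    }

    // Roles to remediate are recorded by name
    pv.setBundleNamesMarkedForRemediation(new ArrayList(violatingRoles));

    // Entitlements to remediate: one PolicyTreeNode per violating ManagedAttribute,
    // plus the list of applications involved so the violation links back to them
    List nodes = new ArrayList();
    List apps = new ArrayList();
    StringBuilder entSummary = new StringBuilder();
    for (int i = 0; i < violatingAttrs.size(); i++) {
        ManagedAttribute ma = (ManagedAttribute) violatingAttrs.get(i);
        String appName = ma.getApplication().getName();
        PolicyTreeNode node = new PolicyTreeNode(appName, ma.getAttribute(), ma.getValue(),
                                                 ma.getDisplayableName(), false);
        nodes.add(node);
        if (!apps.contains(appName)) {
            apps.add(appName);
        }
        if (entSummary.length() > 0) {
            entSummary.append(", ");
        }
        entSummary.append(appName).append(":").append(ma.getAttribute()).append("=").append(ma.getValue());
    }
    pv.setEntitlementsToRemediate(nodes);
    pv.setRelevantApps(apps);

    // The description is what reviewers see when no custom violation renderer is configured,
    // so name the offending roles and entitlements explicitly instead of a generic sentence
    pv.setDescription("Contractor " + identity.getName() + " holds classified access. Roles: "
            + violatingRoles + ". Entitlements: " + entSummary + ".");
    return pv;
}

// Usage inside the rule, after the detection loop has filled violatingRoles and a
// violatingAttrs list of ManagedAttribute objects (constructed in the rule, not shown here):
//   return hasViolation ? buildViolation(identity, policy, constraint, violatingRoles, violatingAttrs) : null;
```

If the policy owner is also unset, the violation still gets created but with no owner, so it is worth checking the Policy configuration (as Remold suggested) or logging that case so unrouted violations do not go unnoticed.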
