I’m using Powershell to generate XMLs out of an Oracle DB to upload classifications and entitlement-classification relations, according to the Classifications Docs PDF, which works pretty well for single-value key-value pairs.
Now I’m struggling though trying to associate more than one classification with a single entitlement, which is no problem using the GUI. The docs give no example though how a usable XML would like like that allows you to associate more than one classification with an entitlement via XML.
I tried all sorts of XML schemas, which all got uploaded without an error but obviously did not get parsed correctly - either only the very last classification is being used or none at all.
Hopefully some good soul can shed some light into this issue.
Making a guess, but it’s most likely an XML file formatting issue. If you’re populating all the custom Classifications that you want to import into a single XML file, the root element should be sailpoint instead of Classification. Here’s a sample XML file with 2 custom Classifications that will correctly import both. Sample Classifications.xml (959 Bytes)
Hi Brian,
thanks for your answer!
But looking at it, I guess that’s not exactly what I’m trying to do - I have already imported all classifications (some hubndred), so far so good.
I want to associate more than one classificvation with a certain entitlement of a connected application.
This works fine as long as I associate only one classification per entitlement, but not for more than one.
The reason I pack all these associations into one custom object, is that this gives me the change to delete all in one go through the debug interface by just deleting the custom object.
Apologies, I likely misread your question. The association between an Entitlement (ManagedAttribute object) and Classifications is referenced in the ManagedAttribute object itself.
The best way to generally handle associating classifications to entitlements is by leveraging a GroupAggregationRefresh rule (a rule run during group aggregation that can modify the ManagedAttribute). In this rule, you’d have code that would load your Custom object and resolve the classifications to set on the entitlement, and manage the classifications that way (putting this logic into a Rule Library method assignClassifications(ManagedAttribute ma) would make this a lot easier to implement across all your connected apps). Using the void setClassifications(java.util.List<ObjectClassification> classifications) method will allow you to ensure that the complete collection of linked Classifications is maintained accurately according to your Custom Object.
In the event you want to strip classifications, that would be accomplished by using something like setClassifications method with an empty List.
Thanks Brian,
I got it working meanwhile.
Not the way I wanted to implement it, i.e. via a custom object (would be easier to delete if needed), but good enough for the time being.
Glad to hear it! Would you mind sharing your solution or marking the post that provided the solution or direction you went so that others that might come later can see how you addressed your issue?
For a single classification per entitlement you can create one custom object and put everyting in it. Here’s an example:
'<?xml version="1.0" encoding="UTF-8"?>
'
The advantage is, that you can go into the debug interface, delete this custom object and all is gone.
In case yoy want multiple classifications per enttlement, you need something like this:
'<?xml version="1.0" encoding="UTF-8"?>
'
Here you have to delete either each and ever classification assigment or you go to the debu page and delete all classifications themself and reload everything with the updated assignments - probably a lot more work …
Btw.: I faild to produce a working XML to delete classification assignments.
Looking at sailpoint.dtd the ReferencedClassification tag either wants an Reference or a null tag:
’ ’
But how to write a null tag?
I tried the following:
’
’
results in error: “org.hibernate.exception.ConstraintViolationException: could not execute statement”
I also tried:
’
’
all the above result in an empty error message … weird …
Any thoughts on that?
pls. disregard my last post and forget it asap
The proposed solution sort of works, bhas some unwanted side effects.
The way to do it properly is to use the “List”-tag, then you can even put everyting nicely into a custom object - see attached listing.
Sorry for the confusion - my bad!
