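import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.rule.IdnRuleUtil;
import sailpoint.rule.Account;
import sailpoint.object.Filter;
import sailpoint.tools.Util;
import sailpoint.object.Link;
import sailpoint.object.*;
import sailpoint.rule.*;
import java.util.*;
import java.util.List;
import java.util.ArrayList;
import java.util.regex.Pattern;
import java.util.Iterator;
import java.util.Date;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
// NOTE: two different "Operation" types are imported above (ProvisioningPlan.Operation and
// ProvisioningPlan.AccountRequest.Operation). The code below always spells out the qualified
// form so the simple name is never resolved ambiguously.

/**
 * Custom Active Directory Before Provisioning Rule.
 *
 * This rule sets the "reason" and "number" values in Active Directory, taking them from
 * OTestSourceName, when an identity is disabled or enabled.
 * When the LCS is 'terminate' (after the user has been in the delete state for x days the
 * identity is terminated), the user's AD account is moved into the disabled-users OU.
 * The OTest email is set to Company~FirstName.LastName~YYYYMMDD~ANumber@test.XXXX.YYY.
 *
 * Script-provided variables used here: {@code plan} (the ProvisioningPlan being built),
 * {@code idn} (IdnRuleUtil) and {@code log}.
 */
log.info( "Entering Custom Active Directory Before Provisioning Rule." );

// Names fixed by this deployment; change them here rather than inside the loop body.
String OTEST_SOURCE_NAME = "OTest Preview IDP [source]";
String AD_SOURCE_NAME = "XXXX.YYY test AD [source]";
String DISABLED_USERS_OU = "OU=DisabledUsers,OU=OTest,DC=test,DC=XXXX,DC=YYY";
String EMAIL_DOMAIN = "@test.XXXX.YYY";
String DEFAULT_COMPANY = "DoIT";
String OTEST_FLAG_ATTRIBUTE = "OTest_disable_delete";

/**
 * Builds the retired-account address Company~localPart~YYYYMMDD~ANumber@test.XXXX.YYY.
 *
 * @param stringWithAtSign current mail value; only the part before the first "@" is kept
 *                         (a value without "@" is used whole; null is treated as empty)
 * @param company          company value used as the prefix; "DoIT" when null
 * @param ANumber          the OTest "number" attribute placed before the domain
 * @return the composed address
 */
public String appendingString( String stringWithAtSign, String company, String ANumber ){
    log.info( "Custom Active Directory Before Provisioning Rule::Appending String." );
    String localPart = (stringWithAtSign != null) ? stringWithAtSign : "";
    int atIndex = localPart.indexOf("@");
    if (atIndex >= 0) {
        localPart = localPart.substring(0, atIndex);
    }
    // Date stamp of the day the address was generated. A fresh SimpleDateFormat per call
    // avoids sharing a non-thread-safe formatter between rule executions.
    String dateStamp = new SimpleDateFormat( "yyyyMMdd" ).format( new Date() );
    return (company != null ? company : DEFAULT_COMPANY) + "~" + localPart + "~" + dateStamp + "~" + ANumber + EMAIL_DOMAIN;
}

/**
 * Copies the OTest "reason" and "number" values onto the AD request as INFO / description.
 *
 * @param accountRequest the AD account request being enriched
 * @param reason         value of the OTest "reason" attribute (may be null)
 * @param number         value of the OTest "number" attribute (may be null)
 */
public void addAdiosAttributes( AccountRequest accountRequest, String reason, String number ){
    accountRequest.add(new AttributeRequest("INFO", ProvisioningPlan.Operation.Set, "Adios:" + reason));
    accountRequest.add(new AttributeRequest("description", ProvisioningPlan.Operation.Set, "Adios:" + number));
}

/**
 * Builds the attribute request that marks the OTest disable/delete flag as complete.
 * A missing flag value yields "Complete" instead of the "null-Complete" string that plain
 * concatenation would write into the source.
 *
 * @param disableDeleteFlag current value of OTest_disable_delete (may be null)
 * @return the Set request for OTest_disable_delete
 */
public AttributeRequest completionAttribute( String disableDeleteFlag ){
    String value = (disableDeleteFlag != null) ? disableDeleteFlag + "-Complete" : "Complete";
    return new AttributeRequest(OTEST_FLAG_ATTRIBUTE, ProvisioningPlan.Operation.Set, value);
}

/**
 * Returns the "CN=..." RDN of a DN-style native identity, or null when it cannot be derived.
 * The separator search is case-insensitive; a DN without a "CN=" prefix or without an
 * ",OU=" component yields null instead of a StringIndexOutOfBoundsException.
 *
 * @param dn the AD native identity (distinguished name), may be null
 * @return "CN=" followed by the relative name, or null
 */
public String relativeDistinguishedName( String dn ){
    if (dn == null) {
        return null;
    }
    String upper = dn.toUpperCase(Locale.ROOT);
    int ouIndex = upper.indexOf(",OU=");
    if (!upper.startsWith("CN=") || ouIndex <= 3) {
        return null;
    }
    return "CN=" + dn.substring(3, ouIndex);
}

/**
 * Adds an OTest account request to the plan unless the plan already carries one for that
 * account. Re-disabling (or re-enabling) an account already in the target state is
 * downgraded to Modify so the attributes are still written without re-issuing the state change.
 *
 * @param plan                the plan being built
 * @param otestNativeIdentity native identity of the OTest account (non-null)
 * @param currentOTestAccount the OTest account as currently known (non-null)
 * @param disable             true to disable the OTest account, false to enable it
 * @param attributes          AttributeRequests to place on the new request
 * @return true when a new request was added to the plan
 */
public boolean addOTestAccountRequest( ProvisioningPlan plan, String otestNativeIdentity, Account currentOTestAccount, boolean disable, List attributes ){
    if (plan.getAccountRequest(OTEST_SOURCE_NAME, otestNativeIdentity) != null) {
        log.info( "Plan already carries an OTest account request for " + otestNativeIdentity + "; not adding another." );
        return false;
    }
    AccountRequest request = new AccountRequest();
    request.setApplication(OTEST_SOURCE_NAME);
    request.setNativeIdentity(otestNativeIdentity);
    boolean alreadyInTargetState = disable ? currentOTestAccount.isDisabled() : currentOTestAccount.isEnabled();
    if (alreadyInTargetState) {
        log.info( disable ? "OTest account was already disabled." : "OTest account was already enabled." );
        request.setOperation( ProvisioningPlan.AccountRequest.Operation.Modify );
    } else {
        request.setOperation( disable ? ProvisioningPlan.AccountRequest.Operation.Disable : ProvisioningPlan.AccountRequest.Operation.Enable );
    }
    for (AttributeRequest attribute : attributes) {
        request.add(attribute);
    }
    plan.add(request);
    return true;
}

if (plan != null && plan.getAccountRequests() != null) {
    Identity identity = plan.getIdentity();
    if (identity == null) {
        log.warn( "Custom Active Directory Before Provisioning Rule:: plan has no identity; nothing to do." );
    } else {
        String idN = identity.getName();
        String currentLCS = (String) identity.getAttribute("cloudLifecycleState");
        // Iterate over a snapshot: the branches below may add an OTest request to the plan, and
        // adding to the live list while iterating it would throw ConcurrentModificationException.
        List accountRequests = new ArrayList(plan.getAccountRequests());
        for (AccountRequest accountRequest : accountRequests) {
            AccountRequest.Operation op = accountRequest.getOperation();
            if (op == null) {
                continue;
            }
            boolean isDisable = ProvisioningPlan.AccountRequest.Operation.Disable.equals(op);
            boolean isEnable = ProvisioningPlan.AccountRequest.Operation.Enable.equals(op);
            if (!isDisable && !isEnable) {
                // Only enable/disable requests carry the OTest values across.
                continue;
            }
            // NOTE(review): requests are not filtered by application; as a before-provisioning
            // rule attached to the AD source the plan presumably holds only AD requests — confirm.
            String nativeIdentity = accountRequest.getNativeIdentity();

            String otestNativeIdentity = idn.getFirstAccountNativeIdentity(OTEST_SOURCE_NAME, idN);
            Account currentOTestAccount = idn.getFirstAccount(OTEST_SOURCE_NAME, idN);
            if (otestNativeIdentity == null || currentOTestAccount == null) {
                // Without an OTest account there is no reason/number to copy; skip this request
                // rather than write "Adios:null" into AD or build a request with no native identity.
                log.warn( "Custom Active Directory Before Provisioning Rule:: no OTest account found for identity " + idN + "; skipping request for " + nativeIdentity );
                continue;
            }
            String reasonNew = idn.getAccountAttribute(OTEST_SOURCE_NAME, otestNativeIdentity, "reason");
            String numberNew = idn.getAccountAttribute(OTEST_SOURCE_NAME, otestNativeIdentity, "number");
            String disableDelete = idn.getAccountAttribute(OTEST_SOURCE_NAME, otestNativeIdentity, OTEST_FLAG_ATTRIBUTE);

            String currentActiveDirectoryAccount = idn.getFirstAccountNativeIdentity(AD_SOURCE_NAME, idN);
            String mail = null;
            String appendingCompany = null;
            if (currentActiveDirectoryAccount != null) {
                mail = idn.getAccountAttribute(AD_SOURCE_NAME, currentActiveDirectoryAccount, "mail");
                appendingCompany = idn.getAccountAttribute(AD_SOURCE_NAME, currentActiveDirectoryAccount, "company");
            }

            List otestAttributes = new ArrayList();

            if (isDisable) {
                log.info( "Custom Active Directory Before Provisioning Rule:: Inside Disable Lifecycle State" );
                addAdiosAttributes(accountRequest, reasonNew, numberNew);
                otestAttributes.add(completionAttribute(disableDelete));
                if (addOTestAccountRequest(plan, otestNativeIdentity, currentOTestAccount, true, otestAttributes)) {
                    break;
                }
            } else if ("active".equals(currentLCS)) {
                log.info( "Custom Active Directory Before Provisioning Rule:: Inside enable/Active Lifecycle State" );
                addAdiosAttributes(accountRequest, reasonNew, numberNew);
                otestAttributes.add(completionAttribute(disableDelete));
                if (addOTestAccountRequest(plan, otestNativeIdentity, currentOTestAccount, false, otestAttributes)) {
                    break;
                }
            } else if ("delete".equals(currentLCS)) {
                log.info( "Custom Active Directory Before Provisioning Rule :: Inside Delete Lifecycle State" );
                addAdiosAttributes(accountRequest, reasonNew, numberNew);
                // NOTE(review): an Enable request for an identity in the delete state leaves the AD
                // account disabled and disables the OTest account — presumably the intended
                // lifecycle design; confirm before changing.
                accountRequest.add(new AttributeRequest("Disabled", ProvisioningPlan.Operation.Set, "true"));
                otestAttributes.add(completionAttribute(disableDelete));
                if (addOTestAccountRequest(plan, otestNativeIdentity, currentOTestAccount, true, otestAttributes)) {
                    break;
                }
            } else if ("terminate".equals(currentLCS)) {
                log.info( "Custom Active Directory Before Provisioning Rule:: Inside terminate Lifecycle State." );
                addAdiosAttributes(accountRequest, reasonNew, numberNew);
                accountRequest.add(new AttributeRequest("Disabled", ProvisioningPlan.Operation.Set, "true"));
                // Account not currently in the proper OU. Put them there, keeping the existing RDN.
                String newName = relativeDistinguishedName(nativeIdentity);
                if (newName != null) {
                    accountRequest.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, DISABLED_USERS_OU));
                    accountRequest.add(new AttributeRequest("AC_NewName", ProvisioningPlan.Operation.Set, newName));
                } else {
                    log.warn( "Custom Active Directory Before Provisioning Rule:: cannot derive RDN from native identity " + nativeIdentity + "; account not moved." );
                }
                if (mail == null || numberNew == null) {
                    // The OTest email cannot be composed; leave the OTest account untouched.
                    log.info( "Custom Active Directory Before Provisioning Rule:: mail or number missing; OTest email not updated for " + otestNativeIdentity );
                    continue;
                }
                otestAttributes.add(new AttributeRequest("email", ProvisioningPlan.Operation.Set, appendingString(mail, appendingCompany, numberNew)));
                otestAttributes.add(completionAttribute(disableDelete));
                if (addOTestAccountRequest(plan, otestNativeIdentity, currentOTestAccount, true, otestAttributes)) {
                    break;
                }
            }
        }
    }
}
log.info( "EXITING Custom Active Directory Before Provisioning Rule" );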