Monday, August 31, 2020

Custom Target Reconciliation

import Thor.API.Exceptions.tcAPIException;

import Thor.API.Operations.tcProvisioningOperationsIntf;

import Thor.API.Operations.tcUserOperationsIntf;

import com.bea.security.providers.xacml.entitlement.parser.Roles;

import java.io.BufferedReader;

import java.io.FileReader;

import java.io.IOException;

import java.util.ArrayList;

import java.util.Date;

import java.util.HashMap;

import java.util.Hashtable;

import java.util.Map;

import javax.security.auth.login.LoginException;

import oracle.iam.platform.OIMClient;

import oracle.iam.reconciliation.api.BatchAttributes;

import oracle.iam.reconciliation.api.EventAttributes;

import oracle.iam.reconciliation.api.InputData;

import oracle.iam.reconciliation.api.ReconOperationsService;

import oracle.iam.reconciliation.api.ReconciliationResult;

import oracle.iam.scheduler.vo.TaskSupport;


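public class TestRecon extends TaskSupport {

    // JNDI defaults taken from the original listing; the provider URL can be overridden
    // with the PROP_SERVER_URL system property.
    private static final String CTX_FACTORY = "weblogic.jndi.WLInitialContextFactory";
    private static final String DEFAULT_SERVER_URL = "t3://localhost:14000/identity";
    private static final String DEFAULT_USERNAME = "xelsysadm";

    // System property / environment variable names read by connect(). These names are
    // defined by this class (set them in the launcher or task configuration); they are
    // not OIM-defined keys.
    private static final String PROP_SERVER_URL = "oim.server.url";
    private static final String PROP_LOGIN_CONFIG = "oim.login.config";
    private static final String PROP_USERNAME = "oim.username";
    private static final String ENV_PASSWORD = "OIM_PASSWORD";

    // Shared, logged-in client: set by login(), read by initialize().
    static OIMClient client = null;

    private tcUserOperationsIntf userOperation = null;
    private tcProvisioningOperationsIntf provisionOperation = null;
    private ReconOperationsService reconOperation;

    // Rows read from the CSV input by getReconData(), one String[] of fields per line.
    private final ArrayList<String[]> data = new ArrayList<String[]>();

    // Task parameters copied from the map passed to execute().
    private String fileName;
    private String ItResource;
    private String resourceObjName;

    /**
     * Connects to OIM and returns the client.
     *
     * @return the logged-in client, or {@code null} when the connection or login failed
     *         (the failure is reported on stderr instead of being announced as a success)
     */
    public OIMClient oimConnection() {
        OIMClient oimClient = null;
        try {
            oimClient = connect();
            System.out.print("Successfully Connected with OIM ");
        } catch (LoginException e) {
            System.err.println("OIM connection failed: " + e);
        } catch (RuntimeException e) {
            System.err.println("OIM connection failed: " + e);
        }
        return oimClient;
    }

    /**
     * Connects to OIM and stores the client in the static {@link #client} field.
     *
     * @throws LoginException when the password is not configured or OIM rejects the login;
     *         a failed login is no longer swallowed, so a later {@link #initialize()} cannot
     *         run against a dead client
     */
    public static void login() throws LoginException {
        System.out.println("inside oim login....");
        System.out.println("Logging in");
        client = connect();
        System.out.println("Login successful..");
    }

    /**
     * Builds an {@link OIMClient} from the JNDI settings and logs in with the configured
     * credentials.
     *
     * <p>The user name comes from the {@code oim.username} system property (default
     * {@code xelsysadm}); the password must be supplied through the {@code OIM_PASSWORD}
     * environment variable so that no secret is kept in the source. An optional
     * {@code oim.login.config} property names the JAAS login configuration file and is
     * passed on as {@code java.security.auth.login.config}.
     *
     * @return a logged-in client
     * @throws LoginException when the password is not configured or OIM rejects the login
     */
    private static OIMClient connect() throws LoginException {
        String username = System.getProperty(PROP_USERNAME, DEFAULT_USERNAME);
        String password = System.getenv(ENV_PASSWORD);
        if (password == null || password.length() == 0) {
            throw new LoginException("OIM password not configured; set the " + ENV_PASSWORD
                    + " environment variable");
        }
        String loginConfig = System.getProperty(PROP_LOGIN_CONFIG);
        if (loginConfig != null) {
            System.setProperty("java.security.auth.login.config", loginConfig);
        }
        System.setProperty("OIM.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, CTX_FACTORY);
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL,
                System.getProperty(PROP_SERVER_URL, DEFAULT_SERVER_URL));

        OIMClient oimClient = new OIMClient(env);
        oimClient.login(username, password.toCharArray());
        return oimClient;
    }

    public TestRecon() {
    }

    /**
     * Command-line entry point: logs in, then runs the task with the CSV file given as
     * the first argument and the fixed IT resource / resource object names below.
     *
     * @param args {@code args[0]} is the path of the CSV file; a usage line is printed
     *             when it is missing (the original referenced an unset instance field)
     * @throws LoginException when the OIM login fails
     */
    public static void main(String[] args) throws LoginException {
        if (args == null || args.length < 1) {
            System.err.println("usage: TestRecon <csv-file>");
            return;
        }
        String itresourceName = "FlatFileTrusted";
        String resourceObj = "FlatFileTrusted User";

        HashMap<String, String> map = new HashMap<String, String>();
        map.put("File Name", args[0]);
        map.put("ITResource Name", itresourceName);
        map.put("Resource Object Name", resourceObj);

        login();
        new TestRecon().execute(map);
    }

    /**
     * Task entry point: reads the three task parameters from the map, binds the OIM
     * services and fires the reconciliation event.
     *
     * @param hashMap task parameters keyed by "File Name", "ITResource Name" and
     *                "Resource Object Name"
     * @throws IllegalArgumentException when the map or one of the three keys is missing
     */
    public void execute(HashMap hashMap) {
        if (hashMap == null) {
            throw new IllegalArgumentException("Task parameter map must not be null");
        }
        fileName = requiredParam(hashMap, "File Name");
        ItResource = requiredParam(hashMap, "ITResource Name");
        this.resourceObjName = requiredParam(hashMap, "Resource Object Name");
        initialize();
        // getReconData(); -- left disabled as in the original; triggerRecon() sends a fixed record
        triggerRecon();
    }

    /** Returns the string form of a mandatory task parameter, failing loudly when absent. */
    private static String requiredParam(Map<?, ?> params, String key) {
        Object value = params.get(key);
        if (value == null) {
            throw new IllegalArgumentException("Missing task parameter: " + key);
        }
        return value.toString();
    }

    /**
     * Looks up the OIM service interfaces used by this task.
     *
     * @throws IllegalStateException when {@link #login()} has not established a client
     */
    private void initialize() {
        if (client == null) {
            throw new IllegalStateException("Not connected to OIM: call login() first");
        }
        this.userOperation = (tcUserOperationsIntf) client.getService(tcUserOperationsIntf.class);
        this.provisionOperation =
                (tcProvisioningOperationsIntf) client.getService(tcProvisioningOperationsIntf.class);
        this.reconOperation = (ReconOperationsService) client.getService(ReconOperationsService.class);
    }

    /** No attributes are exposed; always returns {@code null} as in the original. */
    public HashMap getAttributes() {
        return null;
    }

    /** No-op; kept for the TaskSupport contract. */
    public void setAttributes() {
    }

    /**
     * Reads the CSV file named by {@link #fileName} into {@link #data}, one
     * comma-split String[] per line. Read errors are reported and leave {@code data}
     * with the rows read so far; the reader is closed exactly once.
     */
    private void getReconData() {
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new FileReader(this.fileName));
            String line;
            while ((line = reader.readLine()) != null) {
                this.data.add(line.split("\\,"));
            }
        } catch (IOException e) {
            System.err.println("Could not read recon file " + this.fileName + ": " + e);
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException e) {
                    System.err.println("Could not close recon file " + this.fileName + ": " + e);
                }
            }
        }
    }

    /**
     * Creates and processes one reconciliation event for {@link #resourceObjName}
     * using the fixed sample record below (the CSV rows in {@link #data} are not used).
     */
    private void triggerRecon() {
        Map<String, Object> reconMap = new HashMap<String, Object>();
        reconMap.put("User Login", "Magnus6142");
        reconMap.put("First Name", "MagnusF");
        reconMap.put("Last Name", "MagnusL");
        reconMap.put("Organization", "Skillopedia");
        // NOTE(review): key has a trailing space as in the original listing; confirm it
        // matches the reconciliation field name.
        reconMap.put("User Type ", "Employee");
        reconMap.put("CPI", "112211");
        reconMap.put("Employee Number", "2855");
        reconMap.put("WorkdayStatus", "Active");
        reconMap.put("status", "Active");
        reconMap.put("Role", "EMP");

        EventAttributes ea = new EventAttributes();
        ea.setEventFinished(true);
        ea.setActionDate(null); // no action date, as in the original

        long eventKey = reconOperation.createReconciliationEvent(this.resourceObjName, reconMap, ea);
        try {
            reconOperation.processReconciliationEvent(eventKey);
        } catch (tcAPIException e) {
            System.err.println("Processing reconciliation event " + eventKey + " failed: " + e);
        } catch (Exception e) {
            System.err.println("Processing reconciliation event " + eventKey + " failed: " + e);
        }
    }
}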

How to fetch users from group?

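/**
 * Returns the logins of the members of the OIM role (group) with the given name.
 *
 * <p>The original assigned each login to the array variable (a type error) and
 * returned {@code null} on failure; this version collects every login and returns
 * an empty array when the role cannot be read.
 *
 * @param groupName value of the role's name attribute
 * @return the member logins, empty when the lookup fails or the role has no members
 */
private String[] getUsersFromGroup(String groupName) {
    List<String> userLogins = new ArrayList<String>();
    try {
        RoleManager roleManager = Platform.getService(RoleManager.class);
        Set<String> retAttrs = new HashSet<String>();
        Role role = roleManager.getDetails(RoleManagerConstants.ROLE_NAME, groupName, retAttrs);
        String roleKey = role.getEntityId();
        // The boolean flag is carried over from the original call; presumably
        // "direct members only" -- confirm against the RoleManager API.
        List<User> members = roleManager.getRoleMembers(roleKey, true);
        for (User user : members) {
            userLogins.add(user.getLogin());
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return userLogins.toArray(new String[userLogins.size()]);
}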

How to read values from lookup?

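/**
 * Reads every entry of an OIM lookup definition into a map of code key to decode value.
 *
 * <p>Fixes from the original: the loop condition compared nothing ({@code i < rowCount}
 * was missing) and the try block was never closed.
 *
 * @param lookupName name of the lookup definition
 * @return code key -> decode value for each row; empty when the lookup cannot be read
 */
private HashMap<String, String> readLookupEntries(String lookupName) {
    HashMap<String, String> lookupEntryMap = new HashMap<String, String>();
    tcLookupOperationsIntf lookupOperationsIntf = Platform.getService(tcLookupOperationsIntf.class);
    try {
        tcResultSet resultSet = lookupOperationsIntf.getLookupValues(lookupName);
        int rowCount = resultSet.getRowCount();
        for (int i = 0; i < rowCount; i++) {
            resultSet.goToRow(i);
            lookupEntryMap.put(
                    resultSet.getStringValue("Lookup Definition.Lookup Code Information.Code Key"),
                    resultSet.getStringValue("Lookup Definition.Lookup Code Information.Decode"));
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        // Release the service handle whether or not the read succeeded.
        lookupOperationsIntf.close();
    }
    return lookupEntryMap;
}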




How to get userLogin by using email?

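/**
 * Looks up the login of the active OIM user with the given e-mail address via the
 * operational data source.
 *
 * <p>Fixes from the original: {@code Public} keyword, the missing parentheses on
 * {@code getOperationalDS()}, three different spellings of the statement variable,
 * {@code userLogin} declared inside the {@code if} and therefore not visible at the
 * return, an unclosed try block, and resources closed in the wrong order. The
 * e-mail value is bound as a parameter, never concatenated into the SQL.
 *
 * @param email e-mail address to search for
 * @return the matching login, or {@code null} when no active user matches or the query fails
 */
public String getUserLoginByEmail(String email) {
    // NOTE(review): column names are taken from the original listing's USR naming
    // (usr_mail, usr_status); confirm the e-mail and login column names against the schema.
    String sql = "select usr_login from usr where usr_mail = ? AND usr_status = 'Active' ";
    String userLogin = null;
    Connection connection = null;
    PreparedStatement pstatement = null;
    ResultSet resultSet = null;
    try {
        connection = Platform.getOperationalDS().getConnection();
        pstatement = connection.prepareStatement(sql);
        pstatement.setString(1, email);
        resultSet = pstatement.executeQuery();
        if (resultSet.next()) {
            userLogin = resultSet.getString("usr_login");
        }
    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        // Close in reverse order of acquisition; each close is independent so one
        // failure does not leak the others.
        if (resultSet != null) {
            try {
                resultSet.close();
            } catch (SQLException ex2) {
                System.out.println("Exception is : " + ex2.getMessage());
            }
        }
        if (pstatement != null) {
            try {
                pstatement.close();
            } catch (SQLException ex2) {
                System.out.println("Exception is : " + ex2.getMessage());
            }
        }
        if (connection != null) {
            try {
                connection.close();
            } catch (SQLException ex2) {
                System.out.println("Exception is : " + ex2.getMessage());
            }
        }
    }
    return userLogin;
}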





Wednesday, August 26, 2020

API's Syntax

Application :

// Loads the Application object identified by the string "PeopleSoft" through the context.
Application hrApp = context.getObject(Application.class, "PeopleSoft");

Identity :

// Loads the Identity whose name is identityName through the context.
Identity identity = context.getObjectByName(Identity.class, identityName);

SailpointContext :

// Obtains the SailPointContext bound to the current thread of execution.
SailPointContext ctx = SailPointFactory.getCurrentContext();

Configuration :

// Loads the Configuration object identified by the string in name.
Configuration config = ctx.getObject(Configuration.class,name);





Wednesday, August 19, 2020

Group Owner Rule (Status and Location)

import sailpoint.object.QueryOptions;

import sailpoint.object.Identity;


// Group owner rule: picks the owner of the group being refreshed.
// Implicit rule inputs used below: `group` (supplies the member filter) and
// `context` (used for the identity search).
QueryOptions qo = new QueryOptions();
qo.addFilter(group.getFilter());
// Every identity matching the group's filter, i.e. the group's members.
Iterator identities = context.search(Identity.class, qo);
// Find the employee with the lowest employee ID.
Identity emp = null;
String empId = null;
Identity owner = null;
String ownerEmpId = null;
while (identities.hasNext()) {
  emp = identities.next();
  empId = emp.getAttribute("empId");
  // NOTE(review): compareTo is a string comparison, so "10" sorts before "9";
  // fine for fixed-width IDs, otherwise confirm the intended ordering.
  if (empId != null && (ownerEmpId == null || empId.compareTo(ownerEmpId) < 0)) {
    owner = emp;
    ownerEmpId = empId;
  }
}
// When all of the employee IDs in the subgroup are null, default to spadmin.
if (owner == null) {
  return "spadmin";
}
// NOTE(review): this path returns the Identity object while the fallback above
// returns a name string -- confirm the rule's caller accepts both forms.
return  owner;

WorkGroup and Capability

WorkGroup    :    It is also a group of identities. These identities have some kind of special user capabilities (system admin, service account, manager, etc.)

# We can select / use workgroup while creating Application Definition (If you have requirement to assign multiple owners for the Application).

How to create WorkGroup    :

# Login to IIQ and navigate to setup

# Click on Groups and click on Workgroups

# Click on Create New Group

# Then provide the following information like Name, Owner, Group Email, Notification Setting, Capabilities and add the members.


# Click on save
# We can check this workgroup in debug page for xml view. (Login to debug page search for workgroup)


Groups and Populations

# Groups and populations are used to provide sets of identities to include in various activities. For example, the refresh task can be limited to a pre-defined set of identities, or a pre-defined set of identities can be certified.

# We will also be using rules to assign ownership to each group. 

# A rule is used to assign owners to groups generated from a group factory.

# Additionally, we want to use Advanced Analytics to define some populations based on specific criteria. Populations are similar to groups, except that they are driven off of multiple search criteria whereas Groups are statically defined based off a single Identity attribute.

Using Group Factories to Generate Groups    :-

# Navigate to Setup    --->    Groups and click on Create New Group and fill in the following fields    :


# Provide the following information


# Group Owner - Assign Manager    :    return group.getName();

# Click on save.
# Run the task    :    Refresh Groups.

Note    :-
These groups themselves are not dynamic. You must run the Refresh Groups task
periodically to update them. Between runs of Refresh Groups, the groups themselves
remain static, but the membership is always based off a dynamic query. 

Generate Populations    :-

Populations can be generated off any of the data that is available via the Advanced Analytics feature
of IdentityIQ.
For our implementation, we want to generate two populations.
  • Active Managers who are not Contractors in Asia-Pacific Region only
  • All users who have Privileged accounts on any application
  • All users who do not have an Active Directory account
1. Navigate to Intelligence --->    Advanced Analytics
2. Under the Identity Search tab, click Clear Search and enter the following search criteria    :
    a. Is Inactive: False
    b. Is Manager: True
    c. Region: Asia-Pacific
    d. Status: Employee
    e. Click Run Search


e. From the Result Options drop down menu, select Save Identities as Population


f. Name: Active Managers - Asia-Pacific
g. Click Save

Create another Population with the following criteria    :

    a. First click Refine Search, then click Clear Search to reset everything 
    b. Privileged Account: True 
    c. Click Run Search 
    d. You should see results showing all users with Privileged accounts 
    e. Save as a Population with the following name: Identities with Privileged Accounts

Create another Population with the following criteria    :

    a. First click Refine Search, then click Clear Search to reset everything 
    b. Click on Advance search    --> Application    is not equal to    Active directory
 
    c. Click Run Search 
    d. You should see results showing all users without Active directory account. 
    e. Save as a Population with the following name: Identities without AD Accounts

# Navigate to Setup    --->    Groups and select the Populations tab

    a. Confirm that you have three populations defined    :

Notes    :-
  • By default, these populations are only visible to the user who created them. You can edit the populations and make them Public.
  • Populations are dynamic queries, so every time you view a population, you are viewing its current members at that point in time.



Friday, August 14, 2020

SailPoint Administrator Console

How to check SailPoint physical installation system details like Hostname, CPU, Memory Percentage, Request Threads, etc.?

# Login to IIQ and Navigate to gear icon

# Click on Administrator console

# Click on environment (It's available at top most left side)


# To check the default services and configuration, click on settings option under Host Action




# The following are default available columns :


How to check Provisioning Transaction in SailPoint ?

# Login to IIQ and Navigate to gear icon

# Click on Administrator console

# Click on Provisioning


How to check Active, Scheduled and Completed Tasks in SailPoint?

# Login to IIQ and Navigate to gear icon

# Click on Administrator console

# Click on Tasks


LCM Provisioning

 # IdentityIQ has some default workflows    :

       Modify the variables of the default workflows to achieve the requirement
  •    manage approval
  •    whom to notify
  •    email templates
LCM Provisioning    :

Key steps of the Workflow
1. Initialize
2. Approve
3. Provision
4. Notify
5. Finalize

Wednesday, August 12, 2020

Policy Rules

 # It's used to define a policy's actions

# Policies can have multiple rules

# Embedded with the Policy object or referenced from the Policy object

# Policy Violations are a result of these Rules

# e.g    :

Segregation of Duties for a given set of entitlements. Rule may state that you can't have Entitlement X with entitlement Y.

Certification Rules

 Exclusion Rule    :

# It's used to exclude an Identity's certifiable items (accounts, entitlements, roles etc.,)

# It will run during Certification creation

# This rule is optional

e.g    :

# Exclude consultants or non-company personnel from an organization's certification

e.g    :    1

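import sailpoint.object.Identity;

// Certification exclusion rule. Implicit rule inputs used below:
//   identity       - the Identity whose certifiable items are being built
//   items          - the identity's certifiable items (modified in place)
//   itemsToExclude - the list that receives the excluded items
// The rule returns nothing; its effect is moving items into itemsToExclude.
private static final Logger LOGGER = Logger.getLogger("Exclusion Rule");

LOGGER.info("Entering into Exclusion Rule");

// Compare with the literal first: an identity without a "status" attribute would
// otherwise raise a NullPointerException and abort the certification generation.
boolean contractor = "Contractor".equals(identity.getAttribute("status"));

// If the identity is inactive or a Contractor, add all of the items to the exclude list
if (identity.isInactive() || contractor) {
    LOGGER.debug("Identity is Inactive or Contractor : " + identity.getDisplayName());
    LOGGER.debug("Don't certify ");
    itemsToExclude.addAll(items);
    items.clear();
} else {
    // Active employee: keep every item, nothing is excluded
    LOGGER.debug("Identity is Active and Employee : " + identity.getDisplayName());
    LOGGER.debug("Do certify");
}

// no need to return anything
return null;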

--------------------------------------------------********************---------------------------------------------

Escalation Rule    :

It's used to escalate work items, usually in conjunction with Certifications or Remediations, to additional parties

# It will run at specified escalation point (configuration)

# This rule is optional, Configured with Certification

# Returns : Name of the Identity Object

e.g    :    Escalate certification to someone's manager after a certain time interval

--------------------------------------------------********************---------------------------------------------

Pre-Delegation Rule    :

# It's used to delegate Certifications to additional parties
# It will run at Certification creation
# This rule is optional, Configured with Certification
# It returns : 
  • Identity object who is the delegate
  • Name of the Identity object who is the delegate
e.g    :
Delegate a manager's certification to the subordinate first, so that they can review own access first

e.g    : 1

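import sailpoint.object.Identity;

// Pre-delegation rule. Implicit rule inputs used below:
//   entity  - the certification entity (getIdentity() gives the identity name,
//             getFullName() the display name)
//   context - the SailPointContext used to load identities
// Returns a map with "recipient", "description" and "comments" when the certified
// identity is inactive (delegation to spadmin); an empty map otherwise.
// Fixes from the original: "enetity" typo, getObjectName -> getObjectByName, the
// unclosed if-branch, the missing space in the description, and the map now being
// returned on both branches (the inactive branch previously returned nothing).
private static final Logger LOGGER = Logger.getLogger("Pre-Delegation Rule");
Map results = new HashMap();

LOGGER.info("Entering into Pre-Delegation Rule : ");
LOGGER.debug("Identity being certified = " + entity.getIdentity());
Identity certifiedIdentity = context.getObjectByName(Identity.class, entity.getIdentity());

// A null guard: an identity name that no longer resolves is treated like an active one.
if (certifiedIdentity != null && certifiedIdentity.isInactive()) {
    LOGGER.debug("Identity is Inactive, so pass delegation off to spadmin user : ");
    results.put("recipient", context.getObjectByName(Identity.class, "spadmin"));
    results.put("description", "Please certify " + entity.getFullName());
    results.put("comments", "Please determine the appropriate access for " + entity.getFullName() + " within the next 5 business days.");
} else {
    LOGGER.debug("Identity is Active, so proceed with delegation as usual.");
}
return results;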

--------------------------------------------------********************---------------------------------------------

Sign-Off Approver Rule    :

# It's used to provide a level of approval in a Certification sign-off

# It will run at Certification completion

# This rule is optional, configured with Certification

e.g    :

Have a Manager Certification signed-off / approved by the manager's boss

--------------------------------------------------********************---------------------------------------------




Tuesday, August 11, 2020

Role Based Access Control (RBAC)

 Role    :

# Role defines a set of tasks that the user can perform

# Role is a collection of entitlements

Default Role Types:-

  • Organizational Role
  • Business Role
  • IT Role
  • Entitlement Role (Deprecated now)
Organizational Role:-
  • An organizational Role is a container to hold the other types of roles
  • Organizes roles in IIQ, easier to navigate different roles
  • No functional importance other than giving a nesting structure to the other types of roles
  • Other roles inherit from it, which makes the organizational role the parent
Business Role:-
  • Automatically assigned.
  • Business  Roles are requested.
  • It represents a job title or functions
  • Business Roles are business-friendly role names i.e., Supervisor, Architect, Manager, Team Lead, Writer, Editor, Clerk, etc.,
  • The business does not need to know the entitlements needed to get a Business Role
  • Identities are associated with a Business Roles using "Assignment Logic" usually attributes or rules like department, job title, etc.,
IT Role:-
  • IT Roles are not business-friendly names but IT department-friendly names
  • It consists of entitlements from one or more applications (Defined groups of entitlements).
  • Detected on identities.
Entitlement Role:-
  • It represents a single entitlement on a single application
  • It is deprecated in the new version of IIQ
  • It is available only for backward compatibility but it's not recommended to create it now
How Roles are Associated to Identities:-

# Assigned Role i.e., Business Role
  • Manually
  • Assignment Rule
# Detected Role i.e., IT Role
  • If all the entitlements of an IT Role are already assigned to an identity
  • On refresh, IIQ will detect the IT Role the identity should have as it has already all the entitlements of that IT Role
# Assignment Rule    
  • Associates identity with Business Role 
  • Assignment logic can be written match list or filter or rule or script or population
# Required Roles    
  • The IT Roles required for this Business Role
# Permitted Roles    
  • The IT Roles which an identity can have but is not necessary to have
  • Must be requested
  • Not automatically provisioned
# Inherited Roles
  • Select a parent role, this is just for view management and has no functional  importance
# Provisioning Policy
  • Role Provision policy takes precedence (with regards to value, rules, and scripts of fields ) over Application provision policy
  • By default, the fields of the Role provision policy form and Application provision policy form are merged to create a combined form for LCM provisioning
  • To use only the Role provisioning policy form, pass "noApplicationTemplates" = true as an argument in the step that calls the compileProvisiongProject method
Configuration of RBAC:-

1. Login to IIQ and navigate to Setup then click on Roles
2. Navigate to New Role then click on Role (Type    ---> Organizational)
        


3. Provide the following details and click on submit (Type    --->    Organizational)
        

4. Navigate to New Role then click on Role (Type    --->     IT)
       

    
# Click on Modify Inheritance and select the TRAKK (Organizational Role) and click on Add then save
# Click on Add under Entitlements and select Application as PRISM and select groups under Add an Entitlement as Manager.


5. Navigate to New Role then click on Role (Type    --->     IT)
 


# Click on Modify Inheritance and select the TRAKK (Organizational Role)and click on Add then save
# Click on Add under Entitlements and select Application as PRISM and select groups under Add an Entitlement as Super.

  

6. Navigate to New Role then click on Role (Type    --->     Business )



# Select the Assignment Rule (Rule or Script or Match list or Filter or Population), Required Roles (IT Roles) and Inherited Roles (Organizational Role).



7. Navigate Setup and Tasks then search for Refresh Identity Cube then check the below options
  • Processes assignment rule defined in the business role
  • Detection defined through an IT Role profile

 
# Click on Save and Execute

Sunday, August 9, 2020

Custom Reports

# IdentityIQ includes a reporting architecture that greatly simplifies the process of developing custom reports by allowing the developer to specify the report requirements in a TaskDefinition XML document. 

# The executor uses IdentityIQ's forms API to generate the UI form for parameters specification and creates the report output based on column configurations specified in the TaskDefinition.

# The TaskDefinition XML specifies the below details :

1. The report's Standard Properties values

2. The report-specific parameters

3. The columns that are available for the report

4. How the data is retrieved for inclusion for the report

5. How the report results are laid out in both the detail and summary sections

Structure of TaskDefinition XML (Report)   :-

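<!-- Skeleton of a LiveReport TaskDefinition: the report sits in the "report" entry of
     the task attributes; DataSource selects the rows, Columns lays them out and
     Signature/Inputs declares the runtime parameters. Tag names corrected from the
     original (Attributes, QueryParameters, Columns). -->
<TaskDefinition>
  <Description/>
  <RequiredRights/>
  <Attributes>
    <Map>
      <entry key="report">
        <value>
          <LiveReport>
            <DataSource>
              <QueryParameters>
                <Parameter/>
              </QueryParameters>
            </DataSource>
            <Columns>
              <ReportColumnConfig>
              </ReportColumnConfig>
            </Columns>
          </LiveReport>
        </value>
      </entry>
    </Map>
  </Attributes>
  <Signature>
    <Inputs>
      <Argument/>
    </Inputs>
  </Signature>
</TaskDefinition>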


Tags Description    :

# <TaskDefinition>

In IdentityIQ, a report is essentially executed as a specialized task. The root element of a report is a <TaskDefinition> element.

e.g    :    <TaskDefinition executor="sailpoint.reporting.LiveReportExecutor" name="Uncorrelated Accounts Report" progressMode="Percentage" resultAction="Rename" subType="Identity and User Reports" template="true" type="LiveReport">

# <DataSource>

The  datasource element specifies the From and Where clauses of the query used to fetch data for the report.

e.g    :    <DataSource type="Java" dataSourceClass="sailpoint.reporting.dataSource.SampleDataSource" defaultSort="name">

#<ReportColumnConfig>

The Select portion (the column list) is specified through the <Columns> element in the report definition - specifically, the <ReportColumnConfig>s listed within the <Columns> element.

e.g    :    <ReportColumnConfig field="applicationName" header="rept_appName" property="application.name" sortable="true">

# <Argument>

The Arguments specify the values that must be passed to the report at runtime to be used as report filters.

e.g    :    <Argument multi="true" name="applications" type="Application"/>

DataSource    :    Retrieving Report Data

There are three available datasource types    :    Filter, Java, HQL

1. Filter DataSource    :

A filter datasource executes a projection query to retrieve the data required by the ReportColumnConfigs specified for the report. It employs the Sailpoint filter Object to specify the query. The object whose data is being queried is specified as the objectType for the DataSource and the DataSource type is specified as "Filter".

e.g    :    <DataSource objectType="sailpoint.object.Link" type="Filter">

2. Java DataSource    :

A Java class dataSource is the next most commonly used report datasource type. The XML to specify it is fairly simple and straightforward; the Java class it calls can be as simple or as complex as is required to produce the desired report contents.

3. HQL DataSource

An HQL dataSource is used in rare circumstances but is available for implementers who need to execute queries that hit Hibernate directly.

e.g    :    <DataSource type="Hql">

<Query> from ManagedAttribute m where group=true</Query>

</DataSource>

Friday, August 7, 2020

IdentityIQ Terminologies

 Internal                                                            User Interface

IdentityRequest                                                    Access Request

Certification                                                         Access Review

Link                                                                      Account                                                    

Workflow                                                             Business Process

CertificationGroup                                               Certification

ManagedAttribute                                                 Entitlement

Bundle                                                                   Role

TaskDefinition                                                      Task

Assigned Roles                                                      Business Roles

Detected Roles                                                       IT Roles

Thursday, August 6, 2020

Custom Tasks

 # Custom Tasks can be a powerful way to extend Sailpoint's functionality to perform certain actions that can't be achieved using default tasks or OOTB configurations.

# Custom tasks speeds up the process if the code is written accurately.

Steps to build custom task    :

1. Create a task definition

2. Create java class to define the method for custom task

3. Deploy the custom task and execute it

1. Create a task definition    

e.g :

Below information is Task Definition :


The task definition with the required parameters (I/P and O/P) needs to be created first; it is required by the custom Java class method that executes in the background.

Login to Debug page, navigate to Object browser    --->    select  Task definition    ---> select appropriate task

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Custom task definition: "executor" names the Java class that runs the task and
     template="true" makes it selectable when creating a new task. -->
<TaskDefinition executor="sailpoint.task.MultiAggregation" name="CustomMultiAggregation" 
progressInterval="5000" progressMode="String" template="true" resultAction="Delete" type="Generic">
  <Description>Task template for application group scanning</Description>
  <Signature>
    <!-- Input argument, meant to be read by the executor from its Attributes under this name -->
    <Inputs>
      <Argument name="application" required="true" type="Application">
        <Prompt>Search Application</Prompt>
      </Argument>
    </Inputs>
    <!-- Return argument: the executor stores its result under this name -->
    <Returns>
      <Argument name="output" type="String">
        <Prompt>Result</Prompt>
      </Argument>
    </Returns>
  </Signature>
</TaskDefinition>

Task Definition Object    -    Explanation    :

# TaskDefinition executor ="sailpoint.custom.MultiAggregation" - this defines the name of the class which will execute the task.

template="true"    -    template="true" is set to get the TaskDefinition listed in “New Task” List

# <Argument name="application" required="true" type="Application"> this defines the I/P parameter of the task. The custom Java code MultiAggregation will read the I/P parameter from the "application" variable. The type="Application" will create a drop-down of applications. Similarly, you can use a text type for a simple text I/P.

# <Prompt>Search Application</Prompt>  this defines the text which will be displayed in UI to the user.

# <Returns> <Argument name = "output" type="String"> this defines the output parameter, in the custom java code all output result will be passed to this output string.

2. Create java class to define the method for custom task

import sailpoint.AbstractTaskResult;
import sailpoint.api.SailPointContext;
import sailpoint.object.Attributes;
import sailpoint.object.TaskResult;
import sailpoint.object.TaskSchedule;
import sailpoint.task.AbstractTaskExecutor;

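/**
 * Custom task executor paired with the CustomMultiAggregation TaskDefinition above.
 *
 * <p>It reads the "application" input argument and writes a one-line message into the
 * "output" return argument. The original read {@code args.get(application)} with an
 * undeclared variable; the argument name is now a string constant matching the
 * {@code <Argument name="application">} element.
 */
public class MultiAggregation extends AbstractTaskExecutor {

    /** Name of the TaskDefinition input argument. */
    private static final String ARG_APPLICATION = "application";
    /** Name of the TaskDefinition return argument. */
    private static final String ARG_OUTPUT = "output";

    /**
     * Runs the task.
     *
     * @param context the SailPoint context (unused here)
     * @param tsch    the schedule the task runs under (unused here)
     * @param result  receives the "output" attribute
     * @param args    task arguments; "application" is read as a String, as in the
     *                original (presumably the application name -- confirm what the
     *                type="Application" argument delivers)
     */
    @Override
    public void execute(SailPointContext context, TaskSchedule tsch, TaskResult result, Attributes args)
            throws Exception {
        String appname = (String) args.get(ARG_APPLICATION);
        result.setAttribute(ARG_OUTPUT, "Custom task executed : " + appname);
    }

    /** Termination is not supported; always reports {@code false}. */
    @Override
    public boolean terminate() {
        return false;
    }
}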

Execute :    


Terminate    : go to Task Results
While task is running we can terminate

NOTE :

AbstractTaskExecutor    -    the class overrides two of its methods, i.e., execute() and terminate()
SailPointContext    -    starting point contains (identities, accounts and applications etc.,)
TaskSchedule    -    we can schedule task in code itself
TaskResult    -    we will set output in Sailpoint
Attributes    -    contain I/P parameters (HashMap in Scheduler (OIM))

3. Deploy the custom task

# To deploy the custom task, the TaskDefinition file needs to be imported into IIQ. This can be done in two ways.

1. Login to IIQ.
    Navigate to Global settings    --->    Import from file    --->    choose xml file    --->    click on import
2. From within IIQ console. use the import command    :    import ReportTask.xml
    IIQ console path    :    C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\idenityiq\WEB-INF\bin\

# After importing the TaskDefinition, the java class file has to be placed in the appropriate location.

# The java class file needs to be placed in the classes.sailpoint.custom directory on the IIQ server.
   Finally the application server needs to be restarted (bounce the server) and the custom task is ready to execute


            


Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...