Wednesday, August 12, 2020

Certification Rules

 Exclusion Rule    :

# It's used to exclude an Identity's certifiable items (accounts, entitlements, roles, etc.)

# It will run during Certification creation

# This rule is optional

e.g    :

# Exclude consultants or non-company personnel from an organization's certification

e.g    :    1

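import sailpoint.object.Identity;

// Exclusion Rule: runs while the certification is being created and decides
// which of this identity's certifiable items are left out of it.
// Variables used but not declared in this script (rule inputs):
//   identity       - the Identity whose items are being certified
//   items          - this identity's certifiable items (modified in place)
//   itemsToExclude - receives the items that must not be certified
// NOTE(review): the Logger import is not shown in this snippet; the original
// relied on it being available to the rule.
private static final Logger LOGGER = Logger.getLogger("Exclusion Rule");

LOGGER.info("Entering into Exclusion Rule");

// Read the status attribute once. getAttribute returns null when the attribute
// is not populated, so the comparison is written constant-first: the original
// called .equals() on the attribute value and threw a NullPointerException for
// identities without a status, which fails the rule during certification creation.
Object status = identity.getAttribute("status");
boolean isContractor = "Contractor".equals(status);

if (identity.isInactive() || isContractor) {
    // Inactive identities and contractors: move every item to the exclude list.
    // Excluded items get no review in this certification, so the reason is logged.
    LOGGER.debug("Identity is Inactive or Contractor : " + identity.getDisplayName());
    LOGGER.debug("Don't certify ");
    itemsToExclude.addAll(items);
    items.clear();
} else {
    // Active employees: items stay in place and are certified as normal.
    LOGGER.debug("Identity is Active and Employee : " + identity.getDisplayName());
    LOGGER.debug("Do certify");
}

// The rule communicates through itemsToExclude / items; the return value is not used.
return null;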

--------------------------------------------------********************---------------------------------------------

Escalation Rule    :

It's used to escalate work items, usually in conjunction with Certifications or Remediations, to additional parties

# It will run at specified escalation point (configuration)

# This rule is optional, Configured with Certification

# Returns : Name of the Identity Object

e.g    :    Escalate certification to someone's manager after a certain time interval

--------------------------------------------------********************---------------------------------------------

Pre-Delegation Rule    :

# It's used to delegate Certifications to additional parties
# It will run at Certification creation
# This rule is optional, Configured with Certification
# It returns : 
  • Identity object who is the delegate
  • Name of the Identity object who is the delegate
e.g    :
Delegate a manager's certification to the subordinate first, so that they can review their own access first

e.g    : 1

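import sailpoint.object.Identity;

// Pre-Delegation Rule: runs at certification creation and decides whether this
// entity's certification is handed to another identity. The result map is read
// by the caller; an empty map means the certification proceeds as usual.
// Variables used but not declared in this script (rule inputs): context, entity.
// NOTE(review): the Logger, Map and HashMap imports are not shown in this snippet.
private static final Logger LOGGER = Logger.getLogger("Pre-Delegation Rule");
Map results = new HashMap();

LOGGER.info("Entering into Pre-Delegation Rule : ");
// Original had a typo here ("enetity").
LOGGER.debug("Identity being certified = " + entity.getIdentity());

// The entity carries the identity's name; resolve it to the Identity object.
// The original called context.getObjectName(...), which is not the lookup used
// elsewhere in this rule (getObjectByName).
Identity certifiedIdentity = context.getObjectByName(Identity.class, entity.getIdentity());

if (certifiedIdentity == null) {
    // Lookup failed: return the empty map (same outcome as the active-identity
    // branch) instead of failing the rule with a NullPointerException below.
    LOGGER.info("Identity not found for entity : " + entity.getIdentity());
    return results;
}

if (certifiedIdentity.isInactive()) {
    // Inactive identity: delegate to the spadmin user with a review deadline.
    // NOTE(review): if no "spadmin" identity exists the recipient is null; confirm
    // how the caller treats a null recipient.
    LOGGER.debug("Identity is Inactive, so pass delegation off to spadmin user : ");
    results.put("recipient", context.getObjectByName(Identity.class, "spadmin"));
    // Space added after "certify": the original produced "Please certify<name>".
    results.put("description", "Please certify " + entity.getFullName());
    results.put("comments", "Please determine the appropriate access for " + entity.getFullName() + " within the next 5 business days.");
} else {
    // Active identity: no delegation entries, the map stays empty.
    LOGGER.debug("Identity is Active, so proceed with delegation as usual.");
}

// Return from both branches. The original was missing the closing brace of the
// inactive branch and only returned inside the else, so the delegation it built
// for inactive identities was never handed back to the caller.
return results;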

--------------------------------------------------********************---------------------------------------------

Sign-Off Approver Rule    :

# It's used to provide a level of approval in a Certification sign-off

# It will run at Certification completion

# This rule is optional, configured with Certification

e.g    :

Have a Manager Certification signed-off / approved by the manager's boss

--------------------------------------------------********************---------------------------------------------



