Monday, December 27, 2021

DUO Application On-boarding

# Log in to SailPoint.

# Navigate to Applications ---> Application Definition.

# Select the Application Type DUO and provide the required details.

# Navigate to Settings and provide the Duo Connection Credentials and the Duo Integration Credentials.

# Navigate to Schema and configure the Account and Group objects.

# Navigate to Correlation and configure the attribute-based account correlation.
Ex: username --> bprLogin

# Test the connection and preview the accounts.

# Save.

Note:
Difference between the DUO Connection Credentials and the DUO Integration Credentials:
DUO Connection Credentials: used by IIQ to read the accounts.
DUO Integration Credentials: used to integrate with the Duo mobile application.

How to check the Log4j version in SailPoint using a rule?

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1640624033221" id="ff8080817dee757a017dfcd00dc503e0" language="beanshell" name="Log4j 2 version">
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object is associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
    // Implementation-Version from the MANIFEST of the jar that contains PropertiesUtil (log4j-api).
    // Returns null if that jar's manifest carries no Implementation-Version entry.
    String version = org.apache.logging.log4j.util.PropertiesUtil.class.getPackage().getImplementationVersion();
    return version;
  </Source>
</Rule>

Note: PropertiesUtil lives in log4j-api. The JNDI lookup abused by CVE-2021-44228 is in log4j-core (org.apache.logging.log4j.core.lookup.JndiLookup), so also confirm that the log4j-core jar under WEB-INF/lib is at a fixed version; the two jars normally match, but they do not have to.


Classic Ports to know

# 22 = SSH (Secure Shell) - log into a Linux instance

# 21 = FTP (File Transfer Protocol)

# 22 = SFTP (SSH File Transfer Protocol) - upload files over SSH, so it shares port 22 with SSH

# 80 = HTTP - access unsecured websites

# 443 = HTTPS - access secured websites

# 3389 = RDP (Remote Desktop Protocol) - log into a Windows instance


Sunday, December 26, 2021

How to set up the JVM property for Log4j 2 in SailPoint?

# To mitigate the Log4j 2 JNDI lookup vulnerability (CVE-2021-44228), add -Dlog4j2.formatMsgNoLookups=true to the JVM options in both catalina.sh and the iiq script. The property is a stopgap, not a fix: Log4j honours it only in versions 2.10.0 through 2.14.1 and it does not cover every lookup path, so upgrading log4j-core (2.17.1 or later) is still required.

# Navigate to the iiq path

cd /opt/apache/bin

# Update the JAVA options (vi iiq)

JAVA_OPTS="-Xms128m -Xmx256m -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.awt.headless=true -Dlog4j2.formatMsgNoLookups=true"

# Save & exit (:wq!)

# Navigate to the catalina.sh path

cd /opt/apache/webapps/identityiq/WEB-INF/bin

# Update the JAVA options (vi catalina.sh). The rem/set lines below are catalina.bat (Windows) syntax; in catalina.sh the same option is appended to JAVA_OPTS in shell syntax instead.

rem Register custom URL handlers

rem Do this here so custom URL handles (specifically 'war:...') can be used in the security policy

set "JAVA_OPTS=%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dlog4j2.formatMsgNoLookups=true"

# Save & exit (:wq!)

# Restart the server so the new JVM options take effect.

./shutdown.sh

./startup.sh
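As an added example (not code from the original posts), here is a BeanShell rule body that combines and extends the two Log4j checks above: it reads the Implementation-Version of both log4j-api and log4j-core, tests whether the JndiLookup class is still loadable, and reports whether log4j2.formatMsgNoLookups is set in the running JVM. It assumes only the standard rule argument `log` and uses no IIQ-specific classes, so it can be pasted into a rule's <Source> or run through the console.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Implementation-Version from the manifest of the jar that contains className,
// or null when the class is absent or its jar manifest has no version entry.
String versionOf(String className) {
    try {
        Package p = Class.forName(className).getPackage();
        return (p == null) ? null : p.getImplementationVersion();
    } catch (ClassNotFoundException e) {
        return null;
    }
}

// true when the class can be loaded in this JVM (i.e. it is still inside the jar).
boolean isLoadable(String className) {
    try {
        Class.forName(className);
        return true;
    } catch (ClassNotFoundException e) {
        return false;
    }
}

// Numeric compare of dotted versions such as "2.14.1" and "2.17.1".
// A qualifier after '-' (e.g. "2.0-beta9") is ignored; missing parts count as 0.
int compareVersions(String a, String b) {
    String baseA = (a.indexOf('-') >= 0) ? a.substring(0, a.indexOf('-')) : a;
    String baseB = (b.indexOf('-') >= 0) ? b.substring(0, b.indexOf('-')) : b;
    String[] x = baseA.split("\\.");
    String[] y = baseB.split("\\.");
    int n = Math.max(x.length, y.length);
    for (int i = 0; i < n; i++) {
        int xi = (i < x.length) ? Integer.parseInt(x[i]) : 0;
        int yi = (i < y.length) ? Integer.parseInt(y[i]) : 0;
        if (xi != yi) {
            return (xi < yi) ? -1 : 1;
        }
    }
    return 0;
}

// Collects the findings into an ordered map; the last entry is the verdict.
Map assessLog4j() {
    Map result = new LinkedHashMap();
    String api  = versionOf("org.apache.logging.log4j.util.PropertiesUtil");   // log4j-api jar
    String core = versionOf("org.apache.logging.log4j.core.Logger");           // log4j-core jar
    boolean jndiPresent = isLoadable("org.apache.logging.log4j.core.lookup.JndiLookup");
    boolean noLookups   = Boolean.getBoolean("log4j2.formatMsgNoLookups");    // the -D property

    result.put("log4j-api", api);
    result.put("log4j-core", core);
    result.put("jndiLookupClassPresent", Boolean.valueOf(jndiPresent));
    result.put("formatMsgNoLookups", Boolean.valueOf(noLookups));

    String verdict;
    if (core == null) {
        verdict = "log4j-core not found, or its manifest has no Implementation-Version";
    } else if (compareVersions(core, "2.17.1") < 0) {
        // 2.17.1 is the first 2.x release with all four 2021 Log4j CVEs fixed.
        // The Java 7/6 branches 2.12.4 and 2.3.2 are also patched but would be
        // flagged here; compare against those versions if you run them.
        verdict = "UPGRADE: log4j-core " + core + " is below 2.17.1";
        if (noLookups) {
            verdict = verdict + " (formatMsgNoLookups is set: a stopgap honoured by 2.10.0-2.14.1 only)";
        }
        if (!jndiPresent) {
            verdict = verdict + " (JndiLookup class has been removed from the jar)";
        }
    } else {
        verdict = "OK: log4j-core " + core;
    }
    result.put("verdict", verdict);
    return result;
}

Map findings = assessLog4j();
log.info("Log4j check: " + findings);   // 'log' is the standard rule argument
return findings;
```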

How to apply an E-Fix in SailPoint?

# First copy the ZIP file to the identityiq location.

# Check that the ZIP file was copied into identityiq (ls -ltr).

# Extract the ZIP file.

# Update all jars: when unzip asks whether to replace existing files, answer A (Shift+A) to replace all of them.

# Restart the server.

Since unzip overwrites the jars under WEB-INF/lib in place, make sure the ZIP is the one obtained from SailPoint support and take a backup of WEB-INF/lib first so the e-fix can be backed out.

# cp /home/sudo/idenityiq-8.1-8.1p3-IIQCB-4601.zip /opt/apache/webapps/identityiq

# cd /opt/apache/webapps/identityiq

# ls -ltr

# unzip idenityiq-8.1-8.1p3-IIQCB-4601.zip

# A (Shift+A)

# cd /opt/apache/bin

./shutdown.sh

./startup.sh



How to copy a Jar/ZIP file from an S3 bucket to a Linux server (AWS EC2 instance)?

# aws s3 cp s3://<S3 bucket name>/<jar file> /home/<root user or any user>/

# aws s3 cp s3://iamdir-OIM-dev-vendorbinaries-s3/jd-gui-1.6.6.jar /home/sudo/


Monday, September 6, 2021

Adding extended attributes in a Hibernate XML file

Ex:

1. Navigate to the following directory: C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\classes\sailpoint\object.

2. Add the following three lines to the IdentityExtended.hbm.xml file:

<property name="costCenter" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_identity_costCenter_ci"/>

<property name="empId" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_identity_empId_ci"/>

<property name="status" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor" index="spt_identity_status_ci"/>

The matching columns must also exist in the spt_identity table (generate the DDL with iiq extendedSchema and apply it to the database), the attributes must be defined in the Identity ObjectConfig, and the application server must be restarted after the change.


Monday, August 23, 2021

How to find the number of workgroups and identities in IIQ?

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

// Workgroups are Identity objects with workgroup == true, so one count per filter value.
QueryOptions idOptions = new QueryOptions();
idOptions.addFilter(Filter.eq("workgroup", false));
int numberOfIdentities = context.countObjects(Identity.class, idOptions);

QueryOptions wgOptions = new QueryOptions();
wgOptions.addFilter(Filter.eq("workgroup", true));
int numberOfWorkGroups = context.countObjects(Identity.class, wgOptions);

String message = "No of identities : " + numberOfIdentities + " No of workgroups : " + numberOfWorkGroups;
log.debug("message : " + message);

Thursday, August 19, 2021

Custom logger classes in IIQ?

Entries for log4j2.properties (each logger needs a name and a level):

logger.WFLog.name=sailpoint.WorkflowTrace
logger.WFLog.level=trace

logger.RoleLifecycler.name=sailpoint.api.RoleLifecycler
logger.RoleLifecycler.level=trace

logger.Workflower.name=sailpoint.api.Workflower
logger.Workflower.level=trace

Trace-level workflow logging writes workflow variables (provisioning plans included) into the log file, so turn it back off once the debugging is done.



IIQ Console commands

# Start the console: ./iiq console -j

# Display the list of console commands: help (or) ?

# Exit the IIQ console: quit

# Delete all identities except spadmin from the IIQ console: delete identity *

# Export a single object from the IIQ console using the checkout command:
checkout workflow "Provisioning Approval Subprocess" workflow.xml -clean

# Run a task from the IIQ console using the run command: run "Mighty Run Rule Task"

# Export all objects of a class from the IIQ console:
export -clean /usr/binrootsh/Desktop/apps.xml application

# Display the "Test" rule object in XML: get rule TestRule

# List objects by name pattern: list rule Test*

# Export a single object from the IdentityIQ console to a file:
checkout application "Time Tracking" /usr/binrootsh/Desktop/Clarity.xml -clean

# Import an object from a file into IdentityIQ through the console:
import /usr/binrootsh/Desktop/timetracking.xml

# Run a rule from the IdentityIQ console, reading its arguments from a file:
rule MightyPedia-Test /bpr/bprasad/LookupRuleArgs.xml

# Show the IdentityIQ version, patch version and build (the Version line): about
(./iiq console ---> about)

# Iterate through all accounts of an application with the connectorDebug command: connectorDebug LDAP iterate

# Iterate through all groups of an application with the connectorDebug command:
connectorDebug LDAP iterate group


How to validate an Entitlement in the Entitlement Catalog?

import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;

// Returns true when the entitlement (application + value) exists in the
// Entitlement Catalog and its display name matches the expected CN.
boolean entitlementCheck() {
    boolean existingEnt = false;
    String appName = "SAP";
    String entDN = "CN=abc, OU=Pedia, DC=com";
    String cn = "Java";
    String displayName = null;

    Filter managedAttrFilter = Filter.eq("application.name", appName);
    managedAttrFilter = Filter.and(managedAttrFilter, Filter.eq("value", entDN));

    ManagedAttribute managedAttribute = context.getUniqueObject(ManagedAttribute.class, managedAttrFilter);
    if (managedAttribute != null) {
        displayName = managedAttribute.getDisplayName();
        // displayName can be null for entitlements aggregated without one, so compare from cn
        if (cn.equals(displayName)) {
            existingEnt = true;
        }
    }
    return existingEnt;
}

Saturday, May 22, 2021

How to build a Provisioning plan from a Snapshot?

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentitySnapshot;
import sailpoint.object.LinkSnapshot;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

// Returns the account (link) snapshots from the most recent IdentitySnapshot of the identity.
public List getIdSnapshot(String identityName) throws GeneralException {
    log.debug("Enter into the method : getIdSnapshot");
    List linkSnap = new ArrayList();

    QueryOptions qop = new QueryOptions();
    qop.addFilter(Filter.eq("identityName", identityName));
    qop.setOrderBy("created");
    qop.setOrderAscending(false);   // newest snapshot first

    Iterator it = context.search(IdentitySnapshot.class, qop);
    if (it.hasNext()) {
        IdentitySnapshot latest = (IdentitySnapshot) it.next();
        if (latest.getLinks() != null) {
            linkSnap = latest.getLinks();
        }
    }
    log.debug("Exiting from the method : getIdSnapshot");
    return linkSnap;
}

// Builds a plan that re-creates every account that was enabled in the latest snapshot.
public ProvisioningPlan buildPlanFromSnapshot(String identityName) throws GeneralException {
    log.debug("Enter into the method : buildPlanFromSnapshot");
    ProvisioningPlan plan = new ProvisioningPlan();
    Identity identity = context.getObjectByName(Identity.class, identityName);
    if (identity != null) {
        plan.setIdentity(identity);
    }

    List linkSnap = getIdSnapshot(identityName);
    for (LinkSnapshot ls : linkSnap) {
        Attributes attrs = ls.getAttributes();
        Object disabled = (attrs != null) ? attrs.get("IIQDisabled") : null;
        // skip accounts that were disabled at snapshot time
        if (disabled == null || disabled.toString().equals("false")) {
            AccountRequest accountRequest = new AccountRequest();
            accountRequest.setApplication(ls.getApplicationName());
            accountRequest.setInstance(ls.getInstance());
            accountRequest.setNativeIdentity(ls.getNativeIdentity());
            accountRequest.setOperation(AccountRequest.Operation.Create);
            plan.add(accountRequest);
        }
    }
    log.debug("Link plan : " + plan.toXml());
    log.debug("Exiting from the method : buildPlanFromSnapshot");
    return plan;
}

Saturday, May 15, 2021

LCM Provisioning

 Reference: Lifecycle Manager Workflows - Compass (sailpoint.com)

Workflow: LCM Provisioning

# Identity Request Initialize

                Identity Request Violation Review

                Do Provisioning Forms

        Manage Ticket

                Provision with retries

# Provisioning Approval Subprocess       

# Approve and Provision Subprocess

                Provisioning Approval Subprocess

                Manage Ticket

                        Provision with retries

                Identity Request Provision

                        Do Provisioning Forms

                        Provision with retries

                        Check Status of queued items

                Manage Ticket

                        Provision with retries

# Identity Request Notify

# Identity Request Finalize

                Manage Ticket

                        Provision with retries

Saturday, May 1, 2021

How to remove Workgroups for a user?

import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.tools.GeneralException;

public void removeWorkGroupsAssignment(String name) throws GeneralException {
    String methodName = "removeWorkGroupsAssignment";
    log.debug("Entering into the method : " + methodName);

    Identity identityObj = context.getObject(Identity.class, name);
    if (identityObj != null && identityObj.getWorkgroups() != null) {
        // Copy the list first: Identity.remove() changes the live workgroup list, and
        // removing while iterating over it would throw ConcurrentModificationException.
        List idWorkGroups = new ArrayList(identityObj.getWorkgroups());
        for (Identity workGroup : idWorkGroups) {
            identityObj.remove(workGroup);
        }
        // one save and commit after the loop instead of one per workgroup
        context.saveObject(identityObj);
        context.commitTransaction();
    }
    log.debug("Exiting from the method : " + methodName);
}

Saturday, April 24, 2021

Get the Request Objects & Request Object

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Get Request Objects">
  <Description>
    Returns every sailpoint.object.Request in the system.
  </Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
    import java.util.List;
    import sailpoint.object.Request;

    // fetch all the request objects
    String ruleName = "getResourceObjects";
    log.debug("Entering into the rule : " + ruleName);
    List requests = context.getObjects(Request.class);
    log.debug("Exiting from the rule : " + ruleName);
    return requests;
  </Source>
</Rule>

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Get Request Object">
  <Description>
    Returns the name of the first Request whose name contains a given fragment.
  </Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
    import java.util.List;
    import sailpoint.object.Request;

    // fetch a specific request object by name fragment
    String ruleName = "getResourceObject";
    log.debug("Entering into the rule : " + ruleName);
    String name2 = null;

    // getObjects loads every Request into memory; on a busy system prefer
    // context.search with a Filter.like on "name" instead.
    List requests = context.getObjects(Request.class);
    log.debug("Request objects size is : " + requests.size());
    for (Request request2 : requests) {
        String name = request2.getName();
        if (name != null && name.contains("999999")) {
            name2 = name;
            break;
        }
    }
    log.debug("Exiting from the rule : " + ruleName);
    return name2;
  </Source>
</Rule>

Sunday, April 18, 2021

Password Decryption

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Password Decryption">
  <Description>
    Decrypts an IIQ-encrypted value with the server's own key.
  </Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
    // The numeric prefix before ':' identifies the encryption key; decrypt only works on an
    // IIQ instance that holds that key.
    String password = "1:3XlHok3A4TTAIpnoglhLFg==";
    return context.decrypt(password);
  </Source>
</Rule>

The rule returns the clear-text value, so run it only from the console or the debug page and never log or persist the result.

Thursday, April 15, 2021

How to find the percentage (%) burn in client hours?

Total Hours = 850, Burned Hours = 180

Total % left = (Total Hours - Burned Hours) / (Total Hours / 100) = (850 - 180) / 8.5 = 78.82 %

% Burn = 100 - Total % left = 100 - 78.82 = 21.17


Friday, April 9, 2021

Customization Rule

It was originally intended for non-rule-based connectors, to add the Privileged flag to accounts, but it can be used to customize any account attribute as well.

# Build Map equivalent for connectors other than Delimited File and JDBC (which use a Build Map rule).
# It runs during account aggregation, once per incoming ResourceObject.
e.g.:
# Manipulating information in the incoming resource object (in place of a Build Map rule)
# Determining which accounts are privileged or system accounts

e.g. 1

import sailpoint.api.*;
import sailpoint.object.*;

// 'object' is the ResourceObject being aggregated
Object statusValue = object.getAttribute("Status");
String status = (statusValue == null) ? null : statusValue.toString();

// accounts whose Status is present and not "false" are treated as active
if (status != null && !status.equalsIgnoreCase("false")) {
    object.put("IIQDisabled", Boolean.FALSE);
    object.put("Status", "Active");
}
// everything else is treated as inactive
else {
    object.put("IIQDisabled", Boolean.TRUE);
    object.put("Status", "Inactive");
}

return object;

Thursday, March 25, 2021

Move AD account from one OU to another OU

<Source>

  import java.util.*;
  import java.io.IOException;      
  import javax.faces.context.FacesContext;
  import javax.naming.ldap.LdapName;
  import javax.naming.ldap.Rdn;    
  import org.apache.log4j.Logger;

  import sailpoint.api.SailPointContext;
  import sailpoint.api.IdentityService;
  import sailpoint.api.ObjectUtil;
  import sailpoint.api.PersistenceManager;
  import sailpoint.api.Provisioner;

  import sailpoint.connector.ADLDAPConnector;
  import sailpoint.connector.Connector;

  import sailpoint.object.*;
  import sailpoint.object.Application;
  import sailpoint.object.Attributes;
  import sailpoint.object.Custom;
  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.Link;
  import sailpoint.object.ManagedAttribute;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.QueryOptions;  

  import sailpoint.tools.CloseableIterator;
  import sailpoint.tools.GeneralException;
  import sailpoint.tools.Message;
  import sailpoint.tools.Util;
  import sailpoint.workflow.WorkflowContext;

  // Disable AD Account and Move AD account from one OU to another OU
  public ProvisioningPlan buildMoveADAccountsPlan(WorkflowContext wfc)
    throws GeneralException{

    String methodName = "buildMoveADAccountsPlan";
    Logger ruleLog = Logger.getLogger("RuleLog");

    String nativeIdentity = null;
    String newOU = null;  

    System.out.println("Entering into buildMoveADAccountsPlan rule");
    ruleLog.error("Entering into buildMoveADAccountsPlan rule");

    if (ruleLog.isDebugEnabled()) {ruleLog.error("Entering into buildMoveADAccountsPlan rule");}

    Attributes args = wfc.getArguments();  
    System.out.println("Attributes = "+args);
    ruleLog.error("Attributes = "+args);

    String op = Util.getString(args, "op");
    System.out.println("Operation = "+op);
    ruleLog.error("Operation = "+op);

    if ( op == null ){

      throw new GeneralException("Operation (op) must be specified.");
    }

    ProvisioningPlan plan = new ProvisioningPlan();
    SailPointContext context = wfc.getSailPointContext();
    System.out.println("SailPointContext = "+context);
    ruleLog.error("SailPointContext = "+context);

    //  Custom settings = context.getObjectByName(Custom.class, "Custom Settings");      

    String identityName = Util.getString(args, "identityName");
    System.out.println("identityName = "+identityName);
    ruleLog.error("identityName = "+identityName);

    if (ruleLog.isDebugEnabled()) {

      System.out.println("Processing identity " + identityName);
      ruleLog.error("Processing identity " + identityName);
    }

    Identity identity = context.getObjectByName(Identity.class, identityName);      

    if (null != identity) {

      plan.setIdentity(identity);

      // Get a list of AD applications
      List appList = getADApps();
      System.out.println("appList = "+appList);
      ruleLog.error("appList = "+appList);

      IdentityService identityService = new IdentityService(context);

      for (Application app : appList) {

        List links = identityService.getLinks(identity, app);
        System.out.println("List of links are = "+links);
        ruleLog.error("List of links are = "+links);

        // Application application = context.getObjectByName(Application.class, app);

        String appType = app.getType();
        System.out.println("appType is = "+appType);
        ruleLog.error("appType is = "+appType);

        if ("Active Directory - Direct".equals(app.getType())){

          Attributes attributes = app.getAttributes();
          System.out.println("Attributes are : "+attributes);
          ruleLog.error("Attributes are : "+attributes);

          List searchdns = attributes.getList("searchDNs");
          System.out.println("searchdns are : "+searchdns);
          ruleLog.error("searchdns are : "+searchdns);


          /*  List dn = list.get("searchDN");

          System.out.println("dn are : "+dn);
          ruleLog.error("dn are : "+dn);*/

          // searchDNs may be absent on the application; each entry is a Map with a "searchDN" key
          Iterator itr = (searchdns == null) ? Collections.EMPTY_LIST.iterator() : searchdns.iterator();

          while(itr.hasNext()){

            String searchDN = ((Map) itr.next()).get("searchDN").toString();
            System.out.println("Users OU is : "+searchDN);
            ruleLog.error("Users OU is : "+searchDN);

            boolean flag = searchDN.toLowerCase().contains("disabled users");
            //boolean flag = searchDN.toLowerCase().contains("Disabled Users");

            System.out.println("flag... : "+flag);
            ruleLog.error("flag..... : "+flag);

            if(flag){
              System.out.println("Disabled Users OU is... : "+searchDN);
              ruleLog.error("Disabled Users OU is..... : "+searchDN);
            }
          }
        }

        if ((null != links) &amp;&amp; !links.isEmpty()) {

          for (Link link : links) {

            nativeIdentity = link.getNativeIdentity();
            System.out.println("nativeIdentity is : "+nativeIdentity);
            ruleLog.error("nativeIdentity is : "+nativeIdentity);

            // Disable the AD account
            if (ruleLog.isDebugEnabled()){
              ruleLog.error("Disabling account " + link.getNativeIdentity() + " in application " + link.getApplicationName());
            }

            // The disable request is built and added to the plan only for the Disable operation
            if(op.equals("Disable")) {

              AccountRequest disableReq = new AccountRequest();
              disableReq.setApplication(link.getApplicationName());
              disableReq.setInstance(link.getInstance());
              disableReq.setNativeIdentity(nativeIdentity);
              disableReq.setOperation(AccountRequest.Operation.Disable);
              plan.add(disableReq);

              if (nativeIdentity.toLowerCase().contains("dc=mightypedia,dc=com")) {

                //newOU = "ou=Disabled Users,dc=maxcrc,dc=com";

                newOU="ou=Disabled Users,dc=mightypedia,dc=com";

                //newOU = settings.get("Disabled Users");
                //System.out.println("newOU is : "+newOU);

                System.out.println("cn=" +nativeIdentity+","+"Dynamically getting Disable OU is : "+newOU);
                ruleLog.error("cn=" +nativeIdentity+","+"Dynamically getting Disable OU is : "+newOU);

              }
            }
            if(ruleLog.isDebugEnabled()){System.out.println("Moving to : "+newOU);ruleLog.error("Moving to : "+newOU);}

            if(null!=newOU&amp;&amp;!newOU.equalsIgnoreCase(getParentContainerDN(nativeIdentity))){

              AccountRequest acctReq = new AccountRequest();

              acctReq.setApplication(link.getApplicationName());
           //   acctReq.setInstance(link.getInstance());
              acctReq.setNativeIdentity(link.getNativeIdentity());
              acctReq.setOperation(AccountRequest.Operation.Modify);

             // AttributeRequest attReq = new AttributeRequest();

            //  attReq.setName("AC_NewParent");
           //   attReq.setValue(newOU);
           //   attReq.setOp(ProvisioningPlan.Operation.Set);
           //   acctReq.add(attReq);
             acctReq.add(new AttributeRequest ("AC_NewParent", ProvisioningPlan.Operation.Set, newOU));
              plan.setIdentity(identity);
              plan.add(acctReq);

              System.out.println("*************Compiling starts for ProvisioningPlan*******************");

              // The plan is compiled and executed here, per link, and is also returned at the end of
              // the method: the caller must not provision the returned plan a second time.
              Provisioner provisioner = new Provisioner(context);
              ProvisioningProject project = provisioner.compile(plan);
              provisioner.execute(project);

              System.out.println("*****************Compilation has completed for ProvisioningPlan *********");

            }          
          }
        }
      }
    }

    if(ruleLog.isDebugEnabled()){
      System.out.println("Returning plan: "+plan.toXml());ruleLog.error("Returning plan: "+plan.toXml());
    }

    return plan;
  }

  // Get the parent container DN of an LDAP full DN    
  public String getParentContainerDN(String dn) {

    String methodName = "getParentContainerDN";
    System.out.println("Entering into the method : "+methodName);      

    LdapName ln = new LdapName(dn);
    String parentDN = ln.getPrefix(ln.size() - 1).toString();    

    System.out.println("Parent ContainerDN : "+parentDN);        
    System.out.println("Exiting from the method : "+methodName);  

    return parentDN;      
  }

  // Get a list of all the AD applications
  public List getADApps() {

    String methodName = "getADApps";
    Logger ruleLog = Logger.getLogger("rule.RuleLog");

    System.out.println("Entering into the method : " + methodName);
    ruleLog.error("Entering into the method : " + methodName);


    List appList = new ArrayList();

    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("connector", "sailpoint.connector.ADLDAPConnector"));

    Iterator it = context.search(Application.class, qo);

    while (it.hasNext()) {

      Application thisApplication = it.next();

      if (ruleLog.isDebugEnabled()) {
        System.out.println("Found AD application " + thisApplication.getName());
        ruleLog.error("Found AD application " + thisApplication.getName());
      }

      appList.add(thisApplication);
    }
    if (appList.isEmpty()) {
      System.out.println("No AD Directory applications found");
      ruleLog.error("No AD Directory applications found");
    }

    System.out.println("Exiting from the method : " + methodName);
    ruleLog.error("Exiting from the method : " + methodName);

    return appList;
  }
  </Source>

Leaver Event Rule

// IdentityTrigger rule: 'newIdentity' (and 'previousIdentity') are the rule inputs.
// Returns true when the identity's status is "Terminated Employee", false otherwise.
System.out.println("Entering into Leaver Event Rule : ");

Object statusValue = (newIdentity != null) ? newIdentity.getAttribute("status") : null;
String status = (statusValue == null) ? null : statusValue.toString();
System.out.println("status : " + status);

boolean flag = false;
if (status != null && status.equalsIgnoreCase("Terminated Employee")) {
    flag = true;
}

System.out.println("Exiting from the Leaver Event Rule : " + flag);
return flag;

Tuesday, March 23, 2021

How to set up VMware on Windows

Pre-requisites:

1. Download VMware from the following URL:

Download VMware Workstation Player | VMware | IN

Steps

1. Go to the VMware installer's path, right-click the installer and select Run as Administrator.

2. Click Next.

3. Check the box [I accept the terms in the license agreement] and click Next.

4. Click Next.

5. Uncheck both check boxes (user experience settings) and click Next.

6. Uncheck Start Menu Program Folder and click Next.

7. Click Install.

8. Click Finish.

VMware setup is completed.

Monday, March 22, 2021

How to connect to MySQL through cmd

Steps:

1. Go to the MySQL installation directory, down to the bin folder

Ex: C:\Program Files\MySQL\MySQL Server 8.0\bin

2. Open cmd from the above path

(OR)

Click the Windows icon, search for cmd, and open Command Prompt

3. Enter the following command in cmd

cd C:\Program Files\MySQL\MySQL Server 8.0\bin

4. mysql -u root -p (mysql -u reddy -p)

NOTE: root is the default username; if you created a custom user, pass that name instead, as in the second form above.

5. Enter the password: *******

6. show databases;

(this command lists the databases)

Further commands:

  • create database trakk;
  • show databases;
  • use trakk;
  • source D:\IDM\Sailpoint\Sailpoint\Sailpoint Documentation\Sailpoint Lab Exercises\Version 7.0\trakk.sql;


MySQL Installation

Follow the below URLs for installing MySQL:

How to Install MySQL on Windows 10 (Step-By-Step Guide) (smarttechnicalworld.com)

Install MySQL on Windows 10 Step by Step | OnlineTutorialsPoint

How to download and install MySQL on Windows 10? (roseindia.net)

How To Install MySQL in Windows 10 - Step-By-Step Tutorials - MobyGeek.com

How To Install MySQL in Windows 10?(Easy Step By Step Guideline) - FixGuider


Thursday, March 18, 2021

List of SailPoint APIs

# IdentityService: a service layer that deals with identities.

IdentityService(SailPointContext context): constructor.

# WorkflowContext


How to Create a Domain in Windows Server?

Pre-requisites:

# VMware software - download VMware Workstation Pro
# Install VMware
# Install Windows Server

Steps for Active Directory Domain Services:

1. Open the Windows menu and search for Server Manager

2. Click on Server Manager

3. Click on Add Roles and Features.

4. Select the Role-based or feature-based installation option. Click on Next.

5. Select a server from the server pool. Click on Next.

6. Select Active Directory Domain Services.

7. Click on Add Features.

8. Click on Next.

9. Check the "Restart the destination server automatically if required" option. Click on Install.

Steps for Domain Creation:

1. Open the Windows menu and search for Server Manager

2. Click on Server Manager

3. Click the notification symbol (top right corner).

4. Click on Promote this server to a domain controller

5. Select the Add a new forest radio button and enter the domain name

6. Create a new password (the Directory Services Restore Mode password).

7. Click on Next ---> Next ---> Next ---> Install ---> Restart

BuildMap Rule

BuildMap Rule:

It's available for the JDBC and Delimited File connectors.
# It's used for manipulating or changing schema attributes while the records are being read
# It runs during account aggregation

e.g.: Changing or parsing account attributes (i.e., lastLogin) to meet a specific date format

e.g. 1

import java.util.Map;
import org.apache.log4j.Logger;
import sailpoint.object.Schema;
import sailpoint.connector.Connector;
import sailpoint.connector.DelimitedFileConnector;

// Rule inputs: schema, cols (the column names) and record (one row of the file)
Logger LOGGER = Logger.getLogger("BuildMap Rule");
if (schema.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    Map map = DelimitedFileConnector.defaultBuildMap(cols, record);
    LOGGER.debug("\n BuildMap before changing : " + map);

    // Employee rule sets status to "Employee"
    map.put("status", "Employee");
    LOGGER.debug("\n BuildMap after changing : " + map);
    return map;
}
// other object types (e.g. group) keep the default mapping
return DelimitedFileConnector.defaultBuildMap(cols, record);

e.g. 2

import java.util.Map;
import org.apache.log4j.Logger;
import sailpoint.object.Schema;
import sailpoint.connector.Connector;
import sailpoint.connector.DelimitedFileConnector;

// Rule inputs: schema, cols (the column names) and record (one row of the file)
Logger LOGGER = Logger.getLogger("BuildMap Rule");
if (schema.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    Map map = DelimitedFileConnector.defaultBuildMap(cols, record);
    LOGGER.debug("\n BuildMap before changing : " + map);

    // Contractor rule sets status to "Contractor"
    map.put("status", "Contractor");
    LOGGER.debug("\n BuildMap after changing : " + map);
    return map;
}
// other object types (e.g. group) keep the default mapping
return DelimitedFileConnector.defaultBuildMap(cols, record);

Tuesday, March 9, 2021

Move AD account from People OU to Disable OU & vice versa (Enable) in IIQ

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.Custom;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
import sailpoint.workflow.WorkflowContext;

// Rule library method: builds a plan that moves each AD account of the identity to the
// OU configured in the "Custom Settings" Custom object. Only the Disable operation is
// handled in this snippet. getParentContainerDN(dn) returns the parent container of a DN
// and is expected to be defined elsewhere in the rule library (not shown here).
public ProvisioningPlan buildMoveADAccountsPlan(WorkflowContext wfc) throws GeneralException {

    Logger ruleLog = Logger.getLogger("RuleLog");
    if (ruleLog.isDebugEnabled()) ruleLog.debug("Entering into buildMoveADAccountsPlan rule");

    Attributes args = wfc.getArguments();
    String op = Util.getString(args, "op");
    if (op == null) {
        throw new GeneralException("Operation (op) must be specified.");
    }

    Custom settings = context.getObjectByName(Custom.class, "Custom Settings");
    ProvisioningPlan plan = new ProvisioningPlan();

    String identityName = Util.getString(args, "identityName");
    if (ruleLog.isDebugEnabled()) ruleLog.debug("Processing identity " + identityName);
    Identity identity = context.getObjectByName(Identity.class, identityName);

    if (null != identity) {
        plan.setIdentity(identity);

        // Get a list of AD applications
        List appList = getADApps();
        IdentityService identityService = new IdentityService(context);

        for (Application app : appList) {
            List links = identityService.getLinks(identity, app);
            if ((null != links) && !links.isEmpty()) {
                for (Link link : links) {
                    String nativeIdentity = link.getNativeIdentity();
                    String newOU = null;

                    if (op.equals("Disable")) {
                        if (nativeIdentity.toLowerCase().endsWith("dc=mightypedia,dc=com")) {
                            newOU = (String) settings.get("pediaADDisabledUsersOU");
                        }
                    }

                    if (ruleLog.isDebugEnabled()) {
                        ruleLog.debug("Moving to " + newOU);
                    }

                    // Only request a move when a target OU was found and the account is not already in it
                    if (null != newOU && !newOU.equalsIgnoreCase(getParentContainerDN(nativeIdentity))) {
                        AccountRequest acctReq = new AccountRequest();
                        acctReq.setApplication(link.getApplicationName());
                        acctReq.setInstance(link.getInstance());
                        acctReq.setNativeIdentity(link.getNativeIdentity());
                        acctReq.setOperation(AccountRequest.Operation.Modify);

                        // AC_NewParent is the AD connector attribute that moves the object to a new container
                        AttributeRequest attReq = new AttributeRequest();
                        attReq.setName("AC_NewParent");
                        attReq.setValue(newOU);
                        attReq.setOp(ProvisioningPlan.Operation.Set);
                        acctReq.add(attReq);
                        plan.add(acctReq);
                    }
                }
            }
        }
    }

    if (ruleLog.isDebugEnabled()) {
        ruleLog.debug("Returning plan: " + plan.toXml());
    }
    return plan;
}

---------------------------------------------################----------------------------------------------

// Returns every Application that is backed by the Active Directory (ADLDAP) connector
public List getADApps() {

    Logger ruleLog = Logger.getLogger("RuleLog");
    List appList = new ArrayList();

    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("connector", "sailpoint.connector.ADLDAPConnector"));

    Iterator it = context.search(Application.class, qo);
    while (it.hasNext()) {
        Application thisApplication = (Application) it.next();
        if (ruleLog.isDebugEnabled()) ruleLog.debug("Found Active Directory application " + thisApplication.getName());
        appList.add(thisApplication);
    }

    if (appList.isEmpty()) {
        ruleLog.warn("No Active Directory applications found");
    }
    return appList;
}

Sunday, March 7, 2021

How to Enable TimeMachine in IIQ?

Steps : 

1. Login to the debug page

2. Navigate to Configuration Objects and click on System Configuration

Search for syslog_extension, then add this entry:

<entry key="timeMachineEnabled" value="true"/>

3. Open the following URL in the browser :

SailPoint IdentityIQ - Time Machine


Saturday, March 6, 2021

Custom Tasks

High Level Steps of developing Custom Tasks :-

1. Create a TaskDefinition.xml file, then import it into IIQ

Note : Define a task definition with input and return arguments

2. Develop the Java code and place it in the following path :

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\classes\sailpoint

package sailpoint.custom; // matches the custom directory created under the path above

import sailpoint.api.SailPointContext;
import sailpoint.object.*;            // Attributes, TaskResult, TaskSchedule
import sailpoint.task.AbstractTaskExecutor;

public class Demo extends AbstractTaskExecutor {

      public void execute(SailPointContext sailpointContext, TaskSchedule taskSchedule, TaskResult taskResult, Attributes args) throws Exception {
            String output = "output";
            // "application" is the task's input argument, "output" its return argument
            String appName = (String) args.get("application");
            taskResult.setAttribute(output, "This is Prasad Reddy" + appName);
      }

      public boolean terminate() {
            return false;
      }
}

NOTE : Create a custom directory in the above path, then place the java file in that custom directory.

3. Restart the application server (Apache Tomcat Server)
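An added example of the TaskDefinition.xml from step 1, wired to the Demo executor above (this is not the post's own file); the task name, the sailpoint.custom package and the resultAction value are assumptions.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- executor is the fully qualified class placed under WEB-INF/classes (assumed package sailpoint.custom) -->
<TaskDefinition executor="sailpoint.custom.Demo" name="Demo Custom Task"
                resultAction="Rename" type="Generic" subType="task_item_type_generic">
  <Description>Calls the Demo executor with an application name and returns a message.</Description>
  <Signature>
    <Inputs>
      <!-- input argument: the executor reads it with args.get("application") -->
      <Argument name="application" type="Application" required="true">
        <Prompt>Application</Prompt>
      </Argument>
    </Inputs>
    <Returns>
      <!-- return argument: the executor fills it with taskResult.setAttribute("output", ...) -->
      <Argument name="output" type="string">
        <Prompt>Output</Prompt>
      </Argument>
    </Returns>
  </Signature>
</TaskDefinition>
```

Import it with the iiq console (import TaskDefinition.xml) after the Demo class is compiled and Tomcat has been restarted; the return argument then appears in the task result.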

Wednesday, March 3, 2021

Workflow Element Attributes

The Workflow tag identifies the name and type of the workflow.

<Workflow explicitTransitions="true" name="WF-Training Hello World Workflow" type="IdentityUpdate">




Tuesday, March 2, 2021

Workflow Variables

# name: Specifies the name of the variable

# initializer: Used to calculate the default value of the variable

# required: The business process will not launch if an initial value for this variable is not supplied

# editable: Specifies that the variable can be edited during business process execution

# input: When set to true, the workflow handler is told that the workflow does not initialize this variable itself; its value is supplied by whoever launches the workflow

# output: Marks an output variable; its final value is copied into the task result

# trigger : The IdentityTrigger

event : The IdentityChangeEvent.  It can be used to build the provisioning plan but does not need to be persisted with the case, so marked as transient.

identityName : The name of the identity

identityDisplayName : The displayName of the identity being updated

plan : The provisioning plan, which is built by a service method

optimisticProvisioning : Set to true to enable optimistic provisioning.  This will cause changes to the entitlements compiled from role assignments to be applied immediately to the identity cube rather than waiting for the next refresh/reaggregation after the provisioning system completes the request.

foregroundProvisioning : Normally provisioning is done in a step that uses the background option to force the workflow to be suspended and resumed in a background task thread. This prevents the browser session from hanging since provision can sometimes take a long time. For demos and testing it can be better to do this in the foreground so that provisioning will have been performed when control is returned to the user. This prevents having to run the Perform Maintenance task to see the results of the request.

fallbackApprover : A String that specifies the name of the Identity that will be assigned any approvals where the owner of the approver cannot be resolved. For example if the scheme is owner and the application does not specify an owner.

source : String version of sailpoint.object.Source to indicate where the request originated.  Defaults to LCM

trace : Used for debugging this workflow and when set to true trace will be sent to stdout.

project : ProvisioningProject which is just a compiled version of the ProvisioningPlan.

identityRequestId : The sequence id of the Identity request object which is stored in the name field of the identity request.

cart : This variable includes all ApprovalItems that are part of the request process and is updated during the AfterScript of the approval process by assimilating the decisions and comments from the Approvals copy of the ApprovalItem.

workItemPriority : The String version of a WorkItem.Priority. This variable is used to set the priority on all of the workitems generated as part of this workflow and also set on the IdentityRequest object.

# flow : 

notifyAdmins : If this gets set to true we need to notify a workgroup of IdentityIQ admins that the person has left. 

directReports : List of identity names of people who report directly to the leaver.

appOwnerList : List of names of applications for which the leaver is the owner.

appSystemAdminList : List of names of applications for which the leaver is the System Administrator.

workgroupMembershipList : List of workgroups of which the leaver is a member.

appDAList : List of names of applications for which the leaver is a delegated authority.

roleDAList : List of roles for which the leaver is a delegated authority.

entitlementDAList : List of entitlements (including the attribute name, attribute value, and application) for which the leaver is a delegated authority.

appContactPersonList : List of names of applications for which the leaver is the Contact Person.

roleOwnerList : List of names of roles for which the leaver is the owner.

appRemediatorList : List of names of applications for which the leaver is a remediator.
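An added example (not from the original posts) that puts the Workflow tag and the variable attributes listed above together in one importable workflow; identityName, event and trace are the page's own variable names, while the greeting variable, the step names and the step script are illustrative assumptions.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Workflow PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Workflow explicitTransitions="true" name="WF-Training Hello World Workflow" type="IdentityUpdate">

  <!-- input: supplied by the launcher; required: the process will not launch without it -->
  <Variable name="identityName" input="true" required="true">
    <Description>The name of the identity being updated</Description>
  </Variable>

  <!-- transient: used to build the plan but not persisted with the workflow case -->
  <Variable name="event" input="true" transient="true"/>

  <!-- initializer: default value computed at launch; editable: may be changed while running -->
  <Variable name="trace" initializer="false" editable="true"/>

  <!-- output: the final value is copied into the task result -->
  <Variable name="greeting" output="true"/>

  <!-- explicitTransitions="true": every step must name its successor -->
  <Step icon="Start" name="Start">
    <Transition to="Build Greeting"/>
  </Step>

  <!-- resultVariable: the script's return value is stored in the named variable -->
  <Step name="Build Greeting" resultVariable="greeting">
    <Script>
      <Source>
        // workflow variables are visible in step scripts (assumed illustrative step)
        return "Hello " + identityName;
      </Source>
    </Script>
    <Transition to="Stop"/>
  </Step>

  <Step icon="Stop" name="Stop"/>
</Workflow>
```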

Thursday, February 25, 2021

OOTB Tasks Purpose

The task types are:

# Account Aggregation — scan all applications, discover users and entitlements on those applications, and then correlate those users and entitlements with roles.

# Account Group Aggregation — scans applications and aggregates account groups and application object types. These are then used for group certification (either permissions or membership) or for displaying group information in identity certifications.

# Activity Aggregation — scan all applications, discover activity on the applications, and then correlate that activity with identity cubes. This enables you to track and monitor all activity for possible policy violations.

# Alert Aggregation — scan applications and aggregates alerts from a set of Alert Collectors. These are then used to generate alert actions.

# Alert Processor — process the aggregated alerts against the alert definitions and launch the appropriate action.

# Application Builder — create multiple IdentityIQ applications or update the attribute map of an existing IdentityIQ application.

# ArcSight Data Export — export data for HP ArcSight Database Connector to an external database table.

# Data Export — generate a de-normalized data report to export to an external database table.

# Effective Access Indexing — generate an index of any indirect access that was granted through another object. For example a nested group, an unstructured target, or another role.

# Encrypted Data Synchronization Task — re-encrypt data with a user-generated encryption key.

# Entitlement Role Generator — scans the entitlements in the system and automatically generates a simple role and appropriates a profile for each one that it finds.

# FIM Application Creator — automatically discover and create FIM Management Agent Applications.

# IQService Public Key Exchange — change the public keys that are used for IQService communications

# ITIM Application Creator — inspect the IBM Tivoli Identity Manager (ITIM) and retrieve information about the ITIM services (applications). This task auto-generates an application for each service defined in ITIM. 

# IdentityIQ Cloud Gateway Synchronization — synchronize the specified objects to the Cloud Gateway.

# Identity Refresh — scan all applications, including the IdentityIQ application, to ensure that all identity information is up-to-date and accurate. Refresh identity scans are also used to detect and report on policy violations and trigger event certifications.

# Identity Request Maintenance — scan for completed Lifecycle Manager access requests.

# Missing Managed Entitlements Scan — scan the selected application to create entitlement objects for items added after the application was last aggregated.

# Novell Application Creator — inspect the Novell IDM application and retrieve information about all connected applications.

# OIM Application Creator — inspect the OIM application and retrieve information about all connected applications.

# Policy Scan — runs policies against identity cubes and update identity score cards with any policy violations discovered.

# Propagate Role Changes — refreshes identities who have an assigned role whose associated entitlements have changed.

# Refresh Logical Accounts — is used to refresh composite accounts for all identities that could, potentially, have a composite account on the composite applications selected.

# Role Index Refresh — updates all role information and creates the indexes needed to perform role searches. You must run this task before performing any role searching.

# Run Rule — runs the specified rule with name/value pairs.

# Sequential Task Launcher — launches the specified tasks in the order defined. This enables you to launch tasks that must be run sequentially in the proper order without having to schedule each separately based on estimated run times.

# "System Maintenance" — tasks designed to run in the background.

# Target Aggregation — scan selected applications for activity targets. 

Wednesday, February 24, 2021

How To Create a New Workflow (or) How To Use an Existing Workflow to Create a New Business Process

 How To Create a New Workflow ::-

1. Navigate to Setup -> Business Processes.

2. Click New to create a new workflow and then enter a name for your process.

3. Specify a name and description for the workflow. Use a short descriptive name for the workflow and a description that provides an overview of the workflow function.

4. In the Type field:

a. Select from the drop-down list of predefined workflow types. The available types are restricted to the process options related to the workflow.

b. To enter a custom type, manually enter the type name in the box instead of selecting one from the list. See the Workflow Basics chapters for any limitations to custom types.

5. Navigate through each of the process tabs and specify workflow data.

6. Click Save.


How To Use an Existing Workflow to Create a New Business Process ::-

1. Navigate to Setup -> Business Processes.

2. Select an existing workflow from the Edit an Existing Process list.

3. Navigate through each of the process tabs to view or modify the workflow data.

4. Click Save As and enter a unique name for the workflow.

Important Workflow Objects

Provisioning Plan : 

# It contains a list of requested changes to an identity.

# An identity or identityName variable is present in the workflow most of the time.

# A provisioning plan is created for each identity (one provisioning plan <==> identity <==> workflow case).

Enabling Lifecycle Manager

Navigate to the C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin directory

Launch the iiq console by running this command:  iiq console

The console is running when you see a > symbol in the command prompt.

In the IdentityIQ console, run these commands:  

import init.xml

import init-lcm.xml

a. Notice the types of objects being imported into IdentityIQ

b. List two that you are familiar with:

When the import is complete, type quit to exit from the IdentityIQ console.






Setting Top Level Workflows

Starting in version 7.0, the top-level workflows used by LCM are configured on the Gear ===> Lifecycle Manager ===> Business Processes page in the IdentityIQ user interface.

There are four main default LCM workflows which are applied to complete the required provisioning actions, depending on the origin of the provisioning request:

LCM Provisioning

LCM Manage Passwords

LCM Create and Update

LCM Registration

As shown here, the same workflow can be used to drive provisioning in response to different starting events.  

For example, by default, LCM Provisioning handles requests coming from the Request Access LCM option (role and entitlement requests) as well as Manage Accounts requests (new accounts or enable/disable/unlock/delete requests), among others.


# Implementing a custom workflow for any of these functional areas in a specific customer implementation requires creating the workflow (often by cloning and modifying these core workflows) and pointing IdentityIQ to the custom workflow through this user interface page.

# Understanding how the default workflows work is critical to successfully modifying the processes to meet specific customer needs.


Tuesday, February 23, 2021

Configure a Quicklink Population and Applications to Support Account Requests

1. Configure the Manager Quicklink population to allow account only requests.

a. Navigate to ===> Global Settings ===> Quicklink Populations and open the Manager population

b. Click the Quicklinks tab and next to Manage Accounts, click Config…

The default Quicklink Populations used to determine who can make different types of requests are:
# The user themselves (designated as Self Service)
# Manager (make requests for direct reports)
# Help Desk (users with help desk capability who can request items for populations)
# Everyone (control what can be done by all users not fitting into the above categories)
Often, as the result of these requests, we must provision the appropriate accounts and entitlements to the target systems. 

c. Turn on Allow requesting new accounts as shown here and Save the Manage Accounts Options
d. Save the Quicklink Population

2. Configure the applications that allow account only requests.
a. Navigate to ===> Lifecycle Manager
b. Scroll down to the Manage Accounts Options and, in the drop-down selection box labelled Applications that support account only requests, add AD and OUD to the list:
c. Click Save








OOTB Tasks Purpose

Prune Identity Cubes task ::

The purpose of the Prune Identity Cubes task is to delete non-authoritative Identity Cubes that house no accounts. As long as the new identity obtains access (the Identity Cube has correlated accounts) by this date, it won't be pruned; if access is not obtained by this date, it will be pruned. This value can be set in the LCM configuration.

Friday, February 19, 2021

Business Process (or) Workflow

What is Workflow / Business Process? 

# A sequence (or) series of steps (or) operations that are launched to perform work

NOTE: Workflow is similar to Orchestration in OIM

Process Details: Specify Name, Type, and Description of the workflow. 

Process Variables: Specify any variables that apply to the workflow. Variables include any input variables, return values, and working variables for use within the process's steps. 

Process Designer: To graphically represent the process, specify the actions involved in each step, and provide the evaluation conditions for moving from one step to another. 

Process Metrics: Review statistics gathered for the process as it launches. 


The following events can trigger a workflow:

• Role creation or modification

• Account Group creation or modification

• Identity update

• Identity refresh

• Identity correlation

• Deferred role assignment, de-assignment

• Deferred role activation, deactivation

• Any Lifecycle Manager event

• Any Lifecycle Event (marked by changes to an Identity's attributes)

Custom workflows can be defined to do a wide variety of processing tasks. You can use:

• IdentityIQ workflow library methods and rules.

• Custom BeanShell scripts and rules.

Customizing or creating workflows generally involves a combination of XML and Java/BeanShell programming. 


How many ways to implement Business Process?

# 2 ways

# One way is from UI (Business Process)

# Other way is to implement workflow in XML file then we can import that XML file into IIQ


How to delete a workflow in IIQ?

# Login to Debug page

# Search workflow or select from workflow drop-down menu under Object Browser

# Then search with a specific workflow name and select it

# In the top-right corner, open the action drop-down and click Delete.


LCM Workflow Process and Structure::-

# To promote code reuse, the core functions needed across multiple processes have been encapsulated in subprocesses which can be called by each of the main "top-level" workflows. 

# This allows the main workflows to include their needed variances while maximizing uniformity across the processes.  

# The organization of these subprocesses also makes it easy to customize the workflows for individual customer needs by using the desired modules and skipping others.

The overall process flow for the default LCM workflows is this, with each of these process steps being controlled by a separate subprocess workflow:

(This workflow follows the full core process for LCM Workflows, which includes these key steps)

Initialize: Compile the provisioning plan, set up the identity request, perform initial auditing, check policies, do pre-approval data gathering

Approve: Gather approvals from the appropriate parties and filter the provisioning project to remove non-approved items

Provision: Do post-approval data gathering and complete the provisioning actions to update the target systems

Notify: Send emails to interested parties informing them of the final status of the provisioning request

Finalize: Mark the identity request with the final status of the provisioning request, perform final auditing



Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...