Thursday, March 25, 2021

Move AD account from one OU to another OU

<Source>

  import java.util.*;
  import java.io.IOException;      
  import javax.faces.context.FacesContext;
  import javax.naming.ldap.LdapName;
  import javax.naming.ldap.Rdn;    
  import org.apache.log4j.Logger;

  import sailpoint.api.SailPointContext;
  import sailpoint.api.IdentityService;
  import sailpoint.api.ObjectUtil;
  import sailpoint.api.PersistenceManager;
  import sailpoint.api.Provisioner;

  import sailpoint.connector.ADLDAPConnector;
  import sailpoint.connector.Connector;

  import sailpoint.object.*;
  import sailpoint.object.Application;
  import sailpoint.object.Attributes;
  import sailpoint.object.Custom;
  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.Link;
  import sailpoint.object.ManagedAttribute;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.QueryOptions;  

  import sailpoint.tools.CloseableIterator;
  import sailpoint.tools.GeneralException;
  import sailpoint.tools.Message;
  import sailpoint.tools.Util;
  import sailpoint.workflow.WorkflowContext;

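  /**
   * Builds the ProvisioningPlan that moves this identity's Active Directory accounts
   * into the "Disabled Users" OU when the workflow argument "op" is "Disable".
   *
   * For every AD application (see getADApps) and every link the identity holds on
   * it, a Modify AccountRequest with AC_NewParent set to the target OU is added when
   * the account DN ends in "dc=mightypedia,dc=com" and its current parent container
   * (see getParentContainerDN) is not already that OU.  The target OU is still fixed
   * per domain; the "Disabled Users" searchDN configured on direct AD applications is
   * only reported (see findDisabledUsersSearchDN), not used yet.
   *
   * The plan is returned, not executed: the workflow's provisioning step compiles and
   * executes it.  The previous revision compiled and executed the growing plan inside
   * the link loop and then returned it as well, so an account could be provisioned
   * once per remaining link plus once more by the workflow.
   *
   * Other changes from the previous revision: newOU is now scoped to the link (it
   * used to keep its value across links and applications, so an account in another
   * domain could be moved into the mightypedia OU); the domain test uses endsWith
   * instead of contains; the Disable AccountRequest that was built but never added
   * to the plan is dropped; the workflow arguments and Application.getAttributes()
   * are no longer dumped to the log (an AD application's attributes carry the
   * connector's service-account settings); tracing is logged at DEBUG, not ERROR.
   *
   * @param wfc workflow context; reads the "op" (required) and "identityName" arguments
   * @return the plan, empty when the identity does not exist or nothing needs moving
   * @throws GeneralException when "op" is missing or a persistence call fails
   */
  public ProvisioningPlan buildMoveADAccountsPlan(WorkflowContext wfc)
    throws GeneralException {

    Logger ruleLog = Logger.getLogger("RuleLog");
    ruleLog.debug("Entering buildMoveADAccountsPlan");

    Attributes args = wfc.getArguments();
    String op = Util.getString(args, "op");
    if (op == null) {
      throw new GeneralException("Operation (op) must be specified.");
    }

    SailPointContext context = wfc.getSailPointContext();
    ProvisioningPlan plan = new ProvisioningPlan();

    String identityName = Util.getString(args, "identityName");
    ruleLog.debug("Processing identity " + identityName + ", op=" + op);

    Identity identity = context.getObjectByName(Identity.class, identityName);
    if (identity == null) {
      ruleLog.warn("Identity " + identityName + " not found; returning an empty plan");
      return plan;
    }
    plan.setIdentity(identity);

    IdentityService identityService = new IdentityService(context);
    List appList = getADApps();

    Iterator appIt = appList.iterator();
    while (appIt.hasNext()) {
      Application app = (Application) appIt.next();
      ruleLog.debug("AD application " + app.getName() + " type=" + app.getType());

      // Direct AD connectors list their search bases under "searchDNs"; the one
      // containing "Disabled Users" is reported here but not yet used as the target.
      if ("Active Directory - Direct".equals(app.getType())) {
        String disabledUsersDN = findDisabledUsersSearchDN(app);
        ruleLog.debug("Disabled Users searchDN on " + app.getName() + ": " + disabledUsersDN);
      }

      List links = identityService.getLinks(identity, app);
      if (links == null || links.isEmpty()) {
        continue;
      }

      Iterator linkIt = links.iterator();
      while (linkIt.hasNext()) {
        Link link = (Link) linkIt.next();
        String nativeIdentity = link.getNativeIdentity();

        // Scoped to the link: a target OU must never carry over to the next account.
        String newOU = null;
        if ("Disable".equals(op)
            && nativeIdentity != null
            && nativeIdentity.toLowerCase().endsWith("dc=mightypedia,dc=com")) {
          newOU = "ou=Disabled Users,dc=mightypedia,dc=com";
        }

        if (newOU == null) {
          ruleLog.debug("No target OU for " + nativeIdentity + "; nothing to move");
          continue;
        }
        if (newOU.equalsIgnoreCase(getParentContainerDN(nativeIdentity))) {
          ruleLog.debug(nativeIdentity + " is already under " + newOU);
          continue;
        }

        ruleLog.debug("Moving " + nativeIdentity + " to " + newOU);
        AccountRequest moveReq = new AccountRequest();
        moveReq.setApplication(link.getApplicationName());
        moveReq.setInstance(link.getInstance());
        moveReq.setNativeIdentity(nativeIdentity);
        moveReq.setOperation(AccountRequest.Operation.Modify);
        // AC_NewParent carries the new parent container for the AD connector.
        moveReq.add(new AttributeRequest("AC_NewParent", ProvisioningPlan.Operation.Set, newOU));
        plan.add(moveReq);
      }
    }

    if (ruleLog.isDebugEnabled()) {
      ruleLog.debug("Returning plan: " + plan.toXml());
    }
    return plan;
  }

  /**
   * Returns the first "searchDN" value in the application's "searchDNs" list that
   * contains "disabled users" (case-insensitive), or null when the application has
   * no such list, no map-shaped entries, or no matching entry.
   *
   * @param app an "Active Directory - Direct" application
   * @return the matching search DN, or null
   */
  String findDisabledUsersSearchDN(Application app) {
    Attributes attributes = app.getAttributes();
    if (attributes == null) {
      return null;
    }
    List searchDNs = attributes.getList("searchDNs");
    if (searchDNs == null) {
      return null;
    }
    Iterator it = searchDNs.iterator();
    while (it.hasNext()) {
      Object entry = it.next();
      if (!(entry instanceof Map)) {
        continue;
      }
      Object searchDN = ((Map) entry).get("searchDN");
      if (searchDN != null && searchDN.toString().toLowerCase().contains("disabled users")) {
        return searchDN.toString();
      }
    }
    return null;
  }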

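  /**
   * Returns the parent container of an LDAP distinguished name, i.e. the DN with its
   * leftmost (leaf) RDN removed: "cn=a,ou=b,dc=c" becomes "ou=b,dc=c".
   *
   * LdapName indexes RDNs right to left, so the prefix of length size-1 is exactly
   * the DN without its leaf.  A DN with a single RDN (or an empty DN) has no parent
   * and yields ""; the previous revision called getPrefix(-1) for an empty DN.
   *
   * @param dn a full LDAP DN; must be non-null and syntactically valid
   * @return the parent DN, or "" when there is no parent
   * @throws IllegalArgumentException if dn is null or is not a valid LDAP DN
   */
  public String getParentContainerDN(String dn) {
    if (dn == null) {
      throw new IllegalArgumentException("dn must not be null");
    }
    LdapName ldapName;
    try {
      ldapName = new LdapName(dn);
    } catch (javax.naming.InvalidNameException e) {
      // Unchecked so BeanShell and Java callers keep the same signature.
      throw new IllegalArgumentException("Not a valid LDAP DN: " + dn, e);
    }
    int rdnCount = ldapName.size();
    if (rdnCount == 0) {
      return "";
    }
    return ldapName.getPrefix(rdnCount - 1).toString();
  }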

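  /**
   * Returns every Application whose connector class is sailpoint.connector.ADLDAPConnector.
   *
   * Runs the query through the BeanShell rule variable "context" and reads the result
   * iterator to the end.  The logger is "RuleLog", the same name the other methods of
   * this rule use (this method alone used "rule.RuleLog", so its output landed in a
   * different logger).  Per-application tracing is logged at DEBUG and the "none
   * found" case at WARN instead of everything at ERROR.
   *
   * @return list of matching Application objects; empty, never null, when none exist
   */
  public List getADApps() {
    Logger ruleLog = Logger.getLogger("RuleLog");
    ruleLog.debug("Entering getADApps");

    List appList = new ArrayList();
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("connector", "sailpoint.connector.ADLDAPConnector"));

    Iterator it = context.search(Application.class, qo);
    while (it.hasNext()) {
      Application thisApplication = (Application) it.next();
      if (ruleLog.isDebugEnabled()) {
        ruleLog.debug("Found AD application " + thisApplication.getName());
      }
      appList.add(thisApplication);
    }

    if (appList.isEmpty()) {
      ruleLog.warn("No AD Directory applications found");
    }

    ruleLog.debug("Exiting getADApps");
    return appList;
  }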
  </Source>

Leaver Event Rule

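 // Leaver trigger rule.  newIdentity is supplied by IdentityIQ; the rule returns
 // true when the identity's "status" attribute is "Terminated Employee".
 // Fixed from the listing as posted: a null status now returns false explicitly
 // (it used to fall off the end of the rule without returning anything), and the
 // exit trace is reachable (it used to sit after two returning branches).
 System.out.println("Entering into Leaver Event Rule : ");

 Object statusValue = newIdentity.getAttribute("status");
 String status = (statusValue == null) ? null : statusValue.toString();
 System.out.println("status : " + status);

 boolean flag = (status != null) && status.equalsIgnoreCase("Terminated Employee");
 System.out.println("Entering into Leaver Event Rule : " + flag);
 System.out.println("Exiting from the Leaver Event Rule : ");

 return flag;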

Tuesday, March 23, 2021

How to set up VMware Workstation Player on Windows

 Pre-requisites :-

1. Download VMware Workstation Player from the following (official VMware) URL; because the installer is run as Administrator in the steps below, use only the vendor's download and check the installer's digital signature before running it:

Download VMware Workstation Player | VMware | IN

Steps

1. Go to the folder containing the downloaded VMware installer, right-click it and select Run as Administrator.

2. Click on Next

3.  Check the box [I accept the terms in license Agreement] and click on Next

4.  Click on Next

5. Uncheck both the check boxes (User experience settings) and click on Next

6. Uncheck Start Menu Program Folder and click on Next

7. Click on Install

8. Click on Finish 


*************************** VM ware set up is completed ****************************

Monday, March 22, 2021

How to connect to MySQL from the Windows command prompt (cmd)

 Steps: 

1. Go to the MySQL installation directory and down into its bin sub-folder

Ex: C:\Program Files\MySQL\MySQL Server 8.0\bin

2. Open cmd from the above path 

(OR)

Navigate to the Windows icon, search for cmd, and click on Command Prompt

3. Enter the following command in cmd

cd C:\Program Files\MySQL\MySQL Server 8.0\bin

4. mysql -u root -p (mysql -u reddy -p)

NOTE: root is the default administrative account; if you created a custom account, use its name instead, as in the bracketed example. Prefer a dedicated, least-privileged account over root for routine work, and keep -p without a value so the password is prompted for rather than typed on the command line, where it would be visible to other processes and in any command history.

5. Enter the password: *******

6. show databases;

(this command will display the lists of databases)

======================================================================

  • create database trakk;
  • show databases;
  • use trakk;
  • source D:\IDM\Sailpoint\Sailpoint\Sailpoint Documentation\Sailpoint Lab Exercises\Version 7.0\trakk.sql;


MySQL Installation

Follow the URLs below to install MySQL:

How to Install MySQL on Windows 10 (Step-By-Step Guide) (smarttechnicalworld.com)

Install MySQL on Windows 10 Step by Step | OnlineTutorialsPoint

How to download and install MySQL on Windows 10? (roseindia.net)

How To Install MySQL in Windows 10 - Step-By-Step Tutorials - MobyGeek.com

How To Install MySQL in Windows 10?(Easy Step By Step Guideline) - FixGuider


Thursday, March 18, 2021

List of SailPoint APIs

# IdentityService — a service layer that deals with identities.

IdentityService(SailPointContext context) : Constructor.


# WorkflowContext


How to Create a Domain in Windows Server?

Pre-requisites:

# VMware Software - Download VMware Workstation Pro
# Install VMware
# Install Windows Server


Steps for Active Directory Domain Services:-

1. Open the Windows Start menu and search for Server Manager


2. Click on Server Manager

3. Click on Add Roles and Features.

4. Select the Role-based or Feature-based Installation option. Click on Next.

5. Select a server from the server pool option. Click on Next.

6. Select the Active Directory Domain Services.

7. Click on Add Features.

8. Click on Next.

9. Optionally tick "Restart the destination server automatically if required", then click Install.



Steps for Domain Creation :-

1. Open the Windows Start menu and search for Server Manager


2. Click on Server Manager


3. Navigate to the notification symbol (it's available on the top right side corner) and click on it.


4. Click on Promote this server to a domain controller

5. Select the "Add a new forest" radio button and enter the root domain name



6. Enter and confirm the Directory Services Restore Mode (DSRM) password. Treat it as a privileged credential: it is used for offline recovery of the domain controller, so store it in a password vault and do not reuse the domain administrator password.

7. Click Next through the remaining pages, then Install; the server restarts when the promotion completes.











BuildMap Rule

 BuildMap Rule    :

It's available for JDBC and Delimited File Connectors
# It is used to manipulate or transform a record's schema attributes as each line of the file (or row of the result set) is read
# It runs during account aggregation, once per record

e.g.: parsing or reformatting an account attribute (such as lastLogin) into a specific date format

e.g    :    1

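import java.util.HashMap;
import org.apache.log4j.Logger;
import sailpoint.object.Schema;
import sailpoint.connector.Connector;
import sailpoint.connector.DelimitedFileConnector;

// BuildMap rule for a delimited-file application.  The connector supplies
// schema, cols and record for each line read during account aggregation.
// Account records get their "status" attribute forced to "Employee".
// Fixed from the listing as posted: straight quotes around the logger name
// and the missing "(" in the second debug call.
Logger LOGGER = Logger.getLogger("BuildMap Rule");

if (schema.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    HashMap map = DelimitedFileConnector.defaultBuildMap(cols, record);
    LOGGER.debug("\n BuildMap before changing : " + map);

    // Employee rule: every account record is stamped with status "Employee".
    map.put("status", "Employee");
    LOGGER.debug("\n BuildMap after changing : " + map);
    return map;
}
// NOTE(review): records of any other object type fall through and return
// nothing (null); confirm that is the intended outcome before aggregating a
// second schema (e.g. group) through this rule.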

e.g    :    2

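import java.util.HashMap;
import org.apache.log4j.Logger;
import sailpoint.object.Schema;
import sailpoint.connector.Connector;
import sailpoint.connector.DelimitedFileConnector;

// BuildMap rule for a delimited-file application.  The connector supplies
// schema, cols and record for each line read during account aggregation.
// Account records get their "status" attribute forced to "Contractor".
// Fixed from the listing as posted: straight quotes around the logger name
// and the missing "(" in the second debug call.
Logger LOGGER = Logger.getLogger("BuildMap Rule");

if (schema.getObjectType().compareTo(Connector.TYPE_ACCOUNT) == 0) {
    HashMap map = DelimitedFileConnector.defaultBuildMap(cols, record);
    LOGGER.debug("\n BuildMap before changing : " + map);

    // Contractor rule: every account record is stamped with status "Contractor".
    map.put("status", "Contractor");
    LOGGER.debug("\n BuildMap after changing : " + map);
    return map;
}
// NOTE(review): records of any other object type fall through and return
// nothing (null); confirm that is the intended outcome before aggregating a
// second schema (e.g. group) through this rule.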

Tuesday, March 9, 2021

Move AD account from People OU to Disabled OU & vice versa (Enable) in IIQ — note that the listing below implements only the Disable direction; nothing moves an account back on Enable.

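/**
 * Builds the ProvisioningPlan that moves this identity's Active Directory
 * accounts into the configured disabled-users OU when the workflow argument
 * "op" is "Disable".  Only the Disable direction is implemented here.
 *
 * The target OU is read from the Custom object "Custom Settings", key
 * "pediaADDisabledUsersOU", and applies to accounts whose DN ends in
 * "dc=mightypedia,dc=com".  One Modify AccountRequest with AC_NewParent is
 * added per link that is not already under that OU.  The plan is returned for
 * the workflow's provisioning step; nothing is executed here.
 *
 * Relies on the BeanShell rule variable "context" and on the rule methods
 * getADApps() and getParentContainerDN().
 *
 * Fixed from the listing as posted: two stray closing braces after the
 * "Disable" test (which closed the link loop and the links guard too early)
 * are removed, and a missing "Custom Settings" object now raises a
 * GeneralException instead of a NullPointerException.
 *
 * @param wfc workflow context; reads the "op" (required) and "identityName" arguments
 * @return the plan, empty when the identity does not exist or nothing needs moving
 * @throws GeneralException when "op" is missing, "Custom Settings" is absent,
 *         or a persistence call fails
 */
public ProvisioningPlan buildMoveADAccountsPlan(WorkflowContext wfc)
    throws GeneralException {

    Logger ruleLog = Logger.getLogger("RuleLog");
    if (ruleLog.isDebugEnabled()) ruleLog.debug("Entering into buildMoveADAccountsPlan rule");

    Attributes args = wfc.getArguments();
    String op = Util.getString(args, "op");
    if (op == null) {
        throw new GeneralException("Operation (op) must be specified.");
    }

    Custom settings = context.getObjectByName(Custom.class, "Custom Settings");
    if (settings == null) {
        throw new GeneralException("Custom object 'Custom Settings' not found.");
    }

    ProvisioningPlan plan = new ProvisioningPlan();
    String identityName = Util.getString(args, "identityName");
    if (ruleLog.isDebugEnabled()) ruleLog.debug("Processing identity " + identityName);

    Identity identity = context.getObjectByName(Identity.class, identityName);
    if (identity == null) {
        ruleLog.warn("Identity " + identityName + " not found; returning an empty plan");
        return plan;
    }
    plan.setIdentity(identity);

    List appList = getADApps();
    IdentityService identityService = new IdentityService(context);

    Iterator appIt = appList.iterator();
    while (appIt.hasNext()) {
        Application app = (Application) appIt.next();
        List links = identityService.getLinks(identity, app);
        if (links == null || links.isEmpty()) {
            continue;
        }

        Iterator linkIt = links.iterator();
        while (linkIt.hasNext()) {
            Link link = (Link) linkIt.next();
            String nativeIdentity = link.getNativeIdentity();

            // Per-link target; stays null unless this is a mightypedia account being disabled.
            String newOU = null;
            if (op.equals("Disable")
                    && nativeIdentity != null
                    && nativeIdentity.toLowerCase().endsWith("dc=mightypedia,dc=com")) {
                newOU = (String) settings.get("pediaADDisabledUsersOU");
            }
            if (ruleLog.isDebugEnabled()) ruleLog.debug("Moving to " + newOU);

            if (newOU != null && !newOU.equalsIgnoreCase(getParentContainerDN(nativeIdentity))) {
                AccountRequest acctReq = new AccountRequest();
                acctReq.setApplication(link.getApplicationName());
                acctReq.setInstance(link.getInstance());
                acctReq.setNativeIdentity(nativeIdentity);
                acctReq.setOperation(AccountRequest.Operation.Modify);

                // AC_NewParent carries the new parent container for the AD connector.
                AttributeRequest attReq = new AttributeRequest();
                attReq.setName("AC_NewParent");
                attReq.setValue(newOU);
                attReq.setOp(ProvisioningPlan.Operation.Set);
                acctReq.add(attReq);
                plan.add(acctReq);
            }
        }
    }

    if (ruleLog.isDebugEnabled()) {
        ruleLog.debug("Returning plan: " + plan.toXml());
    }
    return plan;
}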

---------------------------------------------################----------------------------------------------

 /**
  * Collects every Application configured with the ADLDAPConnector connector class.
  * Runs the search through the rule's "context" variable and reads the iterator to
  * the end.  Returns an empty list (never null) when no AD application exists.
  */
 public List getADApps() {
     Logger ruleLog = Logger.getLogger("RuleLog");
     List adApplications = new ArrayList();

     QueryOptions options = new QueryOptions();
     options.addFilter(Filter.eq("connector", "sailpoint.connector.ADLDAPConnector"));

     for (Iterator it = context.search(Application.class, options); it.hasNext(); ) {
         Application candidate = (Application) it.next();
         if (ruleLog.isDebugEnabled()) {
             ruleLog.debug("Found Active Directory application " + candidate.getName());
         }
         adApplications.add(candidate);
     }

     if (adApplications.isEmpty()) {
         ruleLog.warn("No Active Directory applications found");
     }
     return adApplications;
 }

Sunday, March 7, 2021

How to Enable TimeMachine in IIQ?

 Steps : 

1. Log in to the debug page

2. Navigate to Configuration Objects and click on System Configuration

search for the existing syslog_extension entry and add the following entry next to it (Time Machine is a testing aid for simulating a different current date; keep it disabled in production):

<entry key="timeMachineEnabled" value="true"/>



3. Open the Time Machine page in the browser:

SailPoint IdentityIQ - Time Machine


Saturday, March 6, 2021

Custom Tasks

High Level Steps of developing Custom Tasks :-

1. Create TaskDefinition.xml file then import into IIQ

Note : Define a task definition with input and return arguments

2. Write the Java class, compile it, and place the resulting .class file under the following path (in the sub-directory matching the class's package):

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\classes\sailpoint

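/**
 * Minimal custom TaskExecutor: copies the "application" task argument into the
 * task result under the "output" attribute.
 *
 * Fixed from the listing as posted: the result object is the taskResult
 * parameter (the original wrote to an undeclared variable "result"), and the
 * class body is closed.
 */
public class Demo extends AbstractTaskExecutor {

      /**
       * Runs the task.
       *
       * @param sailpointContext persistence context (unused)
       * @param taskSchedule the schedule that launched the task (unused)
       * @param taskResult result object that receives the "output" attribute
       * @param args task arguments; "application" is read, null-safe
       */
      public void execute(SailPointContext sailpointContext, TaskSchedule taskSchedule,
                          TaskResult taskResult, Attributes args) throws Exception {
            String output = "output";
            String appName = (args == null) ? null : (String) args.get("application");
            taskResult.setAttribute(output, "This is Prasad Reddy" + appName);
      }

      /** Termination requests are not supported; always reports false. */
      public boolean terminate() {
            return false;
      }
}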


NOTE: Create a custom sub-directory under the path above and place the compiled class there; the directory must match the class's package (e.g. sailpoint.custom). A .java source file dropped into WEB-INF/classes is neither compiled nor loaded by Tomcat.

3. Restart the application server (Apache Tomcat)

Wednesday, March 3, 2021

Workflow Element Attributes

 The Workflow tag identifies the name and type of the workflow.

<Workflow explicitTransitions="true" name="WF-Training Hello World Workflow"

type="IdentityUpdate">




Tuesday, March 2, 2021

Workflow Variables

# name: Specifies the name of the variable

# initializer: Used to calculate the default value of the variable

# required: The business process will not launch if an initial value for this variable is not supplied
# editable: Marks a variable that may be edited while the business process is executing

# input: When set to true, the variable is expected to be supplied by whoever launches the workflow rather than being initialized inside it

# output: An output variable and the final value are copied into the task results

# trigger : The IdentityTrigger

event : The IdentityChangeEvent.  It can be used to build the provisioning plan but does not need to be persisted with the case, so marked as transient.

identityName : The name of the identity

identityDisplayName : The displayName of the identity being updated

plan : The provisioning plan, which is built by a service method

optimisticProvisioning : Set to true to enable optimistic provisioning.  This will cause changes to the entitlements compiled from role assignments to be applied immediately to the identity cube rather than waiting for the next refresh/reaggregation after the provisioning system completes the request.

foregroundProvisioning : Normally provisioning is done in a step that uses the background option to force the workflow to be suspended and resumed in a background task thread. This prevents the browser session from hanging since provision can sometimes take a long time. For demos and testing it can be better to do this in the foreground so that provisioning will have been performed when control is returned to the user. This prevents having to run the Perform Maintenance task to see the results of the request.

fallbackApprover : A String that specifies the name of the Identity that will be assigned any approvals where the owner of the approver cannot be resolved. For example if the scheme is owner and the application does not specify an owner.

source : String version of sailpoint.object.Source to indicate where the request originated.  Defaults to LCM

trace : Used for debugging this workflow and when set to true trace will be sent to stdout.

project : ProvisioningProject which is just a compiled version of the ProvisioningPlan.

identityRequestId : The sequence id of the Identity request object which is stored in the name field of the identity request.

cart : This variable includes all ApprovalItems that are part of the request process and is updated during the AfterScript of the approval process by assimilating the decisions and comments from the Approvals copy of the ApprovalItem.

workItemPriority : The String version of a WorkItem.Priority. This variable is used to set the priority on all of the workitems generated as part of this workflow and also set on the IdentityRequest object.

# flow : 

notifyAdmins : If this gets set to true we need to notify a workgroup of IdentityIQ admins that the person has left. 

directReports : List of identity names of people who report directly to the leaver.

appOwnerList : List of names of applications for which the leaver is the owner.

appSystemAdminList : List of names of applications for which the leaver is the System Administrator.

appSystemAdminList : List of names of applications for which the leaver is the System Administrator

workgroupMembershipList : List of workgroups of which the leaver is a member.

appDAList : List of names of applications for which the leaver is a delegated authority.

roleDAList : List of roles for which the leaver is a delegated authority.

entitlementDAList : List of entitlements (including the attribute name, attribute value, and application) for which the leaver is a delegated authority.

appContactPersonList : List of names of applications for which the leaver is the Contact Person.

roleOwnerList : List of names of roles for which the leaver is the owner.

appRemediatorList : List of names of applications for which the leaver is a remediator.

Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...