Sunday, November 6, 2022

Exclusion Rule

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;

// Exclusion rule inputs: "items" is the list of Certifiables for one identity
// and "itemsToExclude" collects the ones removed from the certification.
// The returned String is stored as the description of the excluded items.
String description = "";

Iterator itr = items.iterator();
while (itr.hasNext()) {
    Certifiable certificationObject = (Certifiable) itr.next();
    if (!(certificationObject instanceof EntitlementGroup)) {
        continue;
    }
    EntitlementGroup entitlementGroup = (EntitlementGroup) certificationObject;

    // An EntitlementGroup can carry several attributes; like the original,
    // this rule only inspects the first one.
    List attributeNames = entitlementGroup.getAttributeNames();
    if (attributeNames == null || attributeNames.isEmpty()) {
        continue;
    }
    String entitlementName = (String) attributeNames.get(0);
    Object rawValue = entitlementGroup.getAttributes().get(entitlementName);
    // Multi-valued entitlements come back as a List; String.valueOf gives one
    // string to match against in either case.
    String entitlementValue = (rawValue == null) ? "" : String.valueOf(rawValue);

    // Keep only entitlements whose value mentions one of these products;
    // everything else is removed from the certification.
    boolean keep = entitlementValue.contains("SailPoint")
            || entitlementValue.contains("OIM")
            || entitlementValue.contains("Java");
    if (!keep) {
        itemsToExclude.add(certificationObject);
        itr.remove();
        description = "Entitlement matches the exclusion criteria";
    }
}

return description;

Friday, July 22, 2022

Connector Rules

Pre-Iterate Rule :

Runs before a connector iterates over the data it is about to aggregate.
e.g    :
# Validating a CSV file to verify that it is in good condition / a valid format
# Decrypting or converting a file to another format

e.g:    1

IdentityIQ Pre-Iterate rule that archives a timestamped copy of the CSV file when aggregation starts.

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Map;
import org.apache.log4j.Logger;

// Pre-Iterate rule inputs include "stats", a Map the delimited-file connector
// fills with details about the file being processed.
Logger LOGGER = Logger.getLogger("PreIterateCSV");
LOGGER.debug("Entering PreIterateCSV rule");

String fileName = (String) stats.get("fileName");
String filePath = (String) stats.get("absolutePath");
LOGGER.debug("Filename : " + fileName);

// "Location" is a placeholder; replace it with the archive directory on the IdentityIQ server.
String archiveDir = "Location";

String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(Calendar.getInstance().getTime());
int dot = fileName.lastIndexOf('.');
String baseName = (dot > 0) ? fileName.substring(0, dot) : fileName;

File file = new File(filePath);
File newFile = new File(archiveDir, baseName + "_" + timeStamp + ".csv");

try {
    // Copy, not move: the connector still has to iterate over the original file.
    Files.copy(file.toPath(), newFile.toPath());
    LOGGER.debug("File " + fileName + " is copied to archive folder " + newFile.getAbsolutePath());
} catch (IOException ex) {
    LOGGER.error("Exception in Pre-Iterate Rule: " + ex.getMessage(), ex);
}

--------------------------------------------------********************---------------------------------------------

Map To Resource Object Rule    :

Available for the JDBC and Delimited File connectors
# Used to convert the Map built from a row or record into a ResourceObject
# Runs during account aggregation
# Provides a hook to control the map-to-ResourceObject mapping

--------------------------------------------------********************---------------------------------------------

Post-Iterate Rule  :

# Used to perform housekeeping after a connector has iterated over / pulled in the data
# Runs during account aggregation
# Not required
e.g    :
Deleting, moving, or renaming files on disk for archival storage
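As an added example (mine, not from the original post) of the file housekeeping a Post-Iterate rule exists for: it moves the aggregated file into an archive directory once the connector is done with it. It reads the same "stats" map keys (fileName, absolutePath) the Pre-Iterate example above uses; the archive directory path and the presence of those keys are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.text.SimpleDateFormat;
import java.util.Date;

// Post-Iterate rule body. Inputs available to the rule include "stats" (a Map
// filled by the delimited-file connector) and "log". The archive directory and
// the stats keys used here are assumptions for this example.
String archiveDir = "/opt/identityiq/archive";   // assumed location

String fileName = (String) stats.get("fileName");
String filePath = (String) stats.get("absolutePath");
if (fileName == null || filePath == null) {
    log.warn("Post-Iterate: stats map has no file details, nothing to archive");
    return null;
}

// Keep the original extension and add a timestamp so repeated aggregations
// of a file with the same name never overwrite an earlier archive copy.
String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date());
int dot = fileName.lastIndexOf('.');
String baseName = (dot > 0) ? fileName.substring(0, dot) : fileName;
String extension = (dot > 0) ? fileName.substring(dot) : "";

Path source = new File(filePath).toPath();
Path target = new File(archiveDir, baseName + "_" + timeStamp + extension).toPath();

try {
    Files.createDirectories(target.getParent());
    // ATOMIC_MOVE fails outright (instead of silently copying) when the archive
    // directory is on another filesystem, so a half-moved file is never left behind.
    Files.move(source, target, StandardCopyOption.ATOMIC_MOVE);
    log.info("Post-Iterate: moved " + source + " to " + target);
} catch (IOException ex) {
    log.error("Post-Iterate: could not archive " + source + ": " + ex.getMessage(), ex);
}
return null;
```

Moving rather than copying here is deliberate: once the connector has finished, leaving the source file in the pickup directory means the next aggregation run reprocesses stale data.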

Aggregation Rules

Correlation Rule    :

# Used to assign or "correlate" an application account to a specific Identity Cube
# Runs during account aggregation
# Not required, but recommended when the application's attribute-based correlation is not enough
# Without a rule, IdentityIQ tries to correlate using the application's correlation configuration (account attribute to identity attribute matches)
# Accounts that cannot be correlated are marked as orphan (uncorrelated) accounts

e.g: 1

In this example, the new account's email address is used to locate an existing Identity to hang the new account from. The rule asks IdentityIQ to match the account's email against the email attribute on the Identity object to find an owner for the incoming link.

import java.util.HashMap;
import java.util.Map;

// Correlation rule inputs include "account" (the ResourceObject being aggregated).
// Returning identityAttributeName/identityAttributeValue makes IdentityIQ look up
// the identity whose attribute has that value.
Map returnMap = new HashMap();
String email = account.getStringAttribute("email");
if (email != null) {
    returnMap.put("identityAttributeName", "email");
    returnMap.put("identityAttributeValue", email);
}
return returnMap;

e.g : 2

In this example, the "firstname" and "lastname" attributes from the incoming account are combined into a firstname.lastname identity name, and IdentityIQ looks for an existing Identity with that name.

import java.util.HashMap;
import java.util.Map;

// Returning "identityName" makes IdentityIQ look up the identity by name.
Map returnMap = new HashMap();
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if (firstname != null && lastname != null) {
    String name = firstname + "." + lastname;
    returnMap.put("identityName", name);
}
return returnMap;

--------------------------------------------------********************---------------------------------------------

Creation Rule    :

It's used to set attributes on new Identity Cubes when they are created
# Attach it to an application to customise identities at creation time
# Runs during account aggregation, but only when a cube is created (new identities, or uncorrelated accounts turned into orphan identities); also runs after a non-correlated pass-through authentication
# Not required
# Typical uses: assigning IdentityIQ capabilities, workgroup definitions or an initial password

NOTE :
The examples below modify the identity created during aggregation or after a non-correlated pass-through authentication. In the second one, if the account is a member of the Administrator group, the new Identity is given the ApplicationAdministrator capability.

e.g: 1

import sailpoint.object.Identity;

// Every identity created through this rule gets the same initial password.
// A shared, hard-coded password in a rule is a weak starting point (it is
// visible to anyone who can read the rule and identical for every new user);
// the line is kept only to show the API.
identity.setPassword("Winter$2");

e.g: 2

import java.util.Collections;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Capability;
import sailpoint.object.ResourceObject;

// Creation rule inputs: "identity" (the new Identity), "account" (the
// ResourceObject that caused the creation) and "context".

// change the name to a combination of firstname and lastname
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if (firstname != null && lastname != null) {
    identity.setName(firstname + "." + lastname);
}

// add capabilities based on group membership
Object memberOf = account.getAttribute("memberOf");
List groups = null;
if (memberOf instanceof List) {
    groups = (List) memberOf;
} else if (memberOf != null) {
    // single-valued result: wrap it so the same contains() check applies
    groups = Collections.singletonList(memberOf);
}
if (groups != null && groups.contains("Administrator")) {
    Capability cap = context.getObjectByName(Capability.class, "ApplicationAdministrator");
    if (cap != null) {
        identity.add(cap);
    }
}

Monday, July 18, 2022

How to check whether a user is in a specific group?

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

// Returns true when the identity holds the given entitlement value on the
// given application. It counts matching IdentityEntitlement rows, which is
// cheaper than loading the identity's links and walking their attributes.
public boolean checkUserENT(String userID, String entValue, String appName) throws GeneralException {
    QueryOptions qo = new QueryOptions();
    Filter filter = Filter.and(
            Filter.eq("identity.id", userID),
            Filter.eq("value", entValue),
            Filter.eq("application.name", appName));
    qo.addFilter(filter);

    int countObjects = context.countObjects(IdentityEntitlement.class, qo);
    return countObjects > 0;
}

String appName = "Active Directory";
// The value must match the entitlement exactly as it was aggregated
// (this is a plain string comparison, so spacing in the DN matters).
String entValue = "CN=IdentityIQ,OU=Groups,DC=mightypedia,DC=com";
String user = "Mary.Johnson";

Identity identity = context.getObjectByName(Identity.class, user);
if (identity == null) {
    return false;   // no such identity, so it cannot be in the group
}

boolean checkENT = checkUserENT(identity.getId(), entValue, appName);
return checkENT;

Sunday, July 17, 2022

How to convert a role from one type to another?

// Change the type of a set of roles and make them inherit from a container role.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell"  name="Convert-Role">
  <Source>
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.object.Bundle;
  import sailpoint.object.Filter;
  import sailpoint.object.QueryOptions;
  import sailpoint.tools.Util;
  import sailpoint.api.IncrementalObjectIterator;

  // Parent role the converted roles will inherit from
  String containerName = "Legacy-Birthright-Roles";
  if (context.getObjectByName(Bundle.class, containerName) == null) {
    return "Container role not found: " + containerName;
  }

  // Select the roles to convert: every role of type "IT"
  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.eq("type", "IT"));
  // Narrow to a single role while testing:
  //qo.addFilter(Filter.eq("name", "Contractor_BusinessRole"));

  // IncrementalObjectIterator pages through the result set, so the
  // per-object commit/decache below does not invalidate the query.
  IncrementalObjectIterator iterator = new IncrementalObjectIterator(context, Bundle.class, qo);
  while (iterator != null &amp;&amp; iterator.hasNext()) {
    Bundle bundle = (Bundle) iterator.next();

    // Re-read the container after each decache() so the reference attached
    // to the bundle is a live object from the current session, not a stale one.
    Bundle container = context.getObjectByName(Bundle.class, containerName);
    List listofRoles = new ArrayList();
    listofRoles.add(container);

    // Uncomment to change the role type as well:
    // bundle.setType("birthright");
    bundle.setInheritance(listofRoles);

    context.saveObject(bundle);
    context.commitTransaction();
    context.decache();
  }
  Util.flushIterator(iterator);
  </Source>
</Rule>

Thursday, May 19, 2022

Delta Aggregation

The following connectors support delta aggregation:

# Active Directory Connector

# Azure Active Directory Connector

# ADAM, SunOne and Tivoli Connector

# JDBC Connector

# Lotus Domino

# G Suite Connector


Wednesday, May 4, 2022

Partition Aggregation

The following connectors support partitioned aggregation:

# JDBC Connector

# Active Directory Connector

# LDAP Connector

# Delimited File Connector

# IBM i Connector

# G Suite Connector

# Tivoli Access Manager Connector

# Azure Active Directory Connector

Saturday, April 23, 2022

How to get the Log4j 2 version using a standalone rule?

 <?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<Rule language="beanshell" name="Log4j 2 version">

  <Signature>

    <Inputs>

      <Argument name="log">

        <Description>

          The log object is associated with the SailPointContext.

        </Description>

      </Argument>

      <Argument name="context">

        <Description>

          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.

        </Description>

      </Argument>

    </Inputs>

  </Signature>

  <Source>

  // Reads the Implementation-Version from the manifest of the jar that contains
  // Log4j 2. It is null when that manifest carries no version, so fall back to
  // reporting where the class was loaded from instead of returning null.
  Class log4jClass = org.apache.logging.log4j.util.PropertiesUtil.class;
  Package pkg = log4jClass.getPackage();
  String version = (pkg != null) ? pkg.getImplementationVersion() : null;
  if (version == null) {
    java.security.CodeSource src = log4jClass.getProtectionDomain().getCodeSource();
    return "unknown (no Implementation-Version in manifest; loaded from "
        + ((src != null) ? String.valueOf(src.getLocation()) : "unknown") + ")";
  }
  return version;

  </Source>

</Rule>


LifeCycle Event Rule

// Identity trigger rule (event type "Rule"). Inputs: "previousIdentity" and
// "newIdentity". Return true to fire the lifecycle event.
import sailpoint.object.Identity;

log.debug("Entering DND Leaver Event Rule");

String status = (String) newIdentity.getAttribute("status");
String previousStatus = (previousIdentity != null) ? (String) previousIdentity.getAttribute("status") : null;
log.debug("status : " + status + " (previous: " + previousStatus + ")");

boolean flag = false;
if (status != null && status.equalsIgnoreCase("Terminated-N-Non Employee")) {
    // Fire only on the transition into the terminated status. Without this
    // comparison the leaver event would fire again on every identity refresh
    // for as long as the status stays "Terminated-N-Non Employee".
    flag = !status.equalsIgnoreCase(previousStatus);
}

log.debug("Exiting DND Leaver Event Rule : " + flag);
return flag;

Customization Rule

import org.apache.log4j.Logger;
import org.apache.log4j.Level;
import sailpoint.object.ResourceObject;

// Customization rule input: "object" is the ResourceObject just read from the
// application, before correlation. Return the (modified) object.
// If the status has been populated with "Terminated-N-Non Employee" set the account to disabled.

Logger log = Logger.getLogger("HR System CustomizationRule");
log.setLevel(Level.DEBUG);

String acctName = object.getIdentity();
log.debug("Account Name = " + acctName);
log.debug("Object = " + object);

Object statusObj = object.getAttribute("Status");
String status = (statusObj != null) ? statusObj.toString() : null;
log.debug("Status = " + status);

if (status != null && status.length() != 0) {
    if ("Terminated-N-Non Employee".equalsIgnoreCase(status)) {
        // IIQDisabled is the flag the aggregator reads to mark the link as disabled
        object.put("IIQDisabled", true);
        log.debug("The 'status' set to Terminated-N-Non Employee on [" + acctName + "], marking IIQDisabled as true.");
    } else {
        object.put("IIQDisabled", false);
    }
} else {
    log.debug("No 'status' field populated on [" + acctName + "], assuming active account.");
}

return object;

Wednesday, April 13, 2022

LDAP Connection using Java Code

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapConnection {

    public static void main(String[] args) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Plain ldap:// on 389 with no SECURITY_* properties is an anonymous,
        // unencrypted bind: enough to check that the port answers, nothing more.
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            System.out.println("LDAP Connection Successful");
        } catch (NamingException e) {
            System.err.println("LDAP connection failure. " + e.getMessage());
            System.exit(1);
        } finally {
            // Release the connection; the original left it open until exit.
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
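The class above binds anonymously over cleartext. As an added example (mine, not from the original post), here is the same connectivity check done the way it should be done against a production directory: LDAPS on 636, a simple bind with a service account whose password comes from an environment variable instead of the source, connect/read timeouts so a firewalled port fails fast, and referral following switched off. The host name, bind DN and environment variable name are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class SecureLdapConnection {

    // Builds the JNDI environment for an authenticated LDAPS bind.
    // url, bindDn and password are supplied by the caller; nothing is hard-coded.
    static Hashtable<String, Object> buildEnv(String url, String bindDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                   // ldaps:// so the bind password never crosses the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "ignore");                  // do not follow referrals to other (possibly plaintext) servers
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds; fail fast on a firewalled port
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        return env;
    }

    // Returns true if the bind succeeds. A rejected credential is reported
    // separately from a transport/TLS failure so the operator knows which to fix.
    static boolean tryBind(Hashtable<String, Object> env) {
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            return true;
        } catch (AuthenticationException e) {
            System.err.println("Bind rejected (check bind DN / password): " + e.getMessage());
            return false;
        } catch (NamingException e) {
            // Also raised when the server certificate is not trusted by the JVM
            // truststore: fix the truststore rather than disabling validation.
            System.err.println("LDAPS connection failure: " + e.getMessage());
            return false;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder values: directory host, service-account DN and the
        // environment variable holding its password.
        String url = "ldaps://dc01.mightypedia.com:636";
        String bindDn = "CN=svc-iiq,OU=ServiceAccounts,DC=mightypedia,DC=com";
        String password = System.getenv("IIQ_LDAP_BIND_PASSWORD");
        if (password == null || password.isEmpty()) {
            System.err.println("IIQ_LDAP_BIND_PASSWORD is not set");
            System.exit(2);
        }
        boolean ok = tryBind(buildEnv(url, bindDn, password));
        System.out.println(ok ? "LDAPS bind successful" : "LDAPS bind failed");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the password exported in the environment (for example `IIQ_LDAP_BIND_PASSWORD=... java SecureLdapConnection`). A handshake failure on the first run almost always means the domain controller's certificate chain is not in the JVM truststore the IdentityIQ server uses; import the issuing CA there rather than switching back to ldap://.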

Tuesday, March 8, 2022

How to set Message/notification in Form?

 <Section label="Please Note" type="datatable">

    <Field>

      <Script>

        <Source>

          // Static HTML only. If user-supplied values were ever appended here
          // they would have to be HTML-escaped first.
          StringBuilder sb = new StringBuilder("");

          sb.append("&lt;html>&lt;ul style=\"list-style-type:disc;\">");

          sb.append("&lt;li>Kindly refer to &lt;a href=\"oimsailpointpedia.blogspot.com\" target=\"_blank\">How-To-Talk&lt;/a> for further reference&lt;/li>");

          sb.append("&lt;li>Please &lt;a href=\"mailto:xxyz@gmail.com\">Contact Us&lt;/a> for more information&lt;/li>");

          sb.append("&lt;/ul>&lt;/html>");

          return sb.toString();


        </Source>

      </Script>

    </Field>

  </Section>

Saturday, February 26, 2022

Form Definition

 The basic elements in a Form definition are:

<Form>

  <Attributes>   (entry, i.e. a map of name/value pairs that influence the form renderer)

  <Button>       (determine form processing actions)

  <Section>      (subdivision of the form; may contain an Attributes map and nested Fields)

    <Field>      (may contain an Attributes map, a Script to set the value, an AllowedValuesDefinition script, and a Validation Script)


Forms embedded inside a workflow step do not need any attributes on the Form element itself, though they can have a name attribute.  

Top-level Form objects do, however, have a couple of important attributes specified within the Form element. 

<Form name="My Custom Form" type="Workflow">

type:

Determines where the form can be referenced in other UI pages;

Automatically set for top-level forms created through the centralized form repository UI (Gear menu -> Global Settings -> Forms)

Workflow forms: type="Workflow"

Application provisioning policy forms: type="Application"

Role provisioning policy forms: type="Role"

Forms that have a type other than these 3 values will not be listed in the centralized form repository. 

Forms with no type will be listed there, but to edit them there, you will have to designate them as one of these 3 types.

Attributes:

pageTitle : Title to render at top of the page (typically larger and a different color than the form title); also displayed in browser window header bar in some cases.

title : Form Title (shown at top of form body).

subTitle : Form subtitle (shown below title).

readOnly : makes form read-only so the fields are rendered as uneditable text or as disabled HTML components.

isWizard : turns the form into a multi-page "wizard"-type form with each Section rendered as a separate page.

Buttons:

Buttons allow the user to indicate what action to take next and how to process the data on the form. They always appear at the bottom of the form. 

Buttons really only apply to Workflow forms.

label : Text to display on the button; can be a hard-coded string value or a message catalog key for localization

action:

        next: save any entered form data and set the work item status to “approved”, running any field validation scripts/rules specified; the work item status can then be used in the Transition logic to advance the workflow to the next step; this action is used to drive OK/Save/Approve/Submit functionality

        back: save entered form data and set the work item status to “rejected”, running any field validation scripts/rules specified; the work item status can then be used in the Transition logic to return to a previous step (or any other appropriate action for a rejection); saved values are redisplayed on the form if the workflow logic progresses back through this step again

        cancel: close the form, suspend the workflow, and return to the previous page in UI (i.e. Dashboard, Manage Work Items page, etc.); this leaves the work item active, awaiting a different action chosen by the user; does not save any data entered in the form

        refresh: save the entered form data and regenerate the form; this is not a state transition – just a redisplay of the form; it is not commonly used, but it can be used when a script needs to be re-run following entry of several data fields together, rather than reprocessing scripts after each field completion

Ex:

<Form>

<Attributes>

</Attributes>

<Button label='Submit' action='next'/>

<Button label="Suspend" action="cancel"/>

<Button label="Reject" action="back"/>

</Form>


Fields:

name : Name for the field; it can be referenced in code as the variable name in which the field's value is stored.

displayName : Label for the field; may be text or a message key.

helpKey : Tooltip; may be text or a localizable message key.

type : Field datatype; influences the widget used to display the field on the form. Valid values are: string, int, long, boolean, date, and SailPoint object types (Identity, Bundle, Permission, Rule, Application, etc.); the default is string.

multi : Boolean indicating whether the field is multi-selectable; only appropriate for drop-down lists, which are then displayed as combo boxes (used with SailPoint object field types or with a nested AllowedValues / AllowedValuesDefinition element that populates a selection list for the field).

readOnly : Boolean indicating that the field cannot be edited on the form; the value is displayed as text rather than in an editable box.

required : Boolean indicating whether a value is mandatory for the field; required="true" marks the field with * on the form and prevents form submission without a value for the field.

columnSpan : Used when the section is configured with multiple columns; specifies the number of columns the field should span.

filterString : Used for fields whose "type" is a SailPointObject class, to restrict the set of selectable objects presented in the drop-down list; specified according to the filter string syntax.

postBack : Boolean that, when true, causes the form to refresh when the field's data value changes, running any rules or scripts that run on form reload.

displayType : Forces string fields to display as specified; used only for string fields. Valid displayTypes are: radio, combobox, textarea.

dynamic : If dynamic="true" is configured, the field's value is recalculated during form postback.

reviewRequired : Allows a default value to be assigned for the field while still including the field on the form displayed to the user, so the default can be overridden if desired; without reviewRequired="true", template fields with a default value (or a value script/rule that returns a value) are omitted from the user-facing form and the default value is used automatically.

displayOnly : Boolean that indicates that the field should be included on the form but should not be passed to the provisioning plan. This is useful for fields that determine values to display in other fields' allowed values lists, or for fields used as components to build other fields' values. Applies to application and role provisioning policies only.

authoritative : Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only to multi-valued attributes.

value : Sets the default/initial value for the field.



Wednesday, February 23, 2022

Form Models

# Form models allow the specification of a map through which a set of variables can be handed to the form by the workflow.  

# The model is defined in the workflow (or a pre-defined model is used), allowing the workflow and form to pass a collection of variables all at one time through a specified model. 

# Since actions in workflows often center on Identities, a map for the Identity object, called IdentityModel, is prebuilt in IdentityIQ.  

# A workflow library method – getIdentityModel – can be called by a workflow step to create an IdentityModel map to use in a subsequent step that renders a form.


Using the Identity Model in Workflow Forms:

1. Define identityModel process variable.

2. Populate IdentityModel

Sunday, February 20, 2022

Forms

Forms Definition: 

Forms are used to seek/request user input in several areas of IdentityIQ. 

Forms Types:-

# Application provisioning policies

# Role provisioning policies

# Identity provisioning policies (only applicable for installations using Lifecycle Manager)

# Workflow Forms (data entry and approvals in workflow steps)

# Report filter specification


# Application Provisioning Policies

Setup -> Applications -> choose application -> Provisioning Policies

(OR)

Gear menu -> Global Settings -> Forms

# Role provisioning policies

Setup -> Roles -> choose role -> Provisioning Policies

(OR)

Gear menu -> Global Settings -> Forms

# Identity provisioning policies (only applicable for installations using Lifecycle Manager)

Gear menu -> Lifecycle Manager -> Identity Provisioning Policies

# Workflow Forms

Setup -> Business Processes -> choose business process and right-click a step -> Add Form/Edit Form -> Create Form

(OR)

Gear menu -> Global Settings -> Forms

# Report filter specification

None (can only be specified in XML and imported)


Wednesday, February 16, 2022

How to create AD group using beanshell?

 <?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<Rule created="1645024143138" id="402880e97e7e66fa017f0314672202d8" language="beanshell" modified="1645024242981" name="Create AD Group">

  <Description>

Create AD Group.

  </Description>

  <Signature>

    <Inputs>

      <Argument name="log">

        <Description>

          The log object is associated with the SailPointContext.

        </Description>

      </Argument>

      <Argument name="context">

        <Description>

          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.

        </Description>

      </Argument>

    </Inputs>

  </Signature>

  <Source>

import java.util.ArrayList;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.ObjectRequest;

// Groups are provisioned with an ObjectRequest (not an AccountRequest).
// Attribute names must match the application's group schema.
ObjectRequest objectRequest = new ObjectRequest();
objectRequest.setOp(ProvisioningPlan.ObjectOperation.Create);
objectRequest.add(new ProvisioningPlan.AttributeRequest("GroupType", ProvisioningPlan.Operation.Set, "Security"));
objectRequest.add(new ProvisioningPlan.AttributeRequest("SamAccountName", ProvisioningPlan.Operation.Set, "Test"));
objectRequest.setApplication("Active Directory");
// The native identity is the DN the group will be created under.
objectRequest.setNativeIdentity("CN=Test,ou=Groups,dc=mightypedia,dc=com");
objectRequest.setType("group");

List objReqList = new ArrayList();
objReqList.add(objectRequest);

ProvisioningPlan plan = new ProvisioningPlan();
plan.setObjectRequests(objReqList);

// Compile and execute the plan; the request goes to IQService for AD.
Provisioner provisioner = new Provisioner(context);
provisioner.execute(plan);

return plan;

  </Source>

</Rule>


IQ Service

IQService provides write capability (create, update, delete) for Active Directory and other Windows-hosted targets; IdentityIQ sends the provisioning requests to the IQService process running on a Windows host.

# Installation Command of IQ Service: IQService.exe -i

# Default port IQ Service is 5050

# Useful commands of IQ Service are :

-? | -h : This help output

-d : run in console mode

-i : Install a service

-k : stop the service

-n : (Optional) name of IQService for installing multiple instances. Default: IQService-Instancex, where x is an incremental integer value.

-p : (Optional) unique available port number specified at the time of IQService installation. Default: 5050. Incremental based on the next available port.

-r : remove the service

-s : Start the service

-t : Restart (stop/start) the service

-u : Uninstall the service. Removes the service components and clears the registry entries

-v : Print version information


Path of the IQService.zip :    C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin\win\IQService.zip

Install & Register the IQService:

1. Create a folder/directory in which to download the service.

2. Copy the IQService.zip file from the identityiq/WEB-INF/bin/win into a new directory.

3. Extract the IQService.zip

4. Run IQService.exe -i -p 5050 to install a Windows service named IQService

   Give a different port if 5050 is already in use

5. Open Regedit and go to the following path to set the log-related attributes

 HKEY_LOCAL_MACHINE\SOFTWARE\SailPoint\IQService. 

 The following keys are used:

      1. port - port on which to listen

      2. tracefile - path to the trace file

      3. tracelevel - 0 (off), 3 (verbose)

      4. maxTraceFiles - maximum number of trace log files

      5. traceFileSize: maximum file size of a trace file in bytes

 

6. Open the Services applet and find SailPoint IQService-Instance1

Change the Log On of the SailPoint IQService-Instance service to the service account, e.g.

mightypedia\Administrator

(A dedicated service account holding only the AD rights IdentityIQ needs is the safer choice; the domain Administrator account is used here only for the lab setup.)

7. Start the service from the Windows Services Applet or from the command line by running

IQService.exe -s

8. Register the service account and restart

IQService.exe -a "mightypedia\Administrator"

9. Open the IQService port in the Windows Firewall

Do not turn the firewall off. Add an inbound rule that allows TCP on the IQService port (5050 by default) and restrict it to the IdentityIQ application server addresses, so only IdentityIQ can reach the service:

Control Panel ---> Windows Defender Firewall ---> Advanced settings ---> Inbound Rules ---> New Rule (Port, TCP, 5050, Allow) ---> Scope: remote IP addresses = the IdentityIQ servers


Upgrade IQService:

# Take the correct version of the IQService.zip from C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin\win\IQService.zip

# Take a backup of the current IQService installation on the IQService box / VM

# Stop the IQService from Services Applet or run the following command from cmd

    IQService.exe  -k

# Uninstall the existing version by running the following command

    IQService.exe  -u

# Install the latest version by running the following command

IQService.exe -i     (OR)    IQService.exe -i -p 5050

# Start the service from the command line by running 

    IQService.exe -s

# Check the version by running the following command

    IQService.exe -v


Note:

The IQService version must match the IdentityIQ server version including patch versions. When you upgrade one, you must upgrade the other.

Basics of AD

Group Type: Group type defines how a group is used within Active Directory.

Group Scope: The group scope controls which objects the group can contain. 

Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.


Distribution Groups: non-security groups created for distributing information (e.g. email) to one or more people; they cannot be used to grant permissions.

Security Groups: security-related groups created for granting resource access permissions to multiple users; a security group can also be mail-enabled.

Tuesday, February 8, 2022

QuickLink

What is QuickLink?

The QuickLink object is the core object for defining custom Dashboard links. It specifies everything from the text to display, to the grouping category under which it should be listed, to the action to take when it is clicked. 


# action

external: navigate to the specified URL, an external website (requires the URL attribute in the attributes map to be set to the desired external web address)

workflow: launch the specified workflow (requires the workflowName attribute in the attributes map to be set to the workflow to launch)

the value of a <from-outcome> within a <navigation-case> inside the WEB-INF/faces-config.xml file: navigate to that IdentityIQ UI page.

# bulk 

Allow multiple identity selection if it's true.

# category 

The link appears under this category on the dashboard

# disabled 

The boolean attribute used to disable the QuickLink and prevent it from displaying in the UI

# name 

Unique name of the object.

# ordering 

Attribute for specifying the display order of the QuickLink relative to other QuickLinks in the same Dashboard UI category.

# messageKey 

Text to display for the link in the UI; this can be a hard-coded string or can be a message catalog key that can be localized according to each user’s browser language settings

# forceAllowOthers :

Boolean attribute that makes the link present an identity selector page when the link is clicked. Adds the For Others link if For Me also applies.

The selected identities' ids are available in the workflow in the variable quickLinkIdentityIds.


# forceAllowSelf :

Boolean attribute that makes the link allow requests for self. Adds the For Me link if For Others also applies.

The selected identity's id is available in the workflow in the variable quickLinkIdentityId.


# hideAllowOthers :

Boolean attribute that suppresses the identity selector page where it would normally be displayed for the user to select a target Identity (e.g. QuickLinks in the Manager, HelpDesk, or GeneralPopulation groupings).


# hideAllowSelf :

Boolean attribute that suppresses the request-for-self option and does not pass the logged-in user's identity to the link's target.

Only applies to QuickLinks in the SelfService SystemConfiguration grouping.


# workflowName

Specifies the name of the workflow object to run. Only applicable when the QuickLink action = "workflow".

# workflowSuccess

Specifies the message to display when the workflow is launched successfully. Only applicable when the QuickLink action = "workflow".

# parameters 

A <Map> of key/value pairs for passing arguments to an external website; these are appended to the url (ex: ?a=1&b=2) 

# URL 

Specifies the fully qualified name of the external web URL to open (example: http://www.google.com) 

Only applicable when the QuickLink action = “external” 

# displayText

Boolean attribute that determines whether the return value from the textScript (attribute described below) is displayed as part of the link text; if true, the text is displayed in parentheses appended to the end of the link's messageKey text.

# textScript

Contains a BeanShell script that returns the text to display with the QuickLink. This text is appended to the messageKey value, printed in parentheses.


Life Cycle Management (LCM)

Default Lifecycle Events in SailPoint :-

# Joiner : occurs when a new Identity is created.

# Leaver : occurs when an Identity leaves the organisation.

# Manager Transfer : triggers when the user's manager changes.

# Reinstate : triggers when the user is rehired.

SailPoint provides these four events by default with minimal functionality; the associated workflows are customised to suit the requirements.


Event Types :-

# Create: when a new identity is created

# ManagerTransfer: when user manager is changed

# AttributeChange: when an identity attribute changes

# Rule: evaluated for each identity and if rule returns true event will be triggered 

otherwise not.


Note :-

For these events to trigger, the "Process events" option must be enabled on the Identity Refresh task.

Sunday, February 6, 2022

How to launch a workflow using Java (API)?

import java.util.HashMap;
import sailpoint.api.Workflower;
import sailpoint.object.Workflow;
import sailpoint.object.WorkflowLaunch;

# Map object to pass as variables to the workflow

HashMap launchArgsMap = new HashMap();
launchArgsMap.put("identityName", "Prasad");
launchArgsMap.put("managerName", "Santosh");

# Getting the workflow object

Workflow workflow = (Workflow) context.getObjectByName(Workflow.class, "workflowName");
if (workflow == null) {
    throw new IllegalArgumentException("Workflow not found: workflowName");
}

# Creating the WorkflowLaunch object

WorkflowLaunch wfLaunch = new WorkflowLaunch();
wfLaunch.setWorkflowName(workflow.getName());
wfLaunch.setWorkflowRef(workflow.getName());
wfLaunch.setCaseName("LCM Provisioning");
wfLaunch.setVariables(launchArgsMap); // pass values to the workflow

# Create a Workflower and launch the workflow from the WorkflowLaunch

Workflower workflower = new Workflower(context);
WorkflowLaunch launch = workflower.launch(wfLaunch);


Note: 

A class for managing the lifecycle and side effects of Workflows and WorkItems.

For developers outside of SailPoint, the primary methods that should be used are the ones for launching workflows. 

The methods for managing the lifecycle of WorkItems are normally only used by the UI, though it is permissible to finish WorkItems in custom code.


# print the WorkflowCase ID (guard against a missing case)

if (launch.getWorkflowCase() != null) {
    String workFlowId = launch.getWorkflowCase().getId();
    System.out.println("workFlowId: " + workFlowId);
}

How to schedule the workflow?

import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Identity;
import sailpoint.object.Request;
import sailpoint.object.RequestDefinition;
import sailpoint.request.RequestManager;

// Values the original left undefined; set them for your case.
String workflowName = "workflowName";                               // workflow to run
String caseName = "LCM Provisioning";                               // name shown on the Request / WorkflowCase
long launchTime = System.currentTimeMillis() + 60 * 60 * 1000L;     // e.g. one hour from now
Identity owner = context.getObjectByName(Identity.class, "spadmin"); // identity recorded as the request owner (example name)

// Request args is the map of values passed to the workflow. The "workflow"
// key names the workflow for the Workflow Request executor (assumed key;
// check the RequestDefinition's signature in your installation).
Map reqArgs = new HashMap();
reqArgs.put("workflow", workflowName);
reqArgs.put("identityName", "Prasad");
reqArgs.put("managerName", "Santosh");

Request request = new Request();
RequestDefinition requestdefinition = context.getObjectByName(RequestDefinition.class, "Workflow Request");
request.setDefinition(requestdefinition);
request.setEventDate(new Date(launchTime));   // when the request processor should run it
request.setOwner(owner);
request.setName(caseName);
request.setAttributes(requestdefinition, reqArgs);

// Schedule the workflow via the request manager.
RequestManager.addRequest(context, request);


# What is the Request API?

sailpoint.object.Request is a unit of background work queued for the request processor; its RequestDefinition names the executor that performs it. (The description "a request for a single target object, a list of which is found within a Plan object; usually the target is a user account, but it could be a group or some other object managed by the connector" belongs to ProvisioningPlan's AbstractRequest, a different class.)

Note:

Model - a model represents an object or Java POJO carrying data.


# What is the RequestDefinition API?

An object describing a background request: which executor runs it and what arguments it accepts.


# What is the RequestManager API?

A class providing an API for managing the request processor and submitting asynchronous requests.

Note:

An asynchronous process runs independently of the caller; addRequest returns immediately and the request processor runs the workflow at the event date.

Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...