Friday, July 22, 2022

Connector Rules

Pre-Iterate Rule :


It's used to perform work before a Connector iterates over the data
e.g.:
# Validating a CSV file to verify that it's in good condition / valid format
# Decrypting/converting a file to another format

e.g: 1

IdentityIQ Pre-Iterate Rule to archive a CSV file after Aggregation.

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.text.SimpleDateFormat;
import java.util.*;
import org.apache.log4j.Logger;

private static final Logger LOGGER = Logger.getLogger("PreIterateCSV");

LOGGER.debug("Entering into PreIterateCSV rule : ");

// "stats" is the input map the delimited file connector hands to the rule
String fileName = (String) stats.get("fileName");
LOGGER.debug("Filename : " + fileName);

String filePath = (String) stats.get("absolutePath");

String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(Calendar.getInstance().getTime());

File file = new File(filePath);

// Strip the extension before appending the timestamp; keep the whole name if there is none
int dot = fileName.indexOf('.');
String baseName = (dot > 0) ? fileName.substring(0, dot) : fileName;

// "Location" stands for the archive directory path
File newFile = new File("Location" + baseName + timeStamp + ".csv");

try {
    Files.copy(file.toPath(), newFile.toPath());
    LOGGER.debug("File " + fileName + " is copied to Archive folder");
} catch (IOException ex) {
    LOGGER.error("Exception in Pre-Iterate Rule: " + ex.getMessage());
}
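The first use listed above (validating the CSV before iteration) has no code on the page, so here is an added example of my own, not from the original post: a Pre-Iterate rule body that checks the header row and a minimum row count of the file named in the connector's stats map, and throws to abort the aggregation otherwise. The column names, the minimum row count and the use of the "absolutePath" key from the rule above are assumptions for this feed.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import sailpoint.tools.GeneralException;

// Checks that the delimited file has the expected header and a plausible row
// count before the connector iterates over it. Aborting here (by throwing)
// stops aggregation from running on a truncated or malformed feed, which could
// otherwise cause many live accounts to be treated as removed from the source.
public int validateCsv(String path, List expectedHeader, int minRows) throws GeneralException {
    int rows = 0;
    try {
        BufferedReader reader = new BufferedReader(new FileReader(path));
        try {
            String header = reader.readLine();
            if (header == null) {
                throw new GeneralException("Feed " + path + " is empty");
            }
            List columns = Arrays.asList(header.trim().split(","));
            if (!columns.equals(expectedHeader)) {
                throw new GeneralException("Feed " + path + " has unexpected header: " + header);
            }
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.trim().length() > 0) rows++;
            }
        } finally {
            reader.close();
        }
    } catch (IOException ex) {
        throw new GeneralException("Cannot read feed " + path + ": " + ex.getMessage());
    }
    if (rows < minRows) {
        throw new GeneralException("Feed " + path + " has only " + rows + " rows; expected at least " + minRows);
    }
    return rows;
}

// Expected columns and minimum size are assumed values for this (hypothetical) feed.
List expectedHeader = Arrays.asList(new String[] {"login", "email", "groups", "status"});
int rowCount = validateCsv((String) stats.get("absolutePath"), expectedHeader, 100);
```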

--------------------------------------------------********************---------------------------------------------

Map To Resource Object Rule    :

It's available for JDBC and Delimited File Connectors
# It's used for converting Map to Resource Object
# It will run during the Account Aggregations
# Provides a hook to control the map to resource object mapping
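The page gives no code for this rule, so the following is an added example of my own, not from the original post. It assumes the standard rule inputs map (one raw row), schema and the ResourceObject setters setIdentity, setDisplayName, setObjectType and setAttribute; the column names login, email, groups ("a;b;c") and status are hypothetical, and IIQDisabled is assumed to be the attribute IdentityIQ reads to mark a Link disabled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import sailpoint.object.ResourceObject;
import sailpoint.object.Schema;

// Turns one raw row (the rule's "map" input) into the ResourceObject that
// aggregation converts into a Link. Assumed (hypothetical) columns: the
// schema identity attribute (e.g. "login"), "email", "groups" ("a;b;c"), "status".
public ResourceObject mapRowToResourceObject(Map map, Schema schema) {
    ResourceObject obj = new ResourceObject();
    obj.setObjectType(schema.getObjectType());

    // The schema's identity attribute holds the native account id.
    String nativeId = (String) map.get(schema.getIdentityAttribute());
    if (nativeId == null || nativeId.trim().length() == 0) {
        // No native id means no Link can be keyed; returning null skips the row
        // rather than creating a blank account.
        return null;
    }
    obj.setIdentity(nativeId.trim());
    obj.setDisplayName(nativeId.trim());

    // Copy every schema attribute, normalising two of them on the way.
    for (Object name : schema.getAttributeNames()) {
        String attrName = (String) name;
        Object value = map.get(attrName);
        if ("groups".equals(attrName) && value instanceof String) {
            // Split the delimited column into a multi-valued entitlement list.
            List groups = new ArrayList();
            for (String g : ((String) value).split(";")) {
                if (g.trim().length() > 0) groups.add(g.trim());
            }
            value = groups;
        } else if ("email".equals(attrName) && value instanceof String) {
            value = ((String) value).trim().toLowerCase();
        }
        obj.setAttribute(attrName, value);
    }

    // Map the source's status column onto the IIQDisabled flag so that a
    // disabled source account is not presented as an active Link.
    String status = (String) map.get("status");
    boolean disabled = (status != null) && status.trim().equalsIgnoreCase("disabled");
    obj.setAttribute("IIQDisabled", Boolean.valueOf(disabled));
    return obj;
}
return mapRowToResourceObject(map, schema);
```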

--------------------------------------------------********************---------------------------------------------

Post-Iterate Rule  :

# It's used to perform duties after a Connector iterates / pulls in data
# It will run during Account Aggregation
# Not required
e.g.:
Deleting, moving, or renaming files on the disk for archival storage

Aggregation Rules

Correlation Rule    :

# It's used to assign or "correlate" an application account to a specific Identity Cube
# It will run during Account Aggregations 
# It's not required but recommended
# IdentityIQ will attempt to correlate based on the Identity attribute
# Otherwise, the accounts will be marked as Orphan

e.g: 1

In this example, we will use the new account's email address to try and locate an existing Identity to hang the new account from. This rule uses the email attribute on the identity object to attempt to find an owner for the incoming link.

Map returnMap = new HashMap();
String email = account.getStringAttribute("email");
if (email != null) {
    returnMap.put("identityAttributeName", "email");
    returnMap.put("identityAttributeValue", email);
}
return returnMap;

e.g: 2

In this example, we are trying to locate an existing Identity using the "firstname" and "lastname" attributes from the incoming account to generate a firstname.lastname formatted identity name.

Map returnMap = new HashMap();
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if ((firstname != null) && (lastname != null)) {
    String name = firstname + "." + lastname;
    returnMap.put("identityName", name);
}
return returnMap;
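Building on the two examples above, here is an added correlation rule of my own (not from the original post) that prefers an immutable employee number over the email address, normalises the email before matching, and returns an empty map so that an account it cannot place becomes an Orphan instead of being attached to the wrong Identity Cube. The account attribute employeeNumber and the searchable identity attribute employeeId are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.ResourceObject;

// Correlation decision for one incoming account (the rule's "account" input).
// Preference order: an immutable employee number first, then a normalised email.
// Returning an empty map leaves the account as an Orphan for review, which is
// safer than silently hanging it from a wrong Identity Cube.
public Map correlate(ResourceObject account) {
    Map returnMap = new HashMap();
    String empId = account.getStringAttribute("employeeNumber");   // assumed account attribute
    if (empId != null && empId.trim().length() > 0) {
        returnMap.put("identityAttributeName", "employeeId");      // assumed identity attribute
        returnMap.put("identityAttributeValue", empId.trim());
        return returnMap;
    }
    String email = account.getStringAttribute("email");
    if (email != null) {
        email = email.trim().toLowerCase();
        // Only accept something shaped like a single address; a blank or
        // multi-address value would match nothing or match the wrong cube.
        if (email.matches("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$")) {
            returnMap.put("identityAttributeName", "email");
            returnMap.put("identityAttributeValue", email);
        }
    }
    return returnMap;
}
return correlate(account);
```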

--------------------------------------------------********************---------------------------------------------

Creation Rule    :

It's used to set attributes on new Identity Cubes when they are created
# Attach it to perform customizations at Identity Cube creation time
# It will run during Account Aggregations but only on Identity Cube creation (new Identities or Orphaned Identities)
# Not required
# Typical uses: assigning passwords, assigning IdentityIQ capabilities dynamically, or workgroup definitions

e.g: 1

import sailpoint.object.Identity;

// All identities using this creation rule will have their passwords set to Winter$2
identity.setPassword("Winter$2");

e.g: 2

NOTE :
Example rule to modify the given user created during aggregation or after a non-correlated pass-through authentication. In this example, if the account is part of the Administrator group, we give the new Identity the ApplicationAdministrator capability.

import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Capability;
import sailpoint.object.ResourceObject;

// change the name to a combination of firstname and lastname
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if ((firstname != null) && (lastname != null)) {
    String name = firstname + "." + lastname;
    identity.setName(name);
}

// add capabilities based on group membership
List groups = (List) account.getAttribute("memberOf");
if ((groups != null) && (groups.contains("Administrator"))) {
    identity.add(context.getObjectByName(Capability.class, "ApplicationAdministrator"));
}
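As an added example of my own (not from the original post), a creation rule that replaces the shared constant of e.g. 1 with a per-identity random initial password generated with java.security.SecureRandom. It only uses the identity rule input and the setPassword call already shown above; the alphabet and length are my choices.

```java
import java.security.SecureRandom;
import sailpoint.object.Identity;

// Builds a random initial password so that no two new Identity Cubes share the
// same credential: with a shared constant such as "Winter$2", anyone who learns
// it can authenticate as any identity the rule has created.
public String generateInitialPassword(int length) {
    // Alphabet chosen to satisfy a typical upper/lower/digit/special policy;
    // look-alike characters (0, O, 1, l) are left out.
    String upper = "ABCDEFGHJKLMNPQRSTUVWXYZ";
    String lower = "abcdefghijkmnpqrstuvwxyz";
    String digits = "23456789";
    String special = "!@#$%^&*";
    String all = upper + lower + digits + special;
    SecureRandom rng = new SecureRandom();
    StringBuilder sb = new StringBuilder();
    // Guarantee at least one character from each class, then fill the rest.
    sb.append(upper.charAt(rng.nextInt(upper.length())));
    sb.append(lower.charAt(rng.nextInt(lower.length())));
    sb.append(digits.charAt(rng.nextInt(digits.length())));
    sb.append(special.charAt(rng.nextInt(special.length())));
    while (sb.length() < length) {
        sb.append(all.charAt(rng.nextInt(all.length())));
    }
    // Shuffle so the mandatory characters do not always sit in the first four positions.
    char[] chars = sb.toString().toCharArray();
    for (int i = chars.length - 1; i > 0; i--) {
        int j = rng.nextInt(i + 1);
        char tmp = chars[i];
        chars[i] = chars[j];
        chars[j] = tmp;
    }
    return new String(chars);
}

// Each new Identity Cube gets its own 16-character initial password.
identity.setPassword(generateInitialPassword(16));
```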

Monday, July 18, 2022

How to check whether a user exists in a specific group or not?

import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

// Returns true when an IdentityEntitlement row exists for this identity id,
// entitlement value and application, i.e. the user holds the group.
public boolean checkUserENT(String userID, String entValue, String appName) throws GeneralException {
    boolean addEntExist = false;
    QueryOptions qo = new QueryOptions();
    Filter filter = Filter.and(Filter.eq("identity.id", userID), Filter.eq("value", entValue), Filter.eq("application.name", appName));
    qo.addFilter(filter);
    int countObjects = context.countObjects(IdentityEntitlement.class, qo);
    if (countObjects > 0) {
        addEntExist = true;
    }
    return addEntExist;
}

String appName = "Active Directory";
String entValue = "CN=IdentityIQ, OU=Groups, DC=mightypedia,DC=com";
String user = "Mary.Johnson";

// Look the identity up by name and resolve its id before querying
Identity identity = context.getObjectByName(Identity.class, user);
if (identity == null) {
    return false;
}
String userID = identity.getId();
boolean checkENT = checkUserENT(userID, entValue, appName);
return checkENT;

Sunday, July 17, 2022

How to convert a role from one type to another?

// Conversion of roles from one type to another and placing them under a parent role via inheritance:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Convert-Role">
  <Source>
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.object.Bundle;
  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.QueryOptions;
  import sailpoint.tools.GeneralException;
  import sailpoint.tools.Util;
  import sailpoint.api.IncrementalObjectIterator;

  // The container role every converted role will inherit from
  List listofRoles = new ArrayList();
  Bundle container = context.getObjectByName(Bundle.class, "Legacy-Birthright-Roles");
  if (container == null) {
    throw new GeneralException("Container role Legacy-Birthright-Roles not found");
  }
  listofRoles.add(container);

  // Select the roles to convert: every role of type "IT"
  QueryOptions qo = new QueryOptions();
  qo.addFilter(Filter.eq("type", "IT"));
  //qo.addFilter(Filter.eq("name", "Contractor_BusinessRole"));

  IncrementalObjectIterator iterator = new IncrementalObjectIterator(context, Bundle.class, qo);
  while (iterator != null &amp;&amp; iterator.hasNext()) {
    Bundle bundle = (Bundle) iterator.next();
    // bundle.setType("birthright");   // uncomment to change the role type as well
    bundle.setInheritance(listofRoles);
    context.saveObject(bundle);
    context.commitTransaction();
    context.decache();
  }
  Util.flushIterator(iterator);
  </Source>
</Rule>

Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...