Correlation Rule:
# It's used to assign or "correlate" an application account to a specific Identity Cube
# It will run during Account Aggregations
# It's not required but recommended
# IdentityIQ will attempt to correlate based on the Identity attribute
# Otherwise, the accounts will be marked as Orphan
e.g. 1:
In this example, we will use the new account's email address to try and locate an existing Identity to hang the new account from. This rule uses the email attribute on the identity object to attempt to find an owner for the incoming link.
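import java.util.HashMap;
import java.util.Map;

Map returnMap = new HashMap();
// Read the email attribute from the incoming account
String email = account.getStringAttribute("email");
if ( email != null ) {
    // Ask IdentityIQ to find the Identity whose email attribute has this value
    returnMap.put("identityAttributeName", "email");
    returnMap.put("identityAttributeValue", email);
}
return returnMap;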
e.g. 2:
In this example, we are trying to locate an existing Identity using the "firstname" and "lastname" attributes from the incoming account to generate a firstname.lastname formatted identity name.
import java.util.HashMap;
import java.util.Map;

Map returnMap = new HashMap();
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if ( ( firstname != null ) && ( lastname != null ) ) {
    // Build the firstname.lastname identity name to look up
    String name = firstname + "." + lastname;
    returnMap.put("identityName", name);
}
return returnMap;
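An added example, not from the original post, that extends e.g. 1: it correlates on email only when exactly one Identity Cube holds the address, so an address shared by several identities leaves the account uncorrelated for manual review. It assumes the rule variables context, account and log that IdentityIQ supplies to a correlation rule, and uses the Filter, QueryOptions and countObjects calls from the IdentityIQ object model, none of which appear in the original rules.

```java
// Added example, not part of the original post. Written as an IdentityIQ
// correlation rule body (BeanShell); context, account and log are assumed
// to be supplied by the rule runner.
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

Map returnMap = new HashMap();

String email = account.getStringAttribute("email");
if ( email == null || email.trim().length() == 0 ) {
    // Nothing to match on: an empty map leaves the account uncorrelated
    return returnMap;
}
email = email.trim();

// Count the Identity Cubes that already hold this address, ignoring case
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.ignoreCase(Filter.eq("email", email)));
int matches = context.countObjects(Identity.class, qo);

if ( matches == 1 ) {
    // Exactly one owner candidate: hand the attribute pair back to IdentityIQ
    returnMap.put("identityAttributeName", "email");
    returnMap.put("identityAttributeValue", email);
} else if ( matches > 1 ) {
    // Shared mailbox or duplicated address: do not pick an owner.
    // Log the native account identity and the count, not the address itself.
    log.warn("Correlation skipped for account " + account.getIdentity()
             + ": " + matches + " identities share its email value");
}
return returnMap;
```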
--------------------------------------------------********************---------------------------------------------
Creation Rule:
# It's used to set attributes on new Identity Cubes when they are created
# Attach it to perform customizations at Identity Cube creation time
# It runs during Account Aggregations, but only on Identity Cube creation (new Identities or Orphaned Identities)
# Not required
NOTE:
This example rule modifies the given user created during aggregation or after a non-correlated pass-through authentication attempt. In this example, if the account is part of the Administrator group, we give the new Identity the ApplicationAdministrator capability.
e.g. 1:
# Assigning passwords, IdentityIQ capabilities dynamically or workgroup definitions
import sailpoint.object.Identity;

// All identities using this creation rule will have their passwords set to Winter$2,
// so the value is a shared secret until each user changes it
identity.setPassword("Winter$2");
e.g. 2:
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Capability;
import sailpoint.object.ResourceObject;

// change the name to a combination of firstname and lastname
String firstname = account.getStringAttribute("firstname");
String lastname = account.getStringAttribute("lastname");
if ( ( firstname != null ) && ( lastname != null ) ) {
    // skip the rename when either part is missing, to avoid names like "null.lastname"
    String name = firstname + "." + lastname;
    identity.setName(name);
}

// add capabilities based on group membership
List groups = (List)account.getAttribute("memberOf");
if ( ( groups != null ) && ( groups.contains("Administrator") ) ) {
    identity.add(context.getObjectByName(Capability.class, "ApplicationAdministrator"));
}