Thursday, August 31, 2023

How to configure SailPoint IdentityIQ UI Task Servers

Log in to the Debug page and navigate to Object Browser ---> ServiceDefinition.

Add a hosts entry to the Request ServiceDefinition object:

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ServiceDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ServiceDefinition hosts="ABC1, ABC2, ABC3" name="Request">

  <Description>

Service definition for the Request processor service.

    </Description>

</ServiceDefinition>


##############################################################################


Add a hosts entry to the Task ServiceDefinition object:

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ServiceDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ServiceDefinition hosts="ABC1,ABC2,ABC3" name="Task">

  <Description>

Service definition for the Task scheduler service.  

    </Description>

</ServiceDefinition>



How to enable TimeMachine in SailPoint IdentityIQ?

Navigate to the Debug Page and add this entry to the System Configuration object:

<entry key="timeMachineEnabled" value="true"/>

Tuesday, August 22, 2023

Active Period Rule1

import java.util.Date;

import org.apache.commons.logging.Log;

import sailpoint.api.SailPointContext;

import sailpoint.object.AuditEvent;

import sailpoint.object.Certification;

import sailpoint.tools.GeneralException;

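public class ActivePeriodRule1 {

    /** Logger supplied by the rule runner; null in this standalone listing. */
    static Log logger = null;

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** The certification whose first entity is audited. */
    static Certification certification = null;

    /**
     * Records a {@code UserENTCertEvent} audit entry whose target is the
     * identity of the certification's first entity.
     *
     * <p>Nothing is written when {@code certification} is null or has no
     * entities. The original dereferenced {@code getEntities().get(0)}
     * unconditionally, which fails on an empty certification.
     */
    private static void callActivePeriodRule1() {
        if (certification == null || certification.getEntities() == null
                || certification.getEntities().isEmpty()) {
            logger.warn("ActivePeriodRule1: certification has no entities, no audit event written");
            return;
        }
        String auditAction = "UserENTCertEvent";
        String auditTarget = certification.getEntities().get(0).getIdentity();

        AuditEvent auditEvent = new AuditEvent();
        auditEvent.setSource("User Entitlement Certification Event Trigger");
        auditEvent.setAction(auditAction);
        auditEvent.setTarget(auditTarget);
        // The group DN is recorded as the event's attribute value (a constant in this rule).
        auditEvent.setAttributeValue("CN=SailPoint IdentityIQ,OU=Groups,OU=mighty,OU=com");
        auditEvent.setCreated(new Date());

        try {
            context.saveObject(auditEvent);
            context.commitTransaction();
            context.decache(auditEvent);
        } catch (GeneralException e) {
            // Pass the exception along so the stack trace is not lost.
            logger.error("GeneralException in ActivePerioRule1 : " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        callActivePeriodRule1();
    }
}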


Exclusion Rule for Entitlement2

import java.util.ArrayList;

import java.util.Iterator;

import java.util.List;

import sailpoint.object.Certifiable;

import sailpoint.object.EntitlementGroup;


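public class CertExclusionRule2 {

    /** Certifiable items offered to the certification; supplied by the rule runner. */
    static List items = null;

    /** Receives the items this rule decides not to certify; supplied by the rule runner. */
    static List itemsToExclude = null;

    /**
     * Moves every EntitlementGroup whose first attribute value does not
     * contain "SailPoint IdentityIQ" from {@code items} to {@code itemsToExclude}.
     *
     * <p>Items that are not entitlement groups, or whose application name,
     * attribute list or first attribute value is missing, are left in place.
     *
     * @return the exclusion explanation, or "" when nothing was excluded
     */
    private static String excludeEntitlement() {
        String explanation = "";
        if (items == null) {
            return explanation;
        }
        Iterator iterator = items.iterator();
        while (iterator.hasNext()) {
            Certifiable certifiable = (Certifiable) iterator.next();
            if (!(certifiable instanceof EntitlementGroup)) {
                continue;
            }
            // Cast first: the original read a still-null entitlementGroup
            // reference inside the instanceof condition and failed on the
            // first group it saw.
            EntitlementGroup entitlementGroup = (EntitlementGroup) certifiable;
            if (entitlementGroup.getApplicationName() == null
                    || entitlementGroup.getAttributeNames() == null
                    || entitlementGroup.getAttributeNames().isEmpty()) {
                continue;
            }
            String entName = entitlementGroup.getAttributeNames().get(0);
            if (entName == null) {
                continue;
            }
            Object rawValue = entitlementGroup.getAttributes().get(entName);
            if (rawValue == null) {
                continue;
            }
            String entValue = rawValue.toString();
            if (!entValue.contains("SailPoint IdentityIQ")) {
                itemsToExclude.add(certifiable);
                iterator.remove();
                explanation = "Groups match the exclusion criteria";
            }
        }
        return explanation;
    }

    public static void main(String[] args) {
        String message = excludeEntitlement();
    }
}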


SailPoint Queries

 # Joiner Query:-

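-- Identities currently flagged for joiner processing.
-- String literals use single quotes; double quotes are identifier quotes in
-- standard SQL and the other queries on this page use single quotes.
SELECT firstname, lastname, name, email
FROM spt_identity
WHERE employee_status = 'Active'
  AND needs_joiner = 'PROCESSING';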


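-- Active identities with an Active Directory link whose Joiner task result
-- was created between the two epoch bounds. The two numbers are placeholders:
-- substitute yesterday's and today's epoch values before running.
SELECT i.firstname, i.lastname, i.name, i.email, i.type
FROM spt_identity i, spt_application a, spt_link l, spt_task_result t
WHERE a.id = l.application
  AND l.identity_id = i.id
  -- The original compared t.target_id with itself (always true), which
  -- cross-joined every task result; tie the result to the identity as the
  -- leaver query below does.
  AND t.target_id = i.id
  AND i.employee_status = 'Active'
  AND a.name = 'Active Directory'
  -- NOTE(review): LIKE without a wildcard behaves like '='; confirm whether
  -- '%IIQDisabled%' and '%Joiner%' were intended.
  AND l.attributes NOT LIKE 'IIQDisabled'
  AND t.name LIKE 'Joiner'
  AND t.created > 1234567890  -- yesterday time in epoch
  AND t.created < 1244567890; -- today time in epoch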


# Leaver Query:-

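-- Inactive identities (excluding the layoff org) that still hold an
-- Active Directory link not marked IIQDisabled.
SELECT i.firstname, i.lastname, i.name, i.email, i.type
FROM spt_identity i, spt_application a, spt_link l
WHERE a.id = l.application
  AND l.identity_id = i.id
  AND i.employee_status = 'inactive'
  AND i.org_name NOT LIKE '%Employees on Layoff%'
  -- The original had a doubled opening quote (''Active Directory'), which
  -- does not parse.
  AND a.name = 'Active Directory'
  -- NOTE(review): LIKE without a wildcard behaves like '='; confirm whether
  -- '%IIQDisabled%' was intended.
  AND l.attributes NOT LIKE 'IIQDisabled';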


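-- Inactive identities whose LEAVER task result was created between the two
-- epoch bounds. The two numbers are placeholders: substitute yesterday's and
-- today's epoch values before running.
SELECT i.firstname, i.lastname, i.name, i.email, i.type
-- spt_task_result t was referenced in the WHERE clause but missing from the
-- FROM list in the original; without it the query does not parse.
FROM spt_identity i, spt_application a, spt_link l, spt_task_result t
WHERE a.id = l.application
  AND l.identity_id = i.id
  AND t.target_id = i.id
  AND l.identity_id = t.target_id
  AND i.employee_status = 'inactive'
  AND i.org_name NOT LIKE '%Employees on Layoff%'
  -- The original had a doubled opening quote (''Active Directory').
  AND a.name = 'Active Directory'
  -- NOTE(review): LIKE without a wildcard behaves like '='; confirm whether
  -- '%IIQDisabled%' and '%LEAVER%' were intended.
  AND l.attributes NOT LIKE 'IIQDisabled'
  AND t.name LIKE 'LEAVER'
  AND t.created > 1234567890  -- yesterday time in epoch
  AND t.created < 1244567890; -- today time in epoch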


=================

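-- Links that share a native identity on the same application (duplicate
-- accounts). SELECT * is not valid together with GROUP BY in standard SQL;
-- select the grouped columns and the count instead.
SELECT native_identity, application, COUNT(*) AS link_count
FROM identityiq.spt_link
GROUP BY native_identity, application
HAVING COUNT(*) > 1;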

GIT Repo Update

# Login to DevOps

# Follow the step below only the first time; otherwise skip it. (Optional)

Navigate to Repos -> Select the current Repo (Ex: SailPoint 8.3p3)

# Create the SailPoint folder in the local machine (For the first time)

# Go To the SailPoint folder where you saved the GIT repository SailPoint folder.

# Right-click on it and select Git Bash Here.

# Follow the step below only the first time; otherwise skip it.

Click on clone and copy the URL in DevOps

# Type the following command 

git clone https://XYZ

# git checkout master

# git pull

# git checkout -b PR_Clarity

# git pull

# git status

# Place updated/new files in the respective folders

# git status 

(check the status - to know XMLs you updated)

# git add .

# git commit -m "Process Clarity"

# git push

# git remote -v

# git push origin PR_Clarity

# Go To Repos ---> Select the updated repo version name (Ex: PR_Clarity)

# Click on Create Pull Request

# Select the reviewer 

# Scroll down and click on create.






Monday, August 21, 2023

IQService Upgrade Steps

 Pre-requisite:-

IdentityIQ must already be installed on the server.

1. Copy the correct version of the IQService.zip from the below path:

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin\win

2. Log into RDP 

3. Navigate to the IQService installation path (Ex: C:\IQService) and take a backup of the current IQService installation on the IQService box.

4. Stop the IQService from Service Applet or run the following command from CMD:

IQService.exe -k

5. Uninstall the existing version by running the following command and delete the IQService folder.

IQService.exe -u

6. Install the latest version by running the following command:

IQService.exe -i

7. Start the service from the command line by running the following command:

IQService -s

8. Validate the version by running the following command:

IQService.exe -v

9. Search the service from Windows and open the service with administrator rights.

Open SailPoint IQService-Instance1 from the Services list, go to the Log On tab, switch it to the service account, and enter the user below:

xyz (AD Service account username)

10. Register the service account and restart using following command.

IQService.exe -a "XYZ"

11. Test the AD connection from the SailPoint AD application.


===============================### THE END ###==========================




Upgrade Steps and Patching Steps

High-Level Steps:-

Pre-requisites:-

The SSB must already be set up.


Upgrade Steps:-

# Take a backup of the older IIQ war file

# Run the following DDL Scripts for 8.3 DB updates (Upgrade the database scripts)

# Place the zip file in base\ga. Remove any folder version of the zip file present at the location

# Update the IIQ version in the build.properties file (IIQVersion, IIQPatchLevel)

# Update the hostname in the server.properties file

# Update the iiq.properties file

# Run the build command in the GIT hub extracted folder

build.bat clean war

Stop the Tomcat Server / Service

# Place the identityiq.war file in webapps folder

# Start the Tomcat Server / Service

# Run the upgrade command in the iiq console path

iiq upgrade

##############################==================################################

Patch Steps:-

# Upgrade the database scripts

# Place the zip file in base\patch

# Update the IIQ version in the build.properties file

# Run the build command in the GIT hub extracted folder

build.bat clean war

# Place the identityiq.war file in webApps folder

# Start the Tomcat Server / Service

# Run the patch command in the iiq console path

iiq patch 8.3p3


Note:- We can use any of the following command(s) for building the war file

build.bat clean

build.bat war

(OR)

build.bat clean war




Required software/tools for SailPoint IIQ

# Notepad++

# Beyond Software

# Eclipse

# JD-GUI

# SQL - HeidiSQL / etc.,

# VISIO

# Apache Directory Studio / JExplorer / etc.,

# GIT set up / etc.,



Classic Ports to know

 # 22 = SSH (Secure Shell) - log into a Linux instance

# 21 = FTP (File Transfer Protocol)

# 22 = SFTP (Secure File Transfer Protocol) - upload files over SSH

# 80 = HTTP - access unsecured (non-TLS) websites

# 443 = HTTPS - access secured (TLS) websites

# 3389 = RDP (Remote Desktop Protocol) - log into a windows instance


SSB

Audit

Set TaskStatus

import org.apache.commons.logging.Log;

import sailpoint.api.SailPointContext;

import sailpoint.object.TaskResult;

import sailpoint.tools.GeneralException;

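public class SetTaskStatus {

    /** Logger supplied by the rule runner; null in this standalone listing. */
    static Log log = null;

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /**
     * Looks up the "Mighty Task" result, records a count attribute on it and
     * marks it successful. When the lookup fails, the result (if one was
     * obtained) is marked as an error instead.
     */
    public static void main(String[] args) {
        int count = 316;
        TaskResult taskResult = null;
        try {
            taskResult = context.getObjectByName(TaskResult.class, "Mighty Task");
            if (taskResult != null) {
                taskResult.addAttribute("count", count);
                // Reference the enum constant statically; the original went
                // through getCompletionStatus(), which fails when no status
                // has been set yet.
                taskResult.setCompletionStatus(TaskResult.CompletionStatus.Success);
            } else {
                log.warn("TaskResult 'Mighty Task' not found");
            }
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
            // The lookup itself may be what failed, leaving taskResult null.
            if (taskResult != null) {
                taskResult.setCompletionStatus(TaskResult.CompletionStatus.Error);
            }
        }
        // NOTE(review): nothing here persists the modified result; confirm
        // that the caller saves/commits it.
    }
}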

 

GroupAggregation Rule for Description

import java.util.HashMap;

import java.util.Locale;

import java.util.Map;

import org.apache.commons.logging.Log;

import sailpoint.api.SailPointContext;

import sailpoint.object.Application;

import sailpoint.object.Identity;

import sailpoint.object.ManagedAttribute;

import sailpoint.object.ResourceObject;

import sailpoint.tools.GeneralException;

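public class GroupAggrgationRuleForDesc {

    /** Logger supplied by the rule runner; null in this standalone listing. */
    static Log log = null;

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** Aggregation environment supplied by the rule runner (unused here). */
    static Map environment = null;

    /** Raw group object from the connector (unused here). */
    static ResourceObject obj = null;

    /** Application the group belongs to (unused here). */
    static Application groupApplication = null;

    /** The managed attribute being aggregated; its owner and description are set. */
    static ManagedAttribute accountGroup = null;

    /**
     * Copies owner and description from the workgroup identity whose name
     * equals the group's value onto the managed attribute, and marks the
     * attribute non-requestable. Nothing is changed when no such workgroup
     * exists; the original dereferenced the missing identity.
     */
    public static void main(String[] args) {
        Map map = new HashMap();
        try {
            Identity workGroup = context.getObjectByName(Identity.class, accountGroup.getValue());
            if (workGroup == null) {
                log.warn("No workgroup identity named " + accountGroup.getValue() + "; description not set");
                return;
            }
            accountGroup.setOwner(workGroup.getOwner());
            accountGroup.setRequestable(false);
            // Descriptions are keyed by locale tag; only en_US is populated here.
            map.put(Locale.US.toString(), workGroup.getDescription());
            accountGroup.setDescriptions(map);
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
        }
    }
}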


Exclusion Rule for Entitlement1

import java.util.ArrayList;

import java.util.Iterator;

import java.util.List;

import org.apache.commons.logging.Log;

import sailpoint.api.SailPointContext;

import sailpoint.object.Attributes;

import sailpoint.object.Certifiable;

import sailpoint.object.EntitlementGroup;

import sailpoint.object.Filter;

import sailpoint.object.ManagedAttribute;

import sailpoint.tools.GeneralException;


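public class WorkgroupECertExclusionRule {

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** Logger supplied by the rule runner; null in this standalone listing. */
    static Log log = null;

    /** Certifiable items offered to the certification; supplied by the rule runner. */
    static List items = null;

    /** Receives the items this rule decides not to certify; supplied by the rule runner. */
    static List itemsToExclude = null;

    /** Explanation returned to the certification; set only when something is excluded. */
    static String explanation = null;

    /**
     * Excludes every EntitlementGroup whose matching ManagedAttribute does not
     * carry a "certifiable" attribute equal (ignoring case) to "True".
     *
     * <p>Groups without attributes, without a matching managed attribute, or
     * whose managed attribute has no "certifiable" value are left in place;
     * the original dereferenced those and aborted the whole rule.
     *
     * @return the explanation, or null when nothing was excluded
     */
    static String excludeEntitlement() {
        log.debug("Entering into Exclusion Rule");
        for (Iterator iterator = items.iterator(); iterator.hasNext();) {
            Certifiable certifiable = (Certifiable) iterator.next();
            if (!(certifiable instanceof EntitlementGroup)) {
                continue;
            }
            EntitlementGroup entitlementGroup = (EntitlementGroup) certifiable;
            try {
                String appName = entitlementGroup.getApplicationName();
                Attributes attrs = entitlementGroup.getAttributes();
                if (attrs == null || attrs.getKeys() == null || attrs.getKeys().isEmpty()) {
                    log.debug("Skipping entitlement group without attributes on " + appName);
                    continue;
                }
                // Only the first attribute of the group is considered.
                String entAttrName = attrs.getKeys().get(0).toString();
                String entAttrVal = attrs.getString(entAttrName);
                Filter masterFilter = Filter.and(new Filter[] { Filter.eq("value", entAttrVal),
                        Filter.eq("attribute", entAttrName), Filter.eq("application.name", appName) });
                ManagedAttribute access = context.getUniqueObject(ManagedAttribute.class, masterFilter);
                if (access == null || access.getAttribute("certifiable") == null) {
                    // No decision possible: keep the item so it is certified rather than silently dropped.
                    log.debug("No certifiable flag for " + entAttrName + "=" + entAttrVal + " on " + appName);
                    continue;
                }
                String accessCert = access.getAttribute("certifiable").toString();
                if (!accessCert.equalsIgnoreCase("True")) {
                    itemsToExclude.add(certifiable);
                    iterator.remove();
                    explanation = "No need to certify these items";
                }
            } catch (GeneralException e) {
                log.error("GeneralException in exclusion: " + e.getMessage(), e);
            }
        }
        // The original also added an always-empty list back to items; that was a no-op and is gone.
        log.debug("Exiting from Exclusion Rule");
        return explanation;
    }

    public static void main(String[] args) {
        String message = excludeEntitlement();
    }
}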


Friday, August 18, 2023

Password Generation2

 import java.util.Random;

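public class PasswordGeneration2 {

    /** Length produced by the no-argument generator. */
    private static final int DEFAULT_LENGTH = 15;

    /**
     * Cryptographically strong source. java.util.Random, used by the original,
     * is a predictable generator and unsuitable for passwords.
     */
    private static final java.security.SecureRandom RANDOM = new java.security.SecureRandom();

    private static final String NUMBERS = "1234567890";
    private static final String SPECIAL_CHARACTERS = "!@#$%";
    private static final String UPPER_CASE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String LOWER_CASE_LETTERS = "abcdefghijklmnopqrstuvwxyz";
    private static final String ALPHABET =
            UPPER_CASE_LETTERS + LOWER_CASE_LETTERS + SPECIAL_CHARACTERS + NUMBERS;

    /**
     * Generates a 15-character password from upper- and lower-case letters,
     * digits and the special characters {@code !@#$%}.
     *
     * @return the generated password
     */
    static String passwordGenerator2() {
        return passwordGenerator2(DEFAULT_LENGTH);
    }

    /**
     * Generates a password of the given length from the same alphabet. When
     * {@code length} is at least 4 the result contains at least one character
     * of each of the four classes.
     *
     * @param length number of characters, must be positive
     * @return the generated password
     * @throws IllegalArgumentException when {@code length} is not positive
     */
    static String passwordGenerator2(int length) {
        if (length <= 0) {
            throw new IllegalArgumentException("length must be positive: " + length);
        }
        String password;
        do {
            StringBuilder builder = new StringBuilder(length);
            for (int i = 0; i < length; i++) {
                builder.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
            }
            password = builder.toString();
            // Redraw until every class is represented; with 67 symbols this
            // usually takes one or two rounds.
        } while (length >= 4 && !coversAllClasses(password));
        return password;
    }

    /** True when the candidate contains an upper-case, a lower-case, a digit and a special character. */
    private static boolean coversAllClasses(String candidate) {
        return containsAny(candidate, UPPER_CASE_LETTERS)
                && containsAny(candidate, LOWER_CASE_LETTERS)
                && containsAny(candidate, NUMBERS)
                && containsAny(candidate, SPECIAL_CHARACTERS);
    }

    /** True when at least one character of {@code candidate} occurs in {@code charClass}. */
    private static boolean containsAny(String candidate, String charClass) {
        for (int i = 0; i < candidate.length(); i++) {
            if (charClass.indexOf(candidate.charAt(i)) >= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String retValue = passwordGenerator2();
    }
}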


Password Generation1

import sailpoint.api.PasswordGenerator;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.tools.GeneralException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

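public class PasswordGeneration1 {

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** Application whose password policy is applied; supplied by the rule runner. */
    static Application application = null;

    /** Identity the password is generated for; supplied by the rule runner. */
    static Identity identity = null;

    static Log logger = LogFactory.getLog("com.mightypedia.password.rule");

    /**
     * Generates a password with IdentityIQ's PasswordGenerator, first against
     * the identity/application policy and, if that fails, with the generic
     * generator.
     *
     * @return the generated password
     * @throws GeneralException when the generic fallback fails as well
     */
    private static String generatePassword() throws GeneralException {
        // Built outside the try so it is never null in the catch block; the
        // original could hit a NullPointerException there when construction failed.
        PasswordGenerator passwordGenerator = new PasswordGenerator(context);
        try {
            return passwordGenerator.generatePassword(identity, application);
        } catch (GeneralException e) {
            logger.error("GeneralException: " + e.getMessage(), e);
            // Policy-aware generation failed; fall back to the generic generator.
            return passwordGenerator.generatePassword();
        }
    }

    public static void main(String[] args) {
        try {
            String password = generatePassword();
        } catch (GeneralException e) {
            logger.error("GeneralException: " + e.getMessage(), e);
        }
    }
}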

Tuesday, August 15, 2023

Account Expiration Notification Rule

import java.text.ParseException;

import java.text.SimpleDateFormat;

import java.util.Calendar;

import java.util.Date;

import java.util.HashMap;

import java.util.List;

import java.util.Map;

import org.apache.log4j.Logger;

import sailpoint.api.IdentityService;

import sailpoint.api.SailPointContext;

import sailpoint.object.Application;

import sailpoint.object.EmailOptions;

import sailpoint.object.EmailTemplate;

import sailpoint.object.Filter;

import sailpoint.object.Identity;

import sailpoint.object.Link;

import sailpoint.object.QueryOptions;

import sailpoint.tools.GeneralException;


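public class AccountExpirationRule {

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** Logger supplied by the rule runner; null in this standalone listing. */
    static Logger log = null;

    /** Fallback recipient when an identity has no manager or the manager has no e-mail. */
    private static final String EMAIL_ADMIN = "reddy@mightypedia.com";

    /** Pattern for the day-granularity dates shown in the e-mail and used for comparison. */
    private static final String DATE_PATTERN = "MM/dd/yyyy";

    /**
     * Sends the named e-mail template for one identity. The recipient is the
     * identity's manager, falling back to the admin address when the manager
     * or the manager's e-mail address is missing.
     *
     * @param identityName  name of the identity whose account is expiring
     * @param emailTemplate name of the EmailTemplate to send
     * @param daysRemaining days until expiry, as shown in the mail
     * @param endDate       the account's expiry date
     */
    static void sendEmail(String identityName, String emailTemplate, String daysRemaining, Date endDate) {
        String company = null;
        String mgrFirstName = null;
        String mgrLastName = null;
        String recipient = null;
        String ccRecipient = null;
        Map args = null;
        EmailOptions options = null;
        EmailTemplate eTemp = null;
        Identity mgr = null;
        Identity identity = null;

        try {
            identity = context.getObjectByName(Identity.class, identityName);
            if (identity == null) {
                log.error("Identity not found: " + identityName);
                return;
            }

            if (identity.getAttribute("company") != null) {
                company = identity.getAttribute("company").toString();
            }

            mgr = identity.getManager();
            if (mgr != null) {
                if (mgr.getFirstname() != null) {
                    mgrFirstName = mgr.getFirstname();
                }
                if (mgr.getLastname() != null) {
                    mgrLastName = mgr.getLastname();
                }
                if (mgr.getEmail() != null) {
                    recipient = mgr.getEmail().trim();
                } else {
                    log.debug("Manager email is null and setting recipient to admin");
                    recipient = EMAIL_ADMIN;
                }
            } else {
                log.debug("Identity Manager is null and setting recipient to admin");
                recipient = EMAIL_ADMIN;
            }

            SimpleDateFormat formatDate = new SimpleDateFormat(DATE_PATTERN);
            // startDate may be a Date or text; the original called format() on
            // its toString(), which SimpleDateFormat rejects, and dereferenced
            // the attribute before checking it for null.
            String startDateFor = "";
            Object startDate = identity.getAttribute("startDate");
            if (startDate instanceof Date) {
                startDateFor = formatDate.format((Date) startDate);
            } else if (startDate != null) {
                startDateFor = startDate.toString();
            }
            String endDateFor = formatDate.format(endDate);

            if (identity.getFirstname() != null && identity.getLastname() != null
                    && identity.getEmail() != null) {
                args = new HashMap();
                args.put("identity", identity);
                args.put("daysRemaining", daysRemaining);
                args.put("firstName", identity.getFirstname());
                args.put("lastName", identity.getLastname());
                args.put("email", identity.getEmail());
                args.put("startDate", startDateFor);
                args.put("endDate", endDateFor);
                args.put("managerFirstName", mgrFirstName);
                args.put("managerLastName", mgrLastName);
                args.put("company", company);
            }

            options = new EmailOptions();
            options.setVariables(args);
            options.setTo(recipient);
            options.setCc(ccRecipient);

            eTemp = context.getObject(EmailTemplate.class, emailTemplate);
            if (eTemp != null) {
                context.sendEmailNotification(eTemp, options);
            } else {
                log.error("Email template not found: " + emailTemplate);
            }
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
        } finally {
            decacheQuietly(identity);
            decacheQuietly(mgr);
            decacheQuietly(eTemp);
        }
    }

    /**
     * Detaches an object from the context, tolerating null (the original
     * decached possibly-null references) and logging any failure.
     */
    private static void decacheQuietly(sailpoint.object.SailPointObject obj) {
        if (obj == null) {
            return;
        }
        try {
            context.decache(obj);
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
        }
    }

    /**
     * Finds active consultant identities whose non-disabled AD account expires
     * exactly 15 or 30 days from today and sends the "Account Expiry" mail for
     * each such account.
     */
    public static void main(String[] args) {
        // In a Rule XML body the two ampersands must be escaped (&amp;&amp;)
        // or the rule source wrapped in CDATA; as Java source they are plain.
        String filter = "(inactive == false && (type == \"consultant\"))";
        Application application = null;
        IdentityService iDS = new IdentityService(context);

        try {
            application = context.getObjectByName(Application.class, "AD");
            if (application == null) {
                log.error("Application AD not found");
                return;
            }
            QueryOptions ops = new QueryOptions();
            ops.addFilter(Filter.compile(filter));
            List<Identity> identities = context.getObjects(Identity.class, ops);
            if (identities == null || identities.isEmpty()) {
                log.debug("No Identities found...");
                return;
            }

            // Both thresholds depend only on "now": compute them once, not per link.
            Calendar cal = Calendar.getInstance();
            cal.setTime(new Date());
            cal.set(Calendar.HOUR_OF_DAY, 12);
            cal.set(Calendar.MINUTE, 0);
            cal.set(Calendar.SECOND, 0);
            cal.set(Calendar.MILLISECOND, 0);
            cal.add(Calendar.DATE, 15);
            Date todayPlus15 = cal.getTime();
            cal.add(Calendar.DATE, 15);
            Date todayPlus30 = cal.getTime();

            SimpleDateFormat dayFormat = new SimpleDateFormat(DATE_PATTERN);
            String todayPlus15Conversion = dayFormat.format(todayPlus15);
            String todayPlus30Conversion = dayFormat.format(todayPlus30);
            // NOTE(review): HH (0-23) together with aa (AM/PM) is an unusual
            // combination; confirm it matches the connector's accountExpires format.
            SimpleDateFormat expiresFormat = new SimpleDateFormat("MM/dd/yyyy HH:mm:ss aa ZZZ");

            for (Identity identity : identities) {
                List<Link> identityLinks = iDS.getLinks(identity, application);
                if (identityLinks == null) {
                    continue;
                }
                for (Link identityLink : identityLinks) {
                    if (identityLink.isDisabled()) {
                        continue;
                    }
                    Object expiresAttr = identityLink.getAttribute("accountExpires");
                    if (expiresAttr == null || expiresAttr.toString().isEmpty()
                            || expiresAttr.toString().equalsIgnoreCase("never")) {
                        continue;
                    }
                    String accountExpires = expiresAttr.toString();
                    // Parsed per link: the original kept the previous link's
                    // date when parsing failed and compared against that.
                    Date accuntExpDate;
                    try {
                        accuntExpDate = expiresFormat.parse(accountExpires);
                    } catch (ParseException e) {
                        log.error("ParseException: " + e.getMessage());
                        continue;
                    }
                    String accuntExpDateConversion = dayFormat.format(accuntExpDate);
                    if (todayPlus15Conversion.equals(accuntExpDateConversion)) {
                        sendEmail(identity.getName(), "Account Expiry", "15", todayPlus15);
                    } else if (todayPlus30Conversion.equals(accuntExpDateConversion)) {
                        sendEmail(identity.getName(), "Account Expiry", "30", todayPlus30);
                    } else {
                        log.debug("Criteria is not matched...");
                    }
                }
            }
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
        } finally {
            decacheQuietly(application);
        }
    }
}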


Wednesday, August 9, 2023

Username Generation

import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import sailpoint.api.SailPointContext;
import sailpoint.connector.Connector;
import sailpoint.connector.ConnectorFactory;
import sailpoint.object.Application;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;
import sailpoint.object.ResourceObject;
import sailpoint.tools.CloseableIterator;
import sailpoint.tools.GeneralException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

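public class UsernameGeneration {

    /** IdentityIQ persistence context supplied by the rule runner. */
    static SailPointContext context = null;

    /** Identity a username is generated for; supplied by the rule runner. */
    static Identity identity = null;

    static Log log = LogFactory.getLog("com.mighty.rule");

    /** Name of the Active Directory application queried for sAMAccountName collisions. */
    private static final String AD_APPLICATION_NAME = "AD";

    /**
     * Identity property compared by the HR uniqueness check. The original
     * passed the candidate value itself as the property name, which cannot
     * have been intended, and never attached the filter to the query.
     * NOTE(review): "name" is the property the rest of this rule keys on;
     * confirm whether a different HR-sourced attribute should be queried.
     */
    private static final String HR_USERNAME_ATTRIBUTE = "name";

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515), so
     * that characters in a user-derived name cannot change the filter's
     * structure. The original concatenated the raw name into the filter.
     *
     * @param value the raw attribute value, may be null
     * @return the escaped value, or "" for null
     */
    static String escapeLdapFilterValue(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Builds the sAMAccountName equality filter with the value escaped. */
    private static String samAccountNameFilter(String sAMAccountName) {
        return "(sAMAccountName=" + escapeLdapFilterValue(sAMAccountName) + ")";
    }

    /**
     * Iterates accounts against a copy of the AD application whose searchDN
     * attribute is replaced by {@code searchEntries} and reports whether at
     * least one account came back.
     *
     * @param context       persistence context
     * @param application   the AD application to copy
     * @param searchEntries list of maps with "searchDN" and "searchFilter" keys
     * @return true when the connector returned at least one object
     * @throws Exception any connector or persistence failure
     */
    private static boolean adSearchHasResults(SailPointContext context, Application application,
            List searchEntries) throws Exception {
        Application appCopy = (Application) application.deepCopy(context);
        appCopy.setPasswordPolicies(null);
        appCopy.setAttribute("searchDN", searchEntries);
        appCopy.setAttribute("referral", "ignore");
        appCopy.setAttribute("useHasMoreElements", true);
        // Only the raw existence check is wanted, so no customization rule runs.
        appCopy.setCustomizationRule(null);

        CloseableIterator iterator = null;
        try {
            Connector appConnector = ConnectorFactory.getConnector(appCopy, null);
            iterator = appConnector.iterateObjects(Connector.TYPE_ACCOUNT, null, null);
            return iterator != null && iterator.hasNext();
        } finally {
            if (iterator != null) {
                iterator.close();
            }
        }
    }

    /**
     * Checks the first configured AD domain for an account with the given
     * sAMAccountName.
     *
     * <p>A check that cannot be completed (missing application, no domain
     * settings, connector failure) reports the name as NOT unique, so a
     * failed lookup never hands out a possibly colliding name; the original
     * swallowed connector errors and reported the name as unique.
     *
     * @return true when no account with that name was found
     */
    static boolean issAMAccountNameUniueInAD2(SailPointContext context, String sAMAccountName) {
        if (sAMAccountName == null || sAMAccountName.isEmpty()) {
            log.debug("sAMAccountName is null / empty");
            return false;
        }
        try {
            Application application = context.getObjectByName(Application.class, AD_APPLICATION_NAME);
            if (application == null) {
                log.error("Application " + AD_APPLICATION_NAME + " not found");
                return false;
            }
            String searchDN = null;
            Object domainSettings = application.getAttributes().getMap().get("domainSettings");
            if (domainSettings instanceof List && !((List) domainSettings).isEmpty()) {
                Object first = ((List) domainSettings).get(0);
                if (first instanceof Map && ((Map) first).get("domainDN") != null) {
                    searchDN = ((Map) first).get("domainDN").toString();
                }
            }
            if (searchDN == null) {
                log.error("No domainDN configured on application " + AD_APPLICATION_NAME);
                return false;
            }
            Map setUpMap = new HashMap();
            setUpMap.put("searchDN", searchDN);
            setUpMap.put("searchFilter", samAccountNameFilter(sAMAccountName));
            // The original declared this list as null and then called add() on it.
            List dnList = new java.util.ArrayList();
            dnList.add(setUpMap);
            return !adSearchHasResults(context, application, dnList);
        } catch (Exception e) {
            log.error("Exception while checking sAMAccountName in AD: " + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks every configured AD domain for an account with the given
     * sAMAccountName. Failure semantics are as in
     * {@link #issAMAccountNameUniueInAD2}.
     *
     * @return true when no account with that name was found in any domain
     */
    static boolean issAMAccountNameUniueInAD(SailPointContext context, String sAMAccountName) {
        if (sAMAccountName == null || sAMAccountName.isEmpty()) {
            log.debug("sAMAccountName is null / empty");
            return false;
        }
        String searchFilter = samAccountNameFilter(sAMAccountName);
        try {
            Application application = context.getObjectByName(Application.class, AD_APPLICATION_NAME);
            if (application == null) {
                log.error("Application " + AD_APPLICATION_NAME + " not found");
                return false;
            }
            List domains = (List) application.getAttributes().getMap().get("domainSettings");
            // One search entry per domain, built into a separate list. The
            // original re-added each domain to the list it was iterating
            // (ConcurrentModificationException) and reused a single map.
            List dnList = new java.util.ArrayList();
            if (domains != null) {
                for (Object domainObj : domains) {
                    Object domainDN = ((Map) domainObj).get("domainDN");
                    if (domainDN == null) {
                        continue;
                    }
                    Map setUpMap = new HashMap();
                    setUpMap.put("searchDN", domainDN.toString());
                    setUpMap.put("searchFilter", searchFilter);
                    dnList.add(setUpMap);
                }
            }
            if (dnList.isEmpty()) {
                log.error("No domainDN configured on application " + AD_APPLICATION_NAME);
                return false;
            }
            return !adSearchHasResults(context, application, dnList);
        } catch (Exception e) {
            log.error("Exception while checking sAMAccountName in AD: " + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks whether no Identity with the given name exists in IdentityIQ.
     * A failed lookup reports the name as not unique.
     */
    static boolean isNameUniueInIIQ(SailPointContext context, String cubeName) {
        if (cubeName == null || cubeName.isEmpty()) {
            return false;
        }
        try {
            return context.getObjectByName(Identity.class, cubeName) == null;
        } catch (GeneralException e) {
            log.error("GeneralException" + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks whether no Identity has {@link #HR_USERNAME_ATTRIBUTE} equal to
     * the given name. A failed search reports the name as not unique.
     */
    static boolean isNameUniueInHR(SailPointContext context, String userName) {
        if (userName == null || userName.isEmpty()) {
            return false;
        }
        QueryOptions ops = new QueryOptions();
        // The original built this filter but never attached it, so the search
        // matched every identity and the name was always reported as taken.
        ops.addFilter(Filter.eq(HR_USERNAME_ATTRIBUTE, userName));
        try {
            Iterator iterator = context.search(Identity.class, ops);
            // NOTE(review): the search iterator is not flushed/closed here;
            // confirm the project's convention for context.search results.
            return !(iterator != null && iterator.hasNext());
        } catch (GeneralException e) {
            log.error("GeneralException: " + e.getMessage(), e);
            return false;
        }
    }

    /** True only when the candidate passes the AD, IdentityIQ and HR checks. */
    private static boolean isUniqueEverywhere(SailPointContext context, String candidate) {
        return issAMAccountNameUniueInAD(context, candidate)
                && isNameUniueInIIQ(context, candidate)
                && isNameUniueInHR(context, candidate);
    }

    /** Shortens {@code value} to at most {@code max} characters. */
    private static String truncate(String value, int max) {
        return value.length() > max ? value.substring(0, max) : value;
    }

    /**
     * Builds a username for an identity: the first letter of the first name
     * followed by the (shortened) last name, prefixed with "c-" for
     * consultants. On a collision, further letters of the first name are
     * added one at a time.
     *
     * <p>Employees: last name capped at 11 characters, retries capped at 12.
     * Consultants: prefix "c-", last name capped at 9, retries capped at 10.
     * The original dropped the "c-" prefix on consultant retries and, for
     * employees, looped while the name WAS unique; both are corrected here.
     *
     * @return the username, or null when the identity, its type or its names
     *         do not allow one, or when the first name is exhausted without a
     *         unique candidate
     */
    static String generateUserName(SailPointContext context, Identity identity) {
        if (identity == null || identity.getAttribute("userType") == null) {
            return null;
        }
        String type = identity.getAttribute("userType").toString();
        String prefix;
        int lastNameMax;
        int totalMax;
        if (type.equalsIgnoreCase("Employee")) {
            prefix = "";
            lastNameMax = 11;
            totalMax = 12;
        } else if (type.equalsIgnoreCase("Consultant")) {
            prefix = "c-";
            lastNameMax = 9;
            totalMax = 10;
        } else {
            return null;
        }
        if (!Util.isNotNullOrEmpty(identity.getFirstname()) || !Util.isNotNullOrEmpty(identity.getLastname())) {
            return null;
        }
        // Locale-independent lower-casing avoids locale-specific mappings (e.g. dotless i).
        String firstName = identity.getFirstname().toLowerCase(java.util.Locale.ROOT);
        String lastNameSub = truncate(identity.getLastname().toLowerCase(java.util.Locale.ROOT), lastNameMax);

        // First candidate is not truncated, as in the original.
        String retVal = prefix + firstName.substring(0, 1) + lastNameSub;
        int index = 1;
        // All three checks must pass for the same candidate. The original ran
        // them in separate loops, so a later loop could change a name an
        // earlier check had already accepted.
        while (!isUniqueEverywhere(context, retVal)) {
            if (++index > firstName.length()) {
                return null;
            }
            retVal = truncate(prefix + firstName.substring(0, index) + lastNameSub, totalMax);
        }
        return retVal;
    }

    public static void main(String[] args) {
        String sAMAccountName = null;
        generateUserName(context, identity);
        issAMAccountNameUniueInAD2(context, sAMAccountName);
    }
}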

Logs

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

// Category logger; the naming convention on this page is project.objectType.UniqueIdentifier.
Log logger = LogFactory.getLog("mighty.rule.TestLoggers");

// One message at each of four levels (presumably to see which levels are enabled for the category).
logger.info("Hi");
logger.debug("Hello");
logger.trace("Dear");
logger.error("Something serious");


Note: the log category naming convention is project.objectType.UniqueIdentifier.

Sunday, August 6, 2023

Bulk import of roles from a CSV file.

Ref: Bulk import roles from a CSV file - Compass (sailpoint.com)

Workflow Libraries

  What is a workflow library?

  • Workflow Libraries are sets of compiled Java methods accessible to workflows.
What are the workflow default libraries?
  • Identity
  • Role
  • PolicyViolation
  • LCM libraries
IdentityLibrary: This is used to
  • getManager()
  • activate, de-activate role assignment
  • Refresh Identities
  • Compiling Provisioning plan
  • Build, Assimilate Provisioning Forms
  • Auditing etc.,
IdentityRequestLibrary: This is used to
  • Create Identity Request, update Identity Request state
  • Refresh Identity Request afterApproval and Provisioning etc.,
ApprovalLibrary: This is used to
  • Get Object(Approval) owner and name
  • Get NewObject(Approval) owner and name
  • Checks whether it's a self-Approval or not etc.,
Policy Violation Library: This is used to
  • Get the remediateViolation: Remediate SOD violations by removing roles named in the remediations argument.
  • Delete the current approval object associated with this workflow.
Role Library: This is used to invoke the methods
  • Enable the role
  • Disable the role
  • buildOwnerApproval
LCM Library: All the methods are moved to a handler
  • audit
  • addLaunchMessage
  • Commit
SailPoint provides the following rule libraries:

Workflow Library: This is mostly used to get the properties of an identity
which are like displayName, email, managerName, managerEmail, and getting
value of a system configuration property.

LCM Workflow Library: This is used for assimilating WorkItem
ApprovalSet, performs auditing for actions like forward, comment on workItem
and for filtering ApprovalSet.

Approval Library: This is used for getting a list of Approval owners, Role
owner, manager from a provisioning plan, etc.,

LCM Top-Level Workflows

The following workflows are default LCM workflows:

  1. LCM Provisioning
  2. LCM Manage Passwords
  3. LCM Create and Update
  4. LCM Registration





 

Fetch Members from Workgroup

  import java.util.ArrayList;   import java.util.Iterator;   import java.util.List;   import sailpoint.api.ObjectUtil;   import sailpoint.ob...