Saturday, August 31, 2019

Hiding Filter Attributes From Request Access, Manage Access Page in SailPoint IdentityIQ


Hiding filter attributes from the Request Access --> Manage Access page using a plugin.
Create the folder structure below and put the code given for each file in place. In expAccessSerachFilter.js the JavaScript hides three OOTB (out-of-the-box) filter attributes: Role Type, Entitlement Attribute and Entitlement Owner. The same approach hides any extended attribute of the ManagedAttribute that is exposed as a filter on that page.

│  
├───AccessRequestAccessFilter
│   │   manifest.xml
│   │  
│   ├───jars
│   └───ui
│       ├───images
│       └───js
│               expAccessSerachFilter.js

                

manifest.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Plugin PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Plugin name="AccessRequestAccessFilter" displayName="AccessRequestAccessFilter" disabled="false" version="0.0.1.0" minSystemVersion="7.1" maxSystemVersion="7.4"
  certificationLevel="None">
  <Attributes>
    <Map>
      <entry key="snippets">
        <value>
          <List>
            <Snippet regexPattern=".*" rightRequired="">
              <Scripts>
                <String>ui/js/expAccessSerachFilter.js</String>
              </Scripts>
            </Snippet>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Plugin>


expAccessSerachFilter.js

jQuery(document).ready(function () {
    // The Manage Access page renders its filter panel after the page has
    // loaded, so watch the DOM for the filter controls being added instead
    // of looking for them once at ready() time.
    var MutationObserver = window.MutationObserver || window.WebKitMutationObserver || window.MozMutationObserver;

    // Filter controls to hide, matched on the aria label IdentityIQ puts on
    // the control. Add further entries here to hide extended attributes of
    // the ManagedAttribute.
    var hiddenFilters = [
        "sp-object-suggest[sp-button-aria-label='Role Type']",
        "sp-object-multi-suggest[sp-button-aria-label='Entitlement Attribute']",
        "sp-object-suggest[sp-button-aria-label='Entitlement Owner']"
    ];

    var observer = new MutationObserver(function (mutations) {
        mutations.forEach(function (mutation) {
            for (var i = 0; i < mutation.addedNodes.length; i++) {
                // Only act once the filter panel itself is in the DOM.
                if (!jQuery("[id*='itemsFilterPanel']").length) {
                    continue;
                }
                var added = jQuery(mutation.addedNodes[i]);
                hiddenFilters.forEach(function (selector) {
                    if (added.find(selector).length) {
                        // Hide the whole filter row (three levels above the control).
                        jQuery(selector).parent().parent().parent().hide();
                    }
                });
            }
        });
    });

    observer.observe(document, { childList: true, subtree: true, attributes: false });
});

Zip the plugin with the structure above and install it as a plugin from the UI:
Log in to IdentityIQ --> Gear --> Plugins --> New --> "Drag and drop a file or click in this box to install a plugin".
After the install, log out and log back in; the filter panel on the Manage Access page then no longer shows the three attributes.

Two things to keep in mind. The snippet is declared with regexPattern=".*" and an empty rightRequired, so IdentityIQ injects the script into every page for every user; narrowing the pattern to the Manage Access page limits where it runs. And this is a UI change only: the controls are hidden in the browser after the page renders, while the server still accepts the same filter parameters, so it removes clutter but is not an access control.



Friday, August 30, 2019

SQL ACCESS REVIEW CERTIFICATION DETAILS SAILPOINT IDENTITY IQ

This query returns the access reviews assigned to a reviewer. It contains the basic information of each access review only, not the details of the identities being reviewed.

SELECT
   SPT_CERTIFICATION_DEFINITION.NAME AS "CERTIFICATION DEFINITION NAME",
   SPT_CERTIFICATION.SHORT_NAME AS "CERTIFICATION NAME",
   -- Timestamps are stored as milliseconds since 1970-01-01 UTC. The
   -- TO_DATE arithmetic is Oracle syntax; other databases need their own
   -- epoch conversion.
   TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + SPT_CERTIFICATION.ACTIVATED / 1000 / 60 / 60 / 24 AS "ACTIVATED DATE",
   TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + SPT_CERTIFICATION.EXPIRATION / 1000 / 60 / 60 / 24 AS "EXPIRATION DATE",
   TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + SPT_CERTIFICATION.SIGNED / 1000 / 60 / 60 / 24 AS "SIGNED DATE",
   SPT_CERTIFICATION.MANAGER AS "ASSIGNED TO USER",
   SPT_IDENTITY.EMAIL AS "ASSIGNED USER EMAIL",
   SPT_CERTIFICATION.TOTAL_ENTITIES AS "TOTAL IDENTITY INCLUDED",
   SPT_CERTIFICATION.EXCLUDED_ENTITIES AS "TOTAL IDENTITY EXCLUDED",
   SPT_CERTIFICATION.COMPLETED_ENTITIES AS "COUNT ACTION TAKEN ON IDENTITY",
   SPT_CERTIFICATION.PERCENT_COMPLETE AS "PERCENTAGE ACTION TAKEN ON IDENTITY",
   SPT_CERTIFICATION.CERTIFIED_ENTITIES,
   SPT_CERTIFICATION.TOTAL_ITEMS AS "TOTAL ITEMS ASSIGNED",
   SPT_CERTIFICATION.EXCLUDED_ITEMS AS "TOTAL ITEMS EXCLUDED",
   SPT_CERTIFICATION.COMPLETED_ITEMS AS "COUNT ACTION TAKEN ON ITEM",
   SPT_CERTIFICATION.ITEM_PERCENT_COMPLETE AS "PERCENTAGE ACTION TAKEN ON ITEM",
   SPT_CERTIFICATION.CERTIFIED_ITEMS,
   SPT_CERTIFICATION.REMEDIATIONS_KICKED_OFF,
   SPT_CERTIFICATION.REMEDIATIONS_COMPLETED
FROM
   SPT_CERTIFICATION
   -- Reviewer: MANAGER holds the certifier's identity name
   JOIN SPT_IDENTITY
     ON SPT_IDENTITY.NAME = SPT_CERTIFICATION.MANAGER
   -- Access review -> certification (group) -> certification definition
   JOIN SPT_CERTIFICATION_GROUPS
     ON SPT_CERTIFICATION_GROUPS.CERTIFICATION_ID = SPT_CERTIFICATION.ID
   JOIN SPT_CERTIFICATION_GROUP
     ON SPT_CERTIFICATION_GROUP.ID = SPT_CERTIFICATION_GROUPS.GROUP_ID
   JOIN SPT_CERTIFICATION_DEFINITION
     ON SPT_CERTIFICATION_DEFINITION.ID = SPT_CERTIFICATION_GROUP.CERTIFICATION_DEFINITION
WHERE
   SPT_CERTIFICATION.CERTIFICATION_DEFINITION_ID = SPT_CERTIFICATION_DEFINITION.ID
   AND SPT_CERTIFICATION_GROUP.NAME = '<CERTIFICATION NAME>'


The same query can be extended with more details, such as extended attributes from the identity. Note that SPT_CERTIFICATION.MANAGER is populated for manager certifications; for certification types whose certifiers are stored elsewhere it can be empty, and the inner join on SPT_IDENTITY then drops those access reviews from the result.

SPT_CERTIFICATION_DEFINITION - the certification definition
SPT_CERTIFICATION_GROUP - the certification details
SPT_CERTIFICATION_GROUPS - links a certification to its access reviews
SPT_CERTIFICATION - access review details; does not include the actioned identity details

Thursday, August 29, 2019

SQL IDENTITY ENTITLEMENT DETAILS SAILPOINT IDENTITY IQ

This query lists all entitlements held by a particular user:

SELECT SPT_IDENTITY.NAME AS "USER ID",
       SPT_APPLICATION.NAME AS "APPLICATION NAME",
       SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY AS "ACCOUNT ID",
       SPT_IDENTITY_ENTITLEMENT.VALUE AS "ENTITLEMENT VALUE"
  FROM SPT_IDENTITY_ENTITLEMENT
  JOIN SPT_IDENTITY
    ON SPT_IDENTITY.ID = SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID
  JOIN SPT_APPLICATION
    ON SPT_APPLICATION.ID = SPT_IDENTITY_ENTITLEMENT.APPLICATION
  -- Match the catalog entry on application, attribute name and value.
  -- Matching on the value alone duplicates rows when two entitlement
  -- attributes of one application share a value. The inner join also
  -- drops entitlements that have no entry in the entitlement catalog.
  JOIN SPT_MANAGED_ATTRIBUTE
    ON SPT_MANAGED_ATTRIBUTE.APPLICATION = SPT_IDENTITY_ENTITLEMENT.APPLICATION
   AND SPT_MANAGED_ATTRIBUTE.ATTRIBUTE = SPT_IDENTITY_ENTITLEMENT.NAME
   AND SPT_MANAGED_ATTRIBUTE.VALUE = SPT_IDENTITY_ENTITLEMENT.VALUE
 WHERE SPT_IDENTITY.CORRELATED = '1'   -- correlated identities only, no orphans
   AND SPT_IDENTITY.NAME = '<NAME ATTRIBUTE>'



The same query without the name filter lists the entitlements of all users:

SELECT SPT_IDENTITY.NAME AS "USER ID",
       SPT_APPLICATION.NAME AS "APPLICATION NAME",
       SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY AS "ACCOUNT ID",
       SPT_IDENTITY_ENTITLEMENT.VALUE AS "ENTITLEMENT VALUE"
  FROM SPT_IDENTITY_ENTITLEMENT
  JOIN SPT_IDENTITY
    ON SPT_IDENTITY.ID = SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID
  JOIN SPT_APPLICATION
    ON SPT_APPLICATION.ID = SPT_IDENTITY_ENTITLEMENT.APPLICATION
  JOIN SPT_MANAGED_ATTRIBUTE
    ON SPT_MANAGED_ATTRIBUTE.APPLICATION = SPT_IDENTITY_ENTITLEMENT.APPLICATION
   AND SPT_MANAGED_ATTRIBUTE.ATTRIBUTE = SPT_IDENTITY_ENTITLEMENT.NAME
   AND SPT_MANAGED_ATTRIBUTE.VALUE = SPT_IDENTITY_ENTITLEMENT.VALUE
 WHERE SPT_IDENTITY.CORRELATED = '1'   -- correlated identities only, no orphans
 ORDER BY SPT_IDENTITY.NAME, SPT_APPLICATION.NAME, SPT_IDENTITY_ENTITLEMENT.VALUE


The same query can be extended with more details, such as extended attributes from the entitlement catalog (SPT_MANAGED_ATTRIBUTE) or the identity attributes (SPT_IDENTITY).


SPT_IDENTITY_ENTITLEMENT --> the relation between an identity and its entitlements
SPT_MANAGED_ATTRIBUTE --> the entitlement catalog (managed attribute details)
SPT_APPLICATION --> the application details
SPT_IDENTITY --> the identity attributes of each user

Saturday, August 3, 2019

FeaturesString Available in SailPoint IdentityIQ


Connector Features Supported 


The Application object has a Feature enumeration, specified in the featuresString attribute of the application definition, which controls the functionality available through the connector: it tells IdentityIQ which operations the connector is configured to support.

The possible values of featuresString (Application.Feature) and what each one means:

ACCOUNT_ONLY_REQUEST - The application supports requesting accounts without entitlements.
ADDITIONAL_ACCOUNT_REQUEST - The application supports requesting additional accounts.
AUTHENTICATE - The application supports pass-through authentication.
COMPOSITE - The application supports composite application creation.
CURRENT_PASSWORD - Some application types support verification of the current password.
DIRECT_PERMISSIONS - The application supports returning DirectPermissions.
DISCOVER_SCHEMA - The application supports discovering schemas for users and groups.
ENABLE - The application supports reading whether an account is enabled or disabled.
GROUPS_HAVE_MEMBERS - The application models group memberships with a member attribute on the group object rather than a groups attribute on the account object.
MANAGER_LOOKUP - The application supports looking up managers as they are encountered in a feed.
NO_AGGREGATION - The application does not support aggregation.
NO_PERMISSIONS_PROVISIONING - The connector cannot provision direct or target permissions for accounts.
NO_RANDOM_ACCESS - The application does not support random access; the getObject() methods should not be called and expected to perform.
PASSWORD - The application can provision password changes.
PROVISIONING - The application can both read and write accounts.
PROXY - The application can serve as a proxy for another application.
SEARCH
SYNC_PROVISIONING - The application can provision accounts synchronously.
UNLOCK - The application supports reading whether an account is locked or unlocked.
UNSTRUCTURED_TARGETS - The application supports returning unstructured Targets.
The featuresString value of the OOTB Active Directory connector, as it appears in the application definition:

featuresString="PROVISIONING, SYNC_PROVISIONING, AUTHENTICATE, MANAGER_LOOKUP, SEARCH, UNSTRUCTURED_TARGETS, UNLOCK, ENABLE, PASSWORD, CURRENT_PASSWORD"
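As an added example covering both the feature list and the Active Directory values above (not code from the post or from SailPoint): a script that reads the featuresString of each Application in an exported XML file, flags values that are not in the documented enumeration (typos are otherwise easy to miss) and reports drift from a per-application baseline, calling out write features (PROVISIONING, SYNC_PROVISIONING, PASSWORD, per the descriptions above) on a connector that is supposed to aggregate only. The export, the application names and the HR Feed values are constructed for the example; the featuresString attribute name and the feature values come from the post.

```python
"""Audit the featuresString of exported IdentityIQ Application objects against
the documented feature list and a per-application baseline.  Added example,
not code from the post or from SailPoint; the XML export below is
constructed for the example."""
import xml.etree.ElementTree as ET

# Application.Feature values listed in the post.
KNOWN_FEATURES = {
    "ACCOUNT_ONLY_REQUEST", "ADDITIONAL_ACCOUNT_REQUEST", "AUTHENTICATE", "COMPOSITE",
    "CURRENT_PASSWORD", "DIRECT_PERMISSIONS", "DISCOVER_SCHEMA", "ENABLE",
    "GROUPS_HAVE_MEMBERS", "MANAGER_LOOKUP", "NO_AGGREGATION",
    "NO_PERMISSIONS_PROVISIONING", "NO_RANDOM_ACCESS", "PASSWORD", "PROVISIONING",
    "PROXY", "SEARCH", "SYNC_PROVISIONING", "UNLOCK", "UNSTRUCTURED_TARGETS",
}

# Features whose description in the post is writing to the target (provisioning
# accounts or passwords).  A connector meant only to aggregate should not carry them.
WRITE_FEATURES = {"PROVISIONING", "SYNC_PROVISIONING", "PASSWORD"}

# featuresString of the OOTB Active Directory connector, from the post.
AD_OOTB_FEATURES = {
    "PROVISIONING", "SYNC_PROVISIONING", "AUTHENTICATE", "MANAGER_LOOKUP", "SEARCH",
    "UNSTRUCTURED_TARGETS", "UNLOCK", "ENABLE", "PASSWORD", "CURRENT_PASSWORD",
}

# Constructed sample export: the application names and the HR Feed values are
# made up; the second entry carries a typo and a write feature it should not have.
SAMPLE_EXPORT = """<sailpoint>
  <Application name="Corporate AD" type="Active Directory - Direct"
      featuresString="PROVISIONING, SYNC_PROVISIONING, AUTHENTICATE, MANAGER_LOOKUP, SEARCH, UNSTRUCTURED_TARGETS, UNLOCK, ENABLE, PASSWORD, CURRENT_PASSWORD"/>
  <Application name="HR Feed" type="DelimitedFile"
      featuresString="PROVISIONING, NO_RANDOM_ACCESS, MANGER_LOOKUP"/>
</sailpoint>
"""


def parse_features(features_string):
    """Split a comma-separated featuresString into a set of feature names."""
    return {f.strip() for f in (features_string or "").split(",") if f.strip()}


def audit_features(features, expected):
    """Compare one application's features with its expected set and return the
    findings in the order: unknown values, missing values, unexpected values."""
    findings = []
    unknown = features - KNOWN_FEATURES
    for f in sorted(unknown):
        findings.append("unknown feature " + f)
    for f in sorted(expected - features):
        findings.append("missing expected feature " + f)
    for f in sorted(features - expected - unknown):
        kind = "write feature" if f in WRITE_FEATURES else "feature"
        findings.append("unexpected %s %s" % (kind, f))
    return findings


def audit_export(xml_text, expected_by_app):
    """Return {application name: findings} for every Application in an export.
    Applications without a baseline are only checked for unknown values."""
    results = {}
    for app in ET.fromstring(xml_text).iter("Application"):
        name = app.get("name")
        features = parse_features(app.get("featuresString"))
        results[name] = audit_features(features, expected_by_app.get(name, features))
    return results


if __name__ == "__main__":
    baselines = {"Corporate AD": AD_OOTB_FEATURES,
                 "HR Feed": {"NO_RANDOM_ACCESS", "MANAGER_LOOKUP"}}
    for app_name, findings in audit_export(SAMPLE_EXPORT, baselines).items():
        print(app_name, "->", findings or "ok")
```

Keep the baselines in version control next to the application XML and run the audit on every export; the AD entry matches its OOTB set and reports nothing, while the HR feed reports the typo, the feature it lost to the typo, and the PROVISIONING it should not have.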