Wednesday, January 22, 2020

Sailpoint Rule - AfterProvisioning Rule

Sailpoint Identity IQ IIQ Rule - AfterProvisioning Rule

Creating an AfterProvisioning Rule and sending the details by email

The code below does the following:

1. Reads all the required constant values from the custom object
2. Sends an email to the user's manager and to the user with the details once the account creation succeeds.
3. Sends an email to the user and the user's manager with the error details if the account creation fails.
4. Also includes the request ID.


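<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Active Directory PH Accounts After Provisioning Rule" type="AfterProvisioning">
  <Description>An IdentityIQ server-side rule that is executed after the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan AFTER it has been sent out to the specific applications. 

    This rule will be called for any application found in a plan that also has a configured 'afterProvisioningRule' configured.</Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="plan">
        <Description>
          The ProvisioningPlan object on its way to the Connector.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The application object that references this before/after script.
        </Description>
      </Argument>
      <Argument name="result">
        <Description>
          The ProvisioningResult object returned by the connectors provision method. This can be null and in many cases the connector will  not return a result and instead will annotate the plan's ProvisioningResult either at the plan or account level.        
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
  <![CDATA[
  import java.util.List;
  import java.util.Map;
  import java.util.HashMap;
  import sailpoint.object.Identity;
  import sailpoint.object.EmailOptions;
  import sailpoint.object.EmailTemplate;
  import sailpoint.tools.GeneralException;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningResult;
  import sailpoint.object.ProvisioningPlan.AccountRequest;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;

  // Deployment-specific names used by this rule. Only Create requests for
  // TARGET_APPLICATION in an LCM-sourced plan are handled; everything else
  // in the plan is ignored.
  String TARGET_APPLICATION = "Active Directory PH Accounts";
  String CREATE_TEMPLATE = "Active Directory PH Accounts Joiner AD Account Creation Notification";
  String FAILURE_TEMPLATE = "Active Directory PH Accounts Joiner AD Failure Notification";

  Log log = LogFactory.getLog("rule.afterProvisioningRule");
  log.debug("Entering After Provisioning Rule");

  // Looks up an EmailTemplate by name and sends it to a single recipient.
  // A missing recipient, a missing template or a send failure is logged and
  // does not abort the rule, so a notification problem never masks the
  // provisioning outcome that was already committed to the connector.
  void sendNotification(String templateName, String recipient, Map vars) {
    if (recipient == null || recipient.trim().length() == 0) {
      log.warn("No recipient email address, skipping notification: " + templateName);
      return;
    }
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, templateName);
    if (template == null) {
      log.warn("Email template not found, skipping notification: " + templateName);
      return;
    }
    EmailOptions options = new EmailOptions();
    options.setTo(recipient);
    options.setVariables(vars);
    try {
      context.sendEmailNotification(template, options);
    } catch (GeneralException e) {
      log.error("Failed to send notification '" + templateName + "': " + e.getMessage(), e);
    }
  }

  // Returns the account-level ProvisioningResult when the connector set one,
  // otherwise falls back to the plan-level result (the Signature notes the
  // connector may annotate either level).
  ProvisioningResult resultFor(AccountRequest accountRequest) {
    ProvisioningResult res = accountRequest.getResult();
    if (res == null) {
      res = plan.getResult();
    }
    return res;
  }

  // NOTE(review): plainPassword is never assigned anywhere in this rule, so the
  // creation template always receives an empty "password" variable. If a
  // credential is really expected here it would have to be taken from the plan;
  // emailing a plaintext password is a risk in itself, so confirm the template
  // actually needs it before wiring one in.
  String plainPassword = "";
  String usersAMAccountName = "";

  // Null-check the plan before touching it: the original called
  // plan.getSource() one line before its own null check.
  if (plan == null) {
    log.debug("No plan supplied, nothing to do");
  } else if (!"LCM".equals(plan.getSource())) {
    log.debug("Plan Source " + plan.getSource() + " is not LCM, skipping");
  } else {
    Identity identity = plan.getIdentity();
    if (identity == null) {
      log.debug("Plan has no identity, skipping notifications");
    } else {
      log.debug("Identity " + identity.getName());
      String userEmail = identity.getEmail();
      log.debug("userEmail " + userEmail);

      // The request id is a plan argument; tolerate its absence instead of
      // failing on toString() of a null.
      Object reqId = plan.get("identityRequestId");
      String identityRequest = (reqId != null) ? reqId.toString() : "";
      log.debug("identityRequest of the user from the privilege After Provisioning : " + identityRequest);

      List requests = plan.getAccountRequests(TARGET_APPLICATION);
      if (requests != null) {
        for (AccountRequest accountRequest : requests) {
          if (!AccountRequest.Operation.Create.equals(accountRequest.getOperation())) {
            continue;
          }
          ProvisioningResult acctResult = resultFor(accountRequest);
          String status = (acctResult != null) ? acctResult.getStatus() : null;
          log.debug("Operation " + accountRequest.getOperation());
          log.debug("status " + status);

          AttributeRequest samReq = accountRequest.getAttributeRequest("sAMAccountName");
          if (samReq != null && samReq.getValue() != null) {
            usersAMAccountName = samReq.getValue().toString();
            log.debug("sAMAccount Name from the provisioning rule : " + usersAMAccountName);
          }

          // Variables common to both templates.
          Map args = new HashMap();
          args.put("identity", identity);
          args.put("samAccountType", usersAMAccountName);

          if (status == null) {
            log.debug("No provisioning result for the request, no notification sent");
          } else if (ProvisioningResult.STATUS_COMMITTED.equalsIgnoreCase(status)) {
            args.put("password", plainPassword);
            args.put("userReqID", identityRequest);
            sendNotification(CREATE_TEMPLATE, userEmail, args);
          } else if (ProvisioningResult.STATUS_FAILED.equalsIgnoreCase(status)) {
            // A failed result may carry no error list at all; the original
            // indexed getErrors().get(0) unconditionally.
            List errors = acctResult.getErrors();
            String adError = "No error details returned by the connector";
            if (errors != null && !errors.isEmpty()) {
              adError = errors.get(0).getKey();
            }
            args.put("adError", adError);
            sendNotification(FAILURE_TEMPLATE, userEmail, args);
          }
        }
      }
    }
  }
  log.debug("Exiting After Provisioning Rule");
   ]]>
  </Source>
</Rule>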

Sailpoint Rule - FieldValue Rule

Sailpoint Identity IQ  IIQ Rule FieldValue Rule


Creating a FieldValue Rule to populate a field value in the provisioning policy.

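<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Active Directory PH Accounts Field Value Rule" type="FieldValue">
  <Description>This rule can be used to generate a field value (eg - an account name) using data from the given Identity. If this rule is run in the context of a workflow step then the arguments passed into the step will also be available. Also, any field values that have been processed so far from the policy related to the Application/Role will be available.</Description>

  <Signature returnType="String">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity" type="Identity">
        <Description>
          The Identity object that represents the user needing the field value.
        </Description>
      </Argument>
      <Argument name="link" type="Link">
        <Description>
          The sailpoint.object.Link that is being acted upon. If the link is not applicable,
          this value will be null.
        </Description>
      </Argument>
      <Argument name="group" type="ManagedAttribute">
        <Description>
          The sailpoint.object.ManagedAttribute that is being acted upon. If the managed attribute
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="project" type="ProvisioningProject">
        <Description>
          The provisioning project being acted upon. If a provisioning project is not applicable,
          the value will be null.
        </Description>
      </Argument>
      <Argument name="accountRequest" type="ProvisioningPlan.AccountRequest">
        <Description>
          The account request. If an account request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="objectRequest" type="ProvisioningPlan.ObjectRequest">
        <Description>
          The object request. If an object request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="role" type="Bundle">
        <Description>
          The role with the template we are compiling. If the role is
          not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="application" type="Application">
        <Description>
          The sailpont.object.Application with the template we are compiling. If the application
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="template" type="Template">
        <Description>
          The Template that contains this field.
        </Description>
      </Argument>
      <Argument name="field" type="Field">
        <Description>
          The current field being computed.
        </Description>
      </Argument>
      <Argument name="current" type="Object">
        <Description>
          The current value corresponding to the identity or account attribute that the field represents.
          If no current value is set, this value will be null.
        </Description>
      </Argument>
      <Argument name="operation" type="ProvisioningPlan.Operation">
        <Description>
          The operation being performed.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="value">
        <Description>
          The string value created.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
  <![CDATA[
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import sailpoint.object.Field;
  import sailpoint.object.Identity;

  // Directory constants for this deployment. Kept in one place so the DN
  // container and UPN suffix are not repeated inside the switch cases.
  String ACCOUNT_OU_DN = "OU=Accounts,DC=corp,DC=staging";
  String UPN_SUFFIX = "@corp.staging";

  Log log = LogFactory.getLog("rule.fieldValueRule");
  log.debug("Entering FieldValue Rule");

  // Escapes one RDN attribute value per RFC 4514 so that a display name taken
  // from identity data cannot alter the DN structure. The original only
  // escaped commas; '\', '+', '"', '<', '>' and ';' must also be escaped,
  // as must a leading '#' or space and a trailing space.
  String escapeRdnValue(String raw) {
    if (raw == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < raw.length(); i++) {
      char c = raw.charAt(i);
      if (c == '\\' || c == ',' || c == '+' || c == '"' || c == '<' || c == '>' || c == ';') {
        sb.append('\\');
      }
      sb.append(c);
    }
    String escaped = sb.toString();
    if (escaped.startsWith("#") || escaped.startsWith(" ")) {
      escaped = "\\" + escaped;
    }
    if (escaped.endsWith(" ")) {
      escaped = escaped.substring(0, escaped.length() - 1) + "\\ ";
    }
    return escaped;
  }

  String value = "";
  if (field == null || field.getName() == null || identity == null) {
    // Nothing sensible can be computed without a field name and an identity.
    log.warn("field or identity is null, returning empty value");
    return value;
  }
  String fieldName = field.getName();
  log.debug("determining value for the field: " + fieldName);

  switch (fieldName) {

    case "distinguishedName":
      // The original concatenated "CN=<name>" straight onto "OU=..." with no
      // separating comma, which produces an invalid DN.
      value = "CN=" + escapeRdnValue(identity.getDisplayName()) + "," + ACCOUNT_OU_DN;
      break;

    case "sAMAccountName":
      value = identity.getStringAttribute("name");
      break;

    case "userPrincipalName":
      value = identity.getStringAttribute("name") + UPN_SUFFIX;
      break;

    case "password":
      // generatePassword() is not defined in this rule; presumably it comes
      // from a referenced rule library — confirm, otherwise evaluation fails here.
      value = generatePassword();
      break;

    case "givenName":
      value = identity.getFirstname();
      break;

    case "sn":
      value = identity.getLastname();
      break;

    case "middleName":
      // IDENTITY_MIDDLE_NAME is likewise not defined in this rule; presumably a
      // library constant naming the identity attribute — confirm.
      value = identity.getStringAttribute(IDENTITY_MIDDLE_NAME);
      break;

    case "displayName":
      value = identity.getDisplayName();
      break;

    case "cn":
      value = identity.getDisplayName();
      break;

    case "extensionAttribute1":
      value = identity.getStringAttribute("employeeNumber");
      break;

    default:
      // Unknown field: leave value empty, same as the original.
      break;
  }

  log.debug("setting value: " + value);
  log.debug("Exiting FieldValue Rule");
  return value;
  ]]>
  </Source>
</Rule>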

Sunday, January 12, 2020

Sailpoint Identity IQ SQL Quicklink Dynamic Scope and Quicklink Details

Sailpoint Identity IQ SQL Quicklink Dynamic Scope and Quicklink Details 

This query returns the details of each Quicklink Population (Dynamic Scope) and Quicklink: the condition for each population,
the scope of the membership criteria, and the scope for Entitlement, Application and Role requests.


-- Quicklink populations (dynamic scopes) joined to the quicklink they are
-- granted on, restricted to the 'Request Access' quicklink.
SELECT ds.NAME                          AS "Quicklink Population",
       ds.DESCRIPTION                   AS "Quicklink Population Description",
       ds.ALLOW_ALL                     AS "Membership is ALL",
       ds.SELECTOR                      AS "Membership criteria",
       ds.POPULATION_REQUEST_AUTHORITY  AS "Who can members request for",
       ds.ROLE_REQUEST_CONTROL          AS "What can request Role",
       ds.APPLICATION_REQUEST_CONTROL   AS "What can request Application",
       ds.MANAGED_ATTR_REQUEST_CONTROL  AS "What can request Entitlements",
       ql.NAME                          AS "Quicklink Name",
       ql.CATEGORY                      AS "Quicklink Category",
       ql.ACTION                        AS "Quicklink Action",
       ql.ARGUMENTS,
       qlo.ALLOW_BULK,
       qlo.ALLOW_OTHER,
       qlo.ALLOW_SELF,
       qlo.OPTIONS
  FROM SPT_DYNAMIC_SCOPE ds
  JOIN SPT_QUICK_LINK_OPTIONS qlo ON qlo.DYNAMIC_SCOPE = ds.ID
  JOIN SPT_QUICK_LINK ql          ON ql.ID = qlo.QUICK_LINK
 WHERE ql.NAME = 'Request Access'

SPT_DYNAMIC_SCOPE - Quicklink Population details
SPT_QUICK_LINK - Quicklink details
SPT_QUICK_LINK_OPTIONS - Quicklink options for each quicklink

Monday, January 6, 2020

Sailpoint IIQ Quicklink External WebPage

Sailpoint Identity IQ Quicklink to call External WebPage


Creating a custom QuickLink population to call an external web page with a few inputs is fairly straightforward. The following 4 steps can be used to set it up successfully.

1. Modify the System Configuration object from the debug page to add a separate category (Custom) under the menu and in the Quicklink population. Follow the link

– search for the entry key quickLinkCategories and add the line below as one of the list values.

2. Import the file below using the Import Utility.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- External quicklink: opens the fixed "url" below together with the
       entries listed under "parameters". The target URL is a literal set at
       import time, not something taken from user input. -->
  <QuickLink name="AustinTemperature"
             action="external"
             enabled="true"
             messageKey="Show Austin Weather"
             category="Custom">
    <Attributes>
      <Map>
        <entry key="url" value="https://www.yahoo.com/news/weather/united-states/texas/austin-2357536"/>
        <entry key="parameters">
          <value>
            <Map>
              <entry key="w" value="12789690"/>
              <entry key="u" value="f"/>
              <!-- "v" is produced by a Script rather than a literal; this
                   sample just returns a constant string. Presumably evaluated
                   when the link is rendered - confirm against the IIQ version in use. -->
              <entry key="v">
                <value>
                  <Script>
                    <Source>
                      return "script_parameter";
                    </Source>
                  </Script>
                </value>
              </entry>
            </Map>
          </value>
        </entry>
      </Map>
    </Attributes>
    <!-- Granted to the "Everyone" DynamicScope with allowSelf only; no
         allowOther / allowBulk is set here. -->
    <QuickLinkOptions allowSelf="true">
      <DynamicScopeRef>
        <Reference class="sailpoint.object.DynamicScope" name="Everyone"/>
      </DynamicScopeRef>
    </QuickLinkOptions>
  </QuickLink>
</sailpoint>

3. Log out and log in again to see the Quicklink under the Custom category.










4. Once you click the Quicklink, it opens the external site with the input parameters.