Saturday, July 17, 2021

Sailpoint IdentityIQ - Policy Violation Rule

Policy Violation Rule — this rule is used to format a PolicyViolation object.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="VIS Policy Violation Rule" type="Violation">
  <Description>This rule is used to format a PolicyViolation object.</Description>
  <Signature returnType="PolicyViolation">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity">
        <Description>
          The Identity in violation.
        </Description>
      </Argument>
      <Argument name="policy">
        <Description>
          The Policy being violated.
        </Description>
      </Argument>
      <Argument name="constraint">
        <Description>
          The Constraint being violated.
        </Description>
      </Argument>
      <Argument name="violation">
        <Description>
          The PolicyViolation object.
        </Description>
      </Argument>
      <Argument name="state">
        <Description>
          A Map containing state information.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="violation">
        <Description>
          The formatted PolicyViolation object.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
  import java.util.List;
  import sailpoint.api.PolicyUtil;
  import sailpoint.api.PolicyUtil.EntitlementSummary;
  import sailpoint.api.PolicyUtil.RoleSummary;
  import sailpoint.api.PolicyUtil.ApplicationSummary;
  import sailpoint.api.PolicyUtil.ItemSummary;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;
  import sailpoint.object.Attributes;
  import sailpoint.object.Filter;
  import sailpoint.object.ManagedAttribute;
  import sailpoint.object.QueryOptions;

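  /**
   * Looks up the ManagedAttribute whose value equals entitlementDNValue on the named application.
   *
   * Both predicates are built as Filter objects, so the value coming from the violation summary is
   * never concatenated into a query string.
   *
   * @param entitlementDNValue the raw entitlement value as stored on the ManagedAttribute
   * @param appName            the name of the application the entitlement belongs to
   * @return the matching ManagedAttribute, or null when the query returns no rows; when several rows
   *         match, the last row returned by the (unordered) query is used, as the original loop did
   */
  public ManagedAttribute getOriginalEntitlementObject(String entitlementDNValue, String appName) {
    customLog.debug("Entering getOriginalEntitlementObject : " + entitlementDNValue + " : " + appName);

    QueryOptions qo = new QueryOptions();
    qo.add(Filter.and(Filter.eq("value", entitlementDNValue), Filter.eq("application.name", appName)));

    // Guard against a null result so an empty lookup degrades to "not found" rather than an exception.
    List entitlements = context.getObjects(ManagedAttribute.class, qo);
    int count = (entitlements == null) ? 0 : entitlements.size();
    customLog.debug("getOriginalEntitlementObject : size is " + count);

    ManagedAttribute managedAttribute = null;
    if (count != 0) {
      // The original loop overwrote the result on every iteration, i.e. it returned the last row.
      managedAttribute = (ManagedAttribute) entitlements.get(count - 1);
    }
    customLog.debug("Exiting getOriginalEntitlementObject: " + managedAttribute);
    return managedAttribute;
  }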

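  /**
   * Resolves the text shown for one entitlement value on the given application.
   *
   * @param value   the raw entitlement value taken from the violation summary
   * @param appName the application the entitlement belongs to
   * @return the ManagedAttribute display name, or the raw value when no ManagedAttribute is found or
   *         it has no display name (the original code dereferenced a null lookup result here)
   */
  private String displayNameFor(String value, String appName) {
    ManagedAttribute managedAttribute = getOriginalEntitlementObject(value, appName);
    if (managedAttribute == null) {
      return value;
    }
    String displayName = managedAttribute.getDisplayName();
    return (displayName == null) ? value : displayName;
  }

  /**
   * Appends a human-readable summary of one ApplicationSummary (account attributes, then
   * permissions) to b; the finished buffer becomes the PolicyViolation description.
   *
   * @param b   the buffer being built for violation.setDescription
   * @param app one application summary from PolicyUtil.summarizeViolationEntitlements
   */
  private void summarizeApp(StringBuilder b, ApplicationSummary app) {
    List atts = app.attributes;
    if (atts != null) {
      if (!atts.isEmpty()) {
        customLog.debug("app.name: " + app.name);
        b.append(" account on: [" + app.name);
        boolean firstAttribute = true;
        for (ItemSummary as : atts) {
          if (!firstAttribute) {
            b.append(" ");
          }
          firstAttribute = false;
          customLog.debug("as.name: " + as.name);
          List values = as.values;
          customLog.debug("as.values: " + values);
          if (values == null) {
            b.append("null");
          }
          else if (values.size() == 1) {
            // Single value: quote it once (the original emitted a doubled opening quote).
            String name = displayNameFor(values.get(0).toString(), app.name);
            customLog.debug("summarizeApp: " + name);
            b.append(" with entitlements as: '").append(name).append("'");
          }
          else if (!values.isEmpty()) {
            // Several values: comma-separated inside one pair of quotes, no trailing separator.
            b.append(" with entitlements as: '");
            boolean firstValue = true;
            for (Object value : values) {
              if (!firstValue) {
                b.append(", ");
              }
              firstValue = false;
              b.append(displayNameFor(value.toString(), app.name));
            }
            b.append("'");
          }
        }
        // Close the bracket opened once before the loop (the original closed it on every attribute).
        b.append("]");
      }
    }

    List perms = app.permissions;
    if (perms != null) {
      for (ItemSummary ps : perms) {
        b.append(app.name);
        b.append(": ");

        List values = ps.values;
        if (values == null || values.isEmpty()) {
          b.append("none");
        }
        else if (values.size() == 1) {
          // The original indexed this list with the outer loop counter, which only worked for the
          // first permission; a single value is always element 0.
          b.append("'");
          b.append(values.get(0).toString());
          b.append("'");
        }
        else {
          // List.toString brackets the values with [].
          b.append(values.toString());
        }

        b.append(" on ");
        b.append(ps.name);
        b.append(" ");
      }
    }
  }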

  /**
   * Appends the role name (when one is set) followed by a summary of each of its applications to b.
   *
   * @param b    the description buffer
   * @param role one role from either side of the violation summary
   */
  private void summarizeRole(StringBuilder b, RoleSummary role) {
    String roleName = role.name;
    if (roleName != null) {
      b.append("Role: ").append(roleName).append(" ");
    }
    List apps = role.applications;
    if (apps == null) {
      return;
    }
    for (ApplicationSummary app : apps) {
      summarizeApp(b, app);
    }
  }

  /**
   * Appends a summary of every role in roles to b; a null list contributes nothing.
   *
   * @param b     the description buffer
   * @param roles one side (left or right) of the violation summary, may be null
   */
  private void summarizeRoles(StringBuilder b, List roles) {
    if (roles == null) {
      return;
    }
    for (RoleSummary role : roles) {
      summarizeRole(b, role);
    }
  }

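  // Rule body: build a readable description of the two conflicting sides and store it on the violation.
  private static Log customLog = LogFactory.getLog("vis.rule.visViolation");
  customLog.debug("Entering Policy Violation Rule for: " + identity.getStringAttribute("name"));

  EntitlementSummary summary = PolicyUtil.summarizeViolationEntitlements(context, identity, violation, null);

  if (summary != null) {
    StringBuilder b = new StringBuilder();
    // summary.left and summary.right are rendered on either side of the conflict marker.
    summarizeRoles(b, summary.left);
    b.append("--- conflicts with --- ");
    summarizeRoles(b, summary.right);
    violation.setDescription(b.toString());
  }
  else {
    customLog.debug("No entitlement summary available; violation description left unchanged");
  }

  // The rule signature declares a PolicyViolation return value; hand back the (possibly reformatted) object.
  return violation;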
  </Source>
</Rule>