Wednesday, January 22, 2020

Sailpoint Rule - AfterProvisioning Rule

Sailpoint Identity IQ IIQ Rule - AfterProvisioning Rule

Creating an AfterProvisioning Rule and sending the details by email.

The code below does the following:

1. Reads all the required constant values from the custom object.
2. Sends an email with the details to the user and to the user's manager once the account creation succeeds.
3. Sends an email with the error details to the user and the user's manager if the account creation fails.
4. It also includes the request ID.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Active Directory PH Accounts After Provisioning Rule" type="AfterProvisioning">
  <Description>An IdentityIQ server-side rule that is executed after the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan AFTER it has been sent out to the specific applications. 

    This rule will be called for any application found in a plan that also has a configured 'afterProvisioningRule' configured.</Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="plan">
        <Description>
          The ProvisioningPlan object on its way to the Connector.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The application object that references this before/after script.
        </Description>
      </Argument>
      <Argument name="result">
        <Description>
          The ProvisioningResult object returned by the connector's provision method. This can be null; in many cases the connector will not return a result and will instead annotate the plan's ProvisioningResult at either the plan or the account level.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
  <![CDATA[
  import java.util.Map;
  import java.util.HashMap;
  import sailpoint.object.Identity;
  import sailpoint.object.EmailOptions;
  import sailpoint.object.EmailTemplate;
  import sailpoint.tools.GeneralException;
  import sailpoint.object.ProvisioningPlan; 
  import sailpoint.object.ProvisioningResult;
  import sailpoint.object.ProvisioningPlan.AccountRequest; 
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import org.apache.commons.logging.Log;
  import org.apache.commons.logging.LogFactory;


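  Log log = LogFactory.getLog("rule.afterProvisioningRule");
  log.debug("Entering After Provisioning Rule");

  // Application this rule is bound to and the two templates it can send.
  // Declared once so the names are not repeated through the script.
  String APP_NAME = "Active Directory PH Accounts";
  String CREATE_TEMPLATE = "Active Directory PH Accounts Joiner AD Account Creation Notification";
  String FAILURE_TEMPLATE = "Active Directory PH Accounts Joiner AD Failure Notification";

  /*
   * Sends one e-mail rendered from the named EmailTemplate.
   *
   * templateName - name of the EmailTemplate object to load via the context
   * to           - recipient address; a null/blank address skips the send
   * vars         - variables exposed to the template
   *
   * A missing template or missing address is logged and skipped rather than
   * thrown, so a notification problem never fails the provisioning plan.
   * Uses the script-scope 'context' and 'log' rule inputs.
   */
  void sendTemplate(String templateName, String to, Map vars) {
    if (to == null || to.trim().length() == 0) {
      log.warn("No recipient address available; skipping notification " + templateName);
      return;
    }
    EmailTemplate template = context.getObjectByName(EmailTemplate.class, templateName);
    if (template == null) {
      log.warn("EmailTemplate not found: " + templateName);
      return;
    }
    EmailOptions options = new EmailOptions();
    options.setTo(to);
    options.setVariables(vars);
    context.sendEmailNotification(template, options);
  }

  // 'plan' is a rule input and may itself be null; read its source only after the check.
  if (plan != null && "LCM".equals(plan.getSource())) {
    log.debug("Plan source " + plan.getSource() + ", tracking ID " + plan.getTrackingId());
    Identity identity = plan.getIdentity();

    if (identity == null) {
      log.debug("Plan carries no identity; no notification sent");
    } else {
      String userEmail = identity.getEmail();
      log.debug("Identity " + identity + ", email " + userEmail);

      java.util.List accountRequests = plan.getAccountRequests(APP_NAME);
      if (accountRequests != null) {
        for (AccountRequest accountRequest : accountRequests) {
          // Only newly created accounts are notified; modify/delete/etc. are ignored.
          if (!AccountRequest.Operation.Create.equals(accountRequest.getOperation())) {
            continue;
          }

          // The connector may leave the account-level result unset and annotate the
          // plan-level result instead (see the 'result' argument description above).
          ProvisioningResult accountResult = accountRequest.getResult();
          if (accountResult == null) {
            accountResult = plan.getResult();
          }
          String status = (accountResult == null) ? null : accountResult.getStatus();
          log.debug("Operation " + accountRequest.getOperation() + ", status " + status);

          AttributeRequest samRequest = accountRequest.getAttributeRequest("sAMAccountName");
          String sAMAccountName = "";
          if (samRequest != null && samRequest.getValue() != null) {
            sAMAccountName = samRequest.getValue().toString();
          }
          log.debug("sAMAccountName from the provisioning plan: " + sAMAccountName);

          // Variables shared by both templates.
          Map vars = new HashMap();
          vars.put("identity", identity);
          vars.put("samAccountType", sAMAccountName);

          if ("Committed".equalsIgnoreCase(status)) {
            // LCM attaches the request id to the plan; tolerate its absence on other flows.
            Object requestId = plan.get("identityRequestId");
            vars.put("userReqID", requestId == null ? "" : requestId.toString());
            // The template is given a "password" variable that this rule never populates.
            // Kept empty on purpose: the plan's password attribute is not forwarded to
            // e-mail, so the template must not rely on it.
            vars.put("password", "");
            sendTemplate(CREATE_TEMPLATE, userEmail, vars);
          } else if ("failed".equalsIgnoreCase(status)) {
            // getErrors() may be null or empty; the original first-element access would throw.
            String adError = "no error detail returned by the connector";
            if (accountResult.getErrors() != null && !accountResult.getErrors().isEmpty()) {
              adError = accountResult.getErrors().get(0).getKey();
            }
            vars.put("adError", adError);
            sendTemplate(FAILURE_TEMPLATE, userEmail, vars);
          }
          // NOTE: only the user is notified here; the manager notification described in
          // the post is not implemented in this rule.
        }
      }
    }
  }
  log.debug("Exiting After Provisioning Rule");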
   ]]>
  </Source>
</Rule>