More often then not, this is because IIQ machine is not able to connect to IQService.
- Check the status of IQService
- Check network
- Check firewalls
More often then not, this is because IIQ machine is not able to connect to IQService.
A common mistake that I have seen being made is how the aggregation query is written.
Let's say there are three tables:
delete workitem ff8080813eb1de6f013eb3d811f10081
delete workitem ff8080813eb1de6f013eb3d82b6b0095
delete workitem ff8080813eb1de6f013eb3d83b1000a9
delete workitem ff8080813eb1de6f013eb3d846b900bd
delete workitem ff8080813eb1de6f013eb3d855cb00d1
find ./ -name '*.txt' | xargs grep yourtext
./: root path to search
-name: file name
Use one of the following options depending on your environment
service mysql start/etc/init.d/mysqld restart
For many activities like developing a web application, creating data lake or creating trusted/target system for learning IAM, a custom Database schema is required.
There is always an option to use tools (like SQL developer) or execute one off commands. This works well but the only issue is that we have to set these databases up so frequently that it would be nice to have a template which can be used everytime.
For this template, we simply need to create a .sql file and store it. Every time a new database has to be created, this can be leveraged. You will still have to update the table names etc.
This exercise will also help you understand, how to share your database creation details with fellow developers or even how the IAM tools like SailPoint IIQ or Oracle Identity Manager (RCU) shares the same with us.
I have used a MySQl server but it will work on all RDBMS with minor changes.
Create a .sql file and use the below structure:
/*
SQL file to create a custom database
-- Date: 2021-19-09 08:15
*/
CREATE DATABASE customapp;
SET GLOBAL validate_password_policy=LOW;
GRANT ALL PRIVILEGES ON customapp.*
TO 'appUser' IDENTIFIED BY 'admin@12345';
GRANT ALL PRIVILEGES ON customapp.*
TO 'appUser'@'%' IDENTIFIED BY 'admin@12345';
GRANT ALL PRIVILEGES ON customapp.*
TO 'appUser'@'localhost' IDENTIFIED BY 'admin@12345';
USE customapp;
CREATE TABLE `UserTable` (
`dbID` varchar(45) NOT NULL,
`empID` varchar(45) DEFAULT NULL,
`userName` varchar(45) DEFAULT NULL,
`Inactive` varchar(45) DEFAULT NULL,
`lastlogin` date DEFAULT NULL,
PRIMARY KEY (`dbID`)
);
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('112','1a2c3a','RichardJackson','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('113','1a2c3b','MariaWhite','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('114','1a2c3c','CharlesHarris','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('115','1a2c3d','SusanMartin','TRUE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('156','1a2c3a4a','LarryMorgan','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('159','1a2c3a4d','MelissaBailey','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('160','1a2c3a4e','FrankRivera','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('161','1a2c3b4a','BrendaCooper','TRUE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('162','1a2c3b4b','ScottRichardson','FALSE','2009-04-04');
INSERT INTO `financeuser` (`dbID`,`empID`,`userName`,`Inactive`,`lastlogin`) VALUES ('163','1a2c3b4c','AmyCox','FALSE','2009-04-04');
Now login into database:
> mysql -u root -p
> source fileName.sql
The sql file can be shared and the devs will be able to create the schema in their sandboxes.
Hope this helps !!!
Status : Failure -Test failed: The server time zone value 'CDT' is unrecognized or represents more than one time zone. You must configure either the server or JDBC driver (via the serverTimezone configuration property) to use a more specifc time zone value if you want to utilize time zone support
Add the following string after the port number
This error is due to incorrect URL in XXX.target.properties file.
The URL should exactly like: %%ECLIPSE_URL%%=http\://192.168.61.102\:8080/identityiq
Replace with your IP and Host
e.g. /u01/sailpoint/tomcat/apache-tomcat-8.5.65/webapps/identityiq/scripts/sailpoint/web/define
The firewall on Oracle Linux 7 system is enabled by default.
Fedora 18 introduced firewalld as a replacement for the previous iptables service. Since RHEL7 and Oracle Linux 7 are based on Fedora 19, the switch from iptables service to firewalld is now part of the Enterprise Linux distributions.
Use the following two commands to check the status and them stop the firewall
systemctl status firewalld
service firewalld stop
Creation Rule:
Identity creation rules are used to set attributes on new Identity objects when they are created. New identities may be created during the aggregation of application accounts, or optionally created after pass-through authentication.
One common operation is to change the name property of the identity when the default application name is complex (such as a directory DN).
Another common operation is to assign a set of initial capabilities based on the attributes pulled from the application account.
Use Case: Generate user email, set password
Customization Rule:
This rule is configured on the application and is called after the connector has build a ResourceObject from the native application data.
Initially designed for non-rule based connectors to add SPPrivileged flag to an object, but could be used to do any transformations.
Use Case: Set IIQDisable flag to set account status
<WIP>
I created an OEL VM and installed a My SQL server. For ease of access, I installed SQL developer on my local windows 10 machine.
After installing the my sql driver in SQL developer and trying to connect to the DB, I got the following error:
Granted the permissions
If you using VirtualBox and your mouse pointer is stuck inside the guest's(VM) window. This is by design. When you are using the VM, the keyboard and mouse input go there. If you want to switch this to host, a specific key can be configured, called as "Host Key" (great name)
Default Host Key
Windows: right Ctrl - Press right Ctrl on Windows to unstuck your mouse pointer
macOS: left Cmd
You can also change this key to any other key in VirtualBox settings:
Look into Guest Addition to get rid of this dependency
This post will be a work in progress and plans to be a comprehensive guide for self assessment and interview questions of IIQ
Level: Beginner to Advanced
WEB-INF/classes/sailpoint/web/messages/iiqCustom.properties
att_user_name=Corporate ID
Acts on object, scheduled
Acts on object, event driven
Beanshell logic, hooks to modify system behavior
>find / -perm -u=s -type f 2>/dev/null
The IdentityIQ Deployment Accelerator is a plug-in for the free and popular Eclipse IDE that provides several features designed to make configuring and managing IdentityIQ easier.
Download URL - https://sailpoint.github.io/epiiq/
import java.util.List;
import java.util.ArrayList;
import sailpoint.object.Identity;
import sailpoint.api.CertificationScheduler;
import sailpoint.object.CertificationSchedule;
import sailpoint.object.CertificationDefinition;
import sailpoint.object.TaskSchedule;
import sailpoint.object.Certification;
import sailpoint.api.Correlator;
import sailpoint.task.CertificationExecutor.CertifierSelectionType;
//
// requestor = user who made the request
// identity = user to be certified
//
Identity requestor = context.getObject(Identity.class, launcher);
System.out.println("Change requested by " + requestor.getName());
Identity identity = context.getObject(Identity.class, event.getIdentityName());
System.out.println("Building certification for " + identity.getName());
//
// Identities to certify:
//
List identities = new ArrayList();
identities.add(identity.getName());
//
// Certification Group Owner
//
Identity certGroupOwner = context.getObjectByName(Identity.class, "spadmin");
//
// Get department user is moving to
//
String department = event.getObject().getAttribute("department");
//
// Set sertifier based on department
//
Correlator correlator = new Correlator(context);
Identity certifier = null;
if ( department != null && department.equals("IT Management") ) {
certifier = correlator.findIdentityByAttribute("name", "Mary.Johnson");
} else {
certifier = correlator.findIdentityByAttribute("name", "spadmin");
}
System.out.println("Certification will be done by " + certifier.getName());
//
// Schedule Certification
//
// Create new Scheduler object
//
CertificationScheduler scheduler = new CertificationScheduler(context);
//
// Create schedule and set to run now...
//
CertificationSchedule schedule = scheduler.initializeScheduleBean(requestor, Certification.Type.Identity);
schedule.setRunNow(true);
//
// Configure Certification Definition
//
CertificationDefinition definition = schedule.getDefinition();
definition.setCertifierSelectionType(CertificationDefinition.CertifierSelectionType.Manual);
definition.setProcessRevokesImmediately(true);
definition.setNameTemplate("Department Transfer for " + identity.getDisplayName() + ": assigned to " + certifier.getDisplayName());
definition.setShortNameTemplate("Dept xfer for " + identity.getDisplayName());
definition.setName("Department Transfer : " + identity.getDisplayName() + " [" + new Date().toString() + "]");
definition.setIdentitiesToCertify(identities);
definition.setCertifierName(certifier.getName());
definition.setCertificationOwner(certGroupOwner);
definition.setCertificationNameTemplate("Department Transfer: " + identity.getDisplayName());
//
// Schedule task to run, passing in schedule (which has certficiaton defintion attached)
//
TaskSchedule taskSchedule = scheduler.saveSchedule(schedule, false);
When a business role is requested:
Add the requested business role to the Identity Cube.
Determine from the business role being requested what IT roles are required by this role.
From the IT role, determine what entitlements are needed.
Does the user have an application account for the application? If yes, provision the entitlement to grant the user the appropriate access that was requested. If no, expand the request to also request an account to be created.
import java.util.Date;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.Statement;
import java.sql.SQLException;
import java.sql.ResultSet;
import java.sql.Types;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.connector.JDBCConnector;
import sailpoint.object.Application;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.PermissionRequest;
import sailpoint.object.ProvisioningResult;
import sailpoint.object.Schema;
import sailpoint.tools.xml.XMLObjectFactory;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.logging.Log;
import sailpoint.tools.Util;
//
// Internal method for grabbing an Attribute Request Value.
//
public Object getAttributeRequestValue(AccountRequest acctReq, String attribute) {
if ( acctReq != null ) {
AttributeRequest attrReq = acctReq.getAttributeRequest(attribute);
if ( attrReq != null ) {
return attrReq.getValue();
}
}
return null;
}
//
// JDBC Provisioning Rule Body
//
// We will handle these cases right now:
//
// Account Request Create
// Account Request Modify
// Account Request Delete
// Account Lock/Unlock
// Account Enable/Disable
//
Date now = new Date();
System.out.println("\n\n\n\n\n");
System.out.println("****************************************");
System.out.println("Entering Provisioning Rule for PRISM");
System.out.println(" Current Time = " + now.toString());
System.out.println("****************************************");
//
// The ProvisioningResult is the return object for this type of rule. We'll create it here and then populate it later
//
ProvisioningResult result = new ProvisioningResult();
//
// Check if the plan is null or not, if not null, process it...
//
if ( plan != null ) {
System.out.println("*** \n The Provisioning Plan being passed in = \n***\n" + plan.toXml() + "\n****************************************");
List accounts = plan.getAccountRequests();
//
// Get all Account Requests out of the plan
//
if ( ( accounts != null ) && ( accounts.size() > 0 ) ) {
//
// If the plan contains one or more account requests, we'll iterate through them
//
for ( AccountRequest account : accounts ) {
try {
//
// All of the account operations will reside in a try block in case we have any errors, we can mark the provisioningresult as "Failed" if we have an issue.
//
if (AccountRequest.Operation.Create.equals(account.getOperation())) {
//
// CREATE Operation
//
System.out.println("Account Request Operation = Create");
PreparedStatement statement = connection.prepareStatement("insert into users (login,first,last,groups,status,locked) values (?,?,?,?,?,?)");
statement.setString(1, (String) account.getNativeIdentity());
statement.setString(2, getAttributeRequestValue(account, "first"));
statement.setString(3, getAttributeRequestValue(account, "last"));
statement.setString(5, getAttributeRequestValue(account, "status"));
statement.setString(6, getAttributeRequestValue(account, "locked"));
//
// Grab the role from the request. If it's a single role, it'll be a string, add it to
// the statement, other wise if it's a List, convert to CSV and add it to the statement
//
AttributeRequest attrReq = account.getAttributeRequest("groups");
if (attrReq != null) {
if (attrReq.getValue() instanceof String) {
statement.setString(4, (String) attrReq.getValue());
} else if (attrReq.getValue() instanceof List) {
String listOfRoles = Util.listToCsv((List) attrReq.getValue());
statement.setString(4, listOfRoles);
}
} else {
statement.setString(4,"");
}
System.out.println("Preparing to execute: " + statement);
statement.executeUpdate();
//
// Sucessful Create, so mark result as COMMITTED
//
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Modify.equals(account.getOperation())) {
//
// MODIFY Operation
//
//
// We have a modify, this one is trickier, as we can have "Add" and "Remove"
// operations and each can be a single string value or a list
//
System.out.println("Account Request Operation = Modify");
//
// Determine what the current roles are first...
//
Statement curr_stmt = connection.createStatement();
ResultSet rs = curr_stmt .executeQuery("select * from users where login = '" + account.getNativeIdentity() + "'");
//
// Check result set. Should only be one row since login is a unique key for the table
//
List current_roles = null;
String roles = "";
while (rs.next()) {
roles = roles + "," + rs.getString("groups");
}
current_roles = Util.csvToList(roles,true);
if (current_roles == null) {
System.out.println("We have a null current_roles list... change it to an empty list for subsequent processing.");
current_roles = new ArrayList();
}
System.out.println("Current Roles for User = " + Util.listToCsv(current_roles));
//
// Get all Attribute Requests and pull out just the role ones.
//
List remove_roles = new ArrayList();
List add_roles = new ArrayList();
//
// Get all attribute requests and then we will filter for those related to the roles column
//
List mod_attr_requests = account.getAttributeRequests();
if (mod_attr_requests != null) {
for (AttributeRequest req : mod_attr_requests ) {
if (req.getName().equals("groups")) {
if (ProvisioningPlan.Operation.Remove.equals(req.getOperation())) {
// Process Removes First
if (req.getValue() instanceof String) {
remove_roles = Util.csvToList(req.getValue());
} else if (req.getValue() instanceof List) {
remove_roles = req.getValue();
}
} else if (ProvisioningPlan.Operation.Add.equals(req.getOperation())) {
// Process Adds Second
if (req.getValue() instanceof String) {
add_roles = Util.csvToList(req.getValue());
} else if (req.getValue() instanceof List) {
add_roles = req.getValue();
}
}
}
}
}
//
// We now have a calculated list of the roles we are adding, the roles we are removing, and the current roles for the user.
//
System.out.println("Add Roles = " + Util.listToCsv(add_roles));
System.out.println("Remove Roles = " + Util.listToCsv(remove_roles));
//
// If we have roles to remove, remove them
//
if (!remove_roles.isEmpty()) {
System.out.println("About to remove roles: " + remove_roles.toString() + "from the current_roles = " + current_roles.toString());
current_roles.removeAll(remove_roles);
}
//
// If we have roles to add, check if they are there and add them as we iterate through
//
if (!add_roles.isEmpty()) {
System.out.println("About to add roles: " + add_roles.toString() + " to the current_roles = " + current_roles.toString());
for (Object item: add_roles) {
if (!current_roles.contains(item)) {
current_roles.add(item);
}
}
}
//
// Print out the list of roles being provisioned after processing "add" and "remove" operations
//
System.out.println("Updating the roles for:" + (String) account.getNativeIdentity() + " Current Roles after adding/removing = " + Util.listToCsv(current_roles));
//
// Process update SQL operation
//
PreparedStatement statement = connection.prepareStatement("update users set groups = ? where login = ?");
statement.setString(2, (String) account.getNativeIdentity());
statement.setString(1,Util.listToCsv(current_roles));
statement.executeUpdate();
// Add these in the future.
// statement.setString ( 2,
// getAttributeRequestValue(account,"first") );
// statement.setString ( 3,
// getAttributeRequestValue(account,"last") );
// statement.setString ( 4,
// getAttributeRequestValue(account,"groups") );
// statement.setString ( 5,
// getAttributeRequestValue(account,"status") );
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Delete.equals(account.getOperation())) {
//
// DELETE Operation
//
System.out.println("Account Request Operation = Delete");
PreparedStatement statement = connection.prepareStatement("delete from users where login = ?");
statement.setString(1, (String) account.getNativeIdentity());
statement.executeUpdate();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Disable.equals(account.getOperation())) {
System.out.println("Account Request Operation = Disable");
PreparedStatement statement = connection.prepareStatement("update users set status = 'I' where login = ?");
statement.setString(1, (String) account.getNativeIdentity());
statement.executeUpdate();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Enable.equals(account.getOperation())) {
System.out.println("Account Request Operation = Enable");
PreparedStatement statement = connection.prepareStatement("update users set status = 'A' where login = ?");
statement.setString(1, (String) account.getNativeIdentity());
statement.executeUpdate();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Lock.equals(account.getOperation())) {
System.out.println("Account Request Operation = Lock");
PreparedStatement statement = connection.prepareStatement("update users set locked = 'Y' where login = ?");
statement.setString(1, (String) account.getNativeIdentity());
statement.executeUpdate();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else if (AccountRequest.Operation.Unlock.equals(account.getOperation())) {
System.out.println("Account Request Operation = Unlock");
PreparedStatement statement = connection.prepareStatement("update users set locked = 'N' where login = ?");
statement.setString(1, (String) account.getNativeIdentity());
statement.executeUpdate();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
} else {
// Unknown operation!
System.out.println("Unknown operation ["
+ account.getOperation() + "]!");
}
} catch (SQLException e) {
System.out.println("Error: " + e);
result.setStatus(ProvisioningResult.STATUS_FAILED);
result.addError(e);
}
} // account request loop
} // if account requests exist
} // if plan not null
System.out.println("****************************************");
System.out.println("****************************************");
System.out.println("Exiting Provisioning Rule for PRISM. \n Result= \n" + result.toXml(false));
System.out.println("****************************************");
System.out.println("****************************************");
System.out.println("\n\n\n\n\n");
return result;