Friday, January 29, 2021

SailPoint IIQ - URL to download IdentityIQ Deployment Accelerator

The IdentityIQ Deployment Accelerator is a plug-in for the free and popular Eclipse IDE that provides several features designed to make configuring and managing IdentityIQ easier.

Download URL -  https://sailpoint.github.io/epiiq/


Monday, January 25, 2021

SailPoint IIQ - Script to generate certification from a workflow

import java.util.List;

import java.util.ArrayList;

import sailpoint.object.Identity;

import sailpoint.api.CertificationScheduler;

import sailpoint.object.CertificationSchedule;

import sailpoint.object.CertificationDefinition;

import sailpoint.object.TaskSchedule;

import sailpoint.object.Certification;

import sailpoint.api.Correlator; 

import sailpoint.task.CertificationExecutor.CertifierSelectionType;


//

// requestor = user who made the request

// identity = user to be certified

//

  

Identity requestor = context.getObject(Identity.class, launcher);  

System.out.println("Change requested by " + requestor.getName()); 

Identity identity = context.getObject(Identity.class, event.getIdentityName());

System.out.println("Building certification for " + identity.getName());


//

// Identities to certify: 

//


List identities = new ArrayList();

identities.add(identity.getName());


//

// Certification Group Owner

//


Identity certGroupOwner = context.getObjectByName(Identity.class, "spadmin");


//

// Get department user is moving to

//

String department = event.getObject().getAttribute("department");


// 

// Set sertifier based on department

//

Correlator correlator = new Correlator(context); 

Identity certifier = null;


if ( department != null && department.equals("IT Management") ) {   

   certifier = correlator.findIdentityByAttribute("name", "Mary.Johnson"); 

} else {

   certifier = correlator.findIdentityByAttribute("name", "spadmin"); 

}

System.out.println("Certification will be done by " + certifier.getName());


//

// Schedule Certification

//

// Create new Scheduler object

// 


CertificationScheduler scheduler = new CertificationScheduler(context);


//

// Create schedule and set to run now...

//

CertificationSchedule schedule = scheduler.initializeScheduleBean(requestor, Certification.Type.Identity);

schedule.setRunNow(true);


//

// Configure Certification Definition

//


CertificationDefinition definition = schedule.getDefinition();

definition.setCertifierSelectionType(CertificationDefinition.CertifierSelectionType.Manual);

definition.setProcessRevokesImmediately(true);


definition.setNameTemplate("Department Transfer for " + identity.getDisplayName() + ": assigned to " + certifier.getDisplayName());

definition.setShortNameTemplate("Dept xfer for " + identity.getDisplayName());

definition.setName("Department Transfer : " + identity.getDisplayName() + " [" + new Date().toString() + "]");

definition.setIdentitiesToCertify(identities);

definition.setCertifierName(certifier.getName());

definition.setCertificationOwner(certGroupOwner);

definition.setCertificationNameTemplate("Department Transfer: " + identity.getDisplayName());


//

// Schedule task to run, passing in schedule (which has certficiaton defintion attached)

//


TaskSchedule taskSchedule = scheduler.saveSchedule(schedule, false);

Wednesday, January 20, 2021

SailPoint IIQ - Role Request Flow - Account v/s No-Account

 

When a business role is requested:

  • Add the requested business role to the Identity Cube.

  • Determine from the business role being requested what IT roles are required by this role. 

  • From the IT role, determine what entitlements are needed.

  • Does the user have an application account for the application? If yes, provision the entitlement to grant the user the appropriate access that was requested. If no, expand the request to also request an account to be created.

SailPoint IIQ - Provisioning Rule Example - JDBC Application

import java.util.Date;

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.PreparedStatement;

import java.sql.Statement;

import java.sql.SQLException;

import java.sql.ResultSet;

import java.sql.Types;

import java.util.List;

import sailpoint.api.SailPointContext;

import sailpoint.connector.JDBCConnector;

import sailpoint.object.Application;

import sailpoint.object.ProvisioningPlan;

import sailpoint.object.ProvisioningPlan.AccountRequest;

import sailpoint.object.ProvisioningPlan.AttributeRequest;

import sailpoint.object.ProvisioningPlan.PermissionRequest;

import sailpoint.object.ProvisioningResult;

import sailpoint.object.Schema;

import sailpoint.tools.xml.XMLObjectFactory;

import org.apache.commons.logging.LogFactory;

import org.apache.commons.logging.Log;

import sailpoint.tools.Util;


//

// Internal method for grabbing an Attribute Request Value.

//

public Object getAttributeRequestValue(AccountRequest acctReq, String attribute) {

    if ( acctReq != null ) {

   AttributeRequest attrReq = acctReq.getAttributeRequest(attribute);

      if ( attrReq != null ) {

        return attrReq.getValue();

      }

    }

    return null;

    }


//

// JDBC Provisioning Rule Body

//

// We will handle these cases right now: 

// 

// Account Request Create

// Account Request Modify

// Account Request Delete

// Account Lock/Unlock

// Account Enable/Disable

//

Date now = new Date();


System.out.println("\n\n\n\n\n");

System.out.println("****************************************");

System.out.println("Entering Provisioning Rule for PRISM");

System.out.println(" Current Time =  " + now.toString());

System.out.println("****************************************");



//

// The ProvisioningResult is the return object for this type of rule. We'll create it here and then populate it later

//


ProvisioningResult result = new ProvisioningResult();



//

// Check if the plan is null or not, if not null, process it... 

//


if ( plan != null ) {


System.out.println("*** \n The Provisioning Plan being passed in = \n***\n" + plan.toXml() + "\n****************************************");


List accounts = plan.getAccountRequests();

// 

//  Get all Account Requests out of the plan

// 


if ( ( accounts != null ) && ( accounts.size() > 0 ) ) {

//

// If the plan contains one or more account requests, we'll iterate through them

//

for ( AccountRequest account : accounts ) {

try {

// 

// All of the account operations will reside in a try block in case we have any errors, we can mark the provisioningresult as "Failed" if we have an issue.

//


if (AccountRequest.Operation.Create.equals(account.getOperation())) {


//

// CREATE Operation

//

System.out.println("Account Request Operation = Create");


PreparedStatement statement = connection.prepareStatement("insert into users (login,first,last,groups,status,locked) values (?,?,?,?,?,?)");

statement.setString(1, (String) account.getNativeIdentity());

statement.setString(2, getAttributeRequestValue(account, "first"));

statement.setString(3, getAttributeRequestValue(account, "last"));

statement.setString(5, getAttributeRequestValue(account, "status"));

statement.setString(6, getAttributeRequestValue(account, "locked"));

//

// Grab the role from the request. If it's a single role, it'll be a string, add it to 

// the statement, other wise if it's a List, convert to CSV and add it to the statement

//

AttributeRequest attrReq = account.getAttributeRequest("groups");

if (attrReq != null) {

if (attrReq.getValue() instanceof String) {

statement.setString(4, (String) attrReq.getValue());

} else if (attrReq.getValue() instanceof List) {

String listOfRoles = Util.listToCsv((List) attrReq.getValue());

statement.setString(4, listOfRoles);

}

} else {

                                                               statement.setString(4,"");

                                         }


System.out.println("Preparing to execute: " + statement);

statement.executeUpdate();

//

// Sucessful Create, so mark result as COMMITTED

//

result.setStatus(ProvisioningResult.STATUS_COMMITTED);


} else if (AccountRequest.Operation.Modify.equals(account.getOperation())) {

//

// MODIFY Operation

// 

//

// We have a modify, this one is trickier, as we can have "Add" and "Remove" 

// operations and each can be a single string value or a list

//


System.out.println("Account Request Operation = Modify");


//

// Determine what the current roles are first... 

//


Statement curr_stmt = connection.createStatement();

ResultSet rs = curr_stmt .executeQuery("select * from users where login = '" + account.getNativeIdentity() + "'");


//

//  Check result set. Should only be one row since login is a unique key for the table

//

List current_roles = null;

String roles = "";


while (rs.next()) {

   roles = roles + "," + rs.getString("groups");

current_roles = Util.csvToList(roles,true);

if (current_roles == null) {

System.out.println("We have a null current_roles list... change it to an empty list for subsequent processing.");

current_roles = new ArrayList();

}


System.out.println("Current Roles for User = " + Util.listToCsv(current_roles));


//

// Get all Attribute Requests and pull out just the role ones. 

//

List remove_roles = new ArrayList();

List add_roles = new ArrayList(); 

//

// Get all attribute requests and then we will filter for those related to the roles column

//

List mod_attr_requests = account.getAttributeRequests();

if (mod_attr_requests != null) {

for (AttributeRequest req : mod_attr_requests ) {

if (req.getName().equals("groups")) {

   if (ProvisioningPlan.Operation.Remove.equals(req.getOperation())) {

// Process Removes First

if (req.getValue() instanceof String) {

  remove_roles = Util.csvToList(req.getValue());

} else if (req.getValue() instanceof List) {

  remove_roles = req.getValue();                

}

} else if (ProvisioningPlan.Operation.Add.equals(req.getOperation())) {

// Process Adds Second

if (req.getValue() instanceof String) {

   add_roles = Util.csvToList(req.getValue());

} else if (req.getValue() instanceof List) {

  add_roles = req.getValue();                     

}


   } 

}

}

//

//  We now have a calculated list of the roles we are adding, the roles we are removing, and the current roles for the user.

//

System.out.println("Add Roles = " + Util.listToCsv(add_roles));

System.out.println("Remove Roles = " + Util.listToCsv(remove_roles));



//

// If we have roles to remove, remove them

//

if (!remove_roles.isEmpty()) {

System.out.println("About to remove roles: " + remove_roles.toString() + "from the current_roles = " + current_roles.toString());

current_roles.removeAll(remove_roles);

}

//

// If we have roles to add, check if they are there and add them as we iterate through

//

if (!add_roles.isEmpty()) {

System.out.println("About to add roles: " + add_roles.toString() + " to the current_roles = " + current_roles.toString());

for (Object item: add_roles) {

if (!current_roles.contains(item)) {

   current_roles.add(item);

}

}

}

//

//  Print out the list of roles being provisioned after processing "add" and "remove" operations

//

System.out.println("Updating the roles for:" + (String) account.getNativeIdentity() + " Current Roles after adding/removing = " + Util.listToCsv(current_roles)); 


//

// Process update SQL operation

//


PreparedStatement statement = connection.prepareStatement("update users set groups = ? where login = ?");

statement.setString(2, (String) account.getNativeIdentity());

statement.setString(1,Util.listToCsv(current_roles)); 

statement.executeUpdate();


// Add these in the future.

// statement.setString ( 2,

// getAttributeRequestValue(account,"first") );

// statement.setString ( 3,

// getAttributeRequestValue(account,"last") );

// statement.setString ( 4,

// getAttributeRequestValue(account,"groups") );

// statement.setString ( 5,

// getAttributeRequestValue(account,"status") );


result.setStatus(ProvisioningResult.STATUS_COMMITTED);


} else if (AccountRequest.Operation.Delete.equals(account.getOperation())) {

//

// DELETE Operation

// 



System.out.println("Account Request Operation = Delete");

PreparedStatement statement = connection.prepareStatement("delete from users where login = ?");

statement.setString(1, (String) account.getNativeIdentity());

statement.executeUpdate();


result.setStatus(ProvisioningResult.STATUS_COMMITTED);


} else if (AccountRequest.Operation.Disable.equals(account.getOperation())) {


System.out.println("Account Request Operation = Disable");

PreparedStatement statement = connection.prepareStatement("update users set status = 'I' where login = ?");

statement.setString(1, (String) account.getNativeIdentity());

statement.executeUpdate();

result.setStatus(ProvisioningResult.STATUS_COMMITTED);


} else if (AccountRequest.Operation.Enable.equals(account.getOperation())) {


System.out.println("Account Request Operation = Enable");

PreparedStatement statement = connection.prepareStatement("update users set status = 'A' where login = ?");

statement.setString(1, (String) account.getNativeIdentity());

statement.executeUpdate();

result.setStatus(ProvisioningResult.STATUS_COMMITTED);



} else if (AccountRequest.Operation.Lock.equals(account.getOperation())) {


System.out.println("Account Request Operation = Lock");

PreparedStatement statement = connection.prepareStatement("update users set locked = 'Y' where login = ?");

statement.setString(1, (String) account.getNativeIdentity());

statement.executeUpdate();

result.setStatus(ProvisioningResult.STATUS_COMMITTED);



} else if (AccountRequest.Operation.Unlock.equals(account.getOperation())) {


System.out.println("Account Request Operation = Unlock");

PreparedStatement statement = connection.prepareStatement("update users set locked = 'N' where login = ?");

statement.setString(1, (String) account.getNativeIdentity());

statement.executeUpdate();

result.setStatus(ProvisioningResult.STATUS_COMMITTED);


} else {


// Unknown operation!

System.out.println("Unknown operation ["

+ account.getOperation() + "]!");

}


} catch (SQLException e) {

                        System.out.println("Error: " + e);

                        result.setStatus(ProvisioningResult.STATUS_FAILED);

                        result.addError(e);

}    // account request loop

}     // if account requests exist

}   // if plan not null



System.out.println("****************************************");

System.out.println("****************************************");

System.out.println("Exiting Provisioning Rule for PRISM. \n  Result=  \n" + result.toXml(false));

System.out.println("****************************************");

System.out.println("****************************************");

System.out.println("\n\n\n\n\n");

return result;