SailPoint provides the capability to extend different entities such as identity, entitlement, bundle, link and certification item. The allowed attribute types for each are listed below.
| Object Type | Supported Attribute Types |
|---|---|
| Identity | string, identity |
| Bundle | string, integer, boolean, date, rule, identity |
| Link | string, date, boolean |
| Application | string, integer, boolean, date, rule, identity |
| ManagedAttribute | string, integer, boolean, date, rule, identity |
| CertificationItem | string, date, boolean |
Creating CertificationItem Extended Attribute
Usually CertificationItem extended attributes should match Link extended attributes. This allows those extended Link attributes to be included in the detail records of certification access reviews. A CertificationItem extended attribute that does not correspond to a Link extended attribute is not populated (unless a rule sets it manually), because the only way to declare a source for it is a Link extended attribute of the same name. This article explores that second option: creating a CertificationItem extended attribute that does not correspond to a Link extended attribute and is populated through a custom rule.
To create a CertificationItem extended attribute for the first time, create the ObjectConfig object below from the debug page in SailPoint, if it is not already present. Set namedColumn="true" if the extended attribute has to be searchable and needs a separate column in the database.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="CertificationItem">
  <ObjectAttribute displayName="sampleattribute1 Display Name" editMode="Permanent" namedColumn="true" name="sampleattribute1" type="string">
    <Description>Sample Attribute Description</Description>
  </ObjectAttribute>
</ObjectConfig>
Add the corresponding entry in the CertificationItemExtended.hbm.xml file:
<property name="sampleattribute1" type="string" length="450" access="sailpoint.persistence.ExtendedPropertyAccessor"
index="spt_certitem_sampleattribute1_ci"/>
Once this is done, run the iiq console command below to generate the DB scripts to be executed.
C:\IdentityIQ\WEB-INF\bin>iiq extendedSchema
Home directory: C:/IdentityIQ
Generating database scripts for mysql
Generating database scripts for oracle
Generating database scripts for sqlserver
Generating database scripts for db2
This creates the DDL script files: add_identityiq_extensions.[dbms] which can then be run against the database to modify the IdentityIQ tables and indexes.
mysql > source add_identityiq_extensions.mysql
NOTE: All extended attributes defined in any of the .hbm.xml files are included in the DDL scripts, even if they already exist in the database. Consequently, if the generated script is executed without editing it to remove the unnecessary statements, it will report errors for any already existing columns or indexes as it attempts to recreate them; in most cases (e.g. unless you have configured your database to fail the whole operation on any error), these errors do no harm and the messages can be ignored.
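The ObjectConfig and hbm.xml steps above have to agree on attribute names before the schema scripts are generated. The following is an added example, not SailPoint's or the author's code: a Python check that compares the CertificationItem ObjectConfig, the Link ObjectConfig and the hbm mapping, and also lists attributes with no Link counterpart, which need a rule to be populated. The sample XML, the `reviewnote` and `entitlements` attributes, the finding codes and the case-sensitive name comparison are assumptions; the mapping fragment is assumed to have no single root element, so it is wrapped before parsing.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the article's snippets (not real exports).
CERT_ITEM_CONFIG = """<!DOCTYPE ObjectConfig PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ObjectConfig name="CertificationItem">
  <ObjectAttribute name="sampleattribute1" namedColumn="true" type="string"/>
  <ObjectAttribute name="entitlements" namedColumn="true" type="string"/>
  <ObjectAttribute name="reviewnote" namedColumn="true" type="string"/>
</ObjectConfig>"""
LINK_CONFIG = """<ObjectConfig name="Link">
  <ObjectAttribute name="entitlements" type="string"/>
</ObjectConfig>"""
HBM_FRAGMENT = """
<property name="sampleattribute1" type="string" length="450"
  access="sailpoint.persistence.ExtendedPropertyAccessor"
  index="spt_certitem_sampleattribute1_ci"/>
<property name="Entitlements" type="string" length="450"
  access="sailpoint.persistence.ExtendedPropertyAccessor"/>
"""

def attr_names(config_xml, named_only=False):
    """ObjectAttribute names; optionally only those with namedColumn="true"."""
    root = ET.fromstring(config_xml)
    return {a.get("name") for a in root.iter("ObjectAttribute")
            if not named_only or a.get("namedColumn") == "true"}

def hbm_names(fragment):
    """Property names in the mapping fragment, wrapped in a synthetic root."""
    root = ET.fromstring("<fragment>" + fragment + "</fragment>")
    return {p.get("name") for p in root.iter("property")}

def check(cert_item_xml, link_xml, fragment):
    """Return sorted (code, name) findings; an empty list means consistent."""
    try:
        named = attr_names(cert_item_xml, named_only=True)
        link, mapped = attr_names(link_xml), hbm_names(fragment)
    except ET.ParseError as exc:
        return [("malformed-xml", str(exc))]
    if None in named | link | mapped:  # well-formed XML, but a name is missing
        return [("element-without-name", "")]
    named_l, mapped_l = {n.lower() for n in named}, {m.lower() for m in mapped}
    findings = [("case-mismatch" if p.lower() in named_l
                 else "hbm-without-objectconfig", p) for p in mapped - named]
    findings += [("named-column-without-hbm", n) for n in named
                 if n.lower() not in mapped_l]
    findings += [("no-link-source-needs-rule", n) for n in named - link]
    return sorted(findings)

if __name__ == "__main__":
    print(check(CERT_ITEM_CONFIG, LINK_CONFIG, HBM_FRAGMENT))
```

An `element-without-name` finding covers the case where a misplaced `>` turns attributes into element text: the file still parses, but the attribute has no name.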
Populating the Certification Item Extended attribute during the Certification Task generation.
Create a custom CertificationEntityCustomization rule; a sample snippet is below.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Certification Item Customization Rule" type="CertificationEntityCustomization">
<Source>
//import statements
// Add additional conditions to fetch the required Certification Item to update the extended attributes
item.setAttribute("sampleattribute1", "TEST_VALUE");
</Source>
</Rule>
Map this rule in the System Configuration under the entry key certificationItemCustomizationRule, as below:
<entry key="certificationItemCustomizationRule" value="Certification Item Customization Rule"/>
Now whenever any Certification task is created, this rule is triggered so that extended attributes are set based on the logic.
Populating the Certification Item Extended attribute after the task is created.
There can be cases where this rule should not be triggered for every kind of certification task, or where the extended attributes should be set asynchronously, i.e. after the certification task is created. For this, create a custom rule-runner task or plugin that fetches the corresponding certification items and sets the extended attributes accordingly. A sample snippet is below.
// Logic to fetch the Certification Item object. certItemObj
certItemObj.setAttribute("sampleattribute1", "TEST_VALUE");
context.saveObject(certItemObj);
context.commitTransaction();
context.decache(certItemObj);
@iamksatish kindly suggest " Attempt to resolve method: setCustom1() on undefined variable or class name: item : at Line: 56 : in file: inline evaluation of: ``import sailpoint.api.SailPointContext; import sailpoint.object.AbstractCertifiab . . . '' : item .setCustom1 ( "ACCOUNTSTATUS" ) "
Can you share your code, you should use setAttribute and pass the attribute name and value.
But how we can do without named column and Link Extended linked with CertificationItem Extended extended columns automatically ?
I have followed the same to extend the attribute in the certificationItem and the values are populating properly when the certification is scheduled.
I have created a new named column named "entitlements" in the certificationItem.
However when I am starting the iiq server or when I am connecting to the iiq console, I can see this error in the logs :
ERROR main sailpoint.persistence.ExtendedAttributeUtil:705 - CertificationItemExtended.hbm.xml property Entitlements is not defined in ObjectConfig:Link
Why do I get this error, and is it recommended to just add a new named attribute in the link as well?
You can add the named attribute to link as well, but technically for us it didn't give any issue even if you don't have the attribute, but eventually it may get overwritten as well based on link attribute, so please test before you take a decision.
Hi @Rajesh_Thummala,
please kindly check the excellent White Paper provided here:
https://community.sailpoint.com/t5/Technical-White-Papers/Managing-Extended-Attributes/ta-p/77088
It clearly states:
"CertificationItem extended attributes should match Link extended attributes.".
Thanks,
Daniel