
IdentityIQ 8.0: File attachments in access requests



File attachments in access requests

The new attachments feature enables users to add attachments to single-user access requests. For example, you could attach a training certificate or a notarized document of authorization to a request.


Here are some key points for this feature:

  • The option for including attachments can be switched on or off, system-wide
  • Attachments can only be used with single-identity access requests. That is, the attachment option is not available for access requests that include multiple identities.
  • You can add multiple attachments to each request item
  • You can add attachments to permitted roles that may be included with an access request item
  • You can designate items as requiring attachment, via rules
  • You can review attachments during the approval process, and when the access request is archived
  • File size and type limits for attachments are configured globally
  • The feature supports encryption of file attachments
  • In version 8.0 of IdentityIQ, attachments are NOT supported in custom workflow/forms


Enabling file attachments

To enable the file attachments feature:

  1. Click the gear menu and navigate to Global Settings > IdentityIQ Configuration
  2. Click the Miscellaneous tab
  3. In the Attachment Settings section of the Miscellaneous tab, enable and configure file attachments:
    • Enable Attachments: check the box to enable file attachments
    • Maximum file size (MB): set the maximum file size, in megabytes, for each attachment. The default is 5 MB, and the system maximum is 20 MB.
    • Supported file types: list the types of file attachments you want to support, in a comma-separated list. You do NOT need to include a dot prefix for the file type. For example, txt, jpg, png, pdf
    • Configuration Rules: if you want to require attachments for particular use cases (such as job title, location, et cetera), use a rule to enforce the requirement. Any Attachment Configuration rules that have been confirmed on your IdentityIQ instance are listed here. You can select multiple rules to implement, by using Ctrl-click. Note, only rules with a rule type of AttachmentConfig are used to govern attachment behavior and are listed here.
  4. Save your changes.


Required vs. optional attachments

When you enable attachments, you can make them either optional, or required. Requirements for attachments are managed through rules, and rule logic gives you flexibility on how to implement your requirements for attachments. For example, you might require attachments based on job title, location, the specific access being requested, et cetera. You can implement multiple rules to manage various use cases or requirements. IdentityIQ version 8.0 includes some sample rules that you can use as a model for developing your own.


Rules that govern file attachments are of rule type AttachmentConfig. Any rules with a type of AttachmentConfig appear in the selection list of rules in Global Settings. You can choose more than one rule to govern requirements for attachments; use Ctrl-click to select multiple rules to activate. Some sample rules are included out-of-the-box with IdentityIQ version 8.0.


Attachment rules are inactive by default. To activate rules that govern attachments:

  1. Click the gear menu and navigate to Global Settings > IdentityIQ Configuration
  2. Click the Miscellaneous tab.
  3. In the Attachment Settings section of the Miscellaneous tab, click to select all the rules you want to activate. Use Ctrl-click to select multiple rules. Selected rules are highlighted in blue.
  4. Save your changes. When you save your changes, the active rules remain highlighted.


Adding file attachments to access requests

When you create an Access Request, file attachments can be added on the Review and Submit tab of the request. Attachments are added to individual access request items, and can also be added for specific roles that may be included with the access request item. Note that attachments can NOT be added to requests that encompass multiple identities; they can be added for single-identity requests only.


To add an attachment, click the attachment (paper clip) icon. You can browse to files, or drag and drop them into the dialog.


Once you've added an attachment, you have the option to add a description, download the attachment, or delete the attachment. You can also add more attachments to the request.


If you try to add an attachment for a file type that is not supported, or that exceeds the maximum file size that was configured for attachments, you will see an error.


Viewing attachments when approving requests

When an Access Request item includes file attachments, the reviewer sees a green attachment icon indicating the presence and number of attachments. The reviewer can click the icon to download and view the attachment. IdentityIQ does not have any built-in viewers; in order to open and view an attachment, the user must have the appropriate application installed (for example, Adobe Acrobat or similar, to open and view a PDF attachment).



Who can view attachments

The requester or the requestee can view and download the attachment via the Access Request details. Approval owners can view or download the attachment in the approval. System Administrators can also view and download attachments at any stage of the request or review process. Other users will see that an attachment has been included, but will not be able to access the attachment for viewing or download.


Working with attachment rules

Rules that govern requirements for attachments use BeanShell to determine the rule's behavior. BeanShell provides a great deal of flexibility in what your rules can do, including things like who or what the rule applies to, and what messaging the UI will show users regarding attachments. This section shows a simple example rule, to help you understand how to create your own attachment rules.


Sample attachment configuration rule - Contractor work authorization form

This sample attachment configuration rule enforces a requirement that any time access is requested for a contractor identity, a Contractor Authorization Form must be attached to the request. The sections below explain some specific areas of the rule's elements and BeanShell code.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
<Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">
    <Description>Returns configs for contractor work authorization.</Description>
    <Signature returnType="java.util.List">
        <Inputs>
            <Argument name="log"/>
            <Argument name="context"/>
            <Argument name="requester" type="sailpoint.object.Identity"/>
            <Argument name="requestee" type="sailpoint.object.Identity"/>
            <Argument name="requestedItem" type="sailpoint.object.SailPointObject"/>
            <Argument name="action" type="java.lang.String"/>
            <Argument name="configList"/>
        </Inputs>
    </Signature>
    <Source><![CDATA[
      import sailpoint.object.*;
      import java.util.*;
      import sailpoint.service.*;
      // Util.nullSafeEq comes from sailpoint.tools
      import sailpoint.tools.Util;

      // Result is always a list of AttachmentConfigDTOs. The list may be empty but shouldn't be null.
      List result = new ArrayList();

      if (requestee != null) {
          String employeeType = requestee.getType();
          // Apply the requirement only when access is being added for a contractor.
          if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
              result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
          }
      }

      return result;
    ]]></Source>
</Rule>
</sailpoint>


The rule type

In the Rule element of the XML, the rule type is specified as AttachmentConfig. This is what indicates that the rule applies to Attachments, and what makes the rule appear in the Attachment Settings area of the IdentityIQ Global Configuration (gear menu > Global Settings > IdentityIQ Configuration > Miscellaneous Tab). The Rule element also provides the name of the rule as it will appear in the configuration UI.


<Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">



Who this rule applies to

The condition in the BeanShell code here specifies that this rule applies to identities of employee type "contractor":


if (requestee != null) {
    String employeeType = requestee.getType();
    if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
        result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
    }
}


Required attachments in the UI

Here's an example of the Access Request UI showing a request for a user who is a contractor, with our sample Contractor Work Auth Rule in force. Note that the attachment icon includes text indicating that it is required.


Attachment overlay text

The BeanShell code can also determine the message that appears on the overlay screen when the requestor clicks the Attachment link.


if (requestee != null) {
    String employeeType = requestee.getType();
    if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
        result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
    }
}



Error message - Missing attachment

When an attachment rule is enabled, the requestor will see an error message if they try to submit an access request without the required attachment.
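
A second rule in the same shape, keyed on the specific access being requested rather than on the identity type, as the "Required vs. optional attachments" section suggests. This is an added example, not one of the sample rules shipped with IdentityIQ and not code from the original page; the rule name, the "Privileged - " role-name prefix and the prompt texts are hypothetical, and AttachmentConfigDTO is constructed exactly as in the sample rule above.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
<!-- Added example: rule name, role-name prefix and prompts are hypothetical. -->
<Rule language="beanshell" name="Privileged Role Approval Form Rule" type="AttachmentConfig">
    <Description>Requires a signed approval form when a privileged role is requested.</Description>
    <Signature returnType="java.util.List">
        <Inputs>
            <Argument name="log"/>
            <Argument name="context"/>
            <Argument name="requester" type="sailpoint.object.Identity"/>
            <Argument name="requestee" type="sailpoint.object.Identity"/>
            <Argument name="requestedItem" type="sailpoint.object.SailPointObject"/>
            <Argument name="action" type="java.lang.String"/>
            <Argument name="configList"/>
        </Inputs>
    </Signature>
    <Source><![CDATA[
      import sailpoint.object.*;
      import sailpoint.service.*;
      import sailpoint.tools.Util;
      import java.util.*;

      // Assumed naming convention: privileged roles start with this prefix.
      String PRIVILEGED_PREFIX = "Privileged - ";

      // Always return a list; an empty list means this rule imposes no requirement.
      List result = new ArrayList();

      // Only additions of roles are in scope; removals and entitlements pass through.
      if (Util.nullSafeEq(action, "add") && requestedItem instanceof Bundle) {
          String roleName = requestedItem.getName();
          if (roleName != null && roleName.startsWith(PRIVILEGED_PREFIX)) {
              // Tailor the overlay prompt to self-requests versus requests made for someone else.
              boolean selfRequest = requester != null && requestee != null
                      && Util.nullSafeEq(requester.getName(), requestee.getName());
              String prompt = selfRequest
                      ? "Attach the approval form signed by your manager."
                      : "Attach the signed approval form for " + roleName + ".";
              result.add(new AttachmentConfigDTO(true, prompt));
          }
      }

      return result;
    ]]></Source>
</Rule>
</sailpoint>
```

Like any AttachmentConfig rule, it stays inactive until it is selected in the Attachment Settings section and the change is saved.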



Hi @boilermakerny

In the SSF Framework, the same feature was available, and in this link PDF you can see the objects that are being used. I am not entirely sure if the IdentityIQ 8.0 version uses the same objects.
In order to achieve what you are looking for, you would need to do the following:

1) In the custom workflow, have a form that can upload a file.
2) Create a Java library that can store the uploaded file into the IdentityIQ database table. (either a new or existing access request table) Make sure to add the Java library class to the custom workflow.
3) You wouldn't have to worry about the jars for the upload capability since they are available in identityIQ/WEB-INF/lib. Jar name - commons-fileupload-1.3.3.jar (one thing to check is the IdentityIQ versions that contain the jar)

Rohit Prabhu

Hello @rohit_prabhu - thank you for the advice!



If we want to allow members of a work group to view and download attachments, is this possible?

@cathy_mallet I am having trouble finding documentation relating to where in the db attachments are stored. I'd like to be able to set a purge date for attachments, as I have limited db space, and no requirement to keep attachments. Only the record of the request approval.

@cathy_mallet @darylclaude_medina 

Where are those files stored in a physical location, apart from the tables?

Kindly let me know, please.

Hi, is it possible to add attachments to "Create Identity"?

Version history
Revision #: 3 of 3
Last update: Apr 28, 2023 09:37 PM
Updated by: