Back to the IdentityIQ 8.0 overview: What's new in IdentityIQ 8.0
The new attachments feature enables users to add attachments to single-user access requests. For example, you could attach a training certificate or a notarized document of authorization to a request.
Here are some key points for this feature:
To enable the file attachments feature:
When you enable attachments, you can make them either optional, or required. Requirements for attachments are managed through rules, and rule logic gives you flexibility on how to implement your requirements for attachments. For example, you might require attachments based on job title, location, the specific access being requested, et cetera. You can implement multiple rules to manage various use cases or requirements. IdentityIQ version 8.0 includes some sample rules that you can use as a model for developing your own.
Rules that govern file attachments are of rule type AttachmentConfig. Any rules with a type of AttachmentConfig appear in the selection list of rules in Global Settings. You can choose more than one rule to govern requirements for attachments; use Ctrl-click to select multiple rules to activate. Some sample rules are included out-of-the-box with IdentityIQ version 8.0.
Attachment rules are inactive by default. To activate rules that govern attachments:
When you create an Access Request, file attachments can be added on the Review and Submit tab of the request. Attachments are added to individual access request items, and can also be added for specific roles that may be included with the access request item. Note that attachments can NOT be added to requests that encompass multiple identities; they can be added for single-identity requests only.
To add an attachment, click the attachment (paper clip) icon. You can browse to files, or drag and drop them into the dialog:
Once you've added an attachment, you have the option to add a description, download the attachment, or delete the attachment. You can also add more attachments to the request.
If you try to add an attachment for a file type that is not supported, or that exceeds the maximum file size that was configured for attachments, you will see an error.
When an Access Request item includes file attachments, the reviewer sees a green attachment icon indicating the presence and number of attachments. The reviewer can click the icon to download and view the attachment. IdentityIQ does not have any built-in viewers; in order to open and view an attachment, the user must have the appropriate application installed (for example, Adobe Acrobat or similar, to open and view a PDF attachment).
The requester or the requestee can view and download the attachment via the Access Request details. Approval owners can view or download the attachment in the approval. System Administrators can also view and download attachments at any stage of the request or review process. Other users will see that an attachment has been included, but will not be able to access the attachment for viewing or download.
Rules that govern requirements for attachments use BeanShell to determine the rule's behavior. BeanShell provides a great deal of flexibility in what your rules can do, including things like who or what the rule applies to, and what messaging the UI will show users regarding attachments. This section shows a simple example rule, to help you understand how to create your own attachment rules.
This sample attachment configuration rule enforces a requirement that any time access is requested for a contractor identity, a Contractor Authorization Form must be attached to the request. The sections below explain some specific areas of the rule's elements and BeanShell code.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
<Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">
<Description>Returns configs for contractor work authorization.</Description>
<Signature returnType="java.util.List">
<Inputs>
<Argument name="log">
<Description>
</Description>
</Argument>
<Argument name="context">
<Description>
</Description>
</Argument>
<Argument name="requester" type="sailpoint.object.Identity">
<Description>
</Description>
</Argument>
<Argument name="requestee" type="sailpoint.object.Identity">
<Description>
</Description>
</Argument>
<Argument name="requestedItem" type="sailpoint.object.SailPointObject">
<Description>
</Description>
</Argument>
<Argument name="action" type="java.lang.String">
<Description>
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="configList">
<Description>
</Description>
</Argument>
</Returns>
</Signature>
<Source>
import sailpoint.object.*;
import java.util.*;
import sailpoint.service.*;
import sailpoint.tools.Util;
// Result is always a list of AttachmentConfigDTOs. The list may be empty but shouldn't be null.
List result = new ArrayList();
if (requestee != null) {
String employeeType = requestee.getType();
if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
}
}
return result;
</Source>
</Rule>
</sailpoint>
In the Rule element of the XML, the rule type is specified as AttachmentConfig. This is what indicates that the rule applies to Attachments, and what makes the rule appear in the Attachment Settings area of the IdentityIQ Global Configuration (gear menu > Global Settings > IdentityIQ Configuration > Miscellaneous Tab). The Rule element also provides the name of the rule as it will appear in the configuration UI.
<Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">
The bolded BeanShell code here specifies that this rule applies to identities of employee type "contractor":
if (requestee != null) {
String employeeType = requestee.getType();
if (Util.nullSafeEq(employeeType, "contractor")) && Util.nullSafeEq(action, "add")) {
result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
Here's an example of the Access Request UI showing a request for a user who is a contractor; with our sample Contractor Work Auth Rule in force. Note that the attachment icon includes text indicating that it is required.
The BeanShell code can also determine the message that appears on the overlay screen when the requestor clicks the Attachment link.
if (requestee != null) {
String employeeType = requestee.getType();
if (Util.nullSafeEq(employeeType, "contractor")) && Util.nullSafeEq(action, "add")) {
result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
When an attachment rule is enabled, the requestor will see an error message if they try to submit an access request without the required attachment.
Nice feature, it would be good to allow requestee to attach files even after the request is submitted. An example would be that the approver is requiring further documentation
@cathy_mallet Where are the attachments stored? Are they stored in the DB?
Thanks.
@GreeneT , yes, they are stored in the database (encrypted).
@cathy_mallet Thank you
Nice feature. We have a requirement for uploading reference documents. it is helpful
Can we enable this feature in 7.3 environment ?
Why is it not available for access requests that include multiple identities? It could be very helpful.
This looks great - Is there any way we can expand this feature to strip attachments from an incoming email? i.e. for a pass request system, users must submit an image which is done via email (due to security filtering etc. it remains the preferred method).
We'd like IIQ to strip the attachment automatically and attach it to a request, which will be necessary to complete birthright access provisioning. We could then use smarts around emailID etc. to link it up with the joining identity.
Hi,
Are there anymore examples on AttachmentConfig rules?
We want to enforce attachment requirement for specific roles, can we get requested roles from requestedItem?
Please advise
Thanks
@cathy_mallet this is great!
I notice it is specifically mentioned that this feature is not available for custom workflows/forms in IdentityIQ 8.0 - Do you know if it is now possible to leverage this capability with custom workflows in IdentityIQ 8.1 (or targeted for a future version?) If not, can you provide point me in a direction or provide further details on how the attachment feature is implemented in OOTB access requests such that my team might be able to code a solution for to replicate this capability for a custom workflow?
Many thanks.