The new attachments feature enables users to add attachments to single-user access requests. For example, you could attach a training certificate or a notarized document of authorization to a request.
Here are some key points for this feature:
To enable the file attachments feature:
When you enable attachments, you can make them either optional or required. Requirements for attachments are managed through rules, and rule logic gives you flexibility in how you implement your requirements for attachments. For example, you might require attachments based on job title, location, the specific access being requested, et cetera. You can implement multiple rules to manage various use cases or requirements. IdentityIQ version 8.0 includes some sample rules that you can use as a model for developing your own.
Rules that govern file attachments are of rule type AttachmentConfig. Any rules with a type of AttachmentConfig appear in the selection list of rules in Global Settings. You can choose more than one rule to govern requirements for attachments; use Ctrl-click to select multiple rules to activate. Some sample rules are included out-of-the-box with IdentityIQ version 8.0.
Attachment rules are inactive by default. To activate rules that govern attachments:
When you create an Access Request, file attachments can be added on the Review and Submit tab of the request. Attachments are added to individual access request items, and can also be added for specific roles that may be included with the access request item. Note that attachments can NOT be added to requests that encompass multiple identities; they can be added for single-identity requests only.
To add an attachment, click the attachment (paper clip) icon. You can browse to files, or drag and drop them into the dialog:
Once you've added an attachment, you have the option to add a description, download the attachment, or delete the attachment. You can also add more attachments to the request.
If you try to add an attachment for a file type that is not supported, or that exceeds the maximum file size that was configured for attachments, you will see an error.
When an Access Request item includes file attachments, the reviewer sees a green attachment icon indicating the presence and number of attachments. The reviewer can click the icon to download and view the attachment. IdentityIQ does not have any built-in viewers; in order to open and view an attachment, the user must have the appropriate application installed (for example, Adobe Acrobat or similar, to open and view a PDF attachment).
The requester or the requestee can view and download the attachment via the Access Request details. Approval owners can view or download the attachment in the approval. System Administrators can also view and download attachments at any stage of the request or review process. Other users will see that an attachment has been included, but will not be able to access the attachment for viewing or download.
Rules that govern requirements for attachments use BeanShell to determine the rule's behavior. BeanShell provides a great deal of flexibility in what your rules can do, including things like who or what the rule applies to, and what messaging the UI will show users regarding attachments. This section shows a simple example rule, to help you understand how to create your own attachment rules.
This sample attachment configuration rule enforces a requirement that any time access is requested for a contractor identity, a Contractor Authorization Form must be attached to the request. The sections below explain some specific areas of the rule's elements and BeanShell code.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">
    <Description>Returns configs for contractor work authorization.</Description>
    <Signature returnType="java.util.List">
      <Inputs>
        <Argument name="log">
          <Description>
          </Description>
        </Argument>
        <Argument name="context">
          <Description>
          </Description>
        </Argument>
        <Argument name="requester" type="sailpoint.object.Identity">
          <Description>
          </Description>
        </Argument>
        <Argument name="requestee" type="sailpoint.object.Identity">
          <Description>
          </Description>
        </Argument>
        <Argument name="requestedItem" type="sailpoint.object.SailPointObject">
          <Description>
          </Description>
        </Argument>
        <Argument name="action" type="java.lang.String">
          <Description>
          </Description>
        </Argument>
      </Inputs>
      <Returns>
        <Argument name="configList">
          <Description>
          </Description>
        </Argument>
      </Returns>
    </Signature>
    <Source>
      import sailpoint.object.*;
      import java.util.*;
      import sailpoint.service.*;
      import sailpoint.tools.Util;
      // Result is always a list of AttachmentConfigDTOs. The list may be empty but shouldn't be null.
      List result = new ArrayList();
      if (requestee != null) {
        String employeeType = requestee.getType();
        // The logical AND is written as &amp;&amp; so that the rule XML stays well-formed.
        if (Util.nullSafeEq(employeeType, "contractor") &amp;&amp; Util.nullSafeEq(action, "add")) {
          result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
        }
      }
      return result;
    </Source>
  </Rule>
</sailpoint>
In the Rule element of the XML, the rule type is specified as AttachmentConfig. This is what indicates that the rule applies to Attachments, and what makes the rule appear in the Attachment Settings area of the IdentityIQ Global Configuration (gear menu > Global Settings > IdentityIQ Configuration > Miscellaneous Tab). The Rule element also provides the name of the rule as it will appear in the configuration UI.
<Rule language="beanshell" name="Contractor Work Auth Rule" type="AttachmentConfig">
The employeeType check in this BeanShell code specifies that this rule applies to identities of employee type "contractor":
if (requestee != null) {
  String employeeType = requestee.getType();
  if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
    result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
  }
}
Here's an example of the Access Request UI showing a request for a user who is a contractor, with our sample Contractor Work Auth Rule in force. Note that the attachment icon includes text indicating that it is required.
The BeanShell code can also determine the message that appears on the overlay screen when the requestor clicks the Attachment link.
if (requestee != null) {
  String employeeType = requestee.getType();
  if (Util.nullSafeEq(employeeType, "contractor") && Util.nullSafeEq(action, "add")) {
    // The second constructor argument is the message text shown to the requestor.
    result.add(new AttachmentConfigDTO(true, "Please attach signed work authorization form."));
  }
}
When an attachment rule is enabled, the requestor will see an error message if they try to submit an access request without the required attachment.
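The following is an added example, not part of the original article or of the sample rules shipped with IdentityIQ. It extends the sample rule to the "specific access being requested" case mentioned earlier: an attachment is required for contractors and, separately, for roles on a sensitive list. The role names are hypothetical, and the code assumes that requestedItem is a sailpoint.object.Bundle when a role is requested and that each matching case may add its own entry to the returned list.

```java
// Added example: body for the <Source> element of a rule of type AttachmentConfig.
// IdentityIQ supplies requestee, requestedItem and action (see the rule Signature).
import sailpoint.object.*;
import sailpoint.service.*;
import sailpoint.tools.Util;
import java.util.*;

// Hypothetical role names, constructed for this example.
Set sensitiveRoles = new HashSet(Arrays.asList(new String[] {
    "Example Finance Approver", "Example Database Administrator" }));

// The result is always a list; it may be empty but should not be null.
List result = new ArrayList();

// Only "add" requests need supporting evidence; anything else gets no requirement.
if (requestee == null || !Util.nullSafeEq(action, "add")) {
    return result;
}

// Case 1 (same condition as the sample rule): access added for a contractor.
if (Util.nullSafeEq(requestee.getType(), "contractor")) {
    result.add(new AttachmentConfigDTO(true,
        "Please attach signed work authorization form."));
}

// Case 2 (assumption: roles arrive as Bundle objects): a role on the
// sensitive list requires an attachment whatever the identity type.
if (requestedItem instanceof Bundle
        && sensitiveRoles.contains(requestedItem.getName())) {
    result.add(new AttachmentConfigDTO(true,
        "Please attach the approval record for this sensitive role."));
}

return result;
```

When this body is placed inside the rule XML, write each && as &amp;&amp; or wrap the source in a CDATA section so the file remains well-formed.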
Hi @boilermakerny
In the SSF Framework, the same feature was available, and in this linked PDF https://community.sailpoint.com/t5/Services-Standard-Deployment/SSD-Access-Request-Attachments-User-...
you can see the objects that are being used. I am not entirely sure if the IdentityIQ 8.0 version uses the same objects.
In order to achieve what you are looking for, you would need to do the following:
1) In the custom workflow, have a form that can upload a file.
2) Create a Java library that can store the uploaded file into the IdentityIQ database table (either a new or existing access request table). Make sure to add the Java library class to the custom workflow.
3) You wouldn't have to worry about the jars for the upload capability since they are available in identityIQ/WEB-INF/lib. Jar name - commons-fileupload-1.3.3.jar (one thing to check is the IdentityIQ versions that contain the jar)
Thanks
Rohit Prabhu
If we want to allow members of a work group to view and download attachments, is this possible?
@cathy_mallet I am having trouble finding documentation relating to where in the db attachments are stored. I'd like to be able to set a purge date for attachments, as I have limited db space, and no requirement to keep attachments. Only the record of the request approval.
@cathy_mallet @darylclaude_medina
Where are those files stored in a physical location, apart from the tables?
Kindly let me know, please.
Hi, is it possible to add attachments to "Create Identity"?