IdentityIQ does not allow for violations on objects other than Identities, and will only allow one PolicyViolation per Constraint. This Policy Engine allows you to generate any number of PolicyViolations for potentially any SailPointObject. I only have ManagedAttribute implemented, and it is specific to AD Groups, but the base is here.
This PolicyEngine implements the PartitionedRule that is posted here https://community.sailpoint.com/docs/DOC-8968. This zip file does contain the PartitionedRule code, so you do not need to add it separately. But if you want information on the PartitionedRule you can follow the link above.
To use, you will need to add the code to your repository and update all the package locations accordingly. I highly recommend using the SSB (Services Standard Build) for this. Once you have everything hooked up, you need to create active Advanced Policies with active Constraints and point to Rules. The Rule may return more than one PolicyViolation and, if you tag your Policy correctly, you can generate PolicyViolations for ManagedAttributes. When you write a Policy for this Engine, IIQs Policy Engine will fail. This becomes obvious when you run LCM Provisioning where Running Policies is on by default. You will likely need to turn this off or limit the Policies that LCM Provisioning is using.
From the user perspective, you initiate the PolicyEngine by creating a TaskDefinition of the type “Partitioned Rule”. Fill in the options
I have 4 TaskDefinitions included a simulation and real a version of Account and Group PolicyViolations.
The user will also need to set up at least one Policy for the PolicyEngine to run on. You will need to use an Advanced Policy, and your Constraint will need to use the method “Rule” and point to a Rule object. Also, your Policy must have an argument called “policyType” added to it. The “policyType” is used to indicate which Policies are relevant to the Runners. This needs to be done from the Debug page or in code.
The Rule needs to be able to handle the SailPointObject you are passing it, but can return as many policyViolations you wish. The Runner will aggregate them together for reporting and saving. As a result of these changes, the simulation button from the Policy page may not work, and I suggest that they not be used for these Policies.
Assuming you are running “Account Check Active Policies,” the Partitioned Rule will split your Identities into partitions and will run each Identity on the “Account Policy Runner”. “Account Policy Runner” looks up the Policies that are tagged with the “policyType” of “account”. Once the engine has all the relevant policies, it will check if the Policy and the Constraint are active then extract the Rule from the Policy and run the Rule. The Rule will return a List<PolicyViolation>, and the Runner will do a diff and save the new PolicyViolations, delete the old ones, and return the aggregated data to Partitioned Rule to be displayed on the TaskResults page.
The core of the PolicyEngine. Coordinates what Policies need to run and aggregates the resulting PolicyViolations, diffs them, updates them, and returns the results to the Partitioned Rule.
Concrete implementation of PolicyRunner that runs on Identities. Can return more than one PolicyViolation.
Concrete implementation of PolicyRunner that runs on ManagedAttributes. Can return more than one PolicyViolation and saves spadmin as the target for all of them.
Required to cleanup Policies that are targeting non-Identity objects. For example, if you have a PolicyViolation on a group that was deleted you will need to run PolicyCleanup to delete the PolicyViolation.
Generic TaskDefintion and code to run any Rule on every SailPointObject specified. See https://community.sailpoint.com/docs/DOC-8968 for more info.
Just the common code that PolicyEngine uses
The xhtml page that allows you to see the results of the PolicyEngine. NOTE: you must update faces-config.xml for this to work without crashing the UI
faces-config.xml
I have included our file but you should take the last bean in the file and paste it into your faces-config.xml to ensure that you have all the configurations you need for your version of IIQ.
CollectedPolicyImpactAnalysis
This is used by partitionedPolicyImpactAnalysis.xhtml and mapped by faces-config.xml so that the UI page may render without brining the server down.
Known Issues/Weird Quarks
Hi,
cool, I assume the same principle will work for bundles as well. We have some constellations where a role composition is containing policy violations. That would be nice to show it independent of identities.
Regards
Martin
You should only need to extend PolicyRunner for the SailPointObject you want to make a PolicyViolation for. Then make a TaskDefintion that will run the new PolicyRunner. I tried to make it pretty generic but I only have my usecases to work with so I cannot garentee that it will work with no other modifcation, but I think it will.
Let me know if you need any help.
Hi John,
thank you for the reply. I will let you know as soon as tested.
Martin
curious if this worked for you.
Hi,
no, actually the project focus slipped to other priorities. I will follow up as soon as this top comes back
Martin
Hi, thois sounds great as it imlements exactly these two functionalities, that I'm missing:
1.) returning ,more than one policy violations per identity and constraint - due to thatlimitation, I've written my own beanshell code to store the multiple violation information in the description field, but that's limited to 4k length.
2.) partitioning the policy run
So I'll definitely give it a try.
My question: will it work on Sailpoint v8.3 and potentially 8.4 (as we will update begin of 2024) ?