Recently, we had a requirement to de-provision entitlements that had been removed from an IT role that had been modified, but not removed from an active business role. Apparently that is not something IIQ does automatically. The initial difficulty that we encountered was that the previous version of the bundle describing the IT role and the entitlements therein was available only as a string, through the archive() method of the BundleArchive object. While it would certainly be possible to ferret out the differences through string operations, that didn't seem like the optimal approach.
After some searching in the class hierarchy, I found that I could reconstitute the archived object as an (almost) live IIQ Bundle by\ passing the String returned by the BundleArchive's archive method to the static parseXml() method of the class sailpoint.object.AbstractXmlObject, which is the great-grandparent of sailpoint.object.Bundle, and also the source of toXml(), which I rely on a great deal when logging.
The result was a fully populated Bundle that was an exact copy of the current Bundle prior to the most recent changes. At that point I was able to compare various corresponding components of each using the java.lang.Object.equals() method, which was far simpler, and seemed less prone to error than a lot of string indexing and comparisons of the XML, which had looked like our only option at the start. The code looks like this (the code for locating the most recent archive was written by my colleague Greg Zajac):
BundleArchive latestVersion;
List roleVersions = context.getObjects(BundleArchive.class, qo);
if (roleVersions.size() > 0)
{
int version = 0;
for (BundleArchive item : roleVersions)
{
if (item.getVersion() > version)
{
version = item.getVersion();
latestVersion = item;
}
}
System.out.println("Archive Got: " + latestVersion);
/*
** reconstitute archived role as real Role object
*/
Bundle archiveCopy = AbstractXmlObject.parseXml(context, latestVersion.getArchive());
if(null == archiveCopy)
{
throw new Exception("Could not reconstitute Role Archive item.");
}
else
{
archiveCopy.clearPersistentIdentity();
archiveCopy.setName(archiveCopy.getName() + ":archive Copy");
}
While I haven't tested this with any types but Bundle, I presume that it can also be used on other archivable types, such as Identity.
