Recently, we had a requirement to de-provision entitlements that had been removed from an IT role that had been modified, but not removed from an active business role. Apparently that is not something IIQ does automatically. The initial difficulty that we encountered was that the previous version of the bundle describing the IT role and the entitlements therein was available only as a string, through the archive() method of the BundleArchive object. While it would certainly be possible to ferret out the differences through string operations, that didn't seem like the optimal approach.
After some searching in the class hierarchy, I found that I could reconstitute the archived object as an (almost) live IIQ Bundle by passing the String returned by the BundleArchive's archive method to the static parseXml() method of the class sailpoint.object.AbstractXmlObject, which is the great-grandparent of sailpoint.object.Bundle, and also the source of toXml(), which I rely on a great deal when logging.
The result was a fully populated Bundle that was an exact copy of the current Bundle prior to the most recent changes. At that point I was able to compare various corresponding components of each using the java.lang.Object.equals() method, which was far simpler, and seemed less prone to error than a lot of string indexing and comparisons of the XML, which had looked like our only option at the start. The code looks like this (the code for locating the most recent archive was written by my colleague Greg Zajac):
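    import sailpoint.object.AbstractXmlObject;
    import sailpoint.object.Bundle;
    import sailpoint.object.BundleArchive;

    // qo: QueryOptions selecting the archives of the modified role (built elsewhere)
    BundleArchive latestVersion = null;
    List roleVersions = context.getObjects(BundleArchive.class, qo);
    if (roleVersions.size() > 0)
    {
        // pick the archive with the highest version number
        int version = 0;
        for (BundleArchive item : roleVersions)
        {
            if (latestVersion == null || item.getVersion() > version)
            {
                version = item.getVersion();
                latestVersion = item;
            }
        }
        System.out.println("Archive Got: " + latestVersion);
        /*
        ** reconstitute archived role as real Role object
        */
        Bundle archiveCopy = (Bundle) AbstractXmlObject.parseXml(context, latestVersion.getArchive());
        if (null == archiveCopy)
        {
            throw new Exception("Could not reconstitute Role Archive item.");
        }
        else
        {
            // drop the persistent identity and rename, so the copy cannot be confused with the live role
            archiveCopy.clearPersistentIdentity();
            archiveCopy.setName(archiveCopy.getName() + ":archive Copy");
        }
    }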
While I haven't tested this with any types but Bundle, I presume that it can also be used on other archivable types, such as Identity.
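Once the archived role has been reconstituted, the entitlements that were dropped from the IT role can be listed by flattening the profile filters of both versions and taking the set difference. The following is an added example, not code from the original post or from SailPoint; the class and method names are hypothetical, it uses a set difference rather than the equals() comparison described above, and it makes the simplifying assumption that every value in a profile filter is a granted entitlement (the filter operation is ignored).

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Profile;

public class RoleArchiveDiff {

    // Flatten one profile filter into "application|attribute|value" keys,
    // descending into AND/OR composites. Simplification: operations are ignored.
    static void collect(String app, Filter f, Set<String> keys) {
        if (f instanceof Filter.CompositeFilter) {
            List<Filter> children = ((Filter.CompositeFilter) f).getChildren();
            if (children != null) {
                for (Filter child : children) collect(app, child, keys);
            }
        } else if (f instanceof Filter.LeafFilter) {
            Filter.LeafFilter leaf = (Filter.LeafFilter) f;
            Object value = leaf.getValue();
            // A leaf may carry one value or a list (e.g. containsAll)
            Collection<?> values = (value instanceof Collection)
                    ? (Collection<?>) value : Collections.singletonList(value);
            for (Object v : values) keys.add(app + "|" + leaf.getProperty() + "|" + v);
        }
    }

    // All entitlement keys granted through the profiles of one role version.
    static Set<String> entitlementKeys(Bundle role) {
        Set<String> keys = new TreeSet<String>();
        List<Profile> profiles = role.getProfiles();
        if (profiles == null) return keys;
        for (Profile p : profiles) {
            String app = (p.getApplication() != null) ? p.getApplication().getName() : "";
            List<Filter> constraints = p.getConstraints();
            if (constraints == null) continue;
            for (Filter f : constraints) collect(app, f, keys);
        }
        return keys;
    }

    // Entitlements granted by the archived version but no longer by the current one:
    // these are the candidates for de-provisioning.
    static Set<String> removedEntitlements(Bundle archiveCopy, Bundle current) {
        Set<String> removed = entitlementKeys(archiveCopy);
        removed.removeAll(entitlementKeys(current));
        return removed;
    }
}
```

Before de-provisioning anything from the returned set, check that no other role assigned to the identity still grants the same entitlement.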
Hello @howard_west, @darylclaude_medina
How do we archive a role in a workflow using the classes Archive & BundleArchive?
I tried the following code for committing a transaction instead of the inbuilt commit method, as I have to validate a few things before the role is created:
    Archive archive;
    if(bundle.getActivationDate()!=null){
        log.debug("----- Has activation date scheduled -----");
        bundle.setDisabled(true);
        bundle.setActivationDate(bundle.getActivationDate());
        context.saveObject(bundle);
        archive.setArchive(bundle.getName()); // tried to pass role name
        log.debug("-----Bundle archived and is in disabled state -----"+archive);
        context.commitTransaction();
    }
Please let me know if you have any inputs.
Hi, did you find any solution for this?
Hi, any solution for this? Do the SailPoint APIs have any way to archive a role? We change the role attributes programmatically on several occasions, and archiving the bundle via the API would be a much recommended add-on. Thanks