Using IDNRuleUtil as a Wrapper for Common Rule Operations


This article will teach you how to configure searchable account attributes within IdentityNow and then leverage them through the IDNRuleUtil wrapper class when searching accounts for things such as uniqueness checks. The IDNRuleUtil wrapper class also has methods that you can use without the additional searchable attributes.

Search attributes allow you to search across accounts and sources to determine if a specific attribute value is being used in your IdentityNow environment.

There are two different components that are critical to searchable attributes:

  • Configuration of search attributes within the IdentityNow system.

    • Seed data for accounts already aggregated into the system.

    • Ensure attribute promotion happens for new/changed accounts that are aggregated.

  • Creation of rules that can be used to query the attribute values

  • Implement these rules within the Create Profile of each source for which an account is being provisioned.

 

Configuration of Search Attributes within the IdentityNow system

When planning to implement search attributes, it is important to consider how new accounts will have their values generated and what attributes should be used as reference.

  • Information to gather

    • IDs for sources that will be searched

      • The external ID for the source

    • Attribute name for each source that will be searched

      • The attribute name (such as mail, email, emailAddress)

    • Name for new attribute that will become common to all accounts in the Account Search configuration.

      • The new attribute name that will house the promoted value (newMail, newEmail, newEmailAddress)

    • Display name for new attribute configuration.

      • “newEmailAddressDisplayName”

Please use the following API docs to complete the Account Search configuration:

Account Search API Documentation

Example:

A company has two sources. The first is Active Directory and the second is Workday. When new accounts are aggregated into the system, they wish to query IdentityNow to see if an email address is in existence. If the email address is not in use, it can be assigned to the new account. If it is in use, we can iterate on the email address value (add a 1 for example). We can then query IdentityNow once more to see if our incremented email address is in use. We can repeat this procedure until we have determined that an email address is unique.

  • Information to gather

    • IDs for sources

      • Active Directory: “4028112837fe14c70177fe1955e9032c”

      • Workday: “4028812877fa18c72177fs195baa0341”

    • Attribute name for each source that will be searched. In this case, we want to identify which attribute on the account contains the email address.

      • Active Directory: “mail”

      • Workday: “emailAddress”

    • Name for the new attribute value that will exist on each account after attribute promotion occurs

      • “promotedEmailAddress”

    • Display name for new attribute value configuration

      • “Promoted Email Address”

 

Create the Search Attributes configuration within IdentityNow

  1. Create the Account Search configuration within IdentityNow by calling the POST API specified in the docs. Example:

{
  "name": "promotedEmailAddress",
  "displayName": "Promoted Email Address",
  "applicationAttributes": 
    {
      "4028112837fe14c70177fe1955e9032c": "mail",
      "4028812877fa18c72177fs195baa0341": "emailAddress"
    }
}

This will create an Account Search configuration for the two sources/attributes specified. All new/changed accounts that are aggregated will have this new attribute ("promotedEmailAddress") created in the account schema, and the value of the source attribute ("mail" or "emailAddress", depending on the source) will be promoted to that new attribute.


NOTE: AGGREGATION ONLY PROCESSES NEW AND/OR CHANGED ACCOUNTS FOR MANY SOURCES. THIS MEANS THAT IF AN ACCOUNT IS UNCHANGED, AN AGGREGATION WILL NOT SEED THE NEW ATTRIBUTE OR ITS VALUE FOR THIS ACCOUNT. FOR THIS REASON, IT IS MANDATORY THAT A NON-OPTIMIZED AGGREGATION BE PERFORMED WHEN AN ACCOUNT SEARCH CONFIGURATION IS CREATED/MODIFIED, FOR EACH SOURCE INVOLVED IN THAT CONFIGURATION.


  2. If this source has already been aggregated before the Account Search configuration was created, a non-optimized aggregation must be performed at this time to seed the new attribute data for all existing accounts.

At this point, the configuration exists to promote attributes on any new/changed account that comes into IdentityNow. These attributes and their associated values are stored for use in custom rules. Each account that exists on either of these sources will now have a new attribute called “promotedEmailAddress”. The value of this attribute will be the value of “mail” if it was the Active Directory Source or “emailAddress” if it was the Workday source.

 

Creation of the rules that can be used to query the attribute values

  1. To access the promoted attribute data mentioned in the above section, library methods have been implemented to give rules access to that data. There are two such methods.

/**
 * Count the accounts that match the searchable attribute and value.
 *
 * @param sourceIds The list of Application ids that represent the sources of the data.
 * @param attributeName  The name of the searchable account attribute. The name parameter is required.
 * @param operation The operation to use when matching, it'll either be "Equals" OR "StartsWith."
 * @param values The values of that searchable attribute to match.  The values parameter is required.
 *
 * @return The number of accounts that match the parameters provided.
 */
public int attrSearchCountAccounts(List<String> sourceIds, String attributeName, String operation, List<String> values)
/**
 * Get the identity name for the account matching the specified criteria.
 *
 * @param sourceIds The list of Application ids that represent the sources of the data
 * @param attributeName  The name of the searchable account attribute. The name parameter is required.
 * @param operation The operation to use when matching, it'll either be Equals or StartsWith.
 * @param values The values of that searchable attribute to match.  The values parameter is required.
 *
 * @return The name of the Identity that matched the account that match the parameters provided.
 */
public String attrSearchGetIdentityName(List<String> sourceIds, String attributeName, String operation, List<String> values)

Each of these utility library methods is loaded into the context that is available from within your custom rule. They can be accessed by prefixing the method call with "idn.".

Example: We want to use the promoted attribute data to determine the uniqueness of an email address before it is used to provision a new account to one of the sources involved in the Account Search configuration. A call to these methods can be used to determine that uniqueness.

import sailpoint.object.*;
import java.util.*;
import sailpoint.rule.*;
import org.apache.commons.lang.StringUtils;

// Source IDs from the Account Search configuration (Active Directory, Workday)
List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{"4028112837fe14c70177fe1955e9032c","4028812877fa18c72177fs195baa0341"}));
String PROMOTED_ATTR_NAME = "promotedEmailAddress";
String SEARCH_OP = "StartsWith"; // Can also use "Equals"
List SEARCH_VALUES = new ArrayList(Arrays.asList(new String[]{"jc@sailpoint.com"}));

// Return the number of matching accounts
return idn.attrSearchCountAccounts(SOURCE_IDS, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES);

// In the event the above call returns a non-zero value, it is certain
// that the email value is already in use. Should it be required to
// know which identity owns the account with this value, this method
// can be called:
// idn.attrSearchGetIdentityName(SOURCE_IDS, PROMOTED_ATTR_NAME, SEARCH_OP, SEARCH_VALUES);

Note that there are two method calls from within the example rule above.

  1. idn.attrSearchCountAccounts

    1. Calling this method with both example source IDs will cause a search of all accounts for the value promotedEmailAddress = "jc@sailpoint.com". It will return the count of accounts that contain that attribute/value pair.

  2. idn.attrSearchGetIdentityName

    1. In the event idn.attrSearchCountAccounts returns non-zero, it may be useful to determine which identity owns the account(s) that contain that value. This method will return that identity name.

 

Implementing rules within the Create Profile of each source

Rules can be invoked in different ways but one of the most common implementations involves binding it to the create profile. This will result in the rule being used to generate/check values that are used during new account provisioning.

In the example above, when a “Generator” is selected for the “distinguishedName” attribute, a rule can be selected that invokes the provided library methods. An example of this would be the following scenario.

  1. Through a Lifecycle State Change, an account needs to be provisioned to an Active Directory source.

  2. When the provisioning plan is created, the rule that generates the value for distinguishedName is called. The rule invokes the library methods mentioned above to determine the uniqueness of the attribute. In this case it may:

    1. Call idn.attrSearchCountAccounts to determine if any other accounts are using first.last as a distinguishedName.

      1. If a count of 1 or more is returned, the call can be retried with first.last+1.

      2. The call is repeated until a zero is returned.

      3. At that point, the value is unique and can be used. The value is returned to the calling rule.

    2. In some cases, where a non zero value is returned, it may be useful to know which identity owns the account to which that value belongs.

      1. Call idn.attrSearchGetIdentityName to determine the identity in question.
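The generation loop described in steps 1 and 2 above, written out as an Attribute Generator rule body. This is an added example, not code from the original article or from SailPoint; it assumes the two source IDs from the Account Search configuration above, that the identity carries firstname and lastname attributes, and an example mail domain.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example of a generator rule that derives a unique e-mail value by
// querying the promoted "promotedEmailAddress" attribute. "identity"
// (sailpoint.object.Identity) and "idn" are provided by the rule context.

// Assumption: the two source IDs configured in the Account Search configuration.
List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{
    "4028112837fe14c70177fe1955e9032c",   // Active Directory
    "4028812877fa18c72177fs195baa0341"    // Workday
}));
String PROMOTED_ATTR_NAME = "promotedEmailAddress";
String MAIL_DOMAIN = "@example.com";      // assumption: the company mail domain
int MAX_ATTEMPTS = 100;                   // bound the loop so the rule cannot spin forever

// Reduce a name part to lower-case letters and digits so the generated
// value is a safe, predictable local part.
String clean(String s) {
    if (s == null) return "";
    return s.replaceAll("[^A-Za-z0-9]", "").toLowerCase();
}

// Count accounts on both sources whose promoted e-mail equals the candidate.
// "Equals" is used rather than "StartsWith": jane.doe1 must not be reported
// as a clash for jane.doe.
int countInUse(String candidate) {
    List values = new ArrayList(Arrays.asList(new String[]{ candidate }));
    return idn.attrSearchCountAccounts(SOURCE_IDS, PROMOTED_ATTR_NAME, "Equals", values);
}

// Assumption: identity attributes are named "firstname" and "lastname".
String first = clean((String) identity.getAttribute("firstname"));
String last  = clean((String) identity.getAttribute("lastname"));
if (first.length() == 0 || last.length() == 0) {
    throw new IllegalStateException("firstname and lastname are required to generate an e-mail");
}

// Try first.last, then first.last1, first.last2, ... until no account uses it.
String base = first + "." + last;
String candidate = base + MAIL_DOMAIN;
int suffix = 1;
while (countInUse(candidate) > 0) {
    if (suffix > MAX_ATTEMPTS) {
        throw new IllegalStateException("Could not find a unique e-mail for " + base);
    }
    candidate = base + suffix + MAIL_DOMAIN;
    suffix++;
}

// The unique value is returned to the create profile for provisioning.
return candidate;
```

The count only reflects values promoted by the last aggregation, so two provisioning runs generating the same base concurrently can still collide; the attempt cap keeps the rule from looping indefinitely if the search itself misbehaves.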

 

IdnRuleUtil.java Descriptors

Important Note: Both the normal SailPoint context which is passed into the Beanshell rule evaluation and the new IdnRuleUtil class which is referenced below include an "Identity" class:

  • The SailPoint context Identity class is provided via sailpoint.object.Identity
  • The IdnRuleUtil Identity class is provided via sailpoint.rule.Identity

When referencing an Identity class, you must be explicit as to which Identity class you are using to avoid a namespace conflict. For example:

sailpoint.object.Identity identity = plan.getIdentity();
String sAMAccountName = identity.getAttribute("adUsername");

sailpoint.rule.Identity foundIdentity = idn.getIdentityById("uid");
String email = foundIdentity.getEmail();


The sailpoint.rule.Identity class supports several "getter" methods to get information about the identity object which is returned by the IdnRuleUtil class:

public static final String ATT_COUNTRY = "country";
public static final String ATT_EMPLOYEE_NUMBER = "identificationNumber";
public static final String ATT_LAST_SYNC_DATA = "lastSyncDate";
public static final String ATT_LIFECYCLE_STATE = "cloudLifecycleState";
public static final String ATT_PERSONAL_EMAIL = "personalEmail";
public static final String ATT_PHONE = "phone";
public static final String ATT_UID = "uid";
public static final String ATT_WORK_PHONE = "workPhone";
public static final String ATT_DISPLAY_NAME = "displayName";

/**
* Get the internal name of the Identity.
* @return the internal name
*/
public String getName()


/**
* Get the display name of the identity
* @return The displayName
*/
public String getDisplayName()


/**
* Get the internal unique identifier.
* @return The id
*/
public String getId()


/**
* Get the first name of the Identity.
* @return The FirstName
*/
public String getFirstName()


/**
* Get the last name of the Identity.
* @return The LastName
*/
public String getLastName()


/**
* Get the phone of the Identity.
* @return The phone
*/
public String getPhone()


/**
* Get the work phone of the Identity.
* @return The work phone
*/
public String getWorkPhone()


/**
* Get the personal email of the Identity.
* @return The personal email address
*/
public String getPersonalEmail()


/**
* Get the work email of the Identity.
* @return The work email
*/
public String getEmail()


/**
* Get the current lifecycle state of the Identity.
* @return The lifecycle state
*/
public String getLifecycleState()


/**
* Gets the raw attributes of the Identity.
*
* @return The map attributes derived from attribute promotion.
*/
public Map<String, Object> getAttributes()


/**
* Check to see if the current user has reports and is a manager.
* @return if the Identity is a manager.
*/
public boolean isManager()


/**
* The internal id of the manager.
*
* @return The id of the Identity's manager.
*/
public String getManagerId()


/**
* The name id of the manager.
*
* @return The id of the Identity's manager.
*/
public String getManagerName()


/**
* The uid of the user.
*
* @return The uid
*/
public String getUid()


/**
* The country of the user.
*
* @return The country.
*/
public String getCountry()


/**
* The employeeNumber of the user.
*
* @return The employeeNumber.
*/
public String getEmployeeNumber()

 

The section below provides a full accounting of the methods available to rule writers via the IdnRuleUtil class:

/**
 * Utility class containing methods customers can use within a rules to perform common tasks. 
 * IdnRuleUtil is available in rules as "idn" variable, e.g. "idn.countAccounts("someAppId")".
 * This utility class allows us to abstract out the use of SailPointContext in rules so that we can one day not pass a
 * context to the rule at all.
 */

import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.LinkExternalAttribute;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.rule.Account;
import sailpoint.rule.ManagedAttributeDetails;
import sailpoint.rule.RuleObjectFactory;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;
class IdnRuleUtil {

/**
* Determines if an account currently exists on an application using the native identity.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @return True if the account exists, false otherwise.
* @throws GeneralException wrapping underlying DB related errors
*/
boolean accountExistsByNativeIdentity(String applicationName, String nativeIdentity)

/**
* Determines if an account currently exists on an application using the display name.
*
* @param applicationName The application name.
* @param displayName The display name of the account.
* @return True if the account exists, false otherwise.
* @throws GeneralException wrapping underlying DB related errors
*/
boolean accountExistsByDisplayName(String applicationName, String displayName)

/**
* Gets an account on an application using the native identity.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @return The Account representing the account or null if not found. If more than one is found then the first
* Account in the result is returned.
* @throws GeneralException wrapping underlying DB related errors
*/
Account getAccountByNativeIdentity(String applicationName, String nativeIdentity)

/**
* Gets an account on an application using the display name.
*
* @param applicationName The application name.
* @param displayName The display name of the account.
* @return The Account representing the account or null if not found. If more than one is found then the first
* Account in the result is returned.
* @throws GeneralException wrapping underlying DB related errors
*/
Account getAccountByDisplayName(String applicationName, String displayName)
/**
* Get the first account found for the application and identityName.
* If there is more than one account, the first account will be returned.
*
* @param applicationName The name of the application
* @param identityName The name of the Identity
* @return The account object
*
* @throws GeneralException wrapping underlying DB related errors
*/
Account getFirstAccount(String applicationName, String identityName)
/**
* Get the first account for the application and identityName and return the first accounts native Identity.
*
* @param applicationName The name of the application
* @param identityName The name of the identity
* @return The first link's nativeIdentity
*
* @throws GeneralException wrapping underlying DB related errors
*/
public String getFirstAccountNativeIdentity(String applicationName, String identityName)

/**
* Counts the number of accounts on an application.
*
* @param applicationName The application name.
* @return The total number of accounts.
* @throws GeneralException wrapping underlying DB related errors
*/
int countAccounts(String applicationName)

/**
* Gets the value of an attribute from an account on an application.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or null if the attribute does not exist.
* @throws GeneralException wrapping underlying DB related errors
*/
Object getRawAccountAttribute(String applicationName, String nativeIdentity, String attribute)

/**
* Gets the value of an attribute from an account on an application.
*
* @param account The account on the application.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or null if the attribute does not exist.
*/
Object getRawAccountAttribute(Account account, String attribute)

/**
* Gets the String value of an attribute from an account on an application.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or null if the attribute does not exist.
* @throws GeneralException wrapping underlying DB related errors
*/
String getAccountAttribute(String applicationName, String nativeIdentity, String attribute)

/**
* Gets the String value of an attribute from an account on an application.
*
* @param account The account on the application.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or null if the attribute does not exist.
*/
String getAccountAttribute(Account account, String attribute)

/**
* Gets the boolean value of an attribute from an account on an application.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or false if the attribute does not exist.
* @throws GeneralException wrapping underlying DB related errors
*/
boolean getAccountAttributeBool(String applicationName, String nativeIdentity, String attribute)

/**
* Gets the boolean value of an attribute from an account on an application.
*
* @param account The account on the application.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or false if the attribute does not exist.
*/
boolean getAccountAttributeBool(Account account, String attribute)

/**
* Count the accounts that match the searchable attribute and value.
*
* @param sourceIds The list of Application ids that represent the sources of the data.
* @param attributeName The name of the searchable account attribute. The name parameter is required.
* @param operation The operation to use when matching, it'll either be Equals or StartsWith.
* @param values The list of values of that searchable attribute to match. The values parameter is required.
*
* @return The number of accounts that match the parameters provided.
* @throws IllegalStateException wrapping underlying errors
*/
int attrSearchCountAccounts(List<String> sourceIds, String attributeName, String operation, List<String> values)

/**
* Get the identity name for the account matching the specified criteria.
*
* @param sourceIds The list of Application ids that represent the sources of the data
* @param attributeName The name of the searchable account attribute. The name parameter is required.
* @param operation The operation to use when matching, it'll either be Equals or StartsWith.
* @param values The list of values of that searchable attribute to match. The values parameter is required.
*
* @return The name of the Identity that matched the account that match the parameters provided.
* @throws IllegalStateException wrapping underlying errors
*/
String attrSearchGetIdentityName(List<String> sourceIds, String attributeName, String operation, List<String> values)

/**
* Gets the int value of an attribute from an account on an application.
*
* @param applicationName The application name.
* @param nativeIdentity The native identity of the account.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or zero if the attribute does not exist.
* @throws GeneralException wrapping underlying DB related errors
*/
int getAccountAttributeInt(String applicationName, String nativeIdentity, String attribute)

/**
* Gets the int value of an attribute from an account on an application.
*
* @param account The account on the application.
* @param attribute The name of the attribute to retrieve.
* @return The attribute value or zero if the attribute does not exist.
*/
int getAccountAttributeInt(Account account, String attribute)

/**
* Finds ManagedAttribute description by provided sourceId/name/value/type.
*
* @param sourceId The sourceId used to query the ManagedAttribute.
* @param name The name of the attribute used to query the ManagedAttribute.
* @param value The value of the attribute used to query the ManagedAttribute.
* @param type The type of the attribute used to query the ManagedAttribute (see enum ManagedAttribute.Type).
* Defaults to Entitlement (if null provided).
* @return ManagedAttribute's description if found or else null.
* @throws GeneralException wrapping underlying DB related errors
*/
String getManagedAttributeDescription(String sourceId, String name, String value, ManagedAttribute.Type type)



/**
* Finds ManagedAttribute by sourceId/name/value/type and returns its details in ManagedAttributeDetails model.
*
* @param sourceId The sourceId used to query the ManagedAttribute.
* @param name The name of the attribute used to query the ManagedAttribute.
* @param value The value of the attribute used to query the ManagedAttribute.
* @param type The type of the attribute used to query the ManagedAttribute (see enum ManagedAttribute.Type).
* Defaults to Entitlement (if null provided).
* @return ManagedAttributeDetails if found or else null.
* @throws GeneralException wrapping underlying DB related errors
*/
public ManagedAttributeDetails getManagedAttributeDetails(String sourceId, String name, String value, ManagedAttribute.Type type)



/**
* Fetch an identity by the internal id.
*
* @param id The id to use when fetching an identity object
* @return A DTO representing the Identity, will throw if identity was not found
*/
public sailpoint.rule.Identity getIdentityById(String id)



/**
* Find and return the users that match the incoming attributeName, operation, value ordered by
* the specified sortAttribute
*
* @param attributeName The attribute that should be searched, must be searchable and non-null
* @param operation The operation to be used when searching; only Equals and StartsWith are supported
* @param value The value that should match and must be non-null
* @param sortAttribute The attribute that should be used while sorting
* Default ordering will be on uid if not specified and this also must be searchable
* Sort will always be in ascending order
*
* @return The List of users that match the passed in parameters. The max number returned values will be limited to 50.
*
* @throws IllegalStateException when attribute provided is not searchable,
* when operation is not StartsWith or Equals,
* the sortAttribute is not searchable,
* or if there are issues during the search
*
* @see #EQUALS_FILTER
* @see #STARTS_WITH_FILTER
*/
public List<sailpoint.rule.Identity> findIdentitiesBySearchableIdentityAttribute(String attributeName, String operation,
String value, String sortAttribute)



/**
* Count and return the number of users that match the incoming attributeName, operation and value.
*
* @param attributeName The attribute that should be searched, must be searchable and non-null
* @param operation The operation to be used when searching; only Equals and StartsWith are supported
* @param value The value that should match and must be non-null
*
* @return The number of identities that match the parameters
*
* @throws IllegalStateException when attribute provided is not searchable,
* when operation is not StartsWith or Equals,
* or if there are issues during the count operation
*
* @see #EQUALS_FILTER
* @see #STARTS_WITH_FILTER
*/
public int countIdentitiesBySearchableIdentityAttribute(String attributeName, String operation, String value)


/**
* A method that can be used to call LDAP type connectors to look for
* unique values. The connector is called with a specific search filter
* based on the attributeName and value that is passed into this method.
* If there is a value returned, the value is considered to be non-unique.
*
* @param identityNameOrId The name or ID of the identity we are using
* @param applicationNameOrId The name or ID of the source we are targeting
* @param attributeName The name of the attribute we want to validate
* @param attributeValue The value of the attribute we want to validate
*
* @return true if the value is unique AND false otherwise. If the application or identity can't be found an
* IllegalStateException will be thrown.
*
*/
public boolean isUniqueLDAPValue(String identityNameOrId, String applicationNameOrId, String attributeName, String attributeValue)
}

 

Example Usage

  • Getting an entitlement description

import sailpoint.object.ManagedAttribute;

//IdnRuleUtil is available in rules as "idn" variable, the same way we can currently use context
/*
* In before provisioning rules (where this will likely be used), the Source that is being provisioned to
* is passed in via "application" variable. This can then be used to get sourceId using application.getId()
* e.g. String sourceId = application.getId();
*/
String entitlementDescription = idn.getManagedAttributeDescription(sourceId, attributeName, attributeValue, ManagedAttribute.Type.Entitlement);
  • Checking if an accountID is unique

//IdnRuleUtil is available in rules as "idn" variable, the same way we can currently use context
/*
* In Attribute Generator rules (where this will likely be used), the Source that is being provisioned to
* is passed in via "application" variable. This can then be used to get applicationName using application.getName()
* e.g. String applicationName = application.getName();
*/
boolean exists = idn.accountExistsByNativeIdentity(applicationName, nativeIdentity);
  • Get the name of the identity which matches a specific account search result

//IdnRuleUtil is available in rules as "idn" variable, the same way we can currently use context
String identityName = idn.attrSearchGetIdentityName(sourceIdsAsList, attributeName, "Equals", valuesToMatchAsList);
  • Get the first account for a source for a user in an IdentityAttribute Rule and grab multiple attributes

//IdnRuleUtil is available in rules as "idn" variable, the same way we can currently use context
//Account objects are used with the import statement below
import sailpoint.rule.Account;
import java.util.Map;

Account acct = idn.getFirstAccount("HR [source]", identity.getName());
Map acctAttrs = acct.getAttributes();
String firstName = (String) acctAttrs.get("First Name");
String lastName = (String) acctAttrs.get("Last Name");

Comments

Hi I am struggling with the imports that need to be added in the rules where I use methods on this class.  Especially when accessing 

I am getting the following error ...

There was an exception while calculating the value for this attribute. java.lang.RuntimeException: Error running rule transform:sailpoint.tools.GeneralException: BeanShell script error: Sourced file: inline evaluation of: `` import sailpoint.object.Application; import java.text.ParseException; import j . . . '' : Typed variable declaration : Class or variable not found: Operation.Equal : at Line: 73 : in file: inline evaluation of: `` import sailpoint.object.Application; import java.text.ParseException; import j . . . '' : Operation .Equal BSF info: Calculate UID at line: 0 column: columnNo

As you can see that the Operation.Equal is not found.  I don't know which package this Operation class is in, I was hoping that it will be automatically be accessible to the beanshell.

Please help.

@santosh_pulickal
@hari_patel 

Regards,
--
Raoon Kundi

@rkundiey  you should be able to use either "Equals" or "StartsWith" as basic strings; there is no need to import the Operation class or reference the static string through the final class variable. I've updated the documentation to make this more readily apparent. Please let us know if that still throws issues for you.

@hari_patel that fixed it.

Thanks,
Raoon

Is there any doco available for Account object/class?

Hi @hari_patel 

Is there any way to access the idn rule utilities in AfterCreate/AfterModify Rule. ?

 

Thanks

Yunus

@hari_patel The last example above uses a method that isn't actually present in the list of methods available above. Is this an error in the example, or is the list above missing a few methods?

Account acct = idn.getFirstAccount("HR [source]", identity.getName());

 

Why does calling the getLifecycleState method result in an error?

String lcs = idn.getLifecycleState() != null ? idn.getLifecycleState() : null;


["sailpoint.tools.GeneralException: BeanShell script error: Sourced file: inline evaluation of: `` import java.util.*; import java.time.*; import java.time.format.DateTimeFormatt . . . \u0027\u0027 : Typed variable declaration : Error in method invocation: Method getLifecycleState() not found in class\u0027sailpoint.server.IdnRuleUtil\u0027 : at Line: 71 : in file: inline evaluation of: `` import java.util.*; import java.time.*; import java.time.format.DateTimeFormatt . . . \u0027\u0027 : idn .getLifecycleState ( ) \n BSF info: at line: 0 column: columnNo"]

@rshabhthukral ,

I added idn.getFirstAccount above. Thank you for catching that.

Regarding getLifecycleState, that's on the Identity class

sailpoint.rule.Identity foundIdentity = idn.getIdentityById("objectId");
String email = foundIdentity.getEmail();
String lcs = foundIdentity.getLifecycleState();

Need all the methods available for sailpoint.rule.ManagedAttributeDetail class. I did not find any documentation for that same. Can anyone please help? @ross_shwarts 

When needing to provide the source IDs (like the snippet below from the example provided), is there any way to look up these values based on source name, which is consistent between SBX / PRD, to avoid needing to modify these when promoting the rule between environments?

List SOURCE_IDS = new ArrayList(Arrays.asList(new String[]{"4028112837fe14c70177fe1955e9032c","4028812877fa18c72177fs195baa0341"})); 

Will attrSearchCountAccounts or any account related methods also search/count the accounts which are uncorrelated (which are not mapped through identity profiles)?

 

It seems the function "isUniqueLDAPValue" parameters are a bit incorrectly specified. It says:

"@param applicationNameOrId The name or ID of the source we are targeting"

But when we deployed a rule and used the source name in that parameter we got error:
"java.lang.RuntimeException: sailpoint.tools.GeneralException: Error running rule transform:sailpoint.tools.GeneralException: The application script threw an exception: java.lang.IllegalStateException: Unable to find object of type 'Application' and identifier 'thisistheapplicationname' BSF info: *name of attributegeneratorrule* at line: 0 column: columnNo"

When we swapped from the name to the id of the source, it executed fine. Please update accordingly to avoid confusion and frustration. Or, better, make sure it works with the name, so the same rule can be used in different environments.

 

Looking for an enhancement to the identity object for idnruleutil, to basically return roles/APs that an identity has.
I can use the code snippet below to see if an identity has a specific entitlement by getting the raw attribute of the entitlement on the source.
What would be really useful is if there was a method on the identity object to get all the roles and access profiles the identity has, or to pass in a role or AP name and return true/false if the identity has it. I know I can accomplish this using context search with query options etc., but we as customers are not permitted to use that method of retrieval any longer.

String appNativeId = idn.getFirstAccountNativeIdentity(applicationName, identity.getName());
Account account = idn.getAccountByNativeIdentity(applicationName, appNativeId);
Object entitlementAttribute = idn.getRawAccountAttribute(account,entitlementAttributeName);



Team,

I'm trying to get accounts count from specific source for identity in identity profile level using below code, but getting error:

There was an exception while calculating the value for this attribute. Error running rule transform:sailpoint.tools.GeneralException: The application script threw an exception: java.lang.NullPointerException: Null Pointer in Method Invocation BSF info: Get MultipleContractorProfile at line: 0 column: columnNo

Code:

List accounts = idn.getAllAccounts("SAP Fieldglass", identity.getName());

if (accounts.size() > 1) {
    return true;
} else {
    return false;
}

Please let me know what is wrong with the code here. My requirement is to identify users with multiple accounts from a specific source (single source, two accounts), but I am getting a null pointer exception. I have created an IdentityAttribute rule and deployed the rule with SailPoint's help. Please let me know if anyone has come across this issue.

Hi @hari_patel, @ross_shwarts @Rich_Miller 

We are using below connector service in our existing rule, but we are getting error while updating it with additional logic. Can you please provide any alternative to use this service? SailPoint team has asked us to take reference of this documentation, but we cannot find anything related to this.

" connectorService.generatePasswordBasedOnPolicy(context, application, identity, field); "

 

Errors: (1)

Line 7 - [RegExRuleValidator(206)] 'ConnectorService connectorService = ServiceModule.getService(ConnectorService.class' Only 'Identity.class', 'Link.class' and standard Java class objects are allowed. 

 

Thanks,

Krishna Patil

 

Version history
Revision #:
25 of 25
Last update:
‎Oct 30, 2022 09:45 AM
Updated by: