Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IdentityNow Rule Guide - Before Provisioning Rule

IdentityNow Rule Guide - Before Provisioning Rule

 

Purpose

This rule is used to modify a provisioning plan as provisioning is sent out. This rule should not be used to create new attributes, instead an account creation profile (provisioning policy) should be used.

 

Execution

  • Cloud Execution - This rule executes in the IdentityNow cloud, and has read-only access to IdentityNow data models, however it doesn't have access to on-premise sources or connectors.

 

 

Input

Argument Type Purpose
idn sailpoint.server.IdnRuleUtil

Provides a read-only starting point for using the SailPoint API. From this passed reference, the rule can interrogate the IdentityNow data model including identities or account information via helper methods as described here.
plan sailpoint.object.ProvisioningPlan A set of provisioning instructions which are sent to the source connectors.
application sailpoint.object.Application A representation of the configured source, and its configuration attributes.

 

Output

Argument Type Purpose
     

 

Template

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="Example Rule" type="BeforeProvisioning">
  <Description>Describe your rule here.</Description>
  <Source><![CDATA[

  // Add your logic here.

  ]]></Source>
</Rule>

 

Example

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="Example Rule" type="BeforeProvisioning">
  <Description>Before Provisioning Rule which changes disables and enables to a modify.</Description>
  <Source><![CDATA[
import sailpoint.object.*;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.Operation;

for ( AccountRequest accountRequest : plan.getAccountRequests() ) {   
  if ( accountRequest.getOp().equals( ProvisioningPlan.ObjectOperation.Disable ) ) {
    accountRequest.setOp( ProvisioningPlan.ObjectOperation.Modify );
  }
  if ( accountRequest.getOp().equals( ProvisioningPlan.ObjectOperation.Enable ) ) {
    accountRequest.setOp( ProvisioningPlan.ObjectOperation.Modify );
  }
}

  ]]></Source>
</Rule>

 

Labels (1)
Labels:
Comments
yashbarot
‎Nov 11, 2022 02:19 AM
‎Nov 11, 2022 02:19 AM

How we can iterate through entitlements for particular user is this before provisioning rule in identityNow ?

cassidiopia
‎Nov 15, 2022 10:51 PM
‎Nov 15, 2022 10:51 PM

@yashbarot Here is a method you can add to get the entitlements as a list, and then you can iterate through the list to get the individual values.

 

  public List getAttributeValuesList (AccountRequest acctReq){
    log.error("======Running method to get entitlement attributes on the account request(s)======");
    List entitlements = new ArrayList();
    if (acctReq != null) {
      //The next line, replace "role" with your entitlement schema attribute
      AttributeRequest attributes = acctReq.getAttributeRequest("role");
      if (attributes != null) {
        Object entList = attributes.getValue();
        
        //if single entitlement, add it to list, if array, iterate and add to list
        if (entList instanceof String) {
          entitlements.add((String) entList);
          log.error("======getAttributeValue has single Entitlement: " + entList);
        }else if (entList instanceof List){
          log.error("======getAttributeValue has list of: " + entList);
          for (String entitlement : entList){
            log.error("++++Adding entitlement value " + entitlement + " to entitlements array list.");
            entitlements.add((String)entitlement);
          }
        }
          if (entitlements != null && !entitlements.isEmpty()) {
            log.error("======List of role values" + entitlements + "======");
            return entitlements;
        }
      }
    }
    return null;
  }
yashbarot
‎Nov 16, 2022 12:44 AM
‎Nov 16, 2022 12:44 AM

@cassidiopia Thank you for the solution. 

PhilRawlings
‎Jan 18, 2023 04:40 AM
‎Jan 18, 2023 04:40 AM

Is there a way to add a wait to the provisioning rules? Observational evidence is that our AD account is being created faster than the identity attributes/transforms resulting in a RACE condition.
This means that intermittently the AD accounts are being created incorrectly for sAMAccount details.

Thanks

edmarks
‎Sep 13, 2023 02:39 PM
‎Sep 13, 2023 02:39 PM

Is it possible to use 2 (or more) Before Provisioning Rules within a single source?  The SOURCE API documentation for "beforeProvisioningRule" looks like it's a single Rule only, but we're trying to confirm.

 

jrossicare
‎Dec 04, 2023 05:41 PM
‎Dec 04, 2023 05:41 PM

@edmarks it is single rule only.

amulpuru
‎Jul 02, 2024 09:38 AM
‎Jul 02, 2024 09:38 AM

I have use case to Delete AD account after 90 days of termination I have explored developer community and discussion forum found that this could be achieved only
1.running script in IQservice
2. using before provisiong rule 

 

but I have not found exact way / process that could help in this can any one share any resource or link for it.

 

thank you 

@neil_mcglennon 

haegeunkim
‎Sep 09, 2024 08:05 AM
‎Sep 09, 2024 08:05 AM

I would like to implement the following two tasks as a before provisioning rule. Does anyone know if it's possible to do this using a before provisioning rule? If it is, I would greatly appreciate it if you could provide a sample. Otherwise, even a helpful link would be very appreciated.

1. Merge multiple plans into one if the sources are the same
2. Add some interval between the execution of each plan

mario_rod
‎Nov 27, 2024 12:33 PM
‎Nov 27, 2024 12:33 PM

Following this example to create a web service before operation rule:

https://documentation.sailpoint.com/connectors/webservices/help/integrating_webservices/beforeoperat...

But the info on posting the rule is not clear: https://developer.sailpoint.com/docs/api/beta/create-connector-rule/

Specifically: how to code the body in the post request for a web service before operation rule? What would the values be for "signature" and how does the "sourceCode"/"script" need to be encoded considering it's java code enclosed in xml?

pritam-merck
‎Apr 25, 2025 10:44 AM
‎Apr 25, 2025 10:44 AM

I would like to implement the following task as a before provisioning rule. Does anyone know if it's possible to do this using a before provisioning rule? If it is, I would greatly appreciate it if you could provide a sample. Otherwise, even a helpful link would be very appreciated.

1. Create multiple plans from one plan if the sources are the different

Version history
Revision #:
7 of 7
Last update:
‎May 03, 2023 03:16 AM
Updated by:
SailPoint Employee
 
View Article History