Form AllowedValues rule to filter Identities with Active Regular Active Directory accounts and identity is active and correlated

 The rule type is AllowedValues.

import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.api.SailPointContext;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;


    Logger log = Logger.getLogger("sailpoint.rules.FilterActiveRegularADAccounts");
    log.setLevel(Level.DEBUG);
    log.debug("-----------------------------------");

    List identityList = new ArrayList();
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.ne("inactive",true));
    qo.addFilter(Filter.eq("correlated", true));
    qo.add(Filter.eq("links.application.name","Active Directory"));
    qo.add(Filter.eq("links.accounttype","Regular"));
    log.debug("Get list of Identities");
    Iterator iterator = context.search(Identity.class,qo);
    while(iterator.hasNext()){
        Identity identityObject = (Identity) iterator.next();
        List linksList = identityObject.getLinks();
        Link contractorADLink;
        for (Link link : linksList){
            if ("Active Directory".equalsIgnoreCase(link.getApplicationName())){
                if (null!=link.getBooleanAttribute("IIQDisabled") && 
                        link.getBooleanAttribute("IIQDisabled")){
                    //do nothing
                } else{
                    identityList.add(identityObject.getName());
                }

                }
            }
        }
    Filter finalFilter = Filter.in("name", identityList);
    field.setFilterString(finalFilter.toString());
    log.debug("-------------------------------------");

    }

IdentitySelectorConfiguration to add more filter attributes for Identity fields in form

 Requirement: In a form which has field type as Identity, by deafult sailpoint allows seach using username, first name, last name and display name. We need to enable seach by employeeid. This can be acheived by adding employeeid field in the IdentitySelectorConfiguration.

1. Open SailPoint in debug console.

2. Search for Configuration objects and select IdentitySelectorConfiguration.

3. Locate the Global parameter.

4. Update the filter string by adding employeeid.

Rule to read a custom object and insert values into Database table

The custom object contain a hashmap with list of values. Read the list and insert into DB table.

import org.apache.log4j.Logger;
import org.apache.log4j.Level;
import sailpoint.object.Custom;
import sailpoint.plugin.PluginBaseHelper;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashMap;
import java.util.List;


    Logger log = Logger.getLogger("sailpoint.rules.InsertIntoDBTable");
    log.setLevel(Level.DEBUG);
    log.debug("-----------------------------------");

    Custom customObj = context.getObject(Custom.class, "custom_object_name");
    HashMap hashMap = customObj.getAttributes();
    List list = hashMap.get("list_name");
    Connection connection = PluginBaseHelper.getConnection();
    log.debug("Connection established to DB: " + connection.getCatalog());
    ResultSet resultSet = null;
    PreparedStatement preparedStatement = null;

    for(String value : list)
    {
        try {
            String insertQuery = "INSERT INTO TABLE_NAME (COLUMN_NAME) VALUES(?);";
            preparedStatement = connection.prepareStatement(insertQuery);
            preparedStatement.setString(1, value);
            log.debug("Executing the query: " + insertQuery);
            resultSet = preparedStatement.execute()

        } catch (Exception e) {
            log.error("Exception occurred: " + e);
        }
    }
    connection.close();

Rule to Read Database Table

import org.apache.log4j.Level;
import org.apache.log4j.Logger;import sailpoint.plugin.PluginBaseHelper;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

    Logger log = Logger.getLogger("sailpoint.rules.ReadDBTable");
    log.setLevel(Level.DEBUG);
    log.debug("-----------------------------------");

    Connection connection = PluginBaseHelper.getConnection();
    log.debug("Connection established to DB: " + connection.getCatalog());
    ResultSet resultSet = null;
    PreparedStatement preparedStatement = null;
    try{

        String selectQuery = "SELECT COLUMN_NAME FROM TABLE_NAME; ";
        preparedStatement = connection.prepareStatement(selectQuery);
        log.debug("Executing the query: " +selectQuery);
        resultSet = preparedStatement.executeQuery();

        while(resultSet.next()){
            String column_value = resultSet.getString("COLUMN_NAME");
            log.debug(column_value);
        }

    } catch(Exception e){
        log.error("Exception occurred: " +e);
    }
    connection.close();

Rule to create a table in database

import org.apache.log4j.Logger;
import org.apache.log4j.Level;
import sailpoint.plugin.PluginBaseHelper;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;


    Logger log = Logger.getLogger("sailpoint.rules.CreatePluginDBTable");
    log.setLevel(Level.DEBUG);
    log.debug("-----------------------------------");

    ResultSet resultSet = null;
    PreparedStatement preparedStatement = null;
    try{
        Connection connection = PluginBaseHelper.getConnection();
        log.debug("Connection established to DB: " + connection.getCatalog());
        String createTableQuery = "CREATE TABLE Tablename(column1 varchar(255)); ";
        preparedStatement = connection.prepareStatement(createTableQuery);
        log.debug("Executing the query: " +createTableQuery);
        preparedStatement.execute();
    } catch(Exception e){
        log.error("Exception occurred: " +e);
    }
    connection.close();

Rule to read data from csv file and update the identity cube attributes

 Requirement is to read a csv file with contains identity's displayname, nationality and relation attributes in first, fifth and sixth columns of the file. 

Below is the Rule:

<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="Read CSV file">
  <Description>Identity creation rules are used to set attributes on new Identity objects when they are created.  New identities may be created during the aggregation of application accounts, or optionally created after pass-through authentication.
One common operation is to change the name property of the identity when the default application name is complex (such as a directory DN).
Another common operation is to assign a set of initial capabilities based on the attributes pulled from the application account.</Description>
  <Signature returnType="void"/>
  <Source>
 import sailpoint.object.Identity;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.Filter;
  
  log.error("Running Rule: Read CSV file"); 
  String line = "";
  QueryOptions identityQuery = new QueryOptions();
  
  try   
  { 
    
  BufferedReader br = new BufferedReader(new FileReader("C:\\SailPoint\\VendorsWithNationality.csv"));
  br.readLine();
  while ((line = br.readLine()) != null)  
    {  
    String[] data = line.split(","); 
    log.error("----"+ data[0] + "----"+ data[4] + "------" + data[5]);
    String dname = data[0];
    String nationality = data[4];
    String relation = data[5];
    Filter idFilter = Filter.eq("displayName", dname);
    Identity identity = context.getUniqueObject(Identity.class, idFilter);
    log.error(identity);
    if(identity != null){
    log.error("Display name: "+identity.getDisplayName());
    if(identity.getDisplayName()!=null &amp;&amp; identity.getDisplayName().equalsIgnoreCase(dname)){
    identity.setAttribute("nationality",nationality);
    identity.setAttribute("relation", relation);
    log.error("Identity "+identity.getDisplayName()+" Nationality: "+nationality + " Relation: "+ relation);
            context.saveObject(identity);
            context.commitTransaction();
   
        }else {
        log.error("************ Update skipped for user ************" + dname);
        }
    }else {
    log.error("************ Update skipped for user ************" + dname);
    }
   
    }
  } catch (IOException e)   
  {  
    log.error(e); 
  }
  
  log.error("End of Rule: Read CSV file");
  </Source>
</Rule>

 

After Provisioning Rule - When an entitlement is removed, disable the user through webservice

 Requirement: When an Active Directory entitlement (PMS Group) is removed, the identity has to be disabled in the target through webservice. This can be achieved by writing an After Provisioning rule.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="AD After Provisioning Disable PMS User" type="AfterProvisioning">
  <Description>An IdentityIQ server-side rule that is executed after the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan AFTER it has been sent out to the specific applications.
This rule will be called for any application found in a plan that also has a configured 'afterProvisioningRule' configured.</Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="plan">
        <Description>
          The ProvisioningPlan object on its way to the Connector.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The application object that references this before/after script.
        </Description>
      </Argument>
      <Argument name="result">
        <Description>
          The ProvisioningResult object returned by the connectors provision method. This can be null and in many cases the connector will  not return a result and instead will annotate the plan's ProvisioningResult either at the plan or account level.        
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;    
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.net.URL;
import java.net.HttpURLConnection;
import javax.net.ssl.HttpsURLConnection;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
  

Logger log = Logger.getLogger("sailpoint.services.rule.AfterProvisioning");
log.debug("Enter Rule AD After provisioning Rule");
public void changeUserStatus(String username) {
  log.debug("username: " + username);
  String auth = "username:password";
  Base64.Encoder encoder = Base64.getEncoder();
  String encodedString = encoder.encodeToString(auth.getBytes());
 // log.debug("endocded string: " +encodedString);
 
try{
  java.net.URL url = new URL("http://example.com/ChangeUserStatus");
  log.debug("The URL to get token is "+url);
  java.net.HttpURLConnection conPost;
  conPost = (java.net.HttpURLConnection) url.openConnection();
  conPost.setRequestMethod("POST");
  conPost.setRequestProperty("Content-Type","application/json");
  conPost.setRequestProperty("Accept", "*/*");
  conPost.setRequestProperty("Content-Length", "108");
  conPost.setRequestProperty("Authorization", "Basic "+encodedString);
  //log.debug("Setting properties over");
  
  conPost.setDoOutput(true);
  
    // JSON body for POST call           
    String jsonInputString =  "{" +
   "\"users\": {   \"ActivateUser\": false, " +
       "\"Logins\":  [ \"" + username +
      "\" ] " +
    "}" +
"}";
log.debug("JSON body: " + jsonInputString);
//  log.debug("sending request");
// Send the request
  
  conPost.connect();
  
OutputStream os = conPost.getOutputStream();
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);

//  log.debug("Reading response ");
// read the response body
 StringBuilder res = new StringBuilder();
    int responseCode = conPost.getResponseCode();
    String responseMessage = conPost.getResponseMessage();
    String geturl = conPost.getURL().toString();
 //   log.debug(geturl);
 //   log.debug(responseMessage);
    log.debug("HTTP Post Response Code :: " + responseCode);

    if (responseCode == 200) { // success
      InputStream is = conPost.getInputStream();
      int b = -1;
      do {
        b = is.read();
        char c = (char)b;
        res.append(c);
      }while(b!=-1);
      log.debug("The response is "+res.toString());
    } else {
      log.debug("Failed");
      InputStream is = conPost.getErrorStream();
      int b = -1;
      do {
        b = is.read();
        char c = (char)b;
        res.append(c);
      }while(b!=-1);
      log.debug("The failed response is "+res.toString());
    }
    
    } catch (MalformedURLException ex) {
        log.error("MalformedURLException " + ex);
    } catch (IOException ex) {
       log.error("IOException "+ ex);
    }
} 

List &lt;AccountRequest> accountRequests = plan.getAccountRequests();
for(AccountRequest accountRequest : accountRequests){
if(accountRequest.getApplicationName().equalsIgnoreCase("Active Directory and Exchange") &amp;&amp; accountRequest.getOperation().equals(AccountRequest.Operation.Modify)){
List&lt;AttributeRequest> attributeRequests = accountRequest.getAttributeRequests();
for(AttributeRequest attributeRequest : attributeRequests){
if(attributeRequest.getName().equalsIgnoreCase("memberOf") &amp;&amp; attributeRequest.getOperation().equals(ProvisioningPlan.Operation.Remove) &amp;&amp; attributeRequest.getValue().toString().equalsIgnoreCase("CN=PMSGroup,OU=Security Groups,OU=IBM,DC=COM")){
// Invoke webservice here to Inactive user
changeUserStatus(plan.getIdentity().getName());
}
}
}
}
</Source>
</Rule>