Saturday, November 28, 2020

SailPoint IIQ Rule to fetch entitlements assigned to an Identity

BeanShell script to display the entitlements held by an identity. Note that Identity.getExceptions() returns only the "extra" entitlements: values on the identity's accounts that are not already covered by a detected role. Entitlements granted through roles are not included; to list every entitlement an identity holds, role-covered or not, query IdentityEntitlement objects instead.

import java.util.List;
import java.util.Iterator;
import sailpoint.object.*;

// Look up the identity by name; getObjectByName returns null if it does not exist
Identity user = context.getObjectByName(Identity.class, "Richard.Jackson");
if (user == null) {
    System.out.println("Identity not found");
    return;
}
System.out.println("Identity Name = " + user.getName());

// getExceptions() returns one EntitlementGroup per account, holding the
// entitlement attributes on that account that no detected role covers
List entitlementGroups = user.getExceptions();

if (entitlementGroups != null) {
    System.out.println("Entitlements held outside of detected roles: ");
    for (EntitlementGroup entGrp : entitlementGroups) {
        Application app = entGrp.getApplication();
        String appName = (app != null) ? app.getName() : "(unknown application)";
        Attributes attrs = entGrp.getAttributes();
        if (attrs == null) continue;
        // Walk every entitlement attribute (for example "groupmbr" on a directory
        // application) instead of hard-coding one attribute name
        for (Iterator keys = attrs.keySet().iterator(); keys.hasNext(); ) {
            String attrName = (String) keys.next();
            Object value = attrs.get(attrName);
            // A multi-valued attribute is a List; a single value is a String
            if (value instanceof List) {
                for (Object v : (List) value) {
                    System.out.println(appName + " : " + attrName + " = " + v);
                }
            } else if (value != null) {
                System.out.println(appName + " : " + attrName + " = " + value);
            }
        }
    }
}


Run the rule (for example from the iiq console with: rule <rule name>) and check the results. System.out.println writes to the Tomcat process's standard output (the console window or catalina.out), not to the IdentityIQ log; use log.info() or log.debug() if you want the output in the IIQ log:



Comment below if you find this post helpful.

Creation Rule - Set default password and transform attribute values

A Creation Rule (rule type IdentityCreation) runs once, when an identity is first created, typically during aggregation. It can set an initial password for the identity or transform attribute values at creation time. Below is a sample BeanShell script. Note that it assigns the same literal password to every identity it creates, so all new users share one predictable credential; that is acceptable only in a throwaway lab. Anywhere else, generate a distinct random value per identity and force a change at first login.

import sailpoint.object.Identity;

// Every identity created through this rule gets the same literal password.
// This is a shared, predictable credential; see the note above before using it.
identity.setPassword("Pass2@2@");

// Remove the "." in the fullName attribute of the triggering account and use the
// result as the identity's display name (the identity name itself is unchanged).
// "account" is the aggregated account that caused the identity to be created and
// may be null when the identity is created some other way, so guard against it.
if (account != null) {
    String fullName = account.getStringAttribute("fullName");
    if (fullName != null) {
        System.out.println("Display Name (before removing .) = " + fullName);
        fullName = fullName.replace(".", " ");
        System.out.println("Display Name (after removing .) = " + fullName);
        identity.setDisplayName(fullName);
    }
}
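A Creation Rule that gives each identity its own random initial password, as an added example (not the page's or SailPoint's sample code). It assumes the same rule argument the script above uses (identity); the helper randomPassword, its alphabet and the 16-character length are arbitrary choices made here.

```java
import java.security.SecureRandom;
import sailpoint.object.Identity;

// Hypothetical helper: build a random password of the requested length from a
// fixed alphabet, using a cryptographically secure generator rather than Math.random()
String randomPassword(int length) {
    String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*";
    SecureRandom rng = new SecureRandom();
    StringBuilder sb = new StringBuilder(length);
    for (int i = 0; i < length; i++) {
        sb.append(alphabet.charAt(rng.nextInt(alphabet.length())));
    }
    return sb.toString();
}

// Each identity created through this rule gets its own 16-character password,
// so a leaked or guessed password exposes one identity, not every new user
String initialPassword = randomPassword(16);
identity.setPassword(initialPassword);

// Deliberately not written to System.out or the IIQ log: the value must reach the
// user out of band (for example through the first-login / password reset process)
log.info("Initial password generated for identity " + identity.getName());
```

The log line records that a password was set without recording the value itself; a creation rule that prints the password puts every new user's credential into catalina.out.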


Comment below if you find this post helpful.


BeanShell script to get the Business Roles and IT Roles attached to an Identity

In the default role model, Business roles are assigned roles (granted explicitly by assignment rule, request or direct assignment, read with getAssignedRoles()) and IT roles are detected roles (held because the entitlements on the identity's accounts match the role's profiles, read with getBundles()). Below is the BeanShell script to list both:

import java.util.List;
import sailpoint.object.*;

Identity user = context.getObjectByName(Identity.class, "Richard.Jackson");
if (user == null) {
    System.out.println("Identity not found");
    return;
}

// Assigned roles: granted to the identity explicitly (Business roles by default)
System.out.println("\nListing of Assigned Roles");
List assignedRoles = user.getAssignedRoles();
if (assignedRoles != null) {
    for (Bundle role : assignedRoles) {
        System.out.println("Role Name = " + role.getName() + ";  Role Type = " + role.getType());
    }
}

// Detected roles: held because account entitlements match the role's profiles (IT roles by default)
System.out.println("\nListing of Detected Roles");
List detectedRoles = user.getBundles();
if (detectedRoles != null) {
    for (Bundle role : detectedRoles) {
        System.out.println("Role Name = " + role.getName() + ";  Role Type = " + role.getType());
    }
}
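A check built on the same two calls, as an added example that is not part of the original post: it lists the detected roles that no assigned role requires, permits or inherits, which is the out-of-band access a reviewer usually wants to see first. It assumes the standard Bundle accessors getRequirements(), getPermits() and getInheritance(), the identity name used in the post, and the hypothetical helper names collectCovered and uncoveredDetectedRoles.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sailpoint.object.Bundle;
import sailpoint.object.Identity;

// Add to "covered" the name of every role that "role" requires, permits or inherits,
// recursively; "visited" stops cycles in a badly built role hierarchy
void collectCovered(Bundle role, Set covered, Set visited) {
    if (role == null || !visited.add(role.getName())) return;
    List related = new ArrayList();
    if (role.getRequirements() != null) related.addAll(role.getRequirements());
    if (role.getPermits() != null) related.addAll(role.getPermits());
    if (role.getInheritance() != null) related.addAll(role.getInheritance());
    for (Bundle r : related) {
        covered.add(r.getName());
        collectCovered(r, covered, visited);
    }
}

// Return the detected roles of an identity that no assigned role accounts for
List uncoveredDetectedRoles(Identity user) {
    Set covered = new HashSet();
    Set visited = new HashSet();
    List assigned = user.getAssignedRoles();
    if (assigned != null) {
        for (Bundle b : assigned) {
            covered.add(b.getName());
            collectCovered(b, covered, visited);
        }
    }
    List result = new ArrayList();
    List detected = user.getBundles();
    if (detected != null) {
        for (Bundle b : detected) {
            if (!covered.contains(b.getName())) result.add(b);
        }
    }
    return result;
}

Identity user = context.getObjectByName(Identity.class, "Richard.Jackson");
if (user != null) {
    for (Bundle b : uncoveredDetectedRoles(user)) {
        // Detected but not justified by any assignment: candidate for review or removal
        log.warn("Detected role not covered by any assigned role: " + user.getName() + " -> " + b.getName());
    }
}
```

A detected role that is not required or permitted by anything assigned means the entitlements were granted directly on the target system; that is the case a certification or an access review should surface.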

Comment below if you find this post helpful.

Rule to get the Identity Attribute values and list of applications assigned to an Identity

Import the rule below (Global Settings > Import from File in the UI, or "import <file>" in the iiq console) and run it from the iiq console with: rule "Get Identity Details". The id, created and modified attributes on the Rule element were generated by the source system; they can be dropped before import and IdentityIQ will assign its own.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1606561116525" id="4028de8175ff665c017609edaaed09f1" language="beanshell" modified="1606561116525" name="Get Identity Details">
  <Description>Get Identity Details</Description>
  <Source>
    import java.util.List;
    import java.util.Iterator;
    import sailpoint.object.*;

    Identity user = context.getObjectByName(Identity.class, "Richard.Jackson");
    if (user == null) {
        System.out.println("Identity Richard.Jackson not found");
        return;
    }
    System.out.println("Identity Info for Richard.Jackson");
    System.out.println("========================");
    System.out.println("User Name = " + user.getName());
    System.out.println("First Name = " + user.getFirstname());
    System.out.println("Last Name = " + user.getLastname());
    System.out.println("Full Name = " + user.getFullName());

    // user.getManager() returns the manager's Identity object, or null when no manager is set
    Identity manager = user.getManager();
    System.out.println("Manager = " + ((manager != null) ? manager.getName() : "(none)"));
    System.out.println("Email Address = " + user.getEmail());

    // Custom identity attributes are read through getAttribute(name)
    System.out.println("Status = " + user.getAttribute("status"));
    System.out.println("Location = " + user.getAttribute("location"));
    System.out.println("Region = " + user.getAttribute("region"));

    // Check whether the user is the manager of any other identity
    System.out.println("\n\nIs the user Manager for any identity = " + user.getManagerStatus());

    System.out.println("\nListing of Accounts");
    System.out.println("========================");
    List links = user.getLinks();  // Links represent application accounts correlated to this identity
    if (links != null) {
        Iterator linkIterator = links.iterator();
        while (linkIterator.hasNext()) {
            Link account = (Link) linkIterator.next();
            System.out.println("Application Name = " + account.getApplicationName() + ";  Account Name = " + account.getDisplayableName());
            log.debug("Application Name = " + account.getApplicationName() + ";  Account Name = " + account.getDisplayableName());
        }
    }
  </Source>
</Rule>


Check the Tomcat console or logs for the results (System.out.println goes to Tomcat's standard output; the log.debug() line reaches the IdentityIQ log only when the log4j level for that logger is DEBUG):
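The account listing here and the entitlement listing from the first post combine into a control worth running regularly: identities marked inactive that still hold accounts or entitlements. This is an added example, not code from the page; it assumes the inactive flag is exposed as the searchable Identity property "inactive", and the helper residualAccess is a name chosen here.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

// Summarise one identity's residual access: account links plus the entitlement
// values held outside of detected roles. Returns human-readable lines.
List residualAccess(Identity user) {
    List lines = new ArrayList();
    List links = user.getLinks();
    if (links != null) {
        for (Link link : links) {
            lines.add("account " + link.getApplicationName() + " / " + link.getDisplayableName());
        }
    }
    List groups = user.getExceptions();
    if (groups != null) {
        for (EntitlementGroup grp : groups) {
            if (grp.getAttributes() == null) continue;
            Application app = grp.getApplication();
            String appName = (app != null) ? app.getName() : "(unknown application)";
            for (Iterator keys = grp.getAttributes().keySet().iterator(); keys.hasNext(); ) {
                String attr = (String) keys.next();
                Object value = grp.getAttributes().get(attr);
                // Multi-valued entitlement attributes are Lists, single values are Strings
                if (value instanceof List) {
                    for (Object v : (List) value) {
                        lines.add("entitlement " + appName + " : " + attr + " = " + v);
                    }
                } else if (value != null) {
                    lines.add("entitlement " + appName + " : " + attr + " = " + value);
                }
            }
        }
    }
    return lines;
}

// Search for identities flagged inactive (leavers) and report any that still have access
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("inactive", true));
Iterator it = context.search(Identity.class, qo);
int flagged = 0;
while (it.hasNext()) {
    Identity user = (Identity) it.next();
    List access = residualAccess(user);
    if (!access.isEmpty()) {
        flagged++;
        log.warn("Inactive identity " + user.getName() + " still holds " + access.size() + " access item(s)");
        for (Object line : access) {
            log.warn("  " + line);
        }
    }
}
log.info("Inactive identities with residual access: " + flagged);
```

Output goes to the IIQ log rather than System.out so that it survives a console session; on a large identity population, run it as a scheduled rule task rather than from the console.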


Comment below if you find this post helpful.

Friday, November 27, 2020

Delimited File Connector parsing error: To parse the file you must specify either a delimiter or a regular expression, both option cannot be specified

While onboarding a Delimited File connector in SailPoint you may encounter the error "To parse the file you must specify either a delimiter or a regular expression, both option cannot be specified", even though you selected the Parsing Type Delimited and provided a delimiter. The cause is that the Regular Expression field also contains a value (in the case shown it had been populated with spadmin, evidently a stray entry). The two parsing modes are mutually exclusive, so clearing the Regular Expression field resolves the error.





Comment below if this post is helpful.

Saturday, November 21, 2020

Sailpoint IdentityIQ 7.3 Installation Steps

This post provides the steps to install SailPoint IdentityIQ 7.3 in a micro footprint topology (a single machine hosting both the database and the application server).

Please check the SailPoint IIQ installation support matrix for version compatibility.


Required Software components
  1. MySQL 5.6 database
  2. Java JDK 1.8 or later
  3. Apache Tomcat 9.0
  4. IdentityIQ 7.3 binaries (identityiq-7.3.zip)

Prerequisites

  1. Download all the required software components
  2. Install the JDK 1.8 and set JAVA_HOME to its installation directory (for example C:\Program Files\Java\jdk1.8.0_xx; a JDK 7 path such as jdk1.7.0_80 does not meet the 1.8 requirement), then append %JAVA_HOME%\bin to your PATH
  3. Install the Apache Tomcat application server
  • Unzip the downloaded binaries to your local C drive (C:\apache-tomcat-9.0 is used in the rest of this post)
  • Start the Tomcat server by navigating to C:\apache-tomcat-9.0\bin and double-clicking startup
  • Open http://localhost:8080 in a browser to confirm that the server has started successfully
  4. Install and configure MySQL. As part of the MySQL installation you will also be asked to install:
  • .NET Framework
  • Visual C++ redistributable
  • MySQL Workbench

Deploy IIQ War File

Stop the Tomcat application server by navigating to C:\apache-tomcat-9.0\bin and double-clicking shutdown.

Create a directory named identityiq in the Tomcat webapps directory, C:\apache-tomcat-9.0\webapps\identityiq; this is the SailPoint installation directory.

Unzip the downloaded identityiq-7.3.zip file, locate identityiq.war and copy it to the installation directory C:\apache-tomcat-9.0\webapps\identityiq.

Extract the war file from a command prompt. jar extracts into the current directory, so change into the installation directory first:

               cd C:\apache-tomcat-9.0\webapps\identityiq
               jar -xvf identityiq.war


Configure Extended Attributes (optional)

A few identity attributes come with the installation, such as User Name, First Name, Last Name, Email and Manager. If you need additional identity attributes that must be searchable (for example userId and empType), you can add them as named extended attributes.

Configure the Hibernate mapping file to add two named, searchable, indexed extended attributes.

Edit C:\apache-tomcat-9.0\webapps\identityiq\WEB-INF\classes\sailpoint\object\IdentityExtended.hbm.xml with a text editor and add the XML for the attributes userId and empType. They become columns of the spt_identity table when the schema is generated in the next step, so they must be added before running iiq schema.
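The two property entries for userId and empType, as an added example modelled on the extended1 placeholder entries that ship in IdentityExtended.hbm.xml. This is not the page's own snippet; copy the length, access class and index naming from the placeholder lines already present in your copy of the file if they differ.

```xml
<!-- Named, searchable, indexed extended attributes; each becomes a column of spt_identity -->
<property name="userId" type="string" length="450"
          access="sailpoint.persistence.ExtendedPropertyAccessor"
          index="spt_identity_userId_ci"/>
<property name="empType" type="string" length="450"
          access="sailpoint.persistence.ExtendedPropertyAccessor"
          index="spt_identity_empType_ci"/>
```

After iiq schema runs, the two columns and their indexes appear in create_identityiq_tables.mysql. The attributes also have to be defined as searchable identity attributes in the Identity ObjectConfig (Identity Mappings in the UI) before filters and searches can use them.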


Save the changes to the file.

You may need more identity attributes later without yet knowing their names. For these the file provides 10 placeholders by default (extended1 to extended10), of which 5 are searchable and indexed and the other 5 are searchable but not indexed.


Configure the Database

In a command prompt, navigate to C:\apache-tomcat-9.0\webapps\identityiq\WEB-INF\bin and run the command below to generate the database schema scripts (it reads the Hibernate mapping files, so any extended attributes must already be in place):

iiq schema

Create the IdentityIQ database by loading the MySQL schema script. In the command prompt navigate to C:\apache-tomcat-9.0\webapps\identityiq\WEB-INF\database and log into MySQL:

mysql -u root -p
Enter the password when prompted

Run this command to load the schema into MySQL:

mysql> source create_identityiq_tables.mysql

Check that the identityiq database now appears in the list of databases:

mysql> show databases;

Type quit to exit MySQL.

Note that the generated script also creates the database user identityiq with a well-known default password. Change that password before the installation is reachable from anything other than your own workstation.

Configure the database settings IdentityIQ uses to connect (JDBC URL, user and password) by editing C:\apache-tomcat-9.0\webapps\identityiq\WEB-INF\classes\iiq.properties. Rather than storing the database password in clear text there, generate an encrypted value with "iiq encrypt <password>" from WEB-INF\bin and paste that into the password property.


Load the initial files

Import the default IdentityIQ objects from init.xml and init-lcm.xml to initialize the system.

In a command prompt navigate to C:\apache-tomcat-9.0\webapps\identityiq\WEB-INF\bin and run the below commands:

iiq console

> import init.xml

> import init-lcm.xml

Start the Tomcat server and verify the installation by logging in to IdentityIQ from a browser at http://localhost:8080/identityiq/ with the default credentials spadmin/admin. Change the spadmin password at the first login: the default is public knowledge and the account is the system administrator.

Friday, November 20, 2020

Software and Hardware requirements for various SailPoint IIQ installation topologies

This post provides information about the various SailPoint IIQ installation topologies.

Please refer to the SailPoint IIQ support matrix for version compatibility.


SOFTWARE REQUIREMENTS

  • Java
  • Database [MySQL, Oracle DB, IBM DB2, MS SQL Server etc.]
  • Application Server [Tomcat, WebLogic, WebSphere, JBoss etc.]
  • Software Binaries [identityiq.war]


HARDWARE REQUIREMENTS

Most SailPoint IIQ installations fall into one of the following categories.


Micro Footprint

Very small or non-production installations managing up to 5,000 identities. Mainly used by developers.

Single server hosting both the DB and IIQ, with:

  • 1 or 2 core processor
  • Min 2 GB of RAM [4 GB or more preferred]
  • 40 GB of storage

 

Small Footprint

Installations to manage up to 10,000 Identities

2 x IIQ servers [one combined with DB] each having:

  • 4 core processor
  • 8 GB RAM
  • 250 GB RAID protected DB block storage + Available RAID protected OS storage

 

Medium Footprint

Installations to manage 10,000 – 50,000 Identities

2 x IIQ Task servers, each having:

  • 4 core processor
  • 8 GB RAM
  • 50 GB local block storage for binaries and logs

1 x IIQ UI server with:

  • 4 core processor
  • 8 GB RAM
  • 40 GB local block storage for binaries and logs

1 x Dedicated DB server with:

  • 4 core processor
  • 64 GB RAM
  • 500 GB RAID Protected DB storage + 20 GB RAID protected storage for OS files 


Large Footprint

Installations to manage 50,000 – 500,000 (5 lakh) identities

2 x IIQ Task servers, each having:

  • 4 core processor
  • 16 GB RAM
  • 50 GB local block storage for binaries and logs

2 x IIQ UI server with:

  • 4 core processor
  • 8 GB RAM
  • 40 GB local block storage for binaries and logs

1 x Dedicated DB server with:

  • 4 core processor
  • 128 GB RAM
  • 1 TB RAID Protected DB storage + 20 GB RAID protected storage for OS files

For installations with more than 500,000 identities, contact SailPoint support.


Task server: Performs all the background tasks that are required, like running Refresh Identity Cube tasks, Aggregation tasks, custom scheduled tasks etc. Task server is not accessible to the end user.

UI server: End user performs all the UI related activities here. Raise a request, provide approvals, take actions on certifications, policy violations etc.

RAID protection: RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks or solid-state drives to protect data in the case of a drive failure.


Form AllowedValues rule to filter Identities with Active Regular Active Directory accounts and identity is active and correlated

 The rule type is AllowedValues. import org.apache.log4j.Level ; import org.apache.log4j.Logger ; import sailpoint.object.Filter ; import sa...