Code to update provisioning plan to remove the "Remove entitlement requests" from the provisioning plan

 Requirement: The function takes three inputs ProvisioningPlan, application name and the list entitlements that shouldn't be removed from the user. (This funtion can be used as a part of Mover workflow where a set of entitlements must not be removed from the user after provisioning due to mover event).

public ProvisioningPlan removeADGroupRemoveRequest(ProvisioningPlan plan, String appName, List<String> groups) {

log.debug("Entered removeADGroupRemoveRequest");

// Define a new ProvisioningPlan

ProvisioningPlan newplan = new ProvisioningPlan();

List<AccountRequest> newAccountRequests = null; 

sailpoint.object.ProvisioningPlan.AccountRequest.Operation operation = null;

// Get the account requests

List<AccountRequest> accountRequests = plan.getAccountRequests();

if (accountRequests.size()>=0) {

// Iterate for every accountRequest

for (AccountRequest accountRequest : accountRequests) {

operation = accountRequest.getOperation();

String applicationName = accountRequest.getApplicationName();

//check if the application name of the accountRequest is same as the incoming appName

if(applicationName.equalsIgnoreCase(appName)) {

log.debug("Operation for Account Request: "+operation);

if(operation.equals(AccountRequest.Operation.Modify)) {

// Get attribute requests from the accountRequest

List<AttributeRequest> attributeRequests = accountRequest.getAttributeRequests();

if(attributeRequests.size()>0) {

for(AttributeRequest attributeRequest : attributeRequests) {

String name = attributeRequest.getName();

Object value = attributeRequest.getValue();

ProvisioningPlan.Operation oper = attributeRequest.getOp();

if(name!=null)

{

if(name.equalsIgnoreCase("memberOf")) {

if(attributeRequest.getOperation().equals(ProvisioningPlan.Operation.Remove)) {

log.debug("Remove entitlement operation entered");

String entValue = (String)value;

if(groups.contains(entValue)){

// remove the attribute request from account request

accountRequest.remove(attributeRequest);

}

}

}

}

}

}

}

}

//adding all the accountRequests to the newAccountRequests list

newAccountRequests.add(accountRequest);

}

  }

//add the newAccountRequests to the newplan and return newplan

newplan.setAccountRequests(newAccountRequests);

return newplan;

}

Comment below if you find this post helpful.

Quicklink to display the list of users who are expiring in next 14 days

 Requirement: Develop a Quicklink, once we click on it, return the list of users who are expiring in next 14 days.

1. Create a quicklink category. Import the below file into Sailpoint to create quicklink category. 

https://drive.google.com/file/d/1JzGYxpY_4BDZn2MZyKbRy22MNwt-hHN3/view?usp=sharing

2. Create a workflow quick link. Import the below file into Sailpoint to create quicklink.

https://drive.google.com/file/d/15_2GVWHXmHQcUQ44FYoeGGPKVUuJcBqm/view?usp=sharing

3.  Create a workflow and add a form in it. Add a field in the form and add a rule for the field which returns the users who are expiring in next 14 days.

Import the below workflow into Sailpoint.

https://drive.google.com/file/d/13fdQcrH2HAiS44anmA0sLXB2Z-DZ5uX4/view?usp=sharing 

Note: The rule is written with keeping below points in mind:

1. The user expiry is known from the Application attribute 'lastLogOn' of "HR System - Employees" application

2. The date format of 'lastLogOn' is in LDAP millisecond.

3. Convert the LDAP millisecond date to normal date and them compare it with current date. If the difference is <= 14 days, return the Identity Name.

Import the below Rule into Sailpoint.

https://drive.google.com/file/d/1DBZbhQVYw0Yt69Mrwejjuo6MsFY6p5aq/view?usp=sharing

Comment below if you find this post helpful.

Email Template to send success message for Joiner

 Sample Email template to send success message for Joiner. Download here:

https://drive.google.com/file/d/1Rgp3Pid_rWKRp9RxOsV8vysX6VX3ULtC/view?usp=sharing

Update the logo by convert the image to base64 encoded https://www.base64encode.org/ and replace in the email template.

Comment below if you find this post helpful.

Defining Multi-level approval process

 Defining approvals in a generic way based on a custom object. The custom object contains the type of provisioning request, application details and the approvers details. 
The approval assignment rule is written to trigger the approvals based on the approvers in the custom object. 

Requirement:

If the user request for Entitlement to be added, for Active Directory the approvals has to go 3 approvers in serial manner. 
1. Manager
2. Security Admin (Work group)
3. IT Team (Work group)

For Oracle ERP application, the approval has to go only to manager (single approver). And approvals are not required for removal of Entitlements.
For Account Request and Role Request, the approval has to go to manager.

Process:

Step 1: Import the below custom object into SailPoint. The custom object file contains the Provisioning request type, application details and the corresponding approvers.

https://drive.google.com/file/d/1bSNQLHcGacz3h01hEplsntHwZZaZL3zE/view?usp=sharing

Step 2: Import the Approval assignment rule into SailPoint. The Approval assignment rule contains the actual logic to trigger the approvals with the details from the custom object.

https://drive.google.com/file/d/1jgyNH62v6oM5FgFdY8EF3cXG91wWjonN/view?usp=sharing

Step 3: Edit the LCM Provisioning Workflow and provide the name of imported assignment rule in argument approvalAssignmentRule for the sub processes Split provisioning and Approve and Provision.

step 4: Make sure approval mode = serial and approvalScheme = Identity.

Request for Entitlements and the approvals are triggered as defined in the custom object mappings.

Comment below if you find this post helpful.

Trigger a Life cycle event for Active Directory users who did not login for last 90 days

 Requirement is to trigger an event for Active Directory users who are terminated and did not login for past 90 days.

Go to setup --> Lifecycle Events --> Add New Lifecycle Event.  
Enter the Name, Desription. Select Event type as Rule. 

Use the below code for the Rule:
if(newIdentity!=null){
return true;
}else{
return false;
}

Or you can import the below IdentityTrigger Rule and use it.

https://drive.google.com/file/d/1gb2rEPLFa-UVYg2wOjlan3nE3bPwTKlN/view?usp=sharing

Select Included Identities as Rule. Use the below code for the Rule:

import sailpoint.object.Identity;
import sailpoint.api.IdentityService;
import sailpoint.object.Link;
import sailpoint.object.Attributes;
import sailpoint.object.Application;
import java.util.Calendar;
import java.util.Date;
import java.text.SimpleDateFormat;
log.error("Identity Selector Rule Triggered : " + identity.getName());
// get the application link for Active Directory
IdentityService identityService = new IdentityService(context);
Application app = context.getObjectByName(Application.class, "HR System - Employees");
List links = identityService.getLinks(identity, app);
if(!links.isEmpty()){
Link link = links.get(0);
if(link!=null){
String applicationName = link.getApplicationName();
log.error("Application Name: " + applicationName);
Attributes attributes = link.getAttributes();
if(attributes!=null){

String lastLogOn = attributes.getString("lastLogOn");
String userAccountControl = attributes.getString("userAccountControl");
if(lastLogOn != null &amp;&amp; userAccountControl != null) {
// convert from millisecond to date format
Date currentDate=new Date();
        Long diffForDateAndTime = 11644473600000L;
        Long adDate = Long.parseLong(lastLogOn);
        Long epochTime = (adDate / 10000) - diffForDateAndTime;
        Date lastLogOnDate = new Date (epochTime);
        log.error("lastLogOnDate: " + lastLogOnDate);
        
        //calucalate the diff b/w today to lastLogOn date
        int diffInDays = (int) ((currentDate.getTime() - lastLogOnDate.getTime()) / (1000*60*60*24));
        log.error("diffInDays: " + diffInDays);
        //Event generation condition
        if(diffInDays>90 &amp;&amp; userAccountControl.equalsIgnoreCase("514")){
        // log.error("**************   Returning True *******************");
                                    return true;
                                             }
}
}
}
}
return false;

Or you can import the below IdentitySelector Rule and use it.

https://drive.google.com/file/d/1z-Sfva6ef-TTvFxFhA8T9A3_zJ41lAZq/view?usp=sharing

Run the refresh identity cube task with Process Events enabled. You can see the events are generated for the users that are inactive and not login into AD for last 90 days.

Currently only the events are triggered, but no action is performed. Add a Business process to delete the users.

Remove Identity Entitlements for any application

 Field Value Rule to remove identity entitlements for any application 

In a given application, call this rule in the Provisioning Policy entitlement field, to remove the  entitlements. Below is the rule:

    import sailpoint.object.EntitlementGroup;
    import sailpoint.object.Attributes;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;
    import sailpoint.api.Provisioner;
    
    log.error("Executing Feild Value Rule - Remove Entitlements for Identity: " + identity.getName());
    String applicationName = link.getApplicationName();
    String nativeIdentity = link.getNativeIdentity();
    ProvisioningPlan plan = new ProvisioningPlan();
    Provisioner provisioner = new Provisioner(context);
    //Calucalting Identity Entitlements
    List exceptions = identity.getExceptions();
        
    if(exceptions !=null){
    for(EntitlementGroup entitlement: exceptions){
    Attributes attributes = entitlement.getAttributes();
    Map attributesMap = attributes.getMap();
   
    for (Map.Entry attrMap : attributesMap.entrySet()){
    ProvisioningPlan.AccountRequest accountRequest = new ProvisioningPlan.AccountRequest(
    ProvisioningPlan.AccountRequest.Operation.Modify, applicationName, null, nativeIdentity);
   
    ProvisioningPlan.AttributeRequest attributeRequest = new ProvisioningPlan.AttributeRequest(
    (String) attrMap.getKey(), ProvisioningPlan.Operation.Remove, attrMap.getValue());
   
    accountRequest.add(attributeRequest);
    plan.add(accountRequest);
    provisioner.execute(plan);
    }
    }
    } 

Or simply import this xml file to import the rule. 

https://drive.google.com/file/d/1H4WS46N6ph_8LtIO3GXdk-CZGELXw3wG/view?usp=sharing

Comment below if you find this post helpful.

Identity Creation Rule to generate username and full name

 Identity Creation Rule to generate username and full name based on given conditions.

Username condition:
1. First letter of first name + last name
2. First letter of first name.last name
3. first name.last name
4. last name.first letter of first name
5. last name.first name
6. If middele name exists: first letter of first name.first letter of middle name + last name
7. Generate a random integer and append to "newuser"

If the username genereated based on first condition already exists, then go to second condition. If second condition also exists, then go to third condition and so on.

Full name condition:
fullName = firstName + lastName + fatherName + grandFatherName;
 
Below is the code for Identity Creation Rule:

import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.services.custom.utility.CustomUtil;

//get the attribute values from account
String firstName = account.getStringAttribute("firstName");
String lastName = account.getStringAttribute("lastName");
String middleName = account.getStringAttribute("middleName");
String fatherName = account.getStringAttribute("fatherName");
String grandFatherName = account.getStringAttribute("grandFatherName");
String [] userNameFullName = CustomUtil.getFinalUserNameFullName(firstName, middleName, lastName, fatherName, grandFatherName, context);
Logger log = Logger.getLogger("Custom.Rules.Custom-IdenitityCreation-HRMS");
log.setLevel(Level.DEBUG);
log.debug("firstName: "+firstName);
log.debug("lastName: "+lastName);
log.debug("middleName: " +middleName );
log.debug("fatherName: " +fatherName );
log.debug("grandFatherName: " +grandFatherName );
log.debug("username: "+ userNameFullName[0]);
log.debug("fullname: "+ userNameFullName[1]);
identity.setAttribute("username", userNameFullName[0]);
identity.setAttribute("fullname", userNameFullName[1]);
}

Below is the CustomUtil.java class, which has to be deployed:

package sailpoint.services.custom.utility;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Random;
import sailpoint.api.SailPointContext;
import org.apache.log4j.Logger;
import org.apache.log4j.Level;
public class CustomUtil {

public String checkUserName(String username, SailPointContext context) throws Exception{

Logger log = Logger.getLogger("Custom.Rules.CustomUtil.checkUserName");
log.setLevel(Level.DEBUG);
QueryOptions identityQuery = new QueryOptions();
identityQuery.addFilter(Filter.eq("username", username));
List<Identity> identityList = context.getObjects(Identity.class,identityQuery);

if (!identityList.isEmpty()){
log.error("username already exist for identity: " + identityList);
return "TRUE";
}else{ 
  return "FALSE";
}
}

public String[] getUserNameFullName(String firstName, String middleName, String lastName, String fatherName, String grandFatherName, SailPointContext context) throws Exception{
String [] userNameFullName = {"", ""};
userNameFullName[0] = getUserName(firstName, middleName, lastName, context);
userNameFullName[1] = getFullName(firstName, lastName, fatherName, grandFatherName);
return userNameFullName;
}

public String getUserName(String firstName, String middleName, String lastName, SailPointContext context) throws Exception{

Logger log = Logger.getLogger("Custom.Rules.CustomUtil.getUserName");
log.setLevel(Level.DEBUG);

String userName = null;
if(firstName!=null && !firstName.isEmpty() && lastName !=null && !lastName.isEmpty()) {
//First Condition
userName = firstName.charAt(0) + lastName;
log.debug("First Condition userName: "+userName);
if(checkUserName(userName, context).equalsIgnoreCase("TRUE")){
//Second Condition
userName = firstName.charAt(0) + "." + lastName;
log.debug("Second Condition userName: "+userName);
}else{
return userName;
}
if(checkUserName(userName, context).equalsIgnoreCase("TRUE")){
//Third Condition
userName = firstName + "." + lastName;
log.debug("Third Condition userName: "+userName);
}else{
return userName;
}
if(checkUserName(userName, context).equalsIgnoreCase("TRUE")){
//Fourth Condition
userName = lastName + "." + firstName.charAt(0);
log.debug("Fourth Condition userName: "+userName);
}else{
return userName;
}
if(checkUserName(userName, context).equalsIgnoreCase("TRUE")){
//Fifth Condition
userName = lastName + "." + firstName;
log.debug("Fifth Condition userName: "+userName);
}else{
return userName; 
}
if(checkUserName(userName, context).equalsIgnoreCase("FALSE")){
return userName; 
}

// Final condition - if middlename exists
if(checkUserName(userName, context).equalsIgnoreCase("FALSE") && !middleName.isEmpty()){
//Sixth Condition
userName = firstName.charAt(0) + "." + middleName.charAt(0) + lastName;
log.debug("Sixth Condition userName: "+userName);
return userName;
}
}
//Final condition - generate random integer and append it to first condition
Random rand = new Random();
int rand_int = rand.nextInt(1000);
String rand_str = String.valueOf(rand_int);
userName = "newuser" + rand_str;
return userName;
}
public String getFullName(String firstName, String lastName, String fatherName, String grandFatherName){
String fullName = firstName + " "+ lastName + " " + fatherName + " " + grandFatherName;
return fullName;
}

public String[] getFinalUserNameFullName(String firstName, String middleName, String lastName, String fatherName, String grandFatherName, SailPointContext context) throws Exception{
String [] userNameFullName = getUserNameFullName(firstName, middleName, lastName, fatherName, grandFatherName, context);
return userNameFullName;
}
}

Comment below if you find this post helpful.