Monday, September 20, 2021

After Provisioning Rule - When an entitlement is removed, disable the user through webservice

 Requirement: when the Active Directory entitlement (the PMS group) is removed from an identity, that user also has to be disabled in the PMS target system through its web service. This can be done with an After Provisioning rule on the Active Directory application: it runs after the connector has processed the plan, so it can react to what was actually provisioned. Two points to keep in mind when adapting the rule below: keep the web-service URL and credentials out of the rule source (rule XML is exported, versioned and readable from the Debug page) and call the service over HTTPS only, because HTTP Basic authentication sends the password with every request.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="" id="" language="beanshell" modified="" name="AD After Provisioning Disable PMS User" type="AfterProvisioning">
  <Description>An IdentityIQ server-side rule that is executed after the connector's provisioning method is called. This gives the customer the ability to customize or react to anything in the ProvisioningPlan AFTER it has been sent out to the specific applications.
This rule is called once for each application in the plan that has an 'afterProvisioningRule' configured.</Description>
  <Signature>
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="plan">
        <Description>
          The ProvisioningPlan object on its way to the Connector.
        </Description>
      </Argument>
      <Argument name="application">
        <Description>
          The application object that references this before/after script.
        </Description>
      </Argument>
      <Argument name="result">
        <Description>
          The ProvisioningResult object returned by the connector's provision method. This can be null; in many cases the connector does not return a result and instead annotates the plan's ProvisioningResult at either the plan or the account level.
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;
  

// NOTE(review): this shadows the rule's "log" input argument (see the Signature above) with a
// dedicated log4j logger in the sailpoint.services.rule.AfterProvisioning category, so that
// everything this rule logs can be levelled and filtered independently of IIQ's own logging.
Logger log = Logger.getLogger("sailpoint.services.rule.AfterProvisioning");
log.debug("Enter Rule AD After provisioning Rule");
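/**
 * Deactivate {@code username} in the PMS target through its ChangeUserStatus web service.
 *
 * Sends POST {"users": {"ActivateUser": false, "Logins": [username]}} with HTTP Basic
 * authentication. Endpoint and credentials are read from the Active Directory application's
 * configuration (the "application" rule input) instead of being embedded in the rule: rule XML
 * is exported, versioned and readable from the Debug page, so a secret written here would be
 * exposed to every administrator and to every copy of the configuration.
 *
 *   pmsStatusServiceUrl      - https URL of the ChangeUserStatus endpoint
 *   pmsStatusServiceUser     - Basic-auth user name
 *   pmsStatusServicePassword - Basic-auth password, stored encrypted in the application
 *                              definition (context.decrypt() leaves a plain value unchanged)
 *
 * The call is best-effort: every failure is logged and the method returns normally, because
 * an exception thrown from an AfterProvisioning rule fails the whole provisioning request even
 * though the AD change has already been applied. If the PMS deactivation must be guaranteed,
 * open a work item or retry from the error branches below instead of only logging.
 *
 * @param username PMS login to deactivate; null or blank is ignored
 */
public void changeUserStatus(String username) {
  if (username == null || username.trim().length() == 0) {
    log.warn("changeUserStatus: no username supplied, nothing to deactivate");
    return;
  }
  log.debug("changeUserStatus: username=" + username);

  String endpoint = (String) application.getAttributeValue("pmsStatusServiceUrl");
  String serviceUser = (String) application.getAttributeValue("pmsStatusServiceUser");
  String servicePassword = (String) application.getAttributeValue("pmsStatusServicePassword");
  if (endpoint == null || serviceUser == null || servicePassword == null) {
    log.error("changeUserStatus: pmsStatusServiceUrl/User/Password are not configured on application "
        + application.getName() + "; user " + username + " was NOT deactivated in PMS");
    return;
  }
  servicePassword = context.decrypt(servicePassword);

  // Never log the credential or its base64 form: base64 is an encoding, not encryption,
  // and IIQ log files are widely readable.
  String basicAuth = Base64.getEncoder().encodeToString(
      (serviceUser + ":" + servicePassword).getBytes(StandardCharsets.UTF_8));

  // Request body. The username is escaped because it comes from identity data that may
  // contain quotes or backslashes; concatenating it raw would corrupt or alter the JSON.
  String jsonBody = "{\"users\": {\"ActivateUser\": false, \"Logins\": [\""
      + jsonEscape(username) + "\"]}}";
  byte[] payload = jsonBody.getBytes(StandardCharsets.UTF_8);

  HttpURLConnection conn = null;
  try {
    URL url = new URL(endpoint);
    // Basic auth carries the password on every request; refuse to send it in the clear.
    if (!"https".equalsIgnoreCase(url.getProtocol())) {
      log.error("changeUserStatus: refusing to send Basic auth over non-https endpoint " + endpoint);
      return;
    }
    log.debug("changeUserStatus: POST " + url);
    conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    // Timeouts: this rule runs inside the provisioning transaction; without them a hung PMS
    // endpoint would block the request (and the IIQ thread) indefinitely.
    conn.setConnectTimeout(10000);
    conn.setReadTimeout(30000);
    conn.setRequestProperty("Content-Type", "application/json; charset=utf-8");
    conn.setRequestProperty("Accept", "application/json, */*");
    conn.setRequestProperty("Authorization", "Basic " + basicAuth);
    conn.setDoOutput(true);
    // Emit the real Content-Length for this body; a hard-coded value is wrong as soon as the
    // username length changes (and HttpURLConnection ignores a manually set one anyway).
    conn.setFixedLengthStreamingMode(payload.length);

    OutputStream out = conn.getOutputStream();
    try {
      out.write(payload);
      out.flush();
    } finally {
      out.close();
    }

    int responseCode = conn.getResponseCode();
    log.debug("changeUserStatus: HTTP response code " + responseCode);
    if (responseCode / 100 == 2) {
      String body = readBody(conn.getInputStream());
      log.debug("changeUserStatus: deactivated " + username + " in PMS; response: " + body);
    } else {
      // getErrorStream() is null when the server sent no body with the error status.
      String body = readBody(conn.getErrorStream());
      log.error("changeUserStatus: PMS returned HTTP " + responseCode + " "
          + conn.getResponseMessage() + " for user " + username + "; response: " + body);
    }
  } catch (MalformedURLException ex) {
    log.error("changeUserStatus: invalid pmsStatusServiceUrl '" + endpoint + "': " + ex, ex);
  } catch (IOException ex) {
    log.error("changeUserStatus: call to PMS failed for user " + username + ": " + ex, ex);
  } finally {
    if (conn != null) {
      conn.disconnect();
    }
  }
}

/**
 * Read an HTTP body completely as UTF-8 and close the stream; returns "" for a null stream.
 * (The previous read loop appended the end-of-stream marker -1 as a character and never closed.)
 */
public String readBody(InputStream in) throws IOException {
  if (in == null) {
    return "";
  }
  try {
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    byte[] chunk = new byte[4096];
    int n = in.read(chunk);
    while (n != -1) {
      buffer.write(chunk, 0, n);
      n = in.read(chunk);
    }
    return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
  } finally {
    in.close();
  }
}

/**
 * Escape a value for use inside a JSON string literal: quote, backslash and control characters.
 */
public String jsonEscape(String s) {
  StringBuilder sb = new StringBuilder(s.length() + 8);
  for (char c : s.toCharArray()) {
    if (c == '"' || c == '\\') {
      sb.append('\\').append(c);
    } else if (c == '\n') {
      sb.append("\\n");
    } else if (c == '\r') {
      sb.append("\\r");
    } else if (c == '\t') {
      sb.append("\\t");
    } else if (Character.isISOControl(c)) {
      sb.append(String.format("\\u%04x", (int) c));
    } else {
      sb.append(c);
    }
  }
  return sb.toString();
}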

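// ---- Main body: react to the PMS group being removed from the identity's AD account ----

// DN of the AD group whose removal must deactivate the user in PMS (compared case-insensitively).
String PMS_GROUP_DN = "CN=PMSGroup,OU=Security Groups,OU=IBM,DC=COM";
// Name of the AD application as configured in IIQ (compared case-insensitively).
String AD_APPLICATION_NAME = "Active Directory and Exchange";

/**
 * True if an AttributeRequest value names {@code groupDn}. IIQ may carry several removed
 * memberOf values in ONE request as a List, so both the single-value and the List form are
 * handled; comparing value.toString() against the DN (as before) silently misses the List case.
 */
public boolean removesGroup(Object value, String groupDn) {
  if (value == null) {
    return false;
  }
  if (value instanceof List) {
    for (Object v : (List) value) {
      if (v != null) {
        if (groupDn.equalsIgnoreCase(v.toString())) {
          return true;
        }
      }
    }
    return false;
  }
  return groupDn.equalsIgnoreCase(value.toString());
}

List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
  for (AccountRequest accountRequest : accountRequests) {
    // Only Modify requests against the AD application are of interest.
    if (!AD_APPLICATION_NAME.equalsIgnoreCase(accountRequest.getApplicationName())) {
      continue;
    }
    if (!AccountRequest.Operation.Modify.equals(accountRequest.getOperation())) {
      continue;
    }
    // This rule runs AFTER the connector, so the result says whether the removal actually
    // happened. The connector may leave the result null or put it on the plan instead of the
    // account (see the "result" input description); only an explicit failure stops us here,
    // otherwise a PMS user would be deactivated on the strength of a request that failed.
    ProvisioningResult provResult = accountRequest.getResult();
    if (provResult == null) {
      provResult = plan.getResult();
    }
    if (provResult != null) {
      if (provResult.isFailed()) {
        log.warn("AD provisioning failed for this account; not deactivating the user in PMS");
        continue;
      }
    }
    List attributeRequests = accountRequest.getAttributeRequests();
    if (attributeRequests == null) {
      continue;
    }
    for (AttributeRequest attributeRequest : attributeRequests) {
      if (!"memberOf".equalsIgnoreCase(attributeRequest.getName())) {
        continue;
      }
      if (!ProvisioningPlan.Operation.Remove.equals(attributeRequest.getOperation())) {
        continue;
      }
      if (removesGroup(attributeRequest.getValue(), PMS_GROUP_DN)) {
        // The PMS login is taken to be the IIQ identity name, as in the original rule.
        // NOTE(review): confirm this mapping; if PMS keys on the AD account instead, derive
        // the login from the AD account attributes rather than from the identity name.
        if (plan.getIdentity() == null) {
          log.error("Plan has no identity; cannot determine which PMS user to deactivate");
        } else {
          changeUserStatus(plan.getIdentity().getName());
        }
        // One deactivation per account is enough, even if the plan lists the DN twice.
        break;
      }
    }
  }
}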
</Source>
</Rule> 


