
I'm trying to write a policy violation in Sailpoint. But I don't know how to get the rights of the user who is asking for a new right. I've tried this:

import java.util.ArrayList;
import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Link;

List links1 = null;
IdentityService service = new IdentityService(context);
Application app1 = context.getObjectByName(Application.class, "Autres");
try {
  // all accounts (links) this identity holds on the "Autres" application
  links1 = service.getLinks(identity, app1);
} catch (Exception e) {
  System.out.println(e.getMessage());
  e.printStackTrace();
}

List DUList1 = new ArrayList();

// guard against a failed lookup as well as an identity with no account
if (links1 != null && links1.size() != 0) {
  Link link1 = (Link) links1.get(0);
  // the "DU" attribute is a String for one value and a List for several
  Object DUObj = link1.getAttribute("DU");
  if (DUObj != null) {
    if (DUObj instanceof String)
      DUList1.add((String) DUObj);
    else
      DUList1.addAll((List) DUObj);
  }
}

It was supposed to return the list of the rights that the user has and the rights that he is asking for. But it doesn't work.

David Buck
Dassie

1 Answer

"Links" in IIQ are accounts, which are entities that you get from IIQ Applications.

IIQ works with 2 types of "rights", which are entitlements and roles.

Entitlements are usually aggregated from IIQ Applications as "groups", while Roles are manually defined as pure IIQ entities. You may think of Roles as groups of entitlements (roughly speaking).

So in order to check what "rights" an IIQ identity has, you must check entitlements and roles.

Since you're working on a policy, I am assuming you're trying something for the access request. In this case, you can consider that roles will be translated into a set of entitlements, so all we have to check are, at the end of the day, entitlements.

I suppose your application "Autres" is aggregating both accounts and entitlements, right? So in your application schema, there is at least 1 account attribute that is marked as "entitlement". Let's say you have something like this

Account schema

  • login (correlates to your identity, identifies your account uniquely)
  • fullname
  • groupsXYZ (correlates to your entitlements)

Then your rule will get the entitlements using something like this

import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Link;

Application app = context.getObjectByName(Application.class, "Autres");
// getLink returns null when the identity has no account on this application,
// so check it before reading attributes
Link account = identity.getLink(app);
Object groups = account.getAttribute("groupsXYZ");
if (groups == null){
  ...
}else if (groups instanceof List){
  ...
}else if (groups instanceof String){
  ...
}

Now, notice that groups can be a List or a String. It depends on whether your account has one or more entitlements associated with it. Because of that, you need to check the type first (I really don't know why IIQ does not use List always, probably because of the way they map their XMLs internally), but you must be careful with it and provide the appropriate typecast.

So in the case you're showing, does "DU" map to an application account attribute which represents the entitlement? You can debug and print all the attributes, for example, in order to see what's associated with your account (link).

Now, if we're not talking about entitlements, but about IIQ Roles, then we're talking about something like this

import sailpoint.object.Bundle;

Bundle someRole = context.getObjectByName(Bundle.class, "My IIQ Role ABC");
boolean hasRole = identity.hasRole(someRole);
shikida
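As an added example (not code from the question or the answer above, and not SailPoint's own API), here is the String-or-List normalisation the answer describes, wrapped in a small check that combines an identity's current entitlements with the ones being requested and reports conflicting pairs. It uses only java.util so it runs outside IIQ; the entitlement names, the `conflicts` map and the `violations` helper are constructed assumptions, and in a real rule `current` would be the value of `link.getAttribute("groupsXYZ")`.

```java
import java.util.*;

public class EntitlementPolicyCheck {

    // Link entitlement attributes arrive as null, a single String or a List;
    // always hand back a List<String> so callers need no instanceof checks.
    static List<String> normalize(Object attr) {
        List<String> result = new ArrayList<>();
        if (attr == null) {
            return result;
        } else if (attr instanceof List) {
            for (Object o : (List<?>) attr) {
                if (o != null) result.add(o.toString());
            }
        } else if (attr instanceof String) {
            result.add((String) attr);
        } else {
            throw new IllegalArgumentException("unexpected type: " + attr.getClass());
        }
        return result;
    }

    // Conflicting pairs that would exist once the requested entitlements are
    // added to the current ones; an empty list means no violation.
    // `current` is whatever the link attribute returned (null, String or List).
    static List<String> violations(Object current, List<String> requested,
                                   Map<String, String> conflicts) {
        Set<String> combined = new HashSet<>(normalize(current));
        combined.addAll(requested);
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, String> c : conflicts.entrySet()) {
            if (combined.contains(c.getKey()) && combined.contains(c.getValue())) {
                found.add(c.getKey() + " + " + c.getValue());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample data (assumption): one conflicting pair, two account shapes.
        Map<String, String> conflicts = new HashMap<>();
        conflicts.put("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT");
        Object single = "AP_CREATE_VENDOR";                          // String form
        Object multi = Arrays.asList("HR_READ", "AP_CREATE_VENDOR");  // List form

        System.out.println(violations(single, Arrays.asList("AP_APPROVE_PAYMENT"), conflicts));
        System.out.println(violations(multi, Arrays.asList("HR_WRITE"), conflicts));
    }
}
```

The first call reports the conflicting pair because the requested entitlement completes it; the second reports nothing, which is the same shape of result a policy rule would turn into a violation or not.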