Friday, April 26, 2013

Advanced Policy Violation in SailPoint IIQ

An advanced policy in SailPoint can be used to create any custom violation condition, based on account or identity attributes.
It lets you write custom Java code (a rule), so you can implement any logic needed to find the violation.

In this post I will describe how you can write a rule for advanced policy violation.

1. Go to policy and create a new policy of advanced type.

2. Create a new policy rule for this policy. A policy can have multiple policy rules, which together define the set of violation definitions.
For example, you can create one policy called Dormant accounts, and create separate rules for the Dormant account condition as per the requirements of different applications.

3. In the new policy rule, select rule as selection method and write the custom rule there.

The identity is one of the input parameters of the policy rule, so if we are writing a policy violation for a specific application, we need to filter the links from the identity down to that single application.

Here is the code snippet to filter the links:

import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;

//create a policy violation object, which is the return object of this rule
PolicyViolation v = null;

//get the Application object for the desired application
Application app = context.getObject(Application.class, "< Application-Name >");

//get links for all the accounts in the application
List appAccounts = identity.getLinks(app);

//This check is very important, otherwise the identities which don't have any application accounts will throw a null pointer exception while executing the policy.
if (appAccounts != null) {

    //Create an iterator to iterate through the application accounts
    Iterator itr = appAccounts.iterator();
    while (itr.hasNext()) {
        Link link = (Link) itr.next();
        // here you can write the logic to find the violation condition
        // once the violation is found, do the following to update the PolicyViolation object

        v = new PolicyViolation();

        //this statement is very important, otherwise the violation won't show up in your certification. It attaches the applications to the violation.
        v.setRelevantApps("< all apps as java.util.list >");
    }
}

//return the violation, or null if no violation was found
return v;
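A filled-in version of the skeleton above for the post's Dormant accounts example, written as a BeanShell policy rule. It is an added example, not the author's code: the `lastLogin` account attribute, its `yyyy-MM-dd` format and the 90-day threshold are assumptions, and `policy`, `constraint` and `log` are the arguments IIQ passes to a policy rule alongside `identity` and `context`.

```java
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;

// Assumptions (not from the original post): adapt all four values.
String APP_NAME = "< Application-Name >";
String LAST_LOGIN_ATTR = "lastLogin";          // hypothetical account attribute
String DATE_FORMAT = "yyyy-MM-dd";             // hypothetical attribute format
long MAX_IDLE_MS = 90L * 24 * 60 * 60 * 1000;  // hypothetical 90-day threshold

PolicyViolation v = null;
Application app = context.getObject(Application.class, APP_NAME);
List appAccounts = (app == null) ? null : identity.getLinks(app);

// Identities without accounts on this application are skipped, not failed.
if (appAccounts != null) {
    List dormant = new ArrayList();
    SimpleDateFormat fmt = new SimpleDateFormat(DATE_FORMAT);
    fmt.setLenient(false);
    long now = new Date().getTime();
    Iterator itr = appAccounts.iterator();
    while (itr.hasNext()) {
        Link link = (Link) itr.next();
        Object raw = link.getAttribute(LAST_LOGIN_ATTR);
        if (raw == null) continue;  // no login data: not flagged by this rule
        try {
            Date last = fmt.parse(raw.toString());
            if (now - last.getTime() > MAX_IDLE_MS) dormant.add(link.getNativeIdentity());
        } catch (java.text.ParseException e) {
            log.warn("Unparseable " + LAST_LOGIN_ATTR + " on " + link.getNativeIdentity());
        }
    }
    if (!dormant.isEmpty()) {
        v = new PolicyViolation();
        v.setActive(true);
        v.setIdentity(identity);
        v.setPolicy(policy);
        v.setConstraint(constraint);
        v.setDescription("Dormant accounts on " + APP_NAME + ": " + dormant);
        List apps = new ArrayList();
        apps.add(APP_NAME);
        v.setRelevantApps(apps);  // needed for the violation to appear in certifications
    }
}
return v;
```

Accounts with no `lastLogin` value are skipped here; if never-used accounts should also count as dormant, add them to the `dormant` list instead of continuing.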

P.S. Feel free to post your comments.

1 comment:

  1. Can we send multiple policy violations? If yes, how can we do that?