Rules
Below is information on the BeanShell rules used by the configurations above. The following rules are applied in those configurations:
Rule 1
It aggregates the group IDs into the groups schema in SailPoint.
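import java.util.*;
import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.tools.Util;

// Collects the "id" of every record in processedResponseObject into a single
// {"data": [{"groups": [id, ...]}]} structure so the connector can map the list
// onto the groups schema. processedResponseObject is an injected rule argument
// (presumably the connector's parsed response list -- confirm against the rule
// signature); it is tolerated as null or as a list containing non-map elements.
//
// Java package names are case-sensitive: the IdentityIQ packages are the
// lower-case "sailpoint", as Rule 3 already uses.

List groups = new ArrayList();
if (processedResponseObject != null) {
    for (Object entry : processedResponseObject) {
        // Only map-shaped records carry an "id"; a null element in the groups
        // list would otherwise be handed to the connector as a group.
        if (!(entry instanceof Map)) {
            continue;
        }
        Object id = ((Map) entry).get("id");
        if (id != null) {
            groups.add(id.toString());
        }
    }
}

Map groupsMap = new HashMap();
groupsMap.put("groups", groups);

List data = new ArrayList();
data.add(groupsMap);

Map newProcessedResponseObjectMap = new HashMap();
newProcessedResponseObjectMap.put("data", data);
return newProcessedResponseObjectMap;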
Rule 2
It aggregates the application IDs into the applications schema in SailPoint.
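import java.util.*;
import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.tools.Util;

// Collects the "id" of every record in processedResponseObject into a single
// {"data": [{"applications": [id, ...]}]} structure so the connector can map the
// list onto the applications schema. processedResponseObject is an injected rule
// argument (presumably the connector's parsed response list -- confirm against the
// rule signature); it is tolerated as null or as a list containing non-map elements.
//
// Java package names are case-sensitive: the IdentityIQ packages are the
// lower-case "sailpoint", as Rule 3 already uses.

List apps = new ArrayList();
if (processedResponseObject != null) {
    for (Object entry : processedResponseObject) {
        // Only map-shaped records carry an "id"; a null element in the applications
        // list would otherwise be handed to the connector as an application.
        if (!(entry instanceof Map)) {
            continue;
        }
        Object id = ((Map) entry).get("id");
        if (id != null) {
            apps.add(id.toString());
        }
    }
}

Map appsMap = new HashMap();
appsMap.put("applications", apps);

List data = new ArrayList();
data.add(appsMap);

Map newProcessedResponseObjectMap = new HashMap();
newProcessedResponseObjectMap.put("data", data);
return newProcessedResponseObjectMap;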
Rule 3
This rule ensures the following for each application:

- A corresponding SailPoint managed group is created.
- The assignment is changed to the corresponding SailPoint managed group.
- Any synced group remains non-requestable.

The rule treats the User Portal application as an exception (the listing below also skips the SailPoint IdentityIQ application).
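import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.io.Closeable;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.*;
import org.apache.http.HttpEntity;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpEntityEnclosingRequestBase;
import org.apache.http.client.methods.HttpPatch;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

// Group aggregation refresh rule (assumption based on the injected accountGroup /
// groupApplication / obj / context / log variables -- confirm against the rule signature).
//
// For an aggregated "applications" object whose "SP_<name>" group is not yet known to
// IdentityIQ, create that group on the target system and assign it to the application.
// For an aggregated "group" object, mark synchronized groups non-requestable.
// The "User Portal" and "SailPoint IdentityIQ" applications are skipped.
//
// Both HTTP calls now go through Apache HttpClient (the listing used HttpURLConnection
// for the POST and HttpClient for the PATCH), which removes the clashing
// java.net.http.HttpClient / org.apache.http.client.HttpClient imports and lets the
// client and response be closed in one place.

// Connect and socket timeout for the two web service calls; without one an
// unresponsive target can stall the whole aggregation.
int HTTP_TIMEOUT_MS = 30000;

// Applications for which no SP_ group is created or assigned.
boolean isExcludedApplication(String displayName) {
    return "User Portal".equalsIgnoreCase(displayName)
            || "SailPoint IdentityIQ".equalsIgnoreCase(displayName);
}

// Escape a value for embedding inside a JSON string literal. The display name comes
// from the aggregated system, so quotes, backslashes and control characters must not
// be able to terminate the literal or inject extra JSON fields.
String jsonEscape(String value) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        if (c == '"' || c == '\\') {
            sb.append('\\').append(c);
        } else if (c == '\n') {
            sb.append("\\n");
        } else if (c == '\r') {
            sb.append("\\r");
        } else if (c == '\t') {
            sb.append("\\t");
        } else if (c < 0x20) {
            String hex = Integer.toHexString((int) c);
            sb.append("\\u0000".substring(0, 6 - hex.length())).append(hex);
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}

// Base URL of the target web service, normalised to end with "/" so that path
// segments can be appended; null when the attribute is not configured.
String webServiceBaseUrl() {
    Object value = groupApplication.getAttributeValue("genericWebServiceBaseUrl");
    if (value == null) {
        return null;
    }
    String baseUrl = value.toString().trim();
    if (baseUrl.length() == 0) {
        return null;
    }
    if (baseUrl.regionMatches(true, 0, "http:", 0, 5)) {
        log.warn("genericWebServiceBaseUrl uses plain http; the bearer token will be sent unencrypted");
    }
    return baseUrl.endsWith("/") ? baseUrl : baseUrl + "/";
}

void closeQuietly(Closeable c) {
    if (c != null) {
        try {
            c.close();
        } catch (IOException ignored) {
            // the connection is being torn down anyway; nothing left to do
        }
    }
}

// Send a JSON request and return its HTTP status, or -1 when the request could not
// be completed at all. The Authorization header value is deliberately never logged.
int sendJson(HttpEntityEnclosingRequestBase request, String authToken, String body, String what) {
    CloseableHttpClient client = null;
    CloseableHttpResponse response = null;
    try {
        request.addHeader("Accept", "*/*");
        request.addHeader("Authorization", authToken);
        request.addHeader("Content-Type", "application/json");
        // Explicit UTF-8: StringEntity(String) defaults to ISO-8859-1 and would mangle
        // non-ASCII group names. Content-Length is derived from the encoded bytes, which
        // the listing's body.length() (a char count) got wrong for the same names.
        request.setEntity(new StringEntity(body, "UTF-8"));
        RequestConfig config = RequestConfig.custom()
                .setConnectTimeout(HTTP_TIMEOUT_MS)
                .setSocketTimeout(HTTP_TIMEOUT_MS)
                .build();
        client = HttpClientBuilder.create().setDefaultRequestConfig(config).build();
        response = client.execute(request);
        int status = response.getStatusLine().getStatusCode();
        HttpEntity entity = response.getEntity();
        if (status >= 200 && status < 300) {
            log.info(what + " returned HTTP " + status);
            EntityUtils.consume(entity);
        } else {
            // Surface the target's error body: a silent 4xx/5xx was indistinguishable
            // from success in the listing, which only printed the status code.
            String detail = (entity == null) ? "" : EntityUtils.toString(entity, "UTF-8");
            log.error(what + " returned HTTP " + status + ": " + detail);
        }
        return status;
    } catch (Exception e) {
        // Pass the exception itself so the stack trace is kept, not just e.toString().
        log.error("Error in executing " + what + "! " + e.toString(), e);
        return -1;
    } finally {
        closeQuietly(response);
        closeQuietly(client);
    }
}

// "x".equalsIgnoreCase(type) is null-safe where type.equalsIgnoreCase("x") was not.
String type = accountGroup.getType();

if ("applications".equalsIgnoreCase(type)) {
    // An application is being aggregated: check whether its SP_<name> group already
    // exists in the IIQ db before touching the target system.
    String displayName = accountGroup.getDisplayableName();
    String groupName = "SP_" + displayName;

    QueryOptions ops = new QueryOptions();
    List filters = new ArrayList();
    filters.add(Filter.eq("displayName", groupName));
    filters.add(Filter.eq("application.name", groupApplication.getName()));
    ops.setRestrictions(filters);
    int count = context.countObjects(ManagedAttribute.class, ops);

    if (count > 0) {
        log.debug("A group " + groupName + " already exists!");
    } else if (isExcludedApplication(displayName)) {
        log.info("Not creating or assigning " + groupName + ": " + displayName + " is an excluded application");
    } else {
        String baseUrl = webServiceBaseUrl();
        String applicationId = accountGroup.getValue();
        if (baseUrl == null) {
            log.error("genericWebServiceBaseUrl is not set on application " + groupApplication.getName()
                    + "; cannot create " + groupName);
        } else if (Util.isNullOrEmpty(applicationId)) {
            log.error("Aggregated application " + displayName + " has no value; cannot assign " + groupName);
        } else {
            log.info("No group " + groupName + " exists, creating!");
            // Decrypt once; the token is only ever placed in the Authorization header.
            String authToken = "Bearer " + context.decrypt(groupApplication.getStringAttributeValue("accesstoken"));

            // 1. Create the SailPoint managed group on the target system.
            // NOTE(review): "isSynchronized" is sent as the string "false" while the group
            // branch below reads it back as a boolean -- confirm which form the API expects.
            String createBody = "{\n \"name\": \"" + jsonEscape(groupName)
                    + "\",\n \"description\": \"SailPoint managed group\",\n\"isSynchronized\": \"false\"\n}";
            int createStatus = sendJson(new HttpPost(baseUrl + "groups"), authToken, createBody,
                    "request to create SailPoint managed group");

            if (createStatus < 0) {
                log.error("Skipping assignment of " + groupName + " because the create request could not be completed");
            } else {
                // 2. Assign the group to the application. A non-2xx create status is deliberately
                // not fatal here: the listing also went on to the assignment, and the remote
                // group may already exist without IIQ knowing about it yet.
                // The application id becomes a path segment, so it is percent-encoded
                // ("+" rewritten to "%20" because URLEncoder targets form encoding).
                String assignUrl = baseUrl + "applications/"
                        + URLEncoder.encode(applicationId, "UTF-8").replace("+", "%20");
                String assignBody = "{\n \"assignment\" : {\n \"groups\" : [\"" + jsonEscape(groupName) + "\"]\n }\n}";
                sendJson(new HttpPatch(assignUrl), authToken, assignBody,
                        "request to assign new group to application");
            }
        }
    }
}

if ("group".equalsIgnoreCase(type)) {
    // obj is presumably the aggregated ResourceObject -- confirm against the rule
    // signature. Util.otob tolerates Boolean, "true"/"false" strings and null, whereas
    // assigning the raw attribute to a primitive boolean failed when it was absent or
    // arrived as a string.
    boolean synced = Util.otob(obj.getAttribute("isSynchronized"));
    if (synced) {
        log.debug("Setting " + accountGroup.getDisplayableName() + " to NON requestable");
    }
    accountGroup.setRequestable(!synced);
}

return accountGroup;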