Refresh Rules for Identity, Account Groups

  • 7011174
  • 30-Jan-2012
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

Refresh Rules for Identity, Account Groups

Resolution

Both the identity refresh and the account group aggregation tasks provide a "hidden" option (not exposed in the task UI; it is set as an attribute on the task definition) to run a rule on each object (identity or account group, respectively) as the task iterates over it.

For the "Refresh Identity Cube" task, the "Housekeeper" class calls methods of the "Identitizer" class on each identity to be refreshed. At the end of Access Governance Suite's refresh operation, or in the "finishRefresh" step of a configured workflow, the logic checks the task arguments for a "refreshRule" setting and runs the referenced rule with "environment" (the Map of task arguments) and "identity" as arguments, in addition to the standard rule arguments "context" and "log".
The rule's return value is not used; instead, any change made to the "identity" argument is persisted with the identity when the refresh commits it. Note that the rule runs under the task's context against every identity the task visits, so an unconditional change (such as the hard-coded email below) is applied to the whole refreshed population. This taskdef snippet and sample rule show how to set the email address:

<TaskDefinition ... name="myTaskRefreshIdentity" resultAction="Delete" type="Identity">
  <Attributes>
    <Map>
      <!-- name of the Rule object to run for each refreshed identity -->
      <entry key="refreshRule" value="myRuleRefreshIdentity"/>
...
    </Map>
  </Attributes>
...
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" ... name="Identity Refresh"/>
  </Parent>
</TaskDefinition>

<Rule language='beanshell' name='myRuleRefreshIdentity'>
  <Description>
This identity refreshRule is called to set the email string value
when creating new identity objects or refreshing existing identities.
  </Description>
  <Signature>
    <Inputs>
      <Argument name='environment'>
        <Description>
          "Map" of attributes (key-string, value-object pairs) from the task executor
        </Description>
      </Argument>
      <Argument name='identity'>
        <Description>
          Identity object being created/refreshed
        </Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source>
    <![CDATA[
        import sailpoint.object.Identity;

        // Placeholder value: every refreshed identity receives this address.
        // The modified "identity" argument is persisted by the task;
        // the return value itself is ignored.
        identity.setEmail("email.address@dummy.com");
        return identity;
    ]]>
  </Source>
</Rule>
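The sample above hard-codes one address for every identity. The following is an added example, not from the original article, showing how a refreshRule can use the "environment" argument to make the rule configurable and only fill in a missing address. It is the BeanShell body that goes inside the Rule's <Source><![CDATA[ ... ]]></Source>; the task attribute "emailDomain" (set in the same <Map> as "refreshRule") and the identity attribute "employeeId" are assumptions for illustration.

```java
// Added example (not from the original article): body of an identity refreshRule.
// Available arguments: context, log, environment (Map of task args), identity.
// The task attribute "emailDomain" and identity attribute "employeeId" are assumed.
import sailpoint.object.Identity;

// Read the domain from the task arguments so one rule serves several task definitions.
String domain = (String) environment.get("emailDomain");
if (domain == null || domain.trim().length() == 0) {
    log.warn("refreshRule: task argument 'emailDomain' not set, skipping " + identity.getName());
    return identity;
}

// Only fill in a missing address; never overwrite one that was aggregated or entered manually.
String current = identity.getEmail();
if (current != null && current.trim().length() > 0) {
    return identity;
}

// Derive the local part from an identity attribute; leave email empty if it is absent.
Object empId = identity.getAttribute("employeeId");
if (empId == null) {
    log.warn("refreshRule: no employeeId on " + identity.getName() + ", email left empty");
    return identity;
}

identity.setEmail(empId.toString().toLowerCase() + "@" + domain);
// The task ignores the return value; the modified identity is persisted with the refresh.
return identity;
```

The corresponding task definition carries `<entry key="emailDomain" value="example.com"/>` next to the "refreshRule" entry; the rule logs and leaves the identity untouched when the argument is missing rather than writing a malformed address.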


For the "Account Group Aggregation" task, the "ResourceIdentityScan" class calls the "Aggregator" class to process the application's groups. At the end of Access Governance Suite's refresh operation for each group, the logic checks the task arguments for an "accountGroupRefreshRule" setting and runs the referenced rule with "environment", "obj", "accountGroup" and "groupApplication" as arguments, in addition to the standard rule arguments "context" and "log".
The rule returns an AccountGroup object, normally the same one passed in as "accountGroup"; the returned object is what the aggregator creates or refreshes. This taskdef snippet and sample rule show how to set "spadmin" as the account group owner:

<TaskDefinition ... name="myTaskAggAcctGrp" resultAction="Delete" type="AccountGroupAggregation">
  <Attributes>
    <Map>
      <!-- name of the Rule object to run for each aggregated account group -->
      <entry key="accountGroupRefreshRule" value="myRuleRefreshAcctGrp"/>
...
    </Map>
  </Attributes>
...
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="297eb1dd33a351b50133a351fda2011e" name="Account Group Aggregation"/>
  </Parent>
</TaskDefinition>

<Rule language='beanshell' name='myRuleRefreshAcctGrp'>
  <Description>
This account group refreshRule is called to set the owner to "spadmin"
when creating new account group objects or refreshing existing account groups.
  </Description>
  <Signature>
    <Inputs>
      <Argument name='environment'>
        <Description>
          "Map" of attributes (key-string, value-object pairs) from the task executor
        </Description>
      </Argument>
      <Argument name='obj'>
        <Description>
          "Group" ResourceObject returned from the connector
        </Description>
      </Argument>
      <Argument name='groupApplication'>
        <Description>
          Application where the group originated
        </Description>
      </Argument>
      <Argument name='accountGroup'>
        <Description>
          AccountGroup object being created/refreshed
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name='accountGroup'>
        <Description>
          The updated AccountGroup object to create/refresh
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
    <![CDATA[
        import sailpoint.object.Identity;

        // Look up the owner; getObject returns null if no such identity exists,
        // so guard against it rather than letting setOwner(null) or an NPE
        // fail the aggregation of every group.
        Identity admin = context.getObject(Identity.class, "spadmin");
        if (admin == null) {
            log.warn("myRuleRefreshAcctGrp: identity 'spadmin' not found, owner left unchanged for " + accountGroup.getName());
            return accountGroup;
        }

        accountGroup.setOwner(admin);
        return accountGroup;
    ]]>
  </Source>
</Rule>
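The sample above assigns the same owner to every group. The following is an added example, not from the original article, showing how an accountGroupRefreshRule can use the "obj" and "groupApplication" arguments to derive the owner from data the connector delivered, and fall back to a default only when no owner is set. It is the BeanShell body for the Rule's <Source> element; the group attribute "managedBy" (assumed to hold the administrator's account name on the source application) and the fallback owner "spadmin" are assumptions for illustration.

```java
// Added example (not from the original article): body of an accountGroupRefreshRule.
// Available arguments: context, log, environment, obj (ResourceObject from the
// connector), groupApplication (Application), accountGroup (AccountGroup).
// The "managedBy" group attribute and the "spadmin" fallback are assumed.
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;

String groupName = accountGroup.getName();
Identity owner = null;

// Prefer the administrator the source application reports for this group.
Object managedBy = (obj != null) ? obj.getAttribute("managedBy") : null;
if (managedBy != null) {
    // Find the account (Link) with that native identity on the group's own
    // application and take the identity it is correlated to. Require exactly
    // one match so an ambiguous account name never assigns a wrong owner.
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application", groupApplication));
    qo.addFilter(Filter.eq("nativeIdentity", managedBy.toString()));
    List links = context.getObjects(Link.class, qo);
    if (links != null && links.size() == 1) {
        owner = ((Link) links.get(0)).getIdentity();
    } else {
        log.warn("accountGroupRefreshRule: managedBy '" + managedBy + "' for group '"
                 + groupName + "' matched " + (links == null ? 0 : links.size())
                 + " accounts on " + groupApplication.getName());
    }
}

// Fall back to a default owner only when nothing is set yet, so an owner
// assigned manually in the UI survives later aggregations.
if (owner == null && accountGroup.getOwner() == null) {
    owner = context.getObjectByName(Identity.class, "spadmin");
    if (owner == null) {
        log.warn("accountGroupRefreshRule: default owner 'spadmin' not found for group '" + groupName + "'");
    }
}

if (owner != null) {
    accountGroup.setOwner(owner);
}
// The returned object is what the aggregator creates or refreshes.
return accountGroup;
```

Because the rule runs once per group for the whole aggregation, every failure path logs and returns the group unchanged instead of throwing; a single unresolvable owner should not abort the aggregation of the remaining groups.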