
Section 5 - 1

Section Five: Putting it all Together

Fundamentals of IdentityIQ Implementation


Training for SailPoint IdentityIQ Version 6.2

11305 Four Points Drive


Bldg 2, Suite 100
Austin, TX 78726
www.sailpoint.com

Copyright © 2014 SailPoint Technologies – All Rights Reserved – VERSION 6.2b



Contents
Section 5: Putting it all Together
  Exercise #1: Resolving Data Problems
    The Problem
    Research the Problem
    Analyze the Problem
    Investigate the Rule
    Code the Rule
  BuildMap (excerpted from the whitepaper Rules in IdentityIQ)
    Description
    Definition and Storage Location
    Arguments
    Example


Section 5: Putting it all Together


Now that we’ve finished introducing new topics, this exercise focuses on using IdentityIQ
comprehensively. In this exercise we will research and resolve a data problem identified during
user acceptance testing.

This exercise starts with a problem discovered in LifeCycle Manager and walks through the
following steps to resolution:

• Research the problem to understand what we are trying to fix
• Analyze the problem to decide how to approach the resolution
• Investigate the rule that was selected during the analysis phase
• Code and test the rule
• Clean up, confirm, and finalize the fix

Note that the directions provide minimal guidance: they intentionally do not specify how or
where to perform the required actions.


Exercise #1: Resolving Data Problems


The Problem
During user acceptance testing, Amanda Ross reported a problem when using LifeCycle Manager to
request access for herself to the PayrollAnalysis entitlement on the Financials Application. When
requesting access, she searched on “Payroll”, and saw that there are two similar entitlements:
PayrollAnalysis and PayrollAnalyis. Only the PayrollAnalysis option should exist.

Your task is to debug and fix this problem, ensuring that the Financials Application data is correct.
Assume that no changes can be made outside of IdentityIQ. You can use the following outline to
guide you, or you can pursue the solution independently from the course book.

Research the Problem


1. Log in and confirm the problem with requesting the Payroll Analysis entitlement.

2. Investigate the definitions of the Payroll Analysis Entitlements.

a. How many members are listed for the PayrollAnalysis entitlement? _________________

b. Who is the member with the PayrollAnalyis entitlement? __________________________

3. View Richard Jackson’s Identity Cube.

a. List the Financials Application entitlements shown on Richard’s cube.

___________________________________________ ___________________________________________

___________________________________________ ___________________________________________

4. Investigate IdentityIQ and the Financials data. Why does Richard Jackson have the
PayrollAnalyis Entitlement rather than the PayrollAnalysis Entitlement?

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________


Analyze the Problem


The data being aggregated for the Financials Application has a spelling error which causes an
additional incorrect entitlement (PayrollAnalyis) to be created for the Financials Application.

1. List two ways to fix this problem.

1) ______________________________________________________________________________________________________

2) ______________________________________________________________________________________________________

2. Note that you can reduce the visibility of this error by removing the Requestable option for
the PayrollAnalyis Entitlement. This does not fix the underlying problem. Thus, don’t use
this functionality to resolve this problem.

3. The best way to fix this error is to correct the Financials data and re-aggregate.
Unfortunately, you have been informed that the data feed cannot be altered. You will need
to change the erroneous data within IdentityIQ using a rule.

a. From the listed rules (all of which are available for delimited files), check the rules
that are most appropriate for correcting the data.

_____ Build Map Rule

_____ PreIterate Rule

_____ PostIterate Rule

_____ Map to ResourceObject Rule

_____ MergeMaps Rule

_____ Customization Rule

_____ Creation Rule

b. Circle the rule that you will use, and explain why you selected it.

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________


Investigate the Rule


Remember that rules are written using BeanShell (a Java scripting language that uses Java-like
syntax). To review, rule development consists of three steps:

• Figure out what you have to work with (input variables) - a.
  You can use println statements to see what values are being passed in each of the rule’s
  input variables.
• Figure out what you need to return (from signature) - b.
• Use API calls to get from a to b.

1. Consider the input variables for the rule that you selected.

a. List the input variables.

___________________________________________ ___________________________________________

___________________________________________ ___________________________________________

___________________________________________ ___________________________________________

___________________________________________ ___________________________________________

b. What is the rule expected to return?

_________________________________________________________________________________________________

2. What is the name of the field in the Financials data that holds the entitlement values?

_________________________________________________________________________________________________________

3. What does the rule need to do? Write the pseudo-code for the rule.

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________


4. The remainder of this exercise will use the BuildMap rule. If you selected a different rule,
you can choose to implement using the rule you selected or the BuildMap rule. For
reference, the BuildMap rule section from the whitepaper Rules in IdentityIQ is included at
the end of this exercise. If you choose to implement this fix using a different rule type than
the BuildMap rule, go to Compass and download the whitepaper to view the documentation
for the rule you selected.

a. In the documentation, read the rule description.

b. What is the name of the class that needs to be imported to use the convenience
method provided with the BuildMap rule?

_________________________________________________________________________________________________

Code the Rule


In this section we will walk you through creation of the BeanShell code necessary to create this rule.
You can choose to use the provided code or to write your own.

1. Create the BuildMap rule for the Financials Application.

2. Use println statements to view the data that is being provided to you. Input the following
code:

import sailpoint.connector.DelimitedFileConnector;

// Build the default column-to-value map for the current record
Map map = DelimitedFileConnector.defaultBuildMap(cols, record);

String identity = (String)map.get("userName");
String entitlement = (String)map.get("groupmbr");

// Print the values passed in for each record
System.out.println("identity: " + identity + ", entitlement: " + entitlement);

return map;

3. Aggregate the data and view the output.

a. Who is the last identity in your output? ____________________________________________

b. Find the output for Richard Jackson and confirm that he has the PayrollAnalyis
entitlement.


4. To your rule, add the following code shown in bold (the if/else block, which replaces the
single println statement from step 2):

import sailpoint.connector.DelimitedFileConnector;

Map map = DelimitedFileConnector.defaultBuildMap(cols, record);

String identity = (String)map.get("userName");
String entitlement = (String)map.get("groupmbr");

// Rewrite the misspelled entitlement before the map is returned
if ("PayrollAnalyis".equals(entitlement)) {
    map.put("groupmbr", "PayrollAnalysis");
    System.out.print("***identity: " + identity + ", ");
    System.out.println("Changed PayrollAnalyis to PayrollAnalysis");
} else {
    System.out.println("identity: " + identity + ", entitlement: " + entitlement);
}

return map;

5. Aggregate the data, and Refresh only identities with accounts on the Financials Application.

a. Remember, entitlements are not fully promoted to the Identity Cube until a refresh
is performed. If you were to run a certification between the aggregation and the
refresh, which entitlement would be provided for certification? (Circle your answer)

PayrollAnalysis PayrollAnalyis

6. Verify and complete the fix.

a. Confirm that Richard Jackson has the PayrollAnalysis entitlement.

b. Confirm that no one has the PayrollAnalyis entitlement.

c. Clean up the entitlements. Remove the misspelled entitlement.

7. Verify that the fix resolved the original problem: when requesting access and searching on
“Payroll”, only one entitlement should be returned: PayrollAnalysis.

This concludes Section 5.


BuildMap (excerpted from the whitepaper Rules in IdentityIQ)


Description
A BuildMap rule applies only to applications of type DelimitedFile. It is run for each row of data as it is
read in from a connector. A BuildMap rule is used to manipulate the raw input data (provided via the
rows and columns in the file) and build a map out of the incoming data.

If no BuildMap rule is specified, the default behavior is to traverse the column list (from the file header
record or Columns list) and the parsed record, assigning each record element to the columns in order
and inserting those pairs into a map. For example:

Columns: Name, ID, Phone
Record:  John Doe, 1a3d3f, 555-555-1212
Map:     Name, John Doe; ID, 1a3d3f; Phone, 555-555-1212

A convenience method is available to BuildMap rules that performs this default behavior. The remainder
of the rule can then make modifications to the map. The convenience method is:

DelimitedFileConnector.defaultBuildMap(cols, record);

The rule must import the sailpoint.connector.DelimitedFileConnector class to use this method.

NOTE: Because this rule is run for each record in the input file, it can have a noticeable effect on
performance if it contains time-intensive operations. Where possible, complicated lookups should be
done in the PreIterate rule, with the results stored in CustomGlobal for use by the BuildMap rule; the
global data should be removed by the PostIterate rule.

Definition and Storage Location


This rule is associated with an application in the UI on the Attributes tab when defining an
application of type DelimitedFile.

Define -> Application -> Application Type: DelimitedFile -> Attributes -> Connector Rules
section -> Build Map Rule

The rule name is recorded in the attributes map of the application XML.

<entry key="buildMapRule" value="[BuildMap Rule Name]"/>

Arguments
Inputs (in addition to the defaults):

Argument      Type                          Purpose
application   sailpoint.object.Application  A reference to the Application object.
schema        sailpoint.object.Schema       A reference to the Schema object for the Delimited File source being read.
state         java.util.Map                 A Map that can be used to store and share data between executions of this rule during a single aggregation run
record        java.util.List                An ordered list of the values for the current record (parsed based on the specified delimiter)
cols          java.util.List                An ordered list of the column names from the file’s header record or specified Columns list

Outputs:

Argument      Type                          Purpose
map           java.util.Map                 Map of names/values representing a row of data from the delimited file resource.

Example
This example BuildMap rule first invokes the default logic to create a map based on the defined columns
and the record’s values. It then manipulates targets and rights into direct permission objects by joining
the map’s target and rights values into a single direct permission value which is added to the map. The
original target and rights are then removed from the map.

import sailpoint.connector.DelimitedFileConnector;
import sailpoint.object.Permission;

// Execute default build map logic
Map map = DelimitedFileConnector.defaultBuildMap(cols, record);

String strTarget = (String) map.get("target");
String strRights = (String) map.get("rights");

// Manipulate Target and Rights into Permissions
if ( strTarget != null && strRights != null ) {
    Permission perm = new Permission();
    perm.setRights(strRights);
    // probably need some annotations for these
    perm.setAnnotation("Annotation For Target: " + strTarget);
    perm.setTarget(strTarget);
    permList = new ArrayList();
    permList.add(perm);
    map.remove("target");
    map.remove("rights");
    map.put("directPermissions", permList);
}

return map;
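
The following is an added example, not part of the SailPoint courseware or whitepaper: plain Java that generalizes the exercise's single-value fix into a correction table kept in the state map described under Arguments, and counts the rewrites made during a run. The local defaultBuildMap is a stand-in for the convenience method so the code runs outside IdentityIQ; the state keys entitlementFixes and fixCount and the sample rows are assumptions.

```java
import java.util.*;

public class BuildMapCorrectionDemo {
    // Stand-in (assumption) for DelimitedFileConnector.defaultBuildMap(cols, record):
    // pairs each column name with the record value at the same position.
    static Map<String, Object> defaultBuildMap(List<String> cols, List<String> record) {
        Map<String, Object> map = new HashMap<>();
        for (int i = 0; i < cols.size() && i < record.size(); i++) {
            map.put(cols.get(i), record.get(i));
        }
        return map;
    }

    // Rule logic: same inputs a BuildMap rule receives (cols, record, state).
    @SuppressWarnings("unchecked")
    static Map<String, Object> buildMap(List<String> cols, List<String> record,
                                        Map<String, Object> state) {
        Map<String, Object> map = defaultBuildMap(cols, record);
        // Build the correction table on the first record and share it through state.
        Map<String, String> fixes = (Map<String, String>) state.get("entitlementFixes");
        if (fixes == null) {
            fixes = new HashMap<>();
            fixes.put("PayrollAnalyis", "PayrollAnalysis"); // misspelling from the exercise
            state.put("entitlementFixes", fixes);
            state.put("fixCount", 0);
        }
        String entitlement = (String) map.get("groupmbr");
        if (fixes.containsKey(entitlement)) {
            map.put("groupmbr", fixes.get(entitlement));
            state.put("fixCount", (Integer) state.get("fixCount") + 1);
            // Log every rewrite so the change to the source data stays visible.
            System.out.println("***identity: " + map.get("userName") + ", changed "
                    + entitlement + " to " + map.get("groupmbr"));
        }
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample rows; the user names are made up for this example.
        List<String> cols = Arrays.asList("userName", "groupmbr");
        List<List<String>> rows = Arrays.asList(
                Arrays.asList("rjackson", "PayrollAnalyis"),
                Arrays.asList("aross", "PayrollAnalysis"));
        Map<String, Object> state = new HashMap<>();
        for (List<String> row : rows) {
            System.out.println(buildMap(cols, row, state));
        }
        System.out.println("corrected rows: " + state.get("fixCount"));
    }
}
```

Inside IdentityIQ only the body of buildMap would go into the rule, with the stand-in replaced by the real convenience method.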
