Package com.identityworksllc.iiq.common

Class AccountUtilities

    • Constructor Detail

      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c)
        Constructor
        Parameters:
        c - The current SailPointContext

      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c,
                        ProvisioningUtilities provisioningUtilities)
        Constructor allowing you to pass a new ProvisioningUtilities
        Parameters:
        c - The context
        provisioningUtilities - A pre-existing provisioning utilities

    • Method Detail

      • fixResourceObjectIdentity

        public static void fixResourceObjectIdentity​(sailpoint.object.ResourceObject resourceObject,
                                             sailpoint.object.Application application)
        Fixes the Identity of the given Resource Object
        Parameters:
        resourceObject - The ResourceObject input to modify
        application - The Application that the ResourceObject belongs to

      • aggregateAccount

        public Map<String,​ObjectaggregateAccount​(Map<String,​Object> optionsMap)
                                          throws sailpoint.tools.GeneralException
        Aggregates the account, given the options as a Map.

        The Map will be decoded into an AccountUtilities.AggregateOptions object.

        The return value will also be a Map.

        This simplified interface is intended for situations where this class is only available via reflection, such as a third-party plugin.

        Parameters:
        optionsMap - The options map
        Returns:
        The AggregationOutcome, serialized to a Map via Jackson
        Throws:
        sailpoint.tools.GeneralException - on any errors

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(AccountUtilities.AggregateOptions options)
                                    throws sailpoint.tools.GeneralException
        Executes an aggregation according to the given options.

        This may be invoked directly or via one of the many overloaded shortcut methods.

        Parameters:
        options - The aggregation options
        Returns:
        An AggregationOutcome object, with various
        Throws:
        sailpoint.tools.GeneralException - if any aggregation failures occur

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(sailpoint.object.Application appObject,
                                           sailpoint.connector.Connector appConnector,
                                           sailpoint.object.ResourceObject resource,
                                           boolean refreshIdentity,
                                           Map<String,​Object> aggregateArguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given ResourceObject into IIQ as though it was pulled in via an aggregation task
        Parameters:
        appObject - The application objet
        appConnector - The connector object
        resource - The ResourceObject, either pulled from the Connector or constructed
        refreshIdentity - If true, refresh the Identity after aggregation
        aggregateArguments - Any additional parameters to add to the aggregator
        Returns:
        The aggrgation outcomes
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           Map<String,​Object> resource,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given the Map as the resource object data
        Parameters:
        application - The application name
        resource - The data representing the account fields
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        arguments - Any optional arguments to pass to the Aggregator
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity,
                                           boolean forceAggregate,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        forceAggregate - If true, we may override what Sailpoint tells us about the features of certain applications
        arguments - Any optional arguments to pass to the Aggregator
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • backgroundAggregateAccount

        public void backgroundAggregateAccount​(sailpoint.object.Identity targetIdentity,
                                       sailpoint.object.Application application,
                                       sailpoint.object.ResourceObject ro)
                                throws sailpoint.tools.GeneralException
        Aggregates the given account in the background via the Aggregate Request request type.

        Uses a slightly future event date to fire the request asynchronously.

        Parameters:
        targetIdentity - The target identity
        application - The application from which the account is being aggregated
        ro - The resource object to process asynchronously
        Throws:
        sailpoint.tools.GeneralException - on failures

      • createAccount

        public void createAccount​(sailpoint.object.Identity user,
                          String applicationName,
                          Map<String,​Object> map)
                   throws sailpoint.tools.GeneralException
        Creates the given account
        Parameters:
        user - The user to add the account to
        applicationName - The application name
        map - The account data
        Throws:
        sailpoint.tools.GeneralException - If any failures occur

      • disable

        public void disable​(sailpoint.object.Link target)
             throws sailpoint.tools.GeneralException
        Disables the given account in the target system
        Parameters:
        target - The target to disable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • doJDBCConnectorHack

        public sailpoint.object.ResourceObject doJDBCConnectorHack​(sailpoint.object.Application application,
                                                           String nativeIdentity)
                                                    throws sailpoint.tools.GeneralException,
                                                           sailpoint.connector.ConnectorException
        Retrieves a single record from a JDBC application, simulating a properly working getObject().

        The JDBC connector has a bug where the Connection object is not passed to a BuildMap rule following a getObject(). This method works around the bug by calling iterateObjects() instead after swapping out the getObjectSQL and SQL parameters.

        NOTE: This is no longer necessary as of 8.2, as this bug has been fixed.

        TODO this does NOT work where a stored procedure is used.

        Parameters:
        application - The application to swap SQL and getObjectSQL
        nativeIdentity - The native identity to query
        Returns:
        The queried ResourceObject
        Throws:
        sailpoint.tools.GeneralException - on failures to work with the Application
        sailpoint.connector.ConnectorException - on failures to work with the Connector

      • doServiceNowConnectorHack

        public sailpoint.object.ResourceObject doServiceNowConnectorHack​(String field,
                                                                 String id,
                                                                 sailpoint.object.Application appObject,
                                                                 boolean skipGroups)
                                                          throws sailpoint.tools.GeneralException,
                                                                 sailpoint.connector.ConnectorException
        Retrieves a single account from the ServiceNow connector.

        The ServiceNow connector does not respect all of the connector options for single-account (getObject) aggregation. This means that you end up with a weird subset of fields. We need to do a “big” aggregation with the connector filtered to a single account.

        Parameters:
        field - The field to query
        id - The value for that field (usually a sys_id)
        appObject - The Application
        skipGroups - If true, groups and roles will not be cached (or queried)
        Returns:
        The resulting ResourceObject from the query
        Throws:
        sailpoint.tools.GeneralException - If any failures occur
        sailpoint.connector.ConnectorException - If any connector failures occur

      • enable

        public void enable​(sailpoint.object.Link target)
            throws sailpoint.tools.GeneralException
        Enables the given account in the target system
        Parameters:
        target - The target to enable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • fixLinkSearchableAttributes

        public void fixLinkSearchableAttributes​(sailpoint.object.Link theLink)
                                 throws sailpoint.tools.GeneralException
        Invokes the Identitizer to refresh the searchable Link attributes
        Parameters:
        theLink - The link to refresh
        Throws:
        sailpoint.tools.GeneralException - if anything fails

      • heuristicMaskSecretAttributes

        public void heuristicMaskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level, and also any attributes that look like they might be secrets based on a set of likely substrings.

        The list of tokens to check heuristically is stored in likelyPasswordTokens.

        Parameters:
        attributes - The attribute map to modify

      • isAssignedByRole

        public boolean isAssignedByRole​(sailpoint.api.SailPointContext context,
                                sailpoint.object.Link account,
                                String attribute,
                                String entitlementName)
                         throws sailpoint.tools.GeneralException
        Returns true if the given entitlement is assigned by a role.

        This will first check the IdentityEntitlement metadata on the Identity and, failing that, laboriously search through assigned and detected role metadata.

        NOTE: Why not just use IdentityEntitlements? Because they’re a delayed indicator. They are populated via specific refresh and aggregation flags and so may not be up to date when you need this result.

        Parameters:
        context - A Sailpoint context
        account - The account to check
        attribute - The account attribute to examine
        entitlementName - The account attribute value to examine
        Returns:
        True if the entitlement is associated with an assigned role
        Throws:
        sailpoint.tools.GeneralException - if any failures occur

      • maskSecretAttributes

        public void maskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level
        Parameters:
        attributes - The attribute map to modify