Package com.identityworksllc.iiq.common

Class AccountUtilities

  • public class AccountUtilities
extends AbstractBaseUtility
    This class contains several utilities for dealing with accounts and applications.

    In particular, the aggregateAccount(AggregateOptions) method is provided to simplify the process of aggregating a single account (either pulling it from the connector by name, or constructing an instance yourself) into IIQ. There are several overloaded versions of this method for convenience.

    As a core utility, this class is guaranteed to remain stable, except after a lengthy deprecation period. New functionality may be added, but existing functionality will not be removed or changed in a breaking way.

    • Constructor Detail

      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c)
        Constructor
        Parameters:
        c - The current SailPointContext

      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c,
                        ProvisioningUtilities provisioningUtilities)
        Constructor allowing you to pass a new ProvisioningUtilities
        Parameters:
        c - The context
        provisioningUtilities - A pre-existing provisioning utilities

    • Method Detail

      • fixResourceObjectIdentity

        public static void fixResourceObjectIdentity​(sailpoint.object.ResourceObject resourceObject,
                                             sailpoint.object.Application application)
        Fixes the Identity and display name of the given Resource Object by extracting it from the ResourceObject based on the identity field defined in the application.

        Connectors typically do this, but a manually constructed ResourceObject probably will not.

        Parameters:
        resourceObject - The ResourceObject input to modify
        application - The Application that the ResourceObject belongs to

      • aggregateAccount

        public Map<String,​ObjectaggregateAccount​(Map<String,​Object> optionsMap)
                                          throws sailpoint.tools.GeneralException
        Aggregates the account, given the options as a Map.

        The Map will be decoded into an AccountUtilities.AggregateOptions object.

        The return value will also be a Map.

        This simplified interface is intended for situations where this class is only available via reflection, such as a third-party plugin.

        Parameters:
        optionsMap - The options map
        Returns:
        The AggregationOutcome, serialized to a Map via Jackson
        Throws:
        sailpoint.tools.GeneralException - on any errors

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(AccountUtilities.AggregateOptions options)
                                    throws sailpoint.tools.GeneralException
        Executes an aggregation according to the given options.

        This may be invoked directly or via one of the many overloaded shortcut methods.

        Parameters:
        options - The aggregation options
        Returns:
        An AggregationOutcome object, with various
        Throws:
        sailpoint.tools.GeneralException - if any aggregation failures occur

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(sailpoint.object.Application appObject,
                                           sailpoint.connector.Connector appConnector,
                                           sailpoint.object.ResourceObject rObj,
                                           boolean refreshIdentity)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given ResourceObject into IIQ as though it was pulled in via an aggregation task.

        Identical to aggregateAccount(Application, Connector, ResourceObject, boolean, Map) with an empty Map for the final parameter.

        Parameters:
        appObject - The application objet
        appConnector - The connector object
        rObj - The ResourceObject, either pulled from the Connector yourself or constructed manually
        refreshIdentity - If true, refresh the Identity after aggregation
        Returns:
        The aggregation outcomes
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(sailpoint.object.Application appObject,
                                           sailpoint.connector.Connector appConnector,
                                           sailpoint.object.ResourceObject resource,
                                           boolean refreshIdentity,
                                           Map<String,​Object> aggregateArguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given ResourceObject into IIQ as though it was pulled in via an aggregation task
        Parameters:
        appObject - The application objet
        appConnector - The connector object
        resource - The ResourceObject, either pulled from the Connector or constructed
        refreshIdentity - If true, refresh the Identity after aggregation
        aggregateArguments - Any additional parameters to add to the aggregator
        Returns:
        The aggregation outcomes
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           Map<String,​Object> resource)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given the Map as the resource object data.

        Identical to aggregateAccount(String, Map, Map) with null for the final parameter.

        Parameters:
        application - The application name
        resource - The data representing the account fields
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           Map<String,​Object> resource,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given the Map as the resource object data.
        Parameters:
        application - The application name
        resource - The data representing the account fields
        arguments - Any arguments to pass to the Aggregator
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given the native identity and application name.

        Optionally, refresh the identity.

        Identical to aggregateAccount(String, String, boolean, boolean, Map) with false for the forceAggregate parameter and an empty Map for the final parameter.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined) unless forceAggregate is true.

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user.

        Identical to aggregateAccount(String, String, boolean, boolean, Map) with false for the forceAggregate parameter.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        arguments - Any optional arguments to pass to the Aggregator
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity,
                                           boolean forceAggregate)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user. If the forceAggregate option is true, the aggregation will be attempted even if the Application does not support random access (e.g., DelimitedFile).

        Identical to aggregateAccount(String, String, boolean, boolean, Map) with an empty Map for the final parameter.

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        forceAggregate - If true, we may override what Sailpoint tells us about the features of certain applications
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                           String id,
                                           boolean refreshIdentity,
                                           boolean forceAggregate,
                                           Map<String,​Object> arguments)
                                    throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity and application name.

        Additionally, optionally refresh the user.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined) unless forceAggregate is true.

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        forceAggregate - If true, we will attempt aggregation anyway, even if the application does not support random access
        arguments - Any optional arguments to pass to the Aggregator
        Returns:
        The aggregation outcome
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • aggregateAccounts

        public Map<sailpoint.tools.Pair<String,​String>,​AggregationOutcomeaggregateAccounts​(AccountUtilities.MultipleAggregateOptions options)
                                                                                          throws sailpoint.tools.GeneralException
        Aggregates a list of individual accounts belonging to an Identity according to the options provided.

        This allows you to “resync” an Identity’s entire set of existing links in a single operation.

        In the output Map, the key is a Pair with the first element being the application name and the second element being the native identity. The Map value is the AggregationOutcome corresponding to that aggregation.

        If a list of accounts is supplied, it will be used. Otherwise, all accounts on the Identity will be aggregated, subject to the accountFilter if one is provided.

        The four-argument version of aggregateAccount() is used to perform each individual aggregation: #aggregateAccount(String, String, boolean, Map).

        The aggregation option correlateOnly will always be set to true.

        Parameters:
        options - The options, specifying which Identity and accounts to aggregate
        Returns:
        The outcomes of the aggregations
        Throws:
        sailpoint.tools.GeneralException - if any failures occur

      • backgroundAggregateAccount

        public void backgroundAggregateAccount​(sailpoint.object.Identity targetIdentity,
                                       sailpoint.object.Application application,
                                       sailpoint.object.ResourceObject ro)
                                throws sailpoint.tools.GeneralException
        Aggregates the given account in the background via the Aggregate Request request type.

        Uses a slightly future event date to fire the request asynchronously.

        Parameters:
        targetIdentity - The target identity
        application - The application from which the account is being aggregated
        ro - The resource object to process asynchronously
        Throws:
        sailpoint.tools.GeneralException - on failures

      • createAccount

        public void createAccount​(sailpoint.object.Identity user,
                          String applicationName,
                          Map<String,​Object> map)
                   throws sailpoint.tools.GeneralException
        Creates the given account
        Parameters:
        user - The user to add the account to
        applicationName - The application name
        map - The account data
        Throws:
        sailpoint.tools.GeneralException - If any failures occur

      • disable

        public void disable​(sailpoint.object.Link target)
             throws sailpoint.tools.GeneralException
        Disables the given account in the target system
        Parameters:
        target - The target to disable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • doJDBCConnectorHack

        public sailpoint.object.ResourceObject doJDBCConnectorHack​(sailpoint.object.Application application,
                                                           String nativeIdentity)
                                                    throws sailpoint.tools.GeneralException,
                                                           sailpoint.connector.ConnectorException
        Retrieves a single record from a JDBC application, simulating a properly working getObject().

        The JDBC connector has a bug where the Connection object is not passed to a BuildMap rule following a getObject(). This method works around the bug by calling iterateObjects() instead after swapping out the getObjectSQL and SQL parameters.

        NOTE: This is no longer necessary as of 8.2, as this bug has been fixed.

        TODO this does NOT work where a stored procedure is used.

        Parameters:
        application - The application to swap SQL and getObjectSQL
        nativeIdentity - The native identity to query
        Returns:
        The queried ResourceObject
        Throws:
        sailpoint.tools.GeneralException - on failures to work with the Application
        sailpoint.connector.ConnectorException - on failures to work with the Connector

      • doServiceNowConnectorHack

        public sailpoint.object.ResourceObject doServiceNowConnectorHack​(String field,
                                                                 String id,
                                                                 sailpoint.object.Application appObject,
                                                                 boolean skipGroups)
                                                          throws sailpoint.tools.GeneralException,
                                                                 sailpoint.connector.ConnectorException
        Retrieves a single account from the ServiceNow connector.

        The ServiceNow connector does not respect all of the connector options for single-account (getObject) aggregation. This means that you end up with a weird subset of fields. We need to do a “big” aggregation with the connector filtered to a single account.

        Parameters:
        field - The field to query
        id - The value for that field (usually a sys_id)
        appObject - The Application
        skipGroups - If true, groups and roles will not be cached (or queried)
        Returns:
        The resulting ResourceObject from the query
        Throws:
        sailpoint.tools.GeneralException - If any failures occur
        sailpoint.connector.ConnectorException - If any connector failures occur

      • enable

        public void enable​(sailpoint.object.Link target)
            throws sailpoint.tools.GeneralException
        Enables the given account in the target system
        Parameters:
        target - The target to enable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs

      • fixLinkSearchableAttributes

        public void fixLinkSearchableAttributes​(sailpoint.object.Link theLink)
                                 throws sailpoint.tools.GeneralException
        Invokes the Identitizer to refresh the searchable Link attributes
        Parameters:
        theLink - The link to refresh
        Throws:
        sailpoint.tools.GeneralException - if anything fails

      • heuristicMaskSecretAttributes

        public void heuristicMaskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level, and also any attributes that look like they might be secrets based on a set of likely substrings.

        The list of tokens to check heuristically is stored in likelyPasswordTokens.

        Parameters:
        attributes - The attribute map to modify

      • isAssignedByRole

        public boolean isAssignedByRole​(sailpoint.api.SailPointContext context,
                                sailpoint.object.Link account,
                                String attribute,
                                String entitlementName)
                         throws sailpoint.tools.GeneralException
        Returns true if the given entitlement is assigned by a role.

        This will first check the IdentityEntitlement metadata on the Identity and, failing that, laboriously search through assigned and detected role metadata.

        NOTE: Why not just use IdentityEntitlements? Because they’re a delayed indicator. They are populated via specific refresh and aggregation flags and so may not be up to date when you need this result.

        Parameters:
        context - A Sailpoint context
        account - The account to check
        attribute - The account attribute to examine
        entitlementName - The account attribute value to examine
        Returns:
        True if the entitlement is associated with an assigned role
        Throws:
        sailpoint.tools.GeneralException - if any failures occur

      • maskSecretAttributes

        public void maskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level
        Parameters:
        attributes - The attribute map to modify