Class AccountUtilities

    • Constructor Detail

      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c)
        Constructor
        Parameters:
        c - The current SailPointContext
      • AccountUtilities

        public AccountUtilities​(sailpoint.api.SailPointContext c,
                                ProvisioningUtilities provisioningUtilities)
        Constructor allowing you to pass a new ProvisioningUtilities
        Parameters:
        c - The context
        provisioningUtilities - A pre-existing provisioning utilities
    • Method Detail

      • fixResourceObjectIdentity

        public static void fixResourceObjectIdentity​(sailpoint.object.ResourceObject resourceObject,
                                                     sailpoint.object.Application application)
        Fixes the Identity of the given Resource Object
        Parameters:
        resourceObject - The ResourceObject input to modify
        application - The Application that the ResourceObject belongs to
      • aggregateAccount

        public Map<String,​ObjectaggregateAccount​(Map<String,​Object> optionsMap)
                                                  throws sailpoint.tools.GeneralException
        Aggregates the account, given the options as a Map.

        The Map will be decoded into an AccountUtilities.AggregateOptions object.

        The return value will also be a Map.

        This simplified interface is intended for situations where this class is only available via reflection, such as a third-party plugin.

        Parameters:
        optionsMap - The options map
        Returns:
        The AggregationOutcome, serialized to a Map via Jackson
        Throws:
        sailpoint.tools.GeneralException - on any errors
      • aggregateAccount

        public AggregationOutcome aggregateAccount​(AccountUtilities.AggregateOptions options)
                                            throws sailpoint.tools.GeneralException
        Executes an aggregation according to the given options.

        This may be invoked directly or via one of the many overloaded shortcut methods.

        Parameters:
        options - The aggregation options
        Returns:
        An AggregationOutcome object, with various
        Throws:
        sailpoint.tools.GeneralException - if any aggregation failures occur
      • aggregateAccount

        public AggregationOutcome aggregateAccount​(sailpoint.object.Application appObject,
                                                   sailpoint.connector.Connector appConnector,
                                                   sailpoint.object.ResourceObject resource,
                                                   boolean refreshIdentity,
                                                   Map<String,​Object> aggregateArguments)
                                            throws sailpoint.tools.GeneralException
        Aggregates the given ResourceObject into IIQ as though it was pulled in via an aggregation task
        Parameters:
        appObject - The application objet
        appConnector - The connector object
        resource - The ResourceObject, either pulled from the Connector or constructed
        refreshIdentity - If true, refresh the Identity after aggregation
        aggregateArguments - Any additional parameters to add to the aggregator
        Returns:
        The aggrgation outcomes
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                                   Map<String,​Object> resource,
                                                   Map<String,​Object> arguments)
                                            throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given the Map as the resource object data
        Parameters:
        application - The application name
        resource - The data representing the account fields
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                                   String id,
                                                   boolean refreshIdentity,
                                                   Map<String,​Object> arguments)
                                            throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        arguments - Any optional arguments to pass to the Aggregator
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • aggregateAccount

        public AggregationOutcome aggregateAccount​(String application,
                                                   String id,
                                                   boolean refreshIdentity,
                                                   boolean forceAggregate,
                                                   Map<String,​Object> arguments)
                                            throws sailpoint.tools.GeneralException
        Aggregates the given account information into IIQ, given only a nativeIdentity.

        Additionally, optionally refresh the user.

        The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).

        Parameters:
        application - The application name to check
        id - The native identity on the target system
        refreshIdentity - If true, the identity will be refreshed after aggregation
        forceAggregate - If true, we may override what Sailpoint tells us about the features of certain applications
        arguments - Any optional arguments to pass to the Aggregator
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • backgroundAggregateAccount

        public void backgroundAggregateAccount​(sailpoint.object.Identity targetIdentity,
                                               sailpoint.object.Application application,
                                               sailpoint.object.ResourceObject ro)
                                        throws sailpoint.tools.GeneralException
        Aggregates the given account in the background via the Aggregate Request request type.

        Uses a slightly future event date to fire the request asynchronously.

        Parameters:
        targetIdentity - The target identity
        application - The application from which the account is being aggregated
        ro - The resource object to process asynchronously
        Throws:
        sailpoint.tools.GeneralException - on failures
      • createAccount

        public void createAccount​(sailpoint.object.Identity user,
                                  String applicationName,
                                  Map<String,​Object> map)
                           throws sailpoint.tools.GeneralException
        Creates the given account
        Parameters:
        user - The user to add the account to
        applicationName - The application name
        map - The account data
        Throws:
        sailpoint.tools.GeneralException - If any failures occur
      • disable

        public void disable​(sailpoint.object.Link target)
                     throws sailpoint.tools.GeneralException
        Disables the given account in the target system
        Parameters:
        target - The target to disable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • doJDBCConnectorHack

        public sailpoint.object.ResourceObject doJDBCConnectorHack​(sailpoint.object.Application application,
                                                                   String nativeIdentity)
                                                            throws sailpoint.tools.GeneralException,
                                                                   sailpoint.connector.ConnectorException
        Retrieves a single record from a JDBC application, simulating a properly working getObject().

        The JDBC connector has a bug where the Connection object is not passed to a BuildMap rule following a getObject(). This method works around the bug by calling iterateObjects() instead after swapping out the getObjectSQL and SQL parameters.

        NOTE: This is no longer necessary as of 8.2, as this bug has been fixed.

        TODO this does NOT work where a stored procedure is used.

        Parameters:
        application - The application to swap SQL and getObjectSQL
        nativeIdentity - The native identity to query
        Returns:
        The queried ResourceObject
        Throws:
        sailpoint.tools.GeneralException - on failures to work with the Application
        sailpoint.connector.ConnectorException - on failures to work with the Connector
      • doServiceNowConnectorHack

        public sailpoint.object.ResourceObject doServiceNowConnectorHack​(String field,
                                                                         String id,
                                                                         sailpoint.object.Application appObject,
                                                                         boolean skipGroups)
                                                                  throws sailpoint.tools.GeneralException,
                                                                         sailpoint.connector.ConnectorException
        Retrieves a single account from the ServiceNow connector.

        The ServiceNow connector does not respect all of the connector options for single-account (getObject) aggregation. This means that you end up with a weird subset of fields. We need to do a “big” aggregation with the connector filtered to a single account.

        Parameters:
        field - The field to query
        id - The value for that field (usually a sys_id)
        appObject - The Application
        skipGroups - If true, groups and roles will not be cached (or queried)
        Returns:
        The resulting ResourceObject from the query
        Throws:
        sailpoint.tools.GeneralException - If any failures occur
        sailpoint.connector.ConnectorException - If any connector failures occur
      • enable

        public void enable​(sailpoint.object.Link target)
                    throws sailpoint.tools.GeneralException
        Enables the given account in the target system
        Parameters:
        target - The target to enable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failure occurs
      • fixLinkSearchableAttributes

        public void fixLinkSearchableAttributes​(sailpoint.object.Link theLink)
                                         throws sailpoint.tools.GeneralException
        Invokes the Identitizer to refresh the searchable Link attributes
        Parameters:
        theLink - The link to refresh
        Throws:
        sailpoint.tools.GeneralException - if anything fails
      • heuristicMaskSecretAttributes

        public void heuristicMaskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level, and also any attributes that look like they might be secrets based on a set of likely substrings.

        The list of tokens to check heuristically is stored in likelyPasswordTokens.

        Parameters:
        attributes - The attribute map to modify
      • isAssignedByRole

        public boolean isAssignedByRole​(sailpoint.api.SailPointContext context,
                                        sailpoint.object.Link account,
                                        String attribute,
                                        String entitlementName)
                                 throws sailpoint.tools.GeneralException
        Returns true if the given entitlement is assigned by a role.

        This will first check the IdentityEntitlement metadata on the Identity and, failing that, laboriously search through assigned and detected role metadata.

        NOTE: Why not just use IdentityEntitlements? Because they’re a delayed indicator. They are populated via specific refresh and aggregation flags and so may not be up to date when you need this result.

        Parameters:
        context - A Sailpoint context
        account - The account to check
        attribute - The account attribute to examine
        entitlementName - The account attribute value to examine
        Returns:
        True if the entitlement is associated with an assigned role
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • maskSecretAttributes

        public void maskSecretAttributes​(Map<String,​Object> attributes)
        Mask any attributes flagged as secret attributes at the ProvisioningPlan level
        Parameters:
        attributes - The attribute map to modify