Class AccountUtilities
- java.lang.Object
-
- com.identityworksllc.iiq.common.AbstractBaseUtility
-
- com.identityworksllc.iiq.common.AccountUtilities
-
public class AccountUtilities extends AbstractBaseUtility
This class contains several utilities for dealing with accounts and applications
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
AccountUtilities.AggregateOptions
The options class foraggregateAccount(AggregateOptions)
, allowing expansion of the inputs without having to break backwards compatibility.
-
Field Summary
-
Fields inherited from class com.identityworksllc.iiq.common.AbstractBaseUtility
context, debug, log
-
-
Constructor Summary
Constructors Constructor Description AccountUtilities(sailpoint.api.SailPointContext c)
ConstructorAccountUtilities(sailpoint.api.SailPointContext c, ProvisioningUtilities provisioningUtilities)
Constructor allowing you to pass a new ProvisioningUtilities
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description AggregationOutcome
aggregateAccount(AccountUtilities.AggregateOptions options)
Executes an aggregation according to the given options.AggregationOutcome
aggregateAccount(String application, String id, boolean refreshIdentity)
AggregationOutcome
aggregateAccount(String application, String id, boolean refreshIdentity, boolean forceAggregate)
AggregationOutcome
aggregateAccount(String application, String id, boolean refreshIdentity, boolean forceAggregate, Map<String,Object> arguments)
Aggregates the given account information into IIQ, given only a nativeIdentity.AggregationOutcome
aggregateAccount(String application, String id, boolean refreshIdentity, Map<String,Object> arguments)
Aggregates the given account information into IIQ, given only a nativeIdentity.AggregationOutcome
aggregateAccount(String application, Map<String,Object> resource)
AggregationOutcome
aggregateAccount(String application, Map<String,Object> resource, Map<String,Object> arguments)
Aggregates the given account information into IIQ, given the Map as the resource object dataMap<String,Object>
aggregateAccount(Map<String,Object> optionsMap)
Aggregates the account, given the options as a Map.AggregationOutcome
aggregateAccount(sailpoint.object.Application appObject, sailpoint.connector.Connector appConnector, sailpoint.object.ResourceObject rObj, boolean refreshIdentity)
AggregationOutcome
aggregateAccount(sailpoint.object.Application appObject, sailpoint.connector.Connector appConnector, sailpoint.object.ResourceObject resource, boolean refreshIdentity, Map<String,Object> aggregateArguments)
Aggregates the givenResourceObject
into IIQ as though it was pulled in via an aggregation taskvoid
backgroundAggregateAccount(sailpoint.object.Identity targetIdentity, sailpoint.object.Application application, sailpoint.object.ResourceObject ro)
Aggregates the given account in the background via the Aggregate Request request type.void
createAccount(sailpoint.object.Identity user, String applicationName, Map<String,Object> map)
Creates the given accountvoid
disable(sailpoint.object.Link target)
Disables the given account in the target systemsailpoint.object.ResourceObject
doJDBCConnectorHack(sailpoint.object.Application application, String nativeIdentity)
Retrieves a single record from a JDBC application, simulating a properly working getObject().sailpoint.object.ResourceObject
doServiceNowConnectorHack(String field, String id, sailpoint.object.Application appObject, boolean skipGroups)
Retrieves a single account from the ServiceNow connector.void
enable(sailpoint.object.Link target)
Enables the given account in the target systemvoid
fixLinkSearchableAttributes(sailpoint.object.Link theLink)
Invokes the Identitizer to refresh the searchable Link attributesstatic void
fixResourceObjectIdentity(sailpoint.object.ResourceObject resourceObject, sailpoint.object.Application application)
Fixes the Identity of the given Resource ObjectProvisioningUtilities
getProvisioningUtilities()
Gets the provisioning utilities object associated with this AccountUtilities for modification.void
heuristicMaskSecretAttributes(Map<String,Object> attributes)
Mask any attributes flagged as secret attributes at the ProvisioningPlan level, and also any attributes that look like they might be secrets based on a set of likely substrings.boolean
isAssignedByRole(sailpoint.api.SailPointContext context, sailpoint.object.Link account, String attribute, String entitlementName)
Returns true if the given entitlement is assigned by a role.void
maskSecretAttributes(Map<String,Object> attributes)
Mask any attributes flagged as secret attributes at the ProvisioningPlan level-
Methods inherited from class com.identityworksllc.iiq.common.AbstractBaseUtility
inject, isDebug, setDebug
-
-
-
-
Constructor Detail
-
AccountUtilities
public AccountUtilities(sailpoint.api.SailPointContext c)
Constructor- Parameters:
c
- The current SailPointContext
-
AccountUtilities
public AccountUtilities(sailpoint.api.SailPointContext c, ProvisioningUtilities provisioningUtilities)
Constructor allowing you to pass a new ProvisioningUtilities- Parameters:
c
- The contextprovisioningUtilities
- A pre-existing provisioning utilities
-
-
Method Detail
-
fixResourceObjectIdentity
public static void fixResourceObjectIdentity(sailpoint.object.ResourceObject resourceObject, sailpoint.object.Application application)
Fixes the Identity of the given Resource Object- Parameters:
resourceObject
- The ResourceObject input to modifyapplication
- The Application that the ResourceObject belongs to
-
aggregateAccount
public Map<String,Object> aggregateAccount(Map<String,Object> optionsMap) throws sailpoint.tools.GeneralException
Aggregates the account, given the options as a Map.The Map will be decoded into an
AccountUtilities.AggregateOptions
object.The return value will also be a Map.
This simplified interface is intended for situations where this class is only available via reflection, such as a third-party plugin.
- Parameters:
optionsMap
- The options map- Returns:
- The
AggregationOutcome
, serialized to a Map via Jackson - Throws:
sailpoint.tools.GeneralException
- on any errors
-
aggregateAccount
public AggregationOutcome aggregateAccount(AccountUtilities.AggregateOptions options) throws sailpoint.tools.GeneralException
Executes an aggregation according to the given options.This may be invoked directly or via one of the many overloaded shortcut methods.
- Parameters:
options
- The aggregation options- Returns:
- An AggregationOutcome object, with various
- Throws:
sailpoint.tools.GeneralException
- if any aggregation failures occur
-
aggregateAccount
public AggregationOutcome aggregateAccount(sailpoint.object.Application appObject, sailpoint.connector.Connector appConnector, sailpoint.object.ResourceObject rObj, boolean refreshIdentity) throws sailpoint.tools.GeneralException
- Throws:
sailpoint.tools.GeneralException
- See Also:
aggregateAccount(Application, Connector, ResourceObject, boolean, Map)
-
aggregateAccount
public AggregationOutcome aggregateAccount(sailpoint.object.Application appObject, sailpoint.connector.Connector appConnector, sailpoint.object.ResourceObject resource, boolean refreshIdentity, Map<String,Object> aggregateArguments) throws sailpoint.tools.GeneralException
Aggregates the givenResourceObject
into IIQ as though it was pulled in via an aggregation task- Parameters:
appObject
- The application objetappConnector
- The connector objectresource
- The ResourceObject, either pulled from the Connector or constructedrefreshIdentity
- If true, refresh the Identity after aggregationaggregateArguments
- Any additional parameters to add to the aggregator- Returns:
- The aggrgation outcomes
- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, Map<String,Object> resource) throws sailpoint.tools.GeneralException
- Throws:
sailpoint.tools.GeneralException
- See Also:
aggregateAccount(String, Map, Map)
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, Map<String,Object> resource, Map<String,Object> arguments) throws sailpoint.tools.GeneralException
Aggregates the given account information into IIQ, given the Map as the resource object data- Parameters:
application
- The application nameresource
- The data representing the account fields- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, String id, boolean refreshIdentity) throws sailpoint.tools.GeneralException
- Throws:
sailpoint.tools.GeneralException
- See Also:
aggregateAccount(String, String, boolean, Map)
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, String id, boolean refreshIdentity, Map<String,Object> arguments) throws sailpoint.tools.GeneralException
Aggregates the given account information into IIQ, given only a nativeIdentity.Additionally, optionally refresh the user.
The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).
- Parameters:
application
- The application name to checkid
- The native identity on the target systemrefreshIdentity
- If true, the identity will be refreshed after aggregationarguments
- Any optional arguments to pass to the Aggregator- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, String id, boolean refreshIdentity, boolean forceAggregate) throws sailpoint.tools.GeneralException
- Throws:
sailpoint.tools.GeneralException
- See Also:
aggregateAccount(String, String, boolean, boolean, Map)
-
aggregateAccount
public AggregationOutcome aggregateAccount(String application, String id, boolean refreshIdentity, boolean forceAggregate, Map<String,Object> arguments) throws sailpoint.tools.GeneralException
Aggregates the given account information into IIQ, given only a nativeIdentity.Additionally, optionally refresh the user.
The Application in question must support the “random access” feature (i.e. it must not have the NO_RANDOM_ACCESS flag defined).
- Parameters:
application
- The application name to checkid
- The native identity on the target systemrefreshIdentity
- If true, the identity will be refreshed after aggregationforceAggregate
- If true, we may override what Sailpoint tells us about the features of certain applicationsarguments
- Any optional arguments to pass to the Aggregator- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
backgroundAggregateAccount
public void backgroundAggregateAccount(sailpoint.object.Identity targetIdentity, sailpoint.object.Application application, sailpoint.object.ResourceObject ro) throws sailpoint.tools.GeneralException
Aggregates the given account in the background via the Aggregate Request request type.Uses a slightly future event date to fire the request asynchronously.
- Parameters:
targetIdentity
- The target identityapplication
- The application from which the account is being aggregatedro
- The resource object to process asynchronously- Throws:
sailpoint.tools.GeneralException
- on failures
-
createAccount
public void createAccount(sailpoint.object.Identity user, String applicationName, Map<String,Object> map) throws sailpoint.tools.GeneralException
Creates the given account- Parameters:
user
- The user to add the account toapplicationName
- The application namemap
- The account data- Throws:
sailpoint.tools.GeneralException
- If any failures occur
-
disable
public void disable(sailpoint.object.Link target) throws sailpoint.tools.GeneralException
Disables the given account in the target system- Parameters:
target
- The target to disable- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
doJDBCConnectorHack
public sailpoint.object.ResourceObject doJDBCConnectorHack(sailpoint.object.Application application, String nativeIdentity) throws sailpoint.tools.GeneralException, sailpoint.connector.ConnectorException
Retrieves a single record from a JDBC application, simulating a properly working getObject().The JDBC connector has a bug where the Connection object is not passed to a BuildMap rule following a getObject(). This method works around the bug by calling iterateObjects() instead after swapping out the getObjectSQL and SQL parameters.
NOTE: This is no longer necessary as of 8.2, as this bug has been fixed.
TODO this does NOT work where a stored procedure is used.
- Parameters:
application
- The application to swap SQL and getObjectSQLnativeIdentity
- The native identity to query- Returns:
- The queried ResourceObject
- Throws:
sailpoint.tools.GeneralException
- on failures to work with the Applicationsailpoint.connector.ConnectorException
- on failures to work with the Connector
-
doServiceNowConnectorHack
public sailpoint.object.ResourceObject doServiceNowConnectorHack(String field, String id, sailpoint.object.Application appObject, boolean skipGroups) throws sailpoint.tools.GeneralException, sailpoint.connector.ConnectorException
Retrieves a single account from the ServiceNow connector.The ServiceNow connector does not respect all of the connector options for single-account (getObject) aggregation. This means that you end up with a weird subset of fields. We need to do a “big” aggregation with the connector filtered to a single account.
- Parameters:
field
- The field to queryid
- The value for that field (usually a sys_id)appObject
- The ApplicationskipGroups
- If true, groups and roles will not be cached (or queried)- Returns:
- The resulting ResourceObject from the query
- Throws:
sailpoint.tools.GeneralException
- If any failures occursailpoint.connector.ConnectorException
- If any connector failures occur
-
enable
public void enable(sailpoint.object.Link target) throws sailpoint.tools.GeneralException
Enables the given account in the target system- Parameters:
target
- The target to enable- Throws:
sailpoint.tools.GeneralException
- if any IIQ failure occurs
-
fixLinkSearchableAttributes
public void fixLinkSearchableAttributes(sailpoint.object.Link theLink) throws sailpoint.tools.GeneralException
Invokes the Identitizer to refresh the searchable Link attributes- Parameters:
theLink
- The link to refresh- Throws:
sailpoint.tools.GeneralException
- if anything fails
-
getProvisioningUtilities
public ProvisioningUtilities getProvisioningUtilities()
Gets the provisioning utilities object associated with this AccountUtilities for modification.- Returns:
- The ProvisioningUtilities
-
heuristicMaskSecretAttributes
public void heuristicMaskSecretAttributes(Map<String,Object> attributes)
Mask any attributes flagged as secret attributes at the ProvisioningPlan level, and also any attributes that look like they might be secrets based on a set of likely substrings.The list of tokens to check heuristically is stored in
likelyPasswordTokens
.- Parameters:
attributes
- The attribute map to modify
-
isAssignedByRole
public boolean isAssignedByRole(sailpoint.api.SailPointContext context, sailpoint.object.Link account, String attribute, String entitlementName) throws sailpoint.tools.GeneralException
Returns true if the given entitlement is assigned by a role.This will first check the IdentityEntitlement metadata on the Identity and, failing that, laboriously search through assigned and detected role metadata.
NOTE: Why not just use IdentityEntitlements? Because they’re a delayed indicator. They are populated via specific refresh and aggregation flags and so may not be up to date when you need this result.
- Parameters:
context
- A Sailpoint contextaccount
- The account to checkattribute
- The account attribute to examineentitlementName
- The account attribute value to examine- Returns:
- True if the entitlement is associated with an assigned role
- Throws:
sailpoint.tools.GeneralException
- if any failures occur
-
maskSecretAttributes
public void maskSecretAttributes(Map<String,Object> attributes)
Mask any attributes flagged as secret attributes at the ProvisioningPlan level- Parameters:
attributes
- The attribute map to modify
-
-