Class ProvisioningUtilities

    • Constructor Summary

      Constructors 
      Constructor Description
      ProvisioningUtilities​(sailpoint.api.SailPointContext c)
      Constructs a workflow-based Provisioning Utilities that will use the default LCM Provisioning workflow for all operations.
      ProvisioningUtilities​(sailpoint.api.SailPointContext c, boolean useWorkflow)
      Constructs a Provisioning Utilities that will optionally directly forward provisioning operations to the Provisioner.
      ProvisioningUtilities​(sailpoint.api.SailPointContext context, ProvisioningArguments arguments)  
      ProvisioningUtilities​(sailpoint.api.SailPointContext c, String provisioningWorkflowName)
      Constructs a workflow-based Provisioning Utilities that will use the given workflow instead of the default
      ProvisioningUtilities​(sailpoint.api.SailPointContext c, String provisioningWorkflowName, boolean useWorkflow)
      Constructs a Provisioning Utilities that will optionally directly forward provisioning operations to the Provisioner, or else will use the given provisioning workflow
      ProvisioningUtilities​(sailpoint.api.SailPointContext context, Map<String,​Object> arguments)  
    • Method Summary

      Modifier and Type Method Description
      void addEntitlement​(String identityName, sailpoint.object.Link account, String attribute, String value, boolean withApproval)
      Adds the given entitlement to the given account on the user
      void addEntitlement​(String identityName, sailpoint.object.Link account, sailpoint.object.ManagedAttribute entitlement, boolean withApproval)
      Adds the given entitlement to the given account on the user
      void addPlanArgument​(String argument, Object value)
      Adds an argument to the ProvisioningPlan that will eventually be constructed on a call to doProvisioning(ProvisioningPlan)
      void addUserRole​(String identityName, String roleName)
      Adds the given user to the given role
      void addUserRole​(String identityName, String roleName, boolean withApproval)
      Adds the given user to the given role
      void addUserRole​(String identityName, String roleName, boolean withApproval, String accountName)
      Adds the given user to the given role, guessing the target account by name.
      void addUserRole​(String identityName, String roleName, boolean withApproval, Map<String,​sailpoint.object.Link> targets)
      Adds the given user to the given role, associating it statically with the given target accounts (or new accounts if none are specified).
      static void addUserRolePlan​(sailpoint.api.SailPointContext context, String identityName, String roleName, Map<String,​sailpoint.object.Link> targets, sailpoint.object.ProvisioningPlan provisioningPlan)
      Modifies the plan to add the given user to the given role, associating it statically with the given target accounts (or new accounts if none are specified).
      void addWorkflowArgument​(String argument, Object value)
      Adds an argument to the workflow or Provisioner that will be used in a call to doProvisioning(ProvisioningPlan).
      void deleteAccount​(sailpoint.object.Link link)
      Deletes the given account by submitting a Delete request to IIQ
      void disableAccount​(sailpoint.object.Link link)
      Disables the given account by submitting a Disable request to IIQ
      void disableAccount​(sailpoint.object.Link link, boolean doRefresh)
      Disables the given account by submitting a Disable request to IIQ
      void disableAccounts​(sailpoint.object.Identity identity)
      Submits a single request to disable all accounts on the Identity that are not already disabled.
      void disableAccounts​(sailpoint.object.Identity identity, Predicate<sailpoint.object.Link> onlyThese)
      Submits a single request to disable all accounts on the Identity that are not already disabled.
      void disableAccounts​(sailpoint.object.Identity identity, List<String> onlyThese)
      Submits a single request to disable all accounts on the Identity that are not already disabled.
      void disableAccounts​(sailpoint.object.Identity identity, sailpoint.object.Filter onlyThese)
      Submits a single request to disable all accounts on the Identity that are not already disabled.
      sailpoint.object.ProvisioningProject doProvisioning​(String identityName, sailpoint.object.ProvisioningPlan plan)
      Submits a provisioning plan using the configured defaults.
      sailpoint.object.ProvisioningProject doProvisioning​(String identityName, sailpoint.object.ProvisioningPlan plan, boolean doRefresh)
      Submits a provisioning plan using the configured defaults and optionally does a refresh.
      sailpoint.object.ProvisioningProject doProvisioning​(String identityName, sailpoint.object.ProvisioningPlan plan, boolean doRefresh, Map<String,​Object> extraParameters)
      Submits a provisioning plan using the configured defaults and optionally does a refresh.
      sailpoint.object.ProvisioningProject doProvisioning​(sailpoint.object.ProvisioningPlan plan)
      Submits a provisioning plan using the configured defaults.
      sailpoint.object.ProvisioningProject doProvisioning​(sailpoint.object.ProvisioningPlan plan, boolean doRefresh, Map<String,​Object> extraParameters)
      Submits a provisioning plan using the configured defaults and optionally does a refresh.
      void enableAccount​(sailpoint.object.Link link)
      Enables the given account by submitting an Enable provisioning action to IIQ
      sailpoint.object.Identity findIdentity​(String identityName)
      Finds the identity first by name and then by ID.
      sailpoint.object.ProvisioningProject forceRetry​(sailpoint.object.ProvisioningTransaction pt, boolean createToModify)
      Force retry on the given transaction.
      static sailpoint.object.Attributes<String,​Object> getArguments​(sailpoint.object.ProvisioningPlan plan)
      Gets the arguments for the given plan, creating one if needed
      static sailpoint.object.Attributes<String,​Object> getArguments​(sailpoint.object.ProvisioningPlan.AbstractRequest request)
      Gets the arguments for the given request, creating one if needed
      String getCaseName​(String identityName)
      Builds the case name based on the template provided
      String getCaseNameTemplate()  
      String getExternalTicketId()  
      static sailpoint.object.ProvisioningPlan.AccountRequest getIIQAccountRequest​(sailpoint.object.ProvisioningPlan plan)
      Gets the IIQ account request from the given plan, creating one if needed
      static Object getLatestValue​(sailpoint.api.SailPointContext context, sailpoint.object.ProvisioningPlan.AccountRequest req, String name)
      Intended to be used in a pre or post-provision rule, this method will return the given attribute from the AccountRequest if present and otherwise will return it from the Link.
      static Object getLatestValue​(sailpoint.object.Link account, sailpoint.object.ProvisioningPlan.AccountRequest req, String name)
      Intended to be used in a pre or post-provision rule, this method will return the given attribute from the AccountRequest if present and otherwise will return it from the Link
      static sailpoint.object.Link getLinkFromRequest​(sailpoint.api.SailPointContext context, sailpoint.object.ProvisioningPlan.AccountRequest request)
      Retrieves the Link that is associated with the given AccountRequest, or returns null if no link can be found.
      String getProvisioningWorkflow()  
      boolean isErrorOnAccountSelection()  
      boolean isErrorOnManualTask()  
      boolean isErrorOnNewAccount()  
      boolean isErrorOnProvisioningForms()  
      boolean isUseWorkflow()  
      static sailpoint.object.ProvisioningPlan linkMovePlan​(sailpoint.object.Link theLinkToMove, sailpoint.object.Identity targetIdentity, sailpoint.object.ProvisioningPlan existingPlan)
      Creates an AttributeRequest to move the given Link to the given target Identity, either modifying the provided plan or creating a new one.
      void moveLinks​(sailpoint.object.Identity targetOwner, sailpoint.object.Link... accounts)
      Moves the given target account(s) to the given target owner
      void removeAllAccess​(sailpoint.object.Identity identity)
      Removes all entitlements and assigned roles from the given Identity
      void removeAllEntitlements​(sailpoint.object.Identity identity, sailpoint.object.Application target)
      Removes all entitlements from all accounts of the given type on the given user
      void removeAllEntitlements​(sailpoint.object.Identity identity, sailpoint.object.Application target, sailpoint.object.ProvisioningPlan plan)
      Modifies the plan to add entitlement removal requests for all entitlements on accounts of the given type
      void removeAllEntitlements​(sailpoint.object.Link account, String attribute, sailpoint.object.ProvisioningPlan plan)
      Modifies the plan to remove all values from the given attribute on the given account.
      void removeEntitlement​(String identityName, sailpoint.object.Link account, sailpoint.object.ManagedAttribute entitlement, boolean withApproval)
      Removes the given entitlement from the given account on the user
      void removeUserRole​(String identityName, String roleName)
      Removes the given role from the given user
      void removeUserRole​(String identityName, String roleName, boolean withApproval)
      Removes the given role from the given user
      void removeUserRole​(String identityName, String roleName, boolean withApproval, boolean revoke)
      Removes the given role from the given user
      void removeUserRole​(String identityName, String roleName, boolean withApproval, sailpoint.object.Link target)
      Removes the given user from the given role associated with the target provisioned account.
      void removeUserRole​(String identityName, sailpoint.object.RoleAssignment targetAssignment)
      Removes the given user from the given role
      void removeUserRole​(String identityName, sailpoint.object.RoleDetection targetDetection)
      Removes the given user from the given role.
      static void removeUserRolePlan​(String roleName, boolean revoke, sailpoint.object.ProvisioningPlan provisioningPlan)
      Modifies the plan to add a role removal request for the given role
      static sailpoint.object.AccountSelection roleTargetToAccountSelection​(sailpoint.object.RoleTarget target)
      Creates an AccountSelection object from the given account selection
      void setBeforeProvisioning​(Consumer<sailpoint.object.ProvisioningPlan> planConsumer)  
      void setCaseNameTemplate​(String caseNameTemplate)  
      void setErrorOnAccountSelection​(boolean errorOnAccountSelection)  
      void setErrorOnManualTask​(boolean errorOnManualTask)  
      void setErrorOnNewAccount​(boolean errorOnNewAccount)  
      void setErrorOnProvisioningForms​(boolean errorOnProvisioningForms)  
      void setExternalTicketId​(String externalTicketId)  
      void setLauncher​(String who)  
      void setProjectDebugger​(Consumer<sailpoint.object.ProvisioningProject> projectDebugger)  
      void setProvisioningArguments​(ProvisioningArguments config)
      Sets workflow configuration items all at once for this utility
      void setProvisioningWorkflow​(String provisioningWorkflow)  
      void setUseWorkflow​(boolean useWorkflow)  
      void setWorkflowDebugger​(Consumer<sailpoint.object.WorkflowLaunch> workflowDebugger)  
      sailpoint.object.Attributes<String,​Object> toMap()
      Transforms this object into a Map that can be passed to the constructor that takes a Map
      static sailpoint.object.ProvisioningTarget toProvisioningTarget​(sailpoint.api.SailPointContext context, sailpoint.object.Bundle role, String application, String nativeIdentity)
      Creates a Provisioning Target from the given application and nativeIdentity name
      static sailpoint.object.ProvisioningTarget toProvisioningTarget​(sailpoint.object.Bundle role, sailpoint.object.Link target)
      Creates a Provisioning Target from account
      void updateAccount​(sailpoint.object.Link link, Map<String,​Object> map)
      Updates the given link with the given values.
      void updateAccountRemove​(sailpoint.object.Link link, String attribute, Object value)
      Updates the given link by setting or adding the given values.
      void updateAccountSet​(sailpoint.object.Link link, String attribute, Object value)
      Updates the given link by setting or adding the given values.
      void updateUser​(sailpoint.object.Identity identity, String defaultOperation, Map<String,​Object> params)
      Updates the given identity with the given values.
      void updateUser​(sailpoint.object.Identity identity, String field, sailpoint.object.ProvisioningPlan.Operation operation, Object value)
      Updates the given user with the given field values
      void updateUser​(sailpoint.object.Identity identity, Map<String,​Object> params)
      Updates the given identity with the given values.
    • Constructor Detail

      • ProvisioningUtilities

        public ProvisioningUtilities​(sailpoint.api.SailPointContext c)
        Constructs a workflow-based Provisioning Utilities that will use the default LCM Provisioning workflow for all operations.
        Parameters:
        c - The SailPoint context
      • ProvisioningUtilities

        public ProvisioningUtilities​(sailpoint.api.SailPointContext context,
                                     Map<String,​Object> arguments)
                              throws sailpoint.tools.GeneralException
        Throws:
        sailpoint.tools.GeneralException
      • ProvisioningUtilities

        public ProvisioningUtilities​(sailpoint.api.SailPointContext c,
                                     boolean useWorkflow)
        Constructs a Provisioning Utilities that will optionally directly forward provisioning operations to the Provisioner.
        Parameters:
        c - The SailPoint context
        useWorkflow - If true, workflows will be bypassed and provisioning will be sent directly to the provisioner
      • ProvisioningUtilities

        public ProvisioningUtilities​(sailpoint.api.SailPointContext c,
                                     String provisioningWorkflowName)
        Constructs a workflow-based Provisioning Utilities that will use the given workflow instead of the default
        Parameters:
        c - The SailPoint context
        provisioningWorkflowName - The name of a provisioning workflow which should expect an ‘identityName’ and ‘plan’ attribute
      • ProvisioningUtilities

        public ProvisioningUtilities​(sailpoint.api.SailPointContext c,
                                     String provisioningWorkflowName,
                                     boolean useWorkflow)
        Constructs a Provisioning Utilities that will optionally directly forward provisioning operations to the Provisioner, or else will use the given provisioning workflow
        Parameters:
        c - The SailPoint context
        provisioningWorkflowName - The name of a provisioning workflow which should expect an ‘identityName’ and ‘plan’ attribute
        useWorkflow - If true, workflows will be bypassed and provisioning will be sent directly to the provisioner
    • Method Detail

      • addUserRolePlan

        public static void addUserRolePlan​(sailpoint.api.SailPointContext context,
                                           String identityName,
                                           String roleName,
                                           Map<String,​sailpoint.object.Link> targets,
                                           sailpoint.object.ProvisioningPlan provisioningPlan)
                                    throws sailpoint.tools.GeneralException
        Modifies the plan to add the given user to the given role, associating it statically with the given target accounts (or new accounts if none are specified).
        Parameters:
        context - the IIQ context
        identityName - The identity name to add to the given role
        roleName - The role to add
        targets - These Links will be used as a provisioning target for the plan. If a value is null, a new account create will be requested.
        provisioningPlan - The provisioning plan to modify
        Throws:
        sailpoint.tools.GeneralException - if a failure occurs while looking up required objects
      • getArguments

        public static sailpoint.object.Attributes<String,Object> getArguments(sailpoint.object.ProvisioningPlan plan)
        Gets the arguments for the given plan, creating one if needed
        Parameters:
        plan - The request
        Returns:
        The arguments for the plan
      • getArguments

        public static sailpoint.object.Attributes<String,Object> getArguments(sailpoint.object.ProvisioningPlan.AbstractRequest request)
        Gets the arguments for the given request, creating one if needed
        Parameters:
        request - The request
        Returns:
        The arguments for the request
      • getIIQAccountRequest

        public static sailpoint.object.ProvisioningPlan.AccountRequest getIIQAccountRequest​(sailpoint.object.ProvisioningPlan plan)
        Gets the IIQ account request from the given plan, creating one if needed
        Parameters:
        plan - The plan in question
        Returns:
        The IIQ account request
      • getLatestValue

        public static Object getLatestValue​(sailpoint.api.SailPointContext context,
                                            sailpoint.object.ProvisioningPlan.AccountRequest req,
                                            String name)
                                     throws sailpoint.tools.GeneralException
        Intended to be used in a pre or post-provision rule, this method will return the given attribute from the AccountRequest if present and otherwise will return it from the Link.

        The Link will be looked up based on the contents of the AccountRequest.

        Parameters:
        req - The AccountRequest modifying this Link
        name - The name of the attribute to return
        Returns:
        the attribute value
        Throws:
        sailpoint.tools.GeneralException - if a query failure occurs
      • getLatestValue

        public static Object getLatestValue​(sailpoint.object.Link account,
                                            sailpoint.object.ProvisioningPlan.AccountRequest req,
                                            String name)
        Intended to be used in a pre or post-provision rule, this method will return the given attribute from the AccountRequest if present and otherwise will return it from the Link
        Parameters:
        account - The Link being modified
        req - The AccountRequest modifying this Link
        name - The name of the attribute to return
        Returns:
        the attribute value
      • getLinkFromRequest

        public static sailpoint.object.Link getLinkFromRequest​(sailpoint.api.SailPointContext context,
                                                               sailpoint.object.ProvisioningPlan.AccountRequest request)
                                                        throws sailpoint.tools.GeneralException
        Retrieves the Link that is associated with the given AccountRequest, or returns null if no link can be found.

        The Application on the request must be set and accurate.

        On create, the outcome will always be null because the Link doesn’t exist until after the operation has completed.

        Parameters:
        request - The request to use to search
        Returns:
        the matching Link, or null if none can be found
        Throws:
        sailpoint.tools.GeneralException - if more than one matching Link is found
      • linkMovePlan

        public static sailpoint.object.ProvisioningPlan linkMovePlan​(sailpoint.object.Link theLinkToMove,
                                                                     sailpoint.object.Identity targetIdentity,
                                                                     sailpoint.object.ProvisioningPlan existingPlan)
                                                              throws sailpoint.tools.GeneralException
        Creates an AttributeRequest to move the given Link to the given target Identity, either modifying the provided plan or creating a new one.

        A move-account plan can be structured in either direction. It can be an “Add” plan that focuses on the destination Identity (allowing movement of accounts from more than one source) or a “Remove” plan that focuses on the source Identity (allowing movement of accounts to more than one target). You cannot mix these on a single plan.

        If the plan does not already contain a link move, it will be set up as an Add.

        This method will throw an exception if you pass an existing plan and its structure does not match the objects you pass in.

        Parameters:
        theLinkToMove - The link to move
        targetIdentity - The Identity to which the link should be moved
        existingPlan - The existing plan to modify, or null to create a new one
        Returns:
        The plan created or modified by this method
        Throws:
        sailpoint.tools.GeneralException - if any validation failures occur
      • removeUserRolePlan

        public static void removeUserRolePlan​(String roleName,
                                              boolean revoke,
                                              sailpoint.object.ProvisioningPlan provisioningPlan)
                                       throws sailpoint.tools.GeneralException
        Modifies the plan to add a role removal request for the given role
        Parameters:
        roleName - The role to remove from the identity
        revoke - If true, the role will be revoked and not removed
        provisioningPlan - The plan to add the role removal to
        Throws:
        sailpoint.tools.GeneralException - If a failure occurs
      • roleTargetToAccountSelection

        public static sailpoint.object.AccountSelection roleTargetToAccountSelection​(sailpoint.object.RoleTarget target)
        Creates an AccountSelection object from the given account selection
        Parameters:
        target - The target to transform
        Returns:
        An AccountSelection with the given RoleTarget parameters
      • toProvisioningTarget

        public static sailpoint.object.ProvisioningTarget toProvisioningTarget​(sailpoint.object.Bundle role,
                                                                               sailpoint.object.Link target)
        Creates a Provisioning Target from account
        Parameters:
        role - The role being provisioned
        target - The target account
        Returns:
        A ProvisioningTarget object for the given role / account combination
      • toProvisioningTarget

        public static sailpoint.object.ProvisioningTarget toProvisioningTarget​(sailpoint.api.SailPointContext context,
                                                                               sailpoint.object.Bundle role,
                                                                               String application,
                                                                               String nativeIdentity)
                                                                        throws sailpoint.tools.GeneralException
        Creates a Provisioning Target from the given application and nativeIdentity name
        Parameters:
        role - The role being provisioned
        application - The application to target
        nativeIdentity - The native identity to target
        Returns:
        A ProvisioningTarget object for the given role / account combination
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • addEntitlement

        public void addEntitlement​(String identityName,
                                   sailpoint.object.Link account,
                                   sailpoint.object.ManagedAttribute entitlement,
                                   boolean withApproval)
                            throws sailpoint.tools.GeneralException
        Adds the given entitlement to the given account on the user
        Parameters:
        identityName - The identity name
        account - The account to modify
        entitlement - The managed attribute from which to extract the entitlement
        withApproval - If false, approval will be skipped
        Throws:
        sailpoint.tools.GeneralException - if any failure occurs
      • addEntitlement

        public void addEntitlement​(String identityName,
                                   sailpoint.object.Link account,
                                   String attribute,
                                   String value,
                                   boolean withApproval)
                            throws sailpoint.tools.GeneralException
        Adds the given entitlement to the given account on the user
        Parameters:
        identityName - The identity name
        account - The account to modify
        attribute - The attribute to modify
        value - The value to add
        withApproval - If false, approval will be skipped
        Throws:
        sailpoint.tools.GeneralException - if any failure occurs
      • addPlanArgument

        public void addPlanArgument​(String argument,
                                    Object value)
        Adds an argument to the ProvisioningPlan that will eventually be constructed on a call to doProvisioning(ProvisioningPlan)
        Parameters:
        argument - The argument to add to the plan
        value - The value to add to the plan
      • addUserRole

        public void addUserRole​(String identityName,
                                String roleName,
                                boolean withApproval,
                                String accountName)
                         throws sailpoint.tools.GeneralException
        Adds the given user to the given role, guessing the target account by name.

        If the plan expands to more than one account selection question, this method will throw an exception.

        Parameters:
        identityName - The identity name to add to the given role
        roleName - The role to add
        withApproval - If true, default approval will be required
        accountName - The target account to locate
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • addUserRole

        public void addUserRole​(String identityName,
                                String roleName,
                                boolean withApproval,
                                Map<String,​sailpoint.object.Link> targets)
                         throws sailpoint.tools.GeneralException
        Adds the given user to the given role, associating it statically with the given target accounts (or new accounts if none are specified).

        If a target is not supplied for a given application that is provisioned by this role, the provisioning engine will automatically run any account selection rule followed by an attempt at heuristic guessing.

        Parameters:
        identityName - The identity name to add to the given role
        roleName - The role to add
        withApproval - If true, default approval will be required
        targets - These Links will be used as a provisioning target for the plan. If a value is null, a new account create will be requested.
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • addUserRole

        public void addUserRole​(String identityName,
                                String roleName)
                         throws sailpoint.tools.GeneralException
        Adds the given user to the given role
        Parameters:
        identityName - The identity name to add to the given role
        roleName - The role to add
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • addUserRole

        public void addUserRole​(String identityName,
                                String roleName,
                                boolean withApproval)
                         throws sailpoint.tools.GeneralException
        Adds the given user to the given role
        Parameters:
        identityName - The identity name to add to the given role
        roleName - The role to add
        withApproval - If true, default approval will be required
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • addWorkflowArgument

        public void addWorkflowArgument​(String argument,
                                        Object value)
        Adds an argument to the workflow or Provisioner that will be used in a call to doProvisioning(ProvisioningPlan).

        If the value provided is null, the key will be removed from the arguments.

        Parameters:
        argument - The argument to set the value for
        value - The value to set
      • deleteAccount

        public void deleteAccount​(sailpoint.object.Link link)
                           throws sailpoint.tools.GeneralException
        Deletes the given account by submitting a Delete request to IIQ
        Parameters:
        link - The Link to delete
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccount

        public void disableAccount​(sailpoint.object.Link link)
                            throws sailpoint.tools.GeneralException
        Disables the given account by submitting a Disable request to IIQ
        Parameters:
        link - The Link to disable
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccount

        public void disableAccount​(sailpoint.object.Link link,
                                   boolean doRefresh)
                            throws sailpoint.tools.GeneralException
        Disables the given account by submitting a Disable request to IIQ
        Parameters:
        link - The Link to disable
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccounts

        public void disableAccounts​(sailpoint.object.Identity identity)
                             throws sailpoint.tools.GeneralException
        Submits a single request to disable all accounts on the Identity that are not already disabled.
        Parameters:
        identity - Who to disable the accounts on
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccounts

        public void disableAccounts​(sailpoint.object.Identity identity,
                                    List<String> onlyThese)
                             throws sailpoint.tools.GeneralException
        Submits a single request to disable all accounts on the Identity that are not already disabled.
        Parameters:
        identity - Who to disable the accounts on
        onlyThese - Only applications in this list will be disabled
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccounts

        public void disableAccounts​(sailpoint.object.Identity identity,
                                    Predicate<sailpoint.object.Link> onlyThese)
                             throws sailpoint.tools.GeneralException
        Submits a single request to disable all accounts on the Identity that are not already disabled.
        Parameters:
        identity - Who to disable the accounts on
        onlyThese - Only Link objects where the Predicate returns true will be disabled
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • disableAccounts

        public void disableAccounts​(sailpoint.object.Identity identity,
                                    sailpoint.object.Filter onlyThese)
                             throws sailpoint.tools.GeneralException
        Submits a single request to disable all accounts on the Identity that are not already disabled.
        Parameters:
        identity - Who to disable the accounts on
        onlyThese - Only Link objects matching the filter will be disabled. This uses the HybridObjectMatcher, allowing fields like “application.name” in the filter.
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • doProvisioning

        public sailpoint.object.ProvisioningProject doProvisioning​(sailpoint.object.ProvisioningPlan plan)
                                                            throws sailpoint.tools.GeneralException
        Submits a provisioning plan using the configured defaults.

        This plan must have an Identity attached to it using setIdentity().

        Parameters:
        plan - The ProvisioningPlan to execute
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • doProvisioning

        public sailpoint.object.ProvisioningProject doProvisioning​(String identityName,
                                                                   sailpoint.object.ProvisioningPlan plan)
                                                            throws sailpoint.tools.GeneralException
        Submits a provisioning plan using the configured defaults.
        Parameters:
        identityName - If the plan does not already have an Identity configured, this one will be used.
        plan - The provisioning plan.
        Returns:
        The compiled provisioning project, post-provision
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • doProvisioning

        public sailpoint.object.ProvisioningProject doProvisioning​(String identityName,
                                                                   sailpoint.object.ProvisioningPlan plan,
                                                                   boolean doRefresh)
                                                            throws sailpoint.tools.GeneralException
        Submits a provisioning plan using the configured defaults and optionally does a refresh.
        Parameters:
        identityName - If the plan does not already have an Identity configured, this one will be used.
        plan - The provisioning plan
        doRefresh - If true, a refresh will be performed by the provisioning handler
        Returns:
        The compiled provisioning project, post-provision
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failures occur
      • doProvisioning

        public sailpoint.object.ProvisioningProject doProvisioning​(String identityName,
                                                                   sailpoint.object.ProvisioningPlan plan,
                                                                   boolean doRefresh,
                                                                   Map<String,​Object> extraParameters)
                                                            throws sailpoint.tools.GeneralException
        Submits a provisioning plan using the configured defaults and optionally does a refresh.

        Additionally, extra arguments to the workflow can be provided in a Map.

        Parameters:
        identityName - If the plan does not already have an Identity configured, this one will be used.
        plan - The provisioning plan
        doRefresh - If true, a refresh will be performed by the provisioning handler
        extraParameters - A Map containing workflow parameters that will be passed to the provisioning workflow or Provisioner
        Returns:
        The compiled provisioning project, post-provision
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failures occur
      • doProvisioning

        public sailpoint.object.ProvisioningProject doProvisioning​(sailpoint.object.ProvisioningPlan plan,
                                                                   boolean doRefresh,
                                                                   Map<String,​Object> extraParameters)
                                                            throws sailpoint.tools.GeneralException
        Submits a provisioning plan using the configured defaults and optionally does a refresh.

        Additionally, extra arguments to the workflow can be provided in a Map.

        Parameters:
        plan - The provisioning plan
        doRefresh - If true, a refresh will be performed by the provisioning handler
        extraParameters - A Map containing workflow parameters that will be passed to the provisioning workflow or Provisioner
        Throws:
        sailpoint.tools.GeneralException - if any IIQ failures occur
      • enableAccount

        public void enableAccount​(sailpoint.object.Link link)
                           throws sailpoint.tools.GeneralException
        Enables the given account by submitting an Enable provisioning action to IIQ
        Parameters:
        link - The Link to enable
        Throws:
        sailpoint.tools.GeneralException - if any IIQ errors occur
      • findIdentity

        public sailpoint.object.Identity findIdentity​(String identityName)
                                               throws sailpoint.tools.GeneralException
        Finds the identity first by name and then by ID.

        This is mainly here so that it can be overridden by customer-specific subclasses. Otherwise, it does the same thing as Resolver.getObject(Class, String).

        Parameters:
        identityName - The identity name to search for
        Returns:
        The Identity if found
        Throws:
        sailpoint.tools.GeneralException - if any errors occur
      • forceRetry

        public sailpoint.object.ProvisioningProject forceRetry​(sailpoint.object.ProvisioningTransaction pt,
                                                               boolean createToModify)
                                                        throws sailpoint.tools.GeneralException
        Force retry on the given transaction.

        There is an out-of-box API for doing this on transactions pending retry (to force them to run ‘right now’ rather than ‘later’), but there is none for doing this on failed transactions.

        Parameters:
        pt - The transaction to retry
        createToModify - If true, a Create operation will be transmuted to a Modify
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • getCaseName

        public String getCaseName​(String identityName)
        Builds the case name based on the template provided
        Parameters:
        identityName - The identity name passed to this case
        Returns:
        The case name generated
      • moveLinks

        public void moveLinks​(sailpoint.object.Identity targetOwner,
                              sailpoint.object.Link... accounts)
                       throws sailpoint.tools.GeneralException
        Moves the given target account(s) to the given target owner
        Parameters:
        targetOwner - The target owner for the given accounts
        accounts - One or more accounts to move to the new owner
        Throws:
        sailpoint.tools.GeneralException - if anything goes wrong during provisioning
      • removeAllAccess

        public void removeAllAccess​(sailpoint.object.Identity identity)
                             throws sailpoint.tools.GeneralException
        Removes all entitlements and assigned roles from the given Identity
        Parameters:
        identity - The identity from whom to strip access
        Throws:
        sailpoint.tools.GeneralException - if anything goes wrong during provisioning
      • removeAllEntitlements

        public void removeAllEntitlements​(sailpoint.object.Identity identity,
                                          sailpoint.object.Application target)
                                   throws sailpoint.tools.GeneralException
        Removes all entitlements from all accounts of the given type on the given user
        Parameters:
        identity - The identity to target
        target - The target application from which to remove entitlements
        Throws:
        sailpoint.tools.GeneralException - if a failure occurs
      • removeAllEntitlements

        public void removeAllEntitlements​(sailpoint.object.Identity identity,
                                          sailpoint.object.Application target,
                                          sailpoint.object.ProvisioningPlan plan)
                                   throws sailpoint.tools.GeneralException
        Modifies the plan to add entitlement removal requests for all entitlements on accounts of the given type
        Parameters:
        identity - The identity from which to extract the entitlements
        target - The target application
        plan - The provisioning plan
        Throws:
        sailpoint.tools.GeneralException - if any failures occur
      • removeAllEntitlements

        public void removeAllEntitlements​(sailpoint.object.Link account,
                                          String attribute,
                                          sailpoint.object.ProvisioningPlan plan)
        Modifies the plan to remove all values from the given attribute on the given account.
        Parameters:
        account - The account to modify
        attribute - The attribute to remove values from
        plan - The provisioning plan
      • removeEntitlement

        public void removeEntitlement​(String identityName,
                                      sailpoint.object.Link account,
                                      sailpoint.object.ManagedAttribute entitlement,
                                      boolean withApproval)
                               throws sailpoint.tools.GeneralException
        Removes the given entitlement from the given account on the user
        Parameters:
        identityName - The identity name
        account - The account to modify
        entitlement - The managed attribute from which to extract the entitlement
        withApproval - If false, approval will be skipped
        Throws:
        sailpoint.tools.GeneralException - if any failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   sailpoint.object.RoleAssignment targetAssignment)
                            throws sailpoint.tools.GeneralException
        Removes the given user from the given role
        Parameters:
        targetAssignment - The target existing RoleAssignment from an Identity
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   sailpoint.object.RoleDetection targetDetection)
                            throws sailpoint.tools.GeneralException
        Removes the given user from the given role.

        For a detected role, this will remove any entitlements provisioned by that role that are not required by another role assigned to the user.

        Parameters:
        identityName - The name of the Identity to modify
        targetDetection - The target existing RoleDetection from an Identity
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   String roleName,
                                   boolean withApproval,
                                   sailpoint.object.Link target)
                            throws sailpoint.tools.GeneralException
        Removes the given user from the given role associated with the target provisioned account.

        Note that the role may also be associated with a different account. This is used only to locate the RoleAssignment object for deprovisioning by assignment ID.

        Parameters:
        identityName - The identity name to remove from the given role
        roleName - The role to remove
        withApproval - If true, default approval will be required
        target - If not null, this will be used as a provisioning target for the plan
        Throws:
        sailpoint.tools.GeneralException - if a provisioning failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   String roleName)
                            throws sailpoint.tools.GeneralException
        Removes the given role from the given user
        Parameters:
        identityName - The identity to remove the role from
        roleName - The role to remove from the identity
        Throws:
        sailpoint.tools.GeneralException - If a failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   String roleName,
                                   boolean withApproval)
                            throws sailpoint.tools.GeneralException
        Removes the given role from the given user
        Parameters:
        identityName - The identity to remove the role from
        roleName - The role to remove from the identity
        withApproval - If true, a default approval will be required
        Throws:
        sailpoint.tools.GeneralException - If a failure occurs
      • removeUserRole

        public void removeUserRole​(String identityName,
                                   String roleName,
                                   boolean withApproval,
                                   boolean revoke)
                            throws sailpoint.tools.GeneralException
        Removes the given role from the given user
        Parameters:
        identityName - The identity to remove the role from
        roleName - The role to remove from the identity
        withApproval - If true, a default approval will be required
        revoke - If true, the role will be revoked and not removed
        Throws:
        sailpoint.tools.GeneralException - If a failure occurs
      • setUseWorkflow

        public void setUseWorkflow​(boolean useWorkflow)
      • toMap

        public sailpoint.object.Attributes<String,Object> toMap()
        Transforms this object into a Map that can be passed to the constructor that takes a Map
        Returns:
        The resulting map transformation
      • updateAccount

        public void updateAccount​(sailpoint.object.Link link,
                                  Map<String,​Object> map)
                           throws sailpoint.tools.GeneralException
        Updates the given link with the given values.

        Field names can also have the form “Operation:Name”, e.g. “Add:memberOf”, to specify an operation.

        Values ‘Set’ to a multi-value field will be transformed to ‘Add’ by default. You can override this using the colon syntax above, which will always take priority.

        Parameters:
        link - The Link to update
        map - The values to update (Set by default)
        Throws:
        sailpoint.tools.GeneralException - if any provisioning failures occur
      • updateAccountRemove

        public void updateAccountRemove​(sailpoint.object.Link link,
                                        String attribute,
                                        Object value)
                                 throws sailpoint.tools.GeneralException
        Updates the given link by setting or adding the given values.

        Multi-value attributes will be transformed to Set.

        Parameters:
        link - The Link to update
        attribute - The name of the attribute to either set or add
        value - The value(s) to set or add
        Throws:
        sailpoint.tools.GeneralException - if any provisioning failures occur
      • updateAccountSet

        public void updateAccountSet​(sailpoint.object.Link link,
                                     String attribute,
                                     Object value)
                              throws sailpoint.tools.GeneralException
        Updates the given link by setting or adding the given values.

        Multi-value attributes will be transformed to Set.

        Parameters:
        link - The Link to update
        attribute - The name of the attribute to either set or add
        value - The value(s) to set or add
        Throws:
        sailpoint.tools.GeneralException - if any provisioning failures occur
      • updateUser

        public void updateUser​(sailpoint.object.Identity identity,
                               Map<String,​Object> params)
                        throws sailpoint.tools.GeneralException
        Updates the given identity with the given values.

        Field names can also have the form “Operation:Name”, e.g. “Add:memberOf”, to specify an operation.

        Values ‘Set’ to a multi-value field will be transformed to ‘Add’ by default. You can override this using the colon syntax above, which will always take priority.

        Parameters:
        identity - The identity to modify
        params - The parameters to modify
        Throws:
        sailpoint.tools.GeneralException - if anything goes wrong
      • updateUser

        public void updateUser​(sailpoint.object.Identity identity,
                               String defaultOperation,
                               Map<String,​Object> params)
                        throws sailpoint.tools.GeneralException
        Updates the given identity with the given values.

        Field names can also have the form “Operation:Name”, e.g. “Add:memberOf”, to specify an operation.

        Values ‘Set’ to a multi-value field will be transformed to ‘Add’ by default. You can override this using the colon syntax above, which will always take priority.

        Parameters:
        identity - The identity to modify
        defaultOperation - The default operation to update with (Set, Add, Remove, etc) if one is not given
        params - The parameters to modify
        Throws:
        sailpoint.tools.GeneralException - if anything goes wrong
      • updateUser

        public void updateUser​(sailpoint.object.Identity identity,
                               String field,
                               sailpoint.object.ProvisioningPlan.Operation operation,
                               Object value)
                        throws sailpoint.tools.GeneralException
        Updates the given user with the given field values
        Parameters:
        identity - The identity in question
        field - The field to set
        operation - The operation to use
        value - The value to update
        Throws:
        sailpoint.tools.GeneralException - if any provisioning failures occur
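
A leaver-style deprovisioning sequence built from the disableAccounts, updateAccount and removeAllAccess methods documented above, showing the order a defender usually wants: cut off authentication first, then strip access. This is an added example, not code from the library or its authors; the class name, application names, group DN and the ProvisioningUtilities package import are assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.GeneralException;

// Assumption: the package is not shown on this page; adjust the import to your build.
import com.identityworksllc.iiq.common.ProvisioningUtilities;

/** Hypothetical leaver handler; all names here are constructed for the example. */
public class LeaverDeprovisioning {
    private static final String AD_APP = "Active Directory";
    // Applications whose accounts grant interactive or remote logon
    private static final Set<String> DISABLE_FIRST =
            new HashSet<>(Arrays.asList(AD_APP, "VPN"));

    public static void offboard(SailPointContext context, String identityName)
            throws GeneralException {
        // Single-argument constructor: every operation goes through the
        // default LCM Provisioning workflow
        ProvisioningUtilities utils = new ProvisioningUtilities(context);

        Identity identity = utils.findIdentity(identityName);
        if (identity == null) {
            throw new GeneralException("No such identity: " + identityName);
        }

        // 1. One request that disables only the selected accounts; accounts
        //    that are already disabled are skipped by disableAccounts itself
        Predicate<Link> logonAccounts =
                link -> DISABLE_FIRST.contains(link.getApplicationName());
        utils.disableAccounts(identity, logonAccounts);

        // Defensive re-read (assumption: provisioning may have changed the object)
        identity = utils.findIdentity(identityName);

        // 2. Per-account attribute changes using the "Operation:Name" key form
        for (Link link : identity.getLinks()) {
            if (!AD_APP.equals(link.getApplicationName())) {
                continue;
            }
            Map<String, Object> changes = new HashMap<>();
            // Plain key: Set by default
            changes.put("description", "Disabled by leaver process");
            // Explicit operation prefix always takes priority over the default
            changes.put("Remove:memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com");
            utils.updateAccount(link, changes);
        }

        // 3. Remove all entitlements and assigned roles from the identity
        utils.removeAllAccess(identity);
    }
}
```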