Sailpoint IdentityIQ’s Transient workflows and their advantages

Quicklinks are usually used for faster access of specific functionalities. Often a “no delays” workflow where the start and end of the workflow happen within one single launch of quicklink shall be launched by quicklinks. Usually these kind of workflows involve custom Sailpoint forms which would not be useful once the user stops using this quick link by navigating to some other page.

Conventional workflow launches are serialized by storing the workflow cases as XML objects. This leads to many work items and workflow cases which are incomplete and hang around the Identity IQ over long run. This might lead to performance issues and unwanted data accumulated inside IIQ.

This problem could easily be solved using the transient workflows. The main feature of transient workflows is that they don’t get serialized.

Without the workflow getting serialized, we have specific advantages.

  1. Workflow cases which are inactive specific to this workflow shall not be generated.
  2. Work items that are generated do not get serialized and as a result we don’t have any unwanted work items related to this workflow in user’s inbox.

This would result in cleaner environment where we don’t have unnecessary data.

Extra perk with logging:

Workflow variables in Sailpoint are serialized in non-transient workflows. This means that we can store only the objects that Sailpoint has capability to store as XML object. Log4J loggers are very useful objects which are disqualified as workflow variables because of this restriction.

As the transient workflows do not try to serialize the objects referred by the variables, Logger objects can also be stored in the workflow variables.

This provides us the flexibility to maintain a workflow level logger variable to use your custom logging. Rather than instantiating the custom loggers whenever we require them, we can simply use the workflow variable whenever required.

Sailpoint Implementation: Referring Rule Libraries in Validation Scripts

Validation scripts are amongst the most common features while working with Sailpoint Identity IQ’s workflow forms. When we have common validation logic for multiple fields, it is always good to maintain this piece of logic in a separate rule library and call it from the validation script whenever required. This encourages modularity of the code and decreases code redundancy.

 

The way in which the name space of a validation script of a form in the workflow behaves is quite different from the rest of the workflow. Initial declaration of referenced libraries does well for referring the code in other parts of the workflow. But this does not work with validation scripts.

 

The following syntax should be used when we are using the rule referencing in validation scripts –

<ValidationScript>

<Includes>

<Reference class=”sailpoint.object.Rule” name=”Rule-Library-Name”/>

</Includes>

<Source>

// your code that calls some useful function in the rule library

</Source>

</ValidationScript>

 

 

Resolved : Manage Account Request Problem in SailPoint IIQ

Environment:

SailPoint Version : 7.0, 7.1

Problem Statement:

Unable to request a new account for existing identity from Manage Accounts in SailPoint IIQ.

Problem : Account Request Option is not available

 

Solution :

Firstly we need to check the Lifecycle Manager Configurations, navigate to Lifecycle Manager and in Configure tab Search for Manage Accounts options :

Applications that support account only requests : Select all applications check box or specified application according to your requirement.

Solution part 1- Select all applications

 

Allow Manage Accounts Additional Account Requests : Enable
Allow Manage Existing Accounts : Enable
Allow Account Only Requests : Enable

–> If you are using higher version of SailPoint 6.4 then you will face problem in finding these 3 options to enable them.

So, you need to edit init-lcm.xml and import it again in iiq console. By following steps and pictures shown below.

 

Step 1: init-lcm.xml is present in ~identityIQ/WEB-INF/config/init-lcm.xml location. Make a copy of it and place it in a safe folder.

 

Now open init.xml and search for Manage Accounts under QuickLink tag.

In init.xml search Manage Account

 

Carefully observe 3 entries under Manage Accounts tag.

Original_init-lcm.xml of SailPoint 7.1 version

 

Step 2: Now open init-lcm.xml file and make few changes by enabling this options manually from false to true 3 times in Quicklink Manage Accounts tag as shown in the picture below.

<entry key=”allowManageAccountsAdditionalAccountRequests” value=”false” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”false” />

After editing : <entry key=”allowManageAccountsAdditionalAccountRequests” value=”true” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”true” />

 

After Editing init-lcm.xml will look like.

 

Step 3: Now save it and import it in iiq console. By using command import init-lcm.xml. After importing observe following changes.

Step 4: Request Account option is available (Issue Resolved). Choose the application for account request. Submit the form.

 

Request Option Available Now 7.1

> Just for Reference in SailPoint 7.0  it will look like this as shown in the picture below.

Request Option Available in SailPoint 7.0

 

 

Step 5: Confirm Account Action . Click Confirm at the end of the page.

Confirm Account Request

 

 

 

Sailpoint IdentityIQ Pass through Authentication via Active Directory

When working with the Cloud, organizations of any scale wish to have common credentials across on-premise applications and the cloud applications. It’s the best user experience as well as the best IT management experience. The overhead of facilitating this can be quite a large endeavor.

Sailpoint’s IIQ provides Pass-through authentication using which a Login into IdentityIQ can be done via an enterprise directory credentials or via SSO credentials.

With pass-through authentication in Sailpoint IdentityIQ, password validation takes place through Application Configured in IdenitytIQ. What this means is a simple, but effective SSO solution for the end user. The below presentation gives a quick overview of concepts of Pass Through Authentication and how it is implemented in Sailpoint IdentityIQ.

The presentation is followed by different use cases demonstrated.

 

 

 

 

SailPoint IdentityIQ’s ER Relationship Model

Traditionally, all developers deciphered a product, by understanding the Entity Relationship model of the product’s database schema. This approach was the quick and easiest way to understand any product.

 

A similar approach is tried in deciphering SailPoint IdentityIQ, an Identity Governance solution from Sailpoint. The presentation envisages to give the audience a thorough understanding of the product, not from the API perspective, but from a database model perspective.

 

Sailpoint’s Identity IQ has some key objects like Identity, Application, Bundle etc. There are many dependent objects. Most of the key objects are covered comprehensively in the presentation.

 

 

eMail Configuration in Sailpoint IdentityIQ

eMail communication has revolutionized the way we communicate. A tool/facility introduced for simple communications is now considered more formal and legal. For a long time deep linking, in simple terms, embedding buttons with logic to provide email based decisions has been prevalent.

There is nothing better than sending a direct link to a page where one needs to take an action, in an email. Especially for something which needs urgent attention.

 

Sailpoint’s IdentityIQ provides the functionality to notify users through Emails. We may also have Emails with embedded URL which provides direct access to pages in IdentityIQ.

In the following presentation, a detailed overview of Email Configurations and use of Emails in IdentityIQ is presented.

Following is the demo on Email notifications with URLs embedded in mails, which provides direct access to pages in IdentityIQ.

 

Solved: “HTTP proxy setting has incorrect value”

Environment:

OS: Oracle Linux 7.0

Java: jdk1.8

DB: Oracle Database 11G R2

DB Installed mode: Single Instance Server

 

Problem Statement:

A connection to an Oracle database, via CLI mode, may be achieved using the following commands in a Linux Shell.

Start the listener by typing below command:

>lsnrctl start

Start the database by typing below command:

>sqlplus sys as sysdba

>startup

Error:

Error 46 initializing SQL*Plus
HTTP proxy setting has incorrect value
SP2-1502: The HTTP proxy server specified by http_proxy is not accessible.

HTTP proxy setting has incorrect value error

Error: HTTP proxy setting has incorrect value

 

Reasoning:

In the above error message, “HTTP proxy server specified by http_proxy variable”, the specified value is incorrect.The error may have occurred because sqlplus uses the http_proxy and no_proxy environment variables to determine if proxy is used. To bypass the proxy settings, both these values need to be unset or exported.

http_proxy: Specify the value to use as the HTTP proxy for all connections.

For example: http_proxy=“http://proxy.mycompany.com:8080”

no_proxy: Determine hosts that should bypass the proxy.

For example: no_proxy=localhost, mycompany.com, 192.168.0.10:80 so it can’t access this proxy.

 

Solution

First check the proxy settings , it should be correct value or unset it if no proxy is needed. SQL*Plus may get the proxy name from the environment variable http_proxy.This problem could be resolved by using the following commands –

>unset http_proxy

>unset no_proxy

Or

>export http_proxy=

>export no_proxy=

 

HTTP proxy setting has incorrect value issue resolved

Sailpoint – Service Now Integration

Ticketing systems form a great part of any enterprise’s IT infrastructure. Service Now is a global leader in cloud based ticketing systems and has been playing a visionary role in ITSM and ITOM.

Sailpoint integration with Service Now provides a great value when direct provisioning from Sailpoint is not possible.

It streamlines the manual provisioning by raising tickets on Service Now for provisioning. This provides a great visibility and accountability in the IT environments.

 

In the following presentation, we provide a detailed overview of Service Now integration with Sailpoint:

The following is a demo of various types of Service Now integrations that are supported by Sailpoint:

Design Patterns for Programmers

In 1986, Chernobyl was the result of bad designs/coding. Huge disasters in the world happen due to naive and inappropriate logic built into systems.

From a refrigerator to your car, a mobile to a rocket, everything runs on a microprocessor. It is a logic builder’s responsibility to take care of some cliched issues that might crash the entire system.

In 1995 at Sun Microsystems design patterns were developed by visionaries christened as GOF (gang of four).

This Video blog is an attempt to lucidly present the design patterns, which have to be considered by every programmer, irrespective of platform of development, for impeccable results.

In this presentation, we spoke about almost all the design patterns which are mostly used in Software Development.In a nutshell, the following are the various aspects of design patterns covered as part of the video:

  1. Creational Design Pattern – 7 design patterns.
  2. Structural Design Pattern – 6 design patterns.
  3. Behavioral Design Pattern -11 design patterns.

 

 

Sailpoint – Refresh Identity Cubes

In Sailpoint’s Identity IQ Refresh Identity Cubes” is one among the most important internal tasks. Refresh Identity Cubes helps in building 360 degree purview of an identity based on all the data aggregated from external sources.

The following video is an extensive discussion on various aspects of Refresh Identity Cubes.

The various aspects that are covered as part of this video are:

  1. Mechanisms to filter the identities to be considered for Refresh.
  2. Various options in the Refresh Identity Cubes.
  3. Using Multi-threading to improve the performance