SailPoint IdentityIQ find connectors - aggregation

I am new to SailPoint IdentityIQ.
How to find the connectors that filter out read-only entitlements during aggregation and certification please?
Thanks for your help!

During group aggregation, you can use a rule to modify the entries found, including to make them requestable or not, modify their names, or to exclude them from IdentityIQ. This rule is attached to the group aggregation task.
You can refer to this article in SailPoint Community:
https://community.sailpoint.com/t5/Technical-White-Papers/Group-Aggregation-Data-Flow/ta-p/79070
Basically, in your group aggregation task, there is a dropdown to select/create a rule. You can create a new rule to do the logic you want. IdentityIQ will invoke your rule once per group object found, and if you return null, the group will be ignored. Or you can modify the object (change its name or description for example) and return it.
You can see the parameters IdentityIQ provides in the rule editor interface. Those groups you do return in your rule become "Entitlement" objects in IdentityIQ.
For certification, you can assign a rule to select what you want to certify. In the campaign settings, IdentityIQ certifies entitlement objects only. When it finds a group that is not an entitlement, that group is called "Additional Entitlement", and there's a checkbox to include or exclude it in the certification.
So if you already took care of groups you don't want in your group aggregation rule, for certification you can simply set it to exclude additional entitlements.

Related

Add custom properties to an alert rule in Azure

I have a use case I am working on.
An Alert is fired in Azure when some conditions are met:
Condition: Whenever the total task complete events is greater than 0
The alert rule has some basic information.
Subscription
Resource Type
Resource Group
There is a Custom properties section and I want to use this to enrich the alert rule. The information I am hoping to include is in a table called AzureDiagnostics. The field values and conditions I need are as follows (I included some custom fields):
OperationName=="TaskCompleteEvent"
jobId_s
id_s == "analyse"
ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t)
ElapsedTime_in_Hours_Minutes_Seconds=ElapsedTime * 1s
TimeGenerated
Can someone guide me on the best way to include these as custom properties? Adds value to the alert instead of then going back into Azure to find more information. Any help is appreciated.
I don't really have enough information to go on to properly answer this; however, if you are referring to a default rule that you cannot edit, you can easily create an automation rule to autoclose the alert, and use custom KQL to reference the SecurityAlert table to enrich, such as
SecurityAlert | where DisplayName contains "previousRuleName"
or
If it is already custom KQL you can simply add, whether that's to the same table by removing the already specified column or otherwise, by using the join ( operator

Can you restrict a SharePoint user from editing a list item after adding it via a workflow?

We currently have a number of workflows in our organization that require users to add an item to a list via a form, but then not be able to edit that item unless given special permission to do so.
For example, a user submits a leave of absence request and it is routed to their manager. The 1st level manager might approve this request and the workflow continues. While the request is in the manager's hands it cannot be modified by the original submitter; however, if the manager rejects it or requires revision the original submitter should then be able to edit.
Is this possible? The best strategy we could come up with for this is multiple Lists to handle the different levels of security required for this. Are there better ways of doing this?
SharePoint seems to have a very open concept of security within an SP site and maybe we're just trying to fit a square peg in a round hole.
Thanks!
How about removing permission for that user/for all users using the workflow itself?
http://spcycle.blogspot.jp/2012/01/how-to-create-workflow-to-change-item.html
http://shareapointkiran.blogspot.jp/2012/06/addremove-permissions-using-sharepoint.html
And then give it back when manager approves/rejects
I had a similar problem and solved it with a quick and dirty solution.
In our case this quick and dirty solution might be even easier.
You could add a hidden field that has a default value of, for example, 0.
Then you add a (formatting) rule to one of the fields that should be deactivated.
The rule should deactivate the field if the value of the hidden field is not 0.
This rule can be copied to every field that should be deactivated too.
Now add a set field action to your workflow that sets the value of the hidden field to something other than 0, for example 1.
To make a hidden field you can define a formatting rule with a condition that is always true.
Now if someone creates a form the workflow will set the value of your hidden field to 1. The rule of the fields that should be deactivated will now deactivate the fields.
Hide the field
Deactivate the field rule

BUGZILLA - How to edit Assigned To list?

Is it possible to define in Bugzilla our own list of "assigned to" users? In our company we have a lot of customers, but when a customer is assigned to one product he is visible on all products in the "assigned to" field. Can I change my "assigned to" select?
Look at Security Groups - http://www.bugzilla.org/docs/4.2/en/html/groups.html
Then navigate to the group security page.
Administration -> Parameters -> Group Security
Find the setting makeproductgroups and ensure that it is On.
Next find the usevisibilitygroups setting and ensure that it is On. This setting prevents someone in group A from seeing the people in group B. This is especially important if you are letting multiple clients view and/or edit their bugs.
Finally find the strict_isolation setting and ensure it is On.
Now create your groups and assign them to products and users.

SharePoint Permissions

I have a custom workflow. This workflow removes permissions to items when an item is added (example an item is added by a service account and once added those permissions need to be removed from that item). This works as I have the service account 'hard coded' in the custom workflow.
Now I would like to remove this hard coding and when an item is added to a list I would like to iterate through all users that have access to the list item. If a user matches some algorithm then remove that user from the item permissions which will be 0 to many.
The piece I'm struggling with is how to iterate all users with permission to a SPListItem. Any thoughts on how to accomplish this?
Thanks in advance!
Check out the SPListItem.RoleAssignments property which is a collection of SPRoleAssignment objects. The Member property then represents a specific SPUser or SPGroup object that is assigned specific permissions in respect to the given list item by binding it to a collection of role definitions.
In your case you need to iterate over all available role assignments, inspect those that denote principals (users or groups) matching your criteria and rearrange the role assignments in a way that fits the desired security policy.
I think I just found the answer to this. I can iterate the RoleAssignments collection and perform my check on that. If anyone has any other ideas I'd be curious to hear about them :)
Thanks!
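The iteration described in the answer above, as an added example that is not code from the original thread. It uses the SharePoint server object model; the class ItemPermissionPruner, the method Prune and the predicate shown in the usage comment are hypothetical names chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;

public static class ItemPermissionPruner
{
    // Hypothetical helper: removes every principal (user or group) for which
    // shouldRemove returns true from the item's own permissions and returns
    // the names that were removed, so the workflow can log them.
    public static IList<string> Prune(SPListItem item, Func<SPPrincipal, bool> shouldRemove)
    {
        // An item that still inherits from its list has no ACL of its own.
        // Passing 'true' copies the inherited assignments first, so only the
        // matching principals lose access.
        if (!item.HasUniqueRoleAssignments)
            item.BreakRoleInheritance(true);

        // Collect matches before removing anything: changing RoleAssignments
        // while enumerating it invalidates the enumerator.
        var matches = new List<SPPrincipal>();
        foreach (SPRoleAssignment assignment in item.RoleAssignments)
        {
            // Member is an SPUser or an SPGroup; the predicate decides.
            if (shouldRemove(assignment.Member))
                matches.Add(assignment.Member);
        }

        var removed = new List<string>();
        foreach (SPPrincipal principal in matches)
        {
            item.RoleAssignments.Remove(principal);
            removed.Add(principal.Name);
        }
        return removed;
    }
}

// Usage inside the workflow activity (constructed predicate: direct user
// assignments whose login name contains "svc_"):
//   ItemPermissionPruner.Prune(item,
//       p => p is SPUser && ((SPUser)p).LoginName.Contains("svc_"));
```

A user who matches the predicate but also belongs to an SPGroup that keeps its assignment on the item still has access through that group, so the predicate has to cover groups as well where that matters.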

Is it possible to add new fields to the Summary Link Control

I am using the PublishingWebControls:SummaryLinkFieldControl and would like to add another field for the Group Description (In addition to the Group Name).
The default field available is the Group Name and Group Items. I really need an option to hold the Group Description as well.
Is this possible without customisation?
You'll definitely need to customise to a certain extent!
I know you can create a new item screen by modifying CmsSlwpAddEditLink.aspx (search for it)
Though it seems like what you're after is modifying the creation of the Group.
Rough guess: Figure out which content type the list of fields is based on. Add your field in. Find the .aspx which fires when creating a new group (google it), drop the field syntax into that and see if that works.
Let us know if you find a solution.
