One of the goals of a certification is to provide certifiers with a succinct list of items to be reviewed. Default values, low-risk entitlements, and distribution groups can commonly be removed from a certification. It is also common to have application entitlements reviewed by one user and other entitlements by a separate user.
To remove various items from a SailPoint Certification, an Exclusion Rule is employed. The Exclusion Rule iterates over the items in a certification and removes items based on logic built within the rule. The matching items are removed from the “active list” and added to a list of items to be excluded (these items can be saved for future analysis).
The example below illustrates one methodology for excluding items from a SailPoint Certification:
One note about Exclusion Rules: saving the exclusions after certification generation is an option, but it can have detrimental effects on performance. Storing thousands of “saved exclusions” can slow a certification down, since the XML generated in the background is larger than that of a certification without saved exclusions.
Example: Remove items based on attribute name & value.
For a certification, every user is provisioned with the role “PeopleSoft:Birthright” and the entitlement “invoiceamt=0.” Since those values are given to every user, they can be considered an acceptable exclusion.
import sailpoint.object.Certifiable;
import sailpoint.object.Link;
import sailpoint.object.Bundle;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Attributes;
import java.util.Iterator;
import java.util.List;
import java.util.ArrayList;

// Iterate through the certification items; 'items' and 'itemsToExclude'
// are the lists the Exclusion Rule receives as inputs.
Iterator it = items.iterator();
while ( it.hasNext() )
{
    Certifiable certifiable = (Certifiable) it.next();

    // Exclude Roles
    if (certifiable instanceof Bundle)
    {
        Bundle role = (Bundle) certifiable;
        String rolename = role.getFullName();
        // Exclude birthright roles
        if ( rolename != null && rolename.startsWith("PeopleSoft:Birthright") )
        {
            it.remove();
            itemsToExclude.add(certifiable);
        }
    }

    // Exclude Entitlements
    if (certifiable instanceof EntitlementGroup)
    {
        EntitlementGroup entgrp = (EntitlementGroup) certifiable;
        Attributes atts = entgrp.getAttributes();
        if (atts != null)
        {
            List entlist = atts.getKeys();
            Iterator entit = entlist.iterator();
            while (entit.hasNext())
            {
                String attrname = (String) entit.next();
                String attrval = atts.getString(attrname);
                if ( attrname.equalsIgnoreCase("INVOICE_AMT_MAX") && "0".equalsIgnoreCase(attrval) )
                {
                    it.remove();
                    itemsToExclude.add(certifiable);
                    // The item is already removed; stop scanning its attributes so
                    // it.remove() is not called a second time for the same item.
                    break;
                }
            }
        }
    }
}

// The rule's return value is the exclusion explanation stored with saved
// exclusions; returning null records no explanation.
return null;
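As an added example (not code from the original page), the same rule written in a data-driven form: the birthright role prefixes and default entitlement values live in lookup structures, each item is removed at most once, and the rule returns an explanation string instead of null. It assumes the standard Exclusion Rule inputs `items` and `itemsToExclude`, `Bundle.getName()`, and the `Attributes.getKeys()` / `getString()` accessors used above.

```java
// Added example, not from the original page. Assumes the Exclusion Rule inputs
// 'items' (List of Certifiable) and 'itemsToExclude', plus Bundle.getName(),
// Attributes.getKeys() and Attributes.getString().
import sailpoint.object.Certifiable;
import sailpoint.object.Bundle;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Attributes;
import java.util.*;

// Role-name prefixes granted to everyone (birthright).
Set birthrightPrefixes = new HashSet(Arrays.asList("PeopleSoft:Birthright"));
// Upper-cased entitlement attribute name -> values treated as defaults.
Map defaultValues = new HashMap();
defaultValues.put("INVOICE_AMT_MAX", new HashSet(Arrays.asList("0")));

List reasons = new ArrayList();   // collected for the returned explanation

Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();
    String reason = null;

    if (certifiable instanceof Bundle) {
        String name = ((Bundle) certifiable).getName();
        for (Iterator p = birthrightPrefixes.iterator(); name != null && reason == null && p.hasNext();) {
            if (name.startsWith((String) p.next())) reason = "birthright role " + name;
        }
    } else if (certifiable instanceof EntitlementGroup) {
        Attributes atts = ((EntitlementGroup) certifiable).getAttributes();
        if (atts != null) {
            for (Iterator k = atts.getKeys().iterator(); reason == null && k.hasNext();) {
                String attrName = (String) k.next();
                Set defaults = (Set) defaultValues.get(attrName.toUpperCase());
                String val = atts.getString(attrName);
                if (defaults != null && val != null && defaults.contains(val.trim())) {
                    reason = "default value " + attrName + "=" + val;
                }
            }
        }
    }

    if (reason != null) {
        it.remove();                     // exactly one remove() per matched item
        itemsToExclude.add(certifiable);
        reasons.add(reason);
    }
}

// The returned String is recorded as the explanation when exclusions are saved.
return reasons.isEmpty() ? null : "Excluded: " + reasons;
```

Because the returned explanation is stored with each saved exclusion, keep it short when thousands of items are excluded (see the performance note above).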