SailPoint Certification Exclusion Rules
One of the goals of a certification is to provide certifiers with a succinct list of items to be reviewed. Default values, low-risk entitlements, and distribution groups can commonly be removed from a certification. It is also common to have application entitlements reviewed by one user and other entitlements by a separate user.
To remove various items from a SailPoint Certification, an Exclusion Rule is employed. The Exclusion Rule iterates over the items in a certification and removes items based on logic built within the rule. The matching items are removed from the “active list” and added to a list of items to be excluded (these items can be saved for future analysis).
The example below illustrates one methodology for excluding items from a SailPoint Certification:
One note about Exclusion Rules – saving the exclusions after certification generation is an option, but it can have a detrimental effect on performance. Storing thousands of "saved exclusions" can slow a certification down, since the XML generated in the background for it is larger than that of a certification without saved exclusions.
Example: Remove items based on attribute name & value.
For this certification, every user is provisioned with the role "PeopleSoft:Birthright" and the entitlement "invoiceamt=0". Since those values are given to every user, they can be considered an acceptable exclusion.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;

// Iterate through the certification items passed to the rule as "items".
// Matching items are moved from "items" into "itemsToExclude", the list the
// Exclusion Rule type receives for items that should be excluded.
Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();

    if (certifiable instanceof Bundle) {
        Bundle role = (Bundle) certifiable;
        String rolename = role.getFullName();
        // Exclude birthright roles
        if (rolename != null && rolename.startsWith("PeopleSoft:Birthright")) {
            itemsToExclude.add(certifiable);
            it.remove();
        }
    }

    if (certifiable instanceof EntitlementGroup) {
        EntitlementGroup entgrp = (EntitlementGroup) certifiable;
        Attributes atts = entgrp.getAttributes();
        List entlist = (atts != null) ? atts.getKeys() : null;
        // Only the group's first attribute is inspected here; a group with no
        // attributes is left in the certification.
        if (entlist != null && !entlist.isEmpty()) {
            Iterator entit = entlist.iterator();
            String attrname = (String) entit.next();
            String attrval = atts.getString(attrname);
            if (attrname.equalsIgnoreCase("INVOICE_AMT_MAX") && attrval != null && attrval.equalsIgnoreCase("0")) {
                itemsToExclude.add(certifiable);
                it.remove();
            }
        }
    }
}
// No explanation is recorded for the exclusions.
return null;
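The same technique carried one step further, as an added example that is not the page's own rule: it checks every attribute of an entitlement group (including multi-valued ones) rather than only the first, excludes the group only when all of its values are on the low-risk list, and returns an explanation string. It assumes the standard Exclusion Rule arguments `items` and `itemsToExclude`; the prefix and name/value criteria are constructed sample data.

```java
import java.util.*;
import sailpoint.object.*;

// Constructed exclusion criteria (sample data, not a real deployment's list).
Set rolePrefixes = new HashSet(Arrays.asList(new String[] { "PeopleSoft:Birthright" }));
Set lowRiskPairs = new HashSet(Arrays.asList(new String[] { "INVOICE_AMT_MAX=0" }));

// True only when every attribute/value pair in the group is on the low-risk list.
// An EntitlementGroup is excluded as a whole, so a group that also carries a
// non-listed value must stay in the certification, or that value is never reviewed.
boolean allValuesLowRisk(EntitlementGroup grp) {
    Attributes atts = grp.getAttributes();
    if (atts == null || atts.isEmpty()) return false;
    for (Iterator names = atts.getKeys().iterator(); names.hasNext();) {
        String name = (String) names.next();
        Object raw = atts.get(name);
        // Multi-valued entitlements arrive as a List; wrap single values for uniform handling.
        List values = (raw instanceof List) ? (List) raw : Arrays.asList(new Object[] { raw });
        for (Iterator vi = values.iterator(); vi.hasNext();) {
            if (!lowRiskPairs.contains(name + "=" + String.valueOf(vi.next()))) return false;
        }
    }
    return true;
}

int excluded = 0;
for (Iterator it = items.iterator(); it.hasNext();) {
    Certifiable c = (Certifiable) it.next();
    boolean drop = false;
    if (c instanceof Bundle) {
        String roleName = ((Bundle) c).getFullName();
        for (Iterator pi = rolePrefixes.iterator(); pi.hasNext();) {
            if (roleName != null && roleName.startsWith((String) pi.next())) drop = true;
        }
    } else if (c instanceof EntitlementGroup) {
        drop = allValuesLowRisk((EntitlementGroup) c);
    }
    if (drop) {
        itemsToExclude.add(c);   // keep for later analysis of what was excluded
        it.remove();             // remove from the active list the certifier sees
        excluded++;
    }
}
// The returned String is stored as the exclusion explanation; null when nothing was excluded.
return (excluded > 0) ? "Excluded " + excluded + " birthright/low-risk item(s)" : null;
```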