SailPoint Certification Exclusion Rules

One of the goals of a certification is to provide certifiers with a succinct list of items to be reviewed. Default values, low-risk entitlements, and distribution groups can commonly be removed from a certification.   It is also common to have application entitlements reviewed by one user and other entitlements by a separate user.

To remove various items from a SailPoint Certification, an Exclusion Rule is employed.  The Exclusion Rule iterates over the items in a certification and removes items based on logic built within the rule.  The matching items are removed from the “active list” and added to a list of items to be excluded (these items can be saved for future analysis).

The example below illustrates one methodology for excluding items from a SailPoint Certification:

One note about Exclusion Rules – saving the exclusions after certification generation is an option, but it can have a detrimental effect on performance. Storing thousands of “saved exclusions” can slow a certification down, since the XML generated in the background is larger than it would be without saved exclusions.

Example: Remove items based on attribute name & value.

For this certification, every user is provisioned with the role “PeopleSoft:Birthright” and the entitlement “invoiceamt=0”. Since those values are given to every user, they can be considered an acceptable exclusion.

import sailpoint.object.Certifiable;
import sailpoint.object.Link;
import sailpoint.object.Bundle;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Attributes;
import java.util.List;
import java.util.ArrayList;
import java.util.Iterator;

// Iterate through certification items. "items" and "itemsToExclude" are the
// lists the certification passes into the rule; anything moved from the first
// to the second disappears from the certifier's active list.
Iterator it = items.iterator();
while ( it.hasNext() ) {
    Certifiable certifiable = (Certifiable) it.next();

    // Exclude Roles
    if (certifiable instanceof Bundle) {
        Bundle role = (Bundle) certifiable;
        String rolename = role.getName();

        // Exclude birthright roles
        if ( rolename != null && rolename.startsWith("PeopleSoft:Birthright") ) {
            itemsToExclude.add(certifiable);
            it.remove();
        }
    }

    // Exclude Entitlements
    if (certifiable instanceof EntitlementGroup) {
        EntitlementGroup entgrp = (EntitlementGroup) certifiable;
        Attributes atts = entgrp.getAttributes();
        if (atts == null) {
            continue;
        }
        List entlist = atts.getKeys();
        Iterator entit = entlist.iterator();

        while (entit.hasNext()) {
            String attrname = (String) entit.next();
            String attrval = atts.getString(attrname);

            if ( attrname.equalsIgnoreCase("INVOICE_AMT_MAX") && attrval != null && attrval.equalsIgnoreCase("0") ) {
                // Note: this excludes the whole EntitlementGroup (every entitlement
                // on that account), not only the matching attribute value.
                itemsToExclude.add(certifiable);
                it.remove();
                break;
            }
        }
    }
}

// No explanation.
return null;
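A second example, added here and not part of the original post, covers the other scenario mentioned at the top: keeping only the entitlements of the applications this certification is meant to cover, so the remaining applications can be reviewed by a different certifier in a separate certification. The application names are placeholders, and it assumes the usual rule inputs (items, itemsToExclude) and that EntitlementGroup.getApplication() returns the owning Application.

```java
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;

// Placeholder application names: the applications whose entitlements
// should stay in THIS certification. Everything else is excluded and
// left for the separate certification.
List inScopeApps = Arrays.asList("Active Directory", "PeopleSoft");

Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();

    // Roles are left alone here; only entitlement groups are scoped by application.
    if (!(certifiable instanceof EntitlementGroup)) {
        continue;
    }

    EntitlementGroup entgrp = (EntitlementGroup) certifiable;
    Application app = entgrp.getApplication();
    String appName = (app != null) ? app.getName() : null;

    // Exclude anything that is not from an in-scope application. An item with
    // no resolvable application is excluded too, rather than silently certified.
    if (appName == null || !inScopeApps.contains(appName)) {
        itemsToExclude.add(certifiable);
        it.remove();
    }
}

// The returned string is the explanation stored with the exclusions
// (only visible if the certification is configured to save them).
return "Out-of-scope application: reviewed in a separate certification";
```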

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
