Section - 3


Section 3 - 1

Section Three: Roles, Rules, Custom Tasks and Custom Reports

Fundamentals of IdentityIQ Implementation


Training for SailPoint IdentityIQ Version 7.1

11305 Four Points Drive


Bldg 2, Suite 100
Austin, TX 78726
www.sailpoint.com

Copyright © 2017 SailPoint Technologies – All Rights Reserved – VERSION 7.1b



Contents
Section 3: Roles, Tasks, Rules and Custom Reports
Exercise #1: Defining a Role Model
  Objective
  Overview
  Create Role Container
  Run a Business Role Mining Task to generate Region Roles
  Run an IT Role Mining Task to create TRAKK Roles
  Create an IT Role with Direct Entitlements
  Load a Role Model for the PRISM Application
Exercise #2: Assign and Detect Roles
  Objective
  Overview
  Assign Business Roles and Detect IT Roles
Exercise #3: Using Roles to Provision Access to the PRISM Application
  Objective
  Overview
  Modify Business Roles to have Assignment Logic
  Create a new Refresh Task that will Provision Access
Exercise #4: Using Rules to Learn the API
  Objectives
  Overview
  Terminology Check
  Load and Run the Walk Identity Rule
  Load and Run the Uncorrelated Identities Rule
  Load and Run the Certification Walker Rule
Exercise #5: Running Tasks Sequentially and Running Rules on a Schedule
  Objective
  Overview
  Create and Schedule a Set of Tasks
  Run a Rule on a Schedule
Exercise #6: Compiling and Deploying a Custom Task
  Objective
  Overview
  Compile the Custom Task
  Load and Test the Custom Task
Exercise #7: Creating and Extending a Custom Report
  Objective
  Overview
  Load and Investigate the Custom Report Definition XML File
  Extend the Report
  Extension Exercises (Optional)
  Extend the Report using Signatures and Forms
  Extend the Report to Limit Returned Data


Section 3: Roles, Tasks, Rules and Custom Reports


In this section, we will be exploring Roles and ways to extend IdentityIQ.

In the previous sections we:

• loaded identities, applications, accounts and entitlements

• performed certifications on the data we loaded

• used analytics, populations and groups to help us to organize and make sense of the data

• detected policy violations

In this section we will be doing the following:

• Define a Role Model

o Business Roles – Based on identity or account attributes

o IT Roles – Based on account entitlements

• Learn about the SailPoint API by running an assortment of example rules

• Configure, schedule, and run sequential tasks and a rule runner task

• Learn how to create and deploy a custom task

• Learn how to create a custom report


Exercise #1: Defining a Role Model


Objective:
Learn how to define roles, assign them to Identities, and detect them from account entitlements.

Overview:

In our case, we are going to set up some roles for the following:

• Container Roles for all the roles we will create

• Region Roles driven off of Identity Attributes (i.e. a role for users in Americas, Europe and
Asia-Pacific).

• Application Roles (TRAKK Application) to define roles for the TRAKK Time Sheet
application

• Application Roles (PRISM Application) to define roles for the PRISM application.

After configuring roles, we will learn how to update identities so that roles get assigned and
detected and stored in the Identity Cubes.

Create Role Container


1. Login as spadmin/admin.

2. Create TRAKK Container

a. Navigate to Setup → Roles, select New Role and choose Role

b. Name: TRAKK

c. Display Name: TRAKK

d. Type: Organizational

e. Owner: The Administrator

f. Click: Submit


3. Create Regions Container

a. New Role and choose Role

b. Name: Regions

c. Display Name: Regions

d. Type: Organizational

e. Owner: The Administrator

f. Click: Submit

4. You should have two container roles defined:

Run a Business Role Mining Task to generate Region Roles


1. From the Role Management screen, click New Role and select Business Role Mining

2. Configure the Role Mining Task using the following settings:

a. Name: Business Roles - Regions

b. Compute Population Statistics: Checked

c. Specify an Existing Root Container Role: Regions

d. Ordered Identity Mining Attributes: Region

e. Type of Business Roles to Generate: Business

f. Owner: The Administrator

g. Prefix to Apply to Generated Role Names: Region

h. Select Save and Execute and OK


3. Observe the results of Role Mining

a. Click the Role Mining Results tab

b. Select the Role Mining results and observe:

c. Navigate back to the Role Viewer tab and refresh by selecting Refresh and see the
roles defined.

d. Notice the business roles: Region.Americas, Region.Asia-Pacific, and Region.Europe.


Why are they greyed out?

_________________________________________________________________________________________________


4. Enable each of the three Region roles by repeating the following steps for each role

a. Select the role

b. In the bottom center, select Edit Role

c. Scroll down and uncheck Disabled to enable the role

d. In the role, find and list the Assignment Rule for each Region role:

_________________________________________________________________________________________________

_________________________________________________________________________________________________

_________________________________________________________________________________________________

e. Scroll down and Submit the changes


Run an IT Role Mining Task to create TRAKK Roles


1. Under Role Management, select New Role and choose IT Role Mining

2. Configure the IT Role Mining Task as shown:

a. Name: IT Roles - TRAKK

b. Owner: The Administrator

c. Identities to Mine: Search by Attributes

i. Notice that the Identity Attributes listed are a subset of those available on
the Identity Cube. What is special about these identity attributes such that
they’re included in this list?

________________________________________________________________________________________

d. Inactive: False

e. Applications to Mine: TRAKK

f. Click Save and Execute and click OK

3. Observe the results of Role Mining

a. Click the Role Mining Results tab

b. Select the result for IT Roles - TRAKK

c. From the results, we will create an IT-Role for all users with the Input entitlement.
To do this, right click Group1 and select Create Role.


d. Configure the Role:

i. Name: TRAKK - Basic

ii. Owner: The Administrator

iii. Container Role: TRAKK

iv. Click Save and OK

4. Enable the TRAKK - Basic role

a. Select the Role Viewer tab, click Refresh, expand TRAKK and select the TRAKK -
Basic Role

b. Edit this role and enable it

c. Scroll down and select Submit

5. We will now create a child role of TRAKK - Basic

a. Select the Entitlement Analysis tab

b. Select TRAKK as the application

c. Under Identity Attributes: Is Manager: True

d. Select Search

e. From these results, we can see that all Managers that have TRAKK access have the
same set of entitlements, which include the ability to approve and reject
entitlements.

f. We will create a new role from the entitlement analysis that will include these two
entitlements. Select the checkboxes next to approve and reject and click Create
Role


g. Name the Role TRAKK - Manager Access, and Save

h. Go back to the Role Viewer tab and Refresh. You should see the TRAKK -
Manager Access role in the role hierarchy.

i. Edit TRAKK - Manager Access

j. Scroll down to Inherited Roles and select Modify Inheritance

k. Enter TRAKK in the Search Box and select TRAKK - Basic and then select Add and
Save


l. Scroll Down and select Submit to save the role.

m. Once again, go to the Role Viewer tab, Refresh and take a look at the changes to the
role hierarchy.

n. Note that we have made the Manager role inherit from the Basic role. This is so that
our hierarchy reflects the following:

i. All users have Basic access to TRAKK (capability = input)

ii. Some users have Basic access plus additional Manager access to TRAKK
(capability = approve and capability = reject)

iii. A user with the Manager access to TRAKK will inherit the Basic access as
well since it’s defined in its inheritance path.


Create an IT Role with Direct Entitlements


Entitlements can be associated with a role directly or through a profile. A profile allows for more
complex associations, while a direct entitlement is just that: a direct specification of the
entitlements that make up a given role. Both provide the criteria that IdentityIQ uses to detect who
has a given role, and both specify the entitlements to provision when assigning a role. In this
exercise, we will create a role and directly define its entitlements; we’ll model super user access
to TRAKK using the capability “super”.

1. Select the Role Viewer tab (Setup → Roles)

2. Click Add

3. Define a new role as follows:

a. Name: TRAKK - Super User

b. Display Name: TRAKK - Super User

c. Type: IT

d. Owner: The Administrator

e. Inherited Roles: select Modify Inheritance

i. Choose TRAKK (Organizational Role)

ii. Add, then Save

f. Entitlements: click Add

i. Application: TRAKK

ii. Field: capability

iii. Select Entitlement: super

iv. Save

g. Scroll down and click Submit to save the role.

4. Confirm that your role hierarchy looks like this:


Load a Role Model for the PRISM Application


Another way to create roles is to load them via XML role definitions. Next we will load roles for the
PRISM application.

1. Navigate to Global Settings → Import from File and load the following file:

/home/spadmin/ImplementerTraining/config/PRISM/Roles-PRISM.xml

2. Confirm that six total roles were loaded (three IT Roles and three Business Roles):

3. View the PRISM roles to complete the following chart of the PRISM role model. The PRISM
Super and the PRISM Super-IT entries have been completed as examples.

Role Name        | Type     | Required Role                            | Entitlement (Profile)
PRISM Super      | Business | PRISM Super-IT                           | Not applicable (only for IT roles)
PRISM Manager    |          |                                          |
PRISM User       |          |                                          |
PRISM Super-IT   | IT       | Not applicable (only for business roles) | Groups contains “Super”
PRISM Manager-IT |          |                                          |
PRISM User-IT    |          |                                          |


Exercise #2: Assign and Detect Roles


Objective
To learn how roles are assigned and detected as part of the identity refresh process.

Overview
In this section we will run a task that will do the following:

• Iterate over each identity


• Look at the Identity Attributes and Entitlements that are possessed by each Identity
• Determine if any Business Roles should be assigned to an Identity
• Determine if an Identity has the appropriate IT Entitlement Access to detect any IT Roles.
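A simplified model of this refresh pass, as an added example (not IdentityIQ code and not part of the course material). The sample identities, the region match criteria, and the rule that an IT role is detected only when every entitlement on its inheritance path is present are assumptions; entitlements left over after detection are reported as additional entitlements.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    kind: str                                   # "business" or "it"
    match: dict = field(default_factory=dict)   # business role: identity attribute -> value
    entitlements: frozenset = frozenset()       # IT role: (application, attribute, value)
    inherits: tuple = ()                        # names of inherited roles


def cap(value):
    """A TRAKK entitlement on the 'capability' attribute."""
    return ("TRAKK", "capability", value)


# Role names and TRAKK capabilities come from the exercises; the region match
# criteria are an assumed stand-in for the mined assignment rules.
ROLES = {r.name: r for r in (
    Role("Region.Americas", "business", match={"region": "Americas"}),
    Role("Region.Asia-Pacific", "business", match={"region": "Asia-Pacific"}),
    Role("Region.Europe", "business", match={"region": "Europe"}),
    Role("TRAKK - Basic", "it", entitlements=frozenset({cap("input")})),
    Role("TRAKK - Manager Access", "it",
         entitlements=frozenset({cap("approve"), cap("reject")}),
         inherits=("TRAKK - Basic",)),
    Role("TRAKK - Super User", "it", entitlements=frozenset({cap("super")})),
)}

# Constructed sample identities (not taken from the training data set).
IDENTITIES = [
    {"name": "sample.manager", "attributes": {"region": "Europe"},
     "accounts": [{"application": "TRAKK",
                   "entitlements": {"capability": ["input", "approve", "reject"]}}]},
    {"name": "sample.clerk", "attributes": {"region": "Americas"},
     "accounts": [{"application": "TRAKK",
                   "entitlements": {"capability": ["input", "approve"]}}]},
    {"name": "sample.contractor", "attributes": {}, "accounts": []},
]


def effective_entitlements(name, roles=ROLES, _seen=None):
    """Entitlements of a role plus everything on its inheritance path."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:       # guards cycles and missing parents
        return frozenset()
    seen.add(name)
    result = set(roles[name].entitlements)
    for parent in roles[name].inherits:
        result |= effective_entitlements(parent, roles, seen)
    return frozenset(result)


def refresh(identity, roles=ROLES):
    """Assign business roles, detect IT roles, and list what no role explains."""
    attrs = identity["attributes"]
    held = set()
    for account in identity["accounts"]:
        for attr, values in account["entitlements"].items():
            held |= {(account["application"], attr, v) for v in values}

    assigned = sorted(
        r.name for r in roles.values()
        if r.kind == "business" and r.match
        and all(attrs.get(k) == v for k, v in r.match.items()))

    detected, covered = [], set()
    for r in roles.values():
        if r.kind != "it":
            continue
        needed = effective_entitlements(r.name, roles)
        if needed and needed <= held:           # every required entitlement is present
            detected.append(r.name)
            covered |= needed

    return {"assigned": assigned,
            "detected": sorted(detected),
            "additional": sorted(held - covered)}


def refresh_all(identities=IDENTITIES):
    return {i["name"]: refresh(i) for i in identities}


if __name__ == "__main__":
    for name, result in refresh_all().items():
        print(name, result)
```

The `sample.clerk` case shows a partial match: holding approve without reject does not detect the manager role, so approve surfaces as an additional entitlement.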

Assign Business Roles and Detect IT Roles


In order to assign and detect roles, we need to run a task.

1. Navigate to Setup → Tasks and open the task called: Refresh Entitlement Correlation

a. List the option selected for this task:

_________________________________________________________________________________________________

b. Execute the task.

2. Navigate to Identities → Identity Warehouse and confirm that Business Roles have been
assigned, and that the IT Roles have been detected.


3. Click Aaron.Nichols and look at his Entitlements and notice that he now has an assigned
Business Role based on his Region, and a few detected IT Roles based on his access to the
TRAKK application.

a. Expand the TRAKK – Manager Access and confirm that it consists of the approve
and reject capability.


4. Scroll down to the Entitlements section and click the TRAKK capabilities input and reject to
see the meta information that we are storing with regards to each entitlement. Note that
these entitlements are granted by a role as the role definition includes these entitlements:

5. Click the Show only additional entitlements option to hide those entitlements that are
included in a role.

6. Run a Manager certification to confirm that Roles are now part of the certification:

a. Recipient: Catherine.Simmons

b. Run Now: checked

c. Confirm the following

i. Included Access, Entitlements: selected

ii. Include Additional Entitlements: checked

iii. Include Roles: checked

iv. Include Policy Violations: checked

d. Select Schedule Certification


e. Login as Catherine.Simmons/xyzzy and verify in the Access Review that Roles are
part of the certification now.


Exercise #3: Using Roles to Provision Access to the PRISM Application

Objective
In this section we will use Role assignments to provision IT access to the PRISM application.

Overview
The PRISM application is a new application and only has two current user accounts on the system:

• PRISM ADMIN – An Out of the Box Account that came with the software
• Walter.Henderson – The owner of the application and the only user to create an account on
the system

As part of this exercise, we will assign the “PRISM Manager” Business Role to all users that are
managers at the company. We will do this by modifying the “PRISM Manager” Role to have
assignment logic that defines that managers will be assigned to this role. We will then assign this
role to everyone and this will cause provisioning to occur.

Modify Business Roles to have Assignment Logic


1. Login as spadmin/admin, and edit the PRISM Manager business role

2. Scroll down to Assignment Rule

a. Select Rule, and click Edit Rule

i. Rule Name: Role Assignment to Managers

ii. Script: return identity.getManagerStatus();

1. Notice that identity is listed in the Arguments list

iii. Click Save

b. Choose the rule you just created:

c. Scroll down and Submit to save the role changes.

3. This rule will return true if an Identity is a manager. When we refresh assigned and
detected roles, this rule will assign the PRISM Manager role to each identity that is a
manager. In turn, this will cause the required IT Role, PRISM Manager-IT, to get
provisioned as part of the refresh processing. This will create an account and add the user
to the Manager group on the PRISM application.

Create a new Refresh Task that will Provision Access


1. Navigate to Setup → Tasks and create a new task of type Identity Refresh

a. Name: Refresh and Provision Roles

b. Select these options on the task:

i. Refresh assigned, detected roles and promote additional entitlements

ii. Provision assignments

c. Click Save and Execute

d. Wait until the task finishes; it will take a while because it looks at all 200+
identities. While the task is running, you can watch its progress by clicking the
Pending… task in the Task Results window.

e. Once the task has successfully finished, go to a terminal window, and login to
MySQL:

[spadmin@training ~]$ mysql -u root -p
Enter password: root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 64
Server version: 5.1.58-community MySQL Community Server (GPL)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights
reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

mysql> use prism
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;


In your results, you should see that several managers were provisioned with access
to the PRISM application:


| A | N | NULL |
| Sara.Berry        | NULL        | Sara      | Berry      | Manager              | A      | N      | NULL       |
| Stephanie.Coleman | NULL        | Stephanie | Coleman    | Manager              | A      | N      | NULL       |
| Susan.Martin      | NULL        | Susan     | Martin     | Manager              | A      | N      | NULL       |
| Victor.Pierce     | NULL        | Victor    | Pierce     | Manager              | A      | N      | NULL       |
| whenderson        | NULL        | Walter    | Henderson  | User, Manager, Super | A      | Y      | 2012-01-01 |
| William.Moore     | NULL        | William   | Moore      | Manager              | A      | N      | NULL       |
+-------------------+-------------+-----------+------------+----------------------+--------+--------+------------+
49 rows in set (0.00 sec)


Exercise #4: Using Rules to Learn the API


Objectives
In this section, we will load (import) several rules and run them to learn how to interact with rules
and how to use the SailPoint API.

Overview
We will load each rule and investigate the rule in debug. For each rule, a set of questions introduces
you to the SailPoint API and provides understanding as to the purpose of each rule.

Non-programmers: Do your best to answer the programming questions, but don’t spend too much
time on them. Do load and run each rule.

Terminology Check
1. Match the following internal (programming) and user interface terminology. Check your
answers against the Common IdentityIQ Synonyms chart in the appendix.

Internal             User Interface
bundle               access review
certification        account
certificationgroup   role
link                 task
taskDefinition       certification

2. Match the following role types

Business Roles       Assigned Roles
IT Roles             Detected Roles

Load and Run the Walk Identity Rule


This rule loads one identity and lists attributes and other information about the identity.

1. Load the rule XML:

/home/spadmin/ImplementerTraining/config/Rule-Example-WalkIdentity.xml

Rule Name: Example – Walk Identities


2. Navigate to the Debug Pages, select the Rule object, view the rule Example - Walk
Identities, and answer the following questions.

a. This rule loads an Identity.

i. What is the name of the method used to retrieve the identity?

________________________________________________________________________________________

ii. What is the name of the class passed to the method identified above?

________________________________________________________________________________________

b. How many identity attributes are printed to standard out? ________

c. Why do we use the getEmail method to retrieve the email attribute, but the
getAttribute method to retrieve the status, location, and region attributes?

_________________________________________________________________________________________________

d. What is the name of the method used to retrieve the following information?

i. Accounts _____________________________________________________________

ii. Detected roles _____________________________________________________________

iii. Assigned roles _____________________________________________________________

3. Run the rule from the Debug Page.

4. When a rule runs in the Debug Page, print statements are listed in the standard out for the
application server (in our instance, Tomcat). Use the desktop shortcut Tail Tomcat
Standard Out to view the print statements.

a. How many accounts are listed? ________

b. How many detected roles are listed? ________

c. How many assigned roles are listed? ________

Note: If the log file shows a "CSRF validation failed" error, this could be because you have
multiple IdentityIQ windows open in your browser. CSRF validation is a security measure.


Load and Run the Uncorrelated Identities Rule


This rule lists all of the uncorrelated identities.

1. Load the rule XML:

/home/spadmin/ImplementerTraining/config/Rule-Example-ReportUncorrelatedIdentities.xml

2. From the import results, write the rule name:

_________________________________________________________________________________________________________

3. On the debug page, view the rule and answer the following questions:

a. What is the name of the method being used to query the system for all uncorrelated
identity objects?

_________________________________________________________________________________________________

b. For the above method, what is the purpose of the qo parameter?

_________________________________________________________________________________________________

c. What method is used to retrieve the names? __________________________________

4. Use the rule command in the IdentityIQ console to run the rule. The print statements will be
printed to the console screen.

> rule "Example - Report Uncorrelated Identities"

a. What is the name of the last uncorrelated identity? ______________________________________


Load and Run the Certification Walker Rule


This rule walks through all of the certifications and lists statistics about each one.

1. Load the rule XML:

/home/spadmin/ImplementerTraining/config/Rule-Example-CertificationWalker.xml

Write the rule name: _________________________________________________________________________________

2. View the rule and answer the following questions:

a. What is returned by the first search() statement:
context.search(CertificationGroup.class, qo)?

_________________________________________________________________________________________________

b. What is the name of the method that provides the name of the certification?

_________________________________________________________________________________________________

c. What is returned by the second search() statement:
context.search(Certification.class, ops, "id")?

_________________________________________________________________________________________________

d. What is returned by the statement: context.getObjectById(Certification.class, certId)?

_________________________________________________________________________________________________

3. Run the rule using either method (from debug or from the IdentityIQ Console).

a. What is the name of the last certification (certificationGroup object) found?

_________________________________________________________________________________________________


Exercise #5: Running Tasks Sequentially and Running Rules on a Schedule

Objective
The objective of this exercise is to introduce two particularly useful tasks, the Sequential Task
Launcher and the Run Rule task, and to learn to schedule tasks.

Overview
In this exercise, we will define a single task that will run nightly to aggregate our authoritative
applications followed by a refresh. We will use the run rule task to run a rule every 5 minutes.

Create and Schedule a Set of Tasks


1. From Setup → Tasks, create a new task of type Sequential Task Launcher and configure
as shown:

a. Name: Aggregate Authoritative Apps and Refresh

b. Enter the list of tasks:

Aggregate Employees
Aggregate Contractors
Refresh Identity Cube

2. Save (do not execute).

3. Schedule the task Aggregate Authoritative Apps and Refresh.

a. In the list of tasks, right click on Aggregate Authoritative Apps and Refresh, and
select Schedule

b. Configure as shown:

i. Name: Nightly Authoritative Agg and Refresh

ii. First Execution: Tonight at 11:30 PM

iii. Execution Frequency: Daily

c. Schedule


Run a Rule on a Schedule


The Run Rule task can run any specified rule. This task can often be used in place of writing a
custom task – write a rule, and then use this task to schedule and run the rule.

1. Navigate to Global Settings → Import from File and import the following file:

/home/spadmin/ImplementerTraining/config/Rule-Example-RuleRunnerTest.xml

2. View the rule Example – Test Rule Runner Task.

a. This rule simply determines the date and prints it to the log file.

b. What value is returned by the rule? ____________________________________________


The Run Rule task requires the return value so that it can be displayed in the task results.

3. Create a new task of type Run Rule

4. Configure as shown:

a. Name: Rule Runner Test

b. Rule: Example - Test Rule Runner Task

c. Choose Save and Execute


5. Check the execution.

a. View the task results. All we’re returning is the status, so there is no other
information listed.

b. View the output from the Tomcat Standard Out log to see that a time stamp gets
printed when the task runs:

Rule Runner Test... Current Time/Date = 2017/03/03 21:52:43

6. On the Tasks tab, right click the Rule Runner Test task and select Schedule

7. Configure the schedule as shown:

a. Name: Rule Runner Task Schedule

b. Run Now: checked

c. Execution Frequency: Hourly

d. Select Schedule

This will run the task immediately and then every hour.


8. To run this task more frequently than hourly, edit the TaskSchedule through the Debug
page and adjust the schedule parameters to run it more often. In order to do this, change the
TaskSchedule cron expression as shown.

Note: Detailed information about the cron expressions used in IdentityIQ can be found at
www.quartz-scheduler.org.

Original Task Schedule (the task runs every hour at 58 minutes past the hour):

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskSchedule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskSchedule id="Schedule for Rule Runner Task" name="Schedule for Rule Runner Task" nextExecution="1392933480000">
  <Arguments>
    <Map>
      <entry key="executor" value="Rule Runner Test"/>
      <entry key="launcher" value="spadmin"/>
    </Map>
  </Arguments>
  <CronExpressions>
    <String>0 58 * * * ? </String>
  </CronExpressions>
  <Description></Description>
</TaskSchedule>

New Task Schedule (the task runs every five minutes):

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskSchedule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskSchedule id="Schedule for Rule Runner Task" name="Schedule for Rule Runner Task" nextExecution="1352433949000">
  <Arguments>
    <Map>
      <entry key="executor" value="Rule Runner Test"/>
      <entry key="launcher" value="spadmin"/>
    </Map>
  </Arguments>
  <CronExpressions>
    <String>0 0/5 * * * ? </String>
  </CronExpressions>
  <Description></Description>
</TaskSchedule>

9. Check back periodically to the Tomcat Standard Out log to see that the task continues to run
and execute the rule that writes test messages to the log file.
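
To compare the two schedules from step 8 before saving the change, the sketch below (an added example in Python, not part of the course files) reads an exported TaskSchedule and reports the executor, the launcher and how often the cron expression fires. The XML is a constructed sample trimmed from the listings above, the function names are hypothetical, and the run count assumes the day fields stay at * and ?.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the TaskSchedule from step 8, trimmed to the elements
# this check reads (XML declaration and DOCTYPE omitted so no DTD is needed).
ORIGINAL = """<TaskSchedule name="Schedule for Rule Runner Task">
  <Arguments><Map>
    <entry key="executor" value="Rule Runner Test"/>
    <entry key="launcher" value="spadmin"/>
  </Map></Arguments>
  <CronExpressions><String>0 58 * * * ? </String></CronExpressions>
</TaskSchedule>"""
MODIFIED = ORIGINAL.replace("0 58 * * * ?", "0 0/5 * * * ?")

def expand(field, lo, hi):
    """Expand one numeric Quartz field (*, n, a-b, a/step, */step, lists)."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng in ("*", "?"):
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            end = hi if step else start  # "0/5" runs from 0 to the field maximum
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, int(step or 1)))
    return sorted(values)

def summarize(xml_text):
    """Return executor, launcher, firing minutes and runs per day."""
    root = ET.fromstring(xml_text)
    args = {e.get("key"): e.get("value") for e in root.iter("entry")}
    cron = root.findtext("CronExpressions/String").split()
    if len(cron) not in (6, 7):
        raise ValueError("Quartz expressions have 6 or 7 fields")
    # Assumption: day-of-month, month and day-of-week are left unrestricted.
    sec, minute, hour = (expand(f, 0, hi) for f, hi in zip(cron, (59, 59, 23)))
    return {"executor": args.get("executor"), "launcher": args.get("launcher"),
            "minutes": minute, "runs_per_day": len(sec) * len(minute) * len(hour)}

if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(label, summarize(doc))
```

The launcher value is worth checking alongside the frequency, since it names the account recorded as having launched every scheduled run.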


Exercise #6: Compiling and Deploying a Custom Task


Objective
The objective of this exercise is to learn the process for creating a custom task and importing the
task into IdentityIQ.

Overview
In this exercise, we will compile and deploy a task that will allow the user to enter a search term
and an object type and run a search for the term against all objects of that type.

Compile the Custom Task


1. Log out of IdentityIQ.

2. Your training VM includes a build environment for building a custom task. The build tool we
will use is called Ant.

a. The source file for the task is under the ImplementerTraining/src directory. If
you are interested, view the sample code.

3. Build and deploy the task.

a. Open up a terminal window and navigate to the ImplementerTraining directory

b. From within the terminal window type the following:

[spadmin@training ImplementerTraining]$ ant deploy

c. This builds the sample task, packages it as a JAR, deploys it into the App Server directory,
and restarts the application server.

Load and Test the Custom Task


1. Log in to IdentityIQ as spadmin.

2. Navigate to Global Settings → Import from File and import the following file:

/home/spadmin/ImplementerTraining/config/TaskDefinition-SearchTask.xml

This is the Task Definition file that defines the Task within IdentityIQ. This XML Task
Definition points to the Java class that we just compiled and deployed into the Application
Server.

3. To test the task, from within IdentityIQ, navigate to Setup → Tasks and create a new task of
type Search Task.


4. Configure the task as shown here:

a. Name: Search Applications for spadmin

b. Search Term: spadmin

c. Object type to search: sailpoint.object.Application

d. Choose Save and Execute

5. Check the Task Results.

a. How many applications contain the term “spadmin”? ____________________

Bonus Question

1. Why might you need to identify applications that contain the phrase “spadmin”?

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________


Exercise #7: Creating and Extending a Custom Report


Objective
To understand the steps involved in extending, creating, and customizing IdentityIQ reports.

Overview
For this exercise, we will load a custom report and observe how it functions within IdentityIQ. We
will configure the report using the GUI. Then we will investigate the report XML using debug. Next
we will extend the report by adding more columns. This section ends with three optional
extensions.

Load and Investigate the Custom Report Definition XML File


1. Navigate to Global Settings → Import from File and load the file:

/home/spadmin/ImplementerTraining/config/Report-CustomCapabilities.xml

2. Navigate to Intelligence → Reports and click the Reports tab.

a. Filter the list of reports on Capabilities.

b. Click Capabilities Report

c. Configure the report as follows:

i. Name: My Capabilities Report

d. Click Save and Preview to preview the report.

e. Page through the report and check to see that the user spadmin has the
SystemAdministrator capability.


3. Click Refine Report (top, right) and click the Report Layout section.

a. Reorder the columns so that the Capability column is displayed first.

b. Preview the report.

4. Change the report so that Username is displayed first, followed by Capability, and omit
First Name and Last Name from this report.

5. Save and Preview the report.

6. Navigate to the Debug Pages and search for TaskDefinition objects and look for the
Capabilities Report that we just loaded. Click the Capabilities Report and view the report
XML.

7. Examine the XML to see what drives the information shown in the report.

a. Notice that the DataSource defines the base object (in our case Identity) and the
default sort order.

<DataSource defaultSort="name" objectType="Identity" type="Filter">


b. Notice that the ReportColumnConfigs drive the columns shown in the report.

<Columns>
  <ReportColumnConfig field="identity" header="rept_user_details_col_identity" property="name" sortable="true" width="110"/>
  <ReportColumnConfig field="lastName" header="rept_user_details_col_lastname" property="lastname" sortable="true" width="110"/>
  <ReportColumnConfig field="firstName" header="rept_user_details_col_firstname" property="firstname" sortable="true" width="110"/>
  <ReportColumnConfig field="capability" header="Capability" property="capabilities.name" sortable="true" width="110"/>
</Columns>

c. Effectively, this report retrieves all the identities in the system and lists the four
columns (name, lastname, firstname, capabilities.name) defined.

d. Close the Capabilities Report XML.

8. Still on the Debug Page, search again for TaskDefinition objects and this time look for the
My Capabilities Report that we just created and view the report XML.

a. Observe that this definition includes the specific configuration for My Capabilities
Report.

i. Notice the entry key for reportColumnOrder. Why are only two columns
listed?

________________________________________________________________________________________

________________________________________________________________________________________

b. Observe that the My Capabilities Report XML references the report template from
which it was configured.

<Reference class="sailpoint.object.TaskDefinition" id="ff80808140569e2201407d0889211672" name="Capabilities Report"/>

c. Close the My Capabilities Report XML.


Extend the Report


1. Continuing to work on the Debug Pages, redisplay the Capabilities Report XML.

2. Extend the Columns in the Capabilities Report to add the user’s region and location.

a. Add the following ReportColumnConfigs to the existing Columns

<ReportColumnConfig field="region" header="Region" property="region" sortable="true" width="110"/>
<ReportColumnConfig field="location" header="Location" property="location" sortable="true" width="110"/>

Note: Enter each ReportColumnConfig as one line of text. There is no “enter” before
property, only a space.

b. Click Save

3. Navigate to Intelligence → Reports and click the Reports tab.

4. Configure a new Capabilities Report.

a. Name: My Capabilities Report 2

5. Click Save and Preview and confirm that the Region and Location columns are now
displayed.

6. From the dropdown menu next to Last Name, click Columns and remove Last Name and
First Name from the report.

a. Save your changes


7. From the Select an action menu (top, left), select Run Now, and when the report is
complete click View Report Results.

a. What are the two format options for downloading a report?

_________________________________ _________________________________

This concludes Section 3.

Extension Exercises (Optional)


The following report extensions are optional. They provide additional practice with extending
reports. Note that these are advanced exercises and little is provided by way of instruction. If
necessary, use the solution files as examples for your solution.

Extend the Report using Signatures and Forms


1. Extend the Capabilities Report so that it can be configured to search for
capabilities by Identity and by Manager.

a. Extend the report using Query Parameters and a Signature to allow users to filter
the results.

Run the report and notice that the new Report Options section allows the user to
filter the report based on the values specified in the Signature. The Report Options
section uses the default form for display and lists items in a single column.

Solution File: /home/spadmin/ImplementerTraining/config/Report-CustomCapabilities3.xml

b. Extend the report using the previously created Signature and a Form to control the
display. Load the XML for the form from:
/home/spadmin/ImplementerTraining/config/Report-CapabilitiesForm.xml.

Run the report and notice that now the middle section is called Capabilities Filters
(from the form) and the section uses the specified form to list items in two columns.

Solution File: /home/spadmin/ImplementerTraining/config/Report-CustomCapabilities4.xml

Extend the Report to Limit Returned Data


1. Extend the report to add a query option to show only capabilities with values.

Solution File: /home/spadmin/ImplementerTraining/config/Report-CustomCapabilities5.xml
