
SailPoint IIQ: Rule Modeling in Real Java :-)

I’ve been sitting on this article and concept for months and have had others ask me about it via email — whether I’ve ever done something like this before — and well… here it is.

Tired of No BeanShell Coding Validation!

It turns out I was sitting around in my hotel room in Bangalore on India's Independence Day last year, whacking away on some client code, doing some data modeling using CSV. I had a somewhat involved BuildMap rule I was working on and I was getting a null pointer exception I simply could not find. A few hours later, once I discovered the one simple coding mistake behind it, I was finally on my way. But it was really discouraging to know that if I had been coding in Eclipse, the mistake would have been spotted immediately.

The next thought I had was actually two-fold. While I have at times written test harnesses in real Java using the SailPoint IIQ Java libraries (i.e., the jars) and dropped my BeanShell code into methods to instantly validate the syntax, I have also wanted, at some point, to be able to simulate or partially simulate rule modeling and data modeling outside of SailPoint IIQ, using Java I had complete control over writing and executing.

So on this particular day, being particularly irked, I decided to combine those two wishes and see what I could do about building a place where I could not only drop BuildMap rule code, for instance, into Eclipse and instantly validate it, but also execute the code I intended for SailPoint IIQ against the same connector sources I had connected to SailPoint IIQ (in development, of course!) and see and manipulate the results.

Once I was done iterating my development over a real dataset, I could take my validated Java code, drop it back into Sailpoint IIQ in BeanShell and have not only validated but also working code in Sailpoint IIQ with very little or no modification.

Establishing SailPoint Context

One thing you will need if you want to run your Java code in an actual SailPoint IIQ context outside of SailPoint IIQ proper is a SailPointContext established in your code. This, I will tell you, while not impossible, is not easy to do. You need to bootstrap the Spring Framework and a good deal of other plumbing. If you are interested in doing this and have access to SailPoint Compass, you can read about establishing SailPointContext here [4].

Since doing that much work wasn't something I had time for, almost immediately I decided to implement a partial simulation that would allow me to (1) model and validate my rule and (2) model my data very simply and easily, without establishing a SailPointContext. I could still achieve my goal of iterating the solution to produce validated and working code to drop back into SailPoint IIQ this way.

The Code

Amazingly, the code for simulating a BuildMap rule, pointing it at the actual CSV I intend for SailPoint IIQ, and simulating an account aggregation task is not that complex. Once you have the code, if you understand how SailPoint IIQ works in general, you could conceivably re-engineer and simulate other segments of SailPoint IIQ processing, or model other rule types and/or data outside of SailPoint IIQ [1].
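To make the partial simulation concrete, here is an added example that is not the code from the original post: a stand-alone Java class with no dependency on the SailPoint jars. The `buildMap` method is written the way a delimited-file BuildMap rule body is written, taking only the `cols` and `record` lists the connector passes in (the real rule also receives `application`, `schema`, `state` and `log`, which this harness does not model). `simulateAggregation` plays the part of the aggregation task: it reads the header row as `cols`, feeds every data row to the rule, and collects the resulting account maps keyed by the identity attribute. The CSV content, the attribute names and the two transformations are constructed for illustration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical stand-in for an IIQ delimited-file aggregation. It reads a CSV,
 * hands each row to buildMap() the way the connector hands it to a BuildMap
 * rule, and collects the resulting account maps. No SailPoint jars are needed,
 * so the rule body compiles and runs in Eclipse on its own.
 */
public class BuildMapSimulator {

    /**
     * The rule body. Keep this method free of anything beyond the rule's own
     * inputs (cols, record) so it can be pasted into the rule's BeanShell
     * Source with no more than trivial edits.
     */
    public static Map<String, Object> buildMap(List<String> cols, List<String> record) {
        Map<String, Object> map = new HashMap<String, Object>();
        // Straight column-to-attribute copy, what the connector does with no rule.
        // A short row leaves its trailing columns null instead of throwing.
        for (int i = 0; i < cols.size(); i++) {
            map.put(cols.get(i), i < record.size() ? record.get(i) : null);
        }

        // Transformation 1: normalise the email address. The null guard is the
        // kind of check that is easy to forget in BeanShell and trivial to spot
        // once the same code is compiled in Eclipse.
        String email = (String) map.get("email");
        if (email != null) {
            map.put("email", email.trim().toLowerCase());
        }

        // Transformation 2: turn the pipe-delimited "groups" column into a List
        // so the schema can mark it as a multi-valued entitlement attribute.
        String groups = (String) map.get("groups");
        List<String> groupList = new ArrayList<String>();
        if (groups != null && groups.length() > 0) {
            for (String g : groups.split("\\|")) {
                if (g.trim().length() > 0) groupList.add(g.trim());
            }
        }
        map.put("groups", groupList);
        return map;
    }

    /** Minimal CSV split: comma separated, no quoting, enough for the sample file. */
    static List<String> splitLine(String line) {
        return new ArrayList<String>(Arrays.asList(line.split(",", -1)));
    }

    /**
     * Simulates the aggregation loop: the header row becomes cols, every other
     * row becomes record. Returns the account maps keyed by identityAttribute.
     */
    public static Map<String, Map<String, Object>> simulateAggregation(
            BufferedReader in, String identityAttribute) throws IOException {
        Map<String, Map<String, Object>> accounts =
            new LinkedHashMap<String, Map<String, Object>>();
        String header = in.readLine();
        if (header == null) return accounts;
        List<String> cols = splitLine(header);
        String line;
        while ((line = in.readLine()) != null) {
            if (line.trim().length() == 0) continue; // skip blank lines
            Map<String, Object> account = buildMap(cols, splitLine(line));
            Object id = account.get(identityAttribute);
            if (id == null || id.toString().trim().length() == 0) {
                // Inside IIQ this would be a silent skip or an NPE deep in the
                // aggregation task; here it is visible at once.
                System.err.println("Row without " + identityAttribute + ": " + line);
                continue;
            }
            accounts.put(id.toString(), account);
        }
        return accounts;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data; point a FileReader at the real CSV instead.
        String csv = "sAMAccountName,email,department,groups\n"
                   + "jdoe, JDoe@Example.com ,Finance,gl-users|ap-approvers\n"
                   + "asmith,asmith@example.com,HR,\n"
                   + ",nobody@example.com,IT,helpdesk\n";
        Map<String, Map<String, Object>> accounts =
            simulateAggregation(new BufferedReader(new StringReader(csv)), "sAMAccountName");
        for (Map.Entry<String, Map<String, Object>> e : accounts.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

Run it with `javac BuildMapSimulator.java && java BuildMapSimulator`; the third row is reported on stderr and dropped because it has no identity value, which is exactly the class of data problem the author describes hunting for by hand. When the body of `buildMap` goes back into the rule, strip the generic type parameters (`Map<String, Object>` becomes `Map`), since BeanShell does not accept Java generics; everything else carries over unchanged.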


Stupid SailPoint Developer Tricks

Hello, mates — as they say Down Under, where I happen to be at the moment on a rather large Sailpoint engagement. It’s been a while, and I’m sorry for that. I keep promising more, new and better content and haven’t delivered.

The last couple of months however have been absolutely crazy and there have been some changes on my end, as you perhaps can see. Now that things have shaped up a bit, maybe I can get back to the business at hand here on the blog, again as I have time.

Stupid Pet Tricks

When I was growing up and in college, a comedian became famous (partially) by having a segment on his show called "Stupid Pet Tricks." Some were hilarious and some… belonged on the 1980s "Gong Show." (If you've never heard of "The Gong Show," trust me, you aren't missing anything.)

Since that time, I’ve always thought of various developer tricks in the same light. Some are quite slick and useful and some… really just need to be buried. I’ll leave it to you to decide on this one.

Out of sheer laziness, while onboarding SailPoint applications that feature a BuildMap rule (e.g., BuildMap, JDBCBuildMap, and SAPBuildMap), I sometimes use a method for "printing debug statements" that I can see directly and immediately in connectorDebug, without having to jump into or tail the SailPoint IIQ log or application server logs.

It’s also just a bit less verbose as the Sailpoint IIQ logs typically have a large class identification prefix in front of them, which can get rather cumbersome and make it more difficult to pick out one’s intended debug output.

Plus I hate changing logging levels in log4j.properties even though the Sailpoint IIQ debug page allows me to load a new logging configuration dynamically. In short, I’m just a lazy, complaining type when it comes to Sailpoint IIQ debug statements.

Someone mentioned this would be worth blogging about, so here goes. (At the very least, this is an easy article to write and perhaps will get me back into the blogging swing?!)

__DEBUG__ Schema

Now, I would definitely recommend doing this only on a local or designated sandbox and then making sure you clean up before checking in your code. (You are using some form of source code control for your Sailpoint IIQ development, aren’t you?!)


SailPoint IIQ: Best Practice – Native Change Detection

December 13th, 2012 | No Comments | Posted in IAM Development, Vendor Specific

This should be a short post. What I want to offer is longer than what I can fit into a tweet (@IdMConsultant), but pretty simple to state. (But since I’m blogging, I will expand slightly… :-))


For the new Native Change Detection feature in SailPoint IIQ v6.0, SailPoint warns that NCD must be turned on only after your first aggregation. Obviously, if NCD is turned on before this, every account seen on that first aggregation is a "change," which will kick off a lot of needless workflows (at best) and could result in some possibly serious consequences in terms of changes made downstream (at worst, depending on how you've customized the resulting LCE workflow, especially if you've elected a heavy-handed approach to NCD).

Native Change Detection Best Practice

I would extend this recommendation and state, as a Best Practice, don't turn on NCD until after the aggregations for an application have "matured." That is, you've worked through all the kinks that typically come with a production aggregation scenario. Almost always, there is something "forgotten" in an initial aggregation or even the first two or three aggregations. A transformation rule has to be written… You forgot an attribute… Your app owner and you decide another attribute needs to be added to the application… You forget to mark an entitlement… You don't realize immediately you aren't getting all the expected data… etc.

You can "mature" or solidify your application aggregations in one of two ways, or a combination of both:

(1) Work out your aggregation details in lower environments. Attributes and schemas here should match what you plan to place into production. But since your data isn't always the same in your lower environments as in production, you should also…

(2) Allow for a number of aggregations in Production with production data. I would recommend at least 2-3 validated aggregations with Production data to solidify expectations.

Native Change Detection is a powerful new feature of SailPoint IIQ that, together with the other new features of v6.0, is quickly positioning SailPoint IIQ as THE authoritative governance application in the enterprise. So to recap:


(1) Don’t turn on Native Change Detection until aggregations for an application have matured or been solidified.

(2) Turn on Native Change Detection only one application at a time!! Plan your usage of NCD, and either turn NCD on one application at a time or in small groups of related applications (e.g., Active Directory and Exchange). I really recommend one application at a time. If you don't take this #2 approach, I promise you… you are asking for trouble! :-)

(3) I would even go so far as to recommend enabling one NCD function (e.g., create, modify, or delete) at a time, at least in your earliest uses of NCD. So: one function, for one application, at a time.

Plan. Map. Forecast. Test. Execute. Mitigate. Don’t “willy nilly” with this. :-)

Rising above 15″ of snow in the Twin Cities and wishing you the best with this fantastic new feature of Sailpoint IIQ!
