<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule created="1691658072552" id="c0a8c78e89de1e298189deadb1e82b9e" language="beanshell" modified="1691659060902" name="Exclusion rule Ent and role" type="CertificationExclusion">
<Description>This rule is an example Certification Exclusion rule. For each certifiable entity it moves birthright roles (matched by a name prefix) and entitlements whose RoleId attribute is 4 out of the items list, and it removes all of the certifiable items from the certification if the identity being certified is marked as inactive.</Description>
<Signature returnType="String">
<Inputs>
<Argument name="log" type="org.apache.commons.logging.Log">
<Description>
The log object associated with the SailPointContext.
</Description>
</Argument>
<Argument name="context" type="sailpoint.api.SailPointContext">
<Description>
A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
</Description>
</Argument>
<Argument name="entity" type="AbstractCertifiableEntity">
<Description>
The AbstractCertifiableEntity that is part of the certification.
Currently, this is either an Identity, ManagedAttribute, or Bundle.
</Description>
</Argument>
<Argument name="certification" type="Certification">
<Description>
The certification that this identity is part of.
</Description>
</Argument>
<Argument name="certContext" type="CertificationContext">
<Description>
The CertificationContext that is being used to generate the
certification.
</Description>
</Argument>
<Argument name="items" type="List">
<Description>
List of Certifiable items that are currently part of the
certification for this identity. Any items that should be excluded
from the certification should be deleted from this list and added
to the itemsToExclude list.
</Description>
</Argument>
<Argument name="itemsToExclude" type="List">
<Description>
A List of Certifiable items that should not be included in the
certification. This list will be empty when the rule is executed
and any items that should not be part of the certification should
be moved from the items list to the itemsToExclude list.
</Description>
</Argument>
<Argument name="state">
<Description>
A Map containing state information.
</Description>
</Argument>
</Inputs>
<Returns>
<Argument name="explanation" type="String">
<Description>
An optional explanation describing why the items were excluded.
</Description>
</Argument>
</Returns>
</Signature>
<Source>
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Identity;

// Returned to the certification as the reason for exclusion; stays null when
// no identity-wide exclusion happened (the original left it undeclared).
String explanation = null;

// Prefix that identifies birthright roles. The original rule used "" here,
// which String.startsWith() matches for every role, so ALL roles would
// silently drop out of the access review. Set this to your naming
// convention; until it is set, no role is excluded (fail towards certifying).
String birthrightRolePrefix = "";

// Iterate through the certification items. Removal must go through the
// iterator (it.remove()) to avoid a ConcurrentModificationException.
Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();

    if (certifiable instanceof Bundle) {
        // Exclude birthright roles
        Bundle role = (Bundle) certifiable;
        String rolename = role.getName();
        if (birthrightRolePrefix.length() > 0 && rolename != null
                && rolename.startsWith(birthrightRolePrefix)) {
            it.remove();
            itemsToExclude.add(certifiable);
        }
    } else if (certifiable instanceof EntitlementGroup) {
        // Exclude entitlements whose RoleId attribute has the value 4
        EntitlementGroup entgrp = (EntitlementGroup) certifiable;
        Attributes atts = entgrp.getAttributes();
        if (atts != null) {
            Iterator entit = atts.getKeys().iterator();
            while (entit.hasNext()) {
                String attrname = (String) entit.next();
                // getString() returns null for an unset attribute; a
                // multi-valued attribute will not compare equal to "4"
                String attrval = atts.getString(attrname);
                if ("RoleId".equalsIgnoreCase(attrname) && "4".equalsIgnoreCase(attrval)) {
                    it.remove();
                    itemsToExclude.add(certifiable);
                    // The item is already removed; a second it.remove() for
                    // the same item would throw IllegalStateException
                    break;
                }
            }
        }
    }
}

// Exclude inactive identities. The entity is an Identity only in identity
// certifications (manager, application owner, ...); in role composition or
// entitlement owner certifications it is a Bundle or ManagedAttribute, and
// the original unconditional cast would throw ClassCastException.
if (entity instanceof Identity) {
    Identity currentUser = (Identity) entity;
    if (currentUser.isInactive()) {
        // Expected condition, not an error: log at info level
        log.info("Not certifying inactive user: " + currentUser.getDisplayName());
        itemsToExclude.addAll(items);
        items.clear();
        explanation = "Not certifying inactive users";
    }
}
return explanation;
</Source>
</Rule>
This is to find inactive Identities from IIQ. Here we can filter Entitlements and Roles also. We can use this rule in a SailPoint certification rule.

Exclude "inactive" Identities from a Manager certification.

Exclude items from a certification when they have already been included in another active certification. For example, in some organizations, the Manager might be responsible for the access review but team Leads are charged with reviewing their group's Entitlements before they are sent to the Manager. A pre-delegation rule can be written to pre-delegate items to the Leads. When the Leads' reviews are complete, the items are returned to the Manager for final approval and sign-off.
An easier option would be to just use the option "Exclude Inactive Identities" on the "Advanced" page of the manager certification, or use a Targeted certification and only include active identities. No code needed in that case.