12 Oct 2024
Understanding Java and JDK
Before diving into the commands, let’s clarify:
- Java: A programming language used to create software applications.
- JDK (Java Development Kit): A toolkit that includes the Java Runtime Environment (JRE), compiler, debugger, and other tools needed to develop Java applications.
Checking the Current JDK Version
- Open Terminal: Use the Spotlight search (Command + Space) or navigate to Applications > Utilities > Terminal.
- Execute the Command: Type the following command and press Enter:
This will display the installed Java version. If no output appears, it means Java is not installed.
Installing a Specific JDK
If you need to install a different JDK (e.g., for a specific project or environment), follow these steps:
- Download the JDK: Visit the Oracle website (https://www.oracle.com/java/technologies/downloads/) and download the desired JDK for macOS.
- Extract the Archive: Double-click the downloaded DMG file and drag the JDK folder to the /Library/Java/JavaVirtualMachines directory.
- Update Environment Variables: Open Terminal and execute the following command to update the environment variables:
Add the following line to the end of the file, replacing /Library/Java/JavaVirtualMachines/jdk-11.0.1.jdk/Contents/Home with the actual path to your JDK:
export JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk-11.0.1.jdk/Contents/Home"
Save the file (Command + X, then Y) and close the Terminal.
- Reload Environment Variables: Open a new Terminal window or execute the following command in the existing one:
Setting a Default JDK
To set a specific JDK as the default for your shell, point JAVA_HOME at it through the java_home helper, replacing 11 with the major version of the desired JDK (the java_home -V command in the next section lists the versions that are installed):
export JAVA_HOME="$(/usr/libexec/java_home -v 11)"
Verifying the Default JDK
To check the current default JDK, execute the following command:
/usr/libexec/java_home -V
Additional Tips
- Homebrew: If you use Homebrew, you can install and manage JDKs using the brew command. For example, to install JDK 11:
- Multiple JDKs: You can have multiple JDKs installed and switch between them using the JAVA_HOME environment variable or tools like jenv or sdkman.
By following these steps, you can effectively manage Java JDK versions on your macOS system.
30 Sep 2024
Oracle Identity Management (OIM) helps organizations manage user access and ensure security through regular certifications. Certification queries allow you to track the progress of user access reviews. Here’s a quick breakdown of a certification query in OIM and how it works.
Sample Certification Query
SELECT DISTINCT
cc.ID AS ID,
cd.cert_name,
cc.CERT_NAME AS CERTIFICATE_NAME,
CS.PERCENT_COMPLETE AS COMPLETION_PERCENT,
CDU.USR_LOGIN AS MANAGER,
CDU.USR_DISPLAY_NAME AS MANAGER_USERNAME,
CDU.USR_EMAIL AS MANAGER_EMAIL,
COALESCE(CS.LID2_COMPL, 0) AS ACCOUNT_COMPLETED,
COALESCE(CS.LID2_TOT, 0) AS ACCOUNT_TOTAL,
COALESCE(CS.LID3_COMPL, 0) AS ENTITLEMENT_COMPLETED,
COALESCE(CS.LID3_TOT, 0) AS ENTITLEMENT_TOTAL
FROM
cert_certs CC
LEFT OUTER JOIN PRODOIM_OIM.CERTD_STATS CS ON CC.ID = CS.CERT_ID
LEFT OUTER JOIN USR CDU ON CDU.USR_KEY = CC.CERTIFIER_ID
LEFT OUTER JOIN CERT_DEFN cd ON UPPER(cc.CERT_NAME) LIKE '%' || UPPER(cd.cert_name) || '%'
WHERE
cc.CREATEDATE > sysdate - 90
AND LINE_ITEM_TYPE = 0
ORDER BY ID DESC;
Key Points of the Query
- Certification Details:
- ID: Unique certification ID.
- Certificate Name: Name of the certification.
- Completion Percentage: How much of the certification process is done.
- Certifier (Manager) Information:
- Manager Login/Name/Email: Details of the manager responsible for the certification.
- Progress on Accounts and Entitlements:
- Accounts Certified: The number of certified user accounts.
- Entitlements Certified: The number of certified permissions (entitlements) granted to users.
- Filtering and Sorting:
- The query filters certifications created in the last 90 days (cc.CREATEDATE > sysdate - 90).
- Results are sorted by certification ID in descending order.
Why This Query Matters
- Audit & Compliance: This query helps track the status of certifications, which is crucial for regulatory compliance (e.g., SOX, GDPR).
- Real-time Monitoring: Managers can easily see which certifications need attention and follow up on incomplete certifications.
- Customizable: The query can be adapted to focus on specific certifications, timeframes, or managers.
Conclusion
This certification query in OIM provides a simple way to track progress on access reviews, ensuring timely completion and supporting compliance efforts. You can modify this query to suit your organization’s specific certification reporting needs.
30 Sep 2024
In a SailPoint IdentityIQ (IIQ) implementation for a large organization, it is important to define both Birthright Roles and IT Roles strategically. Here’s a breakdown of each:
Birthright Roles
Birthright roles are automatically assigned to users based on their attributes (e.g., department, location, job title). These are often used to provision basic access required for employees to perform their roles from the start.
Suggested Birthright Roles for a Large Organization
- Basic Employee Role
- Access to the organization’s intranet.
- Email account creation.
- Basic communication tools (e.g., Slack, Microsoft Teams).
- Access to HR systems for self-service functions (leave requests, pay stubs).
- Directory access (e.g., LDAP or AD) for organization-wide contact lookup.
- Department-Specific Roles
- HR Role: Access to HR applications like payroll, performance management systems.
- Finance Role: Access to basic financial tools, budget management systems.
- Marketing Role: Access to marketing automation tools, CRM.
- IT Support Role: Access to ticketing systems, documentation portals.
- Engineering Role: Access to version control (e.g., GitLab, GitHub), DevOps tools, code repositories.
- Location-Based Role
- Access to location-specific systems (e.g., access to certain network drives or facilities).
- Region-specific HR or legal resources.
- Manager Role
- Access to employee management tools (approval workflows, performance management).
- Delegation capabilities and reporting.
- Temporary/Contractor Role
- Time-limited access to systems relevant to specific projects.
- Restricted permissions to sensitive information or corporate assets.
- New Hire Role
- Access to onboarding materials.
- Limited temporary access to common systems until role assignment.
IT Roles
IT roles provide access to specific applications and infrastructure management tools. These roles are typically assigned based on specific job functions in the IT department and require elevated privileges.
Suggested IT Roles for SailPoint Implementation
- Help Desk Role
- Access to user management tools (password resets, account unlock).
- Limited administrative rights on systems to troubleshoot basic IT issues.
- Network Administrator Role
- Access to network management tools (firewalls, routers, switches).
- Ability to provision network resources like VLANs, VPNs.
- Access to network monitoring systems.
- Database Administrator Role
- Full access to manage databases (e.g., Oracle, MySQL).
- Role-based restrictions on certain sensitive databases.
- Access to backup and disaster recovery tools.
- System Administrator Role
- Full administrative access to operating systems (Windows, Linux).
- Control over user accounts and permissions at the OS level.
- Access to system monitoring and performance tools.
- Application Administrator Role
- Admin access to specific business applications (e.g., CRM, ERP, HRMS).
- Ability to configure and manage roles within those applications.
- Manage application updates and performance.
- DevOps Role
- Access to CI/CD tools (e.g., Jenkins, GitLab CI).
- Infrastructure management (e.g., AWS, Azure, Kubernetes clusters).
- Access to development and production environments.
- Security Administrator Role
- Access to security monitoring tools (SIEM, IDS/IPS systems).
- Privileged access to configure security policies (firewall rules, encryption).
- Ability to manage user access audits and incident response.
- Identity Administrator Role
- Full access to SailPoint IdentityIQ for managing roles, provisioning, and deprovisioning.
- Audit and review permissions across the organization.
- Ability to create and modify certification campaigns.
- Access Reviewer Role
- Assigned to managers or security teams to review user access periodically.
- Ability to certify access or flag anomalies for review.
- Compliance Auditor Role
- Read-only access to reports on user access and policy compliance.
- Ability to generate and review compliance reports for audits.
When designing these roles, it’s essential to maintain a balance between security (the least privilege principle) and usability for employees. Tailor these roles to organizational needs, regulatory compliance (e.g., GDPR, SOX), and the specific structure of the IT environment.
20 Sep 2024
Delta Aggregation Support in SailPoint Web Service Connector
Delta aggregation plays a vital role in optimizing identity management processes by ensuring that only the changes (deltas) since the last aggregation are retrieved, reducing time and resource consumption. In SailPoint IdentityIQ, this feature allows efficient synchronization with external systems by only fetching modified or new records instead of performing a full account aggregation each time.
Does SailPoint Web Service Connector Support Delta Aggregation?
The Web Service connector, as it stands out-of-the-box, does not natively support delta aggregation. However, through custom configurations and clever rule manipulation, it is possible to enable delta aggregation for Web Service-based integrations.
Implementing Delta Aggregation with Web Service Connector
To implement delta aggregation in a Web Service connector within SailPoint, you can follow a custom approach that involves using rules and tasks to modify the connector behavior dynamically. Here’s an outline of how it can be done:
1. WebServiceBeforeOperation Rule
One method for implementing delta aggregation is by using a WebServiceBeforeOperation rule. This rule checks the primary account aggregation task and looks for a delta aggregation attribute. If delta aggregation is enabled, the rule manipulates the web service call’s ContextURI or body payload to include a timestamp. This timestamp represents the last successful aggregation date, retrieved from the application configuration. The web service then returns only the changes since that date.
2. Standard and Delta Aggregation Tasks
You will need two separate tasks:
- Full Account Aggregation Task: This is the standard task that aggregates all accounts.
- Delta Account Aggregation Task: This task runs more frequently and aggregates only the changes since the last aggregation.
Both tasks can be part of a sequential workflow that toggles between full and delta aggregations as needed.
3. Automating Task Execution
You can schedule the delta aggregation task to run on an hourly basis, while the full aggregation task could be scheduled less frequently (e.g., weekly). The delta task will focus on identifying newly added or modified accounts, whereas the full task ensures that deleted accounts or any missed changes are captured.
In this scenario:
- Delta Task: Runs a rule to set deltaAggregation = true and checkDeleted = false.
- Full Task: Resets deltaAggregation = false and checkDeleted = true.
By doing this, you ensure that delta aggregation picks up incremental changes, while full aggregation takes care of the rest, including cleanup of deleted accounts.
Example Configuration
BeanShell Rule for Delta Aggregation:
// deltaAggregationEnabled: boolean toggle computed earlier in the rule
// (true for the Delta Account Aggregation task, false for the Full one).
// task: the aggregation task whose arguments are being set.
if (deltaAggregationEnabled) {
    // Fetch only changes; skipping the delete check keeps the frequent delta run fast.
    task.setAttribute("deltaAggregation", true);
    task.setAttribute("checkDeleted", false);
} else {
    // Full run: aggregate everything and remove accounts the source no longer returns.
    task.setAttribute("deltaAggregation", false);
    task.setAttribute("checkDeleted", true);
}
This rule dynamically sets the attributes for each task to determine whether a full or delta aggregation should be performed.
Dealing with Last Aggregation Timestamp
For delta aggregation to work effectively, you need to keep track of the last successful aggregation timestamp. This timestamp can either be stored in the application configuration or in a custom table in the IdentityIQ database.
Here are two possible methods to retrieve the timestamp:
- Application Configuration: Store the timestamp of the last successful aggregation within the configuration of the connected application and retrieve it during the WebServiceBeforeOperation rule.
- Custom Database Table: Create a custom table in IdentityIQ to store metadata such as the last aggregation timestamp. You can then fetch this timestamp inside the rule and use it to perform the delta aggregation.
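Putting the WebServiceBeforeOperation rule from step 1 together with the application-configuration timestamp lookup just described, here is an added example rule body (BeanShell; not code from the original post or from SailPoint's connector). It assumes the application configuration carries the toggle in deltaAggregation and the last successful run as an ISO-8601 UTC string in lastAggregationTimestamp, and that the target API filters on a modifiedSince query parameter; all three names are assumptions.

```java
import java.net.URLEncoder;
import java.time.Instant;
import sailpoint.tools.Util;

// Added example, not the post's or SailPoint's code. Rule inputs supplied by
// IdentityIQ: application, requestEndPoint, log. Assumed names (not on the page):
// application attributes "deltaAggregation" and "lastAggregationTimestamp"
// (ISO-8601, UTC) and the target API's "modifiedSince" query parameter.
String TS_ATTR = "lastAggregationTimestamp";
String PARAM = "modifiedSince";

boolean delta = Util.otob(application.getAttributeValue("deltaAggregation"));

// Narrow only the account aggregation call; group aggregation, test connection
// and provisioning operations keep the URL they were configured with.
if (delta && "Account Aggregation".equals(requestEndPoint.getOperationType())) {
    String ts = (String) application.getAttributeValue(TS_ATTR);
    if (Util.isNullOrEmpty(ts)) {
        // First run (or the value was cleared): fall back to a full fetch rather
        // than silently aggregating nothing.
        log.warn("deltaAggregation is set but " + TS_ATTR + " is empty; fetching everything");
    } else {
        try {
            Instant.parse(ts); // reject anything that is not a timestamp before it reaches the URL
            String url = requestEndPoint.getFullUrl();
            String sep = (url.indexOf('?') >= 0) ? "&" : "?";
            requestEndPoint.setFullUrl(url + sep + PARAM + "=" + URLEncoder.encode(ts, "UTF-8"));
            log.debug("Delta aggregation since " + ts + " -> " + requestEndPoint.getFullUrl());
        } catch (Exception e) {
            // Malformed timestamp: log it and keep the full URL so the run still completes.
            log.error("Ignoring malformed " + TS_ATTR + " '" + ts + "': " + e.getMessage());
        }
    }
}
return requestEndPoint;
```

Write lastAggregationTimestamp back only after the task has finished successfully; updating it at the start of a run that later fails leaves a window of changes that no subsequent delta run will ever fetch.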
Conclusion
While the Web Service connector in SailPoint IdentityIQ does not inherently support delta aggregation, with custom configurations and rules, you can enable delta aggregation efficiently. This setup can reduce the overhead of full account aggregations and ensure that only the most recent changes are aggregated, making identity management more responsive and scalable.
By scheduling delta aggregation tasks and maintaining full aggregations for cleanup, you can strike a balance between performance and completeness in your integration processes.
20 Sep 2024
Implementing a Three-Level Approval Workflow in SailPoint IdentityIQ
Approval workflows in identity governance are essential to ensure that access requests are validated and approved by the right authorities. In SailPoint IdentityIQ, you can customize workflows to fit your organization’s approval requirements, including multi-level approval processes. This post explores how to implement a three-level approval system, where access requests go through:
- Level 1: Manager of the requester
- Level 2: General Manager of the department
- Level 3: Any additional approver (for example, security officers or specific identities)
Understanding SailPoint Approval Workflow
SailPoint’s provisioning workflows allow for flexible approval configurations using the approvalScheme and approvingIdentities variables. By leveraging these variables, you can create sequential or parallel approval flows that involve multiple identities, managers, or workgroups.
In this case, we will create a sequential three-level approval process using a custom workflow.
Steps to Implement the Three-Level Approval Process
1. Define Workflow Variables
Start by defining the variables that will store the identities of the approvers at each level:
<Variable editable="true" name="manager"/>
<Variable editable="true" name="generalManager"/>
<Variable editable="true" name="identityApprover"/>
These variables will store the identities of the manager, general manager, and any other specific identity (e.g., security officer or external approver) that need to approve the request.
2. Define the Approval Scheme
In SailPoint, the approvalScheme variable determines how approval items are generated and processed. To create a three-level approval flow, you can use the following setup:
<Variable initializer="manager,generalManager,identityApprover" name="approvalScheme">
<Description>
A comma-separated string that defines how approval items are generated.
The approval process will include the requester's manager, the department's
general manager, and an additional identity approver.
</Description>
</Variable>
3. Setting Approving Identities
The approvingIdentities variable will contain the identities or workgroups that need to approve the request. You can concatenate the identities as follows:
<Variable input="true" name="approvingIdentities">
<Description>
List of identities and/or workgroups names/ids involved in the approval process.
</Description>
</Variable>
For this three-level approval process, the identities of the manager, general manager, and identity approver can be dynamically set in the workflow:
<Variable initializer="manager,generalManager,identityApprover" input="true" name="approvingIdentities"/>
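As an added example (BeanShell; not from the original post or from SailPoint), a workflow Script step that fills approvingIdentities at run time instead of relying on the fixed initializer. It assumes the standard identityName variable holds the requester, that the general manager is the manager of the requester's manager, and that fallbackWorkgroup names a workgroup to use when a manager link is missing; the last two are assumptions, since the post does not say how the general manager is located.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.Set;
import sailpoint.object.Identity;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Added example, not the post's or SailPoint's code. Script inputs: context,
// identityName (requester), identityApprover (third-level approver from the
// workflow variables), fallbackWorkgroup (assumed: workgroup used when a manager
// is missing, inactive, or would be approving their own request). Set
// resultVariable="approvingIdentities" on the Step so the return value lands there.
Identity requester = context.getObjectByName(Identity.class, identityName);
if (requester == null) {
    throw new GeneralException("Requester not found: " + identityName);
}

// LinkedHashSet keeps the manager -> general manager -> approver order that
// sequential mode relies on, while dropping duplicates (manager == general manager).
Set approvers = new LinkedHashSet();

Identity manager = requester.getManager();
// Level 1: a requester must never approve their own request, and an inactive
// manager cannot act; either way the level is routed to the fallback workgroup.
if (manager == null || manager.isInactive() || manager.getId().equals(requester.getId())) {
    approvers.add(fallbackWorkgroup);
} else {
    approvers.add(manager.getName());
}

// Level 2: assumed to be the manager's manager (the page does not define this lookup).
Identity generalManager = (manager != null) ? manager.getManager() : null;
if (generalManager == null || generalManager.isInactive()
        || generalManager.getId().equals(requester.getId())) {
    approvers.add(fallbackWorkgroup);
} else {
    approvers.add(generalManager.getName());
}

// Level 3: the configured identity or workgroup, if any.
if (Util.isNotNullOrEmpty(identityApprover)) {
    approvers.add(identityApprover);
}

// approvalScheme consumes a comma-separated list of identity/workgroup names.
return Util.listToCsv(new ArrayList(approvers));
```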
4. Parallel vs. Sequential Approvals
You can configure the approval flow to be either parallel or sequential depending on your organization’s requirements.
For sequential approval (one approver after the other):
<Variable initializer="sequential" name="approvalMode"/>
For parallel approval (all approvers receive the request simultaneously):
<Variable initializer="parallel" name="approvalMode"/>
In our case, since the approvals need to be processed in sequence (starting with the manager, then the general manager, and finally the identity approver), we use the sequential mode.
5. Building the Approval Workflow
With the variables and configuration in place, you can now define the actual workflow steps. Here’s a simplified example:
<Workflow name="ThreeLevelApprovalWorkflow">
<Start>
<!-- Initial step: Search for the requester and prepare the request -->
</Start>
<ApprovalSet>
<!-- Step to build the approval set based on the defined scheme -->
</ApprovalSet>
<Approval>
<!-- Step to execute the approval process -->
<ApprovalStage stage="1" actor="${manager}" />
<ApprovalStage stage="2" actor="${generalManager}" />
<ApprovalStage stage="3" actor="${identityApprover}" />
</Approval>
<Provision>
<!-- If all approvals are successful, proceed with provisioning -->
</Provision>
<Notify>
<!-- Notify security officers or relevant teams -->
</Notify>
<Audit>
<!-- Log the workflow for auditing purposes -->
</Audit>
<Stop>
<!-- End of workflow -->
</Stop>
</Workflow>
Scheduling and Customization
Once you have the workflow configured, it can be scheduled to run based on specific triggers or events (e.g., an access request or entitlement modification). The flexibility of SailPoint allows for further customizations, such as:
- Setting timeouts for each approval level
- Escalating requests if approval is not received in time
- Adding additional approval steps if required
Conclusion
By leveraging SailPoint IdentityIQ’s flexible workflow engine, you can implement complex, multi-level approval processes that ensure proper oversight over access requests. The three-level approval process described here ensures that each access request is validated by the requester’s manager, the department’s general manager, and an additional identity approver, adding layers of security and compliance to your provisioning workflows.
Whether you’re handling role assignments, entitlement modifications, or identity provisioning, this customizable approval process helps streamline governance while adhering to organizational policies.