16 Jul 2024
Lifecycle Events in SailPoint IdentityIQ
In IdentityIQ, Lifecycle Events represent activities that occur during an employee’s tenure at a company, such as joining, changing roles, or leaving. These events, when triggered by specific changes to an identity (like attribute changes or creation), initiate Business Processes (workflows) that can include provisioning actions.
Here’s a breakdown of key aspects related to Lifecycle Events:
- Pre-defined Lifecycle Events: IdentityIQ provides four pre-defined Lifecycle Events, each linked to a specific trigger and default Business Process:
  - Joiner: Triggered upon identity creation. The default process simply logs the identity’s name. Typically customized to provision initial access rights (birthright access).
  - Leaver: Triggered when the “Inactive” attribute changes from false to true. The default process disables all the leaving identity’s accounts.
  - Manager Transfer: Triggered when an identity’s manager changes. The default process logs the old and new managers’ names. Commonly customized to initiate a certification for the new manager to review the identity’s access, or to provision access based on the new manager’s group memberships.
  - Reinstate: Triggered when the “Inactive” attribute changes from true to false. The default process enables all previously disabled accounts of a returning identity.
- Lifecycle Events and Rapid Setup: The Rapid Setup module simplifies the configuration of common Lifecycle Events like Joiner, Mover, and Leaver. It allows administrators to define event triggers, global actions, and per-application actions (like birthright role assignment). Rapid Setup offers a user-friendly interface for configuring these events without requiring in-depth workflow customization.
- Custom Lifecycle Events: You can create custom Lifecycle Events beyond the pre-defined ones to cater to specific organizational needs. These custom events offer flexibility in defining triggers, target identities, and associated workflows.
- Lifecycle Events and Provisioning: Lifecycle Events are tightly integrated with IdentityIQ’s provisioning engine. The Business Processes triggered by these events can contain provisioning actions, such as creating, modifying, enabling, disabling, or deleting accounts and entitlements.
- Lifecycle Events Configuration: You manage Lifecycle Events through the Lifecycle Events page (Setup > Lifecycle Events). Here, you can:
  - Create new Lifecycle Events: Define a name, description, event type (Create, Manager Transfer, Attribute Change, Rule, Native Change, Alert), target identity population, and the triggering business process.
  - Edit pre-defined Lifecycle Events: Customize the default behavior of the provided events by modifying their associated Business Processes.
- Monitoring Lifecycle Events: You can monitor the execution and outcomes of Lifecycle Events through various methods:
  - Track My Requests: Provides visibility into the access requests generated by Lifecycle Events, particularly those initiated through Rapid Setup workflows.
  - Advanced Analytics: Allows you to search and analyze audit data, including events related to Lifecycle Events (action: IdentityLifecycleEvent).
  - Identity Events: Offers a historical view of past events associated with an identity, including those triggered by Lifecycle Events.
Overall, Lifecycle Events provide a powerful mechanism in IdentityIQ to automate identity management processes based on real-world events throughout an employee’s lifecycle. By defining appropriate triggers and associating them with customized workflows, organizations can streamline access provisioning, de-provisioning, and other critical identity management tasks.
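The trigger logic of the four pre-defined events, as an added simulation written for this post rather than code from IdentityIQ: identities and accounts are plain Python objects, and the "business processes" are small functions that apply the default behaviour described above. All names and sample data are constructed.

```python
"""Simulation of the four pre-defined IdentityIQ lifecycle events.

Added example, not IdentityIQ code: identities and accounts are plain Python
objects, and the "business processes" are small functions that apply the
default behaviour described for each event. All sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    application: str
    native_identity: str
    disabled: bool = False


@dataclass
class Identity:
    name: str
    inactive: bool = False
    manager: Optional[str] = None
    accounts: List[Account] = field(default_factory=list)


def evaluate_lifecycle_events(previous: Optional[Identity], current: Identity) -> List[str]:
    """Return the pre-defined events fired by the change from `previous` to `current`.

    `previous` is None when the identity was just created, which is the only
    condition for Joiner. Leaver and Reinstate watch the Inactive attribute in
    opposite directions; Manager Transfer watches the manager attribute. More
    than one event can fire on a single refresh (e.g. a reinstated identity
    that also has a new manager).
    """
    if previous is None:
        return ["Joiner"]
    events = []
    if not previous.inactive and current.inactive:
        events.append("Leaver")
    if previous.inactive and not current.inactive:
        events.append("Reinstate")
    if previous.manager != current.manager:
        events.append("Manager Transfer")
    return events


def run_default_business_process(event, previous, current, log):
    """Apply the default behaviour of each pre-defined business process."""
    if event == "Joiner":
        log.append(f"Joiner: {current.name}")              # default only logs the name
    elif event == "Leaver":
        for acct in current.accounts:
            acct.disabled = True                            # disable every account
        log.append(f"Leaver: disabled {len(current.accounts)} accounts for {current.name}")
    elif event == "Reinstate":
        reenabled = [a for a in current.accounts if a.disabled]
        for acct in reenabled:
            acct.disabled = False                           # re-enable disabled accounts
        log.append(f"Reinstate: enabled {len(reenabled)} accounts for {current.name}")
    elif event == "Manager Transfer":
        log.append(f"Manager Transfer: {current.name} moved from "
                   f"{previous.manager} to {current.manager}")


def process_identity_change(previous, current):
    """Evaluate triggers for one identity change and run the matching processes."""
    log = []
    for event in evaluate_lifecycle_events(previous, current):
        run_default_business_process(event, previous, current, log)
    return log


if __name__ == "__main__":
    accounts = [Account("ActiveDirectory", "jdoe"), Account("HRSystem", "1001")]
    joined = Identity("jdoe", manager="asmith", accounts=accounts)
    print(process_identity_change(None, joined))
    left = Identity("jdoe", inactive=True, manager="asmith", accounts=accounts)
    print(process_identity_change(joined, left))
    back = Identity("jdoe", inactive=False, manager="bjones", accounts=accounts)
    print(process_identity_change(left, back))
```

The last step in the usage block is the case worth checking in a real deployment: a returning identity whose manager also changed fires Reinstate and Manager Transfer on the same refresh, so the two customized workflows must not assume they run alone.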
13 Jul 2024
Prerequisites for Enabling and Integrating SailPoint AI Services with IdentityIQ
To successfully enable and integrate SailPoint AI Services with your IdentityIQ instance, several prerequisites must be met. These prerequisites can be categorized as:
1. IdentityIQ Environment:
- Plugins Enabled: Ensure that plugins are enabled in your IdentityIQ instance. This is essential for installing the AI Services Recommender Plugin. Verify that the plugins.enabled=true setting is present in the identityiq_home/WEB-INF/classes/iiq.properties file.
- Default hbm.xml Fields: Do not remove any default fields from the various .hbm.xml files (such as IdentityExtended.hbm.xml or LinkExtended.hbm.xml), even if you’ve customized extended and searchable attributes. Removing default fields will prevent AI Services from functioning correctly. You are free to add custom fields as needed.
2. IdentityNow Tenant:
- Active IdentityNow Tenant: You need an active IdentityNow tenant to integrate AI Services with IdentityIQ, as SailPoint’s AI Services are part of the IdentityNow platform. This tenant will facilitate data exchange and analysis.
- Client Credentials: Generate OAuth client credentials (Client ID and Client Secret) within your IdentityNow tenant for the AI Services Recommendation API. These credentials are crucial for secure communication between IdentityIQ and AI Services.
3. Network and Connectivity:
- AI Services Virtual Appliance: An AI Services Virtual Appliance is deployed for communication between IdentityIQ and AI Services. This appliance requires specific network configurations to facilitate data transfer.
- Firewall Configuration: Configure your firewall to allow outbound HTTPS traffic from your IdentityIQ instance to the AI Services Virtual Appliance. This ensures uninterrupted communication for data sharing and recommendation retrieval.
4. IBM JDK and WebSphere Configuration (If Applicable):
- TLS 1.2 Support: If your IdentityIQ deployment utilizes IBM JDK or WebSphere, ensure that your JVM arguments include -Dcom.ibm.jsse2.overrideDefaultTLS=true. This enables TLS version 1.2 support, which is necessary for connecting to AI Services in such environments.
5. Additional Considerations:
- Onboarding Process: Familiarize yourself with the AI Services onboarding process, which outlines the steps for connecting your IdentityIQ instance to AI Services and configuring the necessary settings. This process is essential for seamless integration and data synchronization.
- Deployment Steps: Review and understand the deployment steps outlined in the “Getting Started with AI-Driven Identity Security for IdentityIQ” guide. These steps provide a roadmap for successfully deploying and configuring AI Services within your IdentityIQ environment.
- Licensing: AI Services modules may require separate licensing. Consult your account manager to confirm your licensing agreement and ensure you have the necessary permissions to access and utilize AI Services.
Remember: These prerequisites assume a standard deployment of IdentityIQ. Your specific configuration, environment, and integration requirements might necessitate additional steps or considerations. Always refer to the official SailPoint documentation and consult with SailPoint support for guidance tailored to your unique setup.
10 Jul 2024
Discussion on Activity Data Source
In IdentityIQ, an Activity Data Source is a source of information about actions taken by users on applications. This activity information is collected, normalized, and stored by IdentityIQ to enable the monitoring and analysis of user behavior.
Here are some key aspects of Activity Data Sources:
- Purpose: Activity Data Sources provide the raw data for IdentityIQ’s activity monitoring and reporting capabilities. This data is used to:
  - Track User Actions: Monitor activities such as logins, file accesses, data modifications, and other application-specific events.
  - Detect Anomalies and Risks: Identify unusual or suspicious activity patterns that might indicate security breaches, policy violations, or insider threats.
  - Support Compliance Requirements: Generate reports and provide audit trails to demonstrate compliance with regulatory frameworks and internal policies.
- Types of Activity Data Sources: IdentityIQ supports various types of Activity Data Sources, catering to different application environments and log formats. Some common types include:
  - JDBC Collector: Collects activity data from relational databases that support JDBC connectivity. This collector requires configuring JDBC connection parameters (connection URL, driver class, username, password) and SQL queries to retrieve relevant activity data.
  - Windows Event Log Collector: Retrieves activity data from Windows event logs. This collector necessitates specifying connection details like the event log server, user credentials, and an MQL query to filter the desired events.
  - Log File Collector: Gathers activity data from log files stored on various systems. This collector supports different transport mechanisms (local, FTP, SCP) to access log files and requires specifying file names, lines to skip, regular expressions for parsing, and log field definitions.
  - RACF Audit Log Collector: Extracts activity data from RACF (Resource Access Control Facility) audit logs, commonly used in IBM mainframe environments. This collector, similar to the Log File Collector, supports local, FTP, and SCP transports for accessing log files.
  - CEF Log File: Collects data from log files in the Common Event Format (CEF), a standardized log format used by various security information and event management (SIEM) systems.
- Activity Data Source Configuration: You manage Activity Data Sources through the Activity Data Source Configuration page, accessible from the Application Configuration page. This page allows you to:
  - Add or Edit Data Sources: Define a descriptive name, provide a brief explanation of the data source, and select the appropriate Activity Data Source Type from the available options.
  - Configure Type-Specific Settings: Input the necessary connection and query settings for the chosen data source type, as detailed in the previous point about types of Activity Data Sources.
  - Define Transformation and Correlation Rules: Specify rules to transform raw activity data into a format usable by IdentityIQ and correlate it with identities in the system. The Transformation Rule converts the collected data, while the Correlation Rule establishes links between activities and identities.
- Activity Targets: Within each Activity Data Source, you can define Activity Targets. These targets represent specific objects within the data source that are acted upon, such as machine names for logins or file names for file accesses. Activity Targets are used to:
  - Focus Activity Searches: Allow administrators to generate searches for activity information on specific targets within a data source.
  - Create Activity Target Categories: Enable the grouping of targets from multiple applications into categories, simplifying activity monitoring across related systems.
- Activity Aggregation Task: The actual process of collecting, transforming, correlating, and storing activity data is performed by the Activity Aggregation task. This task can be scheduled to run periodically, ensuring that IdentityIQ’s activity data is up-to-date.
Activity Data Sources form the backbone of IdentityIQ’s ability to monitor and analyze user behavior across diverse applications. By configuring appropriate Activity Data Sources, defining relevant Activity Targets, and scheduling regular Activity Aggregation tasks, organizations can gain valuable insights into user activity, enhance their security posture, and meet their compliance obligations.
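The collect, transform, correlate pipeline described in this post, as an added simulation written for it rather than IdentityIQ code. It mirrors the Log File Collector settings (lines to skip, a regular expression whose named groups are the log field definitions) and adds a CEF line parser, a transformation rule and a correlation rule. The log lines, application name and account-to-identity table are all constructed.

```python
"""Simulation of an IdentityIQ Activity Data Source pipeline.

Added example, not IdentityIQ code: it mirrors the Log File Collector settings
described above (lines to skip, a regular expression that yields named log
fields) plus a CEF line parser, a transformation rule that normalizes the
fields into an activity record, and a correlation rule that links each record
to an identity. Log lines, application names and the account-to-identity
table are all constructed.
"""
import re
from datetime import datetime

# Constructed file-server audit log; the first line is a header to skip.
FILE_SERVER_LOG = """\
# fs-audit v1
2024-07-10T08:15:02Z LOGIN user=jsmith host=fs01 result=SUCCESS
2024-07-10T08:16:40Z FILE_READ user=jsmith host=fs01 path=/finance/q2.xlsx result=SUCCESS
2024-07-10T08:17:05Z LOGIN user=unknown99 host=fs01 result=FAILURE
"""
LINES_TO_SKIP = 1

# "Regular expression for parsing": named groups become the log field definitions.
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+) (?P<action>\w+) user=(?P<user>\S+) host=(?P<host>\S+)"
    r"(?: path=(?P<path>\S+))? result=(?P<result>\w+)$"
)

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(
    r"^CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<signature_id>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<extension>.*)$"
)

# Correlation table: (application, account name) -> identity name. Constructed.
ACCOUNT_TO_IDENTITY = {("FileServer", "jsmith"): "John.Smith"}


def parse_log_file(text, lines_to_skip=0):
    """Return one dict of raw fields per line that matches LINE_RE."""
    records = []
    for line in text.splitlines()[lines_to_skip:]:
        match = LINE_RE.match(line)
        if match:                     # unparseable lines are dropped, as a collector would
            records.append(match.groupdict())
    return records


def parse_cef_line(line):
    """Split a CEF line into its header fields plus key=value extension pairs."""
    match = CEF_RE.match(line)
    if not match:
        return None
    fields = match.groupdict()
    extension = fields.pop("extension")
    # Values may contain spaces, so stop each value at the next " key=" or end of line.
    fields.update(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", extension))
    return fields


def transformation_rule(raw, application):
    """Normalize parsed fields into the shape IdentityIQ stores for an activity."""
    return {
        "application": application,
        "user": raw["user"],
        "timestamp": datetime.strptime(raw["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": raw["action"].lower(),
        "target": raw.get("path") or raw["host"],  # the Activity Target acted upon
        "result": raw["result"],
    }


def correlation_rule(activity):
    """Link an activity to an identity via the account it was performed with."""
    return ACCOUNT_TO_IDENTITY.get((activity["application"], activity["user"]))


def aggregate_activity(text, application, lines_to_skip=0):
    """The aggregation task: collect, transform, correlate; returns (correlated, uncorrelated)."""
    correlated, uncorrelated = [], []
    for raw in parse_log_file(text, lines_to_skip):
        activity = transformation_rule(raw, application)
        identity = correlation_rule(activity)
        if identity is None:
            uncorrelated.append(activity)   # activity by an account no identity owns
        else:
            activity["identity"] = identity
            correlated.append(activity)
    return correlated, uncorrelated
```

Keeping the uncorrelated records rather than discarding them is the part worth copying into a real correlation rule: activity performed with an account that maps to no identity is exactly the orphaned-account signal the anomaly and compliance use cases above are looking for.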
07 Jul 2024
Special Considerations in IdentityIQ
The sources provide several special considerations related to configuring and managing IdentityIQ:
- Database Encryption for SQL Server JDBC Driver (Installation Guide): When using SQL Server JDBC driver versions 10.2 and later, ensure that the SQL Server database is encrypted. If connecting to an unencrypted database, explicitly add encrypt=false to the JDBC URLs within the iiq.properties file.
- Java System Properties (Installation Guide): You may need to configure specific Java system properties, like proxy settings (http.proxyHost, http.proxyPort, etc.), for IdentityIQ to interact with external systems or services. Consult the documentation for your specific application server (e.g., Apache Tomcat) to understand how to add Java system properties to the environment. For instance, in Tomcat, you would define the JAVA_OPTS environment variable in the bin\catalina.bat or bin/catalina.sh file.
- Message Broker for Data Extract and Access History (Installation Guide): Starting with version 8.4, IdentityIQ requires a message broker for the Data Extract and Access History features. While the installation defaults to an Embedded Broker service running an embedded ActiveMQ instance on port 61616, it is recommended to disable this and use an external broker instead. External brokers offer better administration features, message throughput tracking, and statistics.
- Database-Specific Column Sizes for Extended Attributes (Installation Guide): When extending IdentityIQ objects by adding custom attributes, be mindful of database-specific column size limitations. The comments at the beginning of the IdentityExtended.hbm.xml file provide guidance on these considerations. Several XML files (IdentityExtended.hbm.xml, LinkExtended.hbm.xml, etc.) are used to define extended attributes for different object types within IdentityIQ.
- Character Considerations for the IdentityIQ Password Policy (Password Management): When configuring the password policy specifically for IdentityIQ internal passwords, you have unique settings to define allowable character types (Digits, Uppercase, Lowercase/Non-English, Special Characters). Leaving these fields empty permits all characters. You can also set the password expiration duration for manually set passwords (through the Edit Preferences window) using the “Days until expiration for manually set passwords” option.
- Special Characters in Multi-language Descriptions (System Configuration): When using multi-language description files, ensure that escaped HTML characters are formatted correctly to display as intended. For instance, to display text in bold, use <b>test</b> instead of just test. Similarly, use the escaped form &lt;test&gt; to display the literal text <test> correctly. Failure to format escaped characters properly can result in unexpected display issues within descriptions.
- Case Sensitivity in Native Change Detection (Release Notes): IdentityIQ includes a new option, detectNativeIdentityChangeCaseSensitive, which defaults to false. Enabling this option triggers a NativeIdentityChangeEvent even when the native identifier for an Account or Group differs only by case from the value stored in IdentityIQ. This can impact performance, so consider the implications before enabling it. You can enable this option by adding it to the Attributes Map of the System Configuration.
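What the detectNativeIdentityChangeCaseSensitive option changes, as an added simulation written for this post and not IdentityIQ code: the comparison between the native identifier IdentityIQ already holds for an account link and the value just aggregated, with and without the option. The link keys and identifier values are constructed.

```python
"""Native identity change detection with and without
detectNativeIdentityChangeCaseSensitive.

Added example, not IdentityIQ code: `stored_links` holds the native
identifier IdentityIQ already has for each account link and `aggregated`
holds the value just read from the application. Sample data is constructed.
"""


def detect_native_identity_changes(stored_links, aggregated, case_sensitive=False):
    """Return one NativeIdentityChangeEvent record per link whose native identifier changed.

    With the option left at its default (False), a value that differs only by
    case is treated as unchanged and raises no event. Enabling it makes every
    case-only difference an event as well, which is why the release notes
    warn about the performance impact.
    """
    events = []
    for link_key, new_value in aggregated.items():
        old_value = stored_links.get(link_key)
        if old_value is None or old_value == new_value:
            continue                       # new account, or no change at all
        if not case_sensitive and old_value.casefold() == new_value.casefold():
            continue                       # case-only difference ignored by default
        events.append({
            "event": "NativeIdentityChangeEvent",
            "application": link_key[0],
            "link": link_key[1],
            "old": old_value,
            "new": new_value,
        })
    return events


# Constructed: (application, link id) -> native identity
STORED = {("ActiveDirectory", "link-1"): "jsmith",
          ("ActiveDirectory", "link-2"): "CN=Ann Lee,OU=Staff",
          ("ActiveDirectory", "link-3"): "rjones"}
AGGREGATED = {("ActiveDirectory", "link-1"): "JSMITH",                    # case-only change
              ("ActiveDirectory", "link-2"): "CN=Ann Lee,OU=Contractors",  # real move
              ("ActiveDirectory", "link-3"): "rjones"}                    # unchanged

if __name__ == "__main__":
    for flag in (False, True):
        events = detect_native_identity_changes(STORED, AGGREGATED, case_sensitive=flag)
        print(f"case_sensitive={flag}: {[e['link'] for e in events]}")
```

Run stand-alone it prints one event (the OU move) with the default and two with the option enabled; the extra event is the only thing the option buys, so enable it only where the connected application really treats identifiers as case-sensitive.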
These considerations highlight specific configuration settings, database interactions, and potential issues related to managing IdentityIQ effectively.
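A pre-flight checker for three of the settings discussed on this page, written as an added example rather than SailPoint tooling: plugins.enabled=true from the AI Services prerequisites post, the IBM JDK argument -Dcom.ibm.jsse2.overrideDefaultTLS=true from the same post, and the encrypt=false requirement for SQL Server JDBC driver 10.2 and later from the considerations above. The iiq.properties content is constructed, and the JDBC key name dataSource.url is assumed rather than taken from the page.

```python
"""Pre-flight checks for the iiq.properties and JVM settings discussed above.

Added example, not SailPoint tooling. It covers three settings from the posts
above: plugins.enabled=true (AI Services prerequisites), the IBM JDK TLS
argument -Dcom.ibm.jsse2.overrideDefaultTLS=true, and encrypt=false on SQL
Server JDBC URLs for driver 10.2 and later. The property file below is
constructed; the key name dataSource.url is assumed, not taken from the page.
"""
import re

SAMPLE_IIQ_PROPERTIES = """\
# constructed sample, not a real deployment
plugins.enabled=false
dataSource.url=jdbc:sqlserver://db.example.internal:1433;databaseName=identityiq
dataSource.username=identityiq
"""

IBM_TLS_ARG = "-Dcom.ibm.jsse2.overrideDefaultTLS=true"


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value / key: value,
    and backslash line continuations. Enough for iiq.properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_iiq_properties(props, sqlserver_driver_version=None):
    """Return a list of findings; an empty list means the checked settings are fine."""
    findings = []
    if props.get("plugins.enabled", "").strip().lower() != "true":
        findings.append("plugins.enabled is not true: the AI Services Recommender "
                        "Plugin cannot be installed")
    for key, value in props.items():
        if not (key.endswith(".url") and value.startswith("jdbc:sqlserver:")):
            continue
        # SQL Server JDBC URLs carry their options as ;name=value pairs after the host.
        params = dict(p.split("=", 1) for p in value.split(";")[1:] if "=" in p)
        encrypt = params.get("encrypt", "").lower()
        if encrypt == "false":
            findings.append(f"{key}: encrypt=false, database traffic is not encrypted "
                            "(only acceptable on a deliberately unencrypted database)")
        elif not encrypt and sqlserver_driver_version and sqlserver_driver_version >= (10, 2):
            version = ".".join(map(str, sqlserver_driver_version))
            findings.append(f"{key}: driver {version} expects an encrypted database; "
                            "add encrypt=false only if the database really is unencrypted")
    return findings


def check_java_opts(java_opts, ibm_jdk=False):
    """IBM JDK / WebSphere deployments need the TLS 1.2 override to reach AI Services."""
    if ibm_jdk and IBM_TLS_ARG not in java_opts.split():
        return [f"JAVA_OPTS is missing {IBM_TLS_ARG} (required on IBM JDK/WebSphere)"]
    return []


if __name__ == "__main__":
    props = parse_properties(SAMPLE_IIQ_PROPERTIES)
    for finding in check_iiq_properties(props, sqlserver_driver_version=(10, 2)):
        print("iiq.properties:", finding)
    for finding in check_java_opts("-Xmx4g", ibm_jdk=True):
        print("JAVA_OPTS:", finding)
```

Point it at the real identityiq_home/WEB-INF/classes/iiq.properties and the JAVA_OPTS value from catalina.sh to use it outside the sample; the encrypt=false finding is deliberately reported even though the setting is the documented workaround, because a URL that turns off transport encryption deserves a second look in any environment that is not intentionally unencrypted.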
04 Jul 2024
Key Capabilities and Functionality Extensions of SailPoint’s Plugin Framework
The SailPoint Plugin Framework offers several key capabilities that allow you to extend the functionality of IdentityIQ. Here’s a breakdown:
Extensibility:
- Class path isolation on the server side: This allows developers to leverage any third-party libraries or technologies for REST endpoints, background services, or Java classes called from scripts.
- JavaScript isolation on the client side: Plugin developers can utilize any third-party client-side libraries without conflicts.
- Core code protection: The framework ensures that plugins cannot override or modify the behavior of IdentityIQ’s backend code, ensuring security and facilitating smooth upgrades.
Integration:
- Web service extensions: Developers can create custom REST endpoints to exchange data between their plugins and the IdentityIQ data model.
- Plugin database access: Plugins can create and manage their own database tables within IdentityIQ, providing persistent storage for plugin-specific data.
UI Enhancements:
- Plugin installation and removal: Plugins can be installed and removed dynamically through a drag-and-drop interface, or installed before IdentityIQ starts.
- UI Customization: Plugins can include user interface elements like:
  - Full-page applications: Create entirely new pages within IdentityIQ.
  - Snippets: Inject small pieces of code to modify existing IdentityIQ user interface pages, such as adding menu options or buttons.
  - Widgets: Develop reusable UI components that users can add to their IdentityIQ home pages.
- SailPoint Angular components: Plugins can leverage the SailPoint Angular library to implement UI elements consistent with the IdentityIQ design, providing a seamless user experience.
Business Logic Implementation:
- Plugin Java Classes: Developers can write Java classes to implement custom logic, including:
  - REST Classes: Extend IdentityIQ’s REST API by creating custom endpoints to handle specific actions.
  - Plugin Executors: Implement background tasks, services, or policies that can be invoked within IdentityIQ.
Security and Permissions:
- Plugin authorization: Control access to plugin functionality by defining custom Capabilities and SPRights. This allows you to restrict access to UI components and secure REST endpoints.
Examples of Plugin Use Cases:
- Integrating with a third-party service desk system (e.g., BMC Remedyforce) to create and track tickets for provisioning requests. The sources mention several Service Desk Integration Modules, including ones for BMC Helix Remedyforce, a generic one, and one for Cherwell. This indicates that creating plugins to interact with service desk solutions is a common use case.
- Building a custom reporting dashboard to visualize IdentityIQ data in a specific way. While not explicitly mentioned, the sources provide extensive information on customizing reports in IdentityIQ, suggesting that plugins could be used to extend reporting capabilities even further.
- Developing a custom workflow to automate a specific business process related to identity management. The sources highlight the use of plugins for custom tasks and executors, which can be used to create and manage custom workflows within IdentityIQ.