Tuesday, April 12, 2022

Should we perform User Access Review?

What is User Access Review? 

User Access Review, also called a certification campaign, is the process of periodically re-evaluating whether a user's access is still appropriate. It is an important step in the user account management life cycle, and it is a standard feature of most IDM or IAG tools available in the market.

Why is User Access Review performed?

·      Identity and Access Governance processes recommend implementing User Access Review to ensure that the users in an organization (employees, contingent workers, contractors, vendors etc.) are given the correct access to critical systems (usually least privilege, based on the security guideline) according to their job function.

·       Helps to achieve segregation of duties (SoD). 

·       Mandatory requirement for audits such as SOX, PCI DSS etc.

·       Makes sure nobody holds unwanted access.

·    Helps to find gaps in the request approval workflows or human error in manual approvals.

Does it serve the purpose?

There are a few known issues with User Access Review in general.

        ·        Point-in-time data: 

o   User access review (UAR) is a process executed on point-in-time data. If anyone knows the kick-off date, he can avoid the process by raising a revoke request for his access and requesting it again just after kick-off.

 

o   If anyone requests access to a critical system for a short time between two UAR cycles, the review will not capture that.

 

o   Many systems work on JIT (just-in-time) access: the access is given for a particular time frame, and such access will also not be covered by the review.

  ·       Completeness and accuracy: There are always questions about the data being reviewed; if completeness and accuracy are not guaranteed, the review will not be meaningful. Two questions mainly come up here.

o   Is the scoping correct?

o   Is the data in the campaign accurate?

      ·       Lack of metadata: It is often observed that the review line items lack metadata, such as a good description or flags (e.g. a risk score) which categorize the data.

      ·       Rubber stamping: Since the reviews are heavily human dependent, they often become just extra work and an obligation for the reviewer, and the result can be rubber stamping or, sometimes, incorrect removal of access.
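To make the point-in-time problem concrete, here is an added example (not part of the original post) that replays a constructed grant/revoke event log two ways: as the snapshot a campaign takes at kick-off, and as the set of access held at any moment during the review cycle. The event data, user names, entitlement names and the six-month cycle are all made up for the illustration; the three blind spots it reports are exactly the patterns listed above (short-lived access between cycles, a JIT grant, and a revoke-then-re-request around kick-off).

```python
from collections import defaultdict
from datetime import datetime

# Constructed grant/revoke log (sample data, not from a real system):
# (timestamp, user, entitlement, action)
EVENTS = [
    ("2021-09-01T09:00", "carol", "hr-reports",     "grant"),
    ("2021-11-01T09:00", "bob",   "payments-admin", "grant"),
    ("2022-01-10T09:00", "alice", "prod-db-admin",  "grant"),
    ("2022-01-20T18:00", "alice", "prod-db-admin",  "revoke"),  # short-lived, between two cycles
    ("2022-02-14T12:00", "dave",  "prod-ssh",       "grant"),   # JIT access, four-hour window
    ("2022-02-14T16:00", "dave",  "prod-ssh",       "revoke"),
    ("2022-03-30T17:00", "bob",   "payments-admin", "revoke"),  # revoked the day before kick-off...
    ("2022-04-02T09:00", "bob",   "payments-admin", "grant"),   # ...and requested again right after
]

CYCLE_START = "2021-10-01T00:00"   # previous campaign's kick-off (assumed six-month cycle)
KICKOFF = "2022-04-01T00:00"       # this campaign's kick-off: the snapshot instant


def build_intervals(events):
    """Fold the event log into (user, entitlement) -> [[start, end], ...].

    An interval whose end is None is still open (the access is currently held).
    A revoke without an open interval is ignored rather than treated as an error.
    """
    intervals = defaultdict(list)
    for ts, user, ent, action in sorted(events):
        t = datetime.fromisoformat(ts)
        spans = intervals[(user, ent)]
        if action == "grant":
            spans.append([t, None])
        elif action == "revoke" and spans and spans[-1][1] is None:
            spans[-1][1] = t
    return intervals


def snapshot_access(events, at):
    """Access held at one instant: what a point-in-time campaign puts in front of reviewers."""
    at = datetime.fromisoformat(at)
    return {
        key for key, spans in build_intervals(events).items()
        if any(start <= at and (end is None or at < end) for start, end in spans)
    }


def cycle_access(events, start, end):
    """Access held at any moment in [start, end): also catches removed and JIT access."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return {
        key for key, spans in build_intervals(events).items()
        if any(s < end and (e is None or e > start) for s, e in spans)
    }


def snapshot_blind_spots(events, cycle_start, kickoff):
    """Items a full-cycle review surfaces that the kick-off snapshot never shows."""
    return sorted(cycle_access(events, cycle_start, kickoff) - snapshot_access(events, kickoff))


if __name__ == "__main__":
    print("Reviewed by the snapshot:", sorted(snapshot_access(EVENTS, KICKOFF)))
    print("Missed by the snapshot:  ", snapshot_blind_spots(EVENTS, CYCLE_START, KICKOFF))
```

With this data the snapshot contains only carol's hr-reports access, while the cycle view also surfaces alice, bob and dave; a campaign fed from the interval view rather than the snapshot would put those three in front of a reviewer.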

 How to make this process effective?

·      Reduce manual requests and approvals: The access request process should be automated based on birthrights, ABAC, RBAC or PBAC. That reduces the scope of certification, since access is then only given by rules.

·        Good orphan/rogue monitoring process: Ensure that no access is granted outside the defined process, and automate the removal of orphan or rogue access.

·              Analytics-based approach: Machine learning should be used to find the outliers, and review items should be generated only for the outliers.

·       Strengthen completeness and accuracy checks.

·       The review should consider all access the user has or had during the cycle, including removed access. If a user had access which he should not have had, analyze it to strengthen the request/approval process.
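As an added example (not from the original post, and not the code of any IGA product), the script below turns the orphan/rogue and analytics recommendations above into checks over a constructed data set: a birthright rule and an approved-request register are used to flag orphan access, and a simple peer-group frequency rule stands in for the machine-learning outlier model, so that only orphans and outliers become review line items. All identities, departments, entitlements and the 25% peer threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from a real IGA system).
IDENTITIES = {   # user -> department
    "alice": "finance", "bob": "finance", "carol": "finance", "dan": "finance",
    "erin": "engineering", "frank": "engineering", "grace": "engineering",
}
# Birthright rule: entitlements every member of a department receives automatically.
BIRTHRIGHTS = {"finance": {"erp-viewer"}, "engineering": {"git-read"}}
# Approved access requests on record: (user, entitlement).
APPROVED = {
    ("alice", "erp-approver"), ("bob", "erp-approver"), ("carol", "erp-approver"),
    ("dan", "erp-approver"), ("erin", "prod-deploy"), ("frank", "prod-deploy"),
    ("grace", "erp-approver"),
}
# What the target systems actually report after aggregation: (user, entitlement).
CURRENT = {
    ("alice", "erp-viewer"), ("alice", "erp-approver"),
    ("bob", "erp-viewer"), ("bob", "erp-approver"),
    ("carol", "erp-viewer"), ("carol", "erp-approver"),
    ("dan", "erp-viewer"), ("dan", "erp-approver"),
    ("dan", "erp-admin"),            # no request and no birthright behind it
    ("erin", "git-read"), ("erin", "prod-deploy"),
    ("frank", "git-read"), ("frank", "prod-deploy"),
    ("grace", "git-read"),
    ("grace", "erp-approver"),       # approved, but no engineering peer holds it
}


def orphan_access(current, approved, identities, birthrights):
    """Access with neither an approved request nor a birthright rule behind it.

    Access held by a user unknown to the identity store is reported as orphan too.
    """
    orphans = []
    for user, ent in current:
        if (user, ent) in approved:
            continue
        dept = identities.get(user)
        if dept is not None and ent in birthrights.get(dept, set()):
            continue
        orphans.append((user, ent))
    return sorted(orphans)


def peer_outliers(current, identities, threshold=0.25):
    """Entitlements held by fewer than `threshold` of the holder's department peers.

    A frequency rule like this is the simplest form of the peer-group analytics
    that decide which line items deserve a reviewer's attention.
    """
    members = defaultdict(set)
    for user, dept in identities.items():
        members[dept].add(user)
    holders = defaultdict(Counter)          # dept -> entitlement -> number of holders
    for user, ent in current:
        if user in identities:
            holders[identities[user]][ent] += 1
    outliers = []
    for user, ent in current:
        dept = identities.get(user)
        if dept is None:
            continue                        # unknown users are already reported as orphans
        peers = members[dept] - {user}
        if not peers:
            continue                        # nobody to compare against
        peer_share = (holders[dept][ent] - 1) / len(peers)
        if peer_share < threshold:
            outliers.append((user, ent))
    return sorted(outliers)


def review_scope(current, approved, identities, birthrights):
    """Line items a human should certify, each with the reason it was selected."""
    items = {}
    for item in orphan_access(current, approved, identities, birthrights):
        items[item] = "orphan: no approved request or birthright rule"
    for item in peer_outliers(current, identities):
        items.setdefault(item, "outlier: held by almost no department peer")
    return items


if __name__ == "__main__":
    scope = review_scope(CURRENT, APPROVED, IDENTITIES, BIRTHRIGHTS)
    print(f"{len(scope)} of {len(CURRENT)} access items need a reviewer:")
    for (user, ent), reason in sorted(scope.items()):
        print(f"  {user:6} {ent:14} {reason}")
```

Of the 15 access items only two reach a reviewer: dan's erp-admin (orphan, and also unlike his peers) and grace's erp-approver (approved, but an outlier for engineering). The rest were granted by rule or by an approved request and look like everyone else in the department, which is exactly the bulk that invites rubber stamping when it is put in a campaign.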

 

Thursday, December 5, 2019

SailPoint IIQ vs OIM - not a comparison, but finding the match

There are many people like me who used to work on Oracle (OIM) but moved to SailPoint IIQ and find it hard to match the concepts. The two tools are architecturally different; however, if we find the matching concepts between them, it will help to understand SailPoint more easily. I will explain them one by one.

Connectors are the most useful component for any IDM team, as they integrate the tool with different target systems.
The concept of a connector is the same in both tools. The only difference is that connectors come OOTB in SailPoint, whereas in OIM we need to install them separately. Now I will discuss the internal components of the connectors, such as resource object, application instance etc. I will provide the mapping first, and from there we will go into details.

Resource Object (OIM) - Application (SailPoint)
Adapter (OIM) - Provisioning Policy / Provisioning Plan (SailPoint)
Lookup (OIM) - Custom Objects (SailPoint)
Access Policy (OIM) - IT Role (SailPoint)
Reconciliation (OIM) - Aggregation (SailPoint)
Linking to identity (OIM, through the recon rule as part of reconciliation) - Correlation (SailPoint)
Process Triggers (OIM) - Attribute sync (SailPoint)
SOA approvals (OIM) - Workflow (SailPoint)
Account (OIM) - Link (SailPoint)
Role (OIM) - Bundle (SailPoint)

I will write about each of these in detail.


  

Sunday, March 31, 2019

Enable LCM module in IIQ 7.3

1. Stop Tomcat.

2. Go to the C:\apache-tomcat-8.5.39\webapps\identityiq\WEB-INF\bin path in a command prompt.

3. Run the below commands:

iiq console
> import init-lcm.xml

4. Start Tomcat.

SailPoint IIQ 7.3 basic installation steps on a Windows desktop


Prerequisite: MySQL Server 5.7 and Tomcat 8.5 are already installed.
Assumptions:
·        MySQL Server 5.7 and Tomcat 8.5 are installed on the same desktop.
·        This is a basic installation: the passwords are not encrypted, and the provisioning module (LCM) is not installed.
·        No default config in iiq.properties has been changed.

1.       Download identityiq-7.3 from Compass
2.       Unzip the installer zip
3.       Create a folder identityiq_home and copy the identityiq.war file into it


4.       Extract the war file:
C:\identityiq_home>jar -xvf identityiq.war

5.       Delete identityiq.war from identityiq_home
6.       Go to C:\identityiq_home\WEB-INF\database; create_identityiq_tables-7.3.mysql should be there
7.       Open the MySQL command line client

8.       I had a problem running the database\create_identityiq_tables-7.3.mysql file from that path; to avoid it, I copied create_identityiq_tables-7.3.mysql to C:\Program Files\MySQL\MySQL Server 5.7\bin and ran the command below.

9.       Run the command show databases; the new schemas should be listed.

10.   Create a folder identityiq in C:\apache-tomcat-8.5.39\webapps

11.   Copy the contents of identityiq_home into the identityiq directory.

12.   Start Tomcat



Saturday, August 25, 2018

Run SailPoint client code from Eclipse

To run SailPoint client code from Eclipse, the structure below should exist in Eclipse:
1. src
     - spclient.java (given in this blog)

     - iiq.properties (copy from the C:\<application server>\webapps\identityiq\WEB-INF\classes\ path)

     - iiqBeans.xml (unzip C:\<application server>\webapps\identityiq\WEB-INF\lib\identityiq.jar and copy iiqBeans.xml into the Eclipse src folder)


2. lib
     - Copy all jars from C:\<application server>\webapps\identityiq\WEB-INF\lib\
     - Add all jars to the Java build path.

Please note: the IIQ path mentioned in the code must be accessible by Eclipse.

Hit the run button :)

Source code:

import sailpoint.api.SailPointContext;
import sailpoint.api.SailPointFactory;
import sailpoint.object.Identity;
import sailpoint.spring.SpringStarter;
import sailpoint.tools.GeneralException;

public class spclient {

    /**
     * Start the IIQ Spring context and create an authenticated SailPointContext.
     * @return the context, or null if it could not be created
     */
    private SailPointContext getSailpointContext() {
        SailPointContext context = null;
        String override = null;
        SpringStarter ss = new SpringStarter("iiqBeans.xml", override);
        String configFile = ss.getConfigFile();
        System.out.println("config File::" + configFile);
        // Do not start the Task and Request services or the schedulers inside this client;
        // they belong to the application server, not to an ad-hoc client program.
        String[] services = {"Task", "Request"};
        SpringStarter.setSuppressedServices(services);
        SpringStarter.suppressSchedulers();
        SpringStarter.setSuppressVersionChecker(true);
        ss.start();
        System.out.println("Spring context started");

        try {
            context = SailPointFactory.createContext("identityiq");
            if (context != null) {
                System.out.println("Got Connection " + context);
                context.authenticate("spadmin", "admin"); // Provide the current id and password.
            } else {
                System.out.println("null Connection ");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return context;
    }

    /**
     * Look up an Identity by name and print a few of its attributes.
     * @param context      an authenticated SailPointContext
     * @param identityName the Identity name to search for
     * @return the Identity, or null if it was not found or the lookup failed
     */
    private Identity searchIdentity(SailPointContext context, String identityName) {
        Identity identity = null;
        Boolean inactivityflag = true;

        try {
            identity = context.getObject(Identity.class, identityName);
            if (identity == null) {
                System.out.println("No identity found with name " + identityName);
                return null;
            }
            System.out.println("First Name::" + identity.getFirstname());
            System.out.println("Last Name::" + identity.getLastname());
            // "inactive" may be unset on an Identity, so the cast can yield null
            inactivityflag = (Boolean) identity.getAttribute("inactive");
            System.out.println("inactivityflag::" + inactivityflag);
        } catch (GeneralException e) {
            e.printStackTrace();
        }
        return identity;
    }

    public static void main(String[] args) {
        String path = "C:\\Tomcat8\\webapps\\identityiq"; // provide the path from your install directory
        System.setProperty("SPHOME", path);
        System.setProperty("SP_HOME", path);
        System.setProperty("sailpoint.home", path);
        SailPointContext context = null;
        System.out.println("Establishing Connection ");
        spclient sc = new spclient();
        context = sc.getSailpointContext();
        if (context == null) {
            System.out.println("Could not create a SailPointContext; check the path and iiq.properties");
            return;
        }
        sc.searchIdentity(context, "spadmin");
        try {
            context.close();
        } catch (GeneralException e) {
            e.printStackTrace();
        }
    }

}

Saturday, February 10, 2018

Start a service in Windows using a script

Save the lines below in a .bat file. I am trying to start the MySQL57 service if it is not already running.


rem Read the STATE line of "sc query" (token 3 is the state name) and start the service unless it is RUNNING
for /F "tokens=3 delims=: " %%H in ('sc query MySQL57 ^| findstr " STATE"') do ( if /I "%%H" NEQ "RUNNING" ( net start MySQL57 ) )

Wednesday, October 5, 2016

Run a query from Java code using an OIM client login

import oracle.iam.platform.OIMClient;
import Thor.API.Security.XLClientSecurityAssociation;
import com.thortech.xl.client.dataobj.tcDataBaseClient;
import com.thortech.xl.dataaccess.tcDataProvider;
import com.thortech.xl.dataaccess.tcDataSet;

public class OimDbQuery {

    /**
     * Run a query against the OIM schema through an already logged-in OIMClient.
     * The client login is bound to the current thread so that tcDataBaseClient can reuse it.
     * @param oimClient a client on which login() has already succeeded
     */
    public void connectOIMDB(OIMClient oimClient) {
        XLClientSecurityAssociation.setClientHandle(oimClient);
        tcDataProvider dataProvider = new tcDataBaseClient();
        // Fixed literal, not user input: the WHERE clause is not built by concatenation.
        String query = "SELECT * FROM USR WHERE USR_LOGIN = 'XELSYSADM'";
        try {
            tcDataSet dataSet = new tcDataSet();
            dataSet.setQuery(dataProvider, query);
            dataSet.executeQuery();
            if (dataSet.getRowCount() == 0) {
                System.out.println("No user found");
                return;
            }
            dataSet.goToRow(0);
            System.out.println("Login ID: " + dataSet.getString("USR_LOGIN"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}