Non - Authoritative Applications - 1


Onboarding Applications, Correlation, and Data Transformation


Fundamentals of IdentityIQ Implementation
Overview
Onboarding Applications, Correlation, and Data Transformation
• Application and connector planning resources
• Defining non-authoritative applications
• Delimited File Connector

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 3


Planning Resources for
Onboarding



Planning Resources
Available on Compass
• Application
• Application Onboarding Questionnaire
• Helps ensure all information is gathered
• Identify connectivity plan, data format
• Identify entitlement data for requests and/or certification
• Determine application dependencies, aggregation schedules

• Connector
• SailPoint Functional Requirements template
• Gather connection parameters (username, password, host, port, etc.)
• Collect schema details
• Identify ownership for approval/certification responsibility



Planning
What information do we need?
• Accounts
• Represent user identities who may sign into that system
• Attributes
• Additional information associated with account
• Entitlements
• Specify what actions a user is authorized to perform in a given application (e.g. access payroll)
• Account Groups
• Specify a set of security rights/permissions (e.g. Administrator)
• Membership in group provides user with group’s access rights



Defining Non-Authoritative
Applications



Defining Non-Authoritative Applications
Process Overview
• Define application
• Select connector type
• Define account schema
• Used to represent individual accounts
• Define group schemas (if needed)
• Used to represent individual group rights
• Specify account correlation
• Define rules (if needed)
• Connector Rules
• Support Data Transformation operations
• Connector Rules vary based on the connector type
• Application Rules
• Act on accounts/account groups (Resource Objects)
• Available for all connector types
• Define aggregation task and schedule



Application/Connector Processing
Aggregation

Figure: Application/Connector Processing. The Connector reads the target file or system and produces Resource Objects (Accounts/Groups). Data Manipulation (varies by connector: rules, filtering, merging) is applied to them, then Customization and Correlation run for each account. An account that correlates is linked to the existing Identity Cube; one that does not goes to Creation, where a new cube is built.
Connectors
• Application Type defines connector
• Provide for reading data from “applications”, including:
• Files
• Databases
• Directories
• Mainframes
• Communication and collaboration tools
• UNIX
• …and more!
• Most provide for writing data to applications



Schemas
• Definition of what data to read from the application and how to interpret that data
• Schema types
• Account (required)
• Represents individual accounts on a target resource (Active Directory or SAP Accounts, for
example)
• Group (optional)
• Represent native account groups from target resource (LDAP Groups or Active Directory
Groups, for example)
• Certain connectors support multiple group schemas (6.4)
• JDBC, SQL Loader, Delimited File, and Oracle EBS



Account Schema
Review
• Identify key data to IdentityIQ
• Identity Attribute
• Display Attribute
• Specify account attributes to read
during aggregation



Account Schema
Entitlement Designations
• Identify attribute that lists user entitlements
• Entitlement → Identity Cube
• Include in certifications
• Include in role mining
• Managed → Entitlement Catalog
• Assign ownership, display name, description
• Request through LCM
• Use in policy and risk calculations



Entitlement Catalog / Identity Cube



Group Schema

• Used to support native account group object model
• Provides framework for defining what group membership really means
• I am a member of Group 920-100, I can access the financial planning file share
• I am a member of Active Directory group VPN, I can log in to corporate VPN
• Groups managed in Entitlement Catalog
• Can represent indirect permissions data
• Permissions are direct
• Group-based permissions are indirect



Group Object Reference
Account Schema
• Identifies the attribute that holds user groups
• Used to identify group membership (groupmbr, memberOf)
• Available after Group Object has been defined



Account Correlation
Non-authoritative Applications
• Matches an account to an authoritative Identity Cube
• If no correlation, non-authoritative cube is created
• 4 correlation methods
• Correlation Wizard
• Correlation Rule
• Default Logic
• Manually



Account Correlation
Correlation Wizard
• Provides a set of ordered correlations
• Result is a reusable correlation configuration
• 2 types of correlations
• Attribute-based. Example: correlate account attribute mail with identity attribute email
• Condition-based. Example: correlate accounts where app2_service = true with the Admin cube



Account Correlation
Manual Correlation
• Manually assign accounts to identities
• Identities → Identity Correlation
• Correlation permanently retained



Application Rules
• Correlation Rule (when matching isn’t enough)
• Build and maintain account correlations
• Customization Rule
• Modify/normalize incoming account data prior to saving to an Identity
• Managed Entitlement Customization Rule
• Set fields such as owner, requestable, or descriptions on ManagedAttributes (entitlements, groups)
• Primarily used with Authoritative Applications
• Manager Correlation Rule
• Build and maintain manager hierarchy
• Creation Rule
• Perform customizations at cube creation time
• Example: Set default IdentityIQ password



Aggregation & Correlation

Figure: Aggregation & Correlation. An Application (schema, connector, configuration) and an Aggregation Task drive the connector; the accounts it reads are correlated against the Authoritative Resources, with or without rules, and accounts from an Additional Application attach to the same Identity Cubes.

1. Non-authoritative application contains accounts
2. Application/Connector defines what to read, how to connect
3. Aggregation task runs
4. Connector reads accounts, tries to correlate to existing Identity Cubes
5. Positive Correlation – add account to existing cube
6. Unsuccessful Correlation – add account to new cube (mark as un-correlated)

Account attributes shown in the figure:
• User Name
• Email Address
• First Name
• Last Name
• Groups
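The ordered correlations described on the Correlation Wizard slide, applied to the aggregation steps above, as an added example. This is not SailPoint code and not how IdentityIQ is implemented internally; the identities, accounts, attribute names (mail, email, app2_service) and the numeric-suffix naming for a new cube are all constructed for the example. It shows the two correlation types, the fall-through when a match is ambiguous, and the un-correlated cube created when nothing matches.

```python
"""Added example (not SailPoint's code): an ordered set of correlations, as the
Correlation Wizard produces, applied to accounts from a non-authoritative
application. Identities, accounts and attribute names are constructed."""

# Constructed authoritative Identity Cubes (for example created from an HR feed).
IDENTITIES = [
    {"name": "bsmith",  "email": "bob.smith@example.com"},
    {"name": "Admin",   "email": "admin@example.com"},
    {"name": "rjones",  "email": "r.jones@example.com"},   # employee
    {"name": "rjonesc", "email": "r.jones@example.com"},   # contractor sharing the mailbox
]

# Constructed accounts read from application "app2".
ACCOUNTS = [
    {"nativeIdentity": "bsmith",     "mail": "bob.smith@example.com", "app2_service": "false"},
    {"nativeIdentity": "svc_backup", "mail": "",                      "app2_service": "true"},
    {"nativeIdentity": "rjones",     "mail": "r.jones@example.com",   "app2_service": "false"},
    {"nativeIdentity": "jdoe",       "mail": "jane.doe@example.com",  "app2_service": "false"},
]

# Ordered correlations: the first one that yields exactly one identity wins.
CORRELATIONS = [
    {"type": "attribute", "account_attr": "mail", "identity_attr": "email"},
    {"type": "condition", "account_attr": "app2_service", "value": "true", "identity": "Admin"},
]


def correlate(account, identities, correlations):
    """Return (identity, reason); identity is None when no correlation succeeds."""
    for corr in correlations:
        if corr["type"] == "attribute":
            value = account.get(corr["account_attr"])
            if not value:
                continue  # never match on an empty attribute value
            matches = [i for i in identities if i.get(corr["identity_attr"]) == value]
            if len(matches) == 1:
                return matches[0], f"{corr['account_attr']}={corr['identity_attr']}"
            # zero or several matches: do not guess, try the next correlation
        elif corr["type"] == "condition":
            if account.get(corr["account_attr"]) == corr["value"]:
                target = next((i for i in identities if i["name"] == corr["identity"]), None)
                if target is not None:
                    return target, f"{corr['account_attr']}={corr['value']}"
    return None, "no match"


def aggregate(accounts, identities, correlations):
    """Steps 4-6: correlate each account, else create a cube marked un-correlated."""
    cubes = {i["name"]: {"links": [], "correlated": True} for i in identities}
    for acct in accounts:
        ident, _reason = correlate(acct, identities, correlations)
        if ident is not None:
            cubes[ident["name"]]["links"].append(acct["nativeIdentity"])
            continue
        # Unsuccessful correlation: new cube named after the account. A numeric
        # suffix avoids clobbering an existing cube of the same name (constructed rule).
        name, n = acct["nativeIdentity"], 1
        while name in cubes:
            name, n = f"{acct['nativeIdentity']}{n}", n + 1
        cubes[name] = {"links": [acct["nativeIdentity"]], "correlated": False}
    return cubes


def uncorrelated(cubes):
    """Names of cubes that still need manual correlation review."""
    return sorted(n for n, c in cubes.items() if not c["correlated"])


if __name__ == "__main__":
    result = aggregate(ACCOUNTS, IDENTITIES, CORRELATIONS)
    for name, cube in result.items():
        print(name, cube)
    print("un-correlated:", uncorrelated(result))
```

The rjones account is deliberately left un-correlated: its mail value matches two cubes, and an attribute correlation that picked one of them would silently attach an account to the wrong person. Reviewing the un-correlated list after each aggregation, and resolving such cases through Identities → Identity Correlation, is what keeps the manual correlation step from becoming a guess.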



Application Activity Data Sources
Optional
• Utilize externally collected activity tracking and monitoring data
• Use in Policies and Risk
• Gathering activity data
• Define how to access the source
• Define what data to retrieve
• Define rules for correlation and transformation
• Enable per user or per role
• Define Activity Aggregation task
• Standard sources
• JDBC, Log File, RACF Audit Log Collector, Windows EventLog Collector
• Integration module
• HP ArcSight



Knowledge Check

Delimited File
Connector



Delimited File
File and Transport
• File Path
• Delimiter
• Column Header Present?
• File Transport


Delimited File
Filtering
• Exclude data


Delimited File
Merging
• Example data
dbid, firstname, lastname, groupmbr
bsmith, Bob, Smith, Accounts Payable
bsmith, Bob, Smith, Accounting
bsmith, Bob, Smith, Payroll

• Best practice
• Pre-sort data by Index Column



Delimited File
Connector Rules
• Build Map
• Runs for every line in the file
• Converts incoming data into map
• PreIterate
• Runs once for each aggregation
• Can do any pre-processing
• PostIterate
• Runs once for each aggregation
• Can do any post-processing
• Map To ResourceObject
• Performs final conversion to Resource Object
• Runs once for each account or group
• Runs after merging
• MergeMaps
• Performs merging processing
• If default merge capabilities aren’t enough, a rule here can control merging
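The Delimited File pipeline (File and Transport settings, Filtering, Merging with the bsmith rows from the merging slide, and the connector rules above) modelled end to end, as an added example. This is not SailPoint's connector code and the rule bodies are not BeanShell; the sample file, the config keys (delimiter, header_present, index_column, merge_columns, exclude) and the service-account filter are constructed for the example. It also goes one step beyond the text by checking the "pre-sort by index column" best practice: a streaming merge only folds adjacent rows together, so an index value that reappears later in the file would split one account into two.

```python
"""Added example (not SailPoint's code): a small model of the Delimited File
connector pipeline in the order the slides show it:
PreIterate -> Build Map (per line) -> Filter -> MergeMaps (per index value)
-> Map To ResourceObject (per account) -> PostIterate.
The sample files, config keys and the filter predicate are constructed."""
import csv
import io

# Constructed sample file: the rows from the merging slide plus two more accounts.
SAMPLE_FILE = """dbid, firstname, lastname, groupmbr
bsmith, Bob, Smith, Accounts Payable
bsmith, Bob, Smith, Accounting
bsmith, Bob, Smith, Payroll
jdoe, Jane, Doe, Payroll
svc_batch, Batch, Service, Payroll
"""

# Same data, but bsmith's rows are no longer adjacent (not pre-sorted by index column).
UNSORTED_FILE = """dbid, firstname, lastname, groupmbr
bsmith, Bob, Smith, Accounts Payable
jdoe, Jane, Doe, Payroll
bsmith, Bob, Smith, Accounting
"""

CONFIG = {
    "delimiter": ",",
    "header_present": True,
    "index_column": "dbid",           # adjacent rows sharing this value are one account
    "merge_columns": ["groupmbr"],    # multi-valued attributes collected across those rows
    "exclude": lambda row: row["dbid"].startswith("svc_"),  # Filter: drop service accounts
}


def pre_iterate(config):
    """PreIterate: runs once before the file is read; validate the configuration."""
    if not config["delimiter"] or not config["index_column"]:
        raise ValueError("delimiter and index column must be set")
    return {"accounts": 0, "filtered": 0}


def build_map(columns, fields):
    """Build Map: runs for every line; converts the raw fields into an attribute map."""
    return {c: v.strip() for c, v in zip(columns, fields)}


def merge_maps(current, row, merge_columns):
    """MergeMaps: fold one more row into the account under construction."""
    for col in merge_columns:
        values = current.setdefault(col, [])
        if row.get(col) and row[col] not in values:
            values.append(row[col])
    return current


def map_to_resource_object(account, index_column):
    """Map To ResourceObject: runs once per account, after merging."""
    return {"identity": account[index_column], "attributes": account}


def post_iterate(state, objects):
    """PostIterate: runs once after the file is read; summary for the task result."""
    state["accounts"] = len(objects)
    return state


def read_rows(text, config):
    """File and Transport settings: split on the delimiter, honour the header flag."""
    reader = csv.reader(io.StringIO(text), delimiter=config["delimiter"], skipinitialspace=True)
    rows = [r for r in reader if r]
    if config["header_present"]:
        return [c.strip() for c in rows[0]], rows[1:]
    return [f"col{i}" for i in range(len(rows[0]))], rows


def unsorted_index_values(text, config):
    """Index values that reappear after a different value: the file is not pre-sorted."""
    columns, rows = read_rows(text, config)
    index, seen, last, repeats = config["index_column"], set(), None, []
    for fields in rows:
        key = build_map(columns, fields)[index]
        if key != last and key in seen and key not in repeats:
            repeats.append(key)
        seen.add(key)
        last = key
    return repeats


def iterate(text, config):
    """Run the whole pipeline over one file; returns (resource objects, summary)."""
    repeats = unsorted_index_values(text, config)
    if repeats:  # a streaming merge would split each of these into two accounts
        raise ValueError(f"input not pre-sorted by {config['index_column']}: {repeats}")
    state = pre_iterate(config)
    columns, rows = read_rows(text, config)
    index, merge_cols = config["index_column"], config["merge_columns"]
    objects, current = [], None
    for fields in rows:
        row = build_map(columns, fields)
        if config["exclude"](row):
            state["filtered"] += 1
            continue
        if current is None or current[index] != row[index]:
            if current is not None:
                objects.append(map_to_resource_object(current, index))
            current = {k: v for k, v in row.items() if k not in merge_cols}
        merge_maps(current, row, merge_cols)
    if current is not None:
        objects.append(map_to_resource_object(current, index))
    return objects, post_iterate(state, objects)
```

Run as-is, iterate(SAMPLE_FILE, CONFIG) yields two resource objects, bsmith with all three groupmbr values and jdoe with one, and a summary showing one filtered row; iterate(UNSORTED_FILE, CONFIG) refuses the file instead of emitting a second, partial bsmith account. Rejecting unsorted input up front is cheaper than discovering duplicate accounts after they have been correlated and certified.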
Delimited File Processing

Figure: Delimited File Processing. The Delimited File connector runs PreIterate* once, then for each line Build Map, Filter and MergeMaps; Map To ResourceObject is non-iterative (once per account or group) and produces the Resource Object; PostIterate* runs once at the end. The Resource Object then passes to Customization and Correlation, with Creation when no existing cube matches.

Notes:
• PreIterate rule runs once prior to aggregation
• PostIterate rule runs once after aggregation
• Remaining rules are iterative
Writing to CSV Files
SQL Loader Connector
Overview
• Provides a SQL query option to read/write data from CSV/text files
• Based on JDBC Connector architecture
• Data can be pulled from multiple files
• Supports direct Permission functionality



Knowledge Check

Next Step?
Practice Exercises


Exercise Preview
Section 1, Exercises 5, 6

Figure: Systems of Record and Systems of Interest used in the exercises. Systems of Record: Employee File (HR) and Contractor File (Contractor Maintenance), each supplying Users and Groups. Systems of Interest: LDAP (Directory), PRISM JDBC (Purchasing), TRAKK JDBC (Time Tracking), and the PAM Financials files (Financial App); exercises #5 and #6 onboard the PRISM and TRAKK applications.