Sailpoint Identity IQ: Refresh logging through IIQ console

Sailpoint IdentityIQ uses log4j framework for logging. “log4j.properties” is the file where all the logging related properties are configured. IdentityIQ Servers would a need a refresh of the log4j configurations after anything changes to log4.properties are made.

Usually this kind of refresh is performed through UI from the debug pages in IdentityIQ. Following are the steps to follow for refreshing log4j configurations through UI.

This image has an empty alt attribute; its file name is image-3-1024x279.png
  • Click on the “Logging” option in the menu.
  • Click on “Reload Logging Configuration”

Problem context:


log4j configurations whenever there are any changes have to refreshed across all the servers present in the environment. However, when a load balancer is configured, we might not have control to access individual servers through UI, thus making the refresh of log4j configurations through UI on each server.

Possible solutions:

There are 3 possible solutions for this problem.

  1. Temporarily re-directing load-balancer traffic to only one server and refresh the configurations on the same through debug pages. This process has to be repeated across all the servers.
  2. Accessing IdentityIQ through individual server host-names or IP addresses rather than load balancer URL. This may not be quite helpful as servers are usually configured in a way that individual servers redirect us towards load balancer URL.
  3. Best way in which this could be performed is through IIQ console.
    Following are the steps to follow for the same.
    • Launch IIQ console on one of the servers
    • Modify the log4j.properties as required.
    • Refresh the log4j configurations using the command “logconfig” as shown in the below screenshot.
  • Repeat the above steps for all servers in the environments.

SailPoint Identity Attribute – Configuration Challenges

Identity attributes in SailPoint IdentityIQ are central to any implementation. They usually comprise a lot of information useful for a user’s functioning in the enterprise.

Purpose: The blog speaks about a rare way of configuring the identity attributes in SailPoint which would lead to a few challenges.

Requirements Context: By nature, a few identity attributes need to point to another identity. 2 such use-cases would be:

  1. manager” is an identity attribute which refers to the manager of the employee/contractor.
  2. assistant” can be a custom attribute which refers to the assistant of the employee/contractor. Action items of an employee/contractor can be delegated to this assistant when employee/contractor is on a vacation.

Any identity attribute in IdentityIQ can be configured as either searchable or non-searchable attribute. A searchable attribute has a dedicated database column for itself. In case of attributes like manager, we would ideally need a lot of filtering capability on the attributes and this makes a perfect case for being searchable attribute. A few use-cases where having manager as searchable attributes would help are.

  1. Finding list of identities without managers.
  2. Finding a list of identities with inactive managers.

However, usage of assistant attribute is not quite similar. Not a lot of searching/filtering would happen in a typical IAM implementation based on assistant attribute. It would be preferable to have this attribute as a non-searchable attribute.

Implementation:

As part of the implementation, an extended attribute is configured in the Identity Configuration for assistant attribute as follows.

Assistant identity attribute configuration

The following configuration details are to be observed.

  1. Type of attribute is “Identity“.
  2. Identity attribute is not configured to be searchable as there is no extended number that is configured on this attribute.

Attribute population logic: The attribute is configured to fetch the assistant attribute from Active Directory application and populate the assistant attribute based on the assistant attribute from Active Directory.

Challenge faced: A specific challenge is faced when this type of configuration is used with identity attributes.

Scenario: There will be certain situations where the assistant attribute in Active Directory points to itself. For example, John.Doe’s assistant would be John.Doe himself. This configuration has lead to failure of a lot of operations/tasks due to a SailPoint behavior described below.


Root Cause: SailPoint uses a hibernate for object relational model. Tables in IdentityIQ database are represented by java classes in Identity IQ. In this case, spt_Identity table is represented by the class “sailpoint.object.Identity”. Objects of “sailpoint.object.Identity” class shall correspond to rows in the “spt_Identity” table.

SailPoint has to serialize this Identity objects in the process of storing them in the tables. Non searchable attributes are all stored in an XML CLOB in spt_Identity table. As per the SailPoint’s default behavior, non-searchable attributes are going to be serialized in a recursive fashion. Following the same, serialization shall be attempted on the identity pointed by the assistant attribute.

In the scenario mentioned above where an identity is his/her own assistant, a sub-serialization of same identity as part of assistant attribute serialization is attempted as shown in below diagram.

Recursive Serialization of assistant attribute

Possible Solutions: Above problem can be solved in 2 ways.

  1. Adding checks to avoid self-references.
    Logic to populate such type of identity attribute shall include a check to avoid self-referencing of non-searchable identity attributes.
  2. Using Searchable attributes.
    Avoiding the use of non-searchable attributes for identity attributes of type identity.

Rule Library in SailPoint IdentityIQ

Rule is an XML object with fully programmable java-based implementation hooks (Bean Shell). Rules can capture pieces of business-logic.SailPoint IdentityIQ is very much Rule-Driven, and thus very flexible.

Rules can reference other Rules! Helpful with creating Rule Libraries.

Rule Libraries are collections of methods that have been grouped together and stored in IdentityIQ as a Rule object. They contain a set of related but unconnected methods that can be invoked directly by workflow steps or other rules.

Continue reading

Bulk Provisioning – Batch Request in SailPoint IdentityIQ

Batch Requests enable you to generate specific types of access requests for more than one user at a time. The required data is gathered from a prepared comma-delimited file for each request type. The batch files require comma-delimited data that represents the individual requests. In most cases the native identity or identity name can be used to specify the request target.

In this presentation, we will be discussing on batch requests in SailPoint IdentityIQ, different methods involved in batch requests, complete explanation on individual types implementation with the Active Directory and Azure Bulk Provisioning.

Bulk Provisioning – Batch Request in SailPoint IdentityIQ
Continue reading

Securing SailPoint Deployed on Tomcat Server

Secured Socket Layer (SSL) is a protocol which provides the secured way of communication between the client and server with the help of the certificates. When using Apache Tomcat as a server for the deployment of SailPoint, the data that we are dealing with is sensitive in nature. With the help of Self Sign certificates, we can secure Sailpoint IdentityIQ which is hosted on tomcat server without the need of certificate authority (CA).

1 . Creation of Self Sign Certificate

Step 1: Open up the command prompt

Continue reading

Filters in Refresh Identity Cube Task of IdentityIQ

Refresh Identity cube task is one of the most popular predefined tasks in SailPoint IdentityIQ. Refresh Identity cube task performs a full refresh of the identity cubes and aggregates the data from external sources for all identities. The task has the features to specify which identities are needed to be refresh, by the use of Filters. Filters are used in many places throughout IdentityIQ to allow actions to be applied to a subset of system objects. Filters in Refresh Identity cube task make use of filter strings, which will refresh all the identities which meet the filter constraint mentioned in the task.

The following presentation discusses in detail about the different filters used in the Refresh Identity cube task.

The following is the demonstration of the usage of different filters on Refresh identity cube task.

ETL Process and Working of CloverETL in Sailpoint IdentityIQ

As data is generated rapidly day to day, there is a need to organize it to generate useful results from data. It is essential to properly format and prepare the data before loading it into data storage systems for analysis. Otherwise bad data leads to inaccurate analysis that could have a great loss for the organization. In order to prevent these problems, the data needs to be processed and transformed into quality data, which generates a better analysis.

This can be achieved by using ETL process which Extracts, Transforms, and Loads the data. Each of these phases can include functionalities to process the data as required. There are various tools that perform ETL process. Sailpoint is flagship identity management tool, which uses CloverETL(CloverDX) to perform data processing.

The following presentation sheds light on ETL process and working of CloverETL in Sailpoint.

 

SailPoint IdentityIQ Applications Credential Cycling Using PAM Solution

A large number of applications on SailPoint IdentityIQ rely on using service accounts to communicate with the application targets. These accounts have the authorizations to perform identity management tasks and should be treated as privileged accounts. When a privileged account management solution like CyberArk or BeyondTrust is used in the organisation, the credentials of the privileged account would be stored on the PAM solution and retrieved by IdentityIQ whenever required. The feature of credential cycling introduced in IdentityIQ 7.3 allows this to be configured with ease.

 

The following presentation discusses the need for credential cycling and how it works:

The following demonstration illustrates a use case where credential cycling is configured with the CyberArk PAM solution:

The next video demonstrates credential cycling when configured with the Thycotic Secret Server PAM solution:

Integrating CyberArk with SailPoint using SCIM

Privileged accounts are considered to be “keys to the kingdom” in any IT Infrastructure. Almost every cyber attack that has ever happened involved compromises at the privileged account level. PAM Solutions usually help in managing such accounts, keys or files that would lead to escalated access.

CyberArk is the global leader in PAM solutions with a holistic approach towards privileged account management. It covers not only traditional PAM problems but also extends its capabilities with various features like managing hard-coded application credentials, analytics, on-demand privileges escalation and managing end-user devices like desktops.

Securing and streamlining identity and privileges data present with such solutions is of very high importance.

In the following presentation, we provide a detailed overview of CyberArk integration with SailPoint by integrating Cyberark as a SailPoint’s application.

In the following video, we provide a detailed demo of this integration.

Sailpoint : IdentityIQ Console

Sailpoint IdentityIQ Console is the command line utility for interfacing with IdentityIQ.
It is a powerful tool that allows the user to view objects, execute workflows, import and export data, and much more.

In the following presentation, we have discussed how to launch the IIQ console, usage, and syntax of the frequently used console commands.

 

 

The following demonstration presents the usage of frequently used console commands along with some examples.