ETL Process and Working of CloverETL in Sailpoint IdentityIQ

As data is generated rapidly day to day, there is a need to organize it to generate useful results from data. It is essential to properly format and prepare the data before loading it into data storage systems for analysis. Otherwise bad data leads to inaccurate analysis that could have a great loss for the organization. In order to prevent these problems, the data needs to be processed and transformed into quality data, which generates a better analysis.

This can be achieved by using ETL process which Extracts, Transforms, and Loads the data. Each of these phases can include functionalities to process the data as required. There are various tools that perform ETL process. Sailpoint is flagship identity management tool, which uses CloverETL(CloverDX) to perform data processing.

The following presentation sheds light on ETL process and working of CloverETL in Sailpoint.

 

SOAP Error : Message request Authorization (SailPoint ServiceNow Service Integration )

Environment:

Java: jdk1.8

ServiceNow : Istanbul

SailPoint IdentityIQ version 7.1, 7.2

Problem Statement: 

javax.xml.soap.SOAPException: Message send failed: org.apache.axis2.saaj.SOAPMessageImpl cannot be cast to oracle.j2ee.ws.saaj.soap.MessageImpl===== reqeust ========Authorization:Basic

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection.post2(HttpSOAPConnection.java:691)

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection.post2(HttpSOAPConnection.java:691)

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection$PrivilegedPost.run(HttpSOAPConnection.java:1502)

at java.security.AccessController.doPrivileged(Native Method)

 

Solution:

In the above error message it is clearly mention that it is an authorization error related with user privileged account.

Ensure that the following pre-requisites to be performed:

  • Create a ServiceNow Service Integration Module Administrator (ServiceNow user) for integration purpose with SailPoint and assign following roles.

SailPoint Administrator Role List in ServiceNow

Elevate Roles to security admin in ServiceNow for the user.

  • Use the same Integration Administrator in Application configuration of ServiceNow in SailPoint.
  • Use the same Integration Administrator credential in IntegrationConfig : ServiceNowServiceIntegrationModule.

 

 

Sailpoint – Service Now Integration

Ticketing systems form a great part of any enterprise’s IT infrastructure. Service Now is a global leader in cloud based ticketing systems and has been playing a visionary role in ITSM and ITOM.

Sailpoint integration with Service Now provides a great value when direct provisioning from Sailpoint is not possible.

It streamlines the manual provisioning by raising tickets on Service Now for provisioning. This provides a great visibility and accountability in the IT environments.

 

In the following presentation, we provide a detailed overview of Service Now integration with Sailpoint:

The following is a demo of various types of Service Now integrations that are supported by Sailpoint:

Sailpoint Unix Integration

Unix is the mother of all operating systems and also is the foundation for Tim Berner Lee’s invention.

Every enterprise has a huge Unix foot print spanning across thousands of servers running various legacy applications.

As part of the mammoth task of securing the IT environments, securing the Unix servers would be the first step.

At ENH iSecure, we thrive to achieve complete and impeccable solutions leaving nothing to chance.
As a part of these efforts, we are speaking about Identity Governance in Unix with the help of Sailpoint’s IIQ.

The following is a video where we speak about governance of Unix using Sailpoint’s IIQ.

The following is a demo on Unix integration with Sailpoint.

IdentityIQ parallel and serial approvals

 Introduction

Out of the box Sailpoint’s IdentityIQ provides numerous workflows for provisioning, we can implement our custom workflows according to the necessity. Similarly, parallel and serial approvals are workflows used in an enterprise to manage the access of the user.

Requirement

In the world of IAM, one thing every developer should remember is that “Right thing must be accessed by the Right user at a Right time“, from the above sentence we can say that an access must be rightfully distributed to the user.

In this requirement a user in an enterprise requested an entitlement or role using IdentityIQ then that access must be approved by the work groups which are maintaining that privilege.

Understanding parallel and serial approvals in IdentityIQ

The following video illustrates about parallel and serial approvals.

Working demo of parallel and serial approvals

The following video demonstrates how parallel and serial approvals accomplishes.

 

 

 

Solving problem SailPoint IdentityIQ “Mark Invalid Error”

Problem description 

When we try to correlate the accounts into SailPoint’s identityIQ using multiple authoritative sources the following
exception may arise.

Why this happens

The main reason for this error is ambiguity of accounts. After the account aggregation task completed when we try to run the task refresh identity cubes. Task is not running and error is displays as Task stopped by user. When you see the log file there a exception named Mark Invalid.

 

.erroe_scrn_sht

Case 1

The main cause for this error is, If you have added more than one authoritative sources marked for one identity. The following exception will arise. that means you have added two Authoritative sources representing the same data if run the aggregation task the accounts will be populated with their name then If we perform refresh identity cubes task the accounts will not linked its respective manager account because there will be an ambiguity between two accounts which has to be correlate as manager account.

Case 2

In other cases if you have any accounts or identities not properly deleted.

Solution

The solution I found is to get backup of the rules and application into a xml file using the console.Shutdown the application server and drop all the tables in database using the sql scripts provided by identityIQ then create the tables using the scripts. Import the init.xml using the iiq console.Then import the xml file which represents the application object. Then if you run the aggregation and correlation tasks you can see that all the identities and their managers are correlated in identity warehouse.

Using lists in Identity IQ workflows at approval steps

Sailpoint’s Identity IQ converts all the empty lists that go through an approval step in a workflow into NULL values. This does not hold the same with non-empty lists.

null diagram

For example, we have a global variable in the workflow which is an empty ArrayList ( [] ). It is going to be converted to ( NULL ) once it goes through an approval step. So in order that the lists work as per our need, we could provide a dummy value so that list is never converted to NULL when it goes through an approval.