SOAPAPi Call and Reading

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<Rule language="beanshell" name="WorkdayAccountsOrgRoleRuleLibrary">

  <Description> RuleLibrary for Workday OrgRole Hierarchy</Description>

  <Source><![CDATA[

/**************************************************************************

* Single file of all methods required in WorkdayAccounts OrgRole Hierarchy

*************************************************************************/

import java.io.File;

import java.util.Map;

import java.util.HashMap;

import java.io.IOException;

import java.io.OutputStream;

import java.io.FileOutputStream;

//Imports used for XML Reading and Processing

import java.net.URL;

import java.io.StringReader;

import java.io.BufferedReader;

import org.xml.sax.InputSource;

import org.xml.sax.Attributes;

import java.net.URLConnection;

import java.nio.charset.Charset;

import org.xml.sax.SAXException;

import java.io.InputStreamReader;

import java.net.HttpURLConnection;

import javax.xml.parsers.SAXParser;

import java.io.ByteArrayOutputStream;

import org.xml.sax.helpers.DefaultHandler;

import javax.xml.parsers.SAXParserFactory;

import javax.xml.parsers.ParserConfigurationException;

//Imports from IIQ

import sailpoint.tools.Util;

import sailpoint.tools.Message;

import sailpoint.object.Application;

import org.apache.commons.logging.Log;

import sailpoint.tools.GeneralException;

import org.apache.commons.logging.LogFactory;

private static Log logger = LogFactory.getLog("com.rule.WorkdayAccountsOrgRoleRuleLibrary");

/*****************************************************************************

*====== PrintOrgDataHandler Class extended from DefaultHandler Class =========

*****************************************************************************/

public class PrintOrgDataHandler extends DefaultHandler

{

private StringBuilder currentValue = new StringBuilder();

private StringBuilder orgdata = new StringBuilder();

public void startDocument()

{

logger.info("Start Document");

}

public void endDocument()

{

logger.info("End Document");

if(!file.exists())

{

file.createNewFile();

}

os = new FileOutputStream(file, true);

writeData(orgdata.toString());

//logger.debug("orgdata: " + orgdata);

}

public void startElement(String uri, String localName, String qName, Attributes attributes)

{

// reset the tag value

currentValue.setLength(0);

}

  

public void endElement(String uri, String localName, String qName)

{

String orgName = "", orgRefId = "", orgSuperRefId = "";

//logger.debug("End Element: "+ qName);

if (qName.equalsIgnoreCase("wd:Name"))

{

orgName = currentValue.toString();

//logger.debug("orgName:" + orgName);

orgdata.append(orgName + ",");

}

else if (qName.equalsIgnoreCase("wd:Reference_ID"))

{

orgRefId = currentValue.toString();

//logger.debug("orgRefId:" + orgRefId);

orgdata.append(orgRefId + ",");

}

else if (qName.equalsIgnoreCase("wd:Superior_Organization_Reference"))

{

orgSuperRefId = currentValue.toString();

//logger.debug("orgSuperRefId:" + orgSuperRefId);

orgdata.append(orgSuperRefId+"\n");

}

}

public void characters(char[] ch, int start, int length)

{

currentValue.append(ch, start, length);

}

}

/*****************************************************************************

*===== PrintPagingInfoHandler Class extended from DefaultHandler Class =======

*****************************************************************************/

public class PrintPagingInfoHandler extends DefaultHandler

{

private StringBuilder currentValue = new StringBuilder();

public void startDocument()

{

logger.info("Start Document");

}

public void endDocument()

{

logger.info("End Document");

}

public void startElement(String uri, String localName, String qName, Attributes attributes)

{

// reset the tag value

currentValue.setLength(0);

}

  

public void endElement(String uri, String localName, String qName)

{

if (qName.equalsIgnoreCase("wd:Total_Pages"))

{

totalPages = currentValue.toString();

logger.debug("totalPages:" + totalPages);

}

}

public void characters(char[] ch, int start, int length)

{

currentValue.append(ch, start, length);

}

}

/*****************************************************************************

*========================= Method to write Data ==============================

*****************************************************************************/

public void writeData(String data)

{

os.write(data.getBytes());

}

/*****************************************************************************

*================= Method to ProcessSoapAPI for Pagging ======================

*****************************************************************************/

public static String processSOAP(String username, String password, String wsEndPoint)

{

    logger.info("*****************************Start Method to ProcessSoapAPI for Pagging*********************************");

URL url = new URL(wsEndPoint);

URLConnection connection = url.openConnection();

HttpURLConnection httpConn = (HttpURLConnection) connection; //connection

// Passing Values in WebServices String

ByteArrayOutputStream bout = new ByteArrayOutputStream();

String xmlInput = "<soapenv:Envelope xmlns:bsvc=\"urn:com.workday/bsvc\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n"

+ "    <soapenv:Header>\r\n"

+ "        <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">\r\n"

+ "            <wsse:UsernameToken wsu:Id=\"UsernameToken-29AD2DA69B7633231716503553476444\">\r\n"

+ "                <wsse:Username>"+ username + "</wsse:Username>\r\n"

+ "                <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">"+ password + "</wsse:Password>\r\n"

+ "                <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">GaNTP/SvdGp77xCD2T2MhQ==</wsse:Nonce>>\r\n"

+ "            </wsse:UsernameToken>\r\n"

+ "        </wsse:Security>\r\n"

+ "    </soapenv:Header>\r\n"

+ "    <soapenv:Body>\r\n"

+ "        <bsvc:Get_Organizations_Request bsvc:version=\"v37.1\">\r\n"

+ "            <bsvc:Response_Filter>\r\n"

+ "                <bsvc:Count>10</bsvc:Count>\r\n"

+ "            </bsvc:Response_Filter>\r\n"

+ "            <bsvc:Response_Group>\r\n"

+ "                <bsvc:Include_Roles_Data>false</bsvc:Include_Roles_Data>\r\n"

+ "                <bsvc:Include_Hierarchy_Data>true</bsvc:Include_Hierarchy_Data>\r\n"

+ "                <bsvc:Include_Supervisory_Data>false</bsvc:Include_Supervisory_Data>\r\n"

+ "            </bsvc:Response_Group>\r\n"

+ "        </bsvc:Get_Organizations_Request>\r\n"

+ "    </soapenv:Body>\r\n"

+ "</soapenv:Envelope>";

byte[] buffer = new byte[xmlInput.length()];

buffer = xmlInput.getBytes();

bout.write(buffer);

byte[] b = bout.toByteArray();

httpConn.setRequestProperty("Content-Type", "application/xml");

httpConn.setRequestMethod("POST");

httpConn.setDoOutput(true);

httpConn.setDoInput(true);

OutputStream out = httpConn.getOutputStream();

// Write the content of the request to the outputstream of the HTTP

// Connection.

out.write(b);

out.close();

// Ready with sending the request.

// Read the response.

InputStreamReader isr = new InputStreamReader(httpConn.getInputStream(), Charset.forName("UTF-8"));

BufferedReader in = new BufferedReader(isr);

String responseString ="";

String returnString ="";

// Write the SOAP message response to a String.

while ((responseString = in.readLine()) != null) 

{

returnString = returnString + responseString.toString();

}

return returnString;

}

/*****************************************************************************

*================= Method to ProcessSoapAPI for OrgData ======================

*****************************************************************************/

public static String processSOAP(String username, String password, String wsEndPoint, String pageNum)

{

    logger.info("*****************************Start Method to ProcessSoapAPI for OrgData*********************************");

URL url = new URL(wsEndPoint);

URLConnection connection = url.openConnection();

HttpURLConnection httpConn = (HttpURLConnection) connection; //connection

// Passing Values in WebServices String

ByteArrayOutputStream bout = new ByteArrayOutputStream();

String xmlInput = "<soapenv:Envelope xmlns:bsvc=\"urn:com.workday/bsvc\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\r\n"

+ "    <soapenv:Header>\r\n"

+ "        <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">\r\n"

+ "            <wsse:UsernameToken wsu:Id=\"UsernameToken-29AD2DA69B7633231716503553476444\">\r\n"

+ "                <wsse:Username>"+ username + "</wsse:Username>\r\n"

+ "                <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">"+ password + "</wsse:Password>\r\n"

+ "                <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">GaNTP/SvdGp77xCD2T2MhQ==</wsse:Nonce>>\r\n"

+ "            </wsse:UsernameToken>\r\n"

+ "        </wsse:Security>\r\n"

+ "    </soapenv:Header>\r\n"

+ "    <soapenv:Body>\r\n"

+ "        <bsvc:Get_Organizations_Request bsvc:version=\"v37.1\">\r\n"

+ "            <bsvc:Response_Filter>\r\n"

+ "                <bsvc:Page>"+ pageNum +"</bsvc:Page>\r\n"

+ "                <bsvc:Count>10</bsvc:Count>\r\n"

+ "            </bsvc:Response_Filter>\r\n"

+ "            <bsvc:Response_Group>\r\n"

+ "                <bsvc:Include_Roles_Data>false</bsvc:Include_Roles_Data>\r\n"

+ "                <bsvc:Include_Hierarchy_Data>true</bsvc:Include_Hierarchy_Data>\r\n"

+ "                <bsvc:Include_Supervisory_Data>false</bsvc:Include_Supervisory_Data>\r\n"

+ "            </bsvc:Response_Group>\r\n"

+ "        </bsvc:Get_Organizations_Request>\r\n"

+ "    </soapenv:Body>\r\n"

+ "</soapenv:Envelope>";

byte[] buffer = new byte[xmlInput.length()];

buffer = xmlInput.getBytes();

bout.write(buffer);

byte[] b = bout.toByteArray();

httpConn.setRequestProperty("Content-Type", "application/xml");

httpConn.setRequestMethod("POST");

httpConn.setDoOutput(true);

httpConn.setDoInput(true);

OutputStream out = httpConn.getOutputStream();

// Write the content of the request to the outputstream of the HTTP

// Connection.

out.write(b);

out.close();

// Ready with sending the request.

// Read the response.

InputStreamReader isr = new InputStreamReader(httpConn.getInputStream(), Charset.forName("UTF-8"));

BufferedReader in = new BufferedReader(isr);

String responseString ="";

String returnString ="";

// Write the SOAP message response to a String.

while ((responseString = in.readLine()) != null) 

{

returnString = returnString + responseString.toString();

}

return returnString;

}

/*****************************************************************************

*=============================== Main Code ===================================

*****************************************************************************/

//Variable Decleration

logger.info("*****************************Start Rule*********************************");

OutputStream os = null;

String filePath = config.get("fileNameWithPathAndExtension");

logger.debug("filePath: " + filePath);

File file = new File(filePath);

os = new FileOutputStream(file);

writeData("OrganizationId,OrganizationName,OrganizationSuperId\n"); //writing headers in file

Map connectionMap = new HashMap();

String totalPages = "";

SAXParserFactory factory = SAXParserFactory.newInstance();

SAXParser saxParser = factory.newSAXParser();

//PrintOrgDataHandler orgDataHandler8 = new PrintOrgDataHandler();

//PrintPagingInfoHandler pagingDataHandler8 = new PrintPagingInfoHandler();

try

{

//Fetching API Connection Details

Application application = context.getObjectByName(Application.class, "<>");

logger.debug("application: " + application.getName());

if(application!=null)

{

connectionMap = application.getAttributes().getMap();

logger.debug("Connection Map: " + connectionMap);

}

    

String username = connectionMap.get("user");

logger.debug("username: " + username);

String password = context.decrypt(connectionMap.get("password"));

logger.debug("password: " + password);

String contextUrl = connectionMap.get("url");

logger.debug("contextUrl: " + contextUrl);

    

// Gathering paging & number of results information

String pagingResponse = processSOAP(username, password, contextUrl);

saxParser.parse(new InputSource(new StringReader(pagingResponse)), new PrintPagingInfoHandler());

logger.debug("totalPages: " + totalPages);

//Generating csv file with Role OrgData

int pages = Util.atoi(totalPages);

for(int i=1; i<=pages; i++)

{

String orgResponse = processSOAP(username, password, contextUrl, Util.itoa(i));

saxParser.parse(new InputSource(new StringReader(orgResponse)), new PrintOrgDataHandler());

}

os.close();

taskResult.addMessage(new Message(Message.Type.Info, "Task is successfully executed. OrgFile is created", null));

}

catch (GeneralException generalException)

{

taskResult.addMessage(new Message(Message.Type.Error, generalException.printStackTrace(), null));

}

]]></Source>

</Rule>

Write statements in File instead of Tomcat OutPut

How to write statements in file instead of Tomcat Output

import org.apache.log4j.Logger;

import org.apache.log4j.Level;

Logger log = Logger.getLogger("sailpoint.services.bshdemo");

log.debug("hello debug world");

log.info("hello info world");

log.warn("hello warn world");

log.error("hello error world");   

return; 

Database Tips and Tricks

1. How to extract a string from CLOB datatype in SQL?

>dbms_lob.substr( clob_column, for_how_many_bytes, from_which_byte );

Using this function, we can extract a string.

2. How to copy database within same server?

1. Dump database objects and data into SQL file using the mysqldump tool. 

2. 1>mysqldump -u root -p <database_to_copy> > D:\Temp\<database_to_copy>.sql

2 Enter password: **********

3. >mysql -u root -p <New_database> < D:\Temp\<Copied_database>.sql 

2 Enter password: **********

2. How to copy database from server to another?

1 CREATE DATABASE <database_name>;
2
3 USE <database_name>;

1>mysql -u root -p <database_name> < D:\Temp\<database_to_copy>.sql

Using Stored Procedure in Provisioning

Steps to create a procedure in MySQL

1. Starts MySql and use the required database with the help of use query.

 (Example: - mysql>use identityiq;)

 2. Use delimiter to change the end point of query.

 (Example:- mysql>delimiter /)

 3. Run the query to make a procedure.

 Example: - mysql>create procedure insert_emp
                   (IN EmpId varchar(20),IN firstName varchar(30),IN lastName varchar(30),IN managerId varchar(20),IN FullName varchar(70),IN email varchar(50),IN department varchar(30))
                  begin
                  insert into employees(EmpId,firstName,lastName,managerId,FullName,email,department) values(EmpId,firstName,lastName,managerId,FullName,email,department);
                  end;
                  /

 4. Procedure has been created successfully.

Using procedure in Provision Rule to write the data in database

 1. Import java.sql.CallableStatement in your code.

 2.   Paste this line into your code after editing as per your code requirement.

     <CallableStatement statement = connection.prepareCall("{call insert_emp(?,?,?,?,?,?,?)}");>

 3. Save your code and try to provision one identity.

 After provision a new identity will reflect in your table.

Procedure to fetch data from database

1. Run the query to make a procedure. Example: -

  mysql> delimiter /
  mysql> create procedure getdata_emp()
          -> begin
          -> select * from employees;
          -> end;
          -> / 

 2. Procedure has been created successfully. Call it in your application SQL query and test connection.

 

 3. Hit save and you have successfully called the procedure to fetch data from database. 

Steps to create a Custom Quick-link

Steps to create a Custom Quick-link

1. Code the xml file as per your requirement.(Below is an example of custom quicklink)

      <?xml version='1.0' encoding='UTF-8'?>
      <!DOCTYPE QuickLink PUBLIC "sailpoint.dtd" "sailpoint.dtd">
      <QuickLink action="ActionName" category="Custom" messageKey="Message to Display" name="Custom QL Name ">
               <Attributes>
                        <Map>

                             <entry key="ActionName" value="Provide Name of Action"/>

                         </Map>

              </Attributes>
      </QuickLink>

 2. Import the xml file from Global Settings or go to Debug page, select object as quicklink. From right corner dropdown, select New and paste the xml then hit save.

 

 3. Navigate to Global Settings>QuickLink Populations.
 Select the population according to your requirement or you can create your custom population from  right corner New+.
 Configure your custom population and in quicklink tab check the box of your custom quicklink.

 4. Once done, hit save.
 Now open the Debug Pages, under Configuration Objects> select System configuration.

 Edit the file as mentioned below:
 i) Search for QuiclinkCategory in the file
 ii)  Add a row in that category.
 Code:- 
  Add only highlighted row as per your custom quicklink.

<entry key="quickLinkCategories">

        <value>

          <List>

            <QuickLinkCategory cssClass="quickLinkCategoryTasks" messageKey="quicklink_category_all_tasks" name="Tasks" ordering="1"/>

            <QuickLinkCategory cssClass="quickLinkCategoryAccess" messageKey="quicklink_category_access" name="Access" ordering="2"/>

            <QuickLinkCategory cssClass="quickLinkCategoryManage" messageKey="quicklink_category_manage" name="Manage" ordering="3"/>

            <QuickLinkCategory cssClass="quickLinkCategoryCustom" enabled="true" messageKey="quicklink_category_custom" name="Custom" ordering="4"/>

          </List>

        </value>

      </entry>

 5. Once done, hit save. Logout from IIQ and stop tomcat.
 6. Start tomcat and login as spadmin. You will able to see your custom quiclink.

 Notes: - 
 1. You can create your custom category to create a quicklink or you can create in existing cateogry.
 2. There are 4 categories: - Manage, Access, Tasks and <Custom>.
 

Database(MySql) Provisioning using JDBC

Database Provisioning using JDBC

 Steps to create JDBC application in IIQ and table in Database: -

1. Login as spadmin and navigate to application definition.

(Application>Application Definition>Add new Applicatoin).

2. Fill in the details as per your requirements and select application type as JDBC.

(Provide the connection settings, SQL statement, Discover the schema, define Identity attribute and preview the table, Provide provisioning policy as per requirements(Create, update, delete etc.) and also provide the global provision rule. Hit on test connection to test connection.)

Note: - Red asterisk fields are mandatory. 

3. Once all things has been configured properly, hit save.

4. JDBC application has been created successfully.

Create table in Database(MySQL): -
1. Make connection to database(MySQL).
2. Run the create query according to required fields.
3. Table created.

Steps to raise access request from any identity(spadmin/Manager): -
1. Create identities as per requirements.
   (Click on extreme right corner, 3 horizontal bar>Manage Identity>Create Identity)

2. Login as spadmin/manager and Navigate to Manage Identity.
  (Click on extreme upper left corner, 3 horizontal bar>Manage Access>Manage Accounts)

 3. Select the identity for which you want to raise a request and click on Manage.

 4. Raise a request account from upper right corner.

 5.Once the request has been made, it should be approved by the application owner.
 6. Once approval process has been completed, provision process starts and completed at the backend.
 7. Run the query of MySQL to view table contents.

Meaning of Database Provisioning: - 
Database provisioning means that account creation on target application and the account's data will be written to database.

Things to remember: - 
1. account.getNativeIdentity(); is the function to call identity attribute value.
2. Discovering the schema in application is mandatory as the same attributes will be defined in Provisioning policy as well as in your provision rule code.
3. To add a new field in create identity form, add a new attribute in Identity Mapping and make it searchable.

IdentityIQ Glossary

IdentityIQ Glossary (abbreviated)

Access Request

Systems or processes used to request new access, make changes to existing access, or remove access to resources within an organization.

Access Review

A component of a Certification. See Certification.

Activity

The normalized representation of the raw activity data collected from an activity data source such as a Windows Event Log or Syslog. Activity is represented as a java object (ApplicationActivity) and persisted in the database.

Additional Entitlement

Additional entitlements are any entitlements to which the identity has access but that do not comprise a complete role. For example, if a role is comprised of entitlements A, B, and C, but the identity only has access to entitlements A and B, A and B are included in the list of Additional Entitlements. Also, if the identity is assigned entitlements A, B, C, and D, and A, B, and C are grouped as the role, D is added to the Additional Entitlements list.

Aggregation

Aggregation refers to the discovery and collection of information from the applications configured to work with IdentityIQ. For example, IdentityIQ uses an Identity Aggregation task to pull the values associated with the identity attributes specified during the configuration process from user accounts on the designated applications. That information is then used to create the foundation of the IdentityIQ Identity Cubes.

Application

1. The generic term used to refer to any data source with which IdentityIQ communicates to manage governance, risk management and compliance for your enterprise.

2. The term used to refer to an instance of a configured IdentityIQ connector. Applications encapsulate the details of how a targeted system is accessed (Connector parameters), how the accounts and entitlement data on that system is classified (Schema) and how the accounts on that system are correlated to existing Identity Cubes.

Authoritative Application

The identity authoritative application is the main repository for employee information for your enterprise, for example a human resources application. This might not be an at risk application, but it is the system of record from which the majority of the IdentityIQ Identity Cubes are built.

Business Process (aka Workflow)

A Business Process is a sequence of operations or steps executed to perform work. The IdentityIQ Business Processes ‐ both the standard “out of the box” and custom, written for a specific installation ‐‐ are triggered by system events or by a user request. A business process is launched as a side effect of some IdentityIQ operation such as editing a role, updating an identity, or the discovery of a policy violation. The available triggering events include: • Role creation • Identity update • Identity refresh • Identity correlation • Deferred role assignment/deassignment • Deferred role activation/deactivation • Any Lifecycle Manager event • Any Lifecycle Event (marked by changes to an Identity's attributes)

You cannot schedule a business process, but you can schedule a custom task that launches a business process.

Capabilities

Capabilities control access within the IdentityIQ product. Access is controlled at the page, tab, and field level.

Certification

Certification enables you to automate the review and approval of identity access privileges, account group membership and permissions, and role membership and composition. IdentityIQ collects fine-grained access (or entitlement) data and formats the information into reports (called Access Reviews), which are routed to the appropriate reviewers. Each access review is annotated with descriptive business language - highlighting changes, flagging anomalies and calling out violations where they appear.

Identity certifications enable reviewers to approve certifications for identities, or take corrective actions (such as removing entitlements that violate policy).

Role membership and composition certification enables reviewers to approve the composition of roles - the entitlements and roles that define the role being reviewed, and the identities to which the role is assigned, or take corrective actions.

Account group membership and permission certification enables reviewers to approve the permissions assigned to account groups and the members that make up the group, or take corrective actions.

Certification Periods

Certifications progress through phases as they move through their life-cycle: Staging, Active, Challenge, and Revocation. The phases associated with each certification are determined when the certification is scheduled.

Connector

Connectors provide the means by which IdentityIQ communicates with targeted platforms, applications and systems. Connectors are Java classes that implement the IdentityIQ Connector interface.

There are two types of connector in IdentityIQ, application-type connectors that collect account information, and activity-type connectors that collect activity information. IdentityIQ uses the information from both types to maintain the identity cubes.

Correlation

Correlation refers to the process of correlating, or combining, all of the information discovered by IdentityIQ (identity attributes, entitlements, activity, policy violations, history, certification status, etc.) to create and maintain the IdentityIQ Identity Cubes. Correlation does not involve accessing external application to discover information. Correlation reviews the information contained within the IdentityIQ application and updates identity cubes as necessary.

Correlation Key

The attributes that IdentityIQ can use to correlate activity discovered in the activity logs for this application with information stored in identity cubes.

For example, activity logs might contain the full name of users instead of unique account ids. Therefore, correlation between the activity discovered by an activity scan and the identity cube of the user that performed the action must key off of the user’s full name.

Data Source

A data source is a file, database, or repository of the HR and/or entitlement information required to determine a user’s accounts and access to an application. An application can have entitlement information stored in several data sources. For example, a user might need to be a member of a particular Active Directory group in order to get access to the application, then the specific application role for the user might be defined in a relational database, and certain administrative functions might require access to a Windows file share.

Entitlement

An entitlement is either a specific value for an account attribute, most commonly group membership, or a permission.

Entitlement Catalog

A business friendly dictionary of user access descriptions that can be associated with individual entitlements and permissions.

Group

Groups are used to tracked accessibility, activity, and monitored risk by group membership. Risk scores are displayed on the Dashboard. Groups are defined automatically by values assigned to identity attributes or by account group membership. Account groups are based on common entitlement within an application, not common qualities as defined within IdentityIQ.

Group Factory

The Group Factory defines groups automatically by values assigned to identity attributes such as Department, Location, Manager and Organization.

Hierarchical role model

In role based access control, the role hierarchy defines an inheritance relationship among roles. For example, the role structure for a bank may treat all employees as members of the 'employee' role. Above this may be roles 'department manager' and 'accountant,' which inherit all permissions of the 'employee' role

Identity Cube

Multi-dimensional data models of identity information that offer a single, logical representation of each managed user. IdentityIQ automatically builds, manages and securely stores Identity Cubes, including both current and historical views. Each Cube contains information about entitlements, activity, and associated business context.

Integration Modules

An Integration Module is an interface from IdentityIQ to a provisioning product from another vendor (e.g., Oracle Identity Manager or IBM Tivoli Identity Manager) or a service desk product (e.g., BMC Remedy or ServiceNow). These two types of integration modules are called Provisioning Integration Module (PIM) and Service Desk Integration Module (SIM) respectively.

Lifecycle event

An identity-related event in which a user's relationship with the organization undergoes a chance - e.g. new user is on boarded, existing user is promoted.

Lifecycle management

The end-to-end process of managing user access throughout a user's lifecycle within the organization.

Logical Application

A logical application is a way to define an application “logically”, simplifying searches, certifications, etc. by treating these special types of applications as a logical entity.

Logical applications allow for two types of functionality:

Combining -- treating multiple applications as a single logical application. For example, an application may be defined by Web Application access, Mainframe application access and SQL database access

Subdividing -- treating users with a certain LDAP or AD group as account holders on an application. For example, an AD group may control access to a web application at company XYZ. They want to treat this web application as a logical standalone application for requesting access and certifications.

Managed Attribute

An attribute that has been defined on an application schema to have additional meta-data maintained about that attribute. For each value read for the attribute from the Application during aggregation, an entry will be created in the Entitlement Catalog.

Mitigation

Mitigation refers to any exceptions that are allowed on policy violations discovered during a certification process.

Offboarding (aka “Leaver” processing)

The process initiated when IdentityIQ determines that a worker has left the company, whether through aggregation from an authoritative source like the HR system or through someone using a “Terminate Immediately” button. This process usually includes disabling or deleting all of the worker’s accounts and sending notifications as appropriate.

Onboarding (aka “Joiner” processing)

The process initiated when a new employee, contractor, or other type of worker is made known to IdentityIQ, whether through aggregation from an authoritative source like the HR system or through someone using the Create Identity functionality in LCM. This process usually includes creating accounts, adding group memberships, and granting other access required for the new worker to be productive when he/she starts his/her new job. The basic access required for a new worker is sometimes referred to as “birthright” access.

Permissions

The authorization given to users that enables them to access specific resources on the network, such as data files and applications. They also designate the type of access: for example, can data only be viewed (read only) or can they be updated (read/write). Also called user rights, user authorizations and user privileges.

Permitted (optional) Role

A role that is not automatically granted to a user, but may optionally be requested or assigned. Permitted roles are associated with higher-level business roles and allow the organization to enforce least privilege while controlling the total number of roles required to model access rights within the enterprise.

Policy

Policies are comprised of rules used to enforce any policies, separation of duty, activity or risk, defined within your enterprise. For example, a rule might be defined that disallows a single IdentityIQ identity from having roles that enable them to both request and approve purchase orders.

Population

Populations are query based groups created from the results of searches run from the Identity Search page. Searches that result in interesting populations of identities can, optionally, be saved as populations for reuse within IdentityIQ. Members of a population might not share any of the same identity attributes or account group membership. Population membership is based entirely on identity search parameters.

Profile

A profile is a set of entitlements on an application. An entitlement is either a specific value for an account attribute, most commonly group membership, or a permission. Profiles can be used in multiple roles.

Profile Class

An optional class used to associate an application with a larger set of applications for role modeling purposes.

For example, you might set a profile class of XYZ on all of the applications on which any user that has read account privileges should be assigned the role XYZ Account Reader. You can then create a single profile for that role instead of a separate profile for each instance of the applications. During the correlation process any user with read account privileges on any of the applications with the profile class XYZ is assigned the role XYZ Account Reader.

Provisioning

The process of granting, changing, or removing user access to systems, applications and databases based on a unique user identity. Automated user provisioning is intended to make the creation, management and deactivation of login IDs, home directories, mail folders, security entitlements and related items faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.

Reassign

Use the reassign feature to reassign certifications to the appropriate owner. Access reassignment is performed at the identity level. Identities that are reassigned are removed from the identities list and do not reflect as part of the completion status for this certification. All reassigned identities must be acted upon, however, before you can sign-off on the certification.

Bulk reassignment enables you to reduce cumbersome identity certification lists by reassigning identities to appropriate certification approvers. For example, if you are the owner of an application with thousands of accounts, you can use this feature to reassign identities for certification by department or manager.

Refresh/Identity Refresh

Refresh refers to the process of updating the values on the Identity Cube through promotion of Identity Attributes as defined in the Identity Mappings. The default Refresh Identity Cube task includes promotion of account entitlements to the cube and calculation of risk and policy violations.

Refresh does not involve accessing external applications to discover information. Refresh reviews the information contained within the IdentityIQ application and updates identity cubes as necessary

Report

A report is a special type of task that extracts data from the IdentityIQ database and presents it on the screen, with an option to export as PDF and/or CSV.

Required Role

A role that is automatically provisioned to a user once the user is assigned to the higher-level role containing the required role.

Revocation

Use revocation to request the removal of an identities access to a specified role or entitlement. No action is taken on a revocation request until the certification containing the request is completed and signed off on. This is done to ensure that no entitlement is removed until final confirmation has been received from the requestor.

Entitlements that are assigned to more than one role are not revoked with the role. For example, if role A is made up of entitlements X, Y and Z, and role B is made up of entitlements W and X, revoking role A only revokes entitlements Y and Z.

Risk

The IdentityIQ risk-management scoring system applies analytics to identity and activity data to pinpoint areas of risk and enable you to focus your compliance efforts where they are needed most. IdentityIQ uses configurable algorithms to assign a unique risk score. Scores are based on multiple factors and updated regularly. Using this risk scoring system, you can configure IdentityIQ's automated controls to lower user risk scores and their overall corporate risk profile.

Role (aka Bundle)

A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. For example, one role might enable the request of purchase orders and another might enable the approval of purchase requests. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users. IdentityIQ uses roles to monitor these entitlements, identify separation of duty policy violations, and compile identity risk scores to enable you to maintain compliance.

Role Assignment

The process of granting roles to users. Can be performed through self-service tools or via an automatic assignment rule.

Role Creation

The process of defining roles within a role model and mapping those roles to the appropriate set of access privileges based on business process and job function.

Role Certification

The periodic review of a role or roles in order to validate that the role contains the appropriate access privileges and that members of the role are correct. Role certifications are commonly used as an internal control and a way to prevent role proliferation.

Rules

Rules are the constuct through which IdentityIQ allows the addition of custom business logic at specific points within the execution flow of the product. Rules are written in BeanShell, a lightweight scripting language based on Java. Rules are created as part of the configuration process of IdentityIQ. Rules are used extensively throughout the IdentityIQ product.

Schema

A schema is a component of an application defined in IdentityIQ. The schema defines what data to read from the target resource and how to interpret that data. There are two common types of schemas:

Account – represent individual accounts on a target resource (AD or SAP Accounts, for example)

Group – represent native account groups from target resource (LDAP Groups or AD Groups, for example)

Scope

A scope is a container within the product in which objects can be placed to restrict access. IdentityIQ’s scoping functionality provides an additional level of control over the segments of data on which a user can perform these tasks. With scopes, customers can subdivide their data into logical groups and grant access based on those subdivisions. For example, perhaps a Compliance Officer for the Americas region should only be able to see details about the Identities within the Americas region. This can be managed by defining scopes based on Identities’ Region attributes.

There are two subtypes of scopes that control access:

Controlled Scope — a scope over which an identity has access. This is combined with the identity's capabilities to determine to which objects a user has access. Every identity in the system can control zero or more scopes.

Assigned Scope — a scope in which an object lives and is used to control who can view and manage the object. Every object in the product is assigned zero or one scopes. By default, an object that does not have an assigned scope is available to everyone. The default behavior can be changed during configuration.

Script

A script is a segment of Beanshell code that is included in an object and only used within the given location, such as a Workflow step.

Self-service

Software that allows users to request access to resources using a self-service interface, which uses workflow to route the request to the appropriate manager(s) for approval.

Task

Tasks are used to automate the processes which build, update, and maintain the information contained within IdentityIQ. They can be launched from the MonitoràTasks UI or scheduled. Tasks invoke a compiled Java class and have access to the IdentityIQ API, including the database where IdentityIQ stores all of the identity information.

User

Anyone who accesses the IdentityIQ User Interface is a user. This includes certifiers, approvers, people requesting access for themselves or others, and people with administrative access to IdentityIQ. Specialized terms such as administrators (people with administrative access), help desk personnel (people with help desk access), certifier (someone completing an access review), approver (someone approving a request for access), and general user (the general population who has no special access and no work items assigned) refer to users with specific types of access (or lack thereof) or specific work to do.

Workgroup

A group of users within IdentityIQ that can perform actions (e.g. approvals) or own objects (e.g. roles, policies) within the system.

Work Item

A work item is anything that requires action by a human being before it is completed. Work items can be entire processes, such as certifications, or any piece of a process, such as the approval of one entitlement for one identity on one application.