
#NAVIGATE17

Super Hero Extended Attributes


Simplify your Custom Logic using Extended Attributes
Menno Pieters
Solution Architect
Agenda

• What are extended attributes?

• “Mild-mannered” extended attributes (basic data providing)

• “Super hero” extended attributes (functionality driving)

• Customer use cases

Copyright © SailPoint Technologies, Inc. 2017. All rights reserved. 3


Extended Attributes
(What and How)



What if…

Users could only request access that matched their job function
Certifications could contain extra information to help certifiers make
access decisions
Service accounts could be treated differently than user accounts

…and more!



Extended Attributes

Add implementation specific information to IdentityIQ objects


• Identity Cubes
• Entitlement Catalog Items (Managed Attributes)
• Roles (Bundles)
• Applications
• Accounts (Links)
• Certifications



Slides shown as images (extended attributes of each object type): Identity; Entitlement Catalog Item; Application; Role; Key Definitions


“Mild Mannered” Extended Attributes
(Default Behavior)



Default Behavior

Tracking business information
• Department, job title, region, etc.
• SOX, PCI, etc.

Searching
• Ad hoc queries
• Access request process

Reporting
• Account Attributes
• Identity Attributes


Searching (slide shown as an image)


“Super Hero” Extended Attributes
(Driving Functionality)



Driving Functionality

Business Modeling
• Defining Policy
• Defining Risk

Matching
• Correlating
• Role assignment rules
• Lifecycle event triggers

Conditional Logic
• Task filtering
• Rules
• Approvals
• Certification exclusion
• Custom provisioning
• Quicklink populations

…and more!
Extended Attribute Use Cases

• Extending identities
• Extending roles
• Extending applications
• Extending accounts
• Extending certifications
• Extending entitlement catalog items
• Extending multiple objects


Case Study: Extending Identities
University Access Request (Identity Cubes)

The Problem:
• Staff/students have access to multiple campuses
• Each person has a primary campus

The Solution:
• Admins can only manage access for people who share the same primary campus

Identity Attributes: Primary_Campus, Campuses


Case Study: Extending Identities
University Access Request (Quicklink Population)

Identity Cubes:
Beth (Admin)   Primary_Campus: West    Campuses: West
John           Primary_Campus: West    Campuses: North, South, West
Rich           Primary_Campus: North   Campuses: North, East
Sue            Primary_Campus: West    Campuses: North, East, West

LCM: Select User (population visible to Beth): Beth, John, Sue
Rich is not listed because his primary campus (North) differs from Beth's (West), even though the Campuses attributes overlap.

Identity Attributes: Primary_Campus, Campuses


Case Study: Extending Identities
Correlating Multiple Personas

The Problem:
• Hospital associates can have multiple employee IDs, corresponding to multiple jobs
• Access corresponds to job
• Need to correlate access for multiple IDs to one person

The Solution:
• Add extended attribute to identities
• Populate with encrypted hashed PII data from HR system
• Correlate multiple HR feed records per person

Identity Attribute: Correlation_ID

HR Records:                     Identity Cube:
Victor, Doctor, fff13289        Victor
Victor, Professor, fff13289     Correlation_ID: fff13289
Victor, Researcher, fff13289
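The slide says the Correlation_ID is "encrypted hashed" PII. That wording matters: a plain SHA-256 of a national ID or birth date is reversible by brute force (a US SSN has fewer than a billion possible values), so the hash has to be keyed, with the key held by the HR export job and never stored in IdentityIQ. The example below is written for this page, not SailPoint's or the hospital's code; it derives the attribute with HMAC-SHA256 over normalized PII fields so that the same person's records from differently formatted feeds (accents, case, punctuation in the ID) collapse to one value, while a different person gets a different one. The HR record layout and the literal key are constructed for the demonstration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.text.Normalizer;
import java.util.*;

/**
 * Derives a Correlation_ID from HR PII with a keyed hash (HMAC-SHA256).
 * The key lives with the HR export job; IdentityIQ only ever stores the digest.
 * Example written for this page; it is not SailPoint's or the hospital's code.
 */
public class CorrelationId {
    private static final String ALG = "HmacSHA256";

    /** Canonicalize a field so two HR feeds that format it differently still match. */
    static String normalize(String s) {
        if (s == null) return "";
        String n = Normalizer.normalize(s, Normalizer.Form.NFKD).replaceAll("\\p{M}", ""); // strip accents
        n = n.replaceAll("[^\\p{Alnum} ]", "");   // drop punctuation: 123-45-6789 and 123456789 agree
        return n.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT);
    }

    /** Keyed digest of the canonical PII tuple, hex encoded. */
    static String correlationId(byte[] key, String lastName, String dateOfBirth, String nationalId) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(key, ALG));
            // The separator keeps ("ab","c") and ("a","bc") from hashing to the same value.
            String canonical = normalize(lastName) + "\u001f" + normalize(dateOfBirth)
                             + "\u001f" + normalize(nationalId);
            byte[] digest = mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    /** Group HR feed rows (one per employee ID / job) by the person they belong to. */
    static Map<String, List<String>> groupPersonas(byte[] key, List<String[]> hrRecords) {
        Map<String, List<String>> byPerson = new LinkedHashMap<>();
        for (String[] r : hrRecords) {
            // r = {employeeId, jobTitle, lastName, dateOfBirth, nationalId}  (constructed layout)
            String cid = correlationId(key, r[2], r[3], r[4]);
            byPerson.computeIfAbsent(cid, k -> new ArrayList<>()).add(r[0] + " (" + r[1] + ")");
        }
        return byPerson;
    }

    public static void main(String[] args) {
        // Constructed sample data. A real key is 32+ random bytes from a vault, never a literal.
        byte[] key = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        List<String[]> hr = Arrays.asList(
            new String[]{"E1001", "Doctor",     "Pérez",  "1975-03-09", "123-45-6789"},
            new String[]{"E2002", "Professor",  "PEREZ ", "19750309",   "123456789"},   // other feed's formatting
            new String[]{"E3003", "Researcher", "Perez",  "1975-03-09", "123-45-6789"},
            new String[]{"E4004", "Nurse",      "Chen",   "1988-11-21", "987-65-4321"});
        groupPersonas(key, hr).forEach((cid, jobs) ->
            System.out.println(cid.substring(0, 8) + " -> " + jobs));
    }
}
```

The three Pérez rows share one Correlation_ID and the Chen row gets another, so the identity refresh can correlate all three HR records to one cube. Rotating the key changes every Correlation_ID at once, so plan the rotation as a full re-correlation rather than an incremental one.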
Case Study: Extending Identities
Specify Owners for Service Cube Reviews

The Problem:
• Specify unique owners for Service Identity Cubes
• Do not provide additional abilities (e.g. manager capabilities) to the service cube owner

The Solution:
• Use the owner to certify service accounts

Identity Attribute: SrvCube_Owner (data type: identity)

Identity Cubes:
Service.Cube1
  Manager: <empty>
  SrvCube_Owner: Denise.Hunt

Karen.Johnson
  Manager: Rich.Simms
  SrvCube_Owner: <empty>

Advanced Certification

Run Time: If no SrvCube_Owner, exclude from certification
Case Study: Extending Roles
Mixed Approval Process

The Problem:
• Some tools require manager approval
• Some tools require no approval
• Omit unnecessary approvals

The Solution:
• Add extended attribute to roles
• Populate during role creation
• Mark roles that do not need approval
• Add approval assignment rule

Role Attribute: Approval_Free

Run Time: If Approval_Free, bypass approval step


Case Study: Extending Identities and Roles
Access Security

The Problem:
• Secure site where users must have a minimum security level to request key roles

The Solution:
Identity attribute: Security_Level
Role attribute: Req_Sec_Level


Case Study: Extending Identities and Roles
Access Security

CONFIGURATION

Identity Cubes:
John    Security_Level: 7
Susan   Security_Level: 12
Ian     Security_Level: 2

Roles:
Spy Super User   Req_Sec_Level: 10
Spy Audit        Req_Sec_Level: 10
Spy Data Entry   Req_Sec_Level: 5

ACCESS REQUESTS (Access Options shown to each requester)

John    Spy Data Entry
Susan   Spy Super User, Spy Audit, Spy Data Entry
Ian     <No Spy Options>

Identity attribute: Security_Level
Role attribute: Req_Sec_Level

Run Time: Is Req_Sec_Level less than user's Security_Level?
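The run-time check on this slide is one comparison, but the part that bites in production is what happens when an attribute is missing or was loaded as text. The example below is written for this page, not SailPoint's code: extended attributes are passed in as Maps standing in for what Identity.getAttribute(...) and Bundle.getAttribute(...) return, the comparison is the slide's strict "Req_Sec_Level less than Security_Level", and the handling of absent or malformed values (a role with no Req_Sec_Level is unrestricted, a requester with no usable Security_Level clears nothing) is this example's assumption, not something the slides state. The "Cafeteria Menu" role and the "Temp" requester are constructed to exercise those cases.

```java
import java.util.*;

/**
 * Offers a role in the access request only when the requester's Security_Level
 * clears the role's Req_Sec_Level. Example written for this page, not SailPoint's
 * code: extended attributes are passed in as Maps standing in for what
 * Identity.getAttribute(...) and Bundle.getAttribute(...) would return.
 */
public class SecurityLevelFilter {

    /** Read a numeric extended attribute stored as a Number or a String; null if absent or malformed. */
    static Integer level(Map<String, Object> attrs, String name) {
        Object v = attrs.get(name);
        if (v instanceof Number) return ((Number) v).intValue();
        if (v instanceof String) {
            try { return Integer.valueOf(((String) v).trim()); }
            catch (NumberFormatException e) { return null; }
        }
        return null;
    }

    /**
     * The slide's check, Req_Sec_Level < Security_Level, plus fail-closed handling of
     * missing data (an assumption of this example, not stated on the slides): a role
     * with no Req_Sec_Level is unrestricted, but a requester with no usable
     * Security_Level never clears a restricted role.
     */
    static boolean requestable(Map<String, Object> identityAttrs, Map<String, Object> roleAttrs) {
        Integer required = level(roleAttrs, "Req_Sec_Level");
        if (required == null) return true;
        Integer clearance = level(identityAttrs, "Security_Level");
        if (clearance == null) return false;
        return required < clearance;
    }

    /** The "Access Options" list a given requester would see. */
    static List<String> accessOptions(Map<String, Object> identityAttrs,
                                      Map<String, Map<String, Object>> roles) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Map<String, Object>> e : roles.entrySet()) {
            if (requestable(identityAttrs, e.getValue())) out.add(e.getKey());
        }
        return out;
    }

    static Map<String, Object> attr(String name, Object value) {
        return Collections.singletonMap(name, value);
    }

    public static void main(String[] args) {
        // Constructed data matching the slide, plus two edge cases the slide does not show.
        Map<String, Map<String, Object>> roles = new LinkedHashMap<>();
        roles.put("Spy Super User", attr("Req_Sec_Level", 10));
        roles.put("Spy Audit",      attr("Req_Sec_Level", 10));
        roles.put("Spy Data Entry", attr("Req_Sec_Level", "5"));     // stored as a string by a CSV import
        roles.put("Cafeteria Menu", Collections.<String, Object>emptyMap()); // no clearance requirement

        Map<String, Map<String, Object>> requesters = new LinkedHashMap<>();
        requesters.put("John",  attr("Security_Level", 7));
        requesters.put("Susan", attr("Security_Level", 12));
        requesters.put("Ian",   attr("Security_Level", 2));
        requesters.put("Temp",  attr("Security_Level", "n/a"));      // malformed value must not grant access

        requesters.forEach((who, attrs) ->
            System.out.println(who + " -> " + accessOptions(attrs, roles)));
    }
}
```

With the slide's data this reproduces the Access Options column (John sees only Spy Data Entry, Susan sees all three, Ian sees none of the Spy roles); "Temp", whose attribute cannot be parsed, is offered only the unrestricted role. Whether a requester whose Security_Level equals Req_Sec_Level should qualify is a design decision the slides leave open; change the comparison to <= deliberately, not by accident.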


Case Study: Extending Applications
Priority Based Certification

The Problem:
• Flag applications for applicable regulations
• Run Q1 certification for high priority SOX applications

The Solution:
• Add extended attributes to Applications
• Populate during onboarding
• Use exclusion rule to selectively certify

Application Attributes: SOX, SOX Priority, PCI

Run Time: If not high priority, exclude


Case Study: Extending Accounts
Manage Application Risk

The Problem:
• Need better insight into application risk
• Certify privileged and service accounts on a stricter schedule

The Solution:
• Add extended attributes to accounts
• Privileged and Service sourced from account data
• Dormant calculated from last login date
• Set risk score for each account attribute and calculate application risk scores
• When certifying, identify privileged and service accounts

Account Attributes: Dormant, Privileged, Service

Run Time: If not Privileged or Service, exclude
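Three of the case studies (the service cube owner review, the Q1 SOX certification and the privileged/service account review above) come down to the same mechanism: a certification exclusion rule that looks at extended attributes and either keeps an item or moves it aside with an explanation. The example below is written for this page, not the customers' rules: it mirrors that contract without depending on the IdentityIQ classes, reads the attributes from Maps standing in for the Application, Link and Identity objects, tolerates the Boolean-versus-"true" string ambiguity that aggregated flags often carry, and computes Dormant from the last login date with an account that has never logged in treated as dormant rather than fresh. The account names, the 90-day dormancy window and the attribute values are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.*;

/**
 * Exclusion decisions driven by extended attributes: the Q1 SOX certification
 * keeps only high-priority SOX applications, the privileged/service review
 * drops ordinary user accounts, and the service-cube review drops cubes with
 * no SrvCube_Owner. Example written for this page, not the customers' rules;
 * it mirrors the contract of an IdentityIQ exclusion rule (keep the item, or
 * move it aside with an explanation) without using the IdentityIQ classes.
 */
public class CertExclusion {

    enum CertType { SOX_Q1_HIGH_PRIORITY, PRIVILEGED_AND_SERVICE, SERVICE_CUBE_OWNER }

    /** One certifiable account with the extended attributes of its application and owning identity. */
    static final class AccountItem {
        final String name;
        final Map<String, Object> appAttrs;      // Application: SOX, SOX Priority, PCI
        final Map<String, Object> accountAttrs;  // Account: Privileged, Service, Dormant
        final Map<String, Object> identityAttrs; // Identity: SrvCube_Owner
        AccountItem(String name, Map<String, Object> app, Map<String, Object> acct, Map<String, Object> id) {
            this.name = name; this.appAttrs = app; this.accountAttrs = acct; this.identityAttrs = id;
        }
    }

    /** Boolean extended attributes arrive as Boolean or as the strings "true"/"false"; anything else is false. */
    static boolean flag(Map<String, Object> attrs, String name) {
        Object v = attrs.get(name);
        if (v instanceof Boolean) return (Boolean) v;
        return v != null && "true".equalsIgnoreCase(v.toString().trim());
    }

    /** Dormant = no login within maxIdle. An account that never logged in counts as dormant, not as fresh. */
    static boolean isDormant(Instant lastLogin, Instant now, Duration maxIdle) {
        return lastLogin == null || Duration.between(lastLogin, now).compareTo(maxIdle) > 0;
    }

    /** Returns null to keep the item in the certification, otherwise the reason it is excluded. */
    static String exclusionReason(CertType cert, AccountItem item) {
        switch (cert) {
            case SOX_Q1_HIGH_PRIORITY: {
                if (!flag(item.appAttrs, "SOX")) return "application not in SOX scope";
                Object prio = item.appAttrs.get("SOX Priority");
                return "High".equalsIgnoreCase(String.valueOf(prio)) ? null : "SOX priority is not High";
            }
            case PRIVILEGED_AND_SERVICE:
                return flag(item.accountAttrs, "Privileged") || flag(item.accountAttrs, "Service")
                        ? null : "standard user account";
            case SERVICE_CUBE_OWNER: {
                Object owner = item.identityAttrs.get("SrvCube_Owner");
                return owner == null || owner.toString().trim().isEmpty() ? "no SrvCube_Owner assigned" : null;
            }
            default:
                return null;
        }
    }

    /** Partition as the rule would: excluded items keyed by name with their explanation. */
    static Map<String, String> excluded(CertType cert, List<AccountItem> items) {
        Map<String, String> out = new LinkedHashMap<>();
        for (AccountItem it : items) {
            String reason = exclusionReason(cert, it);
            if (reason != null) out.put(it.name, reason);
        }
        return out;
    }

    static Map<String, Object> attrs(Object... kv) {
        Map<String, Object> m = new HashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) m.put((String) kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample: three accounts on two applications, one owned by a service cube.
        Instant now = Instant.parse("2017-10-01T00:00:00Z");
        List<AccountItem> items = Arrays.asList(
            new AccountItem("svc_backup@GL",
                attrs("SOX", "true", "SOX Priority", "High"),
                attrs("Service", "true", "Dormant", isDormant(null, now, Duration.ofDays(90))),
                attrs("SrvCube_Owner", "Denise.Hunt")),
            new AccountItem("kjohnson@GL",
                attrs("SOX", "true", "SOX Priority", "High"),
                attrs("Privileged", false, "Dormant",
                      isDormant(Instant.parse("2017-09-20T08:00:00Z"), now, Duration.ofDays(90))),
                attrs()),
            new AccountItem("root@HR-Portal",
                attrs("SOX", true, "SOX Priority", "Low", "PCI", "false"),
                attrs("Privileged", "TRUE"),
                attrs("SrvCube_Owner", "")));
        for (CertType cert : CertType.values()) {
            System.out.println(cert + " excludes " + excluded(cert, items));
        }
    }
}
```

Two points carry over to the real rule. First, an exclusion rule is a negative control: anything it excludes is never reviewed, so a flag that silently parses as false (a typo'd "ture", an unset attribute) should be logged, not just treated as "not privileged". Second, keep the Dormant calculation in the refresh that populates the attribute, as the slide does, rather than in the rule; the certification then records the value that was in effect, which is what an auditor will ask for.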


Case Study: Extending Accounts and Certifications
List Account Status in Certification

The Problem:
• Inform certifier if an account is privileged

The Solution:
Account Attribute: Privileged

Account                    Certification Item
Extended Attributes        Extended Attributes
Privileged: true           Privileged: true

UI Configuration: Add column entry for Privileged


Case Study: Extending Entitlement Catalog Items
AD Group to Windows Servers

The Problem:
• When requesting access, allow users to find the AD Group to request based on Windows servers
• During certification, display which Windows servers a user's AD group gives access to

The Solution:
• Add extended attribute to Entitlement Catalog Items
• Populate via group aggregation refresh rule
• Create certification
• Add certification item customization rule

Entitlement Catalog Item Attribute: Windows_Servers

Run Time: For AD group, set existing custom certification field to Windows_Servers


Case Study: Extending Roles, Applications & Accounts
Synchronize Owners with ServiceNow

The Problem:
• ServiceNow application is the definitive source for owners of applications and roles

The Solution:
• Synchronize application and role ownership in IdentityIQ with that listed in ServiceNow

Role attribute: CID
Application attribute: CID
Account attribute: SYS_ID

IdentityIQ objects:
Application                Workgroup                  Workgroup
Name: Finance              Name: Fin_Workgrp          Name: LLP_Workgrp
Owner: Fin_Workgrp         Members: Jon.Wu,           Members: Sue.Jones,
CID: 637                            John.Galt                   Lisa.Timms

Role
Name: LLP
Owner: LLP_Workgrp
CID: 114

ServiceNow Accounts        ServiceNow owner records
Sys_ID   Identity          App/Role CID   Owner Sys_ID   Identity
123      Jon.Wu            637            123            Jon.Wu
274      Sue.Jones         114            274            Sue.Jones

Run Time:
• Read owners from ServiceNow
• Lookup owners in IdentityIQ (match owner Sys_ID to the account's SYS_ID, and the record's CID to the application's or role's CID)
• Update owner workgroups
Thank You