Access Profiles Composition Certification Campaigns by Owner

Content Community Blog
, , , ,
1

This solution was the result of a collaborative effort with @mostafa_helmy, whose valuable insights and contributions played a key role in shaping the solution.

What are Access Profiles?

Access Profiles are predefined sets of permissions or entitlements that can be assigned to users. These profiles streamline the assignment of access rights by grouping together the necessary permissions required for specific roles or functions within the organization.

Key Features

  1. Simplification: Instead of assigning individual permissions to users one by one, access profiles allow administrators to bundle these permissions. This makes it easier to manage and reduces the complexity of access control.
  2. Consistency: By using access profiles, organizations ensure that users with similar roles or job functions receive consistent access rights. This helps in maintaining uniformity and avoiding access discrepancies.
  3. Efficiency: Access profiles speed up the process of onboarding new employees or changing the roles of existing employees. By assigning a profile, all necessary permissions are granted in one step.
  4. Compliance and Auditing: Access profiles facilitate easier tracking and auditing of who has access to what resources. This is crucial for compliance with various regulations and standards.
  5. Role-Based Access Control (RBAC): Access profiles are often used in conjunction with RBAC policies, where profiles are linked to specific roles within the organization. This aligns access rights with organizational roles and responsibilities.

Usage Scenarios:

  1. Onboarding New Employees: When a new employee joins, assigning them an access profile based on their job role ensures they have all the necessary access rights from day one.
  2. Role Changes: If an employee changes roles within the organization, administrators can easily update their access by assigning a new access profile, removing old permissions and adding new ones in a single step.
  3. Compliance Management: Regular audits of access profiles help in ensuring that only authorized users have access to sensitive information, supporting compliance with regulations like GDPR, HIPAA, etc.
  4. Access Reviews: Periodic reviews of access profiles help in identifying and revoking unnecessary permissions, thereby reducing the risk of unauthorized access.

Customers Expectation

  1. Regular Audits: Access profile owners are expected to regularly review the permissions associated with their profiles to ensure they are still relevant and appropriate for the roles or functions they support.
  2. Updates and Changes: They are responsible for updating the access profiles as needed, adding new permissions for new functionalities, and removing permissions that are no longer necessary or that pose a security risk.
  3. Compliance and Security: Ensuring that the access profiles comply with organizational policies and regulatory requirements is a key responsibility. This involves making sure that the permissions granted are the minimum necessary for the users to perform their roles.

The following solution facilitates the Access Profile Owners certification to maintain:

  • Automated Review Campaigns & Remediation: Regularly scheduled reviews where profile owners are prompted to review and certify the accuracy of access profiles, then automate the remediation of any changes made by the reviewers.
  • Audit Logs: Detailed logs of changes made to access profiles, which help in tracking and accountability.
  • Compliance Reports: Reports that show the status of access profiles and highlight any potential issues or areas that need attention.

Solution

Access Profiles Owner Certification

This solution is an example that combines the Webservice SaaS Connector with a Customizer using TypeScript SDK to model Access Profiles as Machine Identities Or Uncorrelated Accounts. This allows owners to certify the Access Profiles’ definitions (i.e. linked Entitlements) and automate the modifications tasks required to update Access Profiles.

High-Level

Utilizing the SaaS 2.0 WebService connector to loopback to the ISC tenant and aggregate the Access profiles as Machine Identities Or Uncorrelated Accounts. Then schedule an account owner Machine Identities certification campaign. Then all the account owner (Access Profile Owners) to certify the linked entitlement to their access profiles after activating the certification campaign.

Pros Cons
Leveraging the ISC OOTB capabilities: Workflows, SaaS 2.0 Connectors, Customizers and Certification campaigns wizard, Machine Identity Security Increase the number of Machine Identities OR Increase the number of uncorrelated accounts
Enhanced Reporting capabilities Requires Machine Identities Security License OR Requires a placeholder identity as source owner
OOTB Email notification Search API latency

Deployment Steps

  1. Create a new Webservice SaaS Connector:

image
image2362Ă—378 40.3 KB

image
image1767Ă—657 109 KB

  1. Configure a Webservice SaaS connector to loopback on your ISC tenant using a Oauth2.0 Authentication type and use Client Credentials client Id & client secret as the following:

image
image2796Ă—1508 474 KB

  1. In the HTTP Operations, you will configure 6 operations:
  2. Test Connection:
    1. Configure the general information:
    2. Request Type: API
    3. Context URL: /v3/search?limit=1
    4. HTTP Method: POST

image
image2358Ă—1690 183 KB

2. Headers
  1. Content-Type: application/json

image
image2264Ă—458 29.1 KB

  2. In the Body section select **Raw** and add the below search query:

{
    "query": {
        "query": "*"
    },
    "indices": [
        "accessprofiles"
    ],
    "includeNested": true,
    "queryResultFilter": {
    "includes": [
      "name",
      "id",
      "description",
      "entitlements",
      "enabled",
      "owner",
      "requestable",
      "created",
      "apps"
    ]}
}

3. In the Response Information add the success code: 2**

image
image2276Ă—520 29.7 KB

4. Save the Test Connection Operation
  1. Account Aggregation Operation: Access_Profiles_Aggregations
    1. Configure the general information:
    2. Operation Name: Access_Profiles_Aggregation
    3. Operation Type: Account Aggregation
    4. Request Type: API
    5. Context URL: /v3/search?limit=10000
    6. HTTP Method: POST

image
image2352Ă—1476 151 KB

2. Headers
  1. Content-Type: application/json

image
image2320Ă—548 40.5 KB

3. In the Body section select **Raw** and add the below search query:

{
    "query": {
        "query": "*"
    },
    "indices": [
        "accessprofiles"
    ],
    "includeNested": true,
    "queryResultFilter": {
    "includes": [
      "name",
      "id",
      "description",
      "entitlements",
      "enabled",
      "owner",
      "requestable",
      "created",
      "apps"
    ]}
}

4. In the Response Information
  1. Root Path: $
  2. Success code: 2**

image
image2338Ă—822 49.5 KB

5. Response Mapping:

image
image2346Ă—1536 206 KB

8. Save
  1. Get-Object:
    1. Configure the general information:
    2. Operation Name: Get Access Profile
    3. Operation Type: Get Object
    4. Request Type: API
    5. Context URL: /v3/access-profiles/$getObject.nativeIdentity$
    6. HTTP Method: GET

image
image2346Ă—1226 137 KB

2. Headers
  1. Content-Type: application/json

image
image2340Ă—562 41.2 KB

3. In the Response Information
  1. Root Path: $
  2. Success code: 2**

image
image2330Ă—812 46.3 KB

4. Response Mapping:

image
image2322Ă—1508 196 KB

5. Save
  1. Group Aggregation
    1. Operation Name: Entitlements Aggregations
    2. Operation Type: Group Aggregation
    3. Request Type: API
    4. Context URL: /v3/search?limit=10000
    5. HTTP Post: POST

image
image2344Ă—1464 148 KB

2. Header:
  1. Content-Type: application/json

image
image2336Ă—1412 120 KB

3. Body:
  1. Raw:

  {
    "query": {
        "query": "*"
    },
    "indices": [
        "accessprofiles"
    ],
    "includeNested": true,
    "queryResultFilter": {
    "includes": [
"entitlements"
    ]}
}

4. Response Information:
  1. Root Path: $..entitlements[?(@.id)]
  2. Success Code: 2**
5. Respond Mapping:

image
image2318Ă—1348 145 KB

7. Save
    1. Update Account
    2. General Information:
    3. Operation Name: Update Access Profile
    4. Operation Type: Update Account
    5. Request Type: API
    6. Context URL: /v3/access-profiles/$plan.nativeIdentity$
    7. HTTP Post: PATCH

image
image2334Ă—1396 148 KB

2. Header
  1. Content-Type: application/json-patch+json

3. Body
  1. Raw

$plan.entitlements$

image
image2376Ă—1160 101 KB

4. Response Information
  1. Root Path: $
  2. Success Code: 2**

image
image2360Ă—1042 98.4 KB

5. Response Mapping

image
image2260Ă—1516 195 KB

6. Save
  1. Update Account
    1. General Information:
    2. Operation Name: Update Access Profile Entitlements
    3. Operation Type: Remove Entitlement
    4. Request Type: API
    5. Context URL: /v3/access-profiles/$plan.nativeIdentity$
    6. HTTP Post: PATCH

image
image2358Ă—1264 139 KB

2. Header
  1. Content-Type: application/json-patch+json
3. Body
  1. Raw

$plan.entitlements$

image
image2376Ă—1160 101 KB

4. Response Information
  1. Root Path: $
  2. Success Code: 2**

image
image2360Ă—1042 98.4 KB

5. Response Mapping

image
image2260Ă—1516 195 KB

6. Save
  1. Save the HTTP Operations

image
image1632Ă—1526 143 KB

  1. Go to Additional Setting and check the boxes for :
  2. Add or Remove Entitlements in a Single Request
  3. Skip getObject Call during Create Provisioning

image
image2560Ă—733 192 KB

  1. Save and Review and test the connection.
  2. In the Connector, navigate to Account Schema
  3. Configure the Account schema to look like:

image
image2560Ă—1089 310 KB

In the Connector, navigate to Entitlement Type

  1. Configure the Group schema to look like:
    image
    image2560Ă—885 235 KB

Then, deploy the Account Update customizer code from GitHub Repo, this code is used to prepare the account update request body. the code checks the revoked entitlements:

  • If the reviewer has revoked all the access profile entitlements, it disables the access profile.
  • Otherwise, it removes the revoked entitlements from the access profile.

Pre-reqs to deploy the Customizer code

How to deploy the Customizer code

  1. Manually download & extract the code from GitHub, or use the git command line to clone the repo:

git clone https://github.com/mostafa-helmy-sp/isc-saas-customizer-access-profile-beforeupdate.git

  1. Building a connector customizer is similar to building a SaaS Connectorm, then package it using the following commands:

npm install npm run pack-zip

  1. Upload the created customizer zip file to the ISC tenant by ID:

sail conn customizers upload -c Customizer_ID -f .\dist\my-connector-customizer-0.1.0.zip

  1. Note the Customizer ID returned by this command for later use.
  2. List the current connector instatnce and save your Connector ID

sail conn instances list

  1. Link your customizer to your connector:

sail conn customizers link -i Connector_ID -c Customizer_ID

For more information about customizer: Connectivity Customizers | SailPoint Developer Community

Attached the Web Service SaaS Source where you can import it and change the configuration:
Access Profiles Aggregation Source-20250704-144515.json (14.4 KB)

Now choose which approach to follow:

1- Machine Identities Approach:
Note: Requires Extra license

In the connector configure the Machine Identity Security to Map the access profiles to their owners:

  • Navigate to the Machine Account Classification:
  • Enable Classification
  • Choose Classify all accounts
  • Click on Save & Process Classification

image
image2798Ă—904 152 KB

Then Navigate to Mappings

  • Choose Machine account Owner → Account to Identity

image
image1410Ă—888 59.1 KB

  • Then map the Account Attribute (“owner”) [Access Profile Owner] to the human Identity attribute (“name”)

image
image2744Ă—806 152 KB

  1. In the Connector, navigate to Account Aggregation → start aggregation and schedule it if necessary.
  2. In the Connector, navigate to Entitlement Aggregation → start aggregation and schedule it if necessary.

The Access Profile owner Identity page looks like:

image
image3430Ă—1252 235 KB

Now, let’s generate the Access Profile Composition certification Campaign:

Enjoy certifying the Access profiles entitlements now

image
image3374Ă—1446 350 KB

2- Uncorrelated Accounts Approach:
Note: No Extra license is required

We must perform a certification reassignment logic to the Access Profile Owner

Certification Reassign Logic

Using PowerShell Script

The PowerShell script hosted on the GitHub Repo needs to be run manually by an admin with the SailPoint PowerShell SDK installed to reassign each uncorrelated account item (Access Profile) to its current owner instead of the Source Owner.

The Certification ID (or Name), and the Source Owner ID and Name must be supplied to the script to find the correct certification and reassign from the source owner to the rightful owner.

Then,

  1. Navigate to search → Certification Campaigns → New Campaign → Uncorrelated Accounts

image
image2560Ă—948 132 KB

  1. Select the Access Profile SaaS WebService source that we have created earlier:

image
image2560Ă—683 116 KB

  1. Then, Certify these account and Give the Campaign a unique name as this name should be the same name used in the script earlier filter, Enable Email Notifications and complete the other campaign options.

4- Run the PowerShell script to do the required reassignments.
5- Activate the Campaign so the access profile owners can certify their access profiles.

1 Like
2

Are these not licensed entities?

3

Yes, Machine Identity Security “MIS” requires a license.

We can aggregate Access Profiles “AP” as uncorrelated account and use the uncorrelated accounts certification campaign but this will require:

  • The source owner should be a placeholder identity.
  • Develop a custom code using our SDKs preferred PowerShell SDK to re-assign the APs to their owners then start the campaign.

We’ve already test it but it’s a bit complicated.