Which IIQ version are you inquiring about?
8.4p2
We have been trying to implement a good solid stale account process for quite a while now. Our most recent attempts have left us wondering what other people are doing.
So, our goal is to get the lastlogontimestamp from AD, map it to an attribute in IIQ, and then use that attribute to determine if an account is stale or not. The challenge is that we have 8 Domain Controllers in production, and they can sometimes get out of sync until replication syncs everything up - there can be a two-week disparity in some cases. Our most recent attempts involved utilizing RPC Service to execute some PowerShell code in a BeanShell rule to query each DC, and then sort the lastlogontimestamps so we have the most recent one. The problem with this approach is that it can take about 4-5 seconds for the PowerShell code to do its thing, and when you scale that up to the number of AD accounts we have in production, we’re looking at very (very) long runtimes, and we’ve seen that degrade system performance as well as cause issues with our aggregation and refresh tasks.
I wanted to see if there are any other solutions out there that might be viable for us - it’s clear that RPC Service isn’t the way to go. It tests fine in our lower environments, but those environments only have one Domain Controller and a significantly lower user count, and even trying to simulate the load in lower environments gave me false positives.
So - my questions would be:
- What are other companies doing? We can’t be the only ones trying to manage stale accounts - so we’re thinking maybe we’re approaching this the wrong way.
- Are there any load-testing tools available for SailPoint so we get good, reliable test results in lower environments?
We do have plans to at some point connect FAM to IIQ, and I know that FAM is collecting the most recent last logon timestamp from AD, so maybe that’s the route we should be exploring, but I wanted to reach out to you and see if we can come up with a solution that works for us.
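The merge step the post describes (collect one account's lastLogonTimestamp from every DC, keep the newest, then judge staleness) as an added Python example; this is not code from the post, SailPoint, or FAM. DC names, FILETIME values, the 90-day threshold and the 14-day replication slack are constructed assumptions, and the per-DC LDAP query itself (the slow part in the post) is left out so the merge and decision logic can be checked on its own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one account's lastLogonTimestamp as returned by
# three hypothetical DCs before replication has converged. AD returns the
# value as a FILETIME string (100 ns ticks since 1601-01-01 UTC); "0" means
# the DC has never recorded a logon for this account.
SAMPLE_PER_DC = {
    "dc01.example.local": "133485408000000000",  # 2024-01-01
    "dc02.example.local": "133494048000000000",  # 2024-01-11, newest
    "dc03.example.local": "0",                   # never, on this DC
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an AD FILETIME string to a UTC datetime; None for 0 or empty."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    # FILETIME ticks are 100 ns; timedelta works in microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def most_recent_logon(per_dc):
    """Newest lastLogonTimestamp across all DCs, or None if no DC has one."""
    seen = [t for t in (filetime_to_datetime(v) for v in per_dc.values()) if t]
    return max(seen) if seen else None


def is_stale(per_dc, now_iso, threshold_days=90, replication_slack_days=14):
    """True if the newest logon on any DC is older than the threshold.

    replication_slack_days (assumed 14, matching the disparity in the post)
    is added so an account is not flagged while a fresher value may still
    be waiting to replicate. An account no DC has ever seen log on is
    reported stale; callers should also check whenCreated before acting on
    brand-new accounts.
    """
    now = datetime.fromisoformat(now_iso)
    newest = most_recent_logon(per_dc)
    if newest is None:
        return True
    return newest + timedelta(days=threshold_days + replication_slack_days) < now


if __name__ == "__main__":
    print("newest:", most_recent_logon(SAMPLE_PER_DC))
    print("stale on 2024-05-01:", is_stale(SAMPLE_PER_DC, "2024-05-01T00:00:00+00:00"))
```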