Announcement: Updates to Non-Employee Risk Management User Accounts

In order to better support authentication and access management via Identity Security Cloud, Non-Employee Risk Management will soon make some changes to User Accounts for ISC-connected tenants.

Why are these updates being made?

We will soon be enabling the Non-Employee Risk Management Users Connector in Identity Security Cloud, which will allow customers to manage their NERM Lifecycle user accounts and access via established ISC lifecycle and governance processes. This is being designed to replace the current approach, where NERM Lifecycle user access is managed via LDAP Directory groups.

To ensure that NERM users have the correct access on their accounts when customers switch to the new connector, each user in NERM must be associated with a single identity in ISC. These changes automate that association.

Which customers will be affected?

Any Identity Security Cloud + Non-Employee Risk Management customers who leverage Identity Security Cloud for authentication.

What updates are being made?

Lifecycle User Deduplication

In the past, it was possible for duplicate user accounts to be created in NERM when the same user authenticated through ISC both with a local login (name and password) and through their Identity Provider (IDP).

For customers who have these duplicate user accounts, Non-Employee Risk Management will consolidate them into a single account. Accounts are matched on the SailPoint Identity ID attribute, which is present on all Lifecycle user accounts in NERM and always corresponds to a single ISC identity.

Lifecycle User Attribute updates

Currently, Lifecycle users in NERM are created from the data received from the Identity Provider. The values of their user attributes in NERM, such as login, name, and email, correspond to the values received in the SAML claims from the IDP.

Going forward, the values for login, name, and email will correspond to the values for the Identity Attributes on the NERM users’ Identities in ISC.

ISC Identity Attribute    NERM User Attribute
----------------------    -------------------
Display Name              Name
Work Email                Email
username                  login

How will NERM Lifecycle users be affected by these changes?

We anticipate the effects to be minimal.

What is staying the same

  • NERM Lifecycle users will not need to sign out.

  • NERM Lifecycle users will retain their existing access.

  • NERM Lifecycle users will continue to authenticate as normal.

  • New NERM Lifecycle users can be created as normal.

What is changing

  • User Account Consolidation: Duplicate accounts created via local authentication (when the primary account is managed through IDP) will be removed. This will not affect user access, as only redundant accounts are being deleted.

  • Attribute Updates: After the change, user attributes in NERM (such as display name and email) will be updated to match the information in ISC. This happens when a user authenticates, so users who have not logged in since the change will not see the update until their next authentication.

What do you need to do?

  1. Review ISC Identity Data: Please review the identity data within your ISC tenant to anticipate potential changes to user attributes (display name, email) in NERM.

  2. Inform Users: Let your users know that their display names and/or email addresses in NERM might be updated to reflect the information in ISC.

When will these changes go into effect?

  • Dev/Sandbox: Monday, November 10
    • Lifecycle User Deduplication: Complete
    • Lifecycle User Attribute updates: Tuesday, November 18

  • Production: Monday, November 17
    • Lifecycle User Deduplication: Monday, December 1
    • Lifecycle User Attribute updates: Monday, December 1

UPDATE - November 17:
The Lifecycle User Deduplication task outlined above has been performed in customer Sandbox tenants.

The Lifecycle User Attribute updates have been delayed. We will instead be enabling these updates in Sandbox tenants tomorrow, Tuesday, Nov. 18.
We are also pushing out the date on which these changes go into effect in Production, to allow our customers more time to observe the changes in their Sandbox tenants.

Both of the above changes, Lifecycle User Deduplication and Lifecycle User Attribute updates, will be applied to customer Production tenants on Monday, December 1.

If you need to update a number of users to correct their Login / SailPoint Identity ID that was pre-provisioned with an incorrect value, below are some scripts to help that process.

Script to update users. It reads test.csv (columns: id, name, login, email, sailpoint_identity_id) and sends the rows to the users endpoint in batches of 100. You would have to modify a few values:

  • On line 6 (the URI.parse line), change “TENANT” to your NERM tenant
  • On line 15 (the Authorization header), replace “API_TOKEN” with a token from NERM > Admin > System > API

require 'csv'
require 'json'
require 'net/http'

def makeAPIrequest(uriEnd, requesttype, jsonbody = '')
  uri = URI.parse("https://TENANT.nonemployee.com/api/#{uriEnd}")   # replace TENANT with your NERM tenant
  p uri
  if requesttype == 'get'
    request = Net::HTTP::Get.new(uri)
  elsif requesttype == 'patch'
    request = Net::HTTP::Patch.new(uri)
  end
  request.content_type = "application/json"
  request["Accept"] = "application/json"
  request["Authorization"] = "Token token=API_TOKEN"   # replace API_TOKEN with a NERM API token
  request.body = jsonbody unless jsonbody == ''

  # VERIFY_PEER makes Ruby validate the tenant's TLS certificate, so the API token
  # above is only ever sent to a host that presents a valid certificate for it.
  req_options = { read_timeout: 50, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER }

  # the block's return value (the response) is the method's return value
  Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
    http.request(request)
  end
end

updatejson = []

p "Reading in users from CSV"
CSV.foreach("test.csv", headers: true, col_sep: ",") do |row|
  rowData = row.to_hash
  updatejson << {
    id: rowData["id"],
    name: rowData["name"],
    login: rowData["login"],
    email: rowData["email"],
    sailpoint_identity_id: rowData["sailpoint_identity_id"]
  }
end

p "Updating users"
# PATCH the users in batches of 100 per request
updatejson.each_slice(100) do |w|
  patchjson = JSON.generate({ 'users' => w })
  res = makeAPIrequest("users", "patch", patchjson)
  p res.code
  p res.body unless ["200", "201", "202"].include?(res.code)
end

p "Users updated"

If you need a list of users to update, here is a script that gets all users (paging through the users endpoint) and writes them to nerm_users.csv:

  • On line 6 (the URI.parse line), change “TENANT” to your NERM tenant
  • On line 15 (the Authorization header), replace “API_TOKEN” with a token from NERM > Admin > System > API

require 'csv'
require 'json'
require 'net/http'

def makeAPIrequest(uriEnd, requesttype, jsonbody = '')
  uri = URI.parse("https://TENANT.nonemployee.com/api/#{uriEnd}")   # replace TENANT with your NERM tenant
  p uri
  if requesttype == 'get'
    request = Net::HTTP::Get.new(uri)
  elsif requesttype == 'patch'
    request = Net::HTTP::Patch.new(uri)
  end
  request.content_type = "application/json"
  request["Accept"] = "application/json"
  request["Authorization"] = "Token token=API_TOKEN"   # replace API_TOKEN with a NERM API token
  request.body = jsonbody unless jsonbody == ''

  # VERIFY_PEER makes Ruby validate the tenant's TLS certificate before the token is sent
  req_options = { read_timeout: 50, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER }

  response = Net::HTTP.start(uri.hostname, uri.port, req_options) do |http|
    http.request(request)
  end

  return response.body, response.code
end

users = Array.new
limit = 1000
offset = 0

p "Getting all Users:"
loop do
  # uriEnd must not start with "/" or the URL gets a double slash after /api/
  response_body, response_code = makeAPIrequest("users?limit=#{limit}&offset=#{offset}&metadata=true", 'get')
  break if response_code != '200'

  page = JSON.parse(response_body).fetch("users", [])
  break if page.empty?   # past the last page: stop instead of looping forever

  users.concat(page)
  offset += limit
end

p "#{users.size} found. Generating CSV"

CSV.open("nerm_users.csv", "w") do |csv|
  csv << ["id", "uid", "type", "name", "email", "title", "status", "login", "last_login", "group_strings", "sailpoint_identity_id"]
  users.each do |u|
    csv << [u["id"], u["uid"], u["type"], u["name"], u["email"], u["title"], u["status"], u["login"], u["last_login"], u["group_strings"], u["sailpoint_identity_id"]]
  end
end

p "CSV created"
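A pre-flight check for step 1 ("Review ISC Identity Data") and for the two scripts above, added here as an example and not part of the announcement or SailPoint's own scripts: it reads a NERM user export in the layout the Get script writes and an ISC identity export, reports identity IDs shared by more than one NERM account (what the deduplication consolidates), users with no ISC identity, and the name/email/login changes the mapping table implies, and emits the rows the update script reads as test.csv. The ISC export's column names ("Identity ID" plus the three attribute names from the table) and the sample data are assumptions.

```ruby
require 'csv'

# Constructed sample inputs (not real tenant data): a NERM user export in the column
# layout the Get script writes, and an ISC identity export with assumed column names.
NERM_USERS_CSV = <<~CSV
  id,name,email,login,sailpoint_identity_id
  u-1,Jane Doe,jane@example.com,jdoe,isc-id-001
  u-2,J Doe,jane.doe@corp.example.com,jane.doe,isc-id-001
  u-3,Bob Ray,bob@example.com,bray,isc-id-002
  u-4,Eve Adams,eve@example.com,eadams,
CSV
ISC_IDENTITIES_CSV = <<~CSV
  Identity ID,Display Name,Work Email,username
  isc-id-001,Jane Doe,jane.doe@corp.example.com,jane.doe
  isc-id-002,Bob Ray,bob@example.com,bray
CSV

# ISC identity attribute -> NERM user attribute, as in the mapping table above.
ATTRIBUTE_MAP = { 'Display Name' => 'name', 'Work Email' => 'email', 'username' => 'login' }.freeze

# Returns: identity IDs shared by several NERM accounts (deduplication candidates), NERM
# user IDs with no matching ISC identity (nothing to associate them with), and the users
# whose attributes will change, with the ISC values in the update script's column layout.
def preflight(nerm_csv, isc_csv)
  users = CSV.parse(nerm_csv, headers: true).map(&:to_h)
  identities = CSV.parse(isc_csv, headers: true).map { |i| [i['Identity ID'], i.to_h] }.to_h
  grouped = users.group_by { |u| u['sailpoint_identity_id'].to_s }
  duplicates = grouped.select { |id, accts| !id.empty? && accts.size > 1 }.keys
  unmatched, linked = users.partition { |u| identities[u['sailpoint_identity_id']].nil? }
  rows = linked.map do |u|
    identity = identities[u['sailpoint_identity_id']]
    changed = ATTRIBUTE_MAP.select { |isc_attr, nerm_attr| identity[isc_attr] != u[nerm_attr] }.values
    next if changed.empty?
    { 'id' => u['id'], 'name' => identity['Display Name'], 'login' => identity['username'],
      'email' => identity['Work Email'], 'sailpoint_identity_id' => u['sailpoint_identity_id'],
      'changed' => changed.join('|') }
  end.compact
  { duplicates: duplicates, unmatched: unmatched.map { |u| u['id'] }, rows: rows }
end

# The changed users as a CSV the update script can read as test.csv; the extra
# "changed" column is for review only and is ignored by that script.
def preflight_csv(nerm_csv, isc_csv)
  cols = %w[id name login email sailpoint_identity_id changed]
  CSV.generate do |csv|
    csv << cols
    preflight(nerm_csv, isc_csv)[:rows].each { |r| csv << r.values_at(*cols) }
  end
end
```

Run preflight against the real exports and review the duplicate and unmatched lists before feeding the generated CSV to the update script; an unmatched user will not be associated with any ISC identity and should be corrected first.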