Certifying identities that have a vast amount of access in IdentityIQ

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

We are currently facing an issue with handling identities that have a vast amount of access to be certified, including tens of thousands of roles and entitlements, within the Manager Certification campaign. This situation is causing performance bottlenecks during the generation of the certification campaign and is also making it challenging for the certifiers to certify such extensive access on the UI.

At present, we are excluding these identities from the regular manager certifications and storing them in a custom database table. However, we are on the lookout for a more efficient method to certify these users’ access.

I have explored the possibility of using Targeted Certification to certify this access from the custom database table, which seems feasible. The challenge, however, lies in filtering the roles or entitlements related to these users. The straightforward filters available on the Targeted Certification filter UI do not suffice, and we would need to apply some rules for this purpose.

Could someone please look into this scenario and provide some options to certify these users’ access more effectively?

Let me comment on that from the “Information Security Management” perspective.

Besides technical possibilities (even assuming you can do anything in the GUI) you will always end up with someone having to check unmanageable loads of roles and entitlements (based on what you said).

This is pretty common in big companies. That is why in information security (you can check ISO27K, NIST) there is a notion of data classification, which is supported by IIQ btw. So you mark roles and entitlements with hi, med, low classification (simplified) and if there are a lot you first certify the hi ones, then if there is time you do the medium ones, and the low ones you just accept (of course going through your Security Officer).

So you have the tools to do this in IIQ, and it could be manageable for the managers.

Something to think about.

Regards Alek

You’re dealing with a common challenge in IIQ - certifying users with massive access volumes in a way that’s performant and manageable.

Aleksander gave you a start on a great strategy above. His suggestion to use data classification would be a wise starting point. Some technical options to consider while you re-evaluate a comprehensive strategy:

  • Data classification based filtering
    • How to use: Tag roles and entitlements with classification levels (via extended attributes/metadata)
    • Use in targeted certifications: Create rules that only include “High” classification items for certification
    • Benefit: Reduce volume, focus certifier attention on critical access
  • Segmented targeted certifications
    • Instead of certifying all access at once, you can break it up into:
      • By application
      • By entitlement
      • By classification level
  • Bulk certification delegation
    • For users with excessive access, consider delegating certification to a security analyst or access owner rather than just the user’s manager
  • UI Performance options
    • If UI rendering is the bottleneck, you have options to improve performance such as optimizing the system/JVM memory

Thank you Aleksander. This is a good suggestion. I will try to initiate a discussion in this direction but alternatively will have to search for an option to efficiently certify this huge access in the meantime too.

Hello Dalton,
Thanks for responding to my query and providing the detailed suggestion.

I am actually looking for a way, if there is one, to achieve the below in targeted certifications, which you have mentioned.

  • Use in targeted certifications: Create rules that only include “High” classification items for certification

I understand that this can be done via the filters available in the UI, which do not suffice for our requirement. Could you please share if there is any Rule that can be utilized to customize the entitlements as suggested.

In targeted certification you have the ability to filter based on the classification attribute:

and if this is not enough you could create an additional attribute for Entitlement and filter on that

Yes, but this option doesn’t suit our implementation, as it is difficult for the newly added extended attribute to be included/excluded in the certification because the inclusion criteria are very dynamic in nature, depending on the certifying application. So, pre-calculating this additional attribute is not possible.

You can always use a “none” targeted certification and implement an Exclusion rule.

If you want to “hack” it: after generating the certification in staging, write custom code that will just remove unwanted entitlements from the generated certification.

Is it possible to use an exclusion rule in the Targeted Certification type? I doubt it’s possible.
Could you please share if there is any possibility.

There is no such option in GUI I’m afraid.

To be clear, it’s not in the GUI but it is supported through the XML. We have it configured for many of our certification campaigns.

That’s good to know that the exclusion rule can be configured in a targeted certification too. Could you please share more details on how this can be achieved.

You just need to give an exclusionRuleName in the XML, just like in other types of certification definitions.
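As an added example (not code from this thread or from SailPoint), here is how the exclusion-rule approach discussed above could be wired up: a CertificationExclusion rule that keeps only items inside a per-campaign dynamic scope, plus the exclusionRuleName entry that points the targeted certification definition at it. It assumes the standard inputs IdentityIQ passes to exclusion rules (entity, items, itemsToExclude); the in-scope application list and the riskClassification role attribute are constructed placeholders for whatever your custom table or classification metadata actually supplies.

```xml
<!-- Added example, not from the thread. Assumes IIQ's standard CertificationExclusion
     inputs: entity (the identity), items (List of Certifiable), itemsToExclude (List). -->
<Rule name="Example-DynamicScope-Exclusion" type="CertificationExclusion" language="beanshell">
  <Description>Excludes items outside the campaign's dynamic scope so the cert stays manageable.</Description>
  <Source><![CDATA[
    import java.util.Arrays;
    import java.util.HashSet;
    import java.util.Iterator;
    import java.util.Set;
    import sailpoint.object.Bundle;
    import sailpoint.object.EntitlementGroup;

    // Constructed placeholder: in practice, look up the applications that are in scope
    // for this identity/campaign in your custom table instead of hard-coding them.
    Set inScopeApps = new HashSet(Arrays.asList(new String[] { "Active Directory", "SAP" }));

    int excluded = 0;
    Iterator it = items.iterator();
    while (it.hasNext()) {
        Object item = it.next();
        boolean keep = true;
        if (item instanceof EntitlementGroup) {
            // Entitlements: keep only those granted on an in-scope application
            keep = inScopeApps.contains(((EntitlementGroup) item).getApplicationName());
        } else if (item instanceof Bundle) {
            // Roles: keep only those tagged "High" in an assumed extended attribute
            Object level = ((Bundle) item).getAttribute("riskClassification");
            keep = "High".equals(level);
        }
        if (!keep) {
            itemsToExclude.add(item);   // recorded as excluded, not silently dropped
            it.remove();
            excluded++;
        }
    }
    // The returned string is stored as the exclusion explanation for this entity
    return excluded + " item(s) excluded for " + entity.getName() + " as out of scope";
  ]]></Source>
</Rule>

<!-- Reference the rule from the targeted certification definition; the other
     attributes exported from your UI-created campaign are omitted here. -->
<CertificationDefinition name="Example High-Access Targeted Certification">
  <Attributes>
    <Map>
      <entry key="exclusionRuleName" value="Example-DynamicScope-Exclusion"/>
    </Map>
  </Attributes>
</CertificationDefinition>
```

Because excluded items are moved to itemsToExclude rather than dropped, the certification still records what was left out, which keeps the reduced scope auditable.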
