Exclusion of identity cubes from SoD Policy

Is it possible to exclude Identity Cubes or accounts from an SoD Policy?
Or withdraw/skip the creation of the Policy Violation?

As an example: the CISO might have 2 admin roles, while no one else is allowed to have both at the same time.

Without an exclusion (or some sort of filter), a violation is created for the CISO and it has to be approved every x months, while this might be part of the agreed Target Operation Model of the company.

Any ideas are welcome :slight_smile:

– Remold

Hello Remold,

Here are some ideas:

  1. We can consider using an Advanced Policy, where we can define more flexible logic: Setup → Policies → create or edit an Advanced Policy → Policy Rules section → Create New Rule. There we have several methods; here is a very simple example using Match List.
  2. When the logic is more complex, we can also use a Rule to calculate the PolicyViolation. There is a good example regarding the Rule in this Compass post.
  3. Write your own policy executor; as a starting point, here is the reference Compass post. This is most likely similar to the Advanced Policy with Rule implementation.
  4. In addition, from KOGIT we have a plugin (KOGIT SOD Matrix Plugin) where we not only calculate the SoD Policy with a matrix strategy, but we also have a framework for an “Allow List”, which also fits your scenario.

Hope this helps in your case. Good luck!

Thanks and Regards,
Mike

So the basic answer is:
This is not possible with any OOTB SoD policy :neutral_face:

But there are other options.

When manually creating a PolicyViolation: setLeftBundles() and setRightBundles() should provide the same look and feel as an OOTB SoD policy for the end users/application owners/managers.

– Remold

Hi @Remold,
There might be no direct option available in SailPoint to skip certain users. As Mike mentioned, you can try using an Advanced Policy, and in order to have a dynamic exclusion list, you can have a Business Role/Custom Object to store the list of users which should be excluded from policy validation. You can even have a periodic Access Review on the Exclusion Rule to review the excluded users every 6 months.

Using the exclusion rule option, a Policy Violation will still be created and remains in the system (shows in the Policy Violation list, etc.) and the Policy Violation Owner will still be notified (if configured).

There is also an option to create a wrapper around the SODPolicyExecutor-class or create a new CustomSODPolicyExecutor-class, but that might be less future/upgrade proof.

The Advanced Policy is IMHO the best option :neutral_face:

I will talk with the client on what they would like as it still needs some extra work as it is not possible OOTB using the Role/Entitlement SOD Policy.

– Remold
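To make the Advanced Policy + Rule route from Mike's answer and the setLeftBundles()/setRightBundles() remark concrete, here is an added example of an IdentityIQ Policy Rule (BeanShell), written for this thread and not taken from SailPoint or KOGIT. It assumes the two conflicting roles, the Custom object name "SoD-Exclusions" and its attribute key "excludedIdentities" are hypothetical placeholders; the IIQ rule arguments (context, identity, policy, constraint) and the sailpoint.object API calls are used as I know them and should be checked against your IIQ version.

```java
// IdentityIQ Policy Rule (BeanShell). IIQ calls it once per identity for the
// constraint of an Advanced Policy and passes: context, identity, policy, constraint.
// Returning null means "no violation"; returning a PolicyViolation records one.
import java.util.List;
import java.util.Set;
import java.util.HashSet;
import sailpoint.object.Bundle;
import sailpoint.object.Custom;
import sailpoint.object.PolicyViolation;

// Hypothetical values: the two conflicting roles and the Custom object holding
// the agreed exclusion list (the object itself can be put under Access Review).
String leftRole        = "Admin Role A";
String rightRole       = "Admin Role B";
String exclusionObject = "SoD-Exclusions";

// 1. Identities on the exclusion list get no violation at all.
Custom exclusions = context.getObjectByName(Custom.class, exclusionObject);
if (exclusions != null) {
    List excluded = (List) exclusions.get("excludedIdentities");
    if (excluded != null && excluded.contains(identity.getName())) {
        return null;
    }
}

// 2. Collect both detected and assigned role names of the identity.
Set roleNames = new HashSet();
List detected = identity.getBundles();
if (detected != null) { for (Bundle b : detected) { roleNames.add(b.getName()); } }
List assigned = identity.getAssignedRoles();
if (assigned != null) { for (Bundle b : assigned) { roleNames.add(b.getName()); } }

// 3. Only the combination of both roles is a conflict.
if (!(roleNames.contains(leftRole) && roleNames.contains(rightRole))) {
    return null;
}

// 4. Build the violation like the OOTB SoD policy does, so the left/right
// role columns look the same in the violation list and in certifications.
PolicyViolation v = new PolicyViolation();
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setStatus(PolicyViolation.Status.Open);
v.setLeftBundles(leftRole);
v.setRightBundles(rightRole);
v.setDescription(identity.getName() + " holds both " + leftRole + " and " + rightRole);
return v;
```

The exclusion check runs before the conflict check, so an excluded identity produces no PolicyViolation object and nothing to certify, which is the difference from the Exclusion Rule option described above.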

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.