Failsafe mechanisms to mitigate outages in the authoritative source that lead to role deprovisioning

kenilelk1 · January 16, 2023, 8:44pm

Irene Torrubia:

The vendor responsible for the authoritative source of one of our clients had a critical outage that caused 4 attributes to be aggregated as empty for a couple of hours. This incident caused serious hindering in their business activities, given that their role assignment criteria depended on these attributes being correctly filled (think about attributes such as department). In short, roles were deprovisioned for most of the employees for a couple of hours.

We are aware that IdentityNow operates under the assumption that the authoritative source is reliable and stable, and outages on the vendor side are outside of our control. Still, the client has asked whether there are some mitigating measures that we could take in IdentityNow to prevent a future potential outage to have such a critical impact on the business operations.

I would like to ask the community whether you’ve encountered this issue as well, or whether someone has suggestions we could explore.

Hi Irene,
We designed and used different BuildMap Rules to make a relatively complex critical attribute substitution and attribute protection during the aggregation for different SAP and JDBC authoritative sources. In one of our use cases we implemented an intelligent amending in a BuildMap Rule for the managerID substitution in different critical use cases and/or assigned a LCM special state if an account has missing some critical attributes from a source…

Within another scenario we did a full script based pre-processing outside of IDN to protect data from cases with missing critical data of some SAP system flat text/CSV file with a quite rich multi-scenario. The script, when finished, runs the authoritative source aggregation via API. Any UI-based authoritative source aggregation in IDN was being switched off.

In your case you might not need to design such complex solutions, instead you could use an identity attribute previous value and a simple Transform.

Case 1. Protection of essential attribute using its previous value:
======Transform for Case 1=================

{
    "name": "critical_Attribute1_Protected",
    "type": "static",
    "attributes": {
        "requiresPeriodicRefresh": "true",
        "critical_Attribute1": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "attributeName": "critical_Attribute1",
                            "sourceName": "My_Authoritative_SourceName"
                        },
                        "type": "accountAttribute"
                    },
                    "null"
                ]
            },
            "type": "firstValid"
        },
        "critical_Attribute1_Past": {
            "attributes": {
                "values": [
                    {
                        "attributes": {
                            "name": "critical_Attribute1" <== previous non-empty attribute value kept at the identity
                        },
                        "type": "identityAttribute"
                    },
                    "null"
                ]
            },
            "type": "firstValid"
        },
        "value": "#if($critical_Attribute1=='null'&&$critical_Attribute1_Past!='null')$critical_Attribute1_Past#{elseif}($critical_Attribute1!='null')$critical_Attribute1#{elseif}($critical_Attribute1=='null' && $critical_Attribute1_Past=='null')default_value_for_critical_Attribute1#{else}$critical_Attribute1#end"

    },
    "internal": false
}

===========================
You may need to define the safe ‘default_value_for_critical_Attribute1’ for new employees/starters.

With kind regards,
Dimitri

Topic		Replies	Views
Source option for Disabling the account Deletion - how to detect such disconnected identities via API or Rule/Transform/WF? ISC Discussion and Questions apis , aggregation , identity-security-cloud , provisioning , sources	4	756	July 19, 2023
Authoritative source (RH) does not brings fired users on response list, how can identity being modified? ISC Discussion and Questions rules , aggregation , identity-security-cloud	24	416	November 25, 2023
Account deletion was skipped for Salesforce because the threshold of 64 was exceeded ISC Discussion and Questions aggregation , identity-security-cloud	7	701	June 28, 2023
Web Services Connector - Delta Aggregations ISC Discussion and Questions webservice-connector , identity-security-cloud	4	811	August 8, 2023
Detect large number of terminations ISC Discussion and Questions	2	843	July 19, 2023

Failsafe mechanisms to mitigate outages in the authoritative source that lead to role deprovisioning

Related Topics