Version 8.3
We have the need to manage a huge amount of databases with same connector type, what is the prefered way to solve this?
(An identity is always correlated with same iiq-attribute.)
Is it required to copy x-times the connector or exists a way solve this with only one connector?
Hi Chris,
Technically speaking connector is one - but connector instances are multiple.
If you use JDBC connector or any other DB connector (if you want to manage database itself) you have to define separate application definition for each single database because of few reasons
Therefore if’s not a good idea to onboard for example 2000 standalone databases as separate applications to Sailpoint as it may significantly impact performance of the application. In this case I would rather build some LDAP and integrate DBs with it to just manage directory via Sailpoint.
But if you need to have just couple of DBs - I think it should not be a big problem. As long as you don’t have single point of contact (IP, Port, DBname, Credentials etc) you have to have separate app definition for each endpoint.
I can imagine building some small script which will allow you to generate app definitions automatically based on some provided list.
Hi @chriskk,
Maybe you can use multi connector adapter which helps consolidate multiple systems or similar sources under one connector. It is a powerful feature. for example, 100’s of databases are present where we need to manage all access via idenityiq solution then it can be used.
If you are already a customer using the Multi-Connector Adapter, you can get the latest documentation from your CSM (customer success manager). If you are a customer interested in this extension, please also contact your customer success manager.
Oh yes, thats true. I ment one connector with some instances (applications). And also true, we have many, but not realy a huge amount of 2000 
Actuall we talk around 30 OracleDBs with 3x possible accounts per identity, a default account, maybe an limited readonly account for some special analyses and a DBA account. The different accounts per user uses an own naming pattern and have currently different attributes in identityiq.
I was thinking that we need 30x3 applications, for 30x databases with 3x correlated attributes (db account names), wich would result in 90 applications. Maybe is the performance aspect already related?
The databases are separated on different IPs/Networks and/or Ports. The identities should have same credentials for same accounts across different databases, but an application will have different accounts per database.
In the project we work with HashiCorp Vault and using the delivered vault-template mechanism (is depending on GO-template) to fill username/password and customize some other details in the xmls. If there is another good approach, im open to your suggestion
I will discuss the suggestion with LDAP, maybe is this also a possible solution.
A multi-connector could also an approach, i will talk about this in the team.
We have started some internal discussions about our databases and what is a need and a must.
Currently we starts with “Oracle Database - Direct” connector und can manage db-users and db-roles.
https://documentation.sailpoint.com/connectors/identityiq8_3/oracle/database/help/integrating_oracle_database/introduction.html
(LDAP roles are for oracle not an option, this is a feedback from our database administrators.)
Now there comes a more detailed question about database permissions:
For some db-users are db-roles enough, but for many users we need a more detailed permission handling, depending on all possible database objects (schema, table, view, sequence, package, trigger, indizies, database links, …) + actions (insert, select, update, delete, create, alter, …).
Example for 1x table:
Results in 4x entitlements:
Depending on identity access management, all entitlements must individuall addable to an user.
Im arfraid this will be hard to manage with given oracle connector, or is there a way?
Probably is another jdbc connector required wich create per database object many entitlements per action and manages also the db-users and db-roles?
Another risk I see is the huge amount of database objects (with actions), wich results in maybe multiple entitlements and could result in a tricky entitlement search and asignment to an user.
What is the preferred way to solve this requirement with IdentityIQ?
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.