Hi,
Question: do we have any specific event in IDN if a particular object (identity in our case) got a new tag? We were not able to find any tagging-related records in the event log or in the account history.
And a second question: could we find, control and audit about people as the Actors who added a tag to the object?
According to the IDN beta API documentation and IDN Admin documentation, anyone could do tagging via API, and anyone who has access to the IDN Search UI holding a specific Role in the IDN user-level role matrix.
I suspect that both answers to my questions will be ‘No’ and ‘Impossible’, but still hope it is not true for the mature IAM system that IDN is.
Thanks in advance.
Audit events for tagging do not appear to be supported at this time. If you want to see more information about who tagged an object and when they tagged it, please submit an idea. If it gets enough votes, then our product team will look into adding this.
How could we get an object with a specific tag using an Identity Attribute Rule, Generic Rule, or Account Profile Attribute Generator Rule? It seems there are no references to the object Tags in the JavaDocs.
@colin_mckibben
Thank you for the answer, surprisingly good news.
What are the exact http client types, interfaces and classes that are available in IDN Java/BeanShell cloud-executed rules?
For example, could we use the following Java 9/11 classes and interfaces?
The HttpClient class, java.net.http.HttpClient
The HttpRequest class, java.net.http.HttpRequest
The HttpResponse interface, java.net.http.HttpResponse
The WebSocket interface, java.net.http.WebSocket
Either Apache HttpComponents, OkHttpClient, or Spring WebClient?
If you are able to use a Connector rule for your task, we are a little more flexible with these rules. You could use any of the following classes for external web requests.
@tyler_mairose,
Thank you for the clarification; indeed, it matches my previous knowledge about native cloud Rules in IDN and the fact that external calls are technically possible but prohibited to use.
About four years ago I tried to deploy my cloud-executed rule for an AD account true-unique-name-checking generator based on JNDI (as the SailPoint unique generator ignored possible conflicts of a generated name with uncorrelated AD objects). I was told it is disallowed.
JNDI external calls are a quite standard solution for IIQ rules/plugins, but not for IDN, even if an out-of-the-box SailPoint attribute Generator Rule uses something similar utilizing an external LDAP query.
The goal we are trying to achieve now is to sync a list of existing object Tags as a string to the identity attribute in context, via a Transform, direct identity mapping, or an Identity Attribute / General Rule.
Currently I can do it only via an IDN custom Loopback helper connector and an IDN ‘Search’ API call outside of IDN.
If you could advise a different and more straightforward way to sync the identity tags to the identity custom attribute, please do.
We are quite happy with the IDN Tag features, except that the tagging / de-tagging operations are poorly controlled (no tag operation audit, no Tag events etc.), and there is no simple way to sync the tag(s) to the identity or another IDN object (like Entitlement, AP or Role) inside IDN (not inside a separate and isolated ‘Search’ interface)…
Using a dedicated Web Services tag-sync connector with a connector Rule is an understandable way if nothing else is available; thanks for the http client details, …
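Since the thread establishes that tagging produces no audit events and that tags are only visible through the Search API, one defender-side workaround is to snapshot identity tags periodically and diff consecutive snapshots; the same snapshot also yields the comma-separated tag string the poster wants to sync into an identity attribute. This is an added example, not code from the thread or from SailPoint: the snapshot records are constructed, and the assumption that each identity search document carries a top-level "tags" list is labelled as such.

```python
"""Diff two IdentityNow Search API snapshots to detect tag additions/removals.

Added example (not from the thread). Assumption: identity documents returned by
the Search API carry a top-level 'tags' list. The records below are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed snapshots of identity search documents at two points in time.
SNAPSHOT_T0: List[dict] = [
    {"id": "identity-0001", "name": "alice", "tags": ["PCI", "VIP"]},
    {"id": "identity-0002", "name": "bob", "tags": []},
    {"id": "identity-0003", "name": "carol", "tags": ["SOX"]},
]
SNAPSHOT_T1: List[dict] = [
    {"id": "identity-0001", "name": "alice", "tags": ["PCI"]},
    {"id": "identity-0002", "name": "bob", "tags": ["PRIVILEGED"]},
    {"id": "identity-0004", "name": "dave", "tags": ["SOX"]},
]


def tags_by_identity(snapshot: List[dict]) -> Dict[str, Set[str]]:
    """Index a snapshot by identity id; a missing or null 'tags' field means no tags."""
    return {doc["id"]: set(doc.get("tags") or []) for doc in snapshot}


def diff_tags(before: List[dict], after: List[dict]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {identity_id: (added_tags, removed_tags)} for every identity whose tags changed.

    Identities present in only one snapshot are reported too (all tags added or removed),
    so a tagged identity that disappears is not silently lost from the review.
    """
    b, a = tags_by_identity(before), tags_by_identity(after)
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for ident in set(b) | set(a):
        added = a.get(ident, set()) - b.get(ident, set())
        removed = b.get(ident, set()) - a.get(ident, set())
        if added or removed:
            changes[ident] = (added, removed)
    return changes


def tags_attribute(doc: dict) -> str:
    """Sorted, comma-separated tag string suitable for writing into an identity attribute."""
    return ",".join(sorted(doc.get("tags") or []))


if __name__ == "__main__":
    for ident, (added, removed) in sorted(diff_tags(SNAPSHOT_T0, SNAPSHOT_T1).items()):
        print(f"{ident}: +{sorted(added)} -{sorted(removed)}")
```

Because the Search API reports only the current tag set, the diff shows what changed between two pulls, not who changed it; the poll interval bounds how closely a change can be timed.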