CRMP: Complex Role Membership Plugin

When I’m interviewing candidates for SailPoint IdentityIQ work, I often ask the following question:

How would you configure an IIQ Role with the following criteria? The role should be granted if the Identity’s hrStatus is Active, unless the Identity has AD entitlements “VPN Override” or “IT VPN”.

This isn’t just complex for the sake of an interview. This sort of “all except” role structure is common when provisioning to a variety of systems. In this customer’s case, the VPN system could only handle membership in a single AD group to control access; having two would disable access altogether. IIQ doesn’t have a great way to handle these situations without writing custom Beanshell.

Complex role membership criteria

To resolve this problem in a generic way, we created the CRMP, our Complex Role Membership Plugin. The CRMP can, via configuration alone, make role assignments based on any combination of these criteria – called “selectors”:

  • Identity attribute filters
  • Account attribute filters
  • Account existence (or account in a particular state, like Enabled AD Account)
  • Entitlements
  • IIQ Populations and Workgroups
  • Assigned or detected roles
  • Capabilities or rights
  • HQL and SQL queries
  • Beanshell rules or scripts

Selectors can be nested using boolean operations, with a convenience syntax for the “all except” scenario.

Over the years, our developers have made the CRMP extremely efficient. Selectors are compiled to an “abstract syntax tree” and cached, making repeated evaluations quick and easy. Even in the largest installations, with the CRMP controlling hundreds of roles via dozens of selectors each, a role membership refresh only takes a small fraction of a second.

The VPN problem

To resolve the interview problem with the CRMP, we can simply define the following:

<entry key="Default VPN User">
  <value>
    <Map>
      <entry key="if" value="Filter: hrStatus == &quot;Active&quot;"/>
      <entry key="unless" value="Entitlement: VPN Override, IT VPN"/>
    </Map>
  </value>
</entry>

That’s it.
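As an added example (not the CRMP's code), the following Python model shows the "if" / "unless" semantics above together with the nested boolean selector syntax, including the compile-and-cache step: each selector string is parsed once into an AST and reused on later evaluations. The grammar it accepts (atoms of the form "Type: argument" wrapped in braces and joined with &&, || and !), the three selector types it understands (Filter, Entitlement, Identity Status) and the sample identities are assumptions modelled on the snippets in this article, not the plugin's actual parser.

```python
"""Toy model of "if / unless" role selectors, added to illustrate the semantics above. NOT the
CRMP's code: the grammar, the three selector types and the sample identities are assumptions."""
import re
from functools import lru_cache

def make_identity(hr_status, user_type, *groups, inactive=False):   # constructed identity record
    return {"inactive": inactive, "hrStatus": hr_status, "userType": user_type, "groups": set(groups)}

IDENTITIES = {   # 'inactive' stands in for IIQ's identity status; 'groups' are AD groups held
    "alice": make_identity("Active", "Employee", "Domain Users"),
    "bob":   make_identity("Active", "Employee", "Domain Users", "IT VPN"),
    "carol": make_identity("Terminated", "Employee", "Domain Users", inactive=True),
    "dave":  make_identity("Active", "Contractor", "VPN Override"),
}

# A '{' followed by another '{' or by '!' opens a group; any other '{...}' is one atom.
_TOKEN_RE = re.compile(r'\s*(?:(?P<AND>&&)|(?P<OR>\|\|)|(?P<NOT>!)|(?P<LBRACE>\{)(?=\s*[{!])'
                       r'|\{(?P<ATOM>[^{}]*)\}|(?P<RBRACE>\})|(?P<BAD>\S))')
_PREC = {"OR": 1, "AND": 2}   # '&&' binds tighter than '||'

def tokenize(text):
    """(kind, value) tokens; a selector with no braces at all is a single atom."""
    text = text.strip()
    if "{" not in text:
        return [("ATOM", text)]
    tokens = []
    for m in _TOKEN_RE.finditer(text):
        if m.lastgroup == "BAD":
            raise ValueError(f"bad selector near offset {m.start()}: {text[m.start():][:20]!r}")
        value = m.group(m.lastgroup)
        tokens.append((m.lastgroup, (value or "").strip()))
    return tokens

def _parse_expr(toks, pos, min_prec=1):
    """Precedence climbing over the binary operators; left-associative."""
    left, pos = _parse_unary(toks, pos)
    while pos < len(toks) and _PREC.get(toks[pos][0], 0) >= min_prec:
        op = toks[pos][0]
        right, pos = _parse_expr(toks, pos + 1, _PREC[op] + 1)
        left = (op.lower(), left, right)
    return left, pos

def _parse_unary(toks, pos):
    kind, value = toks[pos] if pos < len(toks) else ("END", None)
    if kind == "NOT":
        node, pos = _parse_unary(toks, pos + 1)
        return ("not", node), pos
    if kind == "LBRACE":
        node, pos = _parse_expr(toks, pos + 1)
        if pos >= len(toks) or toks[pos][0] != "RBRACE":
            raise ValueError("missing closing brace")
        return node, pos + 1
    if kind == "ATOM":   # "Type: argument"
        selector_type, _, arg = value.partition(":")
        return ("atom", selector_type.strip(), arg.strip()), pos + 1
    raise ValueError(f"unexpected token {kind}")

@lru_cache(maxsize=None)
def compile_selector(text):
    """Parse once into an AST tuple; caching mirrors the page's compile-and-cache point."""
    toks = tokenize(text)
    node, pos = _parse_expr(toks, 0)
    if pos != len(toks):
        raise ValueError("trailing tokens in selector")
    return node

_FILTER_RE = re.compile(r'^(\w+)\s*(==|!=)\s*"([^"]*)"$')
def _eval_atom(selector_type, arg, identity):
    if selector_type == "Filter":   # attr == "value" or attr != "value"
        m = _FILTER_RE.match(arg)
        if not m:
            raise ValueError(f"unsupported filter: {arg}")
        attr, op, want = m.groups()
        return (identity.get(attr) == want) == (op == "==")
    if selector_type == "Entitlement":   # holds any of the comma-separated group names
        return bool({g.strip() for g in arg.split(",")} & identity["groups"])
    if selector_type == "Identity Status":
        return (not identity["inactive"]) if arg == "Active" else identity["inactive"]
    raise ValueError(f"unsupported selector type: {selector_type}")

def evaluate(node, identity):
    op, *args = node
    if op == "atom":
        return _eval_atom(*args, identity)
    if op == "not":
        return not evaluate(args[0], identity)
    left = evaluate(args[0], identity)   # short-circuit: 'and' needs left True, 'or' needs left False
    return evaluate(args[1], identity) if left == (op == "and") else left

def role_matches(rule, identity):
    """rule mirrors the page's <Map>: an 'if' selector plus an optional 'unless';
    the role is granted when 'if' holds and 'unless' does not."""
    if not evaluate(compile_selector(rule["if"]), identity):
        return False
    unless = rule.get("unless")
    return not (unless and evaluate(compile_selector(unless), identity))

# The article's "Default VPN User" role, plus the same rule spelled out with && and !.
VPN_ROLE = {"if": 'Filter: hrStatus == "Active"', "unless": "Entitlement: VPN Override, IT VPN"}
VPN_ROLE_EXPLICIT = {"if": '{Filter: hrStatus == "Active"} && !{Entitlement: VPN Override, IT VPN}'}
```

Evaluating VPN_ROLE against IDENTITIES with role_matches grants the role only to alice: bob holds IT VPN, dave holds VPN Override, and carol's hrStatus is not Active. VPN_ROLE_EXPLICIT yields the same membership, which is the point of the "unless" shorthand: it is "&& !{...}" without the extra nesting, and a reviewer reading the configuration sees the exception called out as such.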

Higher education

Complex, nested role assignment logic is very common in higher education. The higher ed community has even developed a powerful software tool entirely for group automation: Grouper. While we’ve assigned IIQ roles via Grouper at several institutions, this option isn’t always available or desired. For security and efficiency, it is good practice to assign IAM roles close to the authoritative data sources and within the same system doing the provisioning.

Instrumental Identity has customers using upwards of 100 selectors to assign hundreds of IIQ roles, allowing IIQ to replace their prior custom IAM systems with minimal overhead. The CRMP can be used to assign access based on university affiliation, course registration, or other complex criteria. CRMP selectors are often used to determine academic affiliation in the first place.

Grace periods

The CRMP also supports grace periods.

IIQ customers frequently need to retain certain access for a period of time after an employee, student, or other affiliate leaves the institution. Students, for example, often retain their university email for one calendar year. Employees retain access to payroll systems until the following pay period ends.

When a role would ordinarily be de-provisioned (because the Identity no longer matches its criteria), the CRMP allows us to define a static number of days to retain access. Alternatively, a Beanshell script or a Java class can calculate the value dynamically. The role is removed automatically when its grace period has elapsed, or it can be removed earlier by another process if needed.

This configuration assigns the role “Payroll Users” when the Identity is active and has a userType of Employee. When either of those criteria is no longer met, the role would ordinarily be revoked immediately; with this configuration, removal is delayed for 30 days.

<entry key="Payroll Users">
  <value>
    <Map>
      <entry key="if">
        <value>
          <String><![CDATA[
            {Identity Status: Active} && {Filter: userType == "Employee"}
          ]]></String>
        </value>
      </entry>
      <entry key="Grace Period">
        <value>
          <Map>
            <entry key="days" value="30"/>
            <entry key="sticky" value="true"/>
          </Map>
        </value>
      </entry>
    </Map>
  </value>
</entry>
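As an added example (not the plugin's code), the following Python model shows how a grace period changes the de-provisioning decision across successive refreshes: the role survives until the configured number of days has elapsed, the number of days can be computed dynamically from the identity, and another process can still revoke earlier. The state machine, the function names and the sample timeline are assumptions; the "sticky" flag in the configuration above is not modelled because this page does not describe its semantics.

```python
"""Toy model of a role grace period, added to illustrate the behaviour described above. It is
not the CRMP's implementation: the state machine and the refresh()/simulate() API are
assumptions, and the page's 'sticky' flag is not modelled because its meaning is not given."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional, Union

# Either a fixed number of days (the page's days="30") or a callable computing the days from
# the identity at the moment the criteria stop matching (standing in for a Beanshell/Java rule).
GracePeriod = Union[int, Callable[[dict, date], int]]

@dataclass(frozen=True)
class RoleState:
    assigned: bool = False
    grace_until: Optional[date] = None   # set only while a grace period is running

def refresh(state: RoleState, matches: bool, identity: dict,
            today: date, grace: GracePeriod) -> RoleState:
    """One role-membership refresh for a single identity; returns the new state."""
    if matches:                          # criteria hold: (re)assign and cancel any running grace period
        return RoleState(assigned=True)
    if not state.assigned:               # never held, or already removed: nothing to do
        return state
    if state.grace_until is None:        # first refresh after the criteria stopped matching
        days = grace(identity, today) if callable(grace) else grace
        return RoleState(assigned=True, grace_until=today + timedelta(days=days))
    if today >= state.grace_until:       # grace period elapsed: de-provision
        return RoleState()
    return state                         # still inside the grace period

def revoke_now() -> RoleState:
    """Early removal by some other process (for example a termination workflow)."""
    return RoleState()

def simulate(timeline, grace: GracePeriod, identity: Optional[dict] = None):
    """timeline: [(refresh_date, criteria_match), ...]; returns [(refresh_date, assigned), ...]."""
    state, out = RoleState(), []
    for day, matches in timeline:
        state = refresh(state, matches, identity or {}, day, grace)
        out.append((day, state.assigned))
    return out

def payroll_example():
    """Constructed weekly-refresh timeline for the page's "Payroll Users" role with days=30:
    the identity stops matching on 15 Jan, so the role survives until 14 Feb."""
    timeline = [(date(2024, 1, 1), True), (date(2024, 1, 8), True), (date(2024, 1, 15), False),
                (date(2024, 2, 1), False), (date(2024, 2, 14), False), (date(2024, 2, 21), False)]
    return simulate(timeline, grace=30)

def by_user_type(identity: dict, today: date) -> int:
    """Constructed dynamic grace period: employees keep access for 30 days, everyone else for 7."""
    return 30 if identity.get("userType") == "Employee" else 7
```

Running payroll_example() shows the role held on every refresh from 1 Jan through 1 Feb and dropped from 14 Feb onward, even though the criteria stopped matching on 15 Jan. The same refresh() accepts by_user_type in place of the fixed 30, which is the shape a dynamic rule takes. Because the grace clock starts on the first refresh after the criteria fail, not at the moment the HR data changed, refresh frequency bounds how much the retention can overshoot the configured period.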

How to get the plugin

Please contact Instrumental Identity using our Contact form if you are interested in this plugin or any of our other SailPoint IIQ work!