September 10, 2010

Sailpoint IdentityIQ: Revoke a Policy Violation from Certification

If you had Policy Violations recorded in IdentityIQ and have included them in a Certification then normally it would be displayed as below.


You have only two options. Approve or Delegate. A general option of REVOKE is not provided for a policy violation.

However, there is a option to revoke the same if the certifier wishes to. Of course this is not told and not given. But its a simple change :-)

Open the Policy object and you would see something like below in the first line after XML declaration.

 
Notice the certificationActions tag?
Modify the same to look as below shown. 


Once you add the Remediated word to the tag, your certification automatically shows up the revoke button. Here's a screen shot of how it looks.



Hope this helps.

September 9, 2010

SailPoint Press Releases :: News & Events :: SailPoint Technologies

SailPoint Press Releases :: News & Events :: SailPoint Technologies

SP Identity IQ: Certification not updated to show revocations done

Okay! I am trying to be pretty descriptive here.

Suppose you have created a certification in Sailpoint's Identity IQ.
The Certification Owner has revoked a user and saved the certification. Then the certification header would be something like this.



An email is sent to the administrator to revoke the entitlement/account.
Administrator, being a good employee has done the revocation right away.
A scheduled Account Aggregation, in the next few hours, get kicked off and brings in the new data regarding the revocation.
An Identity refresh scheduled for the same night, updates the entitlements for the users.


Problem:
You still do not notice the update in the Certification header. It still shows a list of items, which were completed, as due.

Solution:
In every Certification configuration there is a parameter named nextRevocationsScantime

This has a default setting which is inherited from a SystemConfiguration setting.

remediationScanInterval set to 86400000 milliseconds

nextRevocationsScantime attribute is created along with remediationsKickedOff="2"

The above attribute is created, once you revoke someone and save the cert.

Later when you remove the entitlements in database and do an account aggregation and identity refresh; it shall not directly reflect in your cert. Once the nextRevocationsScantime is complete and PERFORM MAINTENANCE TASK runs then it scans and completes the process.








Later in the cert you will not see nextRevocationsScantime. Rather you would see this. remediationsCompleted="1" remediationsKickedOff="1"

Hope this helps to few consultants.

September 6, 2010

Attention Sun IdM Customers - "What's Your "Plan B"?


This is what Sailpoint says about SUN Identity Manager, its customers and the solutions they can offer to these customers. Interesting read.

It's always sad to see SUN Technologies dying.

September 1, 2010

epoch conversion tool

What is epoch time?

Short description from Wikipedia:
Unix time, or POSIX time, is a system for describing points in time, defined as the number of seconds elapsed since midnight proleptic Coordinated Universal Time (UTC) of January 1, 1970, not counting leap seconds.

Where do you find with respect to IAM parlance?
I have found that Sailpoint's IdentityIQ uses this convention for all dates. examples are create date, expiration date etc.

So if you want to understand what are the exact dates?