IBM Verify

  • 1.  Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    Posted Thu May 07, 2020 10:17 AM
    Hi, I have one query and need your input. We are using IBM Security Identity Manager version 6. We are looking for an option to use IBM Security Secret Server and Thycotic Secret Server for all shared id related stuff. I see that ISIM has an adapter for this. Could you please tell me if this integration is possible and can work smoothly -
    Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    If this integration is possible, will Secret Server be able to read all ids from ISIM and perform shared id related activities?

    https://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm


    ------------------------------
    Himanshu Ranjan
    ------------------------------


  • 2.  RE: Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    Posted Thu May 07, 2020 10:40 AM
    Edited by Grey Thrasher Thu May 07, 2020 10:46 AM

    Hi Himanshu...

    The Secret Server Adapter for ISIM (listed in the link you pasted above), allows ISIM to manage the lifecycle (create, read, update, delete) of the Secret Server Accounts (the Accounts Users use to login to Secret Server).  The Adapter manages what Secret Server Groups the Accounts are members of, as well as what Folders and Secrets the Accounts have rights to, within Secret Server.

    I'm not sure if this is what you were looking to do with the above...or if you're looking to be able to create privileged accounts on endpoints (linux, ad, etc) with ISIM and have Secret Server share those privileged accounts.  Sounds like you might be asking for the latter...or a combination of both?
    If the latter, it's possible, but not necessarily directly out of the box.
    There are a couple ways you could do this though:

    1) Configure ISIM to create/manage the privileged accounts on the endpoints, then Secret Server could "Discover" the accounts from the endpoints (as Secret Server would typically do).  This would be less "custom" work, but Secret Server cannot "Discover" passwords (not a problem if you've configured Secret Server to change passwords for Secrets using another Secret with a known password....or are not using RPC at all in Secret Server).

    OR

    2) Create custom scripts that call the Secret Server REST APIs to create new Secrets.  This script could be called via postexec on the ISIM Adapter(s) after successfully creating the privileged accounts on the endpoint(s).  This would be more work and would involve creating/maintaining custom script(s) for each Adapter instance/type....but would be more real-time than waiting for Secret Server Discovery to execute and you would be able to set the current/valid password on the Secret during creation.



    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------
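Option 2 above, sketched as an added example (this is not code from the thread, from IBM or from Thycotic): a post-exec hook that takes the account ISIM just provisioned and creates a matching Secret through Secret Server's REST API. The `/api/v1/secrets` endpoint, the field slugs, the environment variable names the hook reads, and the injectable `send` callable are all assumptions to be checked against your adapter and Secret Server documentation.

```python
"""Hypothetical ISIM adapter post-exec hook: push a newly provisioned
privileged account into Secret Server as a Secret via the REST API."""
import json
import urllib.request


def build_secret_payload(name, username, password, template_id, folder_id, host=""):
    # Body for POST /api/v1/secrets. Field slugs depend on the Secret template
    # in use; "machine"/"username"/"password" are assumed here.
    items = [
        {"slug": "machine", "itemValue": host},
        {"slug": "username", "itemValue": username},
        {"slug": "password", "itemValue": password},
    ]
    return {"name": name, "secretTemplateId": template_id,
            "folderId": folder_id, "items": items}


def create_secret(base_url, token, payload, send=None):
    """POST the Secret. `send` is injectable so the hook can be tested offline;
    `token` is a bearer token obtained beforehand from Secret Server (not shown)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/secrets",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    if send is None:
        send = lambda r: json.load(urllib.request.urlopen(r, timeout=30))
    return send(req)


def postexec_main(env, send=None):
    """Entry point for the post-exec. The account attributes are assumed to
    arrive as environment variables (ERUID/ERPASSWORD/HOST: constructed names).
    Returns only the new Secret id so nothing sensitive ends up in adapter logs."""
    payload = build_secret_payload(
        name=f"{env['ERUID']}@{env['HOST']}",
        username=env["ERUID"],
        password=env["ERPASSWORD"],
        template_id=int(env["SS_TEMPLATE_ID"]),
        folder_id=int(env["SS_FOLDER_ID"]),
        host=env["HOST"],
    )
    result = create_secret(env["SS_URL"], env["SS_TOKEN"], payload, send)
    return result.get("id")
```

Because the password travels in the request body, run the hook only over TLS to a verified Secret Server certificate and keep the ISIM-side token scoped to a folder dedicated to these Secrets.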



  • 3.  RE: Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    Posted Thu May 07, 2020 11:26 AM
    Hi Grey,
    Thank you so much for the fast response. Just to clarify a bit more about our requirement - Yes, we are already creating shared ids (linux, windows and vault) using ISIM. We are looking for Secret Server to utilize options like revalidation and other benefits which are a bit restricted in ISIM. So we are looking to send all shared id info from ISIM to Secret Server and then Secret Server can use them for the rest of the processes. Maybe I can give more inputs on this later but at a high level this is what we are looking for between ISIM and the Secret Server adapter integration. Could you please provide your input.

    ------------------------------
    himanshu ranjan3
    ------------------------------



  • 4.  RE: Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    Posted Thu May 07, 2020 01:51 PM
    Not sure I understand what you mean by "revalidation". If you're referring to recertification of the Account, ISIM has Recertification Policies, not sure how you'd pass that duty off to Secret Server (so I'm thinking I'm missing something here).  Can you provide a bit more detail and/or use-case example?

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 5.  RE: Integration of Thycotic Secret Server 10.7 Platinum edition with IBM Security Identity Manager

    Posted Sun May 10, 2020 05:55 AM
    Let me just add my opinion based on many years' experience in the identity space and add to Grey's advice.
    ISIM and Secret Server are both individual products with a lot of process/functional capabilities - a lot of these capabilities overlap and both products can be extended/customized to solve gaps in the out-of-the-box delivered capabilities.
    But when you design your IAM enterprise architecture it is extremely important that you place functionality within the right products - i.e. you should look at what the native core capabilities are and not select something that is added to the product to cover a functional gap in a standalone deployment.
    That said - ISIM revalidation has some shortcomings - but it is built to be generic - whereas ISSS revalidation is for a specific purpose for ISSS - so what the best solution is is not easy to say - but be careful - decisions here are expensive to revert.
    Governance products are built for generic recertification of entitlements. So if this is what you want to do you should look into that functionality as well.
    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------