IBM Verify


Using wildcard and special characters in LCR filters

  • 1.  Using wildcard and special characters in LCR filters

    Posted Mon February 08, 2021 03:32 AM

    Dear colleagues,

    Defining filters in the Life Cycle Rules, we have not been able to use the expression ${role.errolename}, neither with wildcards nor with special characters like '(', ')', …, although they are replaced by '\' + the ASCII code as defined in the RFC. Please, could you confirm that it is not possible?

    Thanks in advance for your support.



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------


  • 2.  RE: Using wildcard and special characters in LCR filters

    Posted Mon February 08, 2021 04:01 AM
    Can you please show one or more examples of what you are trying to accomplish? There are some limitations to the filters - but none that match what you seem to struggle with :-)

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Using wildcard and special characters in LCR filters

    Posted Thu February 11, 2021 06:40 AM
    Edited by Felipe Risalde Serrano Thu February 11, 2021 06:40 AM

    Hi Franz,
    let me show you some examples where it could be interesting. There is no doubt that there are workarounds for the issues we will see later; nevertheless, this post is just to confirm that there are some limitations defining LCRs with role names.

    Example 1

    The role name 'BE-WINDOWS (BDEEXP01)' must be renamed to 'BE-WINDOWS-BDEEXP01' to be able to use it in the LCR definition: '(${role.errolename}=BE-WINDOWS-BDEEXP01)'.

    Using escape characters in the filter, i.e. '(${role.errolename}=BE-WINDOWS \28BDEEXP01\29)', is not an option because it doesn't work.

    When the role name, instead of erglobalid, is used in the filter, it allows us to import the LCR into ISIM production from the development environment. At the same time, the LCR is legible.

    Example 2.
    We would like to run an LCR for the users who are authorized to one application. As we are working in an RBAC model, it could be done using a wildcard in the LCR filter, such as: '(${role.errolename}=W-APL.XXX*)'

    BTW: it would be great to be able to use the role name in the dynamic role definition for setting automatic dependencies between roles without workflow customizations, nor managing the role hierarchy.



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 4.  RE: Using wildcard and special characters in LCR filters

    Posted Thu February 11, 2021 07:03 AM
    When building LDAP filters you should use LDAP filter escaping :-)

    This should work: (${role.errolename}=BE-WINDOWS-\(BDEEXP01\))

    You are not the first in the world to make this mistake - see here: https://stackoverflow.com/questions/11582281/ldap-search-will-not-accept-filter-with-parentheses-in-the-search-input

    I will get back to you on your second example later...

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Using wildcard and special characters in LCR filters

    Posted Mon February 15, 2021 01:01 PM
    Although I would like to say you are right, I regret to say that it is not working.
    The definition of the filter is fine from the UI point of view, i.e., while defining the LCR there is no syntax error, but once the LCR runs, no users are identified.

    Btw, I was using the syntax according to RFC 2254 (https://tools.ietf.org/html/rfc2254), which is working in some LDAP clients, such as Softerra and Java browser, and it is mentioned in some ISIM documentation:
    https://www.ibm.com/support/knowledgecenter/es/SSRMWJ_7.0.1/com.ibm.isim.doc/reference/ref/ref_ic_javext_personserchfiltr.html

    :-(

    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 6.  RE: Using wildcard and special characters in LCR filters

    Posted Tue February 16, 2021 02:55 AM
    Let me see your full filter - if you don't want to post it here you can send it privately to me.

    Sometimes this can be confusing and you may have some subtle error - or you may need to double/quadruple escape characters (ISIM is Java - and not all programmers are good at handling escape characters) - I hope this is not the case - but let me check that.


    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: Using wildcard and special characters in LCR filters

    Posted Tue February 16, 2021 08:56 AM
    Edited by Felipe Risalde Serrano Wed February 17, 2021 01:02 AM
    When I saw that it didn't work, and to avoid any typo, I copied/pasted your filter '(${role.errolename}=BE-WINDOWS-\(BDEEXP01\))', but the error continued.

    I have erased the '(' and ')' characters, even the '-' character, in the role name and in the LCR filter to check that there is no error in the LCR other than how the characters are escaped, and it works.

    Could it be the ISIM version I am running (6.0.18)? If it is working in your environment, I'll manage this as an incident.

    Find enclosed the screenshots.
    [screenshot: LCR filter]
    [screenshot: Role members]


    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------
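    The escaping question running through replies 4, 5 and 7 (RFC 2254 hex escapes such as \28 and \29 versus a backslash placed directly before the character) is illustrated below as an added example in Python; it is not code from this thread, from ISIM or from IBM. It implements the encoding RFC 2254 / RFC 4515 defines for a filter assertion value, the inverse decoding, and a small validator that rejects a value containing a raw parenthesis or a backslash not followed by two hex digits. The attribute and role names are constructed from the examples in this thread, and nothing here can tell you which form a given ISIM release accepts; it only shows what the RFC grammar itself allows.

```python
"""RFC 2254 / RFC 4515 escaping of LDAP filter assertion values.

Added example, not code from the thread or from ISIM. It shows the
hex escaping the RFC defines ('(' -> \\28, ')' -> \\29, '*' -> \\2a,
'\\' -> \\5c, NUL -> \\00, non-ASCII as one escape per UTF-8 byte)
and a validator that rejects a value carrying a raw parenthesis or a
backslash not followed by two hex digits. Attribute and role names
below are constructed from the thread's examples.
"""
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX = set("0123456789abcdefABCDEF")


def escape_value(value: str, keep_wildcard: bool = False) -> str:
    """Escape one assertion value. With keep_wildcard=True a '*' is left
    unescaped so it keeps its substring-match meaning (the W-APL.XXX* case)."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append(ch)
        elif ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: one \XX escape per UTF-8 byte.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def equality_filter(attribute: str, value: str, keep_wildcard: bool = False) -> str:
    """Build '(attribute=value)' with the value escaped."""
    return "(%s=%s)" % (attribute, escape_value(value, keep_wildcard))


def unescape_value(escaped: str) -> str:
    """Decode \\XX sequences back to bytes, then to text (inverse of escape_value)."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            pair = escaped[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= _HEX:
                raise ValueError("bad escape %r at offset %d" % (escaped[i:i + 3], i))
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(escaped[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def parse_simple_filter(filter_str: str):
    """Parse a single '(attr=value)' item and return (attr, decoded value).

    Raises ValueError when the value is not well formed under the RFC grammar:
    a raw '(' or ')' inside it, or a backslash not followed by two hex digits.
    A '*' is accepted as-is (it denotes a substring match).
    """
    m = re.fullmatch(r"\((?P<attr>[^=()]+)=(?P<value>.*)\)", filter_str, re.S)
    if not m:
        raise ValueError("not a single (attr=value) item: %r" % filter_str)
    attr, value = m.group("attr"), m.group("value")
    for i, ch in enumerate(value):
        if ch in "()":
            raise ValueError("unescaped %r at offset %d of the value" % (ch, i))
    return attr, unescape_value(value)  # unescape_value checks the \XX pairs


def is_well_formed(filter_str: str) -> bool:
    """True when parse_simple_filter accepts the filter, False otherwise."""
    try:
        parse_simple_filter(filter_str)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    role = "BE-WINDOWS (BDEEXP01)"  # constructed from the thread's Example 1
    print(equality_filter("${role.errolename}", role))
    print(equality_filter("${role.errolename}", "W-APL.XXX*", keep_wildcard=True))
    for f in ("(errolename=BE-WINDOWS (BDEEXP01))",      # raw parentheses
              "(errolename=BE-WINDOWS-\\(BDEEXP01\\))",  # backslash without hex digits
              "(errolename=BE-WINDOWS \\28BDEEXP01\\29)"):
        print(f, "->", "ok" if is_well_formed(f) else "rejected")
```

    The same routine is the one to apply whenever a filter is assembled from data rather than typed by hand (role names, attribute values taken from a person record): escaping the value before it is placed in the filter is what stops a value containing ')' or '*' from changing the meaning of the filter around it, and keep_wildcard should only be set when the '*' is deliberately part of the rule, as in Example 2.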



  • 8.  RE: Using wildcard and special characters in LCR filters

    Posted Mon February 15, 2021 02:22 AM
    As promised, a couple of guidelines on your second example. But first - sorry for taking my time - but I have been busy - answering questions here is not part of my formal work even though I regard it as very important :-)

    I am not completely understanding what problem you are trying to solve - it looks to me that you are trying to implement some kind of birthright management - but exactly why you would need to do that is not clear to me.

    But let me give you some guidance in general - first: using a relationship filter like '(${role.errolename}=W-APL.XXX*)' is somewhat dangerous - be aware that this will result in a very long filter sent to the LDAP server - if you are running SDS on Windows this will often fail as the filter limit is relatively small on Windows - it is significantly larger on Linux/AIX. So if you use such a filter, ensure you are also using other filters to bring down the population of the search.

    On the subject of dynamic roles and role hierarchies - I also played around with this many years ago - it "partly" works - but I would not go down that route as it can turn really nasty. Instead I would look into the new functionality added in the newest SVG 10 ISIM release:

    Identity Manager console enhancements

    • An administrator can now specify schedules with multiple days of the week that must be executed. The REST and JAVA APIs are also enhanced as a part of this functionality.
    • An administrator can now define a provisioning policy with automatic entitlement for non-individual accounts.
    • While working with Role Hierarchies, you can now add a dynamic role as a child to the static role.
    You can find the "What's new" here: What's new in this release

    The 3rd bullet is the one that is relevant here - the basic idea is that you can now use a dynamic role (representing the "who") and then link it to the actual static roles (the "what") - i.e. separating the who/what so that you do not need dynamic roles in the provisioning policies, making management of birthrights much more flexible...

    Alas the role hierarchy system workflow is not open so you cannot insert your logic there - so you will still need either to use the person modify workflow or work with an LCR for special-purpose handling of the hierarchy...

    I hope this helps - let me know what you think...

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 9.  RE: Using wildcard and special characters in LCR filters

    Posted Mon February 15, 2021 01:28 PM

    First of all, please don't say sorry for the delay. It must not be seen as if we are managing an incident with Support, but just sharing our thoughts, and so we do our best effort to enrich the forum.

    Going to the subject, as I said, more than having a use case, my questions started just for my better understanding (probably this use case came up when the '(' and ')' characters could be escaped and a wildcard was tried). Let me invent an example where wildcards could be interesting. It could be needed to send an email to anyone who is authorized to one application. Taking into consideration that in an RBAC model all of them belong to some application role, it could be solved in an easy way by means of an LCR. I totally agree it must be used carefully.

    I keep my eyes on the new release, since it is in our plans to migrate to that one in the coming months.



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 10.  RE: Using wildcard and special characters in LCR filters

    Posted Tue February 16, 2021 03:47 AM
    The relationship expressions and the way they work on an RBAC model along with dynamic roles is a kind of interesting approach - but it misses one important feature which would provide some very advanced functionality that could simplify the "role proliferation" problem that is so imminent in the RBAC model. If the dynamic roles could provide their context to the provisioning policies (think ABAC concept) you could basically provide generic policies for many birthright cases where the birthright would depend on e.g. the OU placement of the Person in the Company OU tree (beware - I am not saying ISIM OU tree here - because that is an internal ISIM thing - I know that many clients are replicating the company OU tree in the ISIM OU tree - but that is in general a very bad idea - it is better to have that separated, e.g. having an attribute that handles that).

    I hope we will be able to enhance ISIM down that route - the imminent reason is to align the Hierarchy model of IGI into ISIM so that the systems can be much more aligned (this is not the only thing needed, I have to say) - but that would help both ISIM and also make integration with IGI significantly more simple.

    I do not know if the new functionality added to SVG 10 ISIM will be back tracked to 6.0 versions - but that is a possibility - I would not bet on that though.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------