Remediate ISIM compliance issues using Cloud Identity Analyze (CIA) insights with custom actions

By Gaurav Bhattacharjee posted Mon October 28, 2019 04:42 PM

  

By Gaurav Bhattacharjee and Aditya Joglekar

Introduction
 

CIA analyzes the IAM system and flags inconsistencies such as incorrect configuration or usage and compliance risks. Each inconsistency is presented as a policy violation on the CIA dashboard.

Identity administrators act on these violations through a feature called remediation actions. A remediation action takes a corrective measure against a policy violation reported in CIA and changes the corresponding entity in the underlying identity manager.

Examples:

  1. If the violation is on a user entitlement that was granted without any approval, a remediation action can send that entitlement for recertification.
  2. If the violation is on a user account that was de-provisioned but has been turned active again and is in use, a remediation action can suspend that account.

Suspend is the only remediation action that CIA supports out of the box for ISIM. However, you can configure any number of custom actions according to your needs.

This blog briefly covers the configuration required in the CIA bridge and in the ISIM identity system to work with the remediation actions that CIA presents once its risk analysis has run.
 
The use case for this blog is remediating non-compliant accounts in ISIM. An account is non-compliant when one or more of its actual attribute values differ from the intended values set by the application administrator. The remediation action forces every non-compliant attribute back to its intended value, so that the account again adheres to the organization's policies for that application.
 
Prerequisites 

IBM Cloud Identity Analyze deployed and configured with ISIM as a source.
An example of such a configuration is shown below. For detailed steps, refer to the CIA documentation.
 
Creating a custom action Correct Non-compliance 

  1. Create a custom action from the CIA bridge UI named Correct Non-compliance. Set the target to ISIM and the policy to 'Account is non-compliant'.

 

Note the id of the newly created action. It is required later when configuring the ISIM workflow extension.

 

  2. Observe that the newly added action is available on the CIA UI for the non-compliance violation.

 

 

Once you click that button, the action is queued in the underlying CIA database and becomes accessible through a REST endpoint that the CIA bridge provides. The custom workflow extension you create later uses this endpoint to fetch the queued actions from CIA.

Creation of ISIM workflow extension 

As mentioned earlier, the use case of this blog is to remediate non-compliant accounts in ISIM. One example of such an account is shown in the figure below: the account's password maximum age has been set to 365 days, whereas the ISIM policy requires 90 days.

  

You will add an implementation in ISIM for the custom action that you created in CIA. The implementation is divided into the following parts:

  1. Create a custom workflow extension that reads from the CIA REST endpoint and fetches the queued actions. The URL the extension invokes looks like the following:
    https://<ciabridgeip:port>/analytics-rp/api/v1.0/remediationActions?includeDocs=true&filterFields=[%22status:CREATED%20AND%20actionId:correct_non-compliance%22] 
    Notice the actionId in the URL. It is the same id that was assigned to the custom action in the CIA settings.
  2. The output of the REST call gives the person, service and account details (corresponding to the row in the CIA UI on which the custom action was invoked) for which the non-compliance must be remediated. For the given account, the extension fetches the account metadata to obtain all non-compliant attributes and sets their intended values on the account object.
     
    The following figure shows an example of the output of the REST call.
     
     
  3. Create an ISIM workflow that includes the custom workflow extension as one of its extension nodes.
  4. In the ISIM workflow, the custom workflow extension outputs a list (a list, because you can select multiple rows in the CIA UI and invoke the custom action on all of them) of entries containing the person, service and account objects, and this output is passed to a loop node.
  5. The loop node iterates through a script node and the out-of-the-box extension called modifyAccount. The modifyAccount extension accepts the person, service and account objects as parameters; calling it sets every non-compliant account attribute to its compliant value.
  6. Roughly, your workflow will look as shown in the following figure.
     

 
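The fetch-and-filter part of steps 1 and 2, as an added example written for this page (it is not code from the post and not IBM's own extension, which would be an ISIM workflow extension in Java): it builds the same query URL quoted above, turns the bridge response into the list of person/service/account entries the loop node consumes, and derives the attribute corrections that are set on the account object before modifyAccount runs. The post shows the REST output only as a screenshot, so the response layout (rows[].doc carrying person, service, account, status and actionId), the bearer-token header, the account dn used to merge duplicate rows, and the attribute/actual/intended metadata layout are all assumptions; the sample response and metadata are constructed.

```python
"""Added example: the fetch-and-filter part of the custom workflow extension.
Response layout, auth header and metadata layout are assumptions, not the
CIA bridge's documented API."""
import json
import ssl
import urllib.parse
import urllib.request

BRIDGE_API = "/analytics-rp/api/v1.0/remediationActions"
ACTION_ID = "correct_non-compliance"  # id noted when the custom action was created


def build_query_url(bridge_host: str, action_id: str = ACTION_ID, status: str = "CREATED") -> str:
    """Reproduce the filterFields form quoted in the post: a JSON array with one
    'status:... AND actionId:...' expression, '[' ']' ':' left as-is, quotes
    and spaces percent-encoded."""
    expr = f"status:{status} AND actionId:{action_id}"
    filter_fields = urllib.parse.quote(json.dumps([expr]), safe="[]:")
    return f"https://{bridge_host}{BRIDGE_API}?includeDocs=true&filterFields={filter_fields}"


def fetch_queued_actions(bridge_host: str, bearer_token: str, action_id: str = ACTION_ID) -> dict:
    """Live call (not exercised offline). Assumption: the bridge accepts a bearer
    token. TLS verification stays on (default context): an extension that
    modifies accounts must not accept rows from an unverified peer."""
    req = urllib.request.Request(
        build_query_url(bridge_host, action_id),
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


def queued_targets(response: dict, action_id: str = ACTION_ID) -> list:
    """Turn the bridge response into the entries the ISIM loop node iterates.

    Assumed layout: {"rows": [{"doc": {"id", "status", "actionId", "person",
    "service", "account"}}]}. status and actionId are re-checked here: the
    server-side filter is only query text, so do not rely on it alone before
    modifying accounts. Rows for the same account (the same row queued twice)
    are merged so modifyAccount runs once per account."""
    by_account = {}
    for row in response.get("rows", []):
        doc = row.get("doc") or {}
        if doc.get("status") != "CREATED" or doc.get("actionId") != action_id:
            continue
        account = doc.get("account") or {}
        dn = account.get("dn")
        if not dn:
            continue  # nothing to modify without an account identity
        entry = by_account.setdefault(dn, {
            "person": doc.get("person"),
            "service": doc.get("service"),
            "account": account,
            "action_ids": [],  # every queued action to mark done afterwards
        })
        entry["action_ids"].append(doc.get("id"))
    return list(by_account.values())


def corrections(account_meta: list) -> dict:
    """From the account's compliance metadata (assumed: one entry per attribute
    with 'attribute', 'actual', 'intended') return only the attributes that
    differ, mapped to the intended value to set on the account object."""
    return {
        m["attribute"]: m["intended"]
        for m in account_meta
        if m.get("actual") != m.get("intended")
    }


# Constructed sample response (not a real bridge payload): one queued row for
# our action, the same account queued a second time, one already COMPLETED row
# and one row belonging to the out-of-the-box suspend action.
SAMPLE_RESPONSE = {
    "rows": [
        {"doc": {"id": "act-001", "status": "CREATED", "actionId": ACTION_ID,
                 "person": {"uid": "jdoe"}, "service": {"name": "LDAP Profile"},
                 "account": {"dn": "erglobalid=1,ou=accounts,o=example", "uid": "jdoe"}}},
        {"doc": {"id": "act-002", "status": "COMPLETED", "actionId": ACTION_ID,
                 "person": {"uid": "asmith"}, "service": {"name": "LDAP Profile"},
                 "account": {"dn": "erglobalid=2,ou=accounts,o=example", "uid": "asmith"}}},
        {"doc": {"id": "act-003", "status": "CREATED", "actionId": "suspend",
                 "person": {"uid": "bjones"}, "service": {"name": "LDAP Profile"},
                 "account": {"dn": "erglobalid=3,ou=accounts,o=example", "uid": "bjones"}}},
        {"doc": {"id": "act-004", "status": "CREATED", "actionId": ACTION_ID,
                 "person": {"uid": "jdoe"}, "service": {"name": "LDAP Profile"},
                 "account": {"dn": "erglobalid=1,ou=accounts,o=example", "uid": "jdoe"}}},
    ]
}

# Constructed compliance metadata for act-001's account: the 365-vs-90-day
# password age from the post plus one attribute that is already compliant.
# The attribute name is illustrative, not an ISIM schema attribute.
SAMPLE_META = [
    {"attribute": "passwordMaxAge", "actual": "365", "intended": "90"},
    {"attribute": "accountStatus", "actual": "active", "intended": "active"},
]

if __name__ == "__main__":
    print(build_query_url("cia-bridge.example.com:9443"))
    for target in queued_targets(SAMPLE_RESPONSE):
        print(target["account"]["dn"], target["action_ids"], corrections(SAMPLE_META))
```

Run stand-alone, the block prints the query URL, then one merged target (both act-001 and act-004 map to the same account dn) with the single correction passwordMaxAge=90; the COMPLETED row and the suspend row are dropped by the client-side re-check even though a loose server filter might have returned them.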

Summary 

CIA can help identify the various inconsistencies in the ISIM system and help the ISIM administrator with remediation decisions. This blog took you through the steps required to create custom remediation actions and use them to remediate the underlying ISIM non-compliance issues.

Authors 

Gaurav Bhattacharjee (gaurav.bhattacharjee@in.ibm.com) and Aditya Joglekar (adijogle@in.ibm.com) 

 
