IBM Security Verify

  • 1.  Restore Multiple Accounts

    Posted Tue August 31, 2021 05:05 PM
    In ISIM, I want to prevent administrators from restoring accounts which belong to an inactive person. If the process requester is the system or the workflow engine, it will be accepted. In order to do this I put a control in the Account entity type. I'm checking whether process.requestorType is "U". It works for single account restore operations. But, if the admin tries to restore multiple accounts of the inactive person, the process is done by System instead of the original requestor. So, the control is not working. For this case requestorType becomes "S" when the restore account is processed.

    How can we catch the requestor user in the account restore operation in case of multiple accounts selected to process?
    Or, is there another way to accomplish the purpose?

    Thanks

    ------------------------------
    Hakan Aydin
    Security Engineer
    Prime Therapeutics
    ------------------------------


  • 2.  RE: Restore Multiple Accounts

    Posted Wed September 01, 2021 02:32 AM
    When doing what you are trying to do you should look at the root process - not the process actually restoring the accounts. You can get the root process through the Process.getRootProcess() JavaScript extension - see https://www.ibm.com/docs/en/sim/6.0.2?topic=reference-process
    That said - it sounds like you have administrators that are members of the system administrator group. Members of this group are supposed to be 100% trusted in what they do on the system - i.e. they are basically "root", cannot be restricted by ACIs and will be able to circumvent whatever measure you set up.

    It would be better to create a highly privileged "Administrator" group that has most access rights - then you could restrict the Person Restore operation so it is not allowed. One way to do this is also to move inactive persons to a separate OU - but these very much are architectural design decisions that are taken when building the system and are probably not easy to change in a running system - but my advice is to have contact with an experienced ISIM architect (business partner of IBM Security Expert Labs) that can help you assess your system.

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
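    The following is an added illustration of the point made in this reply, not code from the thread or from IBM's documentation. It models the two checks side by side: the original control that inspects the immediate process, and the corrected control that walks to the root process first. The `makeProcess` helper is a constructed stand-in for ISIM's Process JavaScript extension; only the `requestorType`, `requestorName` and `getRootProcess()` members that the thread itself mentions are assumed, and the parent/child chain is a constructed model of a bulk restore spawning per-account sub-processes.

```javascript
// Constructed stand-in for the ISIM Process object (assumption: real ISIM
// scripts would use the `process` object the workflow engine injects).
// requestorType values quoted in the thread: "U" = user, "S" = system.
function makeProcess(requestorType, requestorName, parent) {
  return {
    requestorType: requestorType,
    requestorName: requestorName,
    parent: parent || null,
    // Walk up the parent chain to the top-level request.
    getRootProcess: function () {
      let p = this;
      while (p.parent) {
        p = p.parent;
      }
      return p;
    },
  };
}

// Control from the original post: only the immediate process is inspected.
// Returns true when the restore should be allowed to proceed.
function restoreAllowedNaive(proc, ownerIsInactive) {
  if (!ownerIsInactive) {
    return true; // no restriction for active owners
  }
  return proc.requestorType !== "U";
}

// Control as recommended in the reply: decide on the root process, so a
// system-submitted sub-process still reveals the user who started it.
function restoreAllowedRoot(proc, ownerIsInactive) {
  if (!ownerIsInactive) {
    return true;
  }
  const root = proc.getRootProcess();
  return root.requestorType !== "U";
}

// Constructed scenarios.
// 1. Single-account restore submitted directly by an administrator.
const single = makeProcess("U", "admin1", null);
// 2. Multi-account restore: the admin's request is the parent; each
//    per-account sub-process is submitted by the system ("S").
const bulkParent = makeProcess("U", "admin1", null);
const bulkChild = makeProcess("S", "system", bulkParent);
// 3. A restore originated by the system itself, with no user behind it.
const systemOnly = makeProcess("S", "system", null);

// Evaluate every scenario with both controls; the owner is inactive unless
// stated otherwise.
function scenarioResults() {
  return {
    naiveSingle: restoreAllowedNaive(single, true),     // blocked
    naiveBulk: restoreAllowedNaive(bulkChild, true),    // allowed: the gap from the post
    rootSingle: restoreAllowedRoot(single, true),       // blocked
    rootBulk: restoreAllowedRoot(bulkChild, true),      // blocked: root requestor is the admin
    rootSystem: restoreAllowedRoot(systemOnly, true),   // allowed: system-originated
    activeOwner: restoreAllowedRoot(bulkChild, false),  // allowed: owner is active
  };
}

// Running stand-alone prints the comparison table.
console.table(scenarioResults());
```

    The only difference between the two functions is the `getRootProcess()` call; that is what turns the per-account sub-process, whose own requestorType is "S", back into a decision about the administrator who submitted the bulk request. As the reply also notes, a control in the workflow does not constrain members of the system administrator group, so it complements rather than replaces a group and ACI design that keeps inactive persons out of reach.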



  • 3.  RE: Restore Multiple Accounts

    Posted Wed September 01, 2021 12:08 PM
    Hi Franz

    Process.getRootProcess() has solved the problem.
    Thanks.


    ------------------------------
    Hakan Aydin
    Security Engineer
    Prime Therapeutics
    ------------------------------



  • 4.  RE: Restore Multiple Accounts

    Posted Wed September 01, 2021 12:38 PM
    Thanks for confirming this - this helps all of us...


    I hope my other remarks are giving you food for thought - just "fixing" this in the workflows is not a good solution.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Restore Multiple Accounts

    Posted Wed September 01, 2021 01:09 PM
    We have different types of restricted roles for user management in ISIM, restricted by ACIs, like service desk. The solution that I was searching for was for a special condition and I think it must be caught in the process only.

    ------------------------------
    Hakan Aydin
    Security Engineer
    Prime Therapeutics
    ------------------------------