IBM Security Verify


ISIM Question: Multiple account for a user on same service...

  • 1.  ISIM Question: Multiple account for a user on same service...

    Posted Thu June 25, 2020 01:55 PM
    Hi All,
    I am implementing RBAC provisioning for different types of accounts for a user on the same service apart from his/her individual account. So I am leveraging the ownership type feature from ISIM here and have defined ownership types and their respective policies. So far it works fine as long as I need to provision one account per ownership type. So for instance if I have an ownership type called Test, then it works fine when I provision one Test account for the user apart from his/her other accounts (individual and other ownership types). The situation gets complicated when I have to provision multiple accounts of the same ownership type, i.e. multiple Test accounts, and that too with different sets of permissions. Inherently, this causes the same set of policies to be applied to all Test accounts, which is not desired (but I know ISIM is working as designed here).
    So I am thinking of maintaining some kind of map on the Person profile which will tell me which role/permission applies to which specific Test account, so that I can refer to it in the provisioning policy and selectively apply the permissions that are applicable to a specific Test account.
    Am I on the right path here, or is there a better way to handle this?

    Thanks in advance.

    ------------------------------
    Sanjay Sutar
    ------------------------------


  • 2.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Thu June 25, 2020 02:31 PM
    You are on the right track here....

    I would wish that the architects that implemented this for PIM 1.0 had had a little more idea of what they were implementing - having had an "Automatic" on the provisioning policies for non-individual ownership would solve most of the problems here - if you could raise an RFE I believe that there may be a chance to get it solved.

    You can create the accounts WITH the policies using the JAVA APPS API - I have some sample code that I will dig up for you (and the community) that I have used to create a number of accounts based on a person attribute (to map users with multiple employments needing an "sso" account), i.e. attribute values [1,2,4] would create accounts acc1, acc2, acc4 - these were all governed by the same policy - but the API can specify ownership types when creating a new account IIRC...

    I will be back....

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Thu June 25, 2020 02:43 PM
    Thank You Franz for quick response.
    I will look forward to your sample code.

    ------------------------------
    Sanjay Sutar
    ------------------------------



  • 4.  RE: ISIM Question: Multiple account for a user on same service...
    Best Answer

    Posted Thu June 25, 2020 03:13 PM
    Here we go....
    This is more or less what the workflow looks like (this is an early version - I also have a delete account loop):

    In the PREPARE_ACCOUNT_CREATE I have this code :

    //PREPARE_ACCOUNT_CREATE
    //Check whether account exists
    
    //Java Packages used
    importPackage(Packages.com.ibm.itim.common);
    importPackage(Packages.com.ibm.itim.dataservices.model);
    importPackage(Packages.com.ibm.itim.dataservices.model.domain);
    importPackage(Packages.com.ibm.itim.apps);
    importPackage(Packages.com.ibm.itim.apps.identity);
    importPackage(Packages.com.ibm.itim.apps.provisioning);
    importPackage(Packages.com.ibm.itim.webclient.util);
    
    //Get the ID to work with (loopcount is 1-based in the workflow loop)
    var myId = ACCOUNTS_TO_CREATE.get()[loopcount-1];
    
    //Find the AD account ID
    var personDN = owner.get().dn;
    var accountList = (new AccountSearch()).searchByOwner(personDN);
    //Go through the account list to find the AD account
    // Note - this will fail for multiple AD accounts (the last one found wins)...
    var myADAccount = new String();
    for (var i=0; i<accountList.length; i++) {
    	var accountClasses = accountList[i].getProperty("objectclass");
    	for (var j=0; j<accountClasses.length; j++) {
    		var objclass = accountClasses[j].toLowerCase();
    		if (objclass == "eradaccount") {
    			myADAccount = accountList[i].getProperty("eruid")[0].toUpperCase();
    		}
    	}
    }
    
    //First search the new naming standard (AD user id + employment id)
    //var myEruid = account.get().getProperty("my_username")[0] + myId;
    var myEruid = myADAccount + myId;
    Enrole.log("SCRIPT","########## myEruid : " + myEruid);
    
    //Also search the old naming standard (id left-padded with zeros to 8 characters)
    var myEruid1 = "00000000".substr(1, 8 - myId.length).concat(myId);
    Enrole.log("SCRIPT","########## myEruid1 : " + myEruid1);
    
    var myService = service.get().name;
    Enrole.log("SCRIPT","##########" + myService);
    var myAccount = (new AccountSearch()).searchByUidAndService(myEruid,myService);
    var myAccount1 = (new AccountSearch()).searchByUidAndService(myEruid1,myService);
    var my_result;
    if (myAccount != null || myAccount1 != null){ //account found under either naming standard
    	my_result = activity.REJECTED;
    } else {
    	my_result = activity.APPROVED;
    	//Create account using the APPS APIs so that we can populate the newAccount property
    	var myNewAccount = new com.ibm.itim.dataservices.model.domain.Account("MyAccountType");
    
    	//Get platform and subject for APPS API
    	var platform = ITIMPlatformContext.getInstance();
    	var myClass = java.lang.Class.forName("com.ibm.itim.util.LoginHelper");
    	var myMethod = myClass.getDeclaredMethod("gInstance",null); // null for no args
    	myMethod.setAccessible(true); //if security settings allow this
    	var loginhelper = myMethod.invoke(null,null); //null target because the method is static, null for no args
    	var subject = loginhelper.getSystemUserSubject();
    
    	//Setup AccountManager with applicable Owner and Service
    	var myPersonMO = new PersonMO(platform,subject,new DistinguishedName(owner.get().dn));
    	var myServiceMO = new ServiceMO(platform,subject,new DistinguishedName(service.get().dn));
    	var myAccountMgr = new AccountManager(platform,subject);
    	
    	//Create a value set from what the provisioning policies dictate
    	var myValues = myAccountMgr.getAccountParameters(myPersonMO, myServiceMO);
    	//Change userid (eruid) - use 0 prepadded syntax
    	var myValue = new AttributeValue("eruid", myEruid1);
    	myValues.put(myValue);
    	//Change userid (my_username) - replace any value the policy supplied
    	myValues.remove("my_username");
    	myValue = new AttributeValue("my_username", myEruid);
    	myValues.put(myValue);
    	
    	//Add service - necessary for add extension to work
    	myValue = new AttributeValue("erservice", service.get().dn);
    	myValues.put(myValue);
    	
    	Enrole.log("SCRIPT","##########" + myValues.toString());
    	myNewAccount.setAttributes(myValues);
    	Enrole.log("SCRIPT","##########" + myNewAccount.toString());
    
    	//Hand the prepared account to the workflow's createAccount extension
    	newAccount.set(myNewAccount);
    }
    activity.setResult(my_result,"");

    I hope this shows how to accomplish the account creation - you will need to use AccountManager.getAccountParameters
    with ownershiptype added as the third argument...

    I have not sanitized the code for unsupported API calls - IIRC the loginhelper class is not public and there is a supported alternative - also be aware that I use reflection to instantiate static classes, which requires you to remove the blocking in scriptFramework.properties (and beware - I believe the deny is added by applying a FP...)

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
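    A stand-alone model of the decision logic in the PREPARE_ACCOUNT_CREATE script above (and of the [1,2,4] -> acc1, acc2, acc4 mapping from reply 2), added here as an example; it is not code from the thread or from ISIM. It runs offline in Node: the account lists and the service name are constructed sample data standing in for what AccountSearch returns, and the function names (paddedUid, adBasedUid, findAdUid, planAccounts) are my own. It goes one step beyond the original by refusing to proceed when the owner has more than one AD account, the case the script's own comment flags as failing.

```javascript
// Added example (not ISIM code): a runnable model of the PREPARE_ACCOUNT_CREATE
// decision. In the real workflow the inputs come from AccountSearch and the
// person entity; here they are constructed sample objects.

// Old naming standard: the employment id left-padded with zeros to 8 characters
// (the same result as the "00000000".substr(...).concat(id) idiom in the script).
function paddedUid(id) {
  const s = String(id);
  if (s.length > 8) throw new Error("id longer than 8 characters: " + s);
  return "0".repeat(8 - s.length) + s;
}

// New naming standard: the owner's AD eruid, upper-cased, followed by the id.
function adBasedUid(adUid, id) {
  return adUid.toUpperCase() + String(id);
}

// Locate the owner's AD account by objectclass. The workflow loop silently keeps
// the last erADAccount it sees; this version rejects the ambiguous case instead.
function findAdUid(ownerAccounts) {
  const ad = ownerAccounts.filter(a =>
    a.objectclass.some(oc => oc.toLowerCase() === "eradaccount"));
  if (ad.length === 0) throw new Error("owner has no AD account");
  if (ad.length > 1) throw new Error("owner has " + ad.length + " AD accounts; refusing to guess");
  return ad[0].eruid;
}

// For each id in the person attribute decide whether an account on `service`
// must be created. `existing` lists (service, eruid) pairs already present, i.e.
// what searchByUidAndService would find under either naming standard.
function planAccounts(ids, ownerAccounts, service, existing) {
  const adUid = findAdUid(ownerAccounts);
  const has = uid => existing.some(e => e.service === service && e.eruid === uid);
  return ids.map(id => {
    const newUid = adBasedUid(adUid, id);
    const oldUid = paddedUid(id);
    const found = has(newUid) || has(oldUid);
    // Mirrors the script: eruid gets the padded form, my_username the AD-based form.
    return { id, eruid: oldUid, my_username: newUid, action: found ? "REJECTED" : "APPROVED" };
  });
}

// Constructed sample input: one AD account, one unrelated account, and acc2
// already provisioned under the old naming standard.
const ownerAccounts = [
  { objectclass: ["top", "erADAccount"], eruid: "jdoe" },
  { objectclass: ["top", "erPosixAccount"], eruid: "jdoe" },
];
const existing = [{ service: "SSO", eruid: "00000002" }];

const samplePlan = planAccounts([1, 2, 4], ownerAccounts, "SSO", existing);
console.log(samplePlan);
```

    Run it with node; the plan approves ids 1 and 4 and rejects id 2 because its zero-padded uid already exists on the service.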



  • 5.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Thu June 25, 2020 03:21 PM
    Thank you so much Franz
    You are AWESOME.

    ------------------------------
    Sanjay Sutar
    ------------------------------



  • 6.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Fri June 26, 2020 02:27 AM
    Just a quick followup on getting the subject in workflow engine in a supported way (as the loginhelper is not public). I got this from one of my IBM colleagues : 


    The second method is using public methods only, so it should not create lifted eyebrows in IBM Support...
    There is also a variation on how to use the reflection API in JavaScript that may be a little more elegant than mine :-)

    HTH


    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Fri July 17, 2020 02:26 PM
    I am trying to do something similar, where a handful of users need a secondary 'privileged' account in Active Directory. I want that account to have a different ownership type, and to be automatically created based on role membership. We would really need the Provisioning Policy to allow automatic for a non-individual ownership type. I have submitted an RFE as suggested, but am trying to figure out what to do in the meantime.

    Using the Person Modify operation, once I have checked the users roles, I would like to pass on appropriate information to the createAccount extension, including specifying the ownership type 'privileged'. The input that I am not clear on is defining the object for the Account parameter. Using some of the above code, I first got a reference error for 'com' (com.ibm.itim.dataservices.model.domain.Account). Then when trying to shorten that to new Account("ADAccount") got "Error while calling java constructor 'com.ibm.itim.script.wrappers.generic.ProtectedAccountWrapper(string)' (java.lang.reflect.InvocationTargetException)".

    What options are available to establish the new Account object, so that I can set initial attribute values, and then pass to the createAccount extension?

    ------------------------------
    Kurt Ramsey
    ------------------------------



  • 8.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Sun July 26, 2020 07:47 AM
    If you take a look at my code further up in this thread, in the paragraph starting with
    //Create a value set
    In that section I use the AccountManager.getAccountParameters() to fill in the values as they are governed by the provisioning policies. Unless your eruid is also in your provisioning policies (it should NOT be - that is a bad practice - the eruid should be generated in the identity policy) you will need to add that as well - you can add other values also - but again I would stick to a pure provisioning policies implementation to avoid problems.

    Regarding your RFE - there are activities going on inside IBM to look at fixing this - I hope we can come out with some good news about this soon.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 9.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Wed April 20, 2022 09:33 AM
    Edited by Medha Parekh Mon May 02, 2022 12:04 PM
    Hi,
    We are trying to create multiple accounts for the same user on the same service with different ownership types. We are currently running ISIM 6 where automatic provisioning of accounts with other ownership types than individual is not available.

    Using ISIM APIs through TDI I have managed to create accounts inspired by the code above from Franz.

    However, I'm struggling to do this from a workflow. In the code above, "ITIMPlatformContext.getInstance()" is used to get the platform.
    Where can I find this method?
    Any help with how to get platform from within a workflow would be much appreciated!

    Best regards

    ------------------------------
    SW
    ------------------------------



  • 10.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Thu April 21, 2022 02:53 AM
    Edited by Franz Wolfhagen Thu April 21, 2022 05:35 AM
    The com.ibm.itim.webclient.util.ITIMPlatformContext is not a documented class - so you are excused :-)

    We have had many discussions inside IBM on this topic - I have decided to use it as the risk of this changing is very little, and if it were changed I am pretty sure it would be to make it part of the public APIs.

    If you look at the code sample, I always start my script with a set of
    importPackage
    statements - I do this for 2 reasons:
    1. To avoid having to use the full class name in all my script
    2. To show what classes are used - so that these can easily be set up in scriptframework.properties.

    Here is my entry for the com.ibm.itim.webclient.util.ITIMPlatformContext class:
    ITIM.java.access.util2=com.ibm.itim.webclient.util.*


    I forgot one important piece of information : If you are on ISVG 10 IM you can auto-create multiple accounts using the ownershiptype functionality as it now allows you to also have automatic entitlements : https://www.ibm.com/docs/en/sig-and-i/10.0.0?topic=overview-whats-new-in-this-release

    HTH



    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 11.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Tue May 03, 2022 08:42 AM

    Thanks Franz!

    I also had to add 'isimsystem' (the ejbuser) as a user in ISIM with admin privileges for the authentication to work - I saw a post from you about this in another forum post. :)

    Best regards,



    ------------------------------
    S W
    ------------------------------



  • 12.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Wed May 04, 2022 03:12 AM
    I am sorry I forgot that - but I have this setup in most of my test systems so I seldom think about it anymore.
    It would be nice if this was part of the out-of-the-box setup - but I will not expect our Product Management to support that :-) 

    Did you have a chance to look into using ownershiptypes ?  That gives a policy based possibility to handle this that IMHO is much better...


    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 13.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Wed May 04, 2022 10:04 AM

    Yes we are using ownership types, but in ISIM 6.0.2 I don't see the option to automatically provision accounts with other ownership types than Individual.
    We plan to migrate to ISIM10 later on but we need a way to create multiple accounts on the same service before that, without doing it manually in the GUI.

    I'll explain our use case and planned setup briefly:
    In addition to the Individual accounts that all our users have on the service, we have 4 other account types that the user should be able to request.
    For each of the account types I have set up an ownership type, a role, a provisioning policy and a life cycle rule.

    The user is added to the role when the new account is requested.
    The life cycle rule filters on role members and triggers an operation that checks if the account already exists. If the account doesn't exist,
    we fetch the account attributes set by the provisioning policy with AccountManager.getAccountParameters() with the ownership type specified and then create the account.
    If the role is removed from the user the account gets deleted since it is no longer allowed.

    It works, but of course it would be much nicer (and quicker) if everything could be handled by the provisioning policy.

    Best regards

    ------------------------------
    S W
    ------------------------------



  • 14.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Wed May 04, 2022 10:08 AM
    That was what I was hoping to hear :-)
    Adding the possibility to automatically create accounts using non-individual ownershiptypes was added in 10.0.0 - but you should of course go to 10.0.1 to be relieved of the Java applets :-)

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 15.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Wed August 23, 2023 02:13 PM

    Hi Everyone,

    When I try to use the same code, tweaked a little, from the workflows to perform a different operation using similar methods,
    I am getting a script error "java not found" for the line below.

    Any idea on why this is happening

    var myClass = java.lang.Class.forName("com.ibm.itim.util.LoginHelper");

    Regards,

    Alex



    ------------------------------
    Alex Mathew
    ------------------------------



  • 16.  RE: ISIM Question: Multiple account for a user on same service...

    Posted Thu August 24, 2023 03:03 AM

    This is because IBM has decided that you should not use java.lang.Class.forName() in your JavaScript, as this can potentially be a risk: it circumvents the restriction on which classes you can use in JavaScript as made available in the scriptframework.properties.

    You will find the following snippet in scriptframework.properties : 

    # Deny Java Method Configuration
    #
    # This property is added to prevent remote code injection through
    # reflection used in the script.
    #
    # To deny Java methods in scripts, add the Java methods
    # that you need to deny here.  You can add a full java
    # method name.
    #
    # To deny Java methods in scripts, the key must start with
    # "ITIM.java.method.deny". If you have multiple statements each key must be unique.
    #
    # This is a feature of using the IBMJS engine only.
    #
    # Examples:
    # ITIM.java.method.deny.forName=java.lang.Class.forName
    # ITIM.java.method.deny.exec=java.lang.Runtime.exec
    ITIM.java.method.deny.forName=java.lang.Class.forName
    

    This statement can of course be removed - but it will be reinserted on each Fixpak applied to ISVG IM - so the real solution is to avoid using the Java reflection classes unless necessary.

    I should have updated the samples long ago - but time is limited - so I will take the opportunity here to show how to use static methods of Java classes.

    The most simple way is simply to specify the full name of the class + method - the sample below demonstrates that for getting the (system) platform/subject as needed - and as you can see this is much simpler than using Java Reflection : 

    //Get platform and subject for APPS API
    //Fully qualified class names work directly - no java.lang.Class.forName needed
    var platform = com.ibm.itim.webclient.util.ITIMPlatformContext.getInstance();
    //var loginhelper = com.ibm.itim.util.LoginHelper.gInstance();
    var subject = com.ibm.itim.util.LoginHelper.gInstance().getSystemUserSubject();
    Enrole.log("SCRIPT","##########" + subject.getPrincipals());

    I also believe you can use the "Packages" JavaScript command to achieve the same - but as this works with no hassle (and also works in SDI btw) I would recommend this for readability and simplicity :-)

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
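    As an added illustration of the two points made in this thread about scriptframework.properties (reply 10: one ITIM.java.access entry per package the script imports; reply 16: leave the forName deny in place and call classes by their full name instead), here is how the relevant part of the file could look. This is an example, not a copy of any ISIM file: only the util2 entry and the deny line are taken from the thread, and the other key names (common, model, domain, apps, identity, provisioning, util) are assumed to follow the same ITIM.java.access.<name>=<package>.* pattern as util2. Whether the default file already grants some of these packages is not something the thread states, so check your own copy before adding duplicates.

```properties
# Added example, not from the thread or from an ISIM installation.
# One access entry per package the PREPARE_ACCOUNT_CREATE script imports with
# importPackage(...). Key names other than util2 are assumed.
ITIM.java.access.common=com.ibm.itim.common.*
ITIM.java.access.model=com.ibm.itim.dataservices.model.*
ITIM.java.access.domain=com.ibm.itim.dataservices.model.domain.*
ITIM.java.access.apps=com.ibm.itim.apps.*
ITIM.java.access.identity=com.ibm.itim.apps.identity.*
ITIM.java.access.provisioning=com.ibm.itim.apps.provisioning.*
# Entry quoted in reply 10 for ITIMPlatformContext
ITIM.java.access.util2=com.ibm.itim.webclient.util.*
# Assumed: needed for the fully qualified com.ibm.itim.util.LoginHelper.gInstance() call
ITIM.java.access.util=com.ibm.itim.util.*

# Keep the deny exactly as shipped. Class.forName would let a script reach any
# class regardless of the list above, and a fix pack re-adds the line anyway.
ITIM.java.method.deny.forName=java.lang.Class.forName
```

    With this layout a script that uses fully qualified names (as in the sample in reply 16) runs without reflection, and the access list doubles as documentation of which ISIM packages the workflow touches.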