Well - I suppose you do not need the input for my second method then....
But here are the important steps (this is copied from an operational account workflow script - so it will need some small changes to run in SDI) - you will need to log in to ISIM first, and then these steps will calculate the non-compliant attributes for an account :
// platform and subject come from the ISIM login done beforehand;
// owner, service and account are the workflow's entities (adapt these when running from SDI)
myPersonMO = new PersonMO(platform, subject, new DistinguishedName(owner.get().dn));
myServiceMO = new ServiceMO(platform, subject, new DistinguishedName(service.get().dn));
myAccountMO = new AccountMO(platform, subject, new DistinguishedName(account.get().dn));
myAccountMgr = new AccountManager(platform, subject);
// current attribute values of the account as stored in ISIM
myAttrVals = myAccountMO.getData().getAttributes();
activity.auditEvent("Account has following attributeValues : \n" + myAttrVals.toString());
// evaluate the account's attributes against the provisioning policies for this person and service
myCompliance = myAccountMgr.checkAccountCompliance(myPersonMO, myServiceMO, myAttrVals);
// activity.auditEvent is workflow-only; replace with your own logging when running from SDI
activity.auditEvent("Account has following non-compliant attributeValues : \n" + myCompliance.requiredChangesToString(myAttrVals));
This is quite simple - in SDI you can basically just search your non-compliant accounts and do the above directly using the account attributes...
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
Original Message:
Sent: Tue June 09, 2020 01:53 PM
From: Camilo Zamora
Subject: ISIM: Non-compliant attributes report
Hello and thank you Franz and Grey,
Tried Franz's third method and it worked perfectly!
Exported the appropriate records from PROCESSLOG as a CSV file with a basic query and IBM Data Studio, and parsed the XML output with a small(-ish) Python script.
I might still open the RFE, would be a nice feature.
Thanks!
------------------------------
Camilo Zamora
Original Message:
Sent: Tue June 09, 2020 10:26 AM
From: Franz Wolfhagen
Subject: ISIM: Non-compliant attributes report
There are basically 2 ways to get the desired result - the first is probably the quickest and handiest - but also the ugliest one. The second is to use the ISIM APIs to perform the validation (e.g. from SDI) and is of course the best way compared to the first method :
- The first method is to run a provisioning policy review on the accounts you want to evaluate - this means that the persons must be members of one or more roles associated with a policy - in most cases you already have that - else it is very easy to build - you do not even need to save it - just a preview is the purpose. When the preview is performed the result is stored in the RDBMS - check the schema documentation here to find the relevant table : https://www.ibm.com/support/knowledgecenter/SSRMWJ_6.0.0.22/com.ibm.isim.doc/landing/dbschema_landing.html (I do not remember it off the top of my head - sorry). The next step is to export the data out of the table to something you can work with - use SDI/QMF or built-in tools - and when the export is done you can close the preview and the data will be cleaned from the table...
- The second method is to perform an account validation using the ISIM Java APIs - this can be done in a workflow or from an external application, e.g. SDI. I have performed that stunt in the operational workflow some time ago - I will have to dig up the relevant piece of code later - please let me come back to you on that....
- While writing I actually got an idea for a third method - when you run a reconciliation (with policy evaluation performed) the PROCESSLOG table will actually contain a record of the evaluation - you can see that in the reconciliation request as "Noncompliant Accounts" under each "Enforce Compliance" entry. This is probably a little too complex as you will want to convert the embedded XML strings to something more workable (the format is not documented but is very generic and simple) - you can do this in SDI or using some very complex DB2 conversion to convert it to rows in e.g. a new view (I hope I will be able to show how to do this some time - it is really nifty...)
I will be back - probably tomorrow with a little piece of Java api code (in JavaScript) that shows the second method...
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Mon June 08, 2020 03:43 PM
From: Camilo Zamora
Subject: ISIM: Non-compliant attributes report
Hello,
In our production environment the provisioning policy enforcement behavior is currently set to "Mark". We would like to generate a report that shows the current non-compliant accounts and the attributes of them which are causing the compliance issues. The default "Non-compliant accounts" report shows the non-compliant accounts but not their non-compliant attributes.
IBM Support tells me that the non-compliant attributes are generated at runtime as XML and cannot be obtained either from LDAP or the DB, and that the only way to check on them is one-by-one directly on the console (not a nice task when having more than 2000 non-compliant accounts across all services). But I wonder if there is some option to do this either from SDI, an external script or somewhere else.
Does anyone know if there is a way to generate a report like this?
Thanks.
------------------------------
Camilo Zamora
------------------------------