IBM Security Verify


ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

  • 1.  ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Wed January 19, 2022 03:51 PM
    Hi,

    We are looking at automated provisioning into the RACF Database using the OOTB RACF Adapter and want to auto-generate the password and also send that password to the end user's manager post creation of the account. We want the user to be able to change the password on first login on the RACF DB using the same password.

    Any pointers on how to randomly generate the password according to the password policy while provisioning to the RACF Database would be helpful.

    Where do I make the config to pass the password to the RACF Adapter during provisioning? Should I create a form field for password and auto-populate the password using custom code in the provisioning policy? But how do I ensure that the adapter takes in the password set on the form and sets the same in the RACF Database account?

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------


  • 2.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Sat January 22, 2022 04:05 AM

    Hi,

    I am so sorry but I don't understand the use case. In our case, we are working with ISIM and the RACF adapter. ISIM provisions the RACF account, and the user logs on to the ISIM console to set his own password in RACF. It is just needed that his initial ISIM password be set by his manager.

     



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 3.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Sun January 23, 2022 07:37 PM
    Hello,

    Thank you, I could use that approach too, but how do you ensure that the end user has access to log in to the self service portal and change the RACF Account password? I understand, in views for end user, we can allow change account password, but that won't be enough for the end user to reset the RACF Account password when he logs into the self service login page. How is that handled and configured? Please provide your inputs.

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 4.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Sun January 23, 2022 08:05 PM

    How do I ensure that the end user can reset the RACF Account password post logging into the Self service console? What's the config which drives this?

    Please provide your inputs.

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 5.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Mon January 24, 2022 02:31 AM
    Let me explain a couple of basic things for ISIM.
    The OOTB provisioning in ISIM works this way:
    • Automatic Account provisioning is policy based - for an identity (person) to receive an account, a provisioning policy with an "automatic" entitlement must be included (role assigned to person on the policy)
    • The account is built according to all provisioning policies that the person is linked to via roles, and conflicts are solved via join directives
    • The account object is fed to the operational workflow (Account Add) - this can either be a specific workflow for your RACF account (entity workflow) or a generic one for all accounts (entitytype workflow). When the account create extension is triggered the account password is created randomly according to the password policy. This is also the workflow where you can get the password afterwards (decrypt method - look into the JavaScript extension reference) and you can mail it to the manager - the default behavior in ISIM is to send it to the account owner - there is some work necessary to ensure your flow is as desired...
    • The account object (including password) is sent to the RACF adapter and created in RACF.
    I hope this clarifies the process somewhat more - my recommendation is that you get some help from either IBM Security Expert Labs services or an experienced IBM ISIM partner - though this is not rocket science, an experienced ISIM specialist can spare you quite some time and pain :-)

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 6.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Mon January 24, 2022 06:00 PM
    Thank you . 

    Regards,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 7.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Tue January 25, 2022 03:39 PM

    Hello,

    Automatic account creation is done in ISIM via provisioning policies. If any policy including the RACF service is suitable for that "person" object, ISIM will automatically create an account.
    At this point, if password synchronization is enabled, ISIM will try to send the existing password of the person to the account.
    Where is the existing password?

    - During person creation, either by HR Feed or Manually, you can have the option to "set a password" for that person object. If this is done AND password synchronization is enabled, the RACF account will be created with the "same" password.
    If there is no existing password, or sync is not enabled, then ISIM will generate a new one according to the "Password policies" that are selected for the RACF service.

    Either way, the password is available encrypted in the workflow account object. (Manage operations -> Account - RACF account - add, for example.)

    In order to get this password and send it to a manager, you have to edit the workflow. If you have experience with workflows, it is a simple thing actually; the critical method is this one -> var password = <personEntity>.getAndDecryptSynchPassword();

    So as you can see, you must know all of these and then can customize workflows accordingly.

    1. How are persons created?
    2. Is the password set/generated during person creation?
    3. Is Password Synchronization enabled or not?
    4. What's inside your RACF Service provisioning and password policy?
    After that it's simpler than writing this post. ...And I now saw Franz already explained it. Oh well. 😀 🤷🏻‍♂️

    ------------------------------
    Ali Malik Gürbüz
    Bilgibirikim Std.Lti - Turkey/EMEA
    IBM Business Partner
    9+ Years with ISIM/ISVG etc.
    5.2.5 Certified Exam Developer *I* - 2019
    ------------------------------



  • 8.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Wed January 26, 2022 01:47 AM
    You added some of the details on the password logic I omitted which is good...

    That said - IMHO nobody in the year 2022 should use password synchronization - that is not a good idea and any IAM implementation should be designed to avoid that (Think Access Management/SSO - e.g. IBM Security Verify/Verify Access) to handle passwords.

    Yes - I know there are gaps (special tooling needed when working with e.g. RACF for SSO) and the real world is not simple - but if you are considering password synchronization in a new deployment you have more severe problems on your neck sooner than you believe...

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 9.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Wed January 26, 2022 05:30 PM
    Thank you .

    We do have the password sync enabled, so I do see that the password is getting populated as the password assigned to the identity when the RACF Account is being provisioned from ISIM. I understand that to ensure RACF is excluded from password sync, the config needs to be done in enRole.properties (How to configure ISIM for selective password synchronization (ibm.com)). Post this, I understand I can attach a password policy to the RACF Service. Now, will the password be autogenerated based on the password policy attached to the RACF Service by ISIM OOTB, or should I write custom code in the provisioning policy and populate the password according to the password policy?

    Background: Until now the RACF Adapter is only used for reconciliation from RACF->ISIM so we never had any issues. Also I do see that in the ChangePassword Operations at RACF entity level, the workflow is altered in the env so that the change password won't sync the password from ISIM->RACF.

    Thanks in advance !

    Regards,
    Sahana


    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 10.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Thu January 27, 2022 02:48 AM
    Here is my advice:

    Password management is relatively easy - if your password policy is created and matches the RACF requirements, passwords will be automatically created as random passwords according to the policy. The password can be retrieved in the account - this is the method that will help you: Account.getAndDecryptPassword() There are also methods in JavaScript to set a password if you need that level of control - and also to generate a password based on the service. But if you exclude RACF from password synch it should generate a random password for you and not use the synch password.

    If you plan to create accounts automatically you need to study the way Provisioning Policies work in ISIM. They are driven from Roles (internal ISIM RBAC) - roles can either be Static (membership is managed) or Dynamic (membership is derived from ldap attributes automatically). RACF is not the simplest target to manage - so you may need to study some of the complex attribute handler logic and also understand how join directives work (and the basic Provisioning Entitlements).

    Let us know if you run into problems - this community is normally very helpful

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 11.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Sun January 30, 2022 08:45 PM
    Thank you for all the inputs. The below is what I am thinking.

    1. Exclude RACF from the password synchronisation - by editing the enRole.properties file.
    2. Create a Password Policy specific to the RACF Service.
    3. Attach the Password Policy to the RACF Service.
    4. Create a Role and provisioning policy and attach the RACF service to it.

    The above would autogenerate a password during RACF Account creation from ISIM according to the password policy defined, is what I understand. Am I correct?

    Please provide your inputs.

    Thanks in advance.

    Regards,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 12.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Mon January 31, 2022 01:50 AM
    That sounds about right :-)

    One comment though - you should also consider how the password is sent to the user. Just relying on sending the password using the default method will often result in calls to the help desk if the mail is not clear.

    So looking at the different use cases when a user receives a RACF account and ensuring that the initial logon is described well in the communication is key to avoid problems :-)

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 13.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Fri February 04, 2022 02:06 AM

    Hi,

    Performed the below:

    1. Exclude RACF from the password synchronization - by editing the enRole.properties file.

    2. Create a Password Policy specific to the RACF Service.

    3. Attach the Password Policy to the RACF Service.

    4. Create a Role and provisioning policy and attach the RACF service to it.

    In the provisioning policy, I added Password as a parameter and gave a default value and it worked. But if I removed the password attribute from the provisioning policy, new account creation failed - ISIM is not generating the password automatically.

    Is this the default behavior? Won't ISIM autogenerate the account password based on the password policy attached?

    I have created a password policy using the Create Password Policy in ISIM and attached it to the RACF Service.

    I tried to attach a javascript to the password field in the provisioning policy which randomly generates the password based on basic rules, and I am able to provision the account to RACF. But in the logs I am seeing that it prints error messages initially telling the password is too long, and then it generates the password again and the account creation works successfully. Why is this so?

    Also I tried to edit the add Operation at RACF entity level to send email to myself post addition of the RACF Account. It did not work as expected. Where can I enable the logs to check more details on why it did not work? Also which loggers to enable in specific?

    I want to send a notification with the RACF Account details to the end user's manager post provisioning of the RACF Account to the user through addition of the Role - Provisioning policy - RACF entitlement. Am I on the right track? Am I missing something? How do I debug/troubleshoot if the add Operations workflow is not working as expected post modification?

    Please provide your inputs.

    Thanks,

    Sahana



    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 14.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Fri February 04, 2022 02:24 AM
    Passwords should be generated by the password policies - not by the provisioning policies even if it is possible (there may be exceptions to this - but they are rare). You should ensure that your password policy is matching the defined policies on RACF - but the way the creation of an actual password is performed may require the password generator to run multiple times to generate a password that matches - that may be what you are seeing and is normally a sign that the policy can be improved to be more accurate - but if it works for you then this should only be regarded as warnings...

    Do NOT use entitlement workflows when automating things - these are developed for manual provisioning purposes and will basically create you a lot of problems. What you need to look at are the operation workflows under "Configure System" - and the actual operation you want to use is the Entity Account Add for RACF profile. As mentioned earlier here you can retrieve the password on the account in a Mail extension that is sent to the manager of the account owner.

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
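    The retry behaviour Franz describes above (a generator whose settings are wider than the target's policy produces "too long" rejections until a candidate happens to fit) can be made visible with a small generate-then-validate loop. The following is an added illustration written for this thread, not ISIM's password generator, its JavaScript extension API, or any code posted by the participants. The `PasswordPolicy` shape and the `RACF_LIKE` policy (6 to 8 characters, upper-case letters, digits and the national characters @ # $) are constructed assumptions for the demo, not a copy of any real RACF SETROPTS configuration. The constructive generator at the end shows the alternative of building a compliant password in one pass, which is what a generator aligned with its policy looks like.

```python
import random
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy shape; not ISIM's PasswordPolicy object or its JavaScript API."""
    min_length: int
    max_length: int
    alphabet: str            # characters the target accepts
    required_classes: tuple  # at least one character from each string must appear


# Constructed example resembling a legacy 8-character RACF password (upper-case
# letters, digits and the national characters @ # $); an assumption for the
# demo, not taken from any real SETROPTS configuration.
RACF_LIKE = PasswordPolicy(
    min_length=6,
    max_length=8,
    alphabet=string.ascii_uppercase + string.digits + "@#$",
    required_classes=(string.ascii_uppercase, string.digits),
)


def violations(password: str, policy: PasswordPolicy) -> list:
    """Return the rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if len(password) > policy.max_length:
        problems.append("too long")
    if any(ch not in policy.alphabet for ch in password):
        problems.append("illegal character")
    for cls in policy.required_classes:
        if not any(ch in cls for ch in password):
            problems.append(f"missing a character from {cls!r}")
    return problems


def _rng(seed):
    # secrets.SystemRandom for real use; a seeded random.Random only for tests and demos.
    return secrets.SystemRandom() if seed is None else random.Random(seed)


def generate_by_rejection(policy, length_range, seed=None, max_attempts=200):
    """Draw a candidate, validate it, retry on failure.

    length_range is the generator's own setting. When it is wider than
    policy.max_length the loop reports "too long" rejections before it
    succeeds, which is the pattern of warnings discussed in the thread.
    """
    rng = _rng(seed)
    lo, hi = length_range
    for attempt in range(1, max_attempts + 1):
        length = rng.randrange(lo, hi + 1)
        candidate = "".join(rng.choice(policy.alphabet) for _ in range(length))
        problems = violations(candidate, policy)
        if not problems:
            return candidate, attempt
        print(f"attempt {attempt}: rejected ({', '.join(problems)})")
    raise RuntimeError(f"no compliant password after {max_attempts} attempts")


def generate_constructively(policy, seed=None):
    """Build a compliant password directly: one char per required class, fill, shuffle."""
    rng = _rng(seed)
    if len(policy.required_classes) > policy.max_length:
        raise ValueError("unsatisfiable policy: more required classes than characters")
    shortest = max(policy.min_length, len(policy.required_classes))
    length = rng.randrange(shortest, policy.max_length + 1)
    chars = [rng.choice(cls) for cls in policy.required_classes]
    chars += [rng.choice(policy.alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    password = "".join(chars)
    assert not violations(password, policy), "generator and policy disagree"
    return password


if __name__ == "__main__":
    # Generator configured for 8-12 characters against a policy that caps at 8:
    # expect several "too long" rejections before success. The secret itself is
    # deliberately not printed.
    pw, n = generate_by_rejection(RACF_LIKE, (8, 12))
    print(f"rejection sampling needed {n} attempt(s), length {len(pw)}")
    print("constructive generator length:", len(generate_constructively(RACF_LIKE)))
```

    Running the script shows the rejection loop typically needing several attempts with the mismatched (8, 12) setting and exactly one with `(6, 8)`; the constructive variant never retries. The same comparison applies to Sahana's custom provisioning-policy JavaScript in post 13: if its length rules differ from the policy attached to the service, the warnings are expected, and aligning the two removes them.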



  • 15.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Mon February 07, 2022 08:04 PM
    Hi ,

    Thank you, yes I edited the add operations and I was able to send the password in an email.

    I have one question. We currently have accounts created directly in RACF and they are reconciled into ISIM. Now let's say I create a Role, Provisioning Policy and also a rule like 'employeetype=A' and make sure this flow has entitlement as RACF Account in the Provisioning Policy.
    So for the users who have the RACF Account, if they have employeetype = A then the Role will be auto provisioned. Will this also detect that the user already has an account provisioned and not do anything? Also when the Role is removed, the RACF Account needs to be disabled/suspended; how do I achieve this?

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 16.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Mon February 07, 2022 09:22 PM
    I understand that when the user is removed from Role membership the RACF Account needs to be suspended/inactive too. But where do we specify this config in ISIM?

    Also in our env there is one more provisioning policy which sets the status of the RACF Account to be in sync with Identity/Person status. This has a higher priority; I think this is the reason why the RACF Account status is currently not changing to inactive when the user is removed from the Role (this is created by me, which has a Provisioning policy and custom password generation code as per the above mail thread).

    Is my analysis correct?

    Thanks

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 17.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Tue February 08, 2022 02:55 AM
    This has been raised as a wish/RFE several times IIRC, but alas the "suspend on no entitlements" functionality does not exist as a setting or policy in ISIM.
    There are several ways to implement this - a simple one is to implement an operational workflow that checks RACF accounts without entitlements and suspends them (but remember you also need to restore when entitlements are added...)
    Another way is to implement it in the account modify operation.

    Here is an example of how this could look (this was for SAP NW accounts):

    The implementation can be tricky and this is not that simple to implement - but I hope you get the idea...

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 18.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Thu March 10, 2022 10:00 PM
    Please help me understand.

    What I want to achieve is: I have a Role, Provisioning policy and the RACF Service attached to the Provisioning policy. When a user is added to the Role, the RACF Account is automatically provisioned. When the user is removed as a member of the role I am expecting the RACF Account to be suspended, and that's not happening.

    Any idea why?

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 19.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Fri March 11, 2022 02:18 AM
    You are missing several points here - but let me try to explain how basic provisioning works in ISIM. There are many variables in it, so it is not really straightforward. And you cannot really expect to have a good answer with the level of detail you provide...

    First - let's look at the Provisioning Policy Entitlement. To make it simple I will only discuss Target Type that is a Service (think your RACF service). When you add an entitlement it can either have Provisioning Option "Manual" or "Automatic" - if "Automatic" is on an entitlement and a person being subject to this entitlement does not own an account on this service, it is being provisioned, i.e. the Account Add workflow is initiated. The account object fed to the workflow will be created using all parameters/account defaults that are in scope.

    Now - if the person having an account is removed from all entitlements that allow owning an account (and this is important - ISIM may have created a policy that allows all persons to own a RACF account when you created the service), e.g. by being removed from a role - the result will be that the account is now "disallowed" in ISIM. Depending on the Policy Enforcement for the Service (Mark, Suspend, Alert or Correct) an action will be performed.

    NOTE - only Mark and Correct will do what you expect - Suspend/Alert are really not working for real life use cases - so do not spend any time on them - all experienced ISIM people have been there and found that the pain of them is not worth going through....

    In case of Mark the only thing that happens is that the account will be flagged as "Disallowed" but no workflow will be initiated. In case of Correct the system will initiate Account Delete (not Suspend).

    So - the standard out of the box functionality will not do what you want - so you have to modify e.g. the Account Delete workflow to obtain the suspend - but be aware if the service Policy Enforcement is "Correct" the system will still try to remove the account even if it is suspended - the trick here is either to transfer the ownership to a technical person in ISIM where the account is allowed or otherwise ensure that it is allowed (there can be many ways of doing that..)

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
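    The two mechanisms described in posts 17 and 19 (a custom "suspend on no entitlements, restore when an entitlement returns" workflow, and the built-in Policy Enforcement modes where Mark only flags a disallowed account while Correct requests Account Delete) interact in a way that is easy to get wrong, so here is a small model of one policy-evaluation pass. This is an added illustration for the thread, not ISIM's own policy-evaluation code or the SAP NW workflow Franz refers to; the `Person`, `Entitlement` and `Account` classes, the `"*"` role meaning "all persons" (standing in for the default policy ISIM may create with the service), and the `suspend_on_no_entitlement` flag are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the objects the thread talks about; these are not
# ISIM's classes, only a simplified re-enactment of the described behaviour.


@dataclass
class Person:
    uid: str
    roles: set = field(default_factory=set)


@dataclass(frozen=True)
class Entitlement:
    role: str        # role that grants the entitlement; "*" = every person
    service: str     # target service, e.g. the RACF service
    automatic: bool  # Provisioning Option "Automatic" (True) or "Manual" (False)


@dataclass
class Account:
    service: str
    owner: str           # uid of the owning Person
    suspended: bool = False
    disallowed: bool = False


def entitled(person, service, entitlements):
    """Entitlements that allow this person to own an account on the service."""
    return [e for e in entitlements
            if e.service == service and (e.role == "*" or e.role in person.roles)]


def has_account(accounts, uid, service):
    return any(a.owner == uid and a.service == service for a in accounts)


def evaluate(persons, accounts, entitlements, enforcement, suspend_on_no_entitlement=False):
    """Return the actions one policy-evaluation pass produces (model, see lead-in).

    enforcement is the service's Policy Enforcement: "Mark" only flags the
    account, "Correct" requests Account Delete. suspend_on_no_entitlement
    models the custom workflow from post 17: suspend disallowed accounts and
    restore them when an entitlement comes back.
    """
    actions = []
    # "Automatic" entitlements provision a missing account (Account Add workflow).
    for p in persons.values():
        for e in entitlements:
            if (e.automatic and (e.role == "*" or e.role in p.roles)
                    and not has_account(accounts, p.uid, e.service)):
                actions.append(("add", e.service, p.uid))
                accounts.append(Account(e.service, p.uid))
    # Existing accounts are re-checked against whatever entitlements remain.
    for a in accounts:
        a.disallowed = not entitled(persons[a.owner], a.service, entitlements)
        if suspend_on_no_entitlement and a.disallowed and not a.suspended:
            a.suspended = True
            actions.append(("suspend", a.service, a.owner))
        elif suspend_on_no_entitlement and not a.disallowed and a.suspended:
            a.suspended = False
            actions.append(("restore", a.service, a.owner))
        if a.disallowed and enforcement == "Mark":
            actions.append(("mark", a.service, a.owner))
        elif a.disallowed and enforcement == "Correct":
            # Correct still requests deletion of a disallowed account even
            # after the custom workflow suspended it (post 19's warning).
            actions.append(("delete", a.service, a.owner))
    return actions


if __name__ == "__main__":
    ents = [Entitlement("RACF-USERS", "RACF", automatic=True)]
    persons = {"sahana": Person("sahana", {"RACF-USERS"})}
    accounts = []
    print("join role:   ", evaluate(persons, accounts, ents, "Correct"))
    persons["sahana"].roles.clear()
    print("leave, Mark: ", evaluate(persons, accounts, ents, "Mark", True))
    print("leave, Corr: ", evaluate(persons, accounts, ents, "Correct", True))
    persons["sahana"].roles.add("RACF-USERS")
    print("rejoin:      ", evaluate(persons, accounts, ents, "Correct", True))
```

    Walking through the demo: leaving the role with Mark enforcement produces a suspend plus a "disallowed" flag and nothing else, which is the outcome Sahana is after; switching the same service to Correct then yields a delete request for the already-suspended account, which is why the thread advises keeping the account allowed (for example by transferring ownership) when Correct is in use. Adding a `"*"` entitlement to the list shows the other trap from post 19: the account is never disallowed, so nothing happens on role removal at all.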



  • 20.  RE: ISIM 6.0 - RACF Adapter Integration - Password Generation at ISIM

    Posted Tue February 08, 2022 02:44 AM
    Let me try to answer your question - it is not as straightforward, as the timing of events influences what happens. There are (at least) 3 different cases:
    1. The account has been created in RACF but not yet reconciled to ISIM. In this case ISIM will try to create the account as it does not know of the account, and the account creation will fail in the adapter
    2. The account has been reconciled to ISIM but not matched to the person (orphan account - adoption policy not able to match correctly). In this case the account add operation will fail (unless there is a check/adoption implemented in the workflow)
    3. The account has been reconciled to ISIM and matched to the user. In this case - depending on whether policy evaluation is turned on for reconciliation (it is by default and should be in 99% of all cases) the policies will be evaluated and the eventual resulting policy compliance will be reflected on the account. If the RACF service is set to "correct compliance" the resulting changes will be written to RACF. Be aware - this last case is only relevant if a previous attempt (when the person was added to the role) failed or was not enforced.

    There are many factors that drive what happens here as you can see - and there are good reasons for each of them. The real complexity is that ISIM, to perform automated provisioning, requires the service's enforcement to be "correct compliance" - else it is just setting the compliance status on the account. Account creation is driven by the "Automatic" policy entitlement, which may seem a little counter intuitive. It would be nice if enforcement was also part of the provisioning policies - but alas this is not so - so if you need a mixture of automatic policy driven provisioning for some accounts and manual provisioning for others (on the same service - this is what we call "hybrid provisioning") you need to be able to have some scheme for what is managed fully and what is not - the most common way is to use a naming scheme on the entitlements (groups).

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------