IBM Security Verify


ISIM - Recertification policy and mandatory parameters

  • 1.  ISIM - Recertification policy and mandatory parameters

    Posted Wed March 20, 2024 01:19 PM
    Hi all, years ago I opened a ticket about the functioning of recertification policies and mandatory parameters.
     
    IBM support explained to me that the parameters defined as mandatory will not be sent in the recertification document.
     
    That is reasonable to me because I don't need to recertify something that is defined as mandatory.
     
    The problem is that my client needs to recertify every single access (the auditor says that it is mandatory for SOX regulation) but also needs to maintain mandatory parameters to prevent inherited privileges.
     
    My solution was to set the mandatory parameters to Default via script, then execute the policy, and when the campaign is over, return them to mandatory.
     
    On the other hand, maybe recertification of the provisioning policy instead of the person could help me, but that is not possible in ISIM as far as I know.
     
    What can I do in this scenario?
    Thanks all.


    ------------------------------
    Roberto Cristaldo
    ------------------------------


  • 2.  RE: ISIM - Recertification policy and mandatory parameters

    Posted Thu March 21, 2024 04:15 AM

    I am not sure I understand exactly what your recertification policy scope really is. Is it person (roles) or groups?

    But here is my take (maybe somewhat complex, but anyhow):

    • Mandatory attributes - those are governed by role, so you need to recertify the relevant roles for this.
    • Mandatory roles defined by Dynamic Roles (or another birthright mechanism) should be recertified in a Role Governance setup - this is NOT supported by ISVG IM/ISIM, but you can use reporting to help you.
    • Optional entitlements should be covered by the ISVG IM recertification policies.

    All this together should ensure SOX compliance, but you cannot do it completely automated inside ISVG IM, as the Role Governance lifecycle is not supported there; it is a process outside the system (there should be a Role Governance board/function that handles the birthrights and the model).

    Be aware that the ISVG IM Container version now has Account/Group Recertification Campaigns (similar to our ISV and IGI solutions); these will at some time also cover Roles. I have not tested these personally yet, but I have customers doing this. They are being enhanced (new options coming in the next FP) and at some time they should be able to replace the current recertification policies fully...

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: ISIM - Recertification policy and mandatory parameters

    Posted Wed March 27, 2024 01:55 PM
    Hi Franz, thanks for your response.


    --
    Roberto Cristaldo
    Consultor Informatico RMI S.R.L