Individual Active Directory group certification

Introduction

A requirement that I've seen asked for repeatedly by SailPoint IdentityIQ clients is the ability to run a manager certification for a single Active Directory group (or a subset of groups). For this requirement I've compared three routes for generating a certification for a subset of Active Directory groups (in theory these options can be used for any entitlement, not just Active Directory groups).

 

First some background on the environment that I've performed the tests in:

 

Number of Identities: 186,873

Number of Application Accounts (Active Directory): 177,721

Number of Task Servers: 2 (each with 6 CPUs, 12 GB of RAM, 6 GB dedicated to IIQ)

Manager Certification Partition (RequestDefinition): maxThreads=6

 

Option 1: Manager certification

The first option entails creating a Manager Certification. In the Manager Certification select "All Managers" for the Recipient in the "What to Certify" section. Under "Included Applications", select the name of your Active Directory application.

[Screenshot: What to Certify - Manager Certification]

 

Lastly, for the exclusion rule select "AD Group Exclusion Rule":

 

[Screenshot: Exclusion Rule]

 

 

import sailpoint.object.*;
import sailpoint.tools.*;
import sailpoint.api.IdentityService;
import sailpoint.api.certification.DataOwnerCertificationBuilder.DataOwnerCertifiable;
import sailpoint.api.certification.DataOwnerCertifiableEntity.DataItem;
import java.util.List;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

private Log logger = LogFactory.getLog("rule.ADGroupExclusion");

// Rule inputs supplied by IdentityIQ: context, state, items, itemsToExclude
if (null != items) {

  if (state == null) {
    logger.debug("Initialize state object...");
    state = new HashMap();
  }

  List adEntitlements = (List) state.get("adEntitlements");

  if (null == adEntitlements || adEntitlements.isEmpty()) {
    // Get the list of entitlements to include in the certification from a Custom object
    Custom inclusionCustom = context.getObjectByName(Custom.class, "AD Group Inclusions Custom");
    if (inclusionCustom != null) {
      adEntitlements = inclusionCustom.getList("ADGroupInclusion");
    }
    else {
      logger.warn("Custom object 'AD Group Inclusions Custom' not found; nothing will be excluded");
    }

    // Cache the inclusion list in the state object so the Custom object is not
    // fetched every time the exclusion rule is processed
    state.put("adEntitlements", adEntitlements);
  }

  Iterator it = items.iterator();

  while (it.hasNext()) {
    Certifiable certifiable = (Certifiable) it.next();

    Entitlements ents = null;

    if (certifiable instanceof Entitlements) {
      logger.debug("Certifiable is Entitlements");
      ents = (Entitlements) certifiable;
    }
    else if (certifiable instanceof DataOwnerCertifiable) {
      logger.debug("Certifiable is DataOwnerCertifiable");
      ents = certifiable.getEntitlements();
    }

    if (null != ents) {
      Attributes attrs = ents.getAttributes();
      List entlist = attrs.getKeys();
      Iterator entit = entlist.iterator();

      while (entit.hasNext()) {
        String entAttrName = (String) entit.next();
        // Note: getString assumes each certifiable carries a single value for the
        // attribute, which is the case with value-level entitlement granularity
        String entAttrVal = attrs.getString(entAttrName);

        if (null != adEntitlements && !adEntitlements.contains(entAttrVal)) {
          // Exclude every entitlement on the identity that is not in the custom inclusion list
          itemsToExclude.add(certifiable);
        }
      }
    }
  }
  items.removeAll(itemsToExclude);
}

return "";

 

Note: Don't forget to check "Enable Partition" before generating the certification.

 

The exclusion rule references a Custom object that contains the list of Active Directory groups to include in the certification. The Custom object holds the full distinguishedName of each group because the exclusion rule compares it against the value of the entitlement, and that comparison is an exact string match:

 

<Custom name="AD Group Inclusions Custom">
  <Attributes>
    <Map>
      <entry key="ADGroupInclusion">
        <value>
          <List>
            <String>cn=contractors,ou=Groups,dc=test,dc=com</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Custom>
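As an added example (not code from this page or from SailPoint), a plain-Java helper that models the inclusion check the exclusion rule above performs against the Custom object's list, generalized to several groups (the case raised in the comments), multi-valued attributes, and DNs that differ only in case or spacing. The class name, method names and sample DNs are assumptions; unlike the rule above, it keeps an item when any of its values is on the inclusion list.

```java
import java.util.*;

// Hypothetical stand-alone helper, not SailPoint code: the inclusion check the exclusion
// rule above performs, but on canonical DNs, so the Custom object's entries and the
// aggregated memberOf values need not agree on case or spacing.
public class AdGroupInclusionFilter {

    // Canonical form: lower-case, no whitespace around the commas between RDNs.
    // Escaped commas inside an RDN value (\,) are not handled here.
    static String normalizeDn(String dn) {
        StringBuilder sb = new StringBuilder();
        for (String rdn : dn.split(",")) {
            if (sb.length() > 0) sb.append(',');
            sb.append(rdn.trim().toLowerCase(Locale.ROOT));
        }
        return sb.toString();
    }

    // attrs mirrors Entitlements.getAttributes(): attribute name -> String or List of values.
    // True when none of the item's values for groupAttr is in the inclusion list, i.e. the
    // item belongs in itemsToExclude; items without that attribute are kept.
    static boolean shouldExclude(Map<String, Object> attrs, Collection<String> includedDns,
                                 String groupAttr) {
        Set<String> included = new HashSet<>();
        for (String dn : includedDns) included.add(normalizeDn(dn));
        Object raw = attrs.get(groupAttr);
        if (raw == null) return false;
        List<?> values = (raw instanceof List) ? (List<?>) raw : Collections.singletonList(raw);
        for (Object v : values) {
            if (included.contains(normalizeDn(String.valueOf(v)))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample data: an inclusion list with two groups, like the attached
        // Custom object for two Active Directory groups.
        List<String> included = Arrays.asList(
            "cn=contractors,ou=Groups,dc=test,dc=com",
            "CN=Finance, OU=Groups, DC=test, DC=com");
        Map<String, Object> contractorItem = new HashMap<>();
        contractorItem.put("memberOf", "CN=Contractors,OU=Groups,DC=test,DC=com");
        Map<String, Object> vpnItem = new HashMap<>();
        vpnItem.put("memberOf", Arrays.asList("cn=vpn-users,ou=Groups,dc=test,dc=com"));
        System.out.println("contractor item excluded: " + shouldExclude(contractorItem, included, "memberOf"));
        System.out.println("vpn item excluded: " + shouldExclude(vpnItem, included, "memberOf"));
    }
}
```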

 

Option 2: Identity certification

Navigate to the Advanced Analytics and select Identity Search. In the Entitlement section, select just the entitlements that you want included in the Certification and click the Run Search button.

 

If the results match what you're expecting, you can either Save the results as a Population (More on this in option 3) or select all users returned and click the "Schedule Certification" button.  For this option, we'll go with Schedule Certification.

[Screenshot: Identity Search results with Schedule Certification, 2016-12-09]

 

Once that's selected, under "What to Certify" select "Assign to Manager(s)" (Note you have to set a default certifier as well).  Then under included applications select the name of your Active Directory application. Lastly, for the exclusion rule select "AD Group Exclusion Rule" (Same as in option 1).

[Screenshot: What to Certify - Identity Certification]

 

Option 3: Advanced Certification

 

This last option is similar to Option 2. After running the Identity Search, instead of pressing the "Schedule Certification" button, select "Save Identities as Population" from the drop-down.

[Screenshot: Advanced Analytics]

Now in the Certification Tab, in the "New Certification" dropdown select "Advanced".

 

In the "What to Certify" section, select the Population that you just created and set a default certifier.  Then under included applications select the name of your Active Directory application.

[Screenshot: What to Certify - Advanced Certification]

 

On the last page of the Certification Wizard, set the exclusion rule as you did in Options 1 and 2. In addition, set the "Pre-delegation Rule" to "Manager Delegation Rule". This rule reassigns each identity's certification to the appropriate manager (falling back to the manager's manager when the manager is inactive):

[Screenshot: Pre-delegation Rule]

 

import sailpoint.object.Identity;
import java.util.Map;
import java.util.HashMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

// Log category name is arbitrary; chosen to match the exclusion rule's convention
private Log logger = LogFactory.getLog("rule.ManagerDelegation");

// Rule inputs supplied by IdentityIQ: context, entity (the CertificationEntity being delegated)
Map results = null;

String idName = entity.getIdentity();
Identity identity = context.getObject(Identity.class, idName);
Identity recip = null;

if (identity != null) {
  Identity manager = identity.getManager();

  if (manager != null && !manager.isInactive()) {
    recip = manager;
  }
  else if (manager != null) {
    // Manager is inactive: fall back to the manager's manager
    Identity indManager = manager.getManager();
    if (indManager != null) {
      recip = indManager;
    }
  }
  else {
    logger.debug("Manager is null for " + idName);
  }
}
else {
  logger.debug("Identity not found: " + idName);
}

// Returning null leaves the entity with the default certifier
if (recip != null) {
  results = new HashMap();
  results.put("recipient", recip);
  results.put("reassign", true);
  results.put("description", "Please certify " + identity.getDisplayableName());
  results.put("comments", "Please determine the appropriate access for " + identity.getDisplayableName());
  results.put("certificationName", "Manager Access Review for " + recip.getDisplayableName());
}

return results;

 

Summary of results

So you might be wondering why you would choose one method over another. In testing, I found significant performance improvements for Option 2 and Option 3 over Option 1. For the Identity Certification and the Advanced Certification, the certification generated in roughly 4 seconds and excluded 169 entitlements. The Manager Certification, by contrast, took roughly 46 minutes to generate and excluded 2,007,133 entitlements. That was with "Enable Partitioning" checked for the Manager Certification and no other tasks running at the time.

 

The reason is that the Manager Certification has to cycle through every identity and exclude the users and entitlements that are not on the inclusion list. The Identity and Advanced Certifications only cycle through the users who are in the group you are certifying (in this test only 5 identities), so only the other Active Directory entitlements held by those 5 users need to be excluded.

 

Lastly, if you're trying to decide between the Identity Certification and the Advanced Certification, I generally lean towards the Advanced Certification because of its out-of-the-box (OOTB) reports. If you choose an Identity Certification, make sure to include a unique tag every time so you can run the OOTB "Access Review Decision Report" on that single certification.

 

Any and all feedback on the options is welcome. In the attached files, I've included a GroupDefinition and a Custom object file for 2 Active Directory groups to show how it would work for multiple groups.

 

P.S. Credit to Ross Shwarts who I may or may not have stolen parts of the code from.

Comments

I am trying to add multiple AD groups to be certified and tried option 1 but I had no success. Recommendations on creating a certification with multiple entitlements?

I have this question also.  

Version history
Revision #:
2 of 2
Last update:
‎Jul 19, 2023 04:47 PM