General ACM Flashcards
What does access to the backend database provide you?
Access to tables/columns that hold account, access and entitlement information.
What is the significance of more partitions?
It makes it easier later on to extend the space for a particular file system, e.g. the one used for the data collection files, or the ASM partition of Oracle. If everything is just one disk, it is harder to separate them out later. Also, an overflowing /tmp would eat up all the disk space that might be needed under /home/oracle/AveksaExportImportDir.
How are service accounts mapped?
Mapped to the app owner, auto-maintained, included as a review monitor, or taken out so that no one has to make a decision on it.
Conversion of CSV file
You can have a script coded that converts the file into CSV format, or you can manually create the CSV based on the config file contents.
If the application changes infrequently, it is probably not worth the effort of coding. The manual approach, however, doesn’t leave options open for provisioning down the road.
What is a strategy to use when you have to collect business descriptions for roles/entitlements and you have a lot of applications?
Collect the data, and report by who has access. Then decide who can report on the application. The majority of people with entitlements in a particular division or group should be the owner, or at least know the information regarding the entitlements.
How do you validate accounts after on-boarding?
First look at orphans: should the ones that pop up as orphans actually be orphans? Check accounts. Spot check orphans against user accounts, and look for service accounts. The person icon brings up the unified user list; if they don’t exist in the unified user list, they are most likely terminated.
Where should the run-book be placed?
The runbook should be placed in a central location and updates should be made there.
At what level should access reviews occur?
Access should be reviewed at the same level that it is provisioned and deprovisioned.
If admins grant and remove access at the group level, then groups are what you want to collect for access reviews
What type of demographic data supports Accounts?
Accounts are supported by access data about “What can the account do?”
What are the discrete packets of access that can be granted to or removed from an account within an application/system?
Entitlements
How are entitlements broken down?
Entitlements can be 1-part - “can update the customer table” or they can be 2-part “can update the customer table for Saturn Bank, but can only read the customer table for Jupiter Bank”.
In the latter scenario the entitlement actually has both a resource (Jupiter Bank) and an action (read). Both parts are needed to fully describe the access a user has.
Do all applications have entitlements?
True -
All applications have entitlements but that may NOT be the level at which administrators add and remove access to/from accounts.
Some applications come packaged with the ability to create Application-Level Roles. These are predefined bundles of entitlements.
Many times the application comes with a few roles built-in but also allows the app admins to create their own.
What is an Application-Level Role?
Application roles are a level of abstraction that allows the admin of a particular application to grant access more quickly and easily.
Instead of having to grant 10 or 30 granular Entitlements to 5000 users, they can bundle those 10 or 30 Entitlements into an A-L Role and simply grant the 1 role to each user.
What are Groups?
Groups are bundles of entitlements, like Application-Level Roles, but unlike A-L Roles they can cross multiple applications.
Typically groups are found in systems that already touch multiple applications like:
- Mainframes (using RACF, ACF2, Top Secret)
- Midrange (like AS/400 or I-series)
- Active Directory
- eDir and other Directories
What are Roles (RBAC Roles or Job/Functional Roles)?
Roles that are not based on any account, but rather on the identity information for a user. They may be based on a job title, a job code, or combinations of fields that are all part of the user’s Identity record.
They are more complex to set up and maintain than other access abstractions, but they generate a lot of value when implemented correctly.
Job/Functional Roles do not physically exist in the target applications or systems.