General IAM Flashcards
Access Provisioning
Review how access is provisioned in the application and decide if you are going to collect access as an app role or entitlement
Rules about Rules
Not all rules are good rules
You shouldn’t have a rule unless you plan to do something about violators
Access Review
Review access at the same level it is commonly provisioned and de-provisioned
Output of Access Recertification
A list of removals is the only output
Mining for roles
Works once access has been cleared up through reviews
What type of system is required when access is collected as a granular entitlement?
The system requires a two-part pair of attributes: Resource and Action. It is assumed that both fields are present in your source data and that they are coupled together, like:
Resource - Action
Group A - READ
Customer 123 - ADMIN
If you are collecting granular entitlements, which two fields must be populated in your collector?
The Resource and Action field. The entitlement displayed in a review will show a colon between the two
e.g. Customer BigMart : Update
With granular entitlements, if there is no action, what are two common population tricks?
1. Populate the action field with a “Y” or “Yes”
2. Collect the resource as an application role
What are additional uses of ACM?
- Enforcing policies
- Licencing
- Monitoring
- Fraud investigation evidence
- App usage and reduction strategies
- Monitoring requests/approval routines
Which attributes should we capture?
- Attributes that would help an access reviewer make solid keep/remove decisions
- Ones that help with sorting
- Access needed to restrict forms
How does ACM view active and inactive identities?
ACM doesn’t care if identities are active or terminated at the company, but whether they are being collected or filtered out.
How many distinct processes occur in ACM?
2 (Identity and Target collections). These processes run independently, and the logic used in one does not affect the logic used in the other.
Can logic or values from the IDC be used to filter, sort, or populate data in a target collector?
No - logic or values from the IDC cannot be used to filter, sort, or populate data in a target collector
What is the only required field in the Account collectors?
Account ID/Name, all others are optional but desired
With Account collectors what benefit is gained from collecting the name, last login date, and type of account flag?
Name - assist in resolving orphan accounts
Last Login - helps reviewers with their maintain/revoke decision process
Account Flag - can later filter out reviews or ensure certain types of accounts aren’t deleted
What are the 5 R’s and an F of Access Management?
Reviews, Requests, Roles, Reports, Rules, and Fulfillment
What is the impact of running an Aveksa review?
It depends on configured fulfillment method for the application where the revoke is selected.
If the app is set to auto-provisioning then a revoke will wipe it out.
How are terminated users handled?
Terminated users should be flagged as terminated. The SQL query can be set to skip older terminated users and not collect them. If an identity was collected yesterday and skipped today, it will be stamped with a last-seen-on date and becomes inactive. Inactive identities don’t count against licensing.
What is supplied in a Soft appliance configuration?
RSA Aveksa supplies the RSA Aveksa software, the JRE, and the JBOSS application server. The Oracle database may be supplied by RSA Aveksa or by the customer, at the customer’s choosing. The customer is responsible for supplying the hardware, the operating system, and optionally VMware.
What are the components that make up an ACM installation?
- Aveksa software
- JDK 1.6.0
- Oracle Database 11.2.0.3
- App Server: JBOSS, WebLogic 11g, or WebSphere 7.0
- Red Hat version 5
What are the 4 dimensions of data collected to represent user entitlement information and complete basic access recertifications?
Identity Data
Account Data
Entitlement data
Managed Data
What is necessary to create a complete record for users in order to sync records properly?
A common unique field, such as user ID or email address
What does Account data represent?
The specific accounts in each target system for which you want to collect entitlements and perform certifications.
What does Entitlement Data represent?
All of the specific rights or access granted to each account within your target system. You want to capture all entitlements that grant access to a resource and can be added to or removed from an account.
What are the 3 dimensions in ACM that illustrate how entitlement data can be captured, populated, and represented in ACM?
Application Role, Resource, and Action. Entitlements are represented by an App role or Resource/Action Pair
How do custom attributes benefit collected data?
Custom attributes can be added to the 3 dimensions of data to enrich collected data; these attributes can be collected or manually populated
What are the two types of certifications that can be generated?
User Access Review and Group Definition Review
What is the function of a User Access Review?
A User Access review will combine the data types previously mentioned and give reviewers the ability to:
- Maintain or revoke the entitlements assigned to a user account
- Maintain or revoke the user groups an account is a member of
What is the function of a Group Definition Review?
A Group Definition review will combine the data types previously mentioned and give reviewers the ability to:
- Maintain or revoke group memberships
- Maintain or revoke the entitlements assigned to a user group
What is the Top Down Approach to Role Creation?
Business Roles are created which are tied to business processes, organizational structure, HR data, etc.
What is the Bottom-Up Approach to Role Creation?
Technical roles are created which are independent of the organization and combine like entitlements/functions at the application level
What are the 4 dimensions of data needed to create and manage roles and complete related access certifications?
Business Roles
Identity Data
Technical Roles
Managed Data
What are business rules based on?
Business processes, identity data, membership rules. They can be manually created or collected from existing sources
What are Identity Counts based on?
Based on the number of unique IDs being read into ACM.
If users have more than one unique ID – then there will be more than one identity being counted
If you do not filter out non-human accounts as identities (conference rooms, servers, etc.), they will be included in the identity count
If you do not filter out terminated users – they will be included in the identity count
What happens when someone leaves or is terminated?
If we are filtering out terminated users, the second time we collect data it will not bring the terminated user in. ACM sees that the person was collected one day but not collected the next day, and the system marks them as inactive. They no longer count towards your active identities or license total.
What is the Account ID/Name field in CSV files used for?
It is required to connect the entitlement collector to the account collector
If an account has more than one role or entitlement, how should they be represented in the CSV file?
They should be captured on separate rows
Which fields should you bring in for Identity Collections?
Only fields that support rule automation, support reviewers, support reports. Any other fields pollute your database, make collections take longer and increase the opportunities for data integrity issues.
Logic or values from Identity collectors in target collectors
Logic or values from identity collectors can’t be used to filter, sort, or populate data in a target collector
What is the only required field in the account collector?
The Account ID/Name field is the only required field. This is used to link back to the Entitlements
How does the Last Login field help reviewers to make good decisions?
If someone hasn’t logged in for a while, it is probably safe to remove their access.
How is the Type of Account Flag used?
This flag can be used to filter certain accounts out of reviews and to ensure they won’t get deleted (service, system, training, and shared accounts). Usually added as a managed attribute.
Why is the Entitlement Risk Level attribute a common attribute?
It is used for filtering and running reviews on high risk items more frequently, usually a managed attribute.
How can knowing a little bit about the data assist with running your IAM program?
It helps to identify trends. Example: resolving an orphan account for a client system app where several accounts have Smith as the last name. If you know the app is the client system, that knowledge helps you narrow down the orphan account more quickly rather than going through multiple applications.
- In one app they dump everyone every quarter and make people reapply for access
- For auditors, an access review is not required there because this happens every quarter