Checkbox | Code (XML Key) | Description |
---|---|---|
Optional filter string ... | filter | Filter string to limit users |
Optional list of group or population ... | filterGroups | Groups or Populations to only refresh |
Refresh identities whose last refresh date is before ... | thresholdDate | Threshold date for refresh |
Refresh identities whose last refresh date is at least ... | excludeWindow | Exclude window |
Refresh identities whose last refresh date is within ... | includeWindow | Include window |
Include modified identities ... | includeWindowModified | Include modified identities in the window |
Refresh only identities marked ... | filterNeedsRefresh | Only include identities marked as needing refresh after aggregation |
Do not reset the needing refresh ... | noResetNeedsRefresh | Does not reset the needsRefresh flag |
Exclude identities marked inactive | excludeInactive | Do not refresh inactive identities |
Refresh identity attributes | promoteAttributes | Compute identity attributes |
Refresh Identity Entitlements ... | refreshIdentityEntitlements | Update IdentityEntitlement objects |
Refresh Manager status | refreshManagerStatus | Refresh managers |
Refresh assigned, detected roles ... | correlateEntitlements | |
Provision assignments | provision | Add or remove entitlements when IT roles are assigned or de-assigned |
Disable deprovisioning of deassigned roles | noRoleDeprovisioning | When a role is removed, leave the entitlements |
Refresh role metadata for ... | refreshRoleMetadata | Refresh stats on all roles |
Enable manual account selection | enableManualAccountSelection | If a user has multiple accounts send work item to choose |
Synchronize attributes | synchronizeAttributes | Write identity attributes to targets |
Refresh the identity risk scorecards | refreshScorecard | Refresh just the identity portion |
Maintain identity histories | checkHistory | Save Identity History for debugging |
Refresh the group scorecards | refreshGroups | Refresh just the group portion |
Clean up groups definitions that are ... | deleteDormantGroups | Delete if no members |
Check active policies | checkPolicies | Forensic check of policies |
Keep previous violations | keepInactiveViolations | Do not delete violations |
Comma separated list of Policy Names | policies | Specific policies to check |
Refresh assigned scope | correlateScope | Refresh all scopes on the user |
Disable auto creation of scopes | noAutoCreateScopes | Do not assign scopes to the users |
Mark dormant scopes | markDormantScopes | Empty scope marked for reference |
Process events | processTriggers | Evaluate rules to trigger a response |
Disable Identity Processing Threshold | disableIdentityProcessingThreshold | Ignore threshold. |
Refresh logical application links | refreshCompositeApplications | Update composite applications |
Promote managed attributes | promoteManagedAttributes | Update entitlements if active |
Number of refresh threads | refreshThreads | Number of refresh threads |
Always launch the workflow | forceWorkflow | Launch a workflow each refresh |
Enable the generation of work items | doManualActions | Generate work items for unmanaged applications |
Disable connector lookup of managers | disableManagerLookup | Do not seek out manager, do not save if found |
Enable partitioning | enablePartitioning | Enable partitioning |
Number of partitions | partitions | Number of partitions |
Loss limit | lossLimit | Users re-refreshed on |
Do not schedule retry requests ... | noMaintenanceWindowRetry | Do not allow retries during maintenance window. |
Keith Smith's Blog - IDM, Engineering, etc.
Thanks for viewing my blog on Identity Management and Engineering (mostly IDM). Please follow and check out the advertisers.
Search This Blog
Friday, February 23, 2024
Programmatic Options for Identity Refresh
When running an identity refresh you have to feed a Map of values. This listing shows the names and the checkboxes it checks on the UI.
Friday, October 27, 2023
SailPoint reverse tokenization challenge
SailPoint's original XML Exporter was released with the Standard Services Build (SSB) in Java code, so that if users needed to customize it they could. I ran into several issues with the original code that I published on Compass to fix:
This was in 2018. After that I tackled the issue of reverse tokenization because the XML Exporter used a simple text replace and the IIQDA used an XPath method. I incorporated the XPath reverse tokenization into the XML Exporter java source and deployed that to several clients.
SailPoint has since taken, those concepts and made some of those features in their XML Exporter Plugin. At the same time, I also developed my own plugin from my original code and have expanded it.
But on a particular client, I realized that there are times when a simple replace reverse tokenization is needed. This is needed in two places: 1) When java code is tokenized, which the XPath cannot reach, a simple substitution is needed. 2) In IT roles inside the Profiles, there is no way you can adequately describe every XML element's XPath to tokenize the entitlements inside those profiles. This is required for roles that reference an LDAP domain. You want to have the LDAP Domain tokenized. Hence was my first challenge.
To accomplish this, I reactivated the simple reverse tokenization of the original code, which I had literally just coded around, and added a second file called the simple reverse tokenization file. Reading in that file would cause all of the code to have a simple replace operation on it.
One challenge on this is that the original code expected the tokens to be described like this:
%%TOKEN%%=Pattern
this is backwards and prevents the ability to have multiple patterns reverse tokenize to the same value, so I added the ability to have the tokens in the correct pattern like this:
Pattern1=%%TOKEN%%
Pattern2=%%TOKEN%%
This allows both patterns to create the same token, for example:
dc=example,dc=com=%%AD_DOMAIN%%
dc=test,dc=local=%%AD_DOMAIN%%
To solve this I wrote the following code:
/**
* Comb through to see if there is a match
*/
private String combAllCasePatterns(String word, String token, String replaceIn) {
log.debug("XML-400 Trying "+word+" on "+replaceIn);
String replaceOut=replaceIn;
word = word.toLowerCase();
long combinations = 1L << word.length();
for (long i = 0L; i < combinations; i++) {
char[] result = word.toCharArray();
for (int j = 0; j < word.length(); j++) {
if (((i >> j) & 1) == 1 ) {
result[j] = Character.toUpperCase(word.charAt(j));
}
}
log.debug("XML-400 Trying combination "+i+" of "+combinations+" :"+new String(result));
replaceOut=replaceIn.replace(new String(result), token);
if(!replaceOut.equals(replaceIn)) return replaceOut;
}
return replaceOut;
}
Credit to java - Finding all upper/lower case combinations of a word - Code Review Stack Exchange for the start of the comb method. That code actually wasn't 100% correct but I got it to work.
But then here is the real challenge: what if the data looks like this:
<String>CN=Employee,OU=Example Users,DC=example,DC=com</String>
When you are doing an xml.replace("dc=example,dc=com","%%AD_DOMAIN%%") there is no way to do a case insensitive replace, unless you want to translate the search string to regex.
In order to tokenize any capitalization version of the key, you literally have to try every combination of upper and lower case letters.
Do you see an issue here? The longer the search string the longer the computation - a 20 character value would take over a million computations. Also there is another complication - there are often non-alphabetics in the search string. In the example which has a 17 character string, only 14 of the characters are alphabetic. If you can remove those 3 non-alphabetic characters, then you can reduce the iteration from 131,072 to 16,384 iterations. Here is my logic to accomplish that:
/**
* Comb through to see if there is a match
*/
private String combAllCasePatterns(String wordIn, String token, String replaceIn) {
log.debug("XML-400 Trying "+wordIn+" on "+replaceIn);
String replaceOut=replaceIn;
String word=wordIn;
int wordlen=word.length();
log.debug("XML-401 word length is "+wordlen);
byte[] wordchars=word.getBytes(StandardCharsets.UTF_8);
byte[] packedchars=new byte[wordlen];
boolean[] isalphachar=new boolean[wordlen];
int packedlen=0;
for(int ipack=0; ipack<wordlen; ++ipack) {
byte chb=wordchars[ipack];
if((chb>=65 && chb<=90) || (chb>=97 && chb<=122)) {
packedchars[packedlen]=chb;
isalphachar[ipack]=true;
packedlen++;
}
else {
isalphachar[ipack]=false;
}
}
byte[] newpack=new byte[packedlen];
for(int ipack=0; ipack<packedlen; ++ipack) {
newpack[ipack]=packedchars[ipack];
}
word = new String(newpack, StandardCharsets.US_ASCII);
log.debug("XML-402 word length after removing non-letters:"+packedlen);
log.debug("XML-403 word after removing non-letters:"+word);
word = word.toLowerCase();
long combinations = 1L << word.length();
for (long i = 0L; i < combinations; i++) {
char[] result = word.toCharArray();
for (int j = 0; j < word.length(); j++) {
if (((i >> j) & 1) == 1 ) {
result[j] = Character.toUpperCase(word.charAt(j));
}
}
log.debug("XML-404 Trying combination "+i+" of "+combinations
+" :"+new String(result));
// Rebuild the word from the packed characters
packedlen=0;
for(int ipack=0; ipack<wordlen; ++ipack) {
if(isalphachar[ipack]) {
packedchars[ipack]=(byte)(result[packedlen]);
packedlen++;
}
else {
packedchars[ipack]=wordchars[ipack];
}
}
log.debug("XML-405 Trying combination "+i+" of "+combinations
+" :"+new String(packedchars,StandardCharsets.US_ASCII));
replaceOut=replaceIn.replace(new String(packedchars,StandardCharsets.US_ASCII), token);
// Stop on any replace
if(!replaceOut.equals(replaceIn)) return replaceOut;
}
return replaceOut;
}
This accomplishes the task. Challenge solved. Oh, in order to trigger the case insensitive replace I made the user add an extra % to the token, and caution the user to use the smallest search string and only apply to IT roles or whatever particular code you wish it on, or the computation time can be excessive.
Subscribe to:
Posts (Atom)