PSA: Generic Cloud Rule now called Transform Rule

Hi Folks,

It’s been a while since my last post, but I have an important update for you all.

Public Service Announcement (PSA):

The latest release of Rule Validator 3.0.38 introduces a new enforcement: all rule types must now include a tag. If you attempt to run your previous Generic Rule against this validator, you’ll encounter the following error:

To resolve this, you need to make two simple changes to your rule:

1. Add a type to your rule tag:

Update your rule tag:

2. Rename your file:

Change the filename:

That’s it! Your rule should now pass the validator without any issues.

Note:

• This change does not affect the functionality of your rule. Your rule logic will continue to work as before.
• If you edit an existing Generic rule in your tenant and submit it, you must change it to the Transform type as described above; otherwise, it will not pass the latest rule validator.
• The rule documentation will be updated soon to reflect these changes.
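As an added check (constructed for this post, not the Rule Validator itself), here is a small Python snippet that inspects a cloud rule file for the type attribute the new validator requires and rewrites an untyped or Generic root tag as a Transform rule. It assumes the usual <Rule name="..." type="..."> root element of a cloud rule file; the file rename step is not covered.

```python
import xml.etree.ElementTree as ET

# Constructed example, not the Rule Validator itself. Assumes a cloud rule
# file whose root element is <Rule name="..." type="...">; the Generic rules
# affected by this PSA were written without the type attribute.
OLD_TYPE = "Generic"
NEW_TYPE = "Transform"

def check_rule_xml(xml_text: str) -> list:
    """Return a list of problems with the <Rule> tag; empty means it passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "Rule":
        return [f"root element is <{root.tag}>, expected <Rule>"]
    problems = []
    rule_type = root.get("type")
    if rule_type is None:
        problems.append("<Rule> has no type attribute (rejected by validator 3.0.38)")
    elif rule_type == OLD_TYPE:
        problems.append(f"type {OLD_TYPE!r} is now {NEW_TYPE!r}")
    return problems

def migrate_rule_xml(xml_text: str) -> str:
    """Rewrite an untyped or Generic <Rule> as a Transform rule; the rule body
    (<Source> and anything else inside the tag) is left untouched."""
    root = ET.fromstring(xml_text)
    if root.tag == "Rule" and root.get("type") in (None, OLD_TYPE):
        root.set("type", NEW_TYPE)
    return ET.tostring(root, encoding="unicode")
```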

Thank you for your attention, and happy coding!

Fix DNS issue for Domains ending with .local and SailPoint VA

So I came across a client who has a domain ending with .local and stumbled across a weird issue with our SailPoint Linux VAs.

Now, I am no DNS / Linux expert and I am not saying that you will have this issue if you have a .local domain. So YMMV.

The VA could do an nslookup on the domain but couldn’t do ping / openssl and other such commands. Thus it couldn’t connect to the server via domain name, SSL verification broke and the connector didn’t work.

For example, the AD domain was called “abc.local” and after the VA setup, it could do an nslookup but couldn’t run the openssl command. That means the connector couldn’t connect via the domain name and verify the SSL certificate. The workaround was to connect via IP address, but then the certificate didn’t contain the IP address and thus the SSL config didn’t work. This also affected all other servers we need to connect to which are domain joined and have .local at the end.

After doing some research, I found many articles which pointed to the /etc/nsswitch.conf file and one particular line:

hosts: files usrfiles resolve [!UNAVAIL=return] myhostname dns

This line needs to be changed to the following (remove [!UNAVAIL=return]):

hosts: files usrfiles resolve myhostname dns

I won’t go into details on why and what it does – there are plenty of articles explaining DNS and Linux interactions – I am no expert on this.
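As an added check (constructed for this post, not SailPoint’s fix script, which is not reproduced here), here is a Python snippet that audits a copy of nsswitch.conf for the [!UNAVAIL=return] action on the hosts line and produces the corrected file contents. It assumes you have copied the file off the VA; it writes nothing back.

```python
import re

# Constructed example, not SailPoint's fix script: audit a COPY of
# /etc/nsswitch.conf for the "[!UNAVAIL=return]" action on the hosts line and
# produce the corrected contents. Nothing is written back to the VA.
# Why it matters: the "resolve" module (systemd-resolved) treats .local as an
# mDNS domain and answers NOTFOUND itself, and "[!UNAVAIL=return]" ends the
# lookup on any status other than UNAVAIL, so the "dns" module after it is
# never consulted. nslookup still works because it queries the DNS server
# directly and bypasses NSS altogether.

ACTION = re.compile(r"\s*\[!UNAVAIL=return\]")

def hosts_line(conf_text: str):
    """Return the 'hosts:' line of an nsswitch.conf, or None if absent."""
    for line in conf_text.splitlines():
        if line.startswith("hosts:"):
            return line
    return None

def needs_fix(conf_text: str) -> bool:
    """True if the hosts line still carries the [!UNAVAIL=return] action."""
    line = hosts_line(conf_text)
    return line is not None and ACTION.search(line) is not None

def fixed_conf(conf_text: str) -> str:
    """Return the whole file with the action stripped from the hosts line;
    every other line is passed through unchanged."""
    out = []
    for line in conf_text.splitlines():
        if line.startswith("hosts:"):
            line = ACTION.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample of the VA's file (only the relevant lines).
SAMPLE = "passwd: files\nhosts: files usrfiles resolve [!UNAVAIL=return] myhostname dns\n"
```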

Now previously we couldn’t edit the file directly in our VA due to the locked down nature of it. So I worked with our internal team and have finally got a fix out if you are in this situation.

For this to work the charon version needs to be at least 1624. You can check your charon version by running the following command:

sudo docker images | grep charon

Note: If you don’t have that version yet, don’t worry – it will get rolled out per standard updates in the coming months.

Fix

Run the following commands:

To revert the changes:

That should re-create the original symlink.

NOTE: A wrong edit to this file can cause a DOS (denial of service) on the VA. So please be careful: test it in SB before any prod implementation, and have direct access to the VA so you can restore the file if needed.

SailPoint Developer Days 2023 Session Video

Hey Folks

As you may be aware, I gave a presentation at SailPoint Developer Days 2023 on IDN Admin Console.

The video link is up. I hurried it a bit, so I missed some features and it probably came out bad and rushed.

All links for the event

Let me know what you think…

Pet Project: IDN Admin Console

Hi All

This has been a long time coming!!! It has been my personal goal to drive this and to get help to build something for the community. Thanks to the great internal support, this vision is finally coming true for me!!!

I am not a coder and definitely have zero knowledge of Angular. I have just been looking at and improvising on some existing code after building a framework with someone who had the know-how. I have had a great support team to help build it with me. Weekends, nights.. all sweat and blood 🙂

NOTE: This application is not developed, maintained or supported by SailPoint. It is built and based on a community effort. We are hoping people will contribute and help it grow.

About the tool

The goal of this project was to lessen the pain we saw in the field during deployment and go-live, and the pain clients experience during daily operations. I also wanted to drive the goal of a GUI model for easy and codeless interaction for end users for some basic tasks.

GitHub Repo: https://github.com/piyush-khandelwal-sp/idn-admin-console

SailPoint Developer Community Post: https://developer.sailpoint.com/discuss/t/tool-idn-admin-console/4688

Goal

In an ideal world, I wish we had dedicated time and knowledge on how to keep building on this but…

We are looking for (the list is not exhaustive):

• Help from the internal and external community if they are interested in spreading the word
• Help from the keen internal and external community to help us build more features and extend existing ones.
• GitHub and Actions know-how to help with management and auto build / deploy / version et al
• Help us make the Angular framework better and plug holes if any.
• Help us enhance it (pagination, current build documentation / standardizing and refactoring code et al .. the list is endless)
• Testing, finding, reporting and hopefully helping fix bugs – we are bound to find a lot of issues to begin with as it’s very new and not many people have used it. Please use it in a sandbox environment first.
• Looking for contributors for the repo to help us set it up properly

Features

The current feature list is:

• Find Multiple Accounts in source and download report
• Sources
  • Bulk Manage Aggregation Schedules (enable / disable / backup and restore accounts & entitlement)
  • Bulk Manage Source Owners
  • Bulk Run Aggregations (unoptimized/file upload)
• Rules
  • Download Cloud Rules
  • Manage Connector Rules (Add / update / delete / download)
• Roles
  • Bulk Manage Roles (Enable/disable/mark unmark as requestable/delete)
  • Bulk Manage Source Owners
• Misc
  • Check and Set Org Time

Screenshots

Technical

It is an Angular app using Electron to build for various environments. There is some technical how-to in the readme file. Currently hosted on a GitHub repo and open source under the MIT license.

I really hope this tool helps you in some way; feel free to enhance it and spread the word!!!

Till the next time…

How to attach a rule in IdentityNow #IDN101

Happy New Year Folks!!!

Hopefully this year is better than the previous one and, as always.. stay safe!!!

Anyone who has worked with IDN will have used or encountered rules. They are widely used and an inevitable component of any deployment to achieve your requirements. So you must be well aware that no client or partner, and in fact most of internal SailPoint PS/ES, has access to deploy their rules to their tenants. These rules are reviewed by a specialist team within ES and they upload them to the tenant. There are some very good reasons for doing so due to the SaaS nature of our product and the IDN architecture.

There is a lot of work being done to reduce the dependency on rules and also a lot in the pipeline to make this process simpler. This also increases our own workload on tickets, review and deployment, and we want to reduce it too, as IDN has exploded into the world in the past few years and new tenants are onboarding every day.

Current Process of Rule upload

• Send it to SailPoint as an ES ticket. Support will forward it to ES if not, as rule review is a billable task.
• Rule review is done and the rule is uploaded to the tenant.
• Ticket is responded to and closed after confirmation.

To make this process faster and seamless, do follow some best practices:

• Read the whole rule guide.
• Run the rule validator and send us its output.
• Make sure the naming convention is followed for the rule names.
• Best to keep the same structure and formatting of code so it’s easy for us to see the difference in git.

Once the rule has been uploaded to your tenant, there might be a need for additional steps to attach the rule to your source (depending on the type of rule). For some of the rules (mentioned below) you will need the RuleID to attach it to your source. Please ask the ES person for it if not already given. It will be a long random GUID. We use Postman to execute the API calls but feel free to use your client of choice.

There is a great guide written internally by Neil McGlennon but I am expanding on it.

A few common things are found below:

• {ruleID}: This is the rule ID generated after the rule is uploaded to your tenant. Ask ES for it if not given already.
• {Rule Name}: This is the name of your rule.
• {id}: This is the externalID of the source you want to attach it to. It is a long GUID and NOT the shortID found in the URL. You can obtain it by a few different methods but the simplest is by doing a GET /cc/api/source/get/{shortSourceID} where “shortSourceID” is the ID of the source found in the URL when clicking on it in the tenant.
• All the API calls use https://{tenantname}.api.identitynow.com/ as the URL (before /beta/…)
• All of these examples use a PATCH for a partial source update; however PUT operations will work too, as long as the entire source object model is provided.
• For the PATCH operations, an op key has to be provided. For new configurations this is typically set to add as our example shows, however it can be any of the following:
  • add – Add a new value to the configuration. Use this operation if this is the first time you are setting the value, i.e. it has never been configured before.
  • replace – Use this operation to change the existing value. Use this operation if you are updating the value, i.e. you want to change the configuration.
  • remove – Removes a value from the configuration. Use this operation if you want to unset a value.

Beware! Removals can be destructive if the path isn’t configured properly. This could negatively alter your source config!
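As an added example (constructed for this post, not SailPoint’s own code), here is a Python dry-run that applies the add / replace / remove semantics above to a local copy of the source object before you send the PATCH, so a mistyped path is caught on your machine rather than in the tenant. The rule reference shape ({"type": "RULE", "id": ..., "name": ...}) and the /beta/sources/{id} PATCH target are assumptions to confirm against the rule guide; the sample source object and paths in the usage are constructed placeholders.

```python
import json

# Constructed example, not SailPoint's own code: dry-run the PATCH ops the post
# describes (add / replace / remove) against a local copy of the source object,
# so a mistyped path is caught before anything reaches the tenant.

def patch_url(tenant: str, source_id: str) -> str:
    """PATCH target /beta/sources/{id}; {id} is the source externalId (long GUID)."""
    return f"https://{tenant}.api.identitynow.com/beta/sources/{source_id}"

def rule_ref(rule_id: str, rule_name: str) -> dict:
    """Assumed shape of a rule reference value; confirm it against the rule guide."""
    return {"type": "RULE", "id": rule_id, "name": rule_name}

def _is_rule_setting(value) -> bool:
    # Only a rule reference or a bare rule name may be removed; refusing anything
    # else stops a wrong path from wiping a whole subtree of the source config.
    return isinstance(value, str) or (isinstance(value, dict) and value.get("type") == "RULE")

def dry_run_patch(source: dict, ops: list) -> dict:
    """Apply ops to a deep copy of source with the post's semantics:
    add = first-time set, replace = change an existing value, remove = unset."""
    work = json.loads(json.dumps(source))
    for op in ops:
        tokens = op["path"].strip("/").split("/")  # plain JSON pointer, no ~ escapes
        parent = work
        for t in tokens[:-1]:
            if not isinstance(parent, dict) or t not in parent:
                raise ValueError(f"{op['path']}: component {t!r} not found")
            parent = parent[t]
        key = tokens[-1]
        if not isinstance(parent, dict):
            raise ValueError(f"{op['path']}: parent is not an object")
        exists = key in parent
        if op["op"] == "add":
            if exists:
                raise ValueError(f"{op['path']} is already set; use replace")
            parent[key] = op["value"]
        elif op["op"] == "replace":
            if not exists:
                raise ValueError(f"{op['path']} is not set; use add")
            parent[key] = op["value"]
        elif op["op"] == "remove":
            if not exists or not _is_rule_setting(parent[key]):
                raise ValueError(f"refusing remove on {op['path']}")
            del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return work
```

Run dry_run_patch on a GET copy of your source with the exact op list you intend to PATCH; if it raises, fix the path or the op before touching the tenant.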

Identity Attribute Rule

This rule doesn’t need to be attached via API as it can be seen via the UI under Attribute Mappings.

Account Profile Attribute Generator

This rule doesn’t need to be attached via API as it can be seen via the UI under Create Profile for any source which has one.

Account Profile Attribute Generator (from Template)

This rule doesn’t need to be attached via API as it can be seen via the UI under Create Profile for any source which has one (as above).

Correlation Rule
Manager Correlation Rule
Before Provisioning Rule
AfterCreate, AfterModify, AfterDelete, BeforeCreate, BeforeModify, BeforeDelete Rules
Build Map Rule
JDBC Provisioning Rule
WebServiceBeforeOperation Rule
WebServiceAfterOperation Rule

Once any of these rules is attached, it’s ready for use immediately by the source or profile.

Hopefully this covers all rule types. If you have any issues with attaching a rule in your tenant, please feel free to reach out to me or to the Support / ES team.