
SailPoint IIQ: Rule Modeling in Real Java :-)

I’ve been sitting on this article and concept for months and have had others ask me about it via email — whether I’ve ever done something like this before — and well… here it is.

Tired of No BeanShell Coding Validation!

It turns out I was sitting in my hotel room in Bangalore on India's Independence Day last year, whacking away at some client code, doing some data modeling using CSV. I had a somewhat involved BuildMap rule I was working on and I was getting a null pointer exception I simply could not find. A few hours later, once the one simple coding mistake was discovered, I was finally on my way. But it was discouraging to know that if I had been coding in Eclipse, the mistake would have been spotted immediately.

The next thought I had was two-fold. I have at times written test harnesses in real Java using the Sailpoint IIQ Java libraries (i.e. the jars) and dropped my BeanShell code into methods to instantly validate the syntax; I have also wanted, at some point, to be able to simulate or partially simulate rule modeling and data modeling outside of Sailpoint IIQ, using Java I had complete control over writing and executing.

So on this particular day, being particularly irked, I decided to combine those two wishes and see what I could do about having a place I could not only drop, for instance, BuildMap rule code into Eclipse and instantly validate it, but also execute the code I intended for Sailpoint IIQ against connector sources I also had connected to Sailpoint IIQ (in development, of course!) and see and manipulate the results.

Once I was done iterating my development over a real dataset, I could take my validated Java code, drop it back into Sailpoint IIQ in BeanShell and have not only validated but also working code in Sailpoint IIQ with very little or no modification.

Establishing SailPoint Context

One thing you will need if you want to run your Java code in an actual Sailpoint IIQ context outside of Sailpoint IIQ proper is to establish a SailPointContext in your code. This, I will tell you, while not impossible, is not easy: you need to bootstrap the Spring Framework and a lot of other plumbing. If you are interested in doing this and have access to SailPoint Compass, you can read about establishing SailPointContext here4.

Since I didn't have time for that much work, I almost immediately decided to implement a partial simulation that would allow me to (1) model and validate my rule and (2) model my data very simply and easily, without establishing a SailPointContext. I could still achieve my goal of iterating the solution to produce validated, working code to drop back into Sailpoint IIQ.

The Code

Amazingly, the code for simulating a BuildMap rule, pointing it at the actual CSV I intend for Sailpoint IIQ, and simulating an account aggregation task is not that complex. Once you have the code, if you understand how Sailpoint IIQ works in general, you could conceivably re-engineer and simulate other segments of Sailpoint IIQ processing, or model other rule types and/or data, outside of Sailpoint IIQ1.
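As an added example (this is not the code from the original post, which continues past this excerpt, nor SailPoint's own code), here is a stand-alone Java harness along the lines described: a BuildMap-style rule body, a minimal CSV reader that plays the role of the DelimitedFile connector's iteration, and a loop that reports which row blew up instead of a bare NullPointerException. It assumes the rule receives the header names as `cols` and the current row as `record`, which is how the DelimitedFile BuildMap rule is usually described but should be verified against your IIQ version's rule documentation; the column names, the derived attributes and the sample CSV are all constructed. The rule body deliberately uses raw collection types, because BeanShell does not parse Java generics syntax, so that body can be pasted back into IIQ unchanged.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Stand-alone simulation of a DelimitedFile aggregation driving a BuildMap rule.
 * No SailPointContext and no IIQ jars: just the rule body and a CSV loop.
 * Added example, not code from the original post.
 */
public class BuildMapHarness {

    /**
     * The rule body, i.e. what eventually gets pasted into IIQ as BeanShell.
     * Assumption: the rule receives the header names as "cols" and the current
     * row's values as "record" (verify against your IIQ version's rule docs).
     * Raw types are deliberate: BeanShell does not accept generics.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public static Map buildMap(List cols, List record) {
        Map map = new HashMap();
        // Default column-to-value mapping; a short row leaves trailing columns null.
        for (int i = 0; i < cols.size(); i++) {
            map.put(cols.get(i), i < record.size() ? record.get(i) : null);
        }
        // Derived attribute. Null-guard every value: a missing or short column is
        // exactly the kind of thing that produces the NPE described above.
        String first = (String) map.get("firstName");
        String last = (String) map.get("lastName");
        String display = ((first == null) ? "" : first.trim()) + " " + ((last == null) ? "" : last.trim());
        map.put("displayName", display.trim());
        // Multi-valued attribute from a pipe-delimited column (constructed convention).
        String groups = (String) map.get("groups");
        List groupList = new ArrayList();
        if (groups != null && groups.length() > 0) {
            groupList.addAll(Arrays.asList(groups.split("\\|")));
        }
        map.put("groups", groupList);
        return map;
    }

    /** Minimal CSV split (no quoted fields); -1 keeps trailing empty fields so "a,b," is three values. */
    static List<String> split(String line) {
        return Arrays.asList(line.split(",", -1));
    }

    /**
     * Plays the connector's role: the first row gives the schema columns and every
     * later row goes through buildMap. A failing row is reported with its line
     * number rather than aborting the whole simulated aggregation.
     */
    @SuppressWarnings("rawtypes")
    public static List<Map> aggregate(BufferedReader in) throws IOException {
        List<Map> accounts = new ArrayList<Map>();
        String header = in.readLine();
        if (header == null) {
            return accounts;
        }
        List<String> cols = split(header);
        String line;
        int lineNo = 1;
        while ((line = in.readLine()) != null) {
            lineNo++;
            if (line.trim().length() == 0) {
                continue;
            }
            try {
                accounts.add(buildMap(cols, split(line)));
            } catch (RuntimeException e) {
                // In IIQ this would surface as an aggregation error with far less context.
                System.err.println("line " + lineNo + ": " + e);
            }
        }
        return accounts;
    }

    @SuppressWarnings("rawtypes")
    public static void main(String[] args) throws IOException {
        // Constructed sample; replace the StringReader with a FileReader on your real CSV.
        String csv = "userName,firstName,lastName,groups\n"
                   + "jdoe,John,Doe,admins|dev\n"
                   + "asmith,Alice,Smith,\n"
                   + "short,OnlyFirst\n";
        for (Map account : aggregate(new BufferedReader(new StringReader(csv)))) {
            System.out.println(account);
        }
    }
}
```

Run it in Eclipse against the real CSV, iterate on buildMap until every row comes out the way the application schema expects, then paste only the body of buildMap into the rule in IIQ. The third sample row is intentionally short so you can see the null handling exercised before the rule ever touches a production aggregation.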


Stupid SailPoint Developer Tricks

Hello, mates — as they say Down Under, where I happen to be at the moment on a rather large Sailpoint engagement. It’s been a while, and I’m sorry for that. I keep promising more, new and better content and haven’t delivered.

The last couple of months however have been absolutely crazy and there have been some changes on my end, as you perhaps can see. Now that things have shaped up a bit, maybe I can get back to the business at hand here on the blog, again as I have time.

Stupid Pet Tricks

When I was growing up and in college, a well-known comedian became famous (partly) for a segment on his show called “Stupid Pet Tricks.” Some were hilarious and some… belonged on the 1980s “Gong Show.” (If you’ve never heard of “The Gong Show,” trust me, you aren’t missing anything.)

Since that time, I’ve always thought of various developer tricks in the same light. Some are quite slick and useful and some… really just need to be buried. I’ll leave it to you to decide on this one.

Out of sheer laziness, while onboarding Sailpoint applications that feature a BuildMap rule (e.g. BuildMap, JDBCBuildMap, and SAPBuildMap), I sometimes use a method for “printing debug statements” that I can see directly and immediately in connectorDebug, without having to jump into or tail the Sailpoint IIQ log or application server logs.

It’s also a bit less verbose, since the Sailpoint IIQ logs typically carry a long class identification prefix, which gets cumbersome and makes it harder to pick out your intended debug output.

Plus I hate changing logging levels in log4j.properties even though the Sailpoint IIQ debug page allows me to load a new logging configuration dynamically. In short, I’m just a lazy, complaining type when it comes to Sailpoint IIQ debug statements.

Someone mentioned this would be worth blogging about, so here goes. (At the very least, this is an easy article to write and perhaps will get me back into the blogging swing?!)

__DEBUG__ Schema

Now, I would definitely recommend doing this only on a local or designated sandbox and then making sure you clean up before checking in your code. (You are using some form of source code control for your Sailpoint IIQ development, aren’t you?!)


SailPoint IIQ: Move Over, Rover

I’m getting ready to do some customer training on Sailpoint IIQ v6.0. Getting ready for the trip has been a good impetus to get my rear end in gear and get up to date. I’ve been running Sailpoint IIQ v5.5 “bare metal” on my MacBook Pro pretty much since Sailpoint IIQ v5.5 was released. I have procrastinated getting Sailpoint IIQ v6.0 installed on my laptop. (Mainly because I have Sailpoint IIQ v6.0p5 running in the mad scientist lab on ESXi accessible via VPN.)

Side By Side Approach

So, it was time to install Sailpoint IIQ v6.0, but… I didn’t want to obliterate my Sailpoint IIQ v5.5p6 installation; I have too many customizations, test applications and rules I don’t want to lose and still want to be able to run live. I’ve been running Sailpoint IIQ with a context root of /identityiq and with a MySQL database user of identityiq.

When I run multiple versions of Sailpoint IIQ side by side on the same machine, I’ve adopted the practice of running each installation as /iiqXY where XY is the version number. So I wanted to run /iiq55 and /iiq60 side by side from the same application server. (I could also take the approach of running multiple instances of application server and run one installation from one port, say 8080, and another from another port, say 8081.)

So how to “lift and load” the existing installation at /identityiq to /iiq55 without reinstalling everything and re-aggregating all my sources? Here’s what I did.

DISCLAIMER: I’m neither advocating nor de-advocating this. Do this at your own risk, especially if your environment differs from mine. I make no claims or warranty of any kind. This worked for me. If it helps you… great.

The Environment

Here was my environment:

Operating System: Mac OS X Mountain Lion v10.8.3
Application Server: Apache Tomcat v6.0.35
JRE: Java SE JRE (build 1.6.0_43-b01-447-11M4203) (64-bit)
SailPoint IIQ: SailPoint IIQ v5.5p6
IIQ Database: MySQL 5.5.15

Shut Everything Down

First, I shut everything down. This basically meant just spinning down the entire Tomcat application server. The command you might use and the location of your application server scripts may differ:

$ cd /Library/Apache/Tomcat6/bin
$ ./shutdown.sh



Oh Ye MacBook Pro Of Little Memory :-(

March 25th, 2013 | Posted in General, IdM Infrastructure, Tools

I’ve been a Mac user since 1993 and have always been extremely pleased with the platform in so many ways. Recently, Apple finally seems to be recognized in the consumer market as superior; I see Macs everywhere I go. And in the developer/power user arena, the Mac and Mac OS X are the absolute “cat’s meow,” especially if one is a JEE developer. I couldn’t do what I do in Identity Management for Qubera without my 15″ MacBook Pro. It just does what I want it to do, with no PC fuss or muss.

Apple’s Poor Memory Roadmap (IMO)

I’ve been disappointed however recently with one piece of the architecture: Apple’s maximum memory limits and their roadmap as it relates to upper memory limits on their non-Retina line of MacBook Pros. I feel it’s short sighted. (Even the new Retina MacBook Pros should max out at 32gb, not 16gb. Their memory footprints are just running behind the PCs at this point.) When I bought my MacBook Pro in early 2011, I laid out a lot of cash for this thing, and I instantly max’d the memory out at a {sarcasm}whopping{/sarcasm} 8gb, knowing I needed to run a lot of VMs, which Qubera uses for testing and support of customers.

Even more recently, after upgrading to Mountain Lion, I’ve pretty much bumped into the limit. I run a lot of stuff to do what I do in Identity Management, and I need it all open at once; Microsoft Word, Microsoft PowerPoint, Microsoft Excel, Google Chrome, Eclipse, emacs, Evernote, VMware Fusion and a Windows 7 VM (mainly for Visio, but also PC testing), Tomcat 6, MySQL, terminal windows galore, RDP sessions galore, calendaring, you name it. In recent weeks, I was beginning to despair a little bit. According to Apple, I had already max’d out my memory. 8gb just isn’t/wasn’t enough. What to do?!

Where Has All My Memory Gone?

I began trying to manage my memory better. I used Activity Monitor to watch my memory, and I learned a lot about what was eating it up. I didn’t realize I needed to treat just about every browser tab as its own application; there’s so much going on behind the scenes of every tab. I usually have a million tabs open too. But I need all this stuff open. I can’t be closing it down and losing context in my work.

I really needed a better solution. I began doing some research and in the end, I reached out to my good friends at The Chip Merchant for help. What I discovered was incredibly good news. Good enough news to document this in a blog entry.

8gb For i7-Based Macbook Pros Is NOT “The Max”!!

I’ve been using the guys at The Chip Merchant (in San Diego, CA) for over a decade. When it comes to memory, I know of no one better. These guys really know their stuff. I had a hunch that someone, somewhere HAD to be making an 8gb SODIMM that would fit the MacBook Pro. It turns out, after turning to The Chip Merchant, I was right.

If you go on Amazon and look for these memory SODIMMs, you’ll see they are available, but people are having mixed results with them per the reviews. I found out from The Chip Merchant that these are probably people running the i5-based MacBook Pro rather than the i7-based MacBook Pro, which is what I have. Crucial Memory makes an 8gb SODIMM that is stable and doesn’t over-heat in the i7-based MacBook Pros. For less than $150 to max my memory out at 16gb, it was a no brainer.

(The Chip Merchant really gave Crucial Memory the props as well — they said if Crucial Memory says it, you can book it. Something to remember when it comes to memory in the future.)

Ordering Information

So, there you have it. Despite what Apple indicates or recommends or states as the max for your i7-based MacBook Pro, Crucial Memory makes an 8gb SODIMM that fits and works — so 2x equals 16gb max. My life has been saved.

If you’re looking to upgrade your i7-based MacBook Pro to 16gb, give my friends over at The Chip Merchant a call. These 8gb SODIMMs are NOT in their online store at present, but they do have them and can get their hands on them. Worth every penny. Here is the item number from The Chip Merchant:

MEMCRL20413338G
CRUCIAL SODIMM DDR3 1333MHZ [8GB] 204P

Account rep. Devin Charters helped me with this. What a life-saver. :-) This probably extended the life of my MacBook Pro for another 3 years at least. Thanks The Chip Merchant!! Hope this helps someone else out there who is despairing as I was.


SailPoint IIQ: Aggregating XML

From an answer to a client this morning on aggregating XML in Sailpoint IIQ. I hope this helps others out there:

Regarding your question this morning on aggregating XML… I have seen XML aggregated through the OOTB RuleBasedFileParser connector. That connector requires that a rule be written to run the parser and through that, you could parse and aggregate XML. I mentioned this to one of our Solution Architects after our meeting and he was aware of the RuleBasedFileParser type, but personally felt it was enough work such that you may as well write a custom connector using libraries Java has available to handle XML.

I think between him and me, I would say the following:

(1) From an overall perspective, it’s technically possible using the RuleBasedFileParser connector to aggregate XML.

(2) There may need to be a discussion about the XML in consideration itself to determine the level of complexity of XML coming in, in which case:
(a)…The RuleBasedFileParser may be an adequate choice.
(b)…A custom connector for the XML may be in order.

One other approach could be:

(i) Use a DelimitedFile connector.
(ii) Write a pre-iterate rule leveraging the Java XML classes available to (a) read the XML and (b) create a CSV from the XML for the DelimitedFile connector to consume.
(iii) Use the post-iterate rule to clean up.
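As an added example (not the original post's or SailPoint's code), here is the XML-to-CSV step that option (ii) would call from a pre-iterate rule, written as plain Java. It walks one record element per account with the JDK's DOM parser, writes RFC 4180-quoted CSV so commas and quotes inside values survive the DelimitedFile parse, and, because the XML comes from a system you don't control, disables DTDs and external entities so a hostile export cannot be used for XXE or entity-expansion attacks. The element name, field names and sample document are constructed; exactly how the pre-iterate rule hands the generated file to the connector, and what the post-iterate rule deletes, depends on your IIQ version, so verify the rule arguments against its documentation.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Arrays;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Converts an XML export into CSV for a DelimitedFile connector.
 * Added example, not code from the original post.
 */
public class XmlToCsv {

    /** DOM parser with DTDs and external entities disabled; the export is untrusted input. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** RFC 4180 quoting: wrap in quotes when needed and double any embedded quote. */
    static String quote(String v) {
        if (v == null) {
            return "";
        }
        boolean needsQuotes = v.indexOf(',') >= 0 || v.indexOf('"') >= 0
                || v.indexOf('\n') >= 0 || v.indexOf('\r') >= 0;
        return needsQuotes ? "\"" + v.replace("\"", "\"\"") + "\"" : v;
    }

    /** Text of the first child element with the given name, or null if absent. */
    static String childText(Element rec, String name) {
        NodeList nl = rec.getElementsByTagName(name);
        return nl.getLength() == 0 ? null : nl.item(0).getTextContent();
    }

    /** Writes a header row plus one row per recordElement; column order is fixed by fields. */
    public static void convert(String xml, String recordElement, List<String> fields, Writer out)
            throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        StringBuilder sb = new StringBuilder();
        for (int j = 0; j < fields.size(); j++) {
            if (j > 0) {
                sb.append(',');
            }
            sb.append(quote(fields.get(j)));
        }
        sb.append('\n');
        NodeList records = doc.getElementsByTagName(recordElement);
        for (int i = 0; i < records.getLength(); i++) {
            Element rec = (Element) records.item(i);
            for (int j = 0; j < fields.size(); j++) {
                if (j > 0) {
                    sb.append(',');
                }
                // A missing element becomes an empty field, never a skipped column.
                sb.append(quote(childText(rec, fields.get(j))));
            }
            sb.append('\n');
        }
        out.write(sb.toString());
        out.flush();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample export; a pre-iterate rule would read the real file instead.
        String xml = "<users>"
                + "<user><id>jdoe</id><name>Doe, John</name><dept>IT</dept></user>"
                + "<user><id>asmith</id><name>Alice \"Ali\" Smith</name></user>"
                + "</users>";
        StringWriter csv = new StringWriter();
        convert(xml, "user", Arrays.asList("id", "name", "dept"), csv);
        System.out.print(csv);
    }
}
```

With the sample above the output is a three-column CSV in which the second name is quoted and the missing dept is an empty trailing field, which is what a DelimitedFile schema with those three columns expects. Write the output to a temporary file in the pre-iterate rule, point the connector at it, and have the post-iterate rule delete that file so a copy of the account data is not left lying on the application server.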

As you can see, there is more than one way to skin the XML cat here. That is the case with most things in Sailpoint IIQ, which, as I demonstrate in at least one other blog post, can be “tricked” in various places into doing what you ultimately want it to do.

As with any of this, it’s very common to have to sit down on an engagement and triage between a number of approach options to decide on the best implementation approach. I hope this information helps you with that process.

From the Twin Cities, where we shrug off the second day of Spring with a second helping of Winter, Amigos…


Ian Glazer: Killing IdM to Save It

February 22nd, 2013 | Posted in General Idm/IAM, IdM Infrastructure

I recently watched Ian Glazer’s (Gartner) presentation Killing IAM In Order To Save It and wholeheartedly agree with a lot of what he advocates in this short presentation, enough to feature it here. You can view it embedded below, but I also encourage you to visit the original posting on his site to read the valuable comments and dialogue others left there.

If you’ve been in Identity Management for very long, you should be able to relate to a lot of what Ian is presenting here. Great job.


SailPoint IIQ: Rule And Settings Overrides

January 18th, 2013 | Posted in IAM Development, Vendor Specific

One of the primary reasons I write here is to clear up minor points of confusion for our highly valued Qubera clients, and to enhance their understanding of the products we have installed for them just a little more. Especially if I field similar questions across client engagements (e.g. “Why does ‘it’ work that way?”), I make a point of trying to blog about them here.

What I want to point out today may not seem like a big deal to many of you, but this topic has come up a number of times with Sailpoint IIQ and I wanted to clarify it a bit more for some of you out there. This is a concept that I call “rule and settings overrides.”

Rule And Settings Overrides

You know the feeling you get when you jump into a fully loaded sports car at the dealership… all the buttons and knobs and dials. The “radio” does a million things by itself and then there’s on-board navigation/GPS, On-Star, rear camera, collision detection, choice of manual or automatic in the same transmission… it gets to be a bit overwhelming. “What do all these knobs and buttons DO?!” you think?! I would equate initially running Sailpoint IIQ and just about any feature-rich identity management product to be about like that.

It turns out with Sailpoint IIQ specifically, there are a number of places where if you turn on or flip or fill-in settings in one place, those settings can actually override options you have set (or thought you had set!) in another place. This can be confusing and may even lead to initial negative impressions of the product.

But with Sailpoint IIQ that’s far from the reality. The designers of Sailpoint IIQ took a very straightforward approach in determining the “rules” around product features, and it’s really quite logical (and powerful) once you gain command of the product. No one blames the maker of an upscale sports car for its complexity; rather, they embrace it and learn to leverage all the features over time. After all, that was the reason for selecting a sports car in the first place. :-)

Rules ARE Overrides

Rules are an easy place to level-set your understanding. The thing to remember about rules, pretty much across the board in Sailpoint IIQ, is this: rules ARE overrides. I went into this in some depth with BuildMap rules here.

During aggregations, Sailpoint IIQ goes through a number of phases. (I discussed those phases somewhat at the link above.) At various points during those phases, the designers of Sailpoint IIQ provide you with the opportunity to step in and write your own custom logic to handle your enterprise business and technical use cases. That means that rules ARE overrides.

If you write a rule of any type anywhere in the product, you are overriding Sailpoint IIQ‘s default, OOTB logic for that aspect of the product (e.g. aggregations, certifications, identity attribute mappings, emails, etc.). Sailpoint IIQ completely takes its hands off while these customization rules run and gives you full control at that point. All it does is:

(1) Provide you with objects very likely needed for your customization logic. These are the parameters you see when building Sailpoint IIQ rules.

(2) It expects a certain kind or kinds of acceptable return values.

That’s it. Whatever you do in between is up to you. (Needless to say, you can impact performance quite a lot by the type of logic you may choose to employ in any rule, so choose your logic wisely. If you are experiencing performance issues, especially surrounding certain areas of functionality, such as aggregations or certifications, this would be one place to check — check your rules.)

So in short, rules ARE overrides.1 It only makes sense.


SailPoint IIQ: Best Practice – Native Change Detection

December 13th, 2012 | Posted in IAM Development, Vendor Specific

This should be a short post. What I want to offer is longer than what I can fit into a tweet (@IdMConsultant), but pretty simple to state. (But since I’m blogging, I will expand slightly… :-))

Background

For the Native Change Detection (NCD) feature new in Sailpoint IIQ v6.0, SailPoint warns that NCD should be turned on only after your first aggregation. Obviously, if NCD is on before then, every account seen in that first aggregation looks like a native “change,” which will kick off a lot of needless workflows (at best) and could have some serious downstream consequences (at worst), depending on how you’ve customized the resulting lifecycle event (LCE) workflow, especially if you’ve elected a heavy-handed response to NCD.

Native Change Detection Best Practice

I would further this recommendation and state, as a Best Practice, don’t turn on NCD until after the aggregations for an application have “matured.” That is, you’ve worked through all the kinks that typically come in a production aggregation scenario. Almost always, there is something “forgotten” in an initial aggregation or even the first two or three aggregations. A transformation rule has to be written… You forgot an attribute… Your app owner and you decide another attribute needs to be added to the application… You forget to mark an entitlement… You don’t realize immediately you aren’t getting all expected data… etc.

(You can “mature” or solidify your application aggregations in one of two ways or a combination of both:

(1) Work out your aggregation details in lower environments. Attributes and schemas here should match what you plan to place into production. But since your data isn’t always the same in your lower environments as in production, you should also…

(2) Allow for a number of aggregations in Production with production data. I would recommend at least 2-3 validated aggregations with Production data to solidify expectations.)

Native Change Detection is a powerful new feature of Sailpoint IIQ that is quickly positioning Sailpoint IIQ as THE authoritative governance application in the enterprise (NCD as well as other new features of Sailpoint IIQ v6.0). So to recap:

Recap

(1) Don’t turn on Native Change Detection until aggregations for an application have matured or been solidified.

(2) Turn on Native Change Detection only one application at a time!! Plan your usage of NCD, and either turn NCD on one application at a time or in small groups of related applications (e.g. Active Directory and Exchange). I really recommend one application at a time. If you don’t take this #2 approach, I promise you… you are asking for trouble! :-)

(3) I would even go so far as to recommend enabling one NCD function (e.g. create, modify, or delete) at a time, at least in your earliest uses of NCD. So: one function for one application at a time.

Plan. Map. Forecast. Test. Execute. Mitigate. Don’t “willy nilly” with this. :-)

Rising above 15″ of snow in the Twin Cities and wishing you the best with this fantastic new feature of Sailpoint IIQ!


Tomcat: Open Document Directory Listings

December 6th, 2012 | Posted in General Idm/IAM, IdM Infrastructure

A lot of us IdMers deploy and run our favorite flavors of IdM tools to and on Apache Tomcat in our personal sandboxes. It’s just an easy servlet container to deploy to. Sun Identity Manager/Oracle Waveset and Sailpoint IIQ come to mind. While this article isn’t necessarily written to plug Sailpoint IIQ, my desire to allow the PDF documents that ship with IdentityIQ to display in my sandbox Tomcat installation did lead to this article being written.

Configuring Tomcat To Allow Directory Listings

Tomcat used to enable directory listings out of the box; somewhere along the line the default became false (I’m not sure exactly when). Like plain vanilla Apache HTTP Server, Tomcat can provide directory listings for URLs that don’t map to a servlet or other configured resource. It does this through its default servlet, so a servlet is still serving the request, as you might imagine.

This default servlet can be configured to display directory listings. To do so:

(1) Navigate to the root of your Tomcat installation.

(2) Edit the ./conf/web.xml XML config file.

(3) Look for this section of code and make sure the listings parameter is set to true

<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
   </init-param>
   <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>

(4) Restart Tomcat

(NOTE: Be aware this changes the directory listing behavior for ALL APPLICATIONS deployed to Tomcat, because conf/web.xml is the server-wide default. Every directory under every webapp that has no welcome file becomes browsable, which is exactly the kind of reconnaissance an attacker goes looking for. If you want listings on for one application only, leave the global setting at false and override the default servlet in that application’s own WEB-INF/web.xml instead, so you don’t have to edit the other applications’ web.xml files to turn them back off.)
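As an added example (not from the original post), this is the per-application alternative to editing the global conf/web.xml: declare the default servlet with listings turned on inside the WEB-INF/web.xml of only the webapp that should be browsable, for instance the identityiq webapp that holds the PDFs, and leave every other application at the server-wide default of false. This follows the approach in the Tomcat default servlet documentation; the servlet name `default` and the `/` mapping must be exactly these for the override to take effect, and the fragment goes inside the existing `<web-app>` element of that application.

```xml
<!-- WEB-INF/web.xml of the one webapp that should list directories.
     Everything else keeps conf/web.xml's listings=false. -->
<servlet>
   <servlet-name>default</servlet-name>
   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
   <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
   </init-param>
   <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
   <servlet-name>default</servlet-name>
   <url-pattern>/</url-pattern>
</servlet-mapping>
```

After a restart, check the result from the outside rather than assuming it: request a directory URL under a different webapp and confirm you get a 404 rather than a listing.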

XSLT Transformations

For those looking to take things into the bonus round, just so you know, the Tomcat default servlet runs these directory listings through an XSLT transformation. If you are especially ambitious, you can override these XSLT transformations with transformations of your own. “Skin” your own directory listings, essentially. If your company for instance insists on proper branding no matter what is served, or, if you were serving this listing up in an iframe on another server, this would be the way to transform the look and feel of the Tomcat directory listing to your liking.

I’m not going to do that here.

SailPoint IIQ PDF Documentation

Now we can navigate to where the Sailpoint IIQ PDF documentation is kept and view these docs right in our browser:

[Screenshot: SailPoint IIQ PDF documents directory listing]

A really nice benefit is that each time you patch Sailpoint IIQ, this exact directory will be updated with the latest and any changed docs from Sailpoint. As you can see above, I’ve already patched my Sailpoint IIQ v6.0 installation to v6.0p1, and as a result, I have the corresponding v6.0p1 docs as well as the original v6.0 docs.

For IdentityIQ, Delete In Production

While we’re here, just another security pointer… I recommend deleting the PDFs in your production install of IdentityIQ, no matter which application server you choose to install to. It only makes sense. While the docs may not be served via HTTP, there are other people who have access to the file system (system and network admins, etc.) and you want to keep your security documentation inhouse.

@IdMConsultant for IdM Related Tweets

December 2nd, 2012 | Posted in General Idm/IAM, IAM Development, IT Industry, Security

I’ve been wanting for a while to create a dedicated channel on Twitter for tweeting content specific to Identity & Access Management. As of now, I’ll be doing exactly that via a new @IdMConsultant Twitter account. (Totally shocked that that Twitter account was actually available!)

So look for short, I-hope-to-be-handy tweets on the various IdM products we implement, support and provide expert advisory services on through Qubera Solutions. Expect tweets such as Implementing Full Text Search for #SailPoint #IIQ6? Don’t forget to copy the resulting index files across your server farm! Qubera Solutions is IdM/IAM vendor agnostic — we advise and implement solutions that fit your specific needs and requirements, so expect tweets that are vendor agnostic as well, but narrowed to just IdM/IAM.

(Traffic on my older and still existing @TechnologEase Twitter account will carry more general content relating to technology in general and what TechnologEase exists for which is Internet Consulting. Done Right.)
