Posts Tagged ‘Paul Bedi’
Wednesday, January 18th, 2012
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***
Oracle’s OID docs are pretty vague about indexing. In practice, there are two options:
- When creating an attribute, check the “Indexed” box
- Create the index later (after you figure out OID needs it for something!)
To do #2, run the catalog tool:
- $MW_HOME/<domain>/ldap/bin/catalog connect="OIDDB" add="true" attribute="<the attribute name that you want to index>" debug="true" verbose="true"
If you try to check the box (as in #1) after you have already used the attribute, the ODSM interface will show the box as checked and make you think the attribute has been indexed, but it really hasn’t!
Questions, comments or concerns? Feel free to reach out to us at IDMWorks.
Tags: 11g, Identity Management, Indexing, Oracle Identity Manager, Oracle Internet Directory, Paul Bedi
Posted in Oracle, Oracle Fusion Middleware, Oracle Internet Directory, Tips & Tricks | No Comments »
Wednesday, January 26th, 2011
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***
Oftentimes our clients want to create another identity attribute that is “calculated”. Maybe this is an overall status, or perhaps it’s an overall supervisor. Either way, you can implement a customization to accomplish this (and it’s a little complicated, so I have two sets of instructions: one for the business user, and the other for the technical user).
Business Instructions:
- Inventory the custom attributes that you would like to aggregate / evaluate (typically in the form of CUS_ATTR_CAS_1##)
- Develop a SQL query that does what you need to do with these attributes
- Put the SQL query in the correct package file
- Import the changes into the database
- Test your changes
Technical Instructions:
- Login to your database instance, query the database to find out the names of the attributes that you’re interested in:
e.g. select * from t_extensible_schema_columns where display_name like '%status%';
- Develop the SQL query based on these attributes that does what you need.
- Create the following directory
~oracle/database/packages/custom
- Copy over the .pkb and .pks files into this custom directory and add your changes to the .pkb file
- Launch sqlplus from the custom directory and login as AVUSER
- Now import the .pkb and .pks scripts as follows:
@'your_package_name'_Pkg.pks;
@'your_package_name'_Pkg.pkb;
- Now you can log back into the GUI and test your changes
For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.
Tags: Aveksa, Governance, GRC, IAM, Paul, Paul Bedi, Role Management
Posted in Access Management, Aveksa, Best Practices, Role Management, Security & Risk, Tips & Tricks | No Comments »
Sunday, January 2nd, 2011
My last blog post about Role Based Access Control (RBAC) had to do with Role Mining specifically around techniques used in larger firms.
Recently, I’ve been working with Aveksa Compliance Manager (ACM) to develop roles for an upcoming certification and I have a few thoughts to share:
- Have a good understanding of your data, or find somebody that does. ACM gives you so much flexibility that unless you have a firm grasp on your data, you will not choose the right path.
- ACM breaks down roles into three distinct categories:
  - Global Roles
  - Business Roles
  - Technical Roles
  DRAW out how you want these to be used first (see recommendations below).
- Configure ACM to work within the constraints developed in Step #2. (Roles -> Configuration). This interface will allow you to configure Global, Business and Technical Roles and their membership constraints.
Now that you have made sense of your data and configured ACM to work within the boundaries of your Role Model, you can start creating or generating roles!
As I indicated above, I have some recommendations for you (not in any particular order):
- Group collected entitlements into Technical Roles. DO NOT add members to your Technical Roles.
- Create a Technical Role for any entitlement that you want to manage separately. In other words, if you want to create a Technical Role for Active Directory Administrators, great, but if you want to manage Schema Admins and Domain Admins separately then these should be in different Roles.
- Users will request access using the Business Role Name, so create Business Roles using names that make sense to Business users.
- Along those same lines, don’t rely on your glossary to make up for your cryptic naming conventions.
- Create a customer User View (Requests -> Configuration -> User Views) which lists all Business Roles when users request access.
- When role mining, DO NOT create roles based on an attribute (say Department) for a large set of data without testing with a few departments first as roles can only be deleted one at a time!
- Backup your database before you do any of this (this applies to all vendor tools btw, you will thank me for this later).
There are probably 50 other things that I have learned in my RBAC travels; I’d love to share them with you and ensure that your ACM project is successful. Don’t hesitate to give us a call here at IDMWorks, the Identity (and RBAC) Professionals!
Tags: Aveksa, Paul, Paul Bedi, RBAC, Role Management, Roles
Posted in Aveksa, Best Practices, RBAC, Role Management | 1 Comment »
Thursday, November 25th, 2010
A few weeks ago, I wrote about Novell and the possibility of an acquisition. Well, today that “theory” has been validated. On 11/22/2010 Attachmate announced that they had come to a definitive agreement with Novell’s board and shareholder for the purchase of the company.
Attachmate, not having the same footprint in the IAM space as Novell, has decided to let Novell operate as Novell (smart move) but the strategy isn’t very clear, or is it?
Let’s analyze it, what does Attachmate bring to the relationship besides having enough cash to purchase Novell? Do they have the requisite experience in:
- Selling enterprise Software – check
- Maintaining their existing customer base – check
- Up-selling the existing customer base – check
- Identity Management / Security – nope. The closest they come to security is Systems Management, Configuration Management & SIEM software. All of which Novell brings to the table.
What this tells us is that Attachmate is going to further their brand loyalty by selling Novell and attaching all of the great things that they have learned selling mainframe software.
Who would their potential customers be? Well, why not just look at Attachmate’s rolodex, I can’t think of a single Fortune 1000 client that doesn’t use their products, can you?
And for those nagging questions I had about the status of Novell’s SUSE UNIX? Apparently it isn’t going anywhere.
And for those nagging questions I had about the status of VMWare getting a hold of Novell? Well Microsoft put an end to that as well.
I think they can officially call it a dog-fight. Oracle and the likes, get ready for some serious competition from Attachmate.
Tags: aquisition, attachmate, Microsoft, netiq, Novell, Paul, Paul Bedi, SUSE, VMWare
Posted in Identity Management, linux, Novell, Novell Access Manager, Novell Identity Manager | No Comments »
Thursday, September 23rd, 2010
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***
If you ever wondered how easy it is to upgrade Aveksa Compliance Manager (ACM), here’s the step-by-step:
- As Oracle, back up your database
  - There’s a script called AVDB_Export_AVUSER.sh in the directory /home/oracle/database/DBA/AVDB/scripts
  - Make sure you get a message stating “Done !”
  - e.g. $script_path/AVDB_Export_AVUSER.sh -t_401_upgrade_backup
- As root, copy over the following files to /tmp/aveksa/packages
  - jdk1.6.0_18_x64.tar.bz2
  - asmlib-004-x64.tar.gz2
  - oraApplication.10.2.0.4_p9119284.x64.tar.bz2
  - aveksa-4.1.tar.bz2
- Create a staging directory
  - e.g. mkdir /tmp/aveksa/staging
- Extract the new Aveksa tarball into this directory
  - e.g. tar -jxvf $tmp_path/aveksa-4.1.tar.bz2
- Execute the script called install.sh
  - e.g. ./install.sh
- Next, answer the installer questions:
  - An existing database was found. Do you want to keep this database [Y]? Y
  - Migration is necessary when upgrading. Do you want to migrate the database [Y]? Y
- Reboot and you should be good to go.
This is probably one of the best/easiest upgrades I’ve done in a couple of years.
Questions? Feel free to reach out to us at IDMWorks.
Tags: Aveksa, Novell, Paul, Paul Bedi, SUSE
Posted in Aveksa, PCI Compliance, Role Management, Tips & Tricks | No Comments »
Thursday, September 23rd, 2010
If you haven’t already heard, VMWare is thinking about buying Novell’s Linux platform, SUSE Enterprise Linux (a rumor since late August). This is a bold move for VMWare who has been seeing increasing competition from Microsoft and Oracle in the virtualization space. Also, it will give Red Hat a run for its money in the Enterprise Linux business.
Questions abound…
1) What space will Novell concentrate on?
- Identity & Security – check
- Cloud – check
- File Management Solutions – check
- PlateSpin and other niche technologies – check
2) Does this mean that Novell is a better acquisition target now that they are a little smaller?
3) Will this cause any uncertainty when folks are buying Novell software?
All of this Novell acquisition talk makes me wonder about what the true Novell strategy is.
4) Why would Novell give up a fantastic distribution of Linux (and all of the tools that come with it such as SuSE Studio)?
5) Given that some of our customers are VMWare and SuSE customers, this is fantastic news, however, for those that are VMWare and *nix customers, is this bad news?
I’m eager to see how this plays out in the next few weeks, even more eager to see what our customers will do should this purchase go through…
Any comments?
Tags: Identity Manager, NIM, Novell, Paul, Paul Bedi, SUSE
Posted in Identity Management, Identity Provisioning, Novell, Novell Identity Manager, Roadmap, SLES, VMWare | 3 Comments »
Monday, August 2nd, 2010
I have been at three separate companies as of late that all strive to have the “perfect role model” for their enterprise. This desire is usually coupled with the desire to have some irrational number of roles to show that their role model was successful.
<Sidebar> Let’s say your company has 100,000 people worldwide, how on earth could you believe that you’re going to end up with 10 roles?
The answer to the number of roles is generally a product of how you want to create enterprise roles (this includes Business and/or IT roles). There are few options when it comes to designing roles, to list a few:
- Bottom-up, Top-down and Intersection Analysis (yawn, that’s so 2009)… and the result being a set of IT roles that map to resources, and business roles that map to the IT roles.
- Allow Supervisors to control # of roles, they decide what goes in their roles, and your systems make sure that they haven’t put any “toxic combinations” in their roles.
- Use #1 & #2 with a standard set of entitlements that everybody gets based on some organizational data.
- Allow a product to analyze your data and suggest candidate roles.
(All of these mean nothing unless your roles are “in-context”… to be covered in my next post.)
Now comes the part where I give my prescriptive advice on which of the 4 options to use. The answer: RBAC is art, not science, you should try all of the above, at least see if they pass the litmus test for your organization (better yet, call IDMWorks and we can help you figure it out).
Once you’ve figured out what direction you are going with roles, the next step is to stuff all of that in a product. Might I suggest Aveksa, as it is one of the best products in the industry, and use it to manage your roles, entitlements, segregation of duties rules and certifications.
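The “toxic combinations” check from option 2 above, applied to the Business Role / Technical Role layering recommended in the ACM post earlier on this page. This is an added example, not code from the original posts or from Aveksa; every role, entitlement and user name and the rule format are constructed for illustration. It goes one step beyond the text by also checking users whose combined roles are toxic even though each role is clean on its own.

```python
from itertools import chain

# Constructed sample data: every role, entitlement and user name is hypothetical.
TECHNICAL_ROLES = {  # Technical Roles only group entitlements and have no members
    "AD Domain Admins": {"ad:domain-admins"},
    "AD Schema Admins": {"ad:schema-admins"},  # managed separately, so its own role
    "AP Invoice Entry": {"erp:invoice-create"},
    "AP Payment Release": {"erp:payment-approve"},
}
BUSINESS_ROLES = {  # the names users request -> Technical Roles they contain
    "Directory Engineer": ["AD Domain Admins"],
    "AP Clerk": ["AP Invoice Entry"],
    "AP Approver": ["AP Payment Release"],
    "AP Super User": ["AP Invoice Entry", "AP Payment Release"],
}
MEMBERS = {"alice": ["AP Clerk"], "bob": ["AP Clerk", "AP Approver"]}
# Segregation-of-duties rules: entitlement sets that must never be held together.
TOXIC = [{"erp:invoice-create", "erp:payment-approve"}]


def entitlements(business_role_names):
    """Flatten Business Roles -> Technical Roles -> entitlements."""
    techs = chain.from_iterable(BUSINESS_ROLES[b] for b in business_role_names)
    return set().union(*(TECHNICAL_ROLES[t] for t in techs))


def violations(granted):
    """Return every SoD rule that is fully contained in an entitlement set."""
    return [sorted(rule) for rule in TOXIC if rule <= granted]


def scan(role_sets):
    """Map each key to the SoD rules its combined Business Roles violate."""
    results = {k: violations(entitlements(v)) for k, v in role_sets.items()}
    return {k: hits for k, hits in results.items() if hits}


def toxic_roles():
    """Business Roles that are toxic by construction (a design-time check)."""
    return scan({name: [name] for name in BUSINESS_ROLES})


def toxic_users():
    """Users whose combined roles are toxic although each role alone is clean."""
    return scan(MEMBERS)


if __name__ == "__main__":
    print("Toxic roles:", toxic_roles(), "| Toxic users:", toxic_users())
```

The role-level check is the one to run when a supervisor edits a role; the user-level check belongs at request or certification time, because it catches combinations no single role definition reveals.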
Tags: Aveksa, Bedi, Governance, Paul Bedi, RBAC, Roles, SailPoint
Posted in Aveksa, Governance, RBAC | No Comments »