Aggregating File Shares in SailPoint


One of the items we’ve been asked to integrate into SailPoint IIQ recently has been file shares. We want to pull in the permissions on folders and files within the file shares so that access can be certified within SailPoint IIQ. There is no dedicated file share connector in IIQ; file shares are handled as unstructured targets instead. SailPoint’s documentation states that unstructured data is “any data that is stored in a format that is not easily readable by a machine.” In our case, the unstructured data are the permissions (ACLs) on the file shares.

To aggregate the data for certification, we must use the unstructured target portion of an existing application. Active Directory is normally the best application to use to aggregate in the file shares because of the objectSid, which we’ll cover in a minute. A couple of prerequisites before we try to configure the unstructured targets are:

  • Working AD application in IIQ – We need a working set of AD users and groups to correlate the file share information against. It is preferable to use a new, separate AD application set up specifically for the unstructured target, since the steps below change that application’s correlation configuration and it is easier to keep those changes away from your primary AD application.
  • Installed IQService – The Windows FileShare Collector runs through the IQService, so it must be installed on a Windows host that can reach the shares before anything can be aggregated.

At this point, we’re ready to configure the unstructured targets. To do this, follow the steps below:

  • In the AD application mentioned above, go to the Unstructured Targets tab and click New Unstructured Data Source
  • Enter a name for the data source
  • Select “Windows FileShare Collector” as the Target Source Type
  • Enter the IQService host name and port number
  • Configure each file share
      • Enter the UNC path to the file share
      • Enter the account and password used to connect to the share in the administrator and password fields; the account only needs enough rights to read the folders and their ACLs, so avoid a domain administrator here
      • Configure “directories only”, “directory depth”, and “wildcard” as desired (a large depth on a big share makes the target aggregation considerably slower)
      • Remember to click “Add” when you’re done, or the file share is not committed
  • Save the new unstructured target and the AD application

At this point, you should be able to run connectorDebug from the IIQ console, iterate the unstructured accounts, and see what the data looks like. The native identities are SID strings (digits separated by hyphens, in the S-1-5-21-… form for domain accounts). Each one is the objectSid of the AD user or group that holds the permission on the file share. The next step is to correlate these file share entries to the matching AD accounts and groups. To correlate them correctly, do the following:

  • In the AD application setup, check objectSid as a Correlation Key in both the account and group schema
  • Create a new Account Attribute called objectSid that maps to the objectSid in AD, so objectSid is a searchable link attribute the correlator can match on
  • Create a correlation rule (rule type TargetCorrelation) that returns the attribute and value to match, using the SID string the collector passes in as nativeId:
import java.util.HashMap;
import java.util.Map;
import sailpoint.api.Correlator;

// Target correlation rule: nativeId is the SID string reported by the
// FileShare Collector; isGroup says whether it belongs to a group or a user.
Map map = new HashMap();
if (Boolean.TRUE.equals(isGroup)) {
  // Match against the objectSid in the group schema
  map.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE, "objectSid");
  map.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE_VALUE, nativeId);
} else {
  // Match against the objectSid on the AD account (Link)
  map.put(Correlator.RULE_RETURN_LINK_ATTRIBUTE, "objectSid");
  map.put(Correlator.RULE_RETURN_LINK_ATTRIBUTE_VALUE, nativeId);
}
return map;
  • Create a creation rule if needed

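Before running the target aggregation it is worth previewing what the collector will hand to IIQ and whether each entry can actually be correlated. The script below is an added example, not code from the original post or from SailPoint: run it on the IQService host (or any host that can read the share) and it walks the share with the same “directory depth” and “directories only” choices you configured, lists every explicit ACE with the SID string that will appear as the native identity in connectorDebug, and flags the ones that will never correlate because they are not domain SIDs (BUILTIN\Administrators, NT AUTHORITY\SYSTEM, Everyone and similar have no objectSid in AD). The share path and option values are hypothetical; the AD class lookup needs the RSAT ActiveDirectory module and is skipped when it is not installed.

```powershell
<#
  Preview of the Windows FileShare Collector's view of a share, plus an
  objectSid correlation check. Added example; not SailPoint's code.
  Assumes PowerShell 5.1+ and read access to the share. The AD lookup
  (Get-ADObject) is optional and only runs when the module is available.
#>
param(
    [string]$SharePath       = '\\fileserver01\Finance',  # hypothetical share
    [int]   $DirectoryDepth  = 2,                         # "directory depth" option
    [bool]  $DirectoriesOnly = $true                      # "directories only" option
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Paths the collector would scan under the configured options: the share root
# plus everything below it down to the chosen depth.
$targets = @(Get-Item -LiteralPath $SharePath)
$gciArgs = @{ LiteralPath = $SharePath; Recurse = $true; Depth = $DirectoryDepth; ErrorAction = 'SilentlyContinue' }
if ($DirectoriesOnly) { $gciArgs['Directory'] = $true }
$targets += Get-ChildItem @gciArgs

$adAvailable = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

$rows = foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit ACEs only (an editorial choice for this preview): inherited
    # entries repeat the parent's permissions and only add noise to a review.
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        try   { $sid = $ace.IdentityReference.Translate($sidType) }
        catch { $sid = $null }   # orphaned or untranslatable identity
        if (-not $sid) { continue }

        # Only domain SIDs (S-1-5-21-...) exist as objectSid values in AD.
        # Well-known and BUILTIN SIDs will never match the correlation rule.
        $correlatable = $sid.IsAccountSid()

        $adClass = $null
        if ($correlatable -and $adAvailable) {
            try {
                $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties objectClass -ErrorAction Stop
                if ($obj) { $adClass = $obj.objectClass }
            } catch { $adClass = 'lookup failed' }
        }

        [pscustomobject]@{
            Path         = $item.FullName
            NativeId     = $sid.Value                 # the identity connectorDebug will show
            Account      = $ace.IdentityReference.Value
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType
            Correlatable = $correlatable
            IsGroup      = ($adClass -eq 'group')     # which branch of the correlation rule applies
            ADClass      = $adClass
        }
    }
}

$rows | Format-Table -AutoSize
$rows | Where-Object { -not $_.Correlatable } | ForEach-Object {
    Write-Warning "No AD objectSid for $($_.Account) on $($_.Path); this entry will not correlate"
}
```

Entries flagged by the warning are the ones to expect as uncorrelated after the target aggregation; if a domain SID shows up with an empty ADClass while the module is installed, the account or group is missing from the AD application’s scope and the objectSid correlation key cannot match it either.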
After the correlation is set up, run a full aggregation of the AD application first (so the objectSid values exist on the links and groups), then create a Target Aggregation task that selects the AD application and the name of the unstructured target you defined. After both aggregations have run, run an identity refresh to promote the attributes and assign the permissions correctly. The file share permissions will then be visible on the Entitlements tab of an individual identity, where they can be included in certifications.