KOGIT Plugins for SailPoint IIQ

Segregation of Duties Matrix Plugin for SailPoint IdentityIQ

The clear representation in the SoD Matrix is ideal for mapping the separation of functions between persons at the IT level. Conflicts, borderline cases and permitted combinations are marked according to a traffic light principle and thus optimally prepared for audits. Data maintenance is carried out in a time-saving manner by mouse click.

It currently supports the following features:

  • Add/remove SoD categories
  • Change the risk score weights of category combinations in the matrix
  • An advanced Policy rule that uses the SoD Matrix
  • Detailed AuditEvents for all changes of the SoD Matrix
  • Download of the SoD Matrix in xls format

Download

We are currently working on getting the plugins up on this page. Until then please contact us at sales@kogit.de to acquire our SoD Matrix plugin.

Installing

We will provide you with a zip file that contains the plugin. Installation of the SoD Matrix plugin is the same as for any other plugin. You can use the build installation method or install through IdentityIQ using the Plugin Manager Interface. Refer to the Identity Plugin Framework (IPF) documentation for instructions on installing a plugin. If you have already installed the framework, you can visit your instance of IdentityIQ and select ‘Plugins’ under the Gear dropdown menu in the upper right corner.

Feedback

Please report any bugs, feature enhancement requests, issues, or questions via the contact form on the left-hand side.

Release Note

KOGIT’s IIQ SoD-Matrix-Plugin version 1.2 is available. For further information please refer to the Release Note.

Developer Info

Developer KOGIT GmbH
Integration Name/Version sod-matrix 1.2
Certification Date 3/9/2018
Integrations IdentityIQ 7.1+

Support and Licensing

The SoD Matrix Plugin is a KOGIT project. Please contact us for licensing details. Access to the SoD Matrix plugin is provided via SailPoint’s Plugin Framework.
All support, help, bug and issue reporting and tracking is done here on the SoD Matrix home page. If you have any questions or issues whatsoever, please reach out to us at sales@kogit.de.

IMPORTANT NOTE: KOGIT GmbH does not provide any warranties covering the SoD Matrix Plugin, and specifically disclaims any liability for damages, including, without limit, direct, indirect, consequential, incidental, and special damages, in conjunction with the use of the SoD Matrix Plugin, its artifacts or any plugin running therein.

More information:

Contact us

Archiving of historical data with the KOGIT IIQ History plugin

The KOGIT IIQ History Plugin extends your IdentityIQ installation with new features for generating historical data in a report-friendly structure as well as archiving, reporting and analyzing historical IAM data in IdentityIQ.
The goal of this plugin is to provide a mechanism to archive data in SailPoint IdentityIQ in an efficient way. The archives created allow searching data based on the property, the value and when the data was productive in IdentityIQ.

The IIQ History Plugin shows where data existed and who had access to it at what time, allowing you to ask specific questions such as:
“Back last March, what were the cost centers of the members at that time of a certain work group that today is called ‘Accounting’ but actually might have had a different name back then?”.
Furthermore, the plugin shows when members were assigned to those cost centers. The answers to such questions should not take long to compute and should not put a lot of load on the IdentityIQ environment.

Business Requirement

Auditors or forensic investigations require easy access to historical IAM data, usually for at least 10 years into the past. Standard questions are point-in-time inquiries about user access, role composition or policies. More advanced requirements include who assigned or approved past access rights or role assignments. And last but not least, the identity perspective is not sufficient. Who had access to a distinct transaction or data, e.g. during Q1 2013, is a classic and important question that we should be able to answer by providing the entitlement perspective. The ‘KOGIT IIQ History Plugin’ enhances the functionality of SailPoint IdentityIQ.

The plugin supplements IdentityIQ with a search function and an efficient archiving option for identities, roles and access rights.

The advantages:

  • Search by time period and/or by name
  • Supports forensic inquiries
  • Simplifies passing of external audits
  • Clear presentation of historical data
  • Pre-configured reports for e.g. Identities, Business Roles and Entitlements

Two new features with version 2.1:

The Multi-Tenancy Capability for storing the assigned scope of historicized objects, and the History Reports, which provide pre-configured reports for Identities, Business Roles, IT Roles, Entitlements (identities with access) and Workgroup Membership.

Download

We are currently working on getting the plugins up on this page. Until then please contact us at sales@kogit.de to acquire our KOGIT IIQ History plugin.

Feedback

Please report any bugs, feature enhancement requests, issues, or questions via the contact form on the left-hand side.

Release Notes

KOGIT IIQ History Plugin version 2.1 is available. For further information please refer to the Release Notes.

Developer Info

Developer KOGIT GmbH
Integration Name/Version kogit-history-plugin-2.1
Certification Date 10/21/2018
Integrations IdentityIQ 7.1+

Support and Licensing

The KOGIT IIQ History Plugin is a KOGIT project. Please contact us for licensing details. Access to the KOGIT IIQ History Plugin is provided via SailPoint’s Plugin Framework.
All support, help, bug and issue reporting and tracking is done here on the KOGIT IIQ History home page. If you have any questions or issues whatsoever, please reach out to us at sales@kogit.de.

IMPORTANT NOTE: KOGIT GmbH does not provide any warranties covering the KOGIT IIQ History Plugin, and specifically disclaims any liability for damages, including, without limit, direct, indirect, consequential, incidental, and special damages, in conjunction with the use of the KOGIT IIQ History Plugin, its artifacts or any plugin running therein.

Data transfer to IdentityIQ with the SAP OM Importer plugin

The KOGIT SAP OM Plugin provides a task to load the following organizational data from SAP OM:

  • Organizational Units,
  • Positions,
  • Jobs,
  • Persons and
  • Chief Positions.

The task can be configured to create, from these objects, a hierarchy of business roles in IdentityIQ corresponding to the hierarchy in SAP OM. It supports automatically creating assignment rules to assign these roles to the identities assigned to these entities. A look-ahead and look-behind time period can optionally be configured to allow role assignments to take place before the start or after the end of the actual association with an organizational structure in SAP OM. The role owner of the organizational unit role can be derived from the unit’s chief position holder.

Business Requirement:

Use Cases

The KOGIT SAP OM Plugin allows loading data from SAP OM to better support the following IAM scenarios:

Vacant Manager Position

In cases where manager positions are vacant, the hierarchy can be used to determine the manager of the superordinate org unit and automatically appoint this person as the responsible stand-in, avoiding identities without a manager and the need for a process to handle these exceptions.

Automatic Role Creation

Information on organizational units, positions and jobs can be used to automatically create, update and delete the corresponding business roles.

Automatic Role Assignments with grace period

The business roles for organizational units, positions and jobs can be assigned automatically to the members of an organizational unit or to the identities holding a job, respectively. This will also work for multiple positions being assigned to the same identity. Because SAP OM also provides detailed information on the dates of position changes and past position assignments, this information can be used to keep roles assigned for previous positions during a configured grace period, which can be used by users to hand over their previous responsibilities to their successors.

Multiple Positions and Managers

Often, employees are assigned to more than one position, resulting in more than one organizational context and more than one reporting line for that person. Loading this data from SAP OM allows making use of it in approval processes and certifications, e.g. by routing requests for approval to the correct manager or using pre-delegation in certifications to involve the other managers in access reviews.

Improve Mover processes

Detecting from an employee’s HCM employee record when or if a change in job takes place tends to be difficult. Using the job and position assignments from SAP OM greatly simplifies this task and improves the mover process. It also allows for advance action, like informing the future manager or IT support to prepare for the change, without having to analyze future actions on the personnel record.

Simulating Organizational Changes

Restructuring of a company is often prepared and modeled with SAP OM. To this end, SAP OM supports so-called plan variants. Loading the data from these variants can be used to simulate an organizational change in an IIQ staging environment.

SAP OM Data

Within SAP OM the Organizational Structure is composed of the Enterprise Structure, the Personnel Structure, and the Organizational Plan.

SAP OM stores most of this information in two tables: the object table holds the different types of objects, and the other table stores the relationships between these objects.

An organizational structure typically consists of organizational units, each containing a set of positions and subordinate organizational units. Employees in turn are assigned to positions. Positions can optionally belong to jobs.

The Enterprise Structure represents formal and financial structures in a company and is basically composed of the company code, the personnel area, and the personnel subarea.

The Personnel Structure displays the relationship between employees and assigns them to certain employee groups and subgroups.

The structural and personnel company model is illustrated in the Organizational Plan.

An Organization hierarchy is therefore represented as relationships between organization objects.

To be more specific, SAP OM defines the following objects:

  • Organization (type O)

This is just what it is called – an organizational object.

  • Job (C)

A job describes the responsibilities and tasks that the holder of the job has to fulfill. The job models the requirements that have been laid out in a job description used to hire a person.

  • Position (S)

A position is an instance of a job – usually assigned to one person. SAP also supports job sharing – assigning a position to several persons, usually part time workers.

  • Person (P)

A person is an object linking the position to a master data record of someone managed within SAP HCM. A person can therefore be described as a holder of a position.

SAP OM has several models for describing the relationship between these objects. A position can be classified e.g. as chief position, team lead, CxO, etc. Usually there is one chief per organizational unit.

The relationships between positions form a reporting structure that can be evaluated separately from the org structure.

OOSP-Model

A default approach used in many organizations is to model the reporting structure based on the assignment of positions to org units.

This approach is called the OOSP model because it links org units to org units, optionally org units to jobs, org units and/or jobs to positions, and positions to persons.

In this case an additional reporting structure is not needed.
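The following added example (not part of the plugin or of SAP OM) shows how the two-table layout and the OOSP relationships can be walked to resolve a manager for each position a person holds, including the vacant manager case from the use cases above. All object IDs, names and relation labels are constructed for illustration.

```python
# Constructed sample data in the two-table layout described above.
# Object table: id -> (type, name); O = org unit, S = position, P = person.
OBJECTS = {
    "O1": ("O", "Finance"), "O2": ("O", "Accounting"), "O3": ("O", "IT"),
    "S1": ("S", "Head of Finance"), "S2": ("S", "Head of Accounting"),
    "S3": ("S", "Accountant"), "S4": ("S", "Key User"),
    "S5": ("S", "Head of IT"),
    "P1": ("P", "alice"), "P2": ("P", "bob"), "P3": ("P", "carol"),
}
# Relationship table: (source, relation, target). The relation names are
# illustrative labels, not SAP's own relationship codes.
RELATIONS = [
    ("O2", "reports_to", "O1"),
    ("S1", "belongs_to", "O1"), ("S1", "chief_of", "O1"),
    ("S2", "belongs_to", "O2"), ("S2", "chief_of", "O2"),  # S2 is vacant
    ("S3", "belongs_to", "O2"),
    ("S4", "belongs_to", "O3"),
    ("S5", "belongs_to", "O3"), ("S5", "chief_of", "O3"),
    ("P1", "holds", "S1"), ("P2", "holds", "S5"),
    ("P3", "holds", "S3"), ("P3", "holds", "S4"),  # carol has two positions
]

def targets(source, relation):
    return [t for s, r, t in RELATIONS if s == source and r == relation]

def sources(relation, target):
    return [s for s, r, t in RELATIONS if r == relation and t == target]

def manager_for_position(person_id, position_id):
    """Walk up the org tree until a chief position with a holder is found."""
    units = targets(position_id, "belongs_to")
    unit = units[0] if units else None
    seen = set()
    while unit and unit not in seen:
        seen.add(unit)  # guard against cycles in inconsistent source data
        for chief in sources("chief_of", unit):
            for holder in sources("holds", chief):
                if holder != person_id:  # nobody is their own manager
                    return holder
        parents = targets(unit, "reports_to")
        unit = parents[0] if parents else None  # vacant chief: go one up
    return None

def resolve_managers(person_id):
    """Return {position name: manager name or None} for every position held."""
    result = {}
    for position in targets(person_id, "holds"):
        manager = manager_for_position(person_id, position)
        result[OBJECTS[position][1]] = OBJECTS[manager][1] if manager else None
    return result

if __name__ == "__main__":
    print(resolve_managers("P3"))  # one manager per reporting line
    print(resolve_managers("P1"))  # top of the tree: no manager found
```

An identity for which this returns `None` is exactly the exception case that otherwise needs a manual process, so it is worth reporting after each import.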

Supervisory Model

Another approach is to define a reporting structure by explicitly defining a person who is managing the organization. This is done by another relationship that is called managedBy. This relationship can form a completely separate tree that need not be in sync with the organizational tree. This approach is called the S-S model or supervisory model.

Quite often the types of relationships are customized to reflect a company’s specific requirements.

Content of the Plugin

The SAP OM Matrix plugin contains the following SailPoint objects:

Task Definition – Template: KOGIT SAP Org Importer 
The task providing the import functionality of the plugin.

Rule: KOGIT SAP OM Person Customization
Example rule which demonstrates how the import can modify identities.

Rule: KOGIT SAP OM Role Customization 
Example rule which demonstrates how the import can modify roles.

Download

We are currently working on getting the plugins up on this page. Until then please contact us at sales@kogit.de to acquire our SAP OM Importer plugin.

Feedback

Please report any bugs, feature enhancement requests, issues, or questions via the contact form on the left-hand side.

Developer Info

Developer KOGIT GmbH
Integration Name/Version kogit-sap-om-importer-plugin 1.0.0
Certification Date 11/6/2019
Integrations IdentityIQ 7.1+

Support and Licensing

The SAP OM Importer Plugin is a KOGIT project. Please contact us for licensing details. Access to the SAP OM Importer Plugin is provided via SailPoint’s Plugin Framework.
All support, help, bug and issue reporting and tracking is done here on the SAP OM Importer home page. If you have any questions or issues whatsoever, please reach out to us at sales@kogit.de.

IMPORTANT NOTE: KOGIT GmbH does not provide any warranties covering the SAP OM Importer Plugin, and specifically disclaims any liability for damages, including, without limit, direct, indirect, consequential, incidental, and special damages, in conjunction with the use of the SAP OM Importer Plugin, its artifacts or any plugin running therein.

Simplified navigation between tasks with the KOGIT Role Analytics plugin

The KOGIT Role Analytics Plugin simplifies navigation between different tasks and offers an intuitive viewing of roles, identities and entitlements in IIQ.

The plugin provides a user-friendly way for users to view identities, roles and permissions and their corresponding relationships. Daily tasks can be easily zoomed in and out, and the plugin’s search and display functionality is complemented by a role dashboard that highlights important KPIs of role and permission status and usage.

The Advantages:

  • Export option
  • Graphical Interface designed for Business Users
  • Simplifies day-to-day operation
  • Prepared for custom extended attributes
  • Viewing tool for roles, identities and entitlements in IIQ
  • Representation of use and assignment of individual objects such as role composition
  • Easy navigation between objects and relations

The plugin provides visibility for the object types “identity”, “role” and “entitlement”. Each offers a wildcard search, additional information on linked objects, drill-down options and export options.

The KOGIT Role Analytics Plugin offers a top-down and bottom-up view.

IdentityIQ offers many dialogs, but no continuous ones. The KOGIT Role Analytics Plugin provides one dialog with continuous navigation for users.

The Role Analytics Plugin:

  • Contains search option
  • One entry point
  • Continuous navigation
  • Starting point remains unchanged
  • New insights not provided by SailPoint (use of entitlements, use of IT roles)

Download

We are currently working on getting the plugins up on this page. Until then please contact us at sales@kogit.de to acquire our Role Analytics plugin.

Feedback

Please report any bugs, feature enhancement requests, issues, or questions via the contact form on the left-hand side.

Developer Info

Developer KOGIT GmbH
Integration Name/Version kogit-role-analytics-plugin 1.0.0
Certification Date 11/6/2019
Integrations IdentityIQ 7.1+

Support and Licensing

The Role Analytics Plugin is a KOGIT project. Please contact us for licensing details. Access to the Role Analytics Plugin is provided via SailPoint’s Plugin Framework.
All support, help, bug and issue reporting and tracking is done here on the Role Analytics home page. If you have any questions or issues whatsoever, please reach out to us at sales@kogit.de.

IMPORTANT NOTE: KOGIT GmbH does not provide any warranties covering the Role Analytics Plugin, and specifically disclaims any liability for damages, including, without limit, direct, indirect, consequential, incidental, and special damages, in conjunction with the use of the Role Analytics Plugin, its artifacts or any plugin running therein.

Creating an interface from SailPoint IdentityIQ to a SIEM with the KOGIT IIQ SIEM Export Plugin

The SIEM Plugin is an essential building block of the architecture for secure identity access management that integrates IAM, PAM and SIEM solutions.
The customer’s requirement to integrate IdentityIQ with a SIEM calls for an interface that delivers log data from IdentityIQ to the SIEM. In this context, log data refers to the AuditEvents in IdentityIQ. Further technical or business log data such as Syslog or ProvisioningTransaction are not considered.

The plugin transmits the AuditAction events from IdentityIQ to the SIEM system via syslog in Common Event Format. For this purpose, a so-called Scheduled Task is configured. It is not a real-time procedure, but it can be used as a near-real-time procedure by scheduling the task at appropriately short intervals.

The SIEM Export plugin offers the following advantages:

  • A plugin for exporting syslog events in Common Event Format (CEF)
  • The task only needs the IP address and the port of the SIEM/Syslog receiver
  • The task regularly exports all configured AuditEvents from IdentityIQ to the defined address
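To illustrate what an audit event looks like on the wire as CEF inside a syslog line, here is an added example that is not the plugin's code. The event fields, the vendor and version strings, the severity, the host name and the mapping to CEF extension keys are assumptions made for the illustration. The escaping functions matter most, because values taken from identity data can contain `|`, `=` or line breaks that would otherwise corrupt the record in the SIEM.

```python
import socket
from datetime import datetime, timezone

def esc_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension values: escape backslash and '=', encode line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def audit_event_to_cef(event):
    # Header: CEF:Version|Vendor|Product|DeviceVersion|ClassID|Name|Severity
    header = "|".join(["CEF:0"] + [esc_header(f) for f in (
        "ExampleVendor", "IdentityIQ", "0.0",   # placeholder strings
        event["action"], event["action"], 3)])  # severity 3 is assumed
    ext = {
        "rt": int(event["created"].timestamp() * 1000),  # epoch millis
        "suser": event["source"],   # who performed the action
        "duser": event["target"],   # who or what was affected
        "msg": event.get("detail", ""),
    }
    extension = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items() if v != "")
    return f"{header}|{extension}"

def to_syslog(cef, created, host, facility=13, severity=6):
    """Wrap a CEF record in a BSD-syslog style line (facility 13 = log audit)."""
    pri = facility * 8 + severity
    stamp = f"{created:%b} {created.day:2d} {created:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {cef}"

def send_udp(line, address, port):
    """The receiver's IP address and port are all the sender needs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (address, port))

# Constructed sample event whose values contain CEF delimiters.
SAMPLE = {
    "action": "login|failed",
    "source": "spadmin",
    "target": "j.doe role=admin",
    "detail": "line1\nline2",
    "created": datetime(2019, 1, 2, 8, 30, 0, tzinfo=timezone.utc),
}

def sample_line():
    cef = audit_event_to_cef(SAMPLE)
    return to_syslog(cef, SAMPLE["created"], "iiq01")  # host name is assumed

if __name__ == "__main__":
    print(sample_line())
```

Because the export is scheduled rather than real-time, the `rt` value carries the time the event was created in IdentityIQ, which lets the SIEM order events correctly even when they arrive in batches.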

Download

To request access to the plugin please use the “request download” button above or contact us at sales@kogit.de.

Installing

We will provide you with a zip file that contains the plugin. Installation of the SIEM Export plugin is the same as for any other plugin. You can use the build installation method or install through IdentityIQ using the Plugin Manager Interface. Refer to the Identity Plugin Framework (IPF) documentation for instructions on installing a plugin. If you have already installed the framework, you can visit your instance of IdentityIQ and select ‘Plugins’ under the Gear dropdown menu in the upper right corner.

Feedback

Please report any bugs, feature enhancement requests, issues, or questions via the contact form on the left-hand side.

Developer Info

Developer KOGIT GmbH
Integration Name/Version kogit-siem-export-plugin 1.0
Certification Date 1/2/2219
Integrations IdentityIQ 7.3+

Support and Licensing

The SIEM Export Plugin is a KOGIT project. Please contact us for licensing details. Access to the SIEM Export plugin is provided via SailPoint’s Plugin Framework.
All support, help, bug and issue reporting and tracking is done here on the SIEM Export home page. If you have any questions or issues whatsoever, please reach out to us at sales@kogit.de.

IMPORTANT NOTE: KOGIT GmbH does not provide any warranties covering the SIEM Export Plugin, and specifically disclaims any liability for damages, including, without limit, direct, indirect, consequential, incidental, and special damages, in conjunction with the use of the SIEM Export Plugin, its artifacts or any plugin running therein.

Contact us
For more detailed information on our Plugins for SailPoint IIQ, please contact us.