Standard solution or custom-made? Both!
Every corporate IT infrastructure has grown individually and is unique. To keep IAM projects lean, KOGIT endeavors to use the standard functions of the software products and extends them as required, through customizing and/or its own add-ons and plug-ins, to adapt them to the individual system requirements of our customers.
With our SailPoint-certified plugins SoD-Matrix, IIQ History Plugin, SAP OM Importer Plugin and Role Analytics Plugin, we offer our customers additional functions that can be seamlessly integrated into SailPoint IdentityIQ. Furthermore, we offer the two add-ons SailPoint Tester and SP2Doc to SailPoint IdentityIQ customers.
Segregation of Duties Matrix for SailPoint IdentityIQ
The SoD Matrix Plugin complements SailPoint IdentityIQ with a graphical interface to maintain and visualize the segregation of duties (SoD).
The clear representation in the SoD-Matrix is ideal for mapping the personal separation of functions on the IT level. Conflicts, borderline cases and permitted combinations are marked according to a traffic light principle and thus optimally prepared for audits. Data maintenance is carried out in a time-saving manner by mouse click.
Easily overview and edit segregation of duties to save time
IdentityIQ from SailPoint integrates compliance management and provisioning into an efficient identity and access management solution and is therefore used worldwide in banks and large companies.
IdentityIQ’s standard features include enhanced role categories and policy guidelines, which are required to manage segregation of duties (SoD). This is the organizational separation of functions to avoid conflicts of interest. Until now, it was not possible to visualize and manage these role categories clearly in IdentityIQ. The KOGIT SoD-Matrix-Plugin closes this gap.
The SoD-Matrix-Plugin for IdentityIQ offers a graphical user interface with the extended role SoD and policy guidelines. With this feature, the company-wide SoD rules can be reviewed at a glance and maintained in a time-saving manner by mouse click.
The segregation of duties is clearly represented in the matrix that is based on the function categories and the policy guidelines in IdentityIQ. With this clear representation, the company-wide SoD rules can be configured according to the requirements of the MaRisk of the BaFin. Conflicts, borderline cases and permitted combinations are marked according to the traffic light principle and are thus optimally prepared for audits.
KOGIT IIQ History Plugin
SailPoint IdentityIQ tells you where sensitive data is and who is allowed to access it. With the IIQ History Plugin you can see where your data was stored and who had access to it. The KOGIT plugin complements IdentityIQ with an efficient archiving option for identities, roles and access rights. The clear representation of the historical data enables a fast search based on parameters, characteristics and the authorization status at a certain point in time.
KOGIT History Plugin for SailPoint's IdentityIQ
Who had access to which data at what time?
The Plugin supports archiving, reporting and analysis for historical IAM data – making it ideal for compliance with external audits and forensic investigations. Moreover, it helps companies fulfil statutory data retention requirements, which are typically ten years in many industries. Searches can be executed on archived data on the basis of attributes, values, and time/date of access activity.
The IIQ History Plugin enables companies to rapidly and precisely find answers to key questions such as: Where was sensitive data stored? Who accessed this data? Was the user authorized to access this data? And what evidence is available to document the activity?
And while auditors and investigators generally focus on point-in-time inquiries related to user access, user role, and policies, this powerful plugin goes further – for example, it is possible to identify who assigned or approved access rights and roles, and who had access to a specific transaction or data during a defined time period. KOGIT IIQ History Plugin allows organizations to provide this information to external parties quickly and without placing a major load on their IIQ environment. It generates historical data in a report-friendly format and has an intuitive user interface for reports, historical searches and the selection of filters by identities, by roles, by policies or workgroups.
Two new features with Version 2.1
The new Multi-Tenancy Capability allows users to store the assigned scope of historicized objects. The UI considers scoping to filter results, just like scopes in the IIQ core product. A new capability supersedes the scope filter; in all other cases, only historical objects in the controlled scope of the logged-in user are returned as result records.
The second new feature is a set of reports that query the history database. The History Reports provide pre-configured reports that are available for Identities, Business Roles, IT Roles, Entitlements (identities with access) and Workgroup Membership and allow users to extract report results as PDF or CSV files.
The KOGIT IIQ History Plugin is based on a data model developed specifically for historical IIQ objects, and includes four custom tables for data on access activities. The “custom history object” table enables businesses to track changes to data. The “custom history string” table stores scalar object properties, and enables records to be kept of information such as who was a member of a certain department at a given time. The “custom history reference” table is similar, but also stores a reference ID, allowing it to track any renaming of objects. The fourth table, “custom history complex”, supports complex searches with a large number of variables.
The KOGIT IIQ History Plugin makes use of a highly configurable, smart ETL (extract, transform, and load) process which creates snapshots of IIQ objects and archives these in the history tables. New snapshots are only added to the database when changes to data have taken place. The ETL process can be configured in line with specific needs. The plugin includes a task definition template for scheduled historical data extraction from SailPoint IIQ and will also support an API method for ad hoc single object extraction.
The KOGIT IIQ History Plugin is quickly installed and easy to use. In a short video we demonstrate the functionality of the plugin.
KOGIT Role Analytics Plugin
The KOGIT Role Analytics Plugin simplifies navigation between different tasks in IIQ.
The plugin provides a user-friendly way for users to view identities, roles and permissions and their corresponding relationships. Users can easily zoom in and out of details during daily tasks, and the plugin’s search and display functionality is complemented by a role dashboard that highlights important KPIs of role and permission status and usage.
KOGIT Role Analytics Plugin for SailPoint IdentityIQ
The KOGIT Role Analytics Plugin for SailPoint IdentityIQ was developed at the request of our customers for a simpler role navigation in IIQ. With the latest KOGIT plugin, users now have a simple tool to zoom in and out of details to perform daily tasks without having to conduct a new search for each task.
In addition to the search and display services, the Plugin enhances IIQ and adds a role dashboard that highlights important KPIs.
Furthermore, it offers the following advantages (among others):
- Export Options
- A viewing tool for roles, identities, and entitlements
- Representation of the use and assignment of individual objects, such as role compositions
- Dashboard with key figures for using entitlements and roles
Data transfer from SAP to SailPoint IdentityIQ
The KOGIT SAP OM Plugin allows users to load data from SAP OM to better support a number of IAM scenarios. Some of these include:
- Vacant manager position,
- Automatic role creation,
- Automatic role assignments with a transition period,
- Improving mover processes and
- Simulating organizational changes.
KOGIT SAP OM Importer Plugin for SailPoint IdentityIQ
Companies using SAP Organizational Management (OM) often need the information contained in SAP OM in SailPoint IdentityIQ as well. The new KOGIT plugin makes this possible. The KOGIT SAP OM Plugin provides an IdentityIQ task that connects to an SAP HCM system, loads the organizational structure and stores it in IdentityIQ. Since IdentityIQ does not contain its own hierarchical object, roles can be used to model hierarchical structures. Therefore, the KOGIT SAP OM Plugin maps the SAP objects to role objects.
The KOGIT SAP OM Importer Plugin provides a task to load the following organizational data from SAP OM:
- Organizational Units,
- Persons and
- Executive positions.
The task can be configured to create a hierarchy of business roles in IdentityIQ from these objects that corresponds to the hierarchy in SAP OM. It supports the automatic creation of assignment rules to assign these roles to identities that in turn are assigned to entities.
Optionally, role assignments can be configured to take place before or after the actual assignment to an organizational structure in SAP OM begins or ends.
The interface from IdentityIQ to a SIEM
The SIEM Plugin is an essential building block of the architecture for secure identity access management that integrates IAM, PAM and SIEM solutions.
Delivering log data (AuditEvents) from IdentityIQ to a SIEM requires an interface. The advantages:
- A plugin for exporting syslog events in Common Event Format (CEF)
- The task only needs the IP address and the port of the SIEM/Syslog receiver
- The task regularly exports all configured AuditEvents from IdentityIQ to the defined address
KOGIT SIEM Export Plugin for SailPoint IdentityIQ
The customer's requirement to integrate IdentityIQ with a SIEM calls for an interface that delivers log data from IdentityIQ to the SIEM. In this context, log data refers to the AuditEvents in IdentityIQ. Further technical or business log data like Syslog or ProvisioningTransaction are not considered.
Technical log data of the web server can be collected via the operating system monitoring of the SIEM.
The plugin transmits the AuditAction events from IdentityIQ to the SIEM system via syslog in Common Event Format (CEF). For this purpose, a Scheduled Task is configured. It is not a real-time procedure, but with a suitably short schedule interval it can be used as a near-real-time one.
The plugin is currently supported in English and German.
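The CEF-over-syslog export described above, shown as an added example that is not KOGIT's plugin code: it renders one audit record as a CEF line with the escaping the format requires, wraps it in a syslog header, and parses it back the way a receiver would, so a value containing `=` or a line break cannot turn into an extra field. The record's field names, the vendor/product strings, the extension key mapping and the helper names are assumptions made for this example.

```python
import re

# Constructed sample record; the field names are assumptions for this example,
# not the plugin's schema. "detail" holds '=' and a line break on purpose.
SAMPLE_EVENT = {
    "created_ms": 1700000000000,
    "action": "roleAssigned",
    "source": "admin|ops",
    "target": "jdoe",
    "detail": "comment: outcome=approved\nsecond line",
}

def esc_header(value):
    """CEF header fields: escape backslash first, then the '|' delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    """CEF extension values: escape backslash and '=', encode line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(event, vendor="ExampleVendor", product="ExampleIAM", version="0.0"):
    """Render one record as a CEF:0 line; device fields are placeholders."""
    header = [vendor, product, version, event["action"], event["action"], 3]
    ext = {
        "rt": event["created_ms"],  # receipt time, epoch milliseconds
        "act": event["action"],
        "suser": event["source"],
        "duser": event["target"],
        "msg": event["detail"],
    }
    head = "|".join(esc_header(h) for h in header)
    return f"CEF:0|{head}|" + " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())

def to_syslog(cef_line, timestamp, host, app="iam-export", pri=134):
    """Wrap the line in an RFC 5424 header; PRI 134 is local0.info."""
    return f"<{pri}>1 {timestamp} {host} {app} - - - {cef_line}"

def _unescape(match):
    ch = match.group(1)
    return {"n": "\n", "r": "\r"}.get(ch, ch)

def parse_extension(cef_line):
    """Receiver side: skip the 7 header delimiters, then read key=value pairs."""
    ext = re.match(r"(?:(?:\\.|[^|\\])*\|){7}(.*)$", cef_line, re.S).group(1)
    pairs = re.findall(r"(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|$)", ext)
    return {k: re.sub(r"\\(.)", _unescape, v) for k, v in pairs}
```

Without `esc_ext`, the `outcome=approved` text inside the free-text field would be read by the receiver as a separate `outcome` key, and the embedded line break would split the record into two syslog messages.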
Simple documentation with SailPoint2Doc
With the SailPoint2Doc AddOn from KOGIT, customer-specific adaptations to SailPoint installations can be displayed in a clear form, easily and without system access. Project managers, consultants and developers receive an interactive documentation of the complete workflows at the push of a button. This reduces the amount of training required for new project staff. SailPoint2Doc shows an interactive summary of the most important parameters of the adjustments instead of the code of the XML files and visualizes all connections between the objects – thus the result is also well readable and understandable for project members who are lacking the detailed technical knowledge of SailPoint products. While manually created documentation quickly becomes obsolete, SailPoint2Doc offers the advantage of the created documentation always being up-to-date.
Automated tests for SailPoint IdentityIQ workflows and rules
Efficient testing of project-specific adaptations for SailPoint IdentityIQ is an essential component of quality assurance in every implementation project. The SailPointTester is a Java-based add-on that allows automatic (JUnit) tests of rules, workflows, email templates and much more, which integrate seamlessly into the development process. With the SailPointTester, rules or individual workflow steps can be executed locally in the development environment without connection to a database and the results verified. For more extensive tests, the SailPointTester supports offline mode as well as tests against a real IdentityIQ database. A must for every complex implementation project.