Preventative SOD between access policies

The intention here is highlight the policy violations and demonstrate the preventative SOD enforcements between policies. In this example, the word 'preventative' is used loosely. There are clear indications on the SOD enforcements though maybe not as expected.
March 22, 2013
OIA-11g

Firstly, I created two policies within OIA (Policy1 and Policy2). Once created, I can then populate OIA by highlighting that these policies will be a SOD violation if coupled together to a business role. The image highlights on the left the 2 policies that were created and the exclusion between the policies (on the right). In this example I am highlighting that Policy1 should not be assigned to Policy 2. If I clicked on Policy2, I would be able to see the reversed relationship.

https://technicalconfessions.com/images/postimages/postimages/_43_2_Exclusion_of_policies_within_OIA.png

To cause a violation, I must first couple these two policies with a business role (Called Role3). At this stage I am only preparing for approval so the preventative enforcement is yet to take place.

https://technicalconfessions.com/images/postimages/postimages/_43_3_Adding_policies_to_roles_OIA.png

I navigate into Role3 and assign both policies to the role then send this for approval request to the role owner. Being able to send an approval with a SOD violation suggests that a request can override the 'preventative' enforcement (Which I'm not sure is correct). Ideally, there should be an explicit enforcement to enforce the inability to submit a request containing a violation.

https://technicalconfessions.com/images/postimages/postimages/_43_4_selecting_policies_for_role_within_OIA.png

Until now,there has been no explicit flagging or indication that I have just committed an approval containing an SOD violation. The argument would suggest that It's essentially the role owners responsibility to ensure that no SOD enforcement should take place. So lets see what the approver would see when they receive a pending request.

https://technicalconfessions.com/images/postimages/postimages/_43_5_completed_request_of_roles_within_OIA.png

So the role owner has logged in and accepted the request. No changes to the policy were made meaning no policy approval has taken place. This now means that the SOD violation has now been accepted.

https://technicalconfessions.com/images/postimages/postimages/_43_6_reviewing_policy_within_request.png

If we review the completed request, we are able to see an implicit indication of the violation. In this example, there are only 2 policies so the violation is obvious if the individual reviewed the 'exclusion policy'. though we must remember that this should be a preventative enforcement rather than an indication.

https://technicalconfessions.com/images/postimages/postimages/_43_7_highlighting_preventatve_SODs.png

This indication could be potentially missed if multiple policies were involved. The associated violation may not be within the same request, meaning the navigator would require further analysis to determine if there's a possible violation.

https://technicalconfessions.com/images/postimages/postimages/_43_8_reviewing_access_control_of_role_within_OIM.png

We are able to see this violation by clicking the policy and acknowledging that there's a violation. The issue here is that based on human error, the approval can be easily missed.

https://technicalconfessions.com/images/postimages/postimages/_43_9_Viewing_3_policies_within_OIM.png

There is now a new active version of the role with the policies assigned. The best indication for the policy enforcement is that the policies are flagged as red within the OIA GUI highlighting a violation.

You are able to see this clear indication when I include another policy to the role which is not subjected to any other violation.

Even though there's a clear indication that there's a violation, we are still able to push this to the provisioning server and implemented into the real world Within OIM, if we click on Role3 we'd be able to see the access policies (policies assigned)


Conclusion

Even though there's a clear indication that there's a policy indication, I do not believe this enforcement is preventative as we are able to submit the request should be still have a simple workaround, this does not prevent the preventative enforcement to take place.

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

AWS-PHP integration - Email not sent. SMTP Error: Could not authenticate.

phpsmtpaws

February 6, 2020
Created by: Daniel Redfern
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...

SOLUTION: no headers files (.h) found in softwareserial - Arduino

Arduino

February 24, 2019
Created by: Daniel Redfern
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...