on 03/02/2023 10:58 AM
Problem statement:
How do you configure out-of-band access detection for an endpoint?
Context:
Ideally, an account is provisioned to a user in one of the following ways:
What is out-of-band access?
Out-of-band access is access granted to a user account outside EIC, that is, assigned directly in the third-party (target) application rather than through an EIC provisioning task.
EIC provides an out-of-band access detection feature that detects, and can revoke, access that was assigned by the target system rather than by EIC.
EIC recognises such access by the absence of a Task ID on the account-to-entitlement mapping: every access provisioned through EIC carries the key of the task that created it, so a mapping with no Task ID was assigned directly in the target system or by a coexisting IAM system, without an EIC audit trail, and is treated as out-of-band.
Note: Out-of-band access detection is configured per endpoint.
When the Revoke Out of Band Access job runs, EIC creates either Deprovision Access tasks or Deprovision Access and Re-create Access Request tasks for access that was not provisioned through EIC. Which of the two it creates depends on the Action for Out of Band Access Detection option set on the Endpoint Details tab (ADMIN > Identity Repository > Security Systems > Endpoints).
Solution:
Perform the following steps to activate out-of-band access detection for an endpoint:
1. Bootstrap the existing access at the endpoint. Update a dummy task key on all existing account-entitlement entries for the endpoint that have none. This baselines the current state: the access that exists at the time detection is switched on is accepted as known, and only access that appears afterwards without a task key is reported.
2. Update the endpoint: set the Action for Out of Band Access Detection option on the Endpoint Details tab (ADMIN > Identity Repository > Security Systems > Endpoints) to the action you want taken on detected access.
3. Run the Revoke Out of Band Access job (RevokeOutOfBandAccessJob) from the Job Control Panel (Admin > Job Control Panel) to revoke the out-of-band access granted to users.
Note: Deprovisioning tasks are created for every mapping whose task is not present in EIC (an empty taskkey in the account entitlements table). This is why step 1 must run before the job: without the bootstrap, every pre-existing mapping on the endpoint would be treated as out-of-band and revoked.
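The following is an added illustration, not Saviynt code and not the real EIC schema: a small Python model of the three steps above. It shows why the bootstrap matters by running the detection logic twice over the same constructed account-entitlement rows, once without the dummy task key (every pre-existing mapping is flagged) and once with it (only the access granted directly in the target afterwards is flagged). The table layout, the endpoint and entitlement names, the dummy value "BOOTSTRAP-DUMMY", and the way the endpoint action selects the tasks are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder written during bootstrap. The page does not state the value EIC
# expects; any non-empty marker works for this model (assumption).
DUMMY_TASK_KEY = "BOOTSTRAP-DUMMY"

# The two choices the page names for "Action for Out of Band Access Detection".
DEPROVISION = "Deprovision Access"
DEPROVISION_AND_RECREATE = "Deprovision Access and Re-create Access Request"


@dataclass
class AccountEntitlement:
    """One row of the account-to-entitlement mapping (modelled, not the real schema)."""
    endpoint: str
    account: str
    entitlement: str
    taskkey: Optional[str] = None  # None or "" means no EIC task created this mapping


def bootstrap_endpoint(rows: List[AccountEntitlement], endpoint: str,
                       dummy: str = DUMMY_TASK_KEY) -> int:
    """Step 1: baseline an endpoint by stamping a dummy task key on every
    existing mapping of that endpoint that has none. Returns rows updated."""
    updated = 0
    for row in rows:
        if row.endpoint == endpoint and not row.taskkey:
            row.taskkey = dummy
            updated += 1
    return updated


def revoke_out_of_band_job(rows: List[AccountEntitlement],
                           endpoint_actions: Dict[str, str]
                           ) -> List[Tuple[str, AccountEntitlement]]:
    """Step 3 in this model: a mapping with an empty task key on an endpoint
    that has an action configured is out-of-band. Endpoints without a
    configured action are skipped (detection is per endpoint)."""
    tasks: List[Tuple[str, AccountEntitlement]] = []
    for row in rows:
        action = endpoint_actions.get(row.endpoint)
        if action is None or row.taskkey:
            continue
        tasks.append((DEPROVISION, row))
        if action == DEPROVISION_AND_RECREATE:
            tasks.append(("Re-create Access Request", row))
    return tasks


def sample_rows() -> List[AccountEntitlement]:
    """Constructed sample data: access that predates detection on two endpoints,
    plus one mapping that EIC itself provisioned (it carries a task key)."""
    return [
        AccountEntitlement("AD-Prod", "jsmith", "CN=Domain Admins", None),
        AccountEntitlement("AD-Prod", "alee", "CN=VPN Users", None),
        AccountEntitlement("AD-Prod", "rkhan", "CN=Finance", "TASK-1001"),
        AccountEntitlement("SAP-ECC", "jsmith", "S_ADMIN", None),
    ]


def run_without_bootstrap() -> List[str]:
    """Failure mode: skipping step 1 makes every pre-existing mapping a target."""
    rows = sample_rows()
    # Granted directly in AD after detection was enabled: truly out-of-band.
    rows.append(AccountEntitlement("AD-Prod", "jsmith", "CN=Backup Operators", None))
    tasks = revoke_out_of_band_job(rows, {"AD-Prod": DEPROVISION})
    return [f"{r.account}:{r.entitlement}" for _, r in tasks]


def run_with_bootstrap() -> Tuple[int, List[Tuple[str, str, str]]]:
    """Correct order: bootstrap, enable the action, then run the job."""
    rows = sample_rows()
    baselined = bootstrap_endpoint(rows, "AD-Prod")
    rows.append(AccountEntitlement("AD-Prod", "jsmith", "CN=Backup Operators", None))
    tasks = revoke_out_of_band_job(rows, {"AD-Prod": DEPROVISION_AND_RECREATE})
    return baselined, [(kind, r.account, r.entitlement) for kind, r in tasks]


if __name__ == "__main__":
    print("without bootstrap:", run_without_bootstrap())
    print("with bootstrap:", run_with_bootstrap())
```

Note that the SAP-ECC row is never flagged in either run because no action is configured for that endpoint, which is the per-endpoint behaviour the page describes; the bootstrap also leaves it untouched because it only touches the endpoint it is run for.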
Dummy taskkey? What is the dummy value? Is it the same for all endpoints?