General IAM

Question 1

Access Provisioning

Answer 1

Review how access is provisioned in the application and decide if you are going to collect access as an app role or entitlement

Question 2

Rules about Rules

Answer 2

Not all rules are good rules

You shouldn’t have a rule unless you plan to do something about violators

Question 3

Access Review

Answer 3

Review access at the same level it is commonly provisioned and de-provisioned

Question 4

Output of Access Recertification

Answer 4

A list of removals is the only output

Question 5

Mining for roles

Answer 5

Works once access has been cleared up through reviews

Question 6

What type of system is required when access is collected as a granular entitlement

Answer 6

the system requires a 2-part or pair of attributes… Resource and Action. It is assumed that you will have both of these fields in your source data and they are coupled together like:
Resource - Action
Group A – READ
Customer 123 - ADMIN

Question 7

If you are collecting granular entitlements, which two fields must be populated in your collector?

Answer 7

The Resource and Action field. The entitlement displayed in a review will show a colon between the two
i.e. Customer BigMart : Update

Question 8

With granular entitlements, if there is no action, what are two common population tricks

Answer 8

1. Populate the action field with a “Y” or “Yes”

2. Collect the resource as an application role

Question 9

What are additional uses of ACM?

Answer 9

Enforcing policies
Licencing Monitoring
Fraud investigation evidence
App usage and reduction strategies
Monitoring requests/Approval routines

Question 10

Which attributes should we capture?

Answer 10

attributes that would help an access reviewer make solid keep/remove decisions

ones that help with sorting

access needed to restrict forms

Question 11

How does ACM view active and inactive identities?

Answer 11

ACM doesn’t care if identities are active or terminated at the company, but whether they are being collected or filtered out.

Question 12

How many distinct processes occur in ACM?

Answer 12

2 (Identity and Target collections) These processes run independently and the logic used in one does not impact the logic used in the other

Question 13

Can logic or values from the IDC be used to filter, sort, or populate data in a target collector?

Answer 13

No - logic or values from the IDC cannot be used to filter, sort, or populate data in a target collector

Question 14

What is the only required filed in the Account collectors?

Answer 14

Account ID/Name, all others are optional but desired

Question 15

With Account collectors what benefit is gained from collecting the name, last login date, and type of account flag?

Answer 15

Name - assist in resolving orphan accounts
Last Login -helps reviewers with their maintain/revoke decision process
Account Flag - Can later filter out reviews or ensure certain types of accounts arent deleted

Question 16

What are the 5 R’s and an F of Access Management?

Answer 16

Reviews, Requests, Roles, Reports, Rules, and Fulfillment

Question 17

What is the impact of running an Aveksa review?

Answer 17

It depends on configured fulfillment method for the application where the revoke is selected.
If the app is set to auto-provisioning then a revoke will wipe it out.

Question 18

How are terminated users handled?

Answer 18

Terminated users should be flagged as terminated. The SQL query can be set to skip older terminated users and not collet them. If an identity was collected yesterday and skipped today, it will be stamped with a last seen on date and becomes inactive. Inactive dont count against licensing

Question 19

What is supplied in a Soft appliance configuration

Answer 19

RSA Aveksa supplies the RSA Aveksa software, JRE, and the JBOSS application server. The Oracle database may be supplied by RSA Aveksa or the customer based on the customer’s choosing. The customer is responsible for supplying the hardware, operating system, and optionally the VMware

Question 20

What are the components that make up an ACM installation?

Answer 20

Aveksa software
JDK 1.6.0
Oracle Database 11.2.0.3
App Server - JBOSS, Weblogic 11g, Websphere 7.0
Red Hat version 5

Question 21

What are the 4 dimensions of data collected to represent user entitlement information and complete basic access recertifications

Answer 21

Identity Data
Account Data
Entitlement data
Managed Data

Question 22

What is necessary to create a complete record for users in order to synch records properly

Answer 22

a common unique field such as user ID or email address

Question 23

What does Account data represent

Answer 23

The specific accounts in each target system for which you want to collect entitlements and perform certifications.

Question 24

What does Entitlement Data represent

Answer 24

All of the specific rights or access granted to each account within your target system. You want to capture all entitlements that grant access to a resource and can be added or removed form an account.

Question 25

What are the 3 dimensions in ACM that illustrate how entitlement data can be captured, populated, and represented in ACM

Answer 25

Application Role, Resource, and Action. Entitlements are represented by an App role or Resource/Action Pair

Question 26

How do custom attributes benefit collected data?

Answer 26

Custom attributes can be added to the 3 dimensions of data to enrich collected data; these attributes can be collected or manually populated

Question 27

What are the two types of certifications that can be generated?

Answer 27

User Access Review and Group Definition Review

Question 28

What is the function of a User Access Review?

Answer 28

A User Access review will combine the data types previously mentioned and give reviewers the ability to: - Maintain or revoke the entitlements assigned to a user account - Maintain or revoke the user groups an account is a member of

Question 29

What is the function of a group Definition Review?

Answer 29

A Group Definition review will combine the data types previously mentioned and give reviewers the ability to: Maintain or review group memberships Maintain or revoke the entitlements assigned to a user group

Question 30

What is the Top Down Approach to Role Creation?

Answer 30

Business Roles are created which are tied to business processes, organizational structure, HR data, etc.

Question 31

What is the Bottom up Approach to Role Creation?

Answer 31

Technical roles are created which are independent of the organization and combine like entitlements/functions at the application level

Question 32

What are the 4 dimensions of data needed to create and manage roles and complete related access certifications?

Answer 32

Business Roles Identity Data Technical Roles Managed Data

Question 33

What are business rules based on?

Answer 33

Business processes, identity data, membership rules. They can be manually created or collected from existing sources

Question 34

What are Identity Counts based on?

Answer 34

Based on the number of unique IDs being read into ACM. If users have more than one unique ID – then there will be more than one identity being counted If you do not filter out non-human accounts as identities (conf rooms, servers, etc) they will be included in the identity count If you do not filter out terminated users – they will be included in the identity count

Question 35

What happens when someone leaves, is terminated?

Answer 35

If we are filtering out terminated users, when we collect data the second time, it will not bring the terminated user in. ACM sees the person was collected one day but not collected the next day and the system marks them as inactive.,,,the no longer count towards your active identities or license total

Question 36

What is the Account ID/Name field in CSV files used for?

Answer 36

It is required to connect the entitlement collector to the account collector

Question 37

If an account has more than one role or entitlement, how should they be represented in the CSV file?

Answer 37

They should be captured on separate rows

Question 38

Which fields should you bring in for Identity Collections?

Answer 38

Only fields that support rule automation, support reviewers, support reports. Any other fields pollute your database, make collections take longer and increase the opportunities for data integrity issues.

Question 39

Logic or values from Identity collectors in target collectors

Answer 39

Logic or values from identity collectors can't be used to filter, sort, or populate data in a target collector

Question 40

What is the only required field in the account collector?

Answer 40

The Account ID/Name field is the only required field. This is used to link back to the Entitlements

Question 41

How does the Last Login field help reviewers to make good decisions?

Answer 41

If someone hasn't logged in for a while, probably safe to remove access

Question 42

How is the Type of Account Flag used?

Answer 42

This flag can be used to filter certain accounts out of reviews and to ensure they won't get deleted - service accounts system, training, shared accounts. Usually added as a managed attribute

Question 43

Why is the Entitlement Risk Level attribute a common attribute?

Answer 43

It is used for filtering and running reviews on high risk items more frequently, usually a managed attribute.

Question 44

How can knowing a little bit about the data assist with running your IAM program?

Answer 44

Help to identify trends, example resolving orphan for client system app. Several smiths as last name. If you know the app is client system can help you narrow down that orphan account quicker rather than going through multiple applications. - 1 app they dump everyone every quarter and make people have to reapply for access - An access review is not required because for auditors it happens every quarter