Start With The End In Mind: Blog #7 – Lower the Cost of Compliance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Compliance can be complex and difficult — and as a result, costly. Meeting industry and regulatory mandates requires organizations to regularly review and certify user access privileges. This leaves many companies constantly battling with error-prone and inefficient processes such as manually generating access reports and manually remediating inappropriate user access privileges. Signs that show you need to cut compliance costs include:

  • Building or leveraging multiple, homegrown solutions to handle audit and compliance needs
  • Hiring full-time staff or consultants to handle compliance projects like access certifications and SoD policy enforcement
  • Using inefficient tools like spreadsheets and email to drive manual compliance processes
  • Treating high-risk and low-risk users the same, where insufficient attention is given to high-risk users, or too much time and effort is spent on low-risk users.

To gain better control of your identity and access data, including centrally defining policy and risk and automating your access certification process, you need to replace expensive paper-based and manual processes with automated tools. By doing so, not only can you significantly reduce the cost of compliance, you can also establish repeatable practices for a more consistent, auditable, reliable and easier-to-manage access certification effort. If you struggle to effectively implement compliance processes and integrate them into your systems and infrastructure, a governance-based identity and access management solution is the launching pad you need to improve your effectiveness and reduce the costs of sustainable compliance.

Check back for blog #8, Salvage or Replace an Existing Provisioning System

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

Security Directory Integrator – Custom SQL for JDBC Connectors

By Joshua Moore, PathMaker Group Consultant

Security Directory Integrator, formerly known as Tivoli Directory Integrator, is a powerful tool that we often use to bulk load data into ISIM. Security Directory Integrator, otherwise known as SDI, can transform data of one type into another. One of the challenges is querying specific data from a database source. For example, we often use SDI to match existing system data to another source based on a User ID, Employee ID, or some other unique identifier that is maintained in both systems.


For the purposes of this blog entry we will focus on the JDBC Connector provided with the standard SDI installation/configuration. As shown in “Figure 1,” the connector properties are relatively standard. Once the required connection parameters are provided, connecting to the database should be seamless.

Figure 1:


With the connection properties configured, link criteria can be provided to match the input data, also known as “work,” against data within the connected table. To provide custom SQL to the database connection Lookup, we need to bypass the standard “Link Criteria” and instead feed in custom JavaScript on the Connection tab shown above. Leave “Link Criteria” as it is.

Figure 2:

Context for this Example

In order to provide more context around this scenario, here is the background on the task at hand. A report (CSV format) has been provided with a list of server names and supporting content. These server names have been abbreviated with a wildcard character so that one entry covers more than one unique value (e.g. myservername*001 or myservernamedev*). Each wildcarded name therefore appears as a single row in the report, when in reality it may stand for multiple servers that share that row's supporting content. For this scenario, the wildcard must be translated into a form that SQL can use to look up the related server names and output the unique servers for each wildcard value.


To provide the JDBC connection with a custom SQL statement we need to tell SDI to use advanced JavaScript for the connection. On the Connection tab of the JDBC connector there is an “Advanced” option (Figure 3) below the standard connection criteria.

Figure 3:

Connection Tab – Advanced Options

In this Advanced section, confirm that the “Use custom SQL prepared statements” check box is checked. This tells SDI to use custom JavaScript and bypass the Link Criteria. The next step is to provide the custom JavaScript. Click on “SQL Lookup.” It does not look like much of a link, but it launches a new window (Figure 4). In this new window, you provide the JavaScript that creates, formats, and customizes the SQL to be used as the “Link Criteria” for the JDBC connector.


In our scenario, we are querying server names that contain asterisks (*) as wildcard characters to denote more than one unique server. If you are familiar with SQL syntax, you know that these asterisks cannot be used in a SQL query as wildcard characters. As noted in Figure 4, the SQL must be returned as a “string value.”

Figure 4:

Custom SQL Statement for JDBC connector:
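The following is an added example, not the script shown in the post's Figure 4: JavaScript of the kind that goes in the SQL Lookup window, building the lookup SQL for one report row and returning it as a string. It assumes a placeholder table SERVERS with a column SERVER_NAME, a work attribute named "servername", and that SDI's work.getString() is available in the hook; the report's "*" becomes a SQL LIKE "%" while quote and LIKE metacharacters in the CSV value are escaped so that a malformed row cannot alter the query.

```javascript
// Added example (not the post's own code). Placeholder table and column names:
var TABLE = "SERVERS";       // assumed placeholder
var COLUMN = "SERVER_NAME";  // assumed placeholder

// Only allow characters a server name in the report can legitimately contain,
// plus the "*" wildcard. Anything else is rejected instead of reaching the database.
function isSafeServerValue(name) {
  return typeof name === "string" && /^[A-Za-z0-9.\-_*]+$/.test(name);
}

// Translate the report's "*" wildcard into LIKE syntax. LIKE's own
// metacharacters (% and _) and the escape character are escaped so they
// match literally; only the "*" from the report becomes a wildcard.
function toLikePattern(name) {
  var out = "";
  for (var i = 0; i < name.length; i++) {
    var ch = name.charAt(i);
    if (ch === "*") out += "%";
    else if (ch === "%" || ch === "_" || ch === "\\") out += "\\" + ch;
    else out += ch;
  }
  return out;
}

// Double any single quote so the value cannot terminate the SQL string literal.
function sqlQuote(s) {
  return "'" + s.replace(/'/g, "''") + "'";
}

// Build the SQL the connector will run for this work entry.
function buildLookupSql(serverName) {
  if (!isSafeServerValue(serverName)) {
    throw new Error("rejected server value: " + serverName);
  }
  var base = "SELECT " + COLUMN + " FROM " + TABLE + " WHERE " + COLUMN;
  if (serverName.indexOf("*") === -1) {
    return base + " = " + sqlQuote(serverName);   // exact match, no wildcard
  }
  return base + " LIKE " + sqlQuote(toLikePattern(serverName)) + " ESCAPE '\\'";
}

// Inside SDI the hook returns the statement; "work" is the current input entry.
// Guarded so the file can also be loaded outside SDI for testing.
if (typeof work !== "undefined") {
  buildLookupSql(work.getString("servername")); // assumed attribute name
}
```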



There are a variety of use cases for providing custom SQL to complete the JDBC Connector's connection criteria. This simple example, although not exhaustive, was chosen to demonstrate how to provide the connector with the appropriate custom SQL using JavaScript. There is always room for more work on the kinds of “Link Criteria” you can provide, but hopefully this will get you started on the right path.

Start With The End In Mind: Blog #6 – Eliminate Audit Deficiencies and Improve Audit Performance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses.

Here are some of the most common identity risks auditors are looking for:

  • Orphan accounts: Access that remains active for employees or contractors after termination due to failure to remove privileges
  • Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles resulting in employees with access beyond their job requirements
  • Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties
  • Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit
  • Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you’ve failed an audit due to weakness around any of these identity risks, we have good news. The right identity and access management solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit. More chances of seeing audit performance improve over time.

Check back for blog #7, Lower the Cost of Compliance

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here.