
Sharing IdentityIQ Data with AI-Driven Identity Security

IdentityIQ connects to AI-Driven Identity Security through a bespoke Identity Security Cloud tenant. Customers deploy an AI-Driven Identity Security Virtual Appliance that handles all communication, which requires the firewall to be configured to allow outbound HTTPS traffic from the appliance.

For more information on the Identity Security Cloud tenant and the AI-Driven Identity Security Virtual Appliance, see Getting Started with AI-Driven Identity Security for IdentityIQ.

Customers can configure which identity attributes are collected for each identity; this configuration is set during the provisioning of their tenant.

All data is moved over encrypted channels: Amazon Kinesis Data Firehose, which encrypts data using AWS Key Management Service (KMS), and Amazon SQS.

IdentityIQ Data Collected for AI

Selected data, as configured by each individual organization, is gathered by the AI-Driven Identity Security Virtual Appliance and stored in both the Identity Security Cloud and AI-Driven Identity Security repositories. All data movements are done via encrypted channels. Once transmitted, data is stored according to the mechanisms of the final repository.

These are the objects, and the associated information, that are collected from IdentityIQ and stored in the AI-Driven Identity Security repository:

Application

  • ID
  • Name
  • Created
  • Modified
  • Extended attributes (as defined in the ObjectConfig attribute definitions)
  • Connector
  • Type
  • isAuthoritative
  • Features
  • Owner

Bundle (Role)

  • Id
  • Name
  • Created
  • Modified
  • Type
  • Description
  • displayableName
  • Selector summary (getSelector().generateSummary())
  • roleTypeDefinition (used to determine if the role is assignable)
  • activationDate
  • deactivationDate
  • Owner
  • Profiles
  • Inheritance
  • Requirements
  • Permits

Certification

  • Id
  • Name
  • Created
  • Modified
  • isComplete
  • Phase
  • isBulkReassignment
  • Cert definition (used to calculate the due date)
  • Signed date
  • Finished date
  • Expiration date
  • Tags
  • isElectronicallySigned
  • isProcessRevokesImmediately
  • Application
  • certificationGroups
  • Reviewers
  • Signer
  • Manager
  • Parent certification (if there is one)

CertificationGroup

  • Id
  • Name
  • Created
  • Modified
  • Certification definition (used to find the cert type)
  • Status

CertificationItem

  • Id
  • Name
  • Created
  • Modified
  • Item type and Identity name (used to calculate the item name)
  • Type
  • summaryStatus
  • hasDifferences
  • Subtype
  • Completed date
  • Action object
  • action.approved
  • action.status
  • action.decisionDate
  • action.isBulkCertified
  • action.isRemediationCompleted
  • action.remediationAction
  • action.mitigationExpiration
  • Certification
  • Id (of the identity)
  • Actor
  • Certification definition (used to check showRecommendations)
  • Recommendation
  • DataOwner
  • nativeIdentity
  • Instance
  • isAccountOnly
  • Application
  • Related Link objects
  • Managed attributes tied to the entitlement
  • Type of Bundle (bundle id)
  • Type of PolicyViolation
  • constraint name
  • policy name
  • status
  • mitigationExpiration
  • identity
  • revokedRoleIds
  • revokedEntitlementReferences

Identity

For the Identity object, a configurable list of identity attributes is collected. These additional attributes include details such as first name, last name, and department. Which attributes are included is at the customer's discretion and is configured during the provisioning of the customer's tenant.

  • Id
  • Name
  • Created
  • Modified
  • Attributes (certain attributes can be excluded)
  • Score
  • Links
  • Manager
  • assignedRoles
  • detectedRoles
  • Workgroups
  • IdentityEntitlement objects
  • policyViolations
  • Type
  • softwareVersion
  • Administrator

For Workgroup Identities

  • Id
  • Name
  • Created
  • Modified
  • All attributes
  • Owner

IdentityRequest

Categorized as accessRequest, passwordRequest, identityChangeRequest, or identityRequest.

  • Id
  • Name
  • Created
  • Modified
  • Type
  • endDate
  • executionStatus
  • completionStatus
  • Priority
  • requesterDisplayName
  • targetIdentity
  • Requester
  • affectedAccounts
  • affectedApplications
  • affectedBundles
  • affectedEntitlements
  • Items

IdentityRequestItem

  • Id
  • Name
  • Created
  • Modified
  • Application
  • Instance
  • nativeIdentity
  • displayName
  • Name
  • Value
  • Annotation
  • Operation
  • startDate
  • endDate
  • isApproved
  • isRejected
  • provisioningState
  • compilationStatus
  • expansionCause
  • Retries
  • provisioningEngine
  • Owner
  • Approver
  • targetIdentity (to get affected accounts)
  • affectedApplications
  • affectedBundles
  • affectedEntitlements
  • Recommendation
  • Number of attachments

Link

For the Link object, a configurable list of identity attributes is collected. These additional attributes include details such as first name, last name, and department. Which attributes are included is at the customer's discretion and is configured during the provisioning of the customer's tenant.

  • Id
  • Name
  • Created
  • Modified
  • nativeIdentity
  • isDisabled
  • isLocked
  • Application
  • Attributes (certain attributes can be excluded)
  • Identity

ManagedAttributes

  • Id
  • Name
  • Created
  • Modified
  • displayableName
  • Attribute
  • Value
  • Description
  • isAggregated
  • isRequestable
  • Owner
  • Application
  • Permissions

PolicyViolation

  • Id
  • Name
  • Created
  • Modified
  • constraintName
  • policyName
  • Status
  • mitigationExpiration
  • Identity
  • revokedRoleIds
  • revokedEntitlements

Profile

  • Id
  • Name
  • Created
  • Modified
  • accountType
  • Owner
  • Application
  • Bundle
  • Managed attributes (for entitlement references)