I posted this in the IDM forum as well.

Customer is wanting a way to help stop or prevent mass events that may
come from their authoritative systems. Example, someone does a huge
snafu with a data import that trickles down to IDM / eDirectory. AD or
other systems can prevent a mass deletion of x number of users coming
through.... Mass change in Oracle sends mass changes via JDBC driver to
eDirectory, etc.

We are going to be sending audit information to their SIEM. That may be
a way to analyze and send notifications...

There may be a way to capture those events and reverse them via IDM,
however, IDM isn't a great source without a lot of changes to each
authoritative driver where events would be flowing from. We would
essentially have to cache all the xml documents for a period of time and
analyze if there are bulk changes of a given type and do we want to
proceed or notify administration to look at as it may be a mass deletion
..... It would eliminate the event driven live / quick changes. Might as
well go with an Oracle IDM approach instead. Any delete event that is
processed to eDirectory could possibly have an obituary process also
kick off etc.

I'm wondering if an eDirectory enhancement would be better. A feature
that could be turned on or off. An AD recycle bin type of a feature...
To analyze data events in a window of time prior to executing events. To
cache certain events and restore those changes ... Obit process wouldn't
be able to process them for x amount of time... The only data that
would be cached and not proceed and replicated would be maybe a delete
event or a remove value event of a given object class and attribute

Allow administration to choose object class, attributes and operations
to monitor. When one of the operations happens, such as a delete event,
it will look to see if the object is for the restricted class, if so,
then it will hold the delete event in cache for 60 seconds. Prior to
acting on the delete after the 60 seconds, it will analyze the number of
delete events of that same object class in cache. If it is 100 or more
(configurable by administration) it will prevent the deletion and move
the cached items of those type to a "recycle bin" and notify
administration to act on it. If administration approves it, then it is
sent to the normal event processing with obituaries, etc processing.

With this type of a solution, it would be off by default... It would be
highly configurable (you can shoot yourself in the foot), but you could
require auditing to be enabled as well so that one would know what has
been deleted and caught. Not designed to be foolproof, but purely to
help avoid having to do a restore of data, especially in large environments...

Thoughts? Should this be submitted? Has something like this already been
submitted? Being with a partner, I can submit it through my channels,
but it would mean more for customers to request something like this.
Bugs are prioritized by customer input.


fp_IDMWORKS's Profile: https://forums.netiq.com/member.php?userid=9869
View this thread: https://forums.netiq.com/showthread.php?t=56241
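The hold-and-count mechanism proposed in the post (cache monitored operations for a window, count cached events of the same object class and operation when the window expires, quarantine the whole batch and notify if the count meets the threshold, otherwise release to normal processing, and let an administrator approve a quarantined batch later) modelled as an added example. This is illustrative code written for this thread, not code from the original post, from eDirectory, or from NetIQ IDM; the `DirEvent`, `DeleteGuard`, `submit`, `tick` and `approve` names, the injected clock, and the constructed scenario in `demo()` (threshold lowered to 5 instead of the post's 100 so the burst is short) are all assumptions.

```python
"""Model of a hold-and-count guard against bulk directory deletions.

Illustrative only; names and behaviour are assumptions, not an eDirectory API.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DirEvent:
    op: str                          # "delete", "remove-value", "modify", ...
    object_class: str                # e.g. "User"
    dn: str
    attribute: Optional[str] = None  # set for remove-value events


class DeleteGuard:
    """Delays monitored operations and quarantines them when a burst is detected."""

    def __init__(self, monitored: Dict[str, Set[str]], hold_seconds: float = 60.0,
                 threshold: int = 100, notify: Callable[[str], None] = print):
        self.monitored = monitored        # object_class -> operations that are held
        self.hold_seconds = hold_seconds  # cache window (post proposes 60 s)
        self.threshold = threshold        # burst size that triggers quarantine
        self.notify = notify              # administrator notification hook
        self.applied: List[DirEvent] = []        # sent on to normal processing
        self.recycle_bin: List[DirEvent] = []    # quarantined, awaiting review
        self._pending: Deque[Tuple[float, DirEvent]] = deque()  # (arrival time, event)

    @staticmethod
    def _kind(ev: DirEvent) -> Tuple[str, str]:
        return (ev.object_class, ev.op)

    def submit(self, ev: DirEvent, now: float) -> str:
        """Unmonitored events stay on the live path; monitored ones are cached."""
        if ev.op not in self.monitored.get(ev.object_class, set()):
            self.applied.append(ev)
            return "applied"
        self._pending.append((now, ev))
        return "held"

    def tick(self, now: float) -> List[Tuple[str, int]]:
        """Process cached events whose hold window has elapsed."""
        outcome: List[Tuple[str, int]] = []
        while self._pending and now - self._pending[0][0] >= self.hold_seconds:
            _, ev = self._pending.popleft()
            kind = self._kind(ev)
            same = [p for _, p in self._pending if self._kind(p) == kind]
            if 1 + len(same) >= self.threshold:
                # Burst: quarantine this event plus every cached event of the same kind.
                self._pending = deque((t, p) for t, p in self._pending
                                      if self._kind(p) != kind)
                batch = [ev] + same
                self.recycle_bin.extend(batch)
                self.notify(f"held {len(batch)} {kind[1]} events on {kind[0]}; review required")
                outcome.append(("quarantined", len(batch)))
            else:
                self.applied.append(ev)  # below threshold: normal processing
                outcome.append(("applied", 1))
        return outcome

    def approve(self, object_class: str, op: str) -> int:
        """Administrator releases a quarantined batch to normal processing."""
        kind = (object_class, op)
        batch = [e for e in self.recycle_bin if self._kind(e) == kind]
        self.recycle_bin = [e for e in self.recycle_bin if self._kind(e) != kind]
        self.applied.extend(batch)
        return len(batch)


def demo() -> dict:
    """Constructed scenario: normal churn, an unmonitored modify, then a bad import."""
    log: List[str] = []
    guard = DeleteGuard({"User": {"delete", "remove-value"}}, hold_seconds=60,
                        threshold=5, notify=log.append)
    for i in range(3):  # three deletes: below threshold, released after the window
        guard.submit(DirEvent("delete", "User", f"cn=u{i},ou=people,o=example"), now=0)
    normal = guard.tick(now=61)
    modify = guard.submit(DirEvent("modify", "Group", "cn=staff,ou=groups,o=example"), now=70)
    for i in range(6):  # six deletes in one second: the burst
        guard.submit(DirEvent("delete", "User", f"cn=bulk{i},ou=people,o=example"), now=100)
    burst = guard.tick(now=161)
    return {
        "normal": normal, "modify": modify, "burst": burst,
        "applied": len(guard.applied), "quarantined": len(guard.recycle_bin),
        "notifications": len(log), "approved": guard.approve("User", "delete"),
        "applied_after_approval": len(guard.applied),
    }


if __name__ == "__main__":
    print(demo())
```

The clock is passed in rather than read from `time.time()` so the window logic can be exercised deterministically; in a real directory agent the same structure would sit in the event path ahead of obituary processing, with the monitored classes, operations, window and threshold coming from configuration and every hold or quarantine also written to the audit stream the post mentions.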