Executes SailPoint IdentityIQ entitlement reviews including manager certifications, targeted access reviews, role verification, SoD remediation, and automated revocation workflows. For IGA compliance and access governance.
- Compliance requires quarterly or annual access certification campaigns (SOX, HIPAA, PCI-DSS)
Not for real-time access control decisions: IdentityIQ certifications are a periodic review process intended for governance and compliance validation, not for enforcement at access time.
Plan the certification scope and reviewer assignment:

```java
// SailPoint IdentityIQ BeanShell - campaign configuration
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*;

// Schedule for the quarterly manager certification. The schedule is what the
// certification scheduler launches, so the definition built below must be
// attached to it before it is handed over; saving the definition alone does
// not start a campaign
CertificationSchedule schedule = new CertificationSchedule();
schedule.setName("Q1-2026-Manager-Access-Review");
schedule.setDescription("Quarterly manager certification of all active employees");
schedule.setType(Certification.Type.Manager);

// Campaign scope. Option setter names differ between IdentityIQ releases;
// confirm each against the CertificationDefinition javadoc of the installed version
CertificationDefinition certDef = new CertificationDefinition();
certDef.setName("Q1 Manager Certification");
certDef.setOwner(context.getObjectByName(Identity.class, "cert-admin"));

// Certification options: what each manager sees for each direct report
certDef.setCertifierSelectionType(CertificationDefinition.CertifierSelectionType.Manager);
certDef.setIncludeEntitlements(true);
certDef.setIncludeRoles(true);
certDef.setIncludeAccounts(true);
certDef.setIncludeAdditionalEntitlements(true);

// Exclude service accounts from the manager review (they belong in the
// application-owner campaign). The exclusion filter matches the identities
// to drop, so it must select type == "service", not the inverse
Filter exclusionFilter = Filter.eq("type", "service");
certDef.setExclusionFilter(exclusionFilter);

// Notifications: weekly reminders, escalation after 14 days of inactivity
certDef.setNotificationEnabled(true);
certDef.setReminderFrequency(7); // days
certDef.setEscalationEnabled(true);
certDef.setEscalationDays(14);
certDef.setEscalationRecipient("security-governance-team");

// Active period and closing behaviour: anything still undecided at auto-close
// is revoked, so unreviewed access fails closed instead of being retained
certDef.setActivePeriodDays(30);
certDef.setAutoCloseEnabled(true);
certDef.setDefaultRevoke(true); // revoke if not reviewed

context.saveObject(certDef);
context.commitTransaction();
```
Set up a focused review for high-risk applications and privileged entitlements:

```java
// Targeted certification for privileged access review
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*;

CertificationDefinition targetedCert = new CertificationDefinition();
targetedCert.setName("Privileged Access Targeted Review");
targetedCert.setType(Certification.Type.ApplicationOwner);

// Restrict the scope to specific high-risk applications
List applicationNames = new ArrayList();
applicationNames.add("Active Directory");
applicationNames.add("AWS IAM");
applicationNames.add("Oracle EBS");
applicationNames.add("SAP GRC");
applicationNames.add("CyberArk Vault");
targetedCert.setApplicationNames(applicationNames);

// Keep only privileged entitlements: by classification, by risk score, or by
// naming convention. The name matches are a fallback for entitlements that
// were never classified; they are case-sensitive, so "admin" or "root" in
// lower case would slip through unless the classification catches them
String entitlementFilter = "entitlement.classification == \"Privileged\" " +
    "|| entitlement.riskScore > 800 " +
    "|| entitlement.name.contains(\"Admin\") " +
    "|| entitlement.name.contains(\"Root\") " +
    "|| entitlement.name.contains(\"DBA\")";
targetedCert.setEntitlementFilter(entitlementFilter);

// Application owners are the certifiers
targetedCert.setCertifierSelectionType(
    CertificationDefinition.CertifierSelectionType.ApplicationOwner
);

// Approval workflow: every decision needs a reason and the campaign needs sign-off
targetedCert.setApprovalRequired(true);
targetedCert.setSignOffRequired(true);
targetedCert.setReasonRequired(true);

// Run SoD policy checks during certification; Flag shows the violation to the
// certifier without blocking the decision
targetedCert.setCheckSodPolicies(true);
targetedCert.setSodPolicyAction(CertificationDefinition.SodPolicyAction.Flag);

context.saveObject(targetedCert);
context.commitTransaction();
```
Define the separation-of-duties policies that flag violations during review:

```java
// Create an SoD policy for conflicting access in the finance system
import sailpoint.object.*;
import sailpoint.object.Policy;

Policy sodPolicy = new Policy();
sodPolicy.setName("Finance SoD - AP/AR Conflict");
sodPolicy.setType(Policy.TYPE_SOD);
sodPolicy.setDescription("Prevent a user from holding both accounts-payable and accounts-receivable access");
sodPolicy.setViolationOwner(
    context.getObjectByName(Identity.class, "compliance-team")
);

// Define the conflicting entitlements: holding anything from the left side
// together with anything from the right side is a violation
SODConstraint constraint = new SODConstraint();
constraint.setName("AP-AR Separation");

// Left side: accounts-payable entitlements
PolicyConstraint leftSide = new PolicyConstraint();
leftSide.setApplication("SAP ERP");
leftSide.addEntitlement("SAP_AP_PROCESSOR");
leftSide.addEntitlement("SAP_AP_APPROVER");
leftSide.addEntitlement("SAP_AP_ADMIN");
constraint.setLeftConstraint(leftSide);

// Right side: accounts-receivable entitlements
PolicyConstraint rightSide = new PolicyConstraint();
rightSide.setApplication("SAP ERP");
rightSide.addEntitlement("SAP_AR_PROCESSOR");
rightSide.addEntitlement("SAP_AR_APPROVER");
rightSide.addEntitlement("SAP_AR_ADMIN");
constraint.setRightConstraint(rightSide);

// Severity and the compensating control a certifier may accept instead of revoking
constraint.setViolationSeverity("High");
constraint.setCompensatingControl("Dual approval required for transactions over $10,000");
sodPolicy.addConstraint(constraint);

context.saveObject(sodPolicy);
context.commitTransaction();
```
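The check the policy above expresses, as an added worked example that is not IdentityIQ code and does not use its API: a small Python evaluator that holds the same AP/AR constraint (left and right entitlement sets on one application, severity, compensating control) and runs it over a constructed access snapshot of the kind an identity-warehouse export provides. The identity names, the non-SAP entitlements and the Violation record shape are assumptions for the illustration. It generalizes to any number of constraints and also shows the case that must not fire: several entitlements on a single side only.

```python
"""Separation-of-duties evaluation over an entitlement snapshot.

Added example, not SailPoint IdentityIQ code. The AP/AR constraint is the one
from the page; identities and the access snapshot are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SodConstraint:
    name: str
    application: str
    left: FrozenSet[str]       # one side of the conflict
    right: FrozenSet[str]      # the other side
    severity: str = "High"
    compensating_control: str = ""


@dataclass(frozen=True)
class Violation:
    identity: str
    constraint: str
    application: str
    left_held: Tuple[str, ...]
    right_held: Tuple[str, ...]
    severity: str


AP_AR = SodConstraint(
    name="AP-AR Separation",
    application="SAP ERP",
    left=frozenset({"SAP_AP_PROCESSOR", "SAP_AP_APPROVER", "SAP_AP_ADMIN"}),
    right=frozenset({"SAP_AR_PROCESSOR", "SAP_AR_APPROVER", "SAP_AR_ADMIN"}),
    compensating_control="Dual approval required for transactions over $10,000",
)

# Constructed snapshot: identity -> {(application, entitlement)}
SAMPLE_ACCESS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("SAP ERP", "SAP_AP_PROCESSOR"), ("SAP ERP", "SAP_AR_APPROVER")},
    "bob":   {("SAP ERP", "SAP_AP_PROCESSOR"), ("SAP ERP", "SAP_AP_APPROVER")},
    "carol": {("SAP ERP", "SAP_AR_PROCESSOR"), ("Active Directory", "Domain Admins")},
    "dave":  {("SAP ERP", "SAP_AP_ADMIN"), ("SAP ERP", "SAP_AR_ADMIN"),
              ("SAP ERP", "SAP_AR_PROCESSOR")},
}


def evaluate(access, constraints) -> List[Violation]:
    """One Violation per (identity, constraint) where the identity holds at
    least one entitlement from each side within the constraint's application.
    Several entitlements on a single side (bob) are not a conflict, and an
    entitlement with the same name on another application is not matched."""
    found = []
    for identity, held in sorted(access.items()):
        for c in constraints:
            in_app = {ent for app, ent in held if app == c.application}
            left_hit, right_hit = in_app & c.left, in_app & c.right
            if left_hit and right_hit:
                found.append(Violation(identity, c.name, c.application,
                                       tuple(sorted(left_hit)), tuple(sorted(right_hit)),
                                       c.severity))
    return found


def flag_for_certification(violations, constraints):
    """What a certifier sees per flagged item: the compensating control they
    may accept (Mitigate) instead of revoking one side of the conflict."""
    controls = {c.name: c.compensating_control for c in constraints}
    return {(v.identity, v.constraint): controls[v.constraint] for v in violations}


if __name__ == "__main__":
    for v in evaluate(SAMPLE_ACCESS, [AP_AR]):
        print(f"[{v.severity}] {v.identity}: {v.constraint} holds {v.left_held} and {v.right_held}")
```

Matching is done per application on purpose: an SoD rule about SAP roles should not fire because an unrelated system happens to use the same role name.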
Automate access removal when a certifier revokes an entitlement:

```java
// Automatic provisioning for revoked entitlements
import sailpoint.object.*;
import sailpoint.api.*;

// Remediation workflow
Workflow remediationWorkflow = new Workflow();
remediationWorkflow.setName("Certification Revocation Workflow");
remediationWorkflow.setType(Workflow.Type.CertificationRemediation);

// Step 1: build the revocation provisioning plan
Step createPlan = new Step();
createPlan.setName("Create Revocation Plan");
createPlan.setScript(
    "import sailpoint.object.ProvisioningPlan;\n" +
    "// Plan that removes the revoked entitlement from the identity's account.\n" +
    "// appName, nativeId, attrName and attrValue are assumed to be workflow\n" +
    "// variables populated from the revoked CertificationItem\n" +
    "ProvisioningPlan plan = new ProvisioningPlan();\n" +
    "plan.setIdentity(identity);\n" +
    "ProvisioningPlan.AccountRequest acctReq = new ProvisioningPlan.AccountRequest();\n" +
    "acctReq.setApplication(appName);\n" +
    "acctReq.setNativeIdentity(nativeId);\n" +
    "acctReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Modify);\n" +
    "acctReq.add(new ProvisioningPlan.AttributeRequest(attrName, ProvisioningPlan.Operation.Remove, attrValue));\n" +
    "plan.add(acctReq);\n" +
    "return plan;"
);

// Step 2: execute the plan and branch on the result
Step executeProvisioning = new Step();
executeProvisioning.setName("Execute Revocation");
executeProvisioning.setScript(
    "import sailpoint.api.Provisioner;\n" +
    "import sailpoint.object.ProvisioningResult;\n" +
    "Provisioner provisioner = new Provisioner(context);\n" +
    "provisioner.execute(plan);\n" +
    "// execute() returns nothing; the outcome is attached to the plan\n" +
    "ProvisioningResult result = plan.getResult();\n" +
    "// auditEvent and openWorkItem are assumed helpers from the workflow library;\n" +
    "// a queued or failed result goes to a human instead of being silently lost\n" +
    "if (result != null && result.isCommitted()) {\n" +
    "    auditEvent(\"Entitlement revoked\", identity, plan);\n" +
    "} else {\n" +
    "    openWorkItem(\"Manual revocation required\", identity, plan);\n" +
    "}"
);

// The steps only take effect once they are part of the workflow
remediationWorkflow.add(createPlan);
remediationWorkflow.add(executeProvisioning);

context.saveObject(remediationWorkflow);
context.commitTransaction();
```
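The remediation path the workflow above describes (revoke decision, removal request, execution, audit record on success and a manual work item on failure), as an added Python example that is not IdentityIQ code and does not call its API. The connector is a constructed stand-in for a target system that fails transiently for one account and permanently for another, so both the retry branch and the fallback branch are exercised; the item layout, account names and retry limit are assumptions.

```python
"""Certification remediation with bounded retry and manual fallback.

Added example, not SailPoint IdentityIQ code. The connector is a constructed
stand-in; real revocations go through the provisioning engine and connectors.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class CertItem:
    identity: str
    application: str
    native_identity: str   # account on the target system
    attribute: str         # e.g. memberOf, roles, policies
    value: str             # the entitlement under review
    decision: str          # Approve | Revoke | Mitigate | Delegate


@dataclass(frozen=True)
class RemoveRequest:
    identity: str
    application: str
    native_identity: str
    attribute: str
    value: str


@dataclass
class Outcome:
    committed: List[RemoveRequest] = field(default_factory=list)
    work_items: List[Tuple[RemoveRequest, str]] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


# Constructed decisions from a finished certification
SAMPLE_ITEMS = [
    CertItem("alice", "SAP ERP", "ALICE01", "roles", "SAP_AR_APPROVER", "Revoke"),
    CertItem("bob", "Active Directory", "CN=bob,OU=Users,DC=corp,DC=example",
             "memberOf", "Domain Admins", "Revoke"),
    CertItem("carol", "AWS IAM", "carol", "policies", "AdministratorAccess", "Revoke"),
    CertItem("dave", "SAP ERP", "DAVE01", "roles", "SAP_AP_PROCESSOR", "Approve"),
    CertItem("erin", "Oracle EBS", "ERIN", "responsibilities", "DBA", "Mitigate"),
]


def build_plan(items):
    """Only Revoke decisions become removal requests; Approve, Mitigate and
    Delegate leave the access in place."""
    return [RemoveRequest(i.identity, i.application, i.native_identity, i.attribute, i.value)
            for i in items if i.decision == "Revoke"]


class TransientError(Exception):
    """Target unreachable or timed out; worth retrying."""


class PermanentError(Exception):
    """Target rejected the change (e.g. insufficient privilege); needs a human."""


class StubConnector:
    """Constructed connector: fails the first N attempts for some accounts
    and always fails for others."""
    def __init__(self, transient, permanent):
        self.transient = dict(transient)   # native_identity -> failures left
        self.permanent = set(permanent)
        self.removed = []

    def remove(self, req):
        if req.native_identity in self.permanent:
            raise PermanentError("insufficient privilege on target")
        if self.transient.get(req.native_identity, 0) > 0:
            self.transient[req.native_identity] -= 1
            raise TransientError("target unreachable")
        self.removed.append((req.native_identity, req.value))


def execute(plan, connector, max_attempts=3):
    """Retry transient failures up to max_attempts; send permanent failures and
    exhausted retries to a manual work item; write one audit line per request."""
    out = Outcome()
    for req in plan:
        for attempt in range(1, max_attempts + 1):
            try:
                connector.remove(req)
                out.committed.append(req)
                out.audit.append(f"REVOKED {req.identity} {req.application}:{req.value} attempt={attempt}")
                break
            except TransientError as exc:
                if attempt == max_attempts:
                    out.work_items.append((req, f"{exc} after {attempt} attempts"))
                    out.audit.append(f"MANUAL {req.identity} {req.application}:{req.value} reason={exc}")
            except PermanentError as exc:
                out.work_items.append((req, str(exc)))
                out.audit.append(f"MANUAL {req.identity} {req.application}:{req.value} reason={exc}")
                break
    return out


def run_sample():
    connector = StubConnector(transient={"CN=bob,OU=Users,DC=corp,DC=example": 1},
                              permanent={"carol"})
    return execute(build_plan(SAMPLE_ITEMS), connector)


if __name__ == "__main__":
    print("\n".join(run_sample().audit))
```

Every request ends in exactly one of the two audit states; a revocation that neither committed nor produced a work item would be the gap an auditor is most likely to find.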
Track certification completion and generate compliance evidence:

```java
// Campaign monitoring and reporting script
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*;

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("phase", Certification.Phase.Active));
Iterator certIterator = context.search(Certification.class, qo);
Date now = new Date();

while (certIterator.hasNext()) {
    Certification cert = (Certification) certIterator.next();
    System.out.println("Campaign: " + cert.getName());
    System.out.println("  Type: " + cert.getType());
    System.out.println("  Phase: " + cert.getPhase());
    System.out.println("  Deadline: " + cert.getExpiration());

    CertificationStats stats = cert.getStatistics();
    int totalItems = stats.getTotalEntities();
    int completedItems = stats.getCompletedEntities();
    int pendingItems = totalItems - completedItems;
    // A campaign with no entities yet would otherwise divide by zero
    double completionPct = (totalItems == 0) ? 100.0 : (completedItems * 100.0) / totalItems;
    System.out.println("  Total items: " + totalItems);
    System.out.println("  Completed: " + completedItems + " (" +
        String.format("%.1f", completionPct) + "%)");
    System.out.println("  Pending: " + pendingItems);

    // Identify overdue certifiers: the certification is past its deadline and
    // still has pending entities. getCertifiers() returns certifier identity
    // names, not entities; in a manager campaign each certification has one
    // certifier, so this names the reviewer to escalate
    boolean overdue = cert.getExpiration() != null && cert.getExpiration().before(now);
    if (overdue && pendingItems > 0) {
        for (Object certifierName : cert.getCertifiers()) {
            System.out.println("  [OVERDUE] Certifier: " + certifierName);
        }
    }
}
```
Export certification results for auditor review:

```java
// Generate an audit report of completed certifications
import sailpoint.object.*;
import sailpoint.api.*;
import sailpoint.tools.Util;
import java.util.*;

// Certifications that reached the End phase and were signed within Q1.
// The upper bound is an exclusive "before April 1st": a le() on "2026-03-31"
// resolves to midnight and would drop sign-offs made during that day
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("phase", Certification.Phase.End));
qo.addFilter(Filter.ge("signed", Util.stringToDate("2026-01-01")));
qo.addFilter(Filter.lt("signed", Util.stringToDate("2026-04-01")));
List results = context.getObjects(Certification.class, qo);

StringBuilder auditReport = new StringBuilder();
auditReport.append("Access Certification Audit Report\n");
auditReport.append("Period: Q1 2026\n");
auditReport.append("Generated: " + new Date() + "\n");
auditReport.append("=".repeat(50) + "\n\n");

for (Certification cert : results) {
    CertificationStats stats = cert.getStatistics();
    auditReport.append("Campaign: " + cert.getName() + "\n");
    auditReport.append("  Items reviewed: " + stats.getTotalEntities() + "\n");
    auditReport.append("  Approved: " + stats.getApprovedCount() + "\n");
    auditReport.append("  Revoked: " + stats.getRevokedCount() + "\n");
    // An unsigned certification is not evidence; report it so it can be chased
    auditReport.append("  Signed off: " + (cert.isSignedOff() ? "Yes" : "No") + "\n\n");
}
System.out.println(auditReport.toString());
```
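The figures the two scripts above print (completion percentage, overdue certifiers) and the decision summary of the campaign report below, computed in an added Python example that is not IdentityIQ code, from a constructed set of certification items. It also applies the fail-closed rule from the campaign definition (setDefaultRevoke(true) at auto-close) to whatever is still undecided, which the monitoring script does not show. Item fields, certifier names and dates are assumptions.

```python
"""Campaign monitoring and close-out.

Added example, not SailPoint IdentityIQ code. Computes completion, decision
counts, overdue certifiers and the default-revoke close-out from a constructed
list of certification items.
"""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

DEADLINE = date(2026, 2, 14)       # end of the active period (assumed)
REPORT_DATE = date(2026, 2, 15)    # the day after the deadline (assumed)


@dataclass(frozen=True)
class Item:
    certifier: str
    identity: str
    entitlement: str
    decision: Optional[str] = None      # Approve | Revoke | Mitigate | Delegate | None (open)
    decided_on: Optional[date] = None


# Constructed sample: one item per entitlement under review
SAMPLE_ITEMS: List[Item] = [
    Item("mgr-lee",  "alice", "SAP ERP:SAP_AP_PROCESSOR",      "Approve",  date(2026, 1, 20)),
    Item("mgr-lee",  "alice", "SAP ERP:SAP_AR_APPROVER",       "Revoke",   date(2026, 1, 20)),
    Item("mgr-lee",  "bob",   "Active Directory:Domain Users", "Approve",  date(2026, 1, 22)),
    Item("mgr-kim",  "carol", "AWS IAM:AdministratorAccess",   "Mitigate", date(2026, 2, 1)),
    Item("mgr-kim",  "carol", "AWS IAM:S3ReadOnly",            "Approve",  date(2026, 2, 1)),
    Item("mgr-kim",  "dave",  "SAP ERP:SAP_AR_ADMIN"),                      # never reviewed
    Item("mgr-park", "erin",  "Oracle EBS:DBA",                "Delegate", date(2026, 2, 10)),
    Item("mgr-park", "frank", "Active Directory:VPN Users"),                # never reviewed
]


def completion(items):
    """(total, completed, percent complete); an empty campaign counts as complete."""
    total = len(items)
    done = sum(1 for i in items if i.decision is not None)
    pct = 100.0 if total == 0 else round(done * 100.0 / total, 1)
    return total, done, pct


def decision_summary(items):
    """Counts per decision type, as in the report's decision summary."""
    return Counter(i.decision for i in items if i.decision is not None)


def overdue_certifiers(items, today, deadline=DEADLINE):
    """Certifiers still holding open items once the deadline has passed;
    these are the escalation targets."""
    if today <= deadline:
        return set()
    return {i.certifier for i in items if i.decision is None}


def close_campaign(items, closed_on, default_revoke=True):
    """Auto-close: every still-open item receives the default decision. With
    default_revoke the unreviewed access fails closed (Revoke); otherwise it is
    approved, which silently retains access nobody looked at."""
    fallback = "Revoke" if default_revoke else "Approve"
    return [replace(i, decision=fallback, decided_on=closed_on) if i.decision is None else i
            for i in items]


if __name__ == "__main__":
    total, done, pct = completion(SAMPLE_ITEMS)
    print(f"Reviewed {done}/{total} ({pct}%)")
    print("Overdue:", sorted(overdue_certifiers(SAMPLE_ITEMS, REPORT_DATE)))
    closed = close_campaign(SAMPLE_ITEMS, DEADLINE)
    print("Decisions after auto-close:", dict(decision_summary(closed)))
```

The default_revoke flag is the setting that decides whether a campaign that ends with unreviewed items leaves a gap or closes it; with it off, the completion figure reaches 100% while the unreviewed access stays in place.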
| Term | Definition |
|---|---|
| Certification campaign | An organized review process in which designated certifiers verify whether users should retain their current access in one or more applications |
| Access review | A single review unit within a campaign: a certifier examines a specific user's entitlements and makes approve/revoke decisions |
| Entitlement | A specific permission, group membership, role or access right granted to an identity on a target application |
| Certifier | The reviewer responsible for making access decisions, typically a manager, application owner or data owner |
| Revocation | A decision to remove an entitlement from a user; it triggers a provisioning request to the target application to remove the access |
| SoD violation | A separation-of-duties conflict: a user holds entitlements from two or more mutually conflicting access groups, creating a segregation risk |
| Remediation | The automated or manual process of removing revoked access from target systems according to certification decisions |
Background: A public company must demonstrate quarterly access reviews of all financial applications under SOX Section 404. The previous manual review process took 6 weeks and produced inconsistent results.
Approach:
Common pitfalls:
```text
Access Certification Campaign Report
=======================================
Campaign: Q1-2026 Manager Access Review
Type: Manager certification
Period: 2026-01-15 to 2026-02-14
Status: Completed

Coverage
  Identities reviewed: 2,847
  Applications in scope: 34
  Total entitlements: 18,392

Decision summary
  Approved: 16,841 (91.6%)
  Revoked: 1,203 (6.5%)
  Mitigated: 198 (1.1%)
  Delegated: 150 (0.8%)

Revocation status
  Provisioned: 1,089 / 1,203 (90.5%)
  Pending: 87
  Failed: 27 (manual work items created)

SoD violations
  Flagged: 43
  Remediated: 31
  Compensating control accepted: 12

Certifier compliance
  On-time completion rate: 89.3%
  Escalation required: 14 certifiers
  Average review time: 3.2 minutes per item

Sign-off
  Campaign signed off: 2026-02-14 by compliance-admin
  Audit evidence: exported to /reports/Q1-2026-cert-evidence.pdf
```