Identity Defined Security Alliance

Privileged Access Management Governance

Provide feedback on the Privileged Access Management Governance security control:

Does it meet a requirement in your organization?
Have you implemented it with IDSA vendors or other technology vendors?
What was your experience?
What are tips/best practices?
Other feedback?

We have it between One Identity Manager and our PAM product, Safeguard. We do not use the SCIM extension to achieve this because it is deficient in numerous ways.

I have zero problem having OIM work with another member or anyone else for PAG… if we knew the interface specs of those products… Or vice versa. All of our products are API/CLI/PoSh enabled if anyone else wants to try something out.

https://github.com/OneIdentity
https://hub.docker.com/u/oneidentity/
https://www.powershellgallery.com/packages/safeguard-ps/2.4.181

My personal view is that we should define the use cases and then members can self-certify that they support those use cases. Stating that “SCIM” is the security control, imho, is simply the wrong way to approach this, and if we were dealing in use cases that would show where SCIM lacks.

Not following your above post. SCIM isn’t mentioned anywhere. The focus of the IDSA is the collection of capabilities that are brought together to define a security control. We could create a topic to discuss possible integration methods, but that would be done in a separate category.

Sorry. At the end of the day I don’t care how it is achieved. I just want it use-case based.

Have you had a chance to review the published use case:

https://www.idsalliance.org/idsa-rm-001/

Also, the security control definitions can be defined in the capabilities spreadsheet topic:

https://forum.idsalliance.org/t/matrix-security-controls-use-cases-capabilities-etc/168/4

Interesting. I just read the use case and the implementation details.
What’s the meaning of “Generic Identity” in IGA?
A “dummy identity” so IGA can perform access review, or a “normal human identity” (representation of)? If the former, I then understand the “pull” model. In case of a “normal human identity” the push (provisioning) model should be valid as well.
Other practical issues I have:

  • The link to the IDSA Security control in the use case is broken (“Privileged Access Management Governance”).
  • I don’t have access to the second link of the previous post, about the “matrix-security-…”, why?

The practical issue first. The reason you cannot access the second link in the above post is that the link is to a working document accessible only by IDSA member companies. This document has details regarding the capabilities each member company supports and how these are mapped to security controls. This information is also reflected in the content on the IDSA portal, but the Excel file this link points to is not public. Sorry about this. Regarding your other comment, yes, the “generic identity” refers to any identity (or “dummy identity” as stated). Thanks for your comments.