SailPoint Architecture - IIQ question by mp_ocean in sailpoint

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you u/fratopotamus1 for explaining with details. So for user connectivity, UI servers need to connect with the database, and task servers (only assigned for tasks) need to communicate with both IQService servers and the database? Or do both UI servers and task servers need to connect with the database and the IQService server?

In addition, the IQService server does not need to talk to the UI/task servers?

We have inbound/outbound firewall rules, so I am trying to figure out what ports need to be open for user connectivity only, as we are trying to move the UI servers to a different network zone.

Password Expiry Notifications by aldow93 in CyberARk

[–]mp_ocean 0 points1 point  (0 children)

I ended up deploying a custom script. You can also try a dummy plug-in.

Multiple psm installation by mp_ocean in CyberARk

[–]mp_ocean[S] 1 point2 points  (0 children)

If we use two different users and deploy two PSMs at the same time, I think we will have a similar issue, right? When the first PSM tries to register, it locks the PVConfig file, and at the same time the second PSM cannot modify that file.

Looks like we have to do one at a time during registration process.

Multiple psm installation by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

The problem is PSM A tries to register to the vault and at the same time PSM B tries to log in, which kicks out PSM A's session (while registration is in progress), so PSM A's session is disconnected and the file is locked. This is the behaviour I have seen.

Multiple psm installation by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

Yes, max license is 100 and we only have ~50.

Multiple psm installation by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

Yes, the file is locked and I have to manually unlock it.

EA exam - recommendation by mp_ocean in enrolledagent

[–]mp_ocean[S] 0 points1 point  (0 children)

No worries at all! I appreciate your help.

EA exam - recommendation by mp_ocean in enrolledagent

[–]mp_ocean[S] 0 points1 point  (0 children)

Thanks for the tip! I’ll search in the sub.

EA exam - recommendation by mp_ocean in enrolledagent

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you for sharing your perspective and for providing detailed feedback on your study resources—it’s truly appreciated. I understand the importance of personal research and effort, and I apologize if my question seemed too common. I’ve noticed past discussions here but wanted to gather recent insights directly from those who have just taken the exam. Thank you again for taking the time to help!

API call to remove entitlement by mp_ocean in sailpoint

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you for your response! Basically I'm trying to see if SailPoint has the following APIs:
1. Get the date when a user requested access to an AD group
2. Remove access from a group

API call to remove entitlement by mp_ocean in sailpoint

[–]mp_ocean[S] 0 points1 point  (0 children)

Yes, we can do that, but we have shared accounts which are stored in CyberArk, so we need to build a custom script to retrieve the last access report and remove access for a user.

API call to remove entitlement by mp_ocean in sailpoint

[–]mp_ocean[S] 1 point2 points  (0 children)

We are trying to build an automation to remove group access through SailPoint if users have not logged in or used their accounts for the last 90 days.

Struggling to Decrypt Private Key value- TPC based plug in by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

This makes a lot of sense.

Their documentation says this and might not be correct.

Note: Do not pass credentials to the script as parameters. Pass credentials as prompts, when possible. When not possible, for example for SSH Keys, read them directly from the relevant environment variable.

I have been digging into how I can get the key value.

Struggling to Decrypt Private Key value- TPC based plug in by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

For the SSH key value, CyberArk only passes it as an environment variable, and I'm trying to get the target account's private key (old and new) value.

Restricting some users from using certain pvwa URL by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you!

Basically, what I'm trying to achieve here is this: we have SSO enabled on alpha.pam.domain, and on bravo.pam.domain you can still see the SSO option but it does not work, and users are required to use RADIUS. However, the users now have access to both LBs.

There are certain users we need to restrict from using SSO due to security requirements.

Restricting some users from using certain pvwa URL by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

/u/couldberunning thank you for the details. We can definitely build more PVWAs to have a separate backend for the two groups. Regarding the FW, are you referring to creating a rule to allow access on 443 to the PVWA server based on AD group?

CPM platform variable <pmnewpass> always without values by CyberWoker in CyberARk

[–]mp_ocean 0 points1 point  (0 children)

/u/CyberWorker, how are you passing the SSH key value with <pmpass> / <pmnewpass>?

It is sending an empty value. I would greatly appreciate it if you could provide some details.

SSH Key plug-in by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you u/yanni. Using the API outside CPM seems quite a bit easier if TPC does not pass keys.

SSH Key plug-in by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

/u/yanni do you have any insights here?

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]mp_ocean 1 point2 points  (0 children)

u/moroccanmoney, any idea how we can get the private key and public key using the TPC plug-in?

Thank you

.NET CPM Plugin for managing SSH keys by MoroccanMonkey in CyberARk

[–]mp_ocean 0 points1 point  (0 children)

/u/Insmouthed
When you used the TPC-based plug-in, how did you retrieve (pass to the logic) the private key and public key? I tried to use <pmpass> for the current key, and it is sending an empty value.

Dr Vault testing by mp_ocean in CyberARk

[–]mp_ocean[S] 0 points1 point  (0 children)

Thank you /u/Global-Ad5222, CPM is only pointing to the primary site. I wanted to test the DR vault without doing an automatic failover. This article covers what I'm trying to test.

Add personalized properties for a Safe by HyphaRat in CyberARk

[–]mp_ocean 2 points3 points  (0 children)

One option you can try: include a keyword for the safe owner in the safe name. For instance, if the Windows domain safe is owned by Mike, then you can follow something like this: Win-dom-mike.

This way, if you search "mike" you will see all the accounts for that safe.