www.novell.com Novell Training Services ATT LIVE 2012 LAS VEGAS Introduction to NetIQ Access Governance Lecture NIQ15 Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.

Feb 09, 2020

Transcript
Page 1: Title page (see the header above)

Page 2:

Legal Notices

Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.

404 Wyman Street, Suite 500

Waltham, MA 02451

U.S.A.

www.novell.com

Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials

All third-party trademarks are the property of their respective owners.

Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.

Version 12

Page 3:

ATT Live 2012 A Governance Based Approach to Identity Management

Page 4:

© 2011 NetIQ Corporation. All rights reserved. 2

Changing Identity Management Market

(figure: the market moves from IT-focused to business-focused solutions; the original figure also carries the axis label "Cause")

              2000                    2010+
Focus         IT Focused              Business Focused
Solution      IT Administration       Business Process Management
User          IT & Help Desk          Business
Benefit       IT Efficiency           Business Risk Management

Page 5:

First Generation Solutions: Bottom-Up Identity

• Looks at the use case "bottom up"

• IT centric – designed, built, deployed and used by IT staff

• Infrastructure focused – plumbing, but with no tap

Page 6:

Next Generation Identity Management: A Governance Based Approach

• Looks at identity "top down"

1. Business Centric – Ease of use & full lifecycle controls

2. Policy Based – Strong desired state models

3. Last Mile Agnostic – Support multiple "last mile" fulfillment processes

Page 7:

Next Generation Identity Management A Governance Based Approach

1. Business Centric – Ease of use & full lifecycle controls

2. Policy Based - Strong desired state models

3. Last Mile Agnostic – Support multiple “last mile” fulfillment processes

Page 8:

Governance-based Approach 1. Business Centric – Easy to Use

• First generation IdM was built for IT administrators

• Multiple interfaces, no business context

Page 9:

Governance-based Approach 1. Business Centric – Easy to Use

• Dashboard for business-level identity change requests (screenshot not reproduced)

Page 10:

Governance-based Approach 1. Business Centric – Full Lifecycle Control

(figure: lifecycle control across the whole IAM process)

Lifecycle events: Joiners, Movers, Leavers

Actors: Business User, Audit, IT Sec, Help Desk, Biz User

Functions on the figure: Business User Self Service; UAR Certification; Analytics & Reporting; Compliance & Audit Proof; Provisioning & Directory (marked ✗); Risk Model (marked ?)

What governance adds:

• Visibility

• Business oversight & transparency

• Auditing & tracking

• Control of the entire IAM process

Page 11:

Next Generation Identity Management A Governance Based Approach

1. Business Centric – Ease of use & full lifecycle controls

2. Policy Based - Strong desired state models

3. Last Mile Agnostic – Support multiple “last mile” fulfillment processes

Page 12:

Governance Based Approach 2. Policy Based – Strong Desired State Models

(figure: five interlocking models)

Role Model
•Population Analysis •Role & Entitlement Mining •Dynamic Assignment Controls

Policy Model
•Business Policies (SoD) •Orchestration Policies •Provisioning Policies

Risk Model
•Rate & Rank Risk •Assessment of Process •Trending & Analysis

Audit Model
•Defined Process •Sustainable Controls •Compliance Proof

Controls Model
•Clear Ownership •Defined Approvals •Tracked Actions

Page 13:

Governance Based Approach 3. Last Mile Agnostic – Support Multiple Fulfillment Processes

(figure: Business Processes on the left, IT Resources in the middle, Fulfillment Processes on the right)

Business Processes

•Give new employee access

•Give temporary access to contractor

•Review access

•Approve role change

•Remediate policy violation

Fulfillment Processes

•Service Provider

•Email

•Help Desk

•Automated Provisioning

•Paper process

•IT Admin Change

Page 14:

Governance Based Approach 3. Last Mile Agnostic – Support Multiple Fulfillment Processes

(figure: Business Processes -> IT Resources -> Fulfillment Processes)

Business Processes: the same five as on page 13

Fulfillment Processes

•Help Desk

•NetIQ IDM Provisioning Engine

•IT Admin Change

•Service Provider

Page 15:

Governance Based Approach 3. Last Mile Agnostic – Support Multiple Fulfillment Processes

(figure: Business Processes -> IT Resources -> Fulfillment Processes)

Business Processes: the same five as on page 13

Fulfillment Processes

•Help Desk

•NetIQ Provisioning Engine

•IT Admin Change

•Service Provider

Callouts on the figure: "Fully Automated Provisioning?"; "Coordination & Instrumentation"

Page 16:

THE THREE STEPS TO GOVERNANCE BASED IDENTITY CONTROLS

A Governance Based Approach to Identity Management

Page 17:

Where to Start with Identity Governance? Think GPS …

(figure: Current Location -> Destination -> Travel)

Page 18:

Three Steps to Governance-based Provisioning

1. Governance Checkpoint (Understand Current State)

•Build Entitlement Warehouse •Establish Responsibility •Understand the data •Critical Remediation

Tools: Entitlement Warehouse, Certifications, Policy Evaluation, Remediation, Risk Assessment

2. Build Governance Model (Plan Desired State)

•Define Automated Controls •Model Roles & Policies •Model Access •Define Approvals

Tools: Role Engineering, Policy Modeling, Lifecycle Events, Workflow & BP

3. Lifecycle Controls (Manage Ongoing Change)

•Deploy Request Services •Integrate Fulfillment Procedures •Establish Closed-loop Audit •Monitor, Report, Refine

Tools: Request Management, Fulfillment Orchestration, Write Connectivity, Monitoring & Reporting

Page 19:

CONCLUSION A Governance Based Approach to Identity Management

Page 20:

Conclusion

• New Approach To Identity Management

– Business User Driven Identity Lifecycle Control

– Built on a Model & Policy Based Approach

– Support for Multiple "Last Miles"

• Three Steps to Identity & Access Governance

– Understand Current State

– Model Desired State

– Manage the Entire Lifecycle

Page 21:

Introducing NetIQ Access Governance Suite 6

(figure: product stack, top to bottom)

Compliance Manager: Certification | Policy Evaluation

Lifecycle Manager: Access Request | Business Event Triggers

Governance Platform: Role Management | Policy Engine | Risk Model | Provisioning Broker

Integration Module: NetIQ IDM Provisioning Engine | 3rd Party Service Desk

Page 22:

Architecture/Installation

Page 23:

(figure: AGS 6 core application components; labels as they appear on the slide)

Core Application Components: Policy Engine, Cert Engine, Identitizer, Task Engine, Workflow Engine, Request Processor, Scope / Capabilities, Broker

Persistence: Hibernate, Database

Front ends: Web Browser Interface; API Layers (Spring Web Services)

Connectors (Read), Aggregation: JDBC / LDAP, CSV / FILE, Custom

Integrations (Write): Novell/NetIQ PIM, CSV / FILE, External Applications, Identity Events

Page 24:

Architecture Overview

(figure: deployment view; arrows as read from the slide)

• Web browser (AJAX) -> HTTPS -> Application Server (J2SE application, Hibernate persistence) -> RDBMS Repository

• Application Server -> HTTPS -> IdM Infrastructure (Provisioning, Access Control)

• Application Server -> Managed Resources, over remote connection protocols (Flatfile, SSH, LDAP, FTP, JDBC)

Page 25:

Access Governance Suite 6 Installation/Deployment Process

Initial & Patch Deployment

• WAR File Deployment • Schema Modification/Generation (Optional) • Database Preparation/Table Creation • Initialization of Default System Objects • Apply Patches

Ongoing Deployment & Operation

• Initialization of Customized System Objects • Deployment of Custom Code • Deployment of Customized File-System Artifacts

Page 26:

Schema Configuration – Details

• Identity – default 10 searchable, 5 indexed, 20 max

– Be aware: indexing speeds up searching, but slows down updates to the identity cube

• Application – 4 extended attributes, 1 indexed

• Account (Link) – 5 searchable attributes, 1 indexed

• Role (Bundle) – 4 extended attributes, 1 indexed

• Certification – 5 searchable attributes, 1 indexed

• Managed Attributes – 3 searchable, 3 indexed

• Identity to Identity – default 5, none indexed

Page 27:

Database Preparation

• Database Scripts

– Using your database tools, create a database and all the necessary tables for AGS 6

– Scripts are provided out of the box for the default schema and for upgrades

– Location: /WEB-INF/database

– Examples:

    create_ags_tables.mysql
    drop_ags_tables.mysql
    upgrade_ags_tables.mysql
    post_upgrade_ags_tables.mysql

• Note: If generating your own scripts, take care to load the proper files. Check the date/time stamps to make sure you are using the most recently generated files, otherwise a stale create or upgrade script will build tables that do not match the schema the application expects.

Page 28:

Configure Access Governance Suite 6

• Startup Preparation

– AGS 6 Root – Example: /srv/tomcat6/webapps/ags

– Set the database connection parameters in <AGS 6 Root>/WEB-INF/classes/ags.properties

– If needed, use the ags encrypt command in the WEB-INF/bin directory to encrypt the passwords stored in that file instead of leaving them in clear text

Page 29:

Initialize AGS 6 Default Objects

• Creates the initial objects within AGS 6

– Loads the default objects (reports, tasks, etc.) into the empty AGS instance; it must be populated with all of them before use

– Steps:

    command: /WEB-INF/bin/ags console
    > import init.xml

– Note: loading an XML file this way can also be used to load your own files as part of your deployment (custom rules, tasks, roles, etc.)

Page 30:

Verify AGS 6 Installation

• After AGS 6 is deployed:

– Start the application server

– Access Governance Suite 6 login: http://<server>:<port>/ags

– The application can be deployed at the root of the app server if desired – Example: http://server.domain.com/

– The architecture overview (page 24) shows browser traffic to the application server over HTTPS; a plain http URL is acceptable for a first smoke test on a development box, not for staging or production

Page 31:

Deployment Strategy

• Development – Unit Test Environment – Usually many of them. Developers may have individual systems for AGS 6 as well as a main Dev system. Typically limited memory and disk space, and running in a VM. Avoid loading full data, as this complicates development.

• Staging – Load Test Environment – Needs to be able to handle the anticipated high-water marks for performance and stress testing. The full data complement should be loaded here to validate the design. Loading it also means staging holds the same identity data as production and needs the same access controls.

• Production Environment – Nearly identical to Stage but incorporates redundancy and failover

Page 32:

Typical High-End Deployment

(figure: two data centers)

Primary Data Center (Active): Cluster Domain, Shared Storage, Database Cluster

Backup Data Center (Hot Standby): Cluster Domain, Shared Storage, Database Cluster

VIPs: UI traffic (both sites), Aggregation Traffic

Streams – Replication between the database clusters

Page 33:

Identity Cubes

Page 34:

Identity Cubes

Definition: Identity Cube – the term used to refer to each unique identity stored in the AGS 6 repository. "Cube" denotes the rich, multi-dimensional data available for it; in the user interface, the tabs represent the dimensions of the Identity Cube (screenshot not reproduced).

Page 35:

Identity Cubes – Detail

• Identity Attributes (Name, Email, Department, etc.)

• Entitlements – Roles and individual entitlements

• Application Accounts

• Policy (any violations for this identity)

• Risk Scores

• History (Attributes, Roles, Entitlements, Accounts, Certification History)

• Activity

• User Rights (within AGS)

• Events (Identity Triggers, Role Sunrise/Sunset)

Page 36:

Identity Cubes

• "Cubes" are built through a discovery process from authoritative sources

• Refreshed dynamically with Account Aggregation tasks

• Snapshots may be maintained to drive historical analytics

(figure: Identity Cubes in the center, fed from the IT Environment by Identity Data, Activity Data and Applications (File Shares, Packaged Apps, Legacy Apps) and from the Business Environment by Business Context (Business Roles, Business Policy, Business Risk, Provisioning); outputs are Dashboard and Reports)

Page 37:

How Cubes are Created

• Identity Cubes are created by bringing in user account data from Authoritative Applications

– Sources like HR/Directory systems – Example: AD/LDAP/HR Systems

– Multiple Sources (employees/contractors)

• Components

– Connector – An AGS 6 component which communicates with various targeted platforms, applications and systems to harvest application and account data. A connector is defined as part of an application. (Example: Delimited File Connector, JDBC, Active Directory, etc.)

– Application – A definition representing a target system. It includes how the targeted system is accessed, how the account and entitlement data on that system are classified (Schema), the associated Risk configuration, and a set of Rules specifying relationship data.

Page 38:

Applications – Specifying Schema

• Specifying Schemas

– Account – Used to represent individual accounts

– Group – Used to represent individual group accounts

• Specifying Rules

– Creation – Configuration hook during Identity Cube creation

– Correlation – Defines Identity Cube search semantics

– Positive Correlation – Link to Identity

– Negative Correlation – Creation of Orphan Identity

– Manager Correlation

– Customization

• Specifying Activity Data Sources – Drives activity tracking and monitoring (logins/logouts, etc.)

Page 39:

Application Schema – Example

• Data Example (a delimited file, one row per group membership)

    employeeId,userId,groups,email
    a1b2,FredFlintstone,Administrators,[email protected]
    b1b2,BarneyRubble,Administrators,[email protected]
    b1b2,BarneyRubble,VPN Administrators,[email protected]

• Which column is

– An Identity Attribute?

– A Display Attribute?

– An Entitlement?

– A Group?

– A Multi-Valued Attribute?

Page 40:

Applications – Rules

• Creation Rule – Hook for performing customizations at cube creation time, e.g. assigning AGS 6 capabilities or setting default passwords

– Not required

• Correlation Rule – Alternatively configured through the GUI

– Determines whether a native account results in the creation of a new identity cube or linkage to an existing one

– Not required when configuring an Application – The implicit rule is to search on the identity name attribute

• Manager Correlation Rule – Alternatively configured through the GUI

– Used by AGS 6 to build and maintain the manager relationship

• Rules provide a fully programmable, Java-based implementation hook; a rule that assigns capabilities or sets passwords runs with the same access as the application itself, so treat rule code as part of the trusted configuration

Page 41:

Rules – BeanShell

The BeanShell execution environment provides a high degree of programmability. The correlation rule below names the identity attribute to search on (email) and takes the value to search for from the account being aggregated; it only finds a match if email is mapped as a searchable identity attribute (see Identity Mappings).

    <Source>
    <![CDATA[
      import java.util.HashMap;
      import java.util.Map;

      // "account" is the native account object AGS passes into a correlation rule.
      // Returning an empty map means "no match": the account becomes an orphan identity.
      Map returnMap = new HashMap();
      String email = account.getStringAttribute("email");
      if ( email != null ) {
          returnMap.put("identityAttributeName", "email");
          returnMap.put("identityAttributeValue", email);
      }
      return returnMap;
    ]]>
    </Source>

Refer to <AGSHOME>\WEB-INF\config\examplerules.xml
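The aggregation-and-correlation flow that pages 39 to 41 describe, as an added example written for this page (it is not AGS code and not from the course): the delimited rows from the schema example are folded into accounts with a multi-valued groups attribute, then a Python twin of the BeanShell rule above correlates each account on email against identity cubes. The cube names, the e-mail addresses (redacted on the original page), the application name and the choice of which column is the identity, display and entitlement attribute are assumptions for the example.

```python
"""Account aggregation plus correlation, as an added example.

Not AGS code: a plain-Python re-creation of what the slides on
application schemas (page 39) and correlation rules (pages 38, 40, 41)
describe, so the behaviour can be run and checked offline.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample feed: the delimited-file rows from the "Application
# Schema - Example" slide. The hosting site redacted the e-mail addresses,
# so the ones here are made up. One row per group membership, hence the
# repeated BarneyRubble rows.
ACCOUNT_FEED = """employeeId,userId,groups,email
a1b2,FredFlintstone,Administrators,fred@example.com
b1b2,BarneyRubble,Administrators,barney@example.com
b1b2,BarneyRubble,VPN Administrators,barney@example.com
"""

# One reasonable answer to the slide's "which is ...?" question (an
# assumption, not the deck's answer): userId is the account's identity
# attribute, email its display attribute, groups the multi-valued
# entitlement attribute whose values name Group objects.
SCHEMA = {
    "identityAttribute": "userId",
    "displayAttribute": "email",
    "entitlementAttributes": {"groups"},
}


@dataclass
class Account:
    application: str
    native_identity: str
    attributes: dict


def aggregate_accounts(application, feed, schema):
    """Fold delimited rows into one Account per native identity.

    Entitlement attributes are multi-valued and accumulate across rows.
    Every other attribute must agree across rows for the same account;
    a conflict stops the aggregation instead of silently keeping one
    value, because the warehouse would otherwise certify wrong data.
    """
    accounts = {}
    for row in csv.DictReader(io.StringIO(feed)):
        key = row[schema["identityAttribute"]]
        acct = accounts.setdefault(key, Account(application, key, {}))
        for name, value in row.items():
            if name in schema["entitlementAttributes"]:
                values = acct.attributes.setdefault(name, [])
                if value not in values:
                    values.append(value)
            elif acct.attributes.setdefault(name, value) != value:
                raise ValueError(f"{application}/{key}: conflicting {name}")
    return accounts


# Identity cubes already built from the authoritative HR source
# (constructed; in AGS they come from aggregating the HR application).
IDENTITY_CUBES = {
    "Fred Flintstone": {"email": "fred@example.com", "links": []},
    "Wilma Flintstone": {"email": "wilma@example.com", "links": []},
}


def correlation_rule(account):
    """Python twin of the BeanShell rule on this slide: correlate on email."""
    email = account.attributes.get("email")
    if email is None:
        return {}
    return {"identityAttributeName": "email", "identityAttributeValue": email}


def correlate(accounts, cubes, rule):
    """Link each account to a cube (positive correlation) or create an
    orphan cube for it (negative correlation). Returns the orphan names."""
    orphans = []
    for acct in accounts.values():
        result = rule(acct)
        match = None
        if result:
            name = result["identityAttributeName"]
            value = result["identityAttributeValue"]
            hits = [n for n, cube in cubes.items() if cube.get(name) == value]
            if len(hits) > 1:
                # Two cubes share the key: linking to either would hand one
                # person's entitlements to another person's reviewer.
                raise ValueError(f"ambiguous correlation for {acct.native_identity}: {hits}")
            if hits:
                match = hits[0]
        if match is None:
            # Negative correlation: a cube named after the account and
            # flagged, so a certification can surface accounts nobody owns.
            match = acct.native_identity
            cubes[match] = {"email": acct.attributes.get("email"), "links": [], "orphan": True}
            orphans.append(match)
        cubes[match]["links"].append(acct)
    return orphans


if __name__ == "__main__":
    found = aggregate_accounts("FlintstoneApp", ACCOUNT_FEED, SCHEMA)
    for cube_name in correlate(found, IDENTITY_CUBES, correlation_rule):
        print("orphan identity created for account", cube_name)
    for cube_name, cube in IDENTITY_CUBES.items():
        print(cube_name, [link.attributes["groups"] for link in cube["links"]])
```

Run as a script it links FredFlintstone to the HR-sourced cube and creates an orphan cube for BarneyRubble, who has no HR record; the orphan carries both Administrators and VPN Administrators, which is exactly the kind of account an access certification exists to catch. The ambiguity check is deliberate: the BeanShell rule returns a search key, and if two cubes share that key the product has to decide, so the model refuses rather than guessing.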

Page 42:

Identity Mappings

• Identity Mappings define which account attributes will be maintained as top-level "Identity Attributes"

• Typically sourced from authoritative sources like HR and the Corporate Directory

– Can be sourced with a rule as well

• Persisted as part of the Identity Cube

• Can be marked as searchable

– Support correlation

– Support advanced analytics


Identity Mappings – Diagram

Diagram: an Account on the HR Application (the Authoritative Source, with the attributes HR_ID, Name, Insurance Plan, Email and Location) passes through Account Aggregation; the mapped attributes Name, Email and Location are promoted to the Identity.


Identity Mappings

Edit identity mapping allows multiple source mappings and precedence setting.

Advanced Options...

• Group Factory: Controls whether the attribute will participate in dynamic groups

• Searchable: Determines whether the attribute can be used in correlation rules and as a criterion for advanced analytics


Account Aggregation

The process by which AGS 6 creates and updates Identity Cubes with account, attribute and entitlement data accessed through configured Applications. Account Aggregation executes in the context of AGS 6 Tasks (which can be scheduled).

Link Attributes

Account attributes maintained (persisted) on the Application links stored within an Identity Cube. Link attributes may be promoted to Identity attributes based on the Identity Mappings configuration.


Account Aggregation

• Things to consider in Account Aggregation...

  – Which Application should be aggregated first?

    – The goal is to mint new Identity Cubes from the “best” source (HR, Corporate DIT)

    – Consider the correlation strategy to drive determination of the proper order

  – Are Identity Mappings properly configured?

    – The Account Aggregator will use Identity Mappings as the guide for promoting Link attributes
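The following is an added example, not NetIQ or Novell code: a toy model of the aggregation flow the slides describe (correlation rules, identity-mapping promotion with source precedence, and why the authoritative source should be aggregated first). The classes, the HR and AD sample accounts and the mapping table are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Application:
    name: str
    authoritative: bool           # HR / corporate directory may mint new cubes
    accounts: list                # native accounts, each a dict of attributes
    # correlation rule as (identity attribute, account attribute); None means the
    # implicit rule: search on the identity name attribute against "Name"
    correlation: Optional[tuple] = None

@dataclass
class IdentityCube:
    name: str
    attributes: dict = field(default_factory=dict)   # promoted identity attributes
    precedence: dict = field(default_factory=dict)   # identity attribute -> source rank
    links: dict = field(default_factory=dict)        # application -> link attributes

# Identity mappings: identity attribute -> (application, account attribute) sources,
# listed in precedence order (the first source that supplies a value wins)
IDENTITY_MAPPINGS = {
    "name":     [("HR", "Name")],
    "email":    [("HR", "Email"), ("AD", "mail")],
    "location": [("HR", "Location"), ("AD", "l")],
}
SEARCHABLE = {"name", "email"}   # only searchable attributes can drive correlation

def correlate(app, account, cubes):
    """Return the existing cube this account links to, or None if no match."""
    id_attr, acct_attr = app.correlation or ("name", "Name")
    if id_attr not in SEARCHABLE:
        raise ValueError(f"identity attribute {id_attr!r} is not searchable")
    value = account.get(acct_attr)
    if value is None:
        return None
    return next((c for c in cubes.values() if c.attributes.get(id_attr) == value), None)

def promote(cube, app_name, link):
    """Promote link attributes to identity attributes per IDENTITY_MAPPINGS,
    never letting a lower-precedence source overwrite a higher one."""
    for id_attr, sources in IDENTITY_MAPPINGS.items():
        for rank, (src_app, src_attr) in enumerate(sources):
            if src_app == app_name and link.get(src_attr) is not None:
                if rank <= cube.precedence.get(id_attr, len(sources)):
                    cube.attributes[id_attr] = link[src_attr]
                    cube.precedence[id_attr] = rank

def aggregate(apps):
    """Aggregate applications in the given order. Uncorrelated accounts from an
    authoritative source mint new cubes; from any other source they are left
    uncorrelated (a job for manual correlation) and nothing is promoted."""
    cubes, uncorrelated = {}, []
    for app in apps:
        for account in app.accounts:
            cube = correlate(app, account, cubes)
            if cube is None:
                if not app.authoritative:
                    uncorrelated.append((app.name, account))
                    continue
                cube = IdentityCube(name=account["Name"])   # mint: assumes a "Name" attribute
                cubes[cube.name] = cube
            cube.links[app.name] = dict(account)
            promote(cube, app.name, account)
    return cubes, uncorrelated

# Constructed sample data: one authoritative HR record and two AD accounts
HR_APP = Application("HR", True, [
    {"HR_ID": "1001", "Name": "Neil McGlennon", "Insurance Plan": "PPO",
     "Email": "neil@example.com", "Location": "US"},
])
AD_APP = Application("AD", False, [
    {"sAMAccountName": "nmcglennon", "mail": "neil@example.com", "l": "Las Vegas"},
    {"sAMAccountName": "svc_backup", "mail": None, "l": "Las Vegas"},
], correlation=("email", "mail"))

if __name__ == "__main__":
    for order in ([HR_APP, AD_APP], [AD_APP, HR_APP]):
        cubes, left = aggregate(order)
        print([a.name for a in order], "->", len(cubes), "cube(s),", len(left), "uncorrelated")
```

Aggregating AD before HR leaves both AD accounts uncorrelated because no cube exists yet to link to, which is the ordering problem the slide warns about.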


Manual Correlation

• When Automatic Correlation falls short...

  – Every organization has challenges in correlating identities across all systems

  – AGS 6 provides a Manual Correlation mechanism to expedite correlation clean-up


Application Onboarding


Application On-Boarding process

• Implementer and application owners will require several iterations of meetings on data

• Entitlement data and hierarchy must be clearly defined and understood

• Data aggregation schedule and dependencies must be captured and analyzed

• Data format and Connectivity mechanism must be clearly defined and agreed upon


Connector Types

• Connectors – ACF2, AIX, AS400, ACE Server, Active Directory, BMC ESS, BEA Aqualogic Enterprise Security, DB2, Delimited File, HP-UX, IBM Lotus Domino, IBM Tivoli Directory Server, IBM Tivoli Identity Manager, ITSM, JDBC, LDAP, LDIF, Linux, Lotus Notes, Mainframe, MS SQL Server, MS Sharepoint, NIS, Novell, Oracle DB, Oracle Apps, Peoplesoft, RACF, Remedy, SAP, SAP HR, SAP Portal, Salesforce, Solaris, Sun IDM, Sybase, TopSecret, Unix, VMS, Windows Local

• Rule Based Connectors

  – Multiplex – Creates applications on the fly

  – Logical – Creates logical application data on the fly

  – RuleBasedFileParser – Creates accounts from loosely formatted data


Connector Deployment Planning – Dealing with data formats: indexing

• Data needs to be merged – indicates whether the connector needs to be aware of multiple rows for the same account.

• Index Column – the column name which indicates how similar rows are correlated.

• Which columns should be merged? – the columns that are used in the default merge.


Data Format & Indexing

• File or JDBC with the following result: username, firstname, lastname, scope, capability

    nmcglennon, Neil, McGlennon, US, System Administrator
    nmcglennon, Neil, McGlennon, US, Auditor

• Set the merging to the following:

  – Data needs to be merged : true

  – Index Column : username

  – Which columns should be merged? : scope, capability


Delimited File Applications

• Required:

  – File Transport – the method used to retrieve the file. Defaults to “local” but “ftp” and “scp” are allowed as well.

  – File Path – the path and name of the file being parsed.

• Recommended:

  – Delimiter – option to indicate the method to parse the file. Any delimiter can be used. Escaped delimiters use the Unicode equivalent. Common options are “,” or “\u0009” (tab).

  – File has column header on first line – option to indicate that the file has a header, and skip the first line when parsing.
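An added example, not the AGS Delimited File connector's own code: it decodes a Delimiter setting as described above (a plain character or its escaped Unicode form), honours the header-line option, and then applies the index-column merge from the Data Format & Indexing slide so that the two nmcglennon rows become one multi-valued account. The sample export and all function names are constructed for this illustration.

```python
import csv
import io

# Constructed sample: the slides' two-row export plus a second user, tab-delimited,
# with a column header on the first line.
SAMPLE = (
    "username\tfirstname\tlastname\tscope\tcapability\n"
    "nmcglennon\tNeil\tMcGlennon\tUS\tSystem Administrator\n"
    "nmcglennon\tNeil\tMcGlennon\tUS\tAuditor\n"
    "jdoe\tJane\tDoe\tEU\tAuditor\n"
)

def delimiter_from_config(setting):
    """Turn the Delimiter setting into one character: a plain delimiter such as ","
    is used as-is; an escaped one is given as its Unicode value, e.g. \\u0009 for tab."""
    if setting.startswith("\\u") and len(setting) == 6:
        return chr(int(setting[2:], 16))
    if len(setting) != 1:
        raise ValueError(f"delimiter must be one character or \\uXXXX: {setting!r}")
    return setting

def parse_delimited(text, delimiter="\\u0009", has_header=True, columns=None):
    """Split the file into rows of named fields. With has_header the first line
    names the columns and is skipped; otherwise the caller supplies column names."""
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter_from_config(delimiter)))
    if has_header:
        columns, rows = rows[0], rows[1:]
    if not columns:
        raise ValueError("no header line, so column names must be supplied")
    out = []
    for r in rows:
        if not r:
            continue                                   # tolerate blank lines
        if len(r) != len(columns):
            raise ValueError(f"expected {len(columns)} fields, got {len(r)}: {r!r}")
        out.append(dict(zip(columns, r)))
    return out

def merge_rows(rows, index_column, merge_columns):
    """'Data needs to be merged': collapse rows sharing index_column into one
    account. merge_columns become multi-valued (duplicates dropped, order kept);
    every other column must agree across the merged rows, else the data is rejected."""
    accounts = {}
    for row in rows:
        key = row[index_column]
        if key not in accounts:
            accounts[key] = {c: ([v] if c in merge_columns else v) for c, v in row.items()}
            continue
        acct = accounts[key]
        for c, v in row.items():
            if c in merge_columns:
                if v not in acct[c]:
                    acct[c].append(v)
            elif acct[c] != v:
                raise ValueError(f"conflicting {c!r} for {key!r}: {acct[c]!r} vs {v!r}")
    return list(accounts.values())

def load_accounts(text, merge=True, index_column="username",
                  merge_columns=("scope", "capability"), **parse_kw):
    """Apply the slide's settings: merge=true, index column username,
    merged columns scope and capability."""
    rows = parse_delimited(text, **parse_kw)
    return merge_rows(rows, index_column, set(merge_columns)) if merge else rows

if __name__ == "__main__":
    for acct in load_accounts(SAMPLE):
        print(acct["username"], acct["capability"])
```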


Delimited File Applications (part 1)


Delimited File Applications (part 2)


JDBC Applications

• Fairly similar parsing to the Delimited File Connector.

• Required:

  – user – the username used to connect to the database.

  – url – the JDBC URL used to connect to the database.

  – driverClass – the Java class name of the JDBC driver used to connect to the database. Must be in $AGSHOME/WEB-INF/libs/

• Recommended:

  – password – the password used to connect to the database.

  – SQL – the query to fetch data from the database. Note: the JDBC Connector supports stored procedures.


LDAP Connector

• Account and Group Schemas are pre-populated.

• Required:

  – authorizationType: None, Simple, or Strong. Default is Simple.

  – user: User DN to bind to the directory as.

  – port: Connection port of the LDAP server. Usually 389 or 636.

  – host: Connection host IP or address.

  – searchScope: Depth to search the LDAP tree. OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE.

• Recommended:

  – password: the credentials the user uses to bind to the directory.

  – searchDN: The search starting point DN string.

  – iterateSearchFilter: optional filter string to filter out objects.


LDAP Connector


What is a Logical Application?

• A way to define an application “logically”

  – Logical apps allow for the combining (the previous composite behavior) and now the subdividing of applications

  – Examples:

    – An AD group controls access to an application at company ABC. They want to treat this application as a logical standalone application (Subdividing)

    – An application is defined by Mainframe application access and SQL database access (Composite)

• Simplifies searches, certifications, etc. by treating these special types of applications as a logical entity.


What is a Logical Application?


Access Certification


Certification Types

• Different certification types allow you to certify everything from a user's access to role membership and more.


Certification Schedules

• Schedules

  – One Time (what we will do in testing during class)

    – Runs a single unscheduled certification

    – Great for testing/development

  – Scheduled (Weekly, Monthly, Quarterly, Annually)

    – Runs on a repeatable schedule

    – Great for production situations whereby certifications must happen at regular intervals

  – Continuous

    – Certification never ends

    – Individual items are certified based on individual certification schedules (i.e. each entitlement is certified monthly, independently of other items)


Certification Time Periods

Diagram (timeline labels recovered from the figure): Certification Generation, Certifier Notification, Active, Sign-Off, Challenge, Revoke, Remediation (System Remediator), Certification End.


Access Certification – Time Periods

• Pre-Certification

  – Certification Schedule fires

  – Access Reviews are created and owners are notified via email

• Active Period

  – Certifiers log in and view certifications from the Inbox or My Certifications page

  – Certifiers make decisions, reassign, or delegate

  – Users may challenge revoke decisions (configurable)

  – Once all decisions are made, the certifier signs off on the certification

• Challenge Period – Users can challenge decisions

• Revocation Period – Period to allow revokes to occur (AGS scans during this time for changes)

  – Certification no longer appears in the Inbox

  – Remediation requests are passed on to the Provisioning Broker


What to Certify – Manager Certification

• Manager Certification

  – Which specific managers/all managers

  – Which applications/all applications

  – Certify Entitlements or Accounts – can certify whether a user has an account on a system versus the specific entitlements the user possesses

  – For Entitlements – Include Additional Entitlements; Include Roles

  – Certify Accounts with no Entitlements (Y/N)

  – Policy Violations


What to Certify – Application Owner Cert

• Application Owner Certification

  – Which applications/all applications

  – Certify Entitlements or Accounts – can certify whether a user has an account on a system versus the specific entitlements the user possesses

  – For Entitlements – Include Additional Entitlements; Include Roles

  – Certify Accounts with no Entitlements (Y/N)

  – Policy Violations


What to Certify – Entitlement Owner Cert

• Entitlement Owner Certification

  – Which applications/all applications

  – Include un-owned Entitlements

  – If yes, who will review un-owned Entitlements – default: the Application owner; another user can be defined

  – Note: Entitlement descriptions and ownership are defined by Managed Entitlements, which are created by:

    – the Missing Managed Entitlements scan task

    – aggregating with “Promote managed entitlements” checked

    – using a “Managed Entitlement Customization Rule” as part of your application definition


What to Certify – Advanced Cert

• Advanced Certification

  – User group(s) to certify (Population or Group Factory) – Note: Rules can be used to assign certifiers to groups created with a factory

  – Other options are just like Manager Certification


What to Certify – Role Certs

• Role Membership and Role Composition Certification

  – These certifications will request that the owner of a role certify the members of each role or the composition (makeup) of the role

  – Which roles to certify – Choose specific ones, By Type (IT/Business/etc.), or All Roles


What to Certify – Account Group Certs

• Account Group Permissions and Membership Certifications

  – These certifications will request that the owner of an account group certify the actual entitlements/permissions granted to each Account Group or the Membership of the Account Group

  – Which applications to certify – Choose or All Applications


Access Certification – Configuration

• Schedule – Run Once, Scheduled or Continuous

• Duration and types of Phases – Active Period, Challenge Period, Revocation Period, Automatic Closing (Rule, Revoke, Allow, Exception)

• Email notification parameters – Certification Reminders and Escalation; Revocation Reminders and Escalation

• Advanced – Exclusions and Pre-Delegations


Access Certifications – Global Config

• If there are things you are configuring often, you can set them in the global settings

  – System Setup > Compliance Configuration

  – Configure global settings that apply to all certifications

  – Can be overridden on a per-certification basis


Certifications – Rules

• Time Period Rules – Active Period Enter Rule, Challenge Period Enter Rule, Revocation Period Enter Rule, End Period Rule, Closing Rule

• Escalation – Escalation Rule for Expirations and Revocations

• Certification Control – Exclusion Rule, Pre-Delegation Rule, Sign Off Approver Rule


Managing Certification Access Reviews

• Inbox or Manage > My Access Reviews


Managing Access Reviews

• Click on Access Review Work Item

• View – Worksheet or Identity

• Make Decisions and Sign Off


Access Certification – Decision Details

• Revoke

  – Request the removal of an identity’s access to the specified business role or entitlement, or the removal of a permission or member from an account group

  – Revocation options are configurable

  – Revocation requests are not sent until certifications are signed off or the challenge period has ended

  – Identity-type revocation requests are driven by the challenge and remediation periods or phases

  – Revocation can be automated through configuration with a provisioning provider

  – Revocation can be performed as a bulk action or on an item-by-item basis
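An added example, not AGS code, serving both the Access Certification – Time Periods slide and the Revoke decision details above: a toy model of a certification's phases that enforces that decisions are only taken in the active period, that sign-off needs every item decided, and that revocation requests are released to the broker only after sign-off and the end of any challenge period. The class, method names and sample items are constructed; the handling of a challenged item (simply held back) is a simplification.

```python
from dataclasses import dataclass, field

@dataclass
class Certification:
    items: list                                        # access items under review
    challenge_enabled: bool = True                     # challenge period is configurable
    phase: str = "active"                              # active -> challenge -> revocation -> end
    decisions: dict = field(default_factory=dict)      # item -> "approve" | "revoke"
    challenged: set = field(default_factory=set)
    signed_off: bool = False
    sent_to_broker: list = field(default_factory=list) # remediation requests released

    def decide(self, item, decision):
        """Certifier decisions are only accepted during the active period."""
        if self.phase != "active":
            raise RuntimeError(f"no decisions outside the active period (now {self.phase})")
        if item not in self.items or decision not in ("approve", "revoke"):
            raise ValueError(f"bad decision {decision!r} for {item!r}")
        self.decisions[item] = decision

    def sign_off(self):
        """Every item needs a decision before the certifier can sign off."""
        undecided = [i for i in self.items if i not in self.decisions]
        if undecided:
            raise RuntimeError(f"cannot sign off, undecided items: {undecided}")
        self.signed_off = True
        self.phase = "challenge" if self.challenge_enabled else "revocation"
        self._release_revokes()

    def challenge(self, item):
        """Users may challenge a revoke decision while the challenge period is open;
        in this toy a challenged item is held back from revocation."""
        if self.phase != "challenge" or self.decisions.get(item) != "revoke":
            raise RuntimeError(f"{item!r} cannot be challenged now")
        self.challenged.add(item)

    def end_challenge_period(self):
        if self.phase != "challenge":
            raise RuntimeError("not in the challenge period")
        self.phase = "revocation"
        self._release_revokes()

    def _release_revokes(self):
        """Revocation requests go to the provisioning broker only once the
        certification is signed off and any challenge period has ended."""
        if not (self.signed_off and self.phase == "revocation"):
            return
        for item, decision in self.decisions.items():
            if (decision == "revoke" and item not in self.challenged
                    and item not in self.sent_to_broker):
                self.sent_to_broker.append(item)

    def close(self):
        """Certification end: returns what was dispatched during the revocation period."""
        self.phase = "end"
        return list(self.sent_to_broker)

def run_sample():
    """Constructed walk-through: one revoke, one approve, challenge period enabled."""
    cert = Certification(items=["AD:Domain Admins", "SAP:FI_POST"])
    cert.decide("AD:Domain Admins", "revoke")
    cert.decide("SAP:FI_POST", "approve")
    before = list(cert.sent_to_broker)          # nothing sent while active
    cert.sign_off()
    after_signoff = list(cert.sent_to_broker)   # still nothing: challenge period open
    cert.end_challenge_period()
    return before, after_signoff, cert.close()

if __name__ == "__main__":
    print(run_sample())
```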


Access Certification – Decision Details

• Delegate

  – Delegate the task of performing all or part of a certification to a different certifier

  – Delegation options are configurable

  – Delegate and certifier communicate through certification comments

  – Delegate can reject delegation requests

  – Delegate can forward the request to another certifier

  – Delegate has the same certification decision options as the original certifier

  – When a delegation work item is marked as complete, the decision shows up in the certification as complete

  – Delegation can be performed as a bulk action or on an item-by-item basis

• Reassign

  – Reassign multiple identities or account groups to a different certifier from the identity or account group list page

  – Reassignment is only available as a bulk action


Certifications – Monitoring Progress

• Monitor Certifications

• Oversee progress as certification progresses


Reporting – Certifications


Certifications from Advanced Analytics

• Analyze > Advanced Analytics

• Select and Certify


Certifications from Risk Scoring

• Manage > Identity Risk Scores

• Select and Certify


Roles, Policies and Risk


Overview

Diagram (labels recovered from the figure):

• Business Domain – Populations (Dynamic & Static), Assignment Rules, Job Functions, Responsibilities, Business Analysis, Organizational Data; Business Roles

• IT Domain – Security Model, Resources, Authorizations, Entitlements, Targets, Rights; Technical Roles

• Relationships between the two – Mandatory (Requires), Discretionary (Permits); Policy Model; Workflow Approvals


Flexible Role Types

• Business Roles

  – An articulation of a business function, responsibility or duty

  – Often grouped by organization, business process or projects

  – Users are directly associated with business roles (“subject groupings”)

  – Often using dynamic “assignment” rules based on identity data

• Technical (IT) Roles

  – Are sets of entitlements managed together for organizational and operational efficiency

  – Often grouped by application or related set of system components

  – Define and control actual instance attributes for a given entitlement “profile”

  – Provide a level of abstraction for complex entitlements

• Custom Roles

  – Allow optional inheritance, entitlement profiles, and meta-data

  – Facilitate construction of an effective role solution without requiring the business to change to fit the product

Diagram: Business Roles – A/P Clerk, Financial Accountant, Sales Manager, Shipping Clerk; IT Roles – ERP A/P Access, Finance Group Membership, CRM Approval Access, Ship on Inventory System; Custom Roles – Security Clearance I


Extensible Roles Are Key – Modeling Different Types Of Roles

Diagram (labels recovered from the figure): Provisioning Roles, IT Roles, Compliance Roles, Resource Roles, Organizational Roles, Business Functional Roles; Roles carry Metadata, Behaviors and Controls.


Diagram (labels recovered from the figure): Business Roles (Static & Dynamic Assignment) relate to IT Roles through Permits & Requires Relationships, under the Policy Engine and Workflow Model. Dynamic Assignment draws on Identity Attribute Data and is managed by Identity/Role Admins and Manual Self-Service; Static Assignment comes through Delegates and Business Self-Service. Approvals, Controls and Audit apply throughout.


Assigned vs Detected Roles

Diagram (labels recovered from the figure): the Role (Assignment Rules, Relationship Rules, Controls, Metadata) and the Entitlement Model (Attributes & Values) form the Model View (Desired State); Resources (Attributes & Entitlements) reached through Aggregation form the Actual View (Actual State). The Identity carries Assigned Roles (via Assignment Rules or Manual Assignment) and Detected Roles (Entitlements & Matched Roles), plus Additional Entitlements Detected.
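An added example, not NetIQ code: a toy of the assigned-vs-detected model above, using the role types from the Flexible Role Types slide. IT roles carry an entitlement profile, business roles are assigned by a rule over identity data and require (mandatory) or permit (discretionary) IT roles; detection matches profiles against the aggregated actuals, and whatever no detected role explains is reported as an additional entitlement. All roles, rules, the sample identity and its entitlements are constructed.

```python
# IT (technical) roles: name -> entitlement profile, a set of (application, entitlement)
IT_ROLES = {
    "ERP A/P Access":           {("ERP", "AP_CLERK"), ("ERP", "AP_POST")},
    "Finance Group Membership": {("AD", "Finance")},
    "CRM Approval Access":      {("CRM", "approve_quote")},
}

# Business roles: a dynamic assignment rule over identity attributes plus the IT
# roles the business role requires (mandatory) or permits (discretionary)
BUSINESS_ROLES = {
    "A/P Clerk": {
        "rule": lambda idn: idn.get("department") == "Accounts Payable",
        "requires": {"ERP A/P Access"},
        "permits": {"Finance Group Membership"},
    },
    "Sales Manager": {
        "rule": lambda idn: idn.get("department") == "Sales" and idn.get("is_manager", False),
        "requires": {"CRM Approval Access"},
        "permits": set(),
    },
}

def assigned_roles(identity):
    """Model view: business roles whose assignment rule matches the identity data."""
    return {r for r, spec in BUSINESS_ROLES.items() if spec["rule"](identity)}

def detected_roles(entitlements):
    """Actual view: IT roles whose whole profile is present in the aggregated entitlements."""
    return {r for r, profile in IT_ROLES.items() if profile <= entitlements}

def evaluate(identity, entitlements):
    """Compare desired state with actual state and report the gaps a reviewer
    (or a certification) would want surfaced."""
    assigned = assigned_roles(identity)
    detected = detected_roles(entitlements)
    required = set().union(*(BUSINESS_ROLES[r]["requires"] for r in assigned))
    permitted = set().union(*(BUSINESS_ROLES[r]["permits"] for r in assigned))
    explained = set().union(*(IT_ROLES[r] for r in detected))
    return {
        "assigned": assigned,
        "detected": detected,
        # required by an assigned business role but not held: should be provisioned
        "missing_required": required - detected,
        # held, but no assigned business role requires or permits it
        "unjustified_it_roles": detected - required - permitted,
        # no IT role profile accounts for these at all
        "additional_entitlements": entitlements - explained,
    }

# Constructed sample identity and its aggregated "actuals"
SAMPLE_IDENTITY = {"name": "Neil McGlennon", "department": "Accounts Payable", "is_manager": False}
SAMPLE_ENTITLEMENTS = {
    ("ERP", "AP_CLERK"), ("ERP", "AP_POST"),   # matches ERP A/P Access (required)
    ("AD", "Finance"),                         # matches Finance Group Membership (permitted)
    ("CRM", "approve_quote"),                  # matches CRM Approval Access, which nothing justifies
    ("AD", "Domain Admins"),                   # no profile matches: additional entitlement
}

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_IDENTITY, SAMPLE_ENTITLEMENTS).items():
        print(f"{key}: {sorted(value)}")
```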


Role Definition and Mining • Top-Down Business Role Modeling

– Captured via business analysis and organizational modeling

– Enhanced using automated analysis of identity data

– Supported heavily by role membership certification

• Bottom-Up IT Role Mining

– Driven by algorithmic analysis and an analytics-focused mining process

– Derived from data pulled from the central repository or “actuals”

– Supported heavily by role composition certification and analysis and “review” of those actuals

• Collaborative Association

– Key to the hybrid approach

– Join business & IT roles using the model

– What-if modeling & impact analysis

– Population analysis

[Diagram: Bottom-Up Role Mining works from the Actuals; Top-Down Business Role Modeling combines Business Role Mining and Organizational Modeling; both feed the Roles through Controlled Association.]

Page 90

Mining, Analytics & Engineering

• Top Down

– Population Analysis & Automated Discovery

– Populations, Work Groups & Assignment Rules & Business Roles

• Bottom Up

– Entitlement Patterns, Group / Set Analysis

– Entitlement Expressions, Profiles & IT Technical Roles

Page 91

Extensible Role Model

System Setup > Role Configuration

• Out of the box:

– IT Roles (for detection/provisioning)

– Entitlement Roles (for detection/provisioning)

– Business Roles (for assignment)

– Organizational Roles (for containment)

• Additional roles? Create new types

Page 92

Out of the Box Role Types

Type                                     Business  IT   Entitlement  Organizational
Allow inheritance of other roles         Yes       Yes  Yes          Yes
Allow other roles inheriting this role   Yes       Yes  No           Yes
Auto detection with profiles             No        Yes  No           No
Entitlement profiles                     No        Yes  Yes          No
Automatic assignment with rule           Yes       No   No           No
Assignment rule                          Yes       No   No           No
Manual assignment                        Yes       No   Yes          No
Permitted roles list                     Yes       No   No           No
Allow being on permitted roles list      No        Yes  Yes          No
Required roles list                      No        Yes  No           No
Allow being on a required roles list     No        Yes  Yes          No
Allow granting of IIQ rights             No        No   No           No

Page 93

Sunrise/Sunset of Roles

Global Configuration: System Setup > AGS 6 Configuration > Miscellaneous

Role Activation (Define Roles):

– Activate date

– Deactivate date

Used for roles with time-limited usage or delayed activation.

Page 94

Definition: Policy

Policies are defined specifically for your enterprise and are used to monitor for identities that are in violation of those policies. For example, a separation of duties policy might disallow one identity from both requesting and approving purchase orders, or an activity policy might disallow an identity with the Human Resource business role from updating the payroll application even though it does have view access to that application. Violations of each of a policy’s rules, when detected, are stored in the identity cube. These violations also appear on identity score cards and enable you to identify high-risk employees and act accordingly.

Page 95

Policy Violation Types

• Role SOD Policy

• Entitlement SOD Policy

• Activity Policy

• Account Policy

• Risk Policy

• Advanced Policy

Page 96

Policy – Role SOD Policy

• An SOD Policy is composed of one or more SOD rules

• An SOD rule is comprised of the following:

– Summary: A brief title for the rule

– Description: Short text which describes the rule

– State: A flag indicating whether the rule is active or not

– Compensating Control: A brief description of the remediation steps or exceptions to the rule

– Role Conflicts: A list of roles which conflict with each other

SOD rule definitions provide a framework for policy enforcement (Ex: Cannot have “Approve Vendor” Role and “Pay Vendor” Role.)

Page 97

Policy – Entitlement SOD Policy

• An SOD Policy is composed of one or more SOD rules

• An SOD rule is comprised of the following:

– Summary: A brief title for the rule

– Description: Short text which describes the rule

– State: A flag indicating whether the rule is active or not

– Compensating Control: A brief description of the remediation steps or exceptions to the rule

– Entitlement Conflicts: A list of entitlements which conflict with each other

– Note: can also use Identity Attributes for conflict analysis

Page 98

Policy – Activity Policy

• An Activity Policy consists of one or more activity rules

• Example: Login after hours

• An Activity rule is comprised of the following:

– Summary: A brief title for the rule

– Description: Short text which describes the rule

– State: A flag indicating whether the rule is active or not

– Compensating Control: A brief description of the remediation steps or exceptions to the rule

– Identity Filters: A filter of identities to apply this rule to

– Activity Filters: A list of activities to detect

Page 99

Policy – Account Policy

An Account Policy is composed of a single rule: does a user have more than one account on any given application?

– Summary: A brief title for the rule

– Description: Short text which describes the rule

– State: A flag indicating whether the rule is active or not

Page 100

Policy – Risk Score Policy

A Risk Score Policy is composed of a single rule:

– Summary: A brief title for the rule

– Description: Short text which describes the rule

– State: A flag indicating whether the rule is active or not

– Policy Attributes: Composite Score Threshold

  – A risk score value to use when detecting violations

  – Example: All identities with risk score > 800 receive this policy violation
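The policy types described on the preceding slides (Role SOD, Entitlement SOD, Account and Risk Score), as an added example (Python, not NetIQ product code) that evaluates them over constructed identity cubes and stores the detected violations on each cube. The rule names, conflict sets and sample identities are constructed; the Approve Vendor / Pay Vendor conflict and the 800 threshold follow the slides' own examples.

```python
"""Added example, not NetIQ product code: a small policy engine that runs the
rule types on the slides over constructed identity cubes. Each rule carries the
listed fields (summary, description, state flag, compensating control); SOD rules
add a conflict set, the Account policy fires on more than one account per
application, and the Risk Score policy on a composite-score threshold."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    summary: str
    description: str
    active: bool = True                  # State flag
    compensating_control: str = ""
    conflicts: frozenset = frozenset()   # role names or (application, entitlement) pairs
    threshold: int = 0                   # Risk Score policy only

@dataclass
class Identity:
    name: str
    roles: set
    entitlements: set                    # (application, entitlement) pairs
    accounts: list                       # application name, one entry per account
    composite_score: int = 0
    violations: list = field(default_factory=list)   # stored on the cube

def sod(conflicts, held):
    """SOD check: violation when two or more items from the conflict list are held."""
    hit = conflicts & held
    return len(hit) >= 2, sorted(hit)

def account_policy(rule, idn):
    """More than one account on any given application."""
    dup = {app for app in set(idn.accounts) if idn.accounts.count(app) > 1}
    return bool(dup), sorted(dup)

def risk_score_policy(rule, idn):
    """Composite score strictly above the configured threshold."""
    hit = idn.composite_score > rule.threshold
    return hit, [idn.composite_score] if hit else []

# Constructed policies as (type, check, rule); conflicts and the 800 threshold follow the slides.
POLICIES = [
    ("Role SOD", lambda r, i: sod(r.conflicts, i.roles), Rule("Approve/Pay Vendor",
        "Cannot hold both the Approve Vendor and Pay Vendor roles",
        compensating_control="Quarterly manager review of vendor payments",
        conflicts=frozenset({"Approve Vendor", "Pay Vendor"}))),
    ("Entitlement SOD", lambda r, i: sod(r.conflicts, i.entitlements), Rule("PO create/approve",
        "Cannot both request and approve purchase orders",
        conflicts=frozenset({("ERP", "PO_CREATE"), ("ERP", "PO_APPROVE")}))),
    ("Account", account_policy, Rule("Multiple accounts",
        "More than one account on any given application")),
    ("Risk Score", risk_score_policy, Rule("High risk",
        "Composite risk score above threshold", threshold=800)),
]

def evaluate(idn, policies=POLICIES):
    """Run every active rule; store violation records on the cube and return them."""
    idn.violations = []
    for ptype, check, rule in policies:
        if not rule.active:              # inactive rules are skipped entirely
            continue
        hit, detail = check(rule, idn)
        if hit:
            idn.violations.append({"type": ptype, "rule": rule.summary, "detail": detail,
                                   "compensating_control": rule.compensating_control})
    return idn.violations
```

A violation record keeps the rule's summary and compensating control alongside the offending roles, entitlements, applications or score, which is what a policy owner needs on the Manage Policy Violations page to certify the identity or allow an exception.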

Page 101

Policy Violations – Where to see them?

• After refresh, Policy Violations are visible:

– On the Identity Cube

– On the Manage Policy Violations tab

– During Certifications

– Using Reports

Page 102

Policy Violations – Identity Cube

• On the Policy tab of the identity cube:

Page 103

Policy Violations – Managing

• Manage Policy Violations

– Take action on the Policy Violations page

– List of all active violations in your enterprise

– Accessible to policy owners, such as Compliance Officers

– Actions include certifying the identity or allowing exceptions

Page 104

Policy Violations – Certifications

• Take action on policy violations from an Access Review

– Configure Certification to include Policy Violations

– During Access Reviews, certifiers can allow exceptions or remediate

Page 105

Policy – Reporting Options

Reports available:

– Policy Violation Archive Report

– Policy Violation Detail Report

Page 106

Risk Modeling – Risk and Risk Scoring

• Definition: Risk Modeling

– Applying risk scores to various objects based on behaviors or criteria possessed by the various objects

• AGS 6 supports risk modeling for:

– Identities

– Roles/Entitlements

– Violations

– Certification Age

– Applications

  – # of Service, Privileged, Inactive and Dormant Accounts

  – # of accounts owned by risky identities

  – # of accounts owned by identities with policy violations

Page 107

Modeling – Identity Risk Scoring Config

• Determine overall scoring weights under “Composite Scoring” and “Baseline Access Risk”

– Roles

– Entitlements

– Policy Violations

– Certification Age

Page 108

Where to see Risk Scores

• Identity Risk Tab (Breakdown of score calculation)

Page 109

Where to see Risk Scores

• Application Risk Tab (Breakdown of score calculation)

Page 110

Where to see Risk Scores

• Manage Tab

– Identity Risk Scores

  – Sort scores by risk score

  – See scores by risk band (low/med/high)

  – Perform Certifications

  – See Score Breakdown

– Application Risk Scores

  – Sort application risk scores

Page 111

Advanced Analytics and Risk

• Risk scores are a searchable value in Analytics

• Can use risk scores to define high risk populations for more aggressive certification actions

Page 112

Risk Scoring – Reporting

• Reporting is available for:

Page 113

Lifecycle Manager

Page 114

Key Features/Considerations

• LifeCycle Requests

– What do you want people to be able to do?

  – Request Roles/Entitlements

  – Manage Accounts/Passwords

  – Add/Edit/View Identities

– Who should be able to do what?

  – Order for themselves? Self-Service

  – For others? Managers/Help Desk/All Users

– What can be requested?

  – Controlled by managed entitlement configuration

  – Scoping

  – Rules

– Business Process (Workflow)?

  – What to do for each type of request…

Page 115

Request Management Dashboard

[Diagram: Manager, Help Desk or Employee Requests and Self-Service Requests enter as Role Based Requests (from the Role Repository) or Entitlement Based Requests (from the Entitlement Dictionary), then pass through Model Resolution & Data Collection, Policy Evaluation & Approvals and the Provisioning Broker; Manual Lifecycle Change Events enter the same flow. The request lifecycle is Shop, Checkout, Fulfill.]

Page 116

Managing LifeCycle Requests

• Request for Others – Managers, Help Desk Administrators, and other users based on configuration

• Request for Me – Self Service Requests

Page 117

Requesting Access

• Search for entitlements/roles

Page 118

Submitting a Request

• Clicking Submit starts the Business Process (workflow)

• At this point, workflow takes over and handles policy checks, approvals, gathering needed information, etc.

Page 119

Managing Access Requests

• Fully Traceable/Trackable Identity Requests

• Manage Access Requests

Page 120

Account Request Details

Page 121

+1 713.548.1700 (Worldwide) 888.323.6768 (Toll-free) [email protected] NetIQ.com

Worldwide Headquarters 1233 West Loop South Suite 810 Houston, TX 77027 USA

http://community.netiq.com

Page 122

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright © 2011 NetIQ Corporation. All rights reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.
