www.novell.com Novell Training Services ATT LIVE 2012 LAS VEGAS Introduction to NetIQ Access Governance Lecture NIQ15 Novell, Inc. Copyright 2012-ATT LIVE-1-HARDCOPY PERMITTED. NO OTHER PRINTING, COPYING, OR DISTRIBUTION ALLOWED.
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Copying all or part of this manual, or distributing such copies, is strictly prohibited. To report suspected copying, please call 1-800-PIRATES.
Version 12
ATT Live 2012 A Governance Based Approach to Identity Management
© 2011 NetIQ Corporation. All rights reserved. 2
Changing Identity Management Market
Chart residue (columns 2000 and 2010+):
• User: IT & Help Desk (2000) → Business (2010+)
• Cause: IT Administration → Business Process Management
• Benefit: IT Efficiency → Business Risk Management
• Solution: IT Focused → Business Focused
First Generation Solutions – Bottoms Up Identity
• Looks at use case “Bottom Up”
• IT Centric – designed, built, deployed and used by IT staff
• Infrastructure Focused – plumbing, but with no tap!
Next Generation Identity Management – A Governance Based Approach
• Looks at Identity “Top Down”
1. Business Centric – Ease of use & full lifecycle controls
2. Policy Based - Strong desired state models
3. Last Mile Agnostic – Support multiple “last mile” fulfillment processes
Governance-based Approach 1. Business Centric – Easy to Use
• First generation IdM was built for IT administrators
• Multiple interfaces, no business context
Governance-based Approach 1. Business Centric – Easy to Use
• Dashboard For Business Level Identity Change Requests…
Governance-based Approach 1. Business Centric – Full Lifecycle Control
Diagram residue: lifecycle events Joiners, Movers, Leavers; services Business User Self Service, UAR Certification, Analytics & Reporting, Compliance & Audit Proof; stakeholders Audit, IT Sec, Help Desk, Biz User; Risk Model (marked ?); Provisioning & Directory (marked ✗).
• Visibility
• Business oversight & transparency
• Auditing & tracking
• Control of entire IAM process
Governance Based Approach 2. Policy Based – Strong Desired State Models
• Role Model – Population Analysis; Role & Entitlement Mining; Dynamic Assignment Controls
• Policy Model – Business Policies (SoD); Orchestration Policies; Provisioning Policies
• Risk Model – Rate & Rank Risk; Assessment of Process; Trending & Analysis
• Audit Model – Clear Ownership; Defined Approvals; Tracked Actions
• Controls Model – Defined Process; Sustainable Controls; Compliance Proof
Governance Based Approach 3. Last Mile Agnostic – Support Multiple Fulfillment Processes
Diagram (built up over three slides): Business Processes on the left, IT Resources in the middle, Fulfillment Processes on the right.
Business Processes:
•Give new employee access
•Give temporary access to contractor
•Review access
•Approve role change
•Remediate policy violation
Fulfillment Processes: Service Provider; Help Desk; Automated Provisioning (NetIQ IDM Provisioning Engine); Paper process; IT Admin Change
The final build asks “Fully Automated Provisioning?” and labels the governance layer between business processes and fulfillment as Coordination & Instrumentation.
THE THREE STEPS TO GOVERNANCE BASED IDENTITY CONTROLS
A Governance Based Approach to Identity Management
Where to Start with Identity Governance? Think GPS …
Current Location → Destination → Travel
Three Steps to Governance-based Provisioning
1. Governance Checkpoint (Understand Current State)
   • Build Entitlement Warehouse
   • Establish Responsibility
   • Understand the data
   • Critical Remediation
   Tools: Entitlement Warehouse, Certifications, Policy Evaluation, Remediation, Risk Assessment
2. Build Governance Model (Plan Desired State)
   • Define Automated Controls
   • Model Roles & Policies
   • Model Access
   • Define Approvals
   Tools: Role Engineering, Policy Modeling, Lifecycle Events, Workflow & BP
3. Lifecycle Controls (Manage Ongoing Change)
   • Deploy Request Services
   • Integrate Fulfillment Procedures
   • Establish Closed-loop Audit
   • Monitor, Report, Refine
   Tools: Request Management, Fulfillment Orchestration, Write Connectivity, Monitoring & Reporting
CONCLUSION A Governance Based Approach to Identity Management
Conclusion
• New Approach To Identity Management
  – Business User Driven Identity Lifecycle Control
  – Built on a Model & Policy Based Approach
  – Support for Multiple “Last Miles”
• Three Steps to Identity & Access Governance
  – Understand Current State
  – Model Desired State
  – Manage the Entire Lifecycle
Introducing NetIQ Access Governance Suite 6
Stack diagram, top to bottom:
• Compliance Manager – Certification | Policy Evaluation
• Lifecycle Manager – Access Request | Business Event Triggers
• Governance Platform – Role Management | Policy Engine | Risk Model | Provisioning Broker
• Integration Module – NetIQ IDM Provisioning Engine | 3rd Party Service Desk
Architecture/Installation
Core Application Components
Component diagram residue, grouped by layer:
• Web Browser Interface
• API Layers – Spring, Web Services
• Core engines – Policy Engine, Cert Engine, Identitizer, Task Engine, Workflow Engine, Request Processor, Scope / Capabilities, Aggregation, Identity Events
• Persistence – Hibernate over the Database
• Connectors (Read) – JDBC / LDAP, CSV / FILE, Custom
• Integrations (Write) – Novell/NetIQ PIM Broker, CSV / FILE
• External Applications
Architecture Overview
Diagram residue: a J2SE application on an Application Server, reached over HTTPS from the AJAX web interface and over HTTPS from the IdM Infrastructure (Provisioning, Access Control), persists through Hibernate to an RDBMS Repository and reaches the Managed Resources over Remote Connection Protocols (Flatfile, SSH, LDAP, FTP, JDBC).
Access Governance Suite 6 Installation/Deployment Process
Initial & Patch Deployment
• WAR File Deployment
• Schema Modification/Generation (Optional)
• Database Preparation/Table Creation
• Initialization of Default System Objects
• Apply Patches
Ongoing Deployment & Operation
• Initialization of Customized System Objects
• Deployment of Custom Code
• Deployment of Customized File-System Artifacts
Schema Configuration – Details
• Identity – default 10 searchable, 5 indexed, 20 max
  – Be Aware: Indexing speeds up searching, but slows down updates to the identity cube
• Application — 4 extended attributes, 1 indexed
• Account (Link) — 5 searchable attributes, 1 indexed
• Role (Bundle) — 4 extended attributes, 1 indexed
• Certification — 5 searchable attributes, 1 indexed
• Managed Attributes – 3 searchable, 3 indexed
• Identity to Identity – default 5, none indexed
Database Preparation
• Database Scripts
  – Using your database tools, create a database and all the necessary tables for AGS 6
  – Scripts are provided out of the box if you want to use the default schema and for upgrade usage
  – Location: /WEB-INF/database
  – Examples:
    – create_ags_tables.mysql
    – drop_ags_tables.mysql
    – upgrade_ags_tables.mysql
    – post_upgrade_ags_tables.mysql
• Note: If generating your own scripts, take care to load the proper files. Look at date/time stamps to make sure you are using the most recently generated files.
Configure Access Governance Suite 6
• Startup Preparation – AGS 6 Root:
  – Example: /srv/tomcat6/webapps/ags
• Set database connection parameters in <AGS 6 Root>\WEB-INF\classes\ags.properties
  – This file holds the database credentials; rather than leaving the password in clear text, use the ags encrypt command under the \web-inf\bin directory to encrypt it
Initialize AGS 6 Default Objects
• Creates initial objects within AGS 6
  – Loads default objects into the empty AGS instance
  – Need to populate it with all the default objects: Reports, Tasks, etc.
  – Steps – command: /WEB-INF/bin/ags console
    > import init.xml
  – Note: This process of loading an XML file can be used as a way to load your own files as part of your deployment (Custom Rules, Tasks, Roles, etc.)
Verify AGS 6 Installation
• After AGS 6 is deployed:
  – Start up the Application Server
  – Access Governance Suite 6 Login – http://<server>:<port>/ags
  – The server can be deployed at the root of the app server if desired:
    – Example: http://server.domain.com/
Deployment Strategy
• Development – Unit Test Environment – Usually many of them. Developers may have individual systems for AGS 6 as well as a main Dev system. Typically limited memory, disk space and running in a VM. Avoid loading full data as this complicates development.
• Staging – Load Test Environment – Needs to be able to handle anticipated high-water marks for performance and stress testing. Full data complement should be loaded here to validate design.
• Production Environment – Nearly identical to Stage but incorporates redundancy and failover
Typical High-End Deployment
Diagram residue: a Primary Data Center (Active) and a Backup Data Center (Hot Standby), each with a Cluster Domain, Shared Storage and a Database Cluster. A VIP fronts UI traffic in both sites; the primary also has a VIP for Aggregation traffic. The databases are kept in sync by Streams replication.
Identity Cubes
Definition: Identity Cube
Term used to refer to each unique identity stored in the AGS 6 repository. “Cube” is used to denote the rich, multi-dimensional data available; the tabs of the identity view (screenshot) represent dimensions of the Identity Cube.
Identity Cubes – Detail
• Identity Attributes (Name, Email, Department, etc.)
• Entitlements – Roles and individual entitlements
• Application Accounts
• Policy (any violations for this identity)
• Risk Scores
• History (Attributes, Roles, Entitlements, Accounts, Certification History)
• Activity
• User Rights (within AGS)
• Events (Identity Triggers, Role Sunrise/Sunset)
Identity Cubes
• “Cubes” are built through a discovery process from authoritative sources
• Refreshed dynamically with Account Aggregation tasks
• Snapshots may be maintained to drive historical analytics
Diagram residue: Identity Data from the IT Environment (Applications, File Shares, Packaged Apps, Legacy Apps, Provisioning, Activity Data) and Business Context from the Business Environment (Business Roles, Business Policy, Business Risk) feed the Identity Cubes, which drive the Dashboard and Reports.
How Cubes are Created
• Identity Cubes are created by bringing in user account data from Authoritative Applications
  – Sources like HR/Directory systems – Example: AD/LDAP/HR Systems
  – Multiple Sources (employees/contractors)
• Components
  – Connector – An AGS 6 component which communicates with various targeted platforms, applications and systems to harvest application and account data. A connector is defined as part of an application. (Example: Delimited File Connector, JDBC, Active Directory, etc.)
  – Application – A definition representing a target system. These include how a targeted system is accessed, how the accounts and entitlement data on that system are classified (Schema), associated Risk configuration, as well as a set of Rules specifying relationship data.
Applications – Specifying Schema
• Specifying Schemas
  – Account – Used to represent individual accounts
  – Group – Used to represent individual group accounts
• Specifying Rules
  – Creation – Configuration hook during Identity Cube creation
  – Correlation – Defines Identity Cube search semantics
    – Positive Correlation – Link to Identity
    – Negative Correlation – Creation of Orphan Identity
  – Manager Correlation
  – Customization
• Specifying Activity Data Sources – Drives activity tracking and monitoring (logins/logouts, etc.)
Application Schema – Example
• Data Example
employeeId,userId,groups,email
a1b2,FredFlintstone,Administrators,[email protected]
b1b2,BarneyRubble,Administrators,[email protected]
b1b2,BarneyRubble,VPN Administrators,[email protected]
• Which is
  – An Identity Attribute?
  – A Display Attribute?
  – An Entitlement?
  – A Group?
  – A Multi-Valued Attribute?
Applications – Rules
• Creation Rule – Hook for performing customizations at cube creation time, e.g. assigning AGS 6 capabilities or setting default passwords
  – Not required
• Correlation Rule – Alternatively configured through GUI
  – Determines whether a native account results in creation of a new identity cube or linkage to an existing one
  – Not required when configuring an Application – the implicit rule is to search on the identity name attribute
• Manager Correlation Rule – Alternatively configured through GUI
  – Used by AGS 6 to build and maintain the manager relationship
• Rules provide a fully programmable, Java-based implementation hook
Rules – BeanShell
The BeanShell execution environment provides a high degree of programmability. Example correlation rule (matches the native account to an Identity Cube by e-mail address):
<Source>
<![CDATA[
// account: the native account being aggregated. The rule returns a map naming
// the Identity attribute to search on and the value to match; an empty map
// means no match, so the account falls through to negative correlation.
// "email" must be marked Searchable in Identity Mappings for this to work.
Map returnMap = new HashMap();
String email = account.getStringAttribute("email");
if ( email != null ) {
    returnMap.put("identityAttributeName", "email");
    returnMap.put("identityAttributeValue", email);
}
return returnMap;
]]>
</Source>
Refer to <AGSHOME>\WEB-INF\config\examplerules.xml
Identity Mappings
• Identity Mappings define which account attributes will be maintained as top-level “Identity Attributes”
• Typically sourced from authoritative sources like HR and Corporate Directory
  – Can be sourced with a rule as well
• Persisted as part of the Identity Cube
• Can be marked as searchable
  – Support correlation
  – Support advanced analytics
Identity Mappings – Diagram
Diagram residue: Account Aggregation of the Authoritative HR Application (Authoritative Source) reads an account carrying HR_ID, Name, Insurance Plan and Location; the Identity Mappings promote Name and Location to attributes of the Identity.
Identity Mappings
Editing an identity mapping allows multiple source mappings and precedence setting.
Advanced Options...
• Group Factory: Controls whether attribute will participate in dynamic groups
• Searchable: Determines whether attribute can be used in correlation rules and as criterion for advanced analytics
Account Aggregation
The process by which AGS 6 creates and updates Identity Cubes with account, attribute and entitlement data accessed through configured Applications. Account Aggregation executes in the context of AGS 6 Tasks (which can be scheduled).
Link Attributes
Account attributes maintained (persisted) on the Application links stored within an Identity Cube. Link attributes may be promoted to Identity attributes based on the Identity Mappings configuration.
Account Aggregation
• Things to consider in Account Aggregation...
  – Which Application should be aggregated first?
    – Goal is to mint new Identity Cubes from the “best” source (HR, Corporate DIT)
    – Consider correlation strategy to drive determination of proper order
  – Are Identity Mappings properly configured?
    – Account Aggregator will use Identity Mappings as the guide for promoting Link attributes
Manual Correlation
• When Automatic Correlation falls short...
  – Every organization has challenges in correlating identities across all systems
  – AGS 6 provides a Manual Correlation mechanism to expedite correlation clean-up
Application Onboarding
Application On-Boarding process
• Implementer and application owners will require several iterations of meetings on data
• Entitlement data and hierarchy must be clearly defined and understood
• Data aggregation schedule and dependencies must be captured and analyzed
• Data format and Connectivity mechanism must be clearly defined and agreed upon
Connector Types
• Connectors: ACF2, AIX, AS400, ACE Server, Active Directory, BMC ESS, BEA Aqualogic Enterprise Security, DB2, Delimited File, HP-UX, IBM Lotus Domino, IBM Tivoli Directory Server, IBM Tivoli Identity Manager, ITSM, JDBC, LDAP, LDIF, Linux, Lotus Notes, Mainframe, MS SQL Server, MS Sharepoint, NIS, Novell, Oracle DB, Oracle Apps, Peoplesoft, RACF, Remedy, SAP, SAP HR, SAP Portal, Salesforce, Solaris, Sun IDM, Sybase, TopSecret, Unix, VMS, Windows Local
• Rule Based Connectors
  – Multiplex – Creates applications on the fly
  – Logical – Creates logical application data on the fly
  – RuleBasedFileParser – Creates accounts from loosely formatted data
Connector Deployment Planning – Dealing with data formats (indexing)
• Data needs to be merged – indicates if the connector needs to be aware of multiple rows.
• Index Column – the column name which indicates how similar rows are correlated.
• Which columns should be merged? – the columns that are used in the default merge.
Data Format & Indexing
• File or JDBC with the following result:
username, firstname, lastname, scope, capability
nmcglennon, Neil, McGlennon, US, System Administrator
nmcglennon, Neil, McGlennon, US, Auditor
• Set the merging to the following:
  – Data needs to be merged : true
  – Index Column : username
  – Which columns should be merged? : scope, capability
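As an added example (not code from this training deck or from AGS 6), the Python below mirrors what the merge settings above do to the two sample files on the Application Schema and Data Format slides, then runs the positive/negative correlation step from the Applications – Rules slides against a constructed set of Identity Cubes. The setting names follow the slides; the function names, the invented e-mail addresses, and the in-memory cube records are assumptions for illustration.

```python
import csv
import io
from collections import OrderedDict

# Constructed input: the two sample files from the deck (e-mail addresses
# invented for the example; the deck's copy had them redacted).
ACCOUNTS_CSV = """employeeId,userId,groups,email
a1b2,FredFlintstone,Administrators,fred@example.com
b1b2,BarneyRubble,Administrators,barney@example.com
b1b2,BarneyRubble,VPN Administrators,barney@example.com
"""

CAPABILITIES_CSV = """username, firstname, lastname, scope, capability
nmcglennon, Neil, McGlennon, US, System Administrator
nmcglennon, Neil, McGlennon, US, Auditor
"""


def parse_delimited(text, delimiter=",", has_header=True, merge=False,
                    index_column=None, merge_columns=()):
    """Model of the connector options Delimiter, 'File has column header on
    first line', 'Data needs to be merged', 'Index Column' and 'Which columns
    should be merged'. With merging on, rows that share the index column fold
    into one account whose merge columns become multi-valued lists; the other
    columns keep the value from the first row seen."""
    rows = [[cell.strip() for cell in row]
            for row in csv.reader(io.StringIO(text), delimiter=delimiter)]
    rows = [row for row in rows if any(row)]
    if has_header:
        names, rows = rows[0], rows[1:]
    else:
        names = ["col%d" % i for i in range(len(rows[0]))]
    records = [dict(zip(names, row)) for row in rows]
    if not merge:
        return records                      # one account per line
    merged = OrderedDict()
    for rec in records:
        key = rec[index_column]
        if key not in merged:
            merged[key] = {k: ([v] if k in merge_columns else v)
                           for k, v in rec.items()}
        else:
            for col in merge_columns:
                if rec[col] not in merged[key][col]:
                    merged[key][col].append(rec[col])
    return list(merged.values())


def email_rule(account):
    """Stand-in for the BeanShell correlation rule on the Rules slide: name the
    searchable Identity attribute and the value to look for, or return {}."""
    email = account.get("email")
    return ({"identityAttributeName": "email", "identityAttributeValue": email}
            if email else {})


def correlate(accounts, identities, rule, searchable=("name", "email")):
    """Positive correlation links the account to an existing Identity Cube as a
    Link; negative correlation (no hint, or no cube with that value) mints an
    orphan cube. Only Searchable identity attributes may be used by the rule.
    Returns the names of the orphan cubes created."""
    orphans = []
    for acct in accounts:
        hint = rule(acct)
        match = None
        if hint:
            attr, value = hint["identityAttributeName"], hint["identityAttributeValue"]
            if attr not in searchable:
                raise ValueError("%r is not a searchable identity attribute" % attr)
            match = next((cube for cube in identities if cube.get(attr) == value), None)
        if match is None:
            match = {"name": acct.get("userId") or acct.get("username"),
                     "orphan": True, "links": []}
            identities.append(match)
            orphans.append(match["name"])
        match["links"].append(acct)
    return orphans


def run_example():
    # Constructed: one cube already minted from the authoritative HR feed.
    identities = [{"name": "Fred Flintstone", "email": "fred@example.com",
                   "orphan": False, "links": []}]
    accounts = parse_delimited(ACCOUNTS_CSV, merge=True,
                               index_column="employeeId", merge_columns=("groups",))
    orphans = correlate(accounts, identities, email_rule)
    caps = parse_delimited(CAPABILITIES_CSV, merge=True, index_column="username",
                           merge_columns=("scope", "capability"))
    return accounts, identities, orphans, caps


if __name__ == "__main__":
    accounts, identities, orphans, caps = run_example()
    print("accounts after merge:", len(accounts), "(3 lines in the file)")
    print("BarneyRubble groups:", accounts[1]["groups"])
    print("orphan cubes minted:", orphans)
    print("nmcglennon capabilities:", caps[0]["capability"])
```

Without merging, BarneyRubble's two lines would become two accounts on one application; with the index column set, they become one account with a multi-valued groups attribute, which is what makes the groups usable as entitlements in a certification. The searchable check is the reason the Identity Mappings slide insists that an attribute be marked Searchable before a correlation rule can use it.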
Delimited File Applications
• Required:
  – File Transport – the method used to retrieve the file. Defaults to “local” but “ftp” and “scp” are allowed as well.
  – File Path – the path and name of the file being parsed.
• Recommended:
  – Delimiter – option to indicate the method to parse the file. Any delimiter can be used. Escaped delimiters use the Unicode equivalent. Common options are “,” or “\u0009” (tab).
  – File has column header on first line – option to indicate that the file has a header, and skip the first line of parsing.
Delimited File Applications (part 1) and (part 2): configuration screenshots.
JDBC Applications
• Fairly similar parsing to the Delimited File Connector.
• Required:
  – user – the username used to connect to the database.
  – url – the JDBC URL used to connect to the database.
  – driverClass – the Java classname of the JDBC driver used to connect to the database. The driver jar must be in $AGSHOME/WEB-INF/libs/
• Recommended:
  – password – a password used to connect to the database
  – SQL – the query to fetch data from the database. Note: The JDBC Connector supports stored procedures.
LDAP Connector
• Account and Group Schemas are pre-populated.
• Required:
  – authorizationType: None, Simple, or Strong. Default is Simple.
  – user: User DN to bind to the directory as.
  – port: Connection port of the LDAP server. Usually 389 or 636.
  – host: Connection host IP or address.
  – searchScope: Depth to search the LDAP tree. OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE.
• Recommended:
  – password: the credentials the user uses to bind to the directory.
  – searchDN: The search starting point DN string.
  – iterateSearchFilter: optional filter string to filter out objects.
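Added example, not part of the deck or of AGS 6: a pre-onboarding lint for the connector settings listed on the Delimited File, JDBC and LDAP slides. It flags the combinations a security reviewer would send back (ftp transport, anonymous or clear-text LDAP binds, an aggregation query that is not read-only) next to settings that pass. The setting names are the ones on the slides; the rule set, the severities and the weak/fixed sample configurations are constructed for the example.

```python
VALID_SCOPES = ("OBJECT_SCOPE", "ONELEVEL_SCOPE", "SUBTREE_SCOPE")


def lint_connector(kind, cfg):
    """Return (severity, message) findings for one application's connector
    settings. kind is 'delimited', 'jdbc' or 'ldap'; cfg is the setting map."""
    findings = []

    def require(*keys):
        for key in keys:
            if cfg.get(key) in (None, ""):
                findings.append(("error", "%s: required setting %r is missing" % (kind, key)))

    if kind == "delimited":
        require("File Path")
        transport = cfg.get("File Transport", "local")      # slide: defaults to local
        if transport not in ("local", "ftp", "scp"):
            findings.append(("error", "delimited: unknown File Transport %r" % transport))
        elif transport == "ftp":
            findings.append(("warn", "delimited: ftp moves the account file and its login in clear text; use scp"))
        if not cfg.get("Delimiter"):
            findings.append(("info", "delimited: Delimiter not set; a tab-separated file needs '\\u0009'"))

    elif kind == "jdbc":
        require("user", "url", "driverClass")
        if cfg.get("url") and not str(cfg["url"]).startswith("jdbc:"):
            findings.append(("error", "jdbc: url is not a JDBC URL (jdbc:...)"))
        sql = str(cfg.get("SQL", "")).strip().lower()
        if sql and not sql.startswith(("select", "call", "{call", "exec")):
            findings.append(("warn", "jdbc: aggregation only reads; SQL is not a SELECT or a stored-procedure call"))
        if not cfg.get("password"):
            findings.append(("warn", "jdbc: no password; the connector will try to connect unauthenticated"))

    elif kind == "ldap":
        require("user", "host", "port", "searchScope")
        auth = cfg.get("authorizationType", "Simple")       # slide: default is Simple
        port = int(cfg.get("port") or 0)
        if auth not in ("None", "Simple", "Strong"):
            findings.append(("error", "ldap: authorizationType must be None, Simple or Strong"))
        elif auth == "None":
            findings.append(("warn", "ldap: anonymous bind; directory data is read without authentication"))
        elif auth == "Simple" and port != 636:
            findings.append(("warn", "ldap: Simple bind on port %d sends the bind password in clear text "
                                     "unless the link is otherwise protected; use 636 (LDAPS) or Strong" % port))
        if cfg.get("searchScope") not in VALID_SCOPES:
            findings.append(("error", "ldap: searchScope must be one of " + ", ".join(VALID_SCOPES)))
        elif cfg["searchScope"] == "SUBTREE_SCOPE" and not cfg.get("iterateSearchFilter"):
            findings.append(("info", "ldap: subtree search with no iterateSearchFilter aggregates every object under searchDN"))

    else:
        findings.append(("error", "unknown connector kind %r" % kind))
    return findings


def worst(findings):
    """Highest severity in a finding list, or 'ok' when it is empty."""
    order = {"error": 3, "warn": 2, "info": 1}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


# Constructed sample configurations: one weak and one corrected per connector.
SAMPLES = {
    "hr-feed (weak)": ("delimited", {"File Transport": "ftp", "File Path": "/feeds/hr.csv"}),
    "hr-feed (fixed)": ("delimited", {"File Transport": "scp", "File Path": "/feeds/hr.csv",
                                      "Delimiter": ",", "File has column header on first line": True}),
    "erp-db (weak)": ("jdbc", {"user": "ags", "url": "jdbc:mysql://db.example.com/erp",
                               "driverClass": "com.mysql.jdbc.Driver",
                               "SQL": "DELETE FROM accounts"}),
    "erp-db (fixed)": ("jdbc", {"user": "ags", "url": "jdbc:mysql://db.example.com/erp",
                                "driverClass": "com.mysql.jdbc.Driver", "password": "***",
                                "SQL": "SELECT username, role FROM accounts"}),
    "corp-ldap (weak)": ("ldap", {"user": "cn=svc-ags,ou=svc,dc=example,dc=com",
                                  "host": "ldap.example.com", "port": 389,
                                  "searchScope": "SUBTREE_SCOPE"}),
    "corp-ldap (fixed)": ("ldap", {"user": "cn=svc-ags,ou=svc,dc=example,dc=com",
                                   "host": "ldap.example.com", "port": 636, "password": "***",
                                   "searchScope": "SUBTREE_SCOPE",
                                   "searchDN": "ou=people,dc=example,dc=com",
                                   "iterateSearchFilter": "(objectClass=person)"}),
}


def lint_all(samples=SAMPLES):
    """Map application name -> worst severity, for a quick go/no-go list."""
    return {name: worst(lint_connector(kind, cfg)) for name, (kind, cfg) in samples.items()}


if __name__ == "__main__":
    for name, (kind, cfg) in SAMPLES.items():
        for sev, msg in lint_connector(kind, cfg) or [("ok", "no findings")]:
            print("%-20s %-5s %s" % (name, sev, msg))
```

The lint only knows the option names on these slides; whether "Strong" on your directory means SASL or a client certificate is a property of the connector, not of this check, so treat a warn as a question for the application owner during on-boarding rather than as a verdict.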
What is a Logical Application?
• A way to define an application “logically”
  – Logical apps allow for the combining (previous composite behavior) and now subdividing of applications
  – Examples:
    – An AD group controls access to an application at company ABC. They want to treat this application as a logical standalone application (Subdividing)
    – Application is defined by Mainframe application access and SQL database access (Composite)
• Simplifies searches, certifications, etc. by treating these special types of applications as a logical entity.
Access Certification
Certification Types
• Different certification types allow you to certify everything from a user's access to role membership and more.
Certification Schedules
• Schedules
– One Time (what we will do in testing during class)
– Runs a single unscheduled certification
– Great for testing/development
– Scheduled (Weekly, Monthly, Quarterly, Annually)
– Runs on a repeatable schedule
– Great for production situations where certifications must happen at regular intervals
– Continuous
– Certification never ends
– Individual items are certified on their own certification schedules (i.e. each entitlement is certified monthly, independently of other items.)
Certification Time Periods
[Diagram: certification timeline. Phases: Generation, Notification, Active, Challenge, Remediation, Certification End. Actors: Certifier (Sign-Off), System, Remediator (Revoke).]
Access Certification – Time Periods
• Pre-Certification
– Certification Schedule fires
– Access Reviews are created and owners are notified via email
• Active Period
– Certifiers log in and view certifications from the Inbox or My Certifications page
– Certifiers make decisions, reassign, or delegate
– Users may challenge revoke decisions (configurable)
– Once all decisions are made, the certifier signs off on the certification
• Challenge Period – Users can challenge decisions
• Revocation Period – Period to allow revokes to occur (AGS scans during this time for changes)
– Certification no longer appears in Inbox
– Remediation requests passed on to Provisioning Broker
What to Certify – Manager Certification
• Manager Certification
– Which specific managers/all managers
– Which applications/all applications
– Certify Entitlements or Accounts
– Can certify whether a user has an account on a system versus the specific entitlements a user possesses
– For Entitlements
– Include Additional Entitlements
– Include Roles
– Certify Accounts with no Entitlements (Y/N)
– Policy Violations
What to Certify – Application Owner Cert
• Application Owner Certification
– Which applications/all applications
– Certify Entitlements or Accounts
– Can certify whether a user has an account on a system versus the specific entitlements a user possesses
– For Entitlements
– Include Additional Entitlements
– Include Roles
– Certify Accounts with no Entitlements (Y/N)
– Policy Violations
What to Certify – Entitlement Owner Cert
• Entitlement Owner Certification
– Which applications/all applications
– Include un-owned Entitlements
– If yes, who will review un-owned Entitlements (default: Application owner)
– Can define another user
– Note: Entitlement descriptions and ownership are defined by created Managed Entitlements
– Missing Managed Entitlements scan task
– Aggregating with “Promote managed entitlements” checked
– Using a “Managed Entitlement Customization Rule” as part of your application definition
What to Certify – Advanced Cert
• Advanced Certification
– User group(s) to certify (Population or Group Factory)
– Note: Rules can be used to assign certifiers to groups with a factory
– Other options are just like Manager Certification
What to Certify – Role Certs
• Role Membership and Role Composition Certification
– These certifications request that the owner of a role certify the members of each role or the composition (makeup) of the role
– Which roles to certify
– Choose specific ones
– By Type (IT/Business/etc.)
– All Roles
What to Certify – Account Group Certs
• Account Group Permissions and Membership Certifications
– These certifications request that the owner of an account group certify the actual entitlements/permissions granted to each Account Group or the membership of the Account Group
– Which applications to certify
– Choose or All Applications
Access Certification – Configuration
– Schedule
– Run Once, Scheduled or Continuous
– Duration and types of Phases
– Active Period
– Challenge Period
– Revocation Period
– Automatic Closing (Rule, Revoke, Allow, Exception)
– Email notification parameters
– Certification Reminders and Escalation
– Revocation Reminders and Escalation
– Advanced
– Exclusions and Pre-Delegations
Access Certifications – Global Config
• If there are things you configure often, you can set them in the global settings
– System Setup > Compliance Configuration
– Configure Global Settings that apply to all certifications
– Can be overridden on per-certification basis
Certifications – Rules
• Time Period Rules
– Active Period Enter Rule
– Challenge Period Enter Rule
– Revocation Period Enter Rule
– End Period Rule
– Closing Rule
• Escalation
– Escalation Rule for Expirations and Revocations
• Certification Control
– Exclusion Rule
– Pre-Delegation Rule
– Sign Off Approver Rule
Managing Certification Access Reviews
• Inbox or Manage > My Access Reviews
Managing Access Reviews
• Click on Access Review Work Item
• View – Worksheet or Identity
• Make Decisions and Sign Off
Access Certification – Decision Details
• Revoke
– Request the removal of an identity’s access to the specified business role or entitlement, or the removal of a permission or member from an account group
– Revocation options are configurable
– Revocation requests are not sent until certifications are signed off or the challenge period has ended
– Identity-type revocation requests are driven by the challenge and remediation periods or phases
– Revocation can be automated through configuration with a provisioning provider
– Revocation can be performed as a bulk action or on an item by item basis
Access Certification – Decision Details
• Delegate
– Delegate the task of performing all or part of a certification to a different certifier
– Delegation options are configurable
– Delegate and certifier communicate through certification comments
– Delegate can reject delegation requests
– Delegate can forward request to another certifier
– Delegate has the same certification decision options as the original certifier
– When a delegation work item is marked as complete the decision shows up in the certification as complete
– Delegation can be performed as a bulk action or on an item by item basis
• Reassign
– Reassign multiple identities or account groups to a different certifier from the identity or account group list page
– Reassignment is only available as a bulk action
Certifications – Monitoring Progress
• Monitor Certifications
• Oversee progress as certification progresses
Reporting – Certifications
Certifications from Advanced Analytics
• Analyze > Advanced Analytics
• Select and Certify
Certifications from Risk Scoring
• Manage Identity Risk Scores
• Select and Certify
Roles, Policies and Risk
Overview
[Diagram: Business Domain (Populations (Dynamic & Static), Assignment Rules, Job Functions, Responsibilities, Business Analysis, Organizational Data, Security Model, Resources) and IT Domain (Authorizations, Entitlements, Targets, Rights). Business Roles and Technical Roles are linked by Relationships: Mandatory (Requires) and Discretionary (Permits). Policy Model; Workflow Approvals.]
Flexible Role Types
• Business Roles
– An articulation of a business function, responsibility or duty
– Often grouped by organization, business process or projects
– Users are directly associated with business roles (“subject groupings”)
– Often using dynamic “assignment” rules based on identity data
• Technical (IT) Roles
– Are sets of entitlements managed together for organizational and operational efficiency
– Often grouped by application or related set of system components
– Defines and controls actual instance attributes for a given entitlement “profile”
– Provides a level of abstraction for complex entitlements
• Custom Roles
– Allow optional inheritance, entitlement profiles, and meta-data
– Facilitate construction of an effective role solution without requiring the business to change to fit the product
[Diagram: example roles. Business Roles: A/P Clerk, Financial Accountant, Sales Manager, Shipping Clerk. IT Roles: ERP A/P Access, Finance Group Membership, CRM Approval Access, Ship on Inventory System. Custom Roles: Security Clearance I.]
Extensible Roles Are Key: Modeling Different Types Of Roles
[Diagram: role types (Provisioning Roles, IT Roles, Compliance Roles, Resource Roles, Organizational Roles, Business Functional Roles), each carrying Metadata, Behaviors and Controls.]
[Diagram: Business Roles (Static & Dynamic Assignment) over IT Roles, linked by Permits & Requires Relationships; Policy Engine and Workflow Model. Dynamic Assignment from Identity Attribute Data; Manual and Static Assignment by Identity/Role Admins, Delegates and Business Self-Service; Approvals, Controls, Audit.]
Assigned vs Detected Roles
[Diagram: Model View (Desired State): Role with Assignment Rules, Relationship Rules, Controls and Metadata; Entitlement Model with Attributes & Values. Actual View (Actual State): Resources with Attributes & Entitlements, collected by Aggregation. Identity: Assigned Roles (via Assignment Rules or Manual Assignment), Detected Roles (Detected Entitlements & Matched Roles), Additional Entitlements.]
Role Definition and Mining
• Top-Down Business Role Modeling
– Captured via business analysis and organizational modeling
– Enhanced using automated analysis of identity data
– Supported heavily by role membership certification
• Bottom-Up IT Role Mining
– Driven by algorithmic analysis and analytics-focused mining processes
– Derived from data pulled from the central repository or “actuals”
– Supported heavily by role composition certification and analysis and “review” of those actuals
• Collaborative Association
– Key to the hybrid approach
– Join business & IT roles using the model
– What if modeling & impact analysis
– Population analysis
[Diagram: Bottom-Up Role Mining from Actuals and Top-Down Business Role Modeling (Business Role Mining, Organizational Modeling), joined by Controlled Association into Roles.]
Mining, Analytics & Engineering
• Top Down
– Population Analysis & Automated Discovery
– Populations, Work Groups & Assignment Rules & Business Roles
• Bottom Up
– Entitlement Patterns, Group / Set Analysis
– Entitlement Expressions, Profiles & IT Technical Roles
Extensible Role Model
System Setup > Role Configuration
Out of the box:
– IT Roles (for detection/provisioning)
– Entitlement Roles (for detection/provisioning)
– Business Roles (for assignment)
– Organizational Roles (for containment)
Additional Roles?
– Create New Types
Out of the Box Role Types
Type                                     Business  IT   Entitlement  Organizational
Allow Inheritance of other roles         Yes       Yes  Yes          Yes
Allow other roles inheriting this role   Yes       Yes  No           Yes
Auto Detection with Profiles             No        Yes  No           No
Entitlement Profiles                     No        Yes  Yes          No
Automatic Assignment with Rule           Yes       No   No           No
Assignment Rule                          Yes       No   No           No
Manual Assignment                        Yes       No   Yes          No
Permitted Roles List                     Yes       No   No           No
Allow being on permitted roles list      No        Yes  Yes          No
Required Roles list                      No        Yes  No           No
Allow being on a Required Roles list     No        Yes  Yes          No
Allow granting of IIQ rights             No        No   No           No
Sunrise/Sunset of Roles
Global Configuration: System Setup > AGS 6 Configuration > Miscellaneous
Role Activation: Define Roles
– Activate date
– Deactivate date
Used for roles that have limited-time usage or delayed activation
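The Assigned vs Detected Roles slide, the Permits/Requires relationships in the role-type table and the sunrise/sunset dates above can be put together in one small reconciliation, shown here as an added example (not NetIQ AGS code). Every role, assignment rule, identity attribute and entitlement is constructed sample data, and the relationship shape (business roles permit IT roles, IT roles require other roles) is a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Entitlement = Tuple[str, str, str]   # (application, attribute, value)


@dataclass
class ITRole:
    """Detected from actuals: held when every entitlement in the profile is present."""
    name: str
    profile: FrozenSet[Entitlement]
    requires: FrozenSet[str] = frozenset()   # mandatory roles that must also be detected
    activate: date = date.min                # sunrise date
    deactivate: date = date.max              # sunset date

    def active_on(self, day: date) -> bool:
        return self.activate <= day < self.deactivate


@dataclass
class BusinessRole:
    """Assigned from identity attributes by a dynamic assignment rule."""
    name: str
    assignment_rule: Callable[[Dict[str, str]], bool]
    permits: FrozenSet[str] = frozenset()    # discretionary IT roles


@dataclass
class Identity:
    name: str
    attributes: Dict[str, str]
    entitlements: FrozenSet[Entitlement]     # the aggregated "actuals"


def assigned_roles(identity: Identity, business_roles: List[BusinessRole]) -> Set[str]:
    """Model View: business roles whose assignment rule matches the identity data."""
    return {r.name for r in business_roles if r.assignment_rule(identity.attributes)}


def detected_roles(identity: Identity, it_roles: List[ITRole], as_of: date) -> Set[str]:
    """Actual View: IT roles active on the date whose entitlement profile is fully present."""
    return {r.name for r in it_roles
            if r.active_on(as_of) and r.profile <= identity.entitlements}


def reconcile(identity, business_roles, it_roles, as_of) -> Dict[str, list]:
    """Compare the two views and report what a certifier would want to see."""
    assigned = assigned_roles(identity, business_roles)
    detected = detected_roles(identity, it_roles, as_of)
    by_biz = {r.name: r for r in business_roles}
    by_it = {r.name: r for r in it_roles}
    permitted = set().union(*(by_biz[n].permits for n in assigned))
    required = set().union(*(by_it[n].requires for n in detected))
    covered = set().union(*(by_it[n].profile for n in detected))
    return {
        "assigned": sorted(assigned),
        "detected": sorted(detected),
        "missing_required": sorted(required - detected),   # Requires relationship not met
        "not_permitted": sorted(detected - permitted),      # no assigned business role permits it
        "additional_entitlements": sorted(identity.entitlements - covered),
    }


# --- constructed sample data (role names echo the slide's examples) -------
AP_ACCESS = ("ERP", "group", "AP_Clerks")
FIN_GROUP = ("AD", "memberOf", "FinanceGroup")
CRM_APPROVE = ("CRM", "capability", "Approve")
SHIP_INV = ("Inventory", "right", "Ship")
IT_ROLES = [
    ITRole("ERP A/P Access", frozenset({AP_ACCESS}), requires=frozenset({"Finance Group Membership"})),
    ITRole("Finance Group Membership", frozenset({FIN_GROUP})),
    ITRole("CRM Approval Access", frozenset({CRM_APPROVE})),
    ITRole("Ship on Inventory System", frozenset({SHIP_INV}), deactivate=date(2012, 6, 30)),  # sunset
]
BUSINESS_ROLES = [
    BusinessRole("A/P Clerk", lambda a: a.get("department") == "Accounts Payable",
                 permits=frozenset({"ERP A/P Access", "Finance Group Membership"})),
    BusinessRole("Sales Manager", lambda a: a.get("department") == "Sales" and a.get("title") == "Manager",
                 permits=frozenset({"CRM Approval Access"})),
]
ALICE = Identity("alice", {"department": "Accounts Payable"}, frozenset({AP_ACCESS, SHIP_INV}))
BOB = Identity("bob", {"department": "Sales", "title": "Manager"}, frozenset({FIN_GROUP}))
AS_OF = date(2012, 9, 1)   # after the Inventory role's sunset date


def run_demo(as_of: date = AS_OF) -> Dict[str, Dict[str, list]]:
    return {i.name: reconcile(i, BUSINESS_ROLES, IT_ROLES, as_of) for i in (ALICE, BOB)}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

Once the Inventory role has passed its sunset date its entitlement is no longer explained by any detected role and surfaces as an additional entitlement, which is what a certifier would be asked to review.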
Definition: Policy
Policies are defined specifically for your enterprise and used to monitor for identities that are in violation of those policies. For example, a separation of duties policy might disallow one identity from requesting and approving purchase orders or an activity policy might disallow an identity with the Human Resource business role from updating the payroll application even though they do have view access to that application. Violations on each of a policy’s rules, when detected, are stored in the identity cube. These violations also appear on identity score cards and enable you to identify high-risk employees and act accordingly.
Policy Violation Types
• Role SOD Policy
• Entitlement SOD Policy
• Activity Policy
• Account Policy
• Risk Policy
• Advanced Policy
Policy – Role SOD Policy
• An SOD Policy is composed of one or more SOD rules
• An SOD rule is comprised of the following:
– Summary: A brief title for the rule
– Description: Short text which describes the rule
– State: A flag indicating whether the rule is active or not
– Compensating Control: A brief description of the remediation steps or exceptions to the rule
– Role Conflicts: A list of roles which conflict with each other
SOD rule definitions provide a framework for policy enforcement (Ex: Cannot have the “Approve Vendor” Role and the “Pay Vendor” Role.)
Policy – Entitlement SOD Policy
• An SOD Policy is composed of one or more SOD rules
• An SOD rule is comprised of the following:
– Summary: A brief title for the rule
– Description: Short text which describes the rule
– State: A flag indicating whether the rule is active or not
– Compensating Control: A brief description of the remediation steps or exceptions to the rule
– Entitlement Conflicts: A list of entitlements which conflict with each other
– Note: can also use Identity Attributes for conflict analysis
Policy – Activity Policy
• An Activity Policy consists of one or more activity rules
• Example: Login after hours
• An Activity rule is comprised of the following:
– Summary: A brief title for the rule
– Description: Short text which describes the rule
– State: A flag indicating whether the rule is active or not
– Compensating Control: A brief description of the remediation steps or exceptions to the rule
– Identity Filters: A filter of identities to apply this rule to
– Activity Filters: A list of activities to detect
Policy – Account Policy
Account Policy is composed of a single rule: Does a user have more than one account on any given application?
– Summary: A brief title for the rule
– Description: Short text which describes the rule
– State: A flag indicating whether the rule is active or not
Policy – Risk Score Policy
Risk Score Policy is composed of a single rule
– Summary: A brief title for the rule
– Description: Short text which describes the rule
– State: A flag indicating whether the rule is active or not
– Policy Attributes
– Composite Score Threshold: A risk score value to use when detecting violations
– Example: All identities with risk score > 800 receive this policy violation
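The rule shapes from the Role SOD, Entitlement SOD, Account and Risk Score Policy slides above can be evaluated by one small detector, shown here as an added example (not NetIQ AGS code). All rules, identities, entitlement strings and scores are constructed sample data; treating a conflict list as violated when an identity holds two or more of its items is this example's assumption.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SODRule:
    """One rule of a Role SOD or Entitlement SOD policy (fields as listed on the slides)."""
    summary: str
    description: str
    active: bool                  # State flag
    compensating_control: str
    conflicts: FrozenSet[str]     # role names (Role SOD) or entitlements (Entitlement SOD)


@dataclass
class Identity:
    name: str
    roles: FrozenSet[str]
    entitlements: FrozenSet[str]  # constructed "app:attribute=value" strings
    accounts: Dict[str, int]      # application -> number of accounts held
    composite_risk: int           # composite risk score from the identity cube


@dataclass(frozen=True)
class Violation:
    identity: str
    policy: str
    rule: str
    detail: str
    compensating_control: str = ""


def sod_violations(identity: Identity, policy: str, rules: List[SODRule]) -> List[Violation]:
    """A rule fires when the identity holds two or more items on its conflict list;
    rules whose State flag is off are skipped."""
    held_items = identity.roles if policy == "Role SOD" else identity.entitlements
    found = []
    for rule in rules:
        if not rule.active:
            continue
        held = sorted(rule.conflicts & held_items)
        if len(held) >= 2:
            found.append(Violation(identity.name, policy, rule.summary,
                                   "holds " + " and ".join(held), rule.compensating_control))
    return found


def account_violations(identity: Identity) -> List[Violation]:
    """Account Policy: more than one account on any given application."""
    return [Violation(identity.name, "Account", "Multiple accounts", f"{count} accounts on {app}")
            for app, count in sorted(identity.accounts.items()) if count > 1]


def risk_violations(identity: Identity, threshold: int = 800) -> List[Violation]:
    """Risk Score Policy: composite score above the configured threshold."""
    if identity.composite_risk > threshold:
        return [Violation(identity.name, "Risk", f"Composite score > {threshold}",
                          f"score {identity.composite_risk}")]
    return []


def evaluate(identity, role_rules, entitlement_rules, risk_threshold=800) -> List[Violation]:
    """Run every policy type against one identity; the result is what a refresh
    would store on the identity cube and surface on its score card."""
    return (sod_violations(identity, "Role SOD", role_rules)
            + sod_violations(identity, "Entitlement SOD", entitlement_rules)
            + account_violations(identity)
            + risk_violations(identity, risk_threshold))


# --- constructed sample policies and identities -------------------------
ROLE_RULES = [
    SODRule("Vendor approve/pay", "No one both approves and pays a vendor", True,
            "Quarterly manager review of vendor payments", frozenset({"Approve Vendor", "Pay Vendor"})),
    SODRule("Legacy rule", "Inactive rule that must not fire", False, "",
            frozenset({"Pay Vendor", "Audit Vendor"})),
]
ENTITLEMENT_RULES = [
    SODRule("PO create/approve", "Cannot create and approve purchase orders", True,
            "Dual sign-off above 10k", frozenset({"ERP:txcode=PO_CREATE", "ERP:txcode=PO_APPROVE"})),
]
CAROL = Identity("carol", frozenset({"Approve Vendor", "Pay Vendor", "Audit Vendor"}),
                 frozenset({"ERP:txcode=PO_CREATE"}), {"ERP": 2, "AD": 1}, 850)
DAVE = Identity("dave", frozenset({"Pay Vendor"}),
                frozenset({"ERP:txcode=PO_CREATE", "ERP:txcode=PO_APPROVE"}), {"ERP": 1}, 300)


def run_demo() -> Dict[str, List[Violation]]:
    return {i.name: evaluate(i, ROLE_RULES, ENTITLEMENT_RULES) for i in (CAROL, DAVE)}


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(name, [(v.policy, v.detail) for v in found])
```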
Policy Violations – Where to see them?
• After refresh, Policy Violations are visible:
– On the Identity Cube
– On the Manage Policy Violations tab
– During Certifications
– Using Reports
Policy Violations – Identity Cube
• On the Policy tab of the identity cube:
Policy Violations – Managing
• Manage > Policy Violations
– Take action on the Policy Violations page
– List of all active violations in your enterprise
– Accessible to policy owners, such as Compliance Officers
– Actions include certifying identity or allowing exceptions
Policy Violations – Certifications
• Take action on policy violations from an Access Review
– Configure Certification to include Policy Violations
– During Access Reviews, certifiers can allow exceptions or remediate
Policy – Reporting Options
Reports available:
– Policy Violation Archive Report
– Policy Violation Detail Report
Risk Modeling – Risk and Risk Scoring
• Definition: Risk Modeling
– Applying risk scores to various objects based on behaviors or criteria possessed by those objects
• AGS 6 supports risk modeling for:
– Identities
– Roles/Entitlements
– Violations
– Certification Age
– Applications
– # of Service, Privileged, Inactive and Dormant Accounts
– # of accounts owned by risky identities
– # of accounts owned by identities with policy violations
Modeling – Identity Risk Scoring Config
• Determine overall scoring weights under “Composite Scoring” and “Baseline Access Risk”
– Roles
– Entitlements
– Policy Violations
– Certification Age
Where to see Risk Scores
• Identity Risk Tab (Breakdown of score calculation)
Where to see Risk Scores
• Application Risk Tab (Breakdown of score calculation)
Where to see Risk Scores
• Manage Tab
– Identity Risk Scores
– Sort scores by risk score
– See scores by risk band (low/med/high)
– Perform Certifications
– See Score Breakdown
– Application Risk Scores
– Sort application risk scores
Advanced Analytics and Risk
• Risk scores are a searchable value in Analytics
• Can use risk scores to define high risk populations for more aggressive certification actions
Risk Scoring – Reporting
• Reporting is available for:
Lifecycle Manager
Key Features/Considerations
• LifeCycle Requests
– What do you want people to be able to do?
– Request Roles/Entitlements
– Manage Accounts/Passwords
– Add/Edit/View Identities
– Who should be able to do what?
– Order for themselves? Self-Service
– For others? Managers/Help Desk/All Users
– What can be requested?
– Controlled by managed entitlement configuration
– Scoping
– Rules
– Business Process (Workflow)?
– What to do for each type of request…
Request Management Dashboard
[Diagram: Manager, Help Desk or Employee Requests and Self-Service Requests (Role Based Request, Entitlement Based Request) flow through Shop (Role Repository, Entitlement Dictionary), Checkout (Model Resolution & Data Collection, Policy Evaluation & Approvals) and Fulfill (Provisioning Broker, Manual Lifecycle Change Events).]
Managing LifeCycle Requests
• Request for Others – Managers, Help Desk Administrators, and other users based on configuration.
• Request for Me – Self Service Requests
Requesting Access
• Search for entitlements/roles
Submitting a Request
• Clicking Submit starts Business Process (workflow)
• At this point, workflow takes over and handles policy checks, approvals, gathering needed information, etc.
Managing Access Requests
• Fully Traceable/Trackable Identity Requests
• Manage Access Requests
Account Request Details
+1 713.548.1700 (Worldwide) 888.323.6768 (Toll-free) [email protected] NetIQ.com
Worldwide Headquarters 1233 West Loop South Suite 810 Houston, TX 77027 USA
http://community.netiq.com
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright © 2011 NetIQ Corporation. All rights reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.