Permission Collection and Reconciliation Service
Posted on 17-Feb-2017
Permission Collection and Reconciliation Service (PCRS)
November 2014
Kamal Narayan, Senior Product Manager, nkamal@netiq.com
Rajiv Kumar, Associate Senior Specialist, krajiv@netiq.com
#BrainShare #NetIQ7130
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
Agenda
• Entitlements and Resources
• Current limitations
• PCRS
• PCRS components
• PCRS flow
• Troubleshooting tips
Entitlements and Resources
Entitlements
Model application permission
IDM Drivers have sample entitlements
Primarily managed by Designer
Sample entitlements may not be readily useful (AD vs JDBC)
Often application integration requires creating entitlements
Primarily used on subscriber channel with IDV as the source of truth
No out of the box solution for onboarding application assignments
Resources
Introduced during RBPM 3.7
Abstraction layer between driver entitlements and Roles.
Curatable: people-friendly names (unlike entitlements) and an approval workflow
Enables granular assignment status
Management via Designer/UserApplication interface
Bound to one entitlement only, static & dynamic assignments
No out of the box solution for onboarding application assignment
Resource model
Current limitations
Current Limitations
• Application onboarding requires custom implementation to onboard existing permission assignments
• Assignment state may quickly get out of sync unless all permission changes are done from IDM
• Catalogue does not reflect the actual state
• Creating new entitlements is tedious
Current limitations
• Requires changes in multiple locations: resource objects/policies
• Multiple tools/steps required to create a resource associated with an entitlement
• Resource/Entitlement assignments are uni-directional (subscriber only)
PCRS
PCRS – What's new
• Easily create new Entitlements
• Seamless out of the box support for implementing the resource model for IDM drivers
• On-board application permissions and assignments
• Update assignment status changes on both channels (publisher & subscriber)
• Simplified and quicker application integration
• Comprehensive permission catalogue
• Catalogue shows the actual state
• A common package for use with custom drivers
PCRS - Overview
PCRS components
PCRS components
• Engine changes
• Administrative accounts
• Dynamic and Static Resources
• Packages
• Job
• Access Control List
• GCV Controls
Engine changes: Startup/Shutdown policy containers
• Two new policy containers
• Startup container has policies for performing initialization tasks
– All run-once policies required at startup can be added here
– Policies are executed after driver start by the engine.
• Shutdown container can have policies for performing finalization tasks
– Policies to save state/info that may be needed at driver shutdown
– Policies are executed before stopping the driver.
Engine changes: Startup/Shutdown policy containers
Engine changes: Startup/Shutdown policy containers - Benefits
• Cleaner implementation, easier to debug
• No need to perform checks in content to verify if the driver is up before executing initialization policies
• Run-once policies are outside of normal event-flow containers, reduced tracing
• Shutdown tasks can be performed, which is not possible otherwise.
Engine changes: Resource management APIs
xmlns:ps="http://www.novell.com/nxsl/java/com.netiq.resources.ProvisioningScheduler"
// Provisions users to IDM resources in RBPM and reconciles the permissions of the user.
String ReconcilePermissions(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)
// Performs CodeMap Refresh of the Group Entitlement in RBPM
String RefreshCodeMapforGroupEntitlement(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)
// Reconciles resource assignments for groups in RBPM
String ReconcileGroupMemberPermissions(String uaUrl, String uaUser, String uaPwd, String group, int delay, String payload, boolean debugOn)
// Check timestamp and allow grant or revoke if current timestamp is greater than or equal to that of the last update in the nrfResource history.
String AllowEntitlementGrantOrRevoke(String uaUser, String recvdEntTimeStamp, String historyPayload, boolean debugOn)
Administrative accounts
• The following administrative accounts are used
– IDV Administrator
– PCRS Administrator
• A Password Policy should be assigned to both admin users.
• The Distribution Password of these users is used for creating/updating various objects
Administrative accounts: Password policy assignment
Administrative accounts: IDV administrator/PCRS administrator - Tasks
• IDV administrator
– Job execution
• PCRS Administrator
– Resource creation
– Code-map refresh
– Cache flush
– Assign/revoke resources
– Queries to user app
Resources: Dynamic
• Default configuration – resources created by PCRS have dynamic values
• Requires creating fewer resources
• Simplifies resource management
• Easy to add/remove values instead of creating/deleting resources.
Resources: Static
• Access to some resources/permissions may need to be tightly controlled, e.g. financial or business permissions
• Manually configured
• Catalog administrator can be used for creating static resources.
• Existing static resources may be added to the StaticValueEntitlementMap
Packages: Driverset
• New driverset package (NOVLACOMSET) introduced to specify
– User application URL
– Administrative user for performing PCRS actions
Packages: Driverset - screenshot
Packages: Driver
• Specialized packages
– Active Directory Entitlements and Exchange Mailbox Support Package
– LDAP Entitlements Package
– Delimited Text Entitlements Package
– Loopback Entitlements Package
• Common package
– Permission Collection and Reconciliation Service Package [Validated for SOAP driver]
Packages: Driver
• Common Package - NOVLCOMPCRS
Packages: Mapping Table - PermissionNameToFile
• Contains entitlement configuration data specified during package installation in Designer.
Driver objects: Post deployment
Driver objects: Post driver start
Packages: Mapping Table - PermissionEntMapping
• Contains mapping of entitlement and the respective resource objects.
• Mapping table is empty at deploy time.
Packages: Mapping Table - PermissionEntMapping
• The specified entitlement is created by the driver startup policies.
Packages: Entitlement object
Packages: Mapping Table - PermissionEntMapping
• The resource object is created by the Job object.
Packages: Mapping Table - StaticValueEntitlementMap
• Contains configuration data for static valued resources
• Mapping table is empty at deploy time.
• Manually populated
• Used for granular control.
Packages: Mapping Table - <Entitlement>_Values
• Contains values for an entitlement if values are specified by a CSV file
#
#CSV File containing entitlement values
#
Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
Packages: Mapping Table - <Entitlement>_Values
• Created by startup policies to store the entitlement values.
Packages: Mapping Table - <Entitlement>_Values
• Contains entitlement values read from the CSV file providing the entitlement values.
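A parser for the <Entitlement>_Values CSV layout shown above, plus the add/remove diff a dynamic resource needs to match it; this is an added example, not NetIQ or driver code, and the column meaning (value, display name, description) is an assumption since the slide does not label the columns.

```python
import csv
import io

# Constructed sample in the layout shown on the slide; the column meaning
# (value, display name, description) is an assumption, the slide does not label them.
SAMPLE_CSV = """#
#CSV File containing entitlement values
#
Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
"""


def parse_entitlement_values(text):
    """Parse an <Entitlement>_Values CSV into {value: (display_name, description)}.

    Lines starting with '#' are comments, fields are whitespace-trimmed, and a
    malformed row or a duplicate value raises so a bad file is rejected whole
    rather than partially onboarded into the catalogue.
    """
    values = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in row]
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected 'value, name, description', got {row!r}")
        value, name, description = fields
        if value in values:
            raise ValueError(f"line {lineno}: duplicate entitlement value {value!r}")
        values[value] = (name, description)
    return values


def diff_values(current, parsed):
    """Values to add to and remove from a dynamic resource so it matches the CSV.

    Mirrors the dynamic-resource model on the slides: values are added or removed
    on one resource instead of creating or deleting resources.
    """
    to_add = sorted(set(parsed) - set(current))
    to_remove = sorted(set(current) - set(parsed))
    return to_add, to_remove
```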
Job: Permission onboarding
• IDM Job object.
• Configured during driver start-up.
• Admin user account and password automatically configured by the start-up policies.
• Not scheduled by default
• Executed during driver startup – invoked by startup policies
• Requires appropriate rights on PCRS objects
Job: Permission Onboarding - Tasks
• Reading CSV files containing Entitlement Values and populating <name>_Values objects
• Creating a Dynamic Resource for assigning Entitlement Values to Users
• Populating PermissionEntMapping object with the Resource DN
• Triggering RBPM code-map refresh to recognize the new entitlements and values
Job: Permission onboarding
Access Control List: PCRS Objects
• Trustee: Permission Onboarding Job
• Objects: PermissionEntMapping, <ENTITLEMENT>_Values, <ENTITLEMENT>
• Rights
– [Entry Rights] → Browse
– [All Attributes] → Supervisor
GCV controls
• PCRS package – reconcile all entitlements
• PCRS package – reconcile select entitlement
GCV controls
• Specialized PCRS entitlement package
PCRS flow
Publisher channel update
Subscriber channel: Attribute assignment
Subscriber channel: RBPM assignment
Troubleshooting tips
Troubleshooting tips
• Use the PCRS admin user for PCRS automation only
– Do not perform any modification from the UserApplication/Aqua UI using this user
– Changes performed by the PCRS admin are vetoed by the policy as part of loopback detection.
• The entitlement attribute name in the entitlement-to-file mapping table should be in the Identity Manager namespace.
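The two guards that decide whether a publisher-channel assignment change is applied, the timestamp rule behind AllowEntitlementGrantOrRevoke (see the resource management APIs slide) and the PCRS-admin loopback veto described in this tip, modelled as an added Python example; this is not NetIQ code, and the event/history field names, the ISO-8601 timestamp format and the admin DN are assumptions.

```python
from datetime import datetime, timezone

# Assumed DN of the PCRS administrator; the slides name the account, not its DN.
PCRS_ADMIN_DN = "cn=pcrsadmin,ou=sa,o=system"


def _ts(value):
    """Parse an ISO-8601 timestamp (assumed format); naive values are taken as UTC."""
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def allow_entitlement_grant_or_revoke(received_ts, history):
    """Apply the slide's rule: allow only if the received timestamp is >= the
    latest update in the resource history. An empty history never blocks.

    history is a constructed list of {"timestamp": ..., "action": ...} records;
    the real nrfResource history payload format is not shown on the slides.
    """
    if not history:
        return True
    latest = max(_ts(entry["timestamp"]) for entry in history)
    return _ts(received_ts) >= latest


def reconcile_decision(event, history, pcrs_admin_dn=PCRS_ADMIN_DN):
    """Return 'allow', 'veto-loopback' or 'veto-stale' for one publisher event.

    Loopback: a change written by the PCRS admin is PCRS's own write echoing
    back and must not be re-applied. Stale: an event older than the catalogue's
    last update would revert a newer assignment, so it is dropped.
    """
    if event.get("modifier_dn", "").lower() == pcrs_admin_dn.lower():
        return "veto-loopback"
    if not allow_entitlement_grant_or_revoke(event["timestamp"], history):
        return "veto-stale"
    return "allow"
```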
Troubleshooting tips
• Job does not execute at driver startup
– Verify that password policies are enabled and the Identity Vault administrator has an assignment.
– Check that the Identity Vault administrator's password has been set after enabling the password policy.
• Resource assignment not working
– Check the status of the “User Application” and “Role and Resource” service drivers. The drivers should be in running state.
Troubleshooting tips
• Permission onboarding job does not update the catalogue for assignment changes
– Verify that password policy is enabled and the PCRS administrator has an assignment.
– Verify that the correct connection values are provided in the driverset advanced common settings package.
– Verify that the PCRS administrator has resource management rights.
– Is the Permission Collection and Reconciliation GCV enabled?
Troubleshooting tips
• Steps to clean up PCRS objects and resources
– Stop the driver
– Using the User Application UI, delete all the resources specified in the “PermissionEntMapping” mapping table under the “resourceDn” column
– Delete all the “<entitlement>_values” objects under the driver objects
– Delete the entitlements specified in the “entitlementDn” column of the “PermissionEntMapping” mapping table
– Delete the entries of the “PermissionEntMapping” mapping table
Thank you.
Don’t miss the Identity-Powered Experience in IT Central.