permission collection and reconciliation service

Permission Collection and Reconciliation Service (PCRS), November 2014. Kamal Narayan, Senior Product Manager, [email protected]; Rajiv Kumar, Associate Senior Specialist, [email protected]. #BrainShare #NetIQ7130


Page 1: Permission collection and reconciliation service

Permission Collection and Reconciliation Service (PCRS)
November 2014

Kamal Narayan, Senior Product Manager, [email protected]

Rajiv Kumar, Associate Senior Specialist, [email protected]

#BrainShare #NetIQ7130

Page 2: Permission collection and reconciliation service

© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.

Agenda

• Entitlements and Resources

• Current limitations

• PCRS

• PCRS components

• PCRS flow

• Troubleshooting tips

Page 3: Permission collection and reconciliation service

Entitlements and Resources

Page 4: Permission collection and reconciliation service


Entitlements

Model application permission

IDM Drivers have sample entitlements

Primarily managed by Designer

Sample entitlements may not be readily useful (AD vs JDBC)

Often application integration requires creating entitlements

Primarily used on subscriber channel with IDV as the source of truth

No out of the box solution for onboarding application assignments

Page 5: Permission collection and reconciliation service


Resources

Introduced during RBPM 3.7

Abstraction layer between driver entitlements and Roles.

Curatable, so they can carry people-friendly names (unlike entitlements) and an approval workflow

Enables granular assignment status

Management via Designer/UserApplication interface

Bound to one entitlement only, static & dynamic assignments

No out of the box solution for onboarding application assignment

Page 6: Permission collection and reconciliation service


Resource model

Page 7: Permission collection and reconciliation service

Current limitations

Page 8: Permission collection and reconciliation service

Current Limitations

• Application on-boarding requires a custom implementation to on-board existing permission assignments

• Assignment state may quickly get out of sync unless all permission changes are done from IDM

• Catalogue does not reflect the actual state

• Creating new entitlements is tedious

Page 9: Permission collection and reconciliation service

Current limitations

• Requires changes in multiple locations: resource objects/policies

• Multiple tools/steps required to create a resource associated with an entitlement

• Resource/Entitlement assignments are uni-directional (subscriber only)

Page 10: Permission collection and reconciliation service

PCRS

Page 11: Permission collection and reconciliation service

PCRS – What's new

• Easily create new Entitlements

• Seamless out of the box support for implementing the resource model for IDM drivers

• On-board application permissions and assignments

• Update assignment status changes on both channels (publisher & subscriber)

• Simplified and quicker application integration

• Comprehensive permission catalogue

• Catalogue shows the actual state

• A common package for use with custom drivers

Page 12: Permission collection and reconciliation service


PCRS - Overview

Page 13: Permission collection and reconciliation service

PCRS components

Page 14: Permission collection and reconciliation service

PCRS components

• Engine changes

• Administrative accounts

• Dynamic and Static Resources

• Packages

• Job

• Access Control List

• GCV Controls

Page 15: Permission collection and reconciliation service

PCRS components

Page 16: Permission collection and reconciliation service

Engine changes: Startup/Shutdown policy containers

• Two new policy containers

• Startup container has policies for performing initialization tasks

• All run-once policies required at startup can be added here

• Policies are executed after driver start by the engine.

• Shutdown container can have policies for performing finalization tasks

• Policies to save state/info that may be needed at driver shutdown

• Policies are executed before stopping the driver.

Page 17: Permission collection and reconciliation service

Engine changes: Startup/Shutdown policy containers

Page 18: Permission collection and reconciliation service

Engine changes: Startup/Shutdown policy containers - Benefits

• Cleaner implementation, easier to debug

• No need to perform checks in content to verify if the driver is up before executing initialization policies

• Run-once policies are outside of normal event-flow containers, reduced tracing

• Shutdown tasks can be performed, which is not possible otherwise.

Page 19: Permission collection and reconciliation service

Engine changes: Resource management APIs

xmlns:ps="http://www.novell.com/nxsl/java/com.netiq.resources.ProvisioningScheduler"

// Provisions users to IDM resources in RBPM and reconciles the permissions of
// the user.
String ReconcilePermissions(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)

// Performs CodeMap Refresh of the Group Entitlement in RBPM
String RefreshCodeMapforGroupEntitlement(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)

// Reconciles resource assignments for groups in RBPM
String ReconcileGroupMemberPermissions(String uaUrl, String uaUser, String uaPwd, String group, int delay, String payload, boolean debugOn)

// Check timestamp and allow grant or revoke if current timestamp is greater
// than or equal to that of the last update in the nrfResource history.
String AllowEntitlementGrantOrRevoke(String uaUser, String recvdEntTimeStamp, String historyPayload, boolean debugOn)
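The timestamp rule behind AllowEntitlementGrantOrRevoke, modelled in Python as an added example (not NetIQ's implementation). It assumes a constructed history payload format, a JSON list of {"timestamp", "action"} entries, and fails closed on malformed input so that a stale or unparseable event never overwrites a newer catalogue state:

```python
"""Illustrative model of the AllowEntitlementGrantOrRevoke decision.

Added example, not NetIQ code. Assumes (constructed) that the nrfResource
history payload is a JSON list of {"timestamp": ISO-8601, "action": ...}
entries and that a received grant/revoke may only be applied when its
timestamp is not older than the last recorded update.
"""
import json
from datetime import datetime, timezone
from typing import Optional, Tuple


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def last_history_update(history_payload: str) -> Optional[datetime]:
    """Return the newest timestamp in the history payload, or None if empty.

    Entries are not assumed to be sorted, so the maximum is taken.
    """
    if not history_payload or not history_payload.strip():
        return None
    entries = json.loads(history_payload)
    stamps = [_parse_ts(e["timestamp"]) for e in entries if "timestamp" in e]
    return max(stamps) if stamps else None


def allow_entitlement_grant_or_revoke(recvd_ent_timestamp: str,
                                      history_payload: str) -> Tuple[bool, str]:
    """Allow only when received timestamp >= last history update.

    Malformed timestamps or payloads are rejected (fail closed) rather than
    being treated as 'newer'.
    """
    try:
        received = _parse_ts(recvd_ent_timestamp)
        last = last_history_update(history_payload)
    except (ValueError, KeyError, TypeError) as exc:  # JSONDecodeError is a ValueError
        return False, f"rejected: malformed input ({exc.__class__.__name__})"
    if last is None:
        return True, "allowed: no prior history"
    if received >= last:
        return True, f"allowed: {received.isoformat()} >= {last.isoformat()}"
    return False, f"rejected: stale event {received.isoformat()} < {last.isoformat()}"


# Constructed sample history: a grant followed by a later revoke.
SAMPLE_HISTORY = json.dumps([
    {"timestamp": "2014-11-10T09:00:00Z", "action": "grant"},
    {"timestamp": "2014-11-12T15:30:00Z", "action": "revoke"},
])

if __name__ == "__main__":
    for ts in ("2014-11-11T08:00:00Z", "2014-11-12T15:30:00Z", "2014-11-13T00:00:00Z"):
        print(ts, allow_entitlement_grant_or_revoke(ts, SAMPLE_HISTORY))
```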

Page 20: Permission collection and reconciliation service

PCRS components

Page 21: Permission collection and reconciliation service

Administrative accounts

• The following administrative accounts are used:

– IDV Administrator

– PCRS Administrator

• A Password Policy should be assigned to both admin users.

• The Distribution password of these users is used for creating/updating various objects

Page 22: Permission collection and reconciliation service

Administrative accounts: Password policy assignment

Page 23: Permission collection and reconciliation service

Administrative Accounts: IDV administrator/PCRS Administrator - Tasks

IDV administrator:

• Job execution

PCRS Administrator:

• Resource creation

• Code-map refresh

• Cache flush

• Assign/revoke resources

• Queries to user app

Page 24: Permission collection and reconciliation service

PCRS components

Page 25: Permission collection and reconciliation service

Resources: Dynamic

• Default Configuration – resources created by PCRS have dynamic values

• Requires creating fewer resources

• Simplifies resource management

• Easy to add/remove values instead of creating/deleting resources.

Page 26: Permission collection and reconciliation service

Resources: Static

• Access to some resources/permissions may need to be tightly controlled, e.g. financial, business, etc.

• Manually configured

• Catalog administrator can be used for creating static resources.

• Existing static resources may be added to the StaticValueEntitlementMap

Page 27: Permission collection and reconciliation service

PCRS components

Page 28: Permission collection and reconciliation service

Packages: Driverset

• New driverset package (NOVLACOMSET) introduced to specify

– User application URL

– Administrative user for performing PCRS actions

Page 29: Permission collection and reconciliation service

Packages: Driverset - screenshot

Page 30: Permission collection and reconciliation service

Packages: Driver

Specialized package:

• Active Directory Entitlements and Exchange Mailbox Support Package

• LDAP Entitlements Package

• Delimited Text Entitlements Package

• Loopback Entitlements Package

Common package:

• Permission Collection and Reconciliation Service Package [Validated for SOAP driver]

Page 31: Permission collection and reconciliation service

Packages: Driver

• Common Package - NOVLCOMPCRS

Page 32: Permission collection and reconciliation service

Packages: Mapping Table - PermissionNameToFile

• Contains entitlement configuration data specified during package installation in Designer.

Page 33: Permission collection and reconciliation service

Driver objects: Post deployment

Page 34: Permission collection and reconciliation service

Driver objects: Post driver start

Page 35: Permission collection and reconciliation service

Packages: Mapping Table - PermissionEntMapping

• Contains the mapping of each entitlement to its respective resource object.

• Mapping table is empty at deploy time.

Page 36: Permission collection and reconciliation service

Packages: Mapping Table – PermissionEntMapping

• The specified entitlement is created by the driver startup policies.

Page 37: Permission collection and reconciliation service

Packages: Entitlement object

Page 38: Permission collection and reconciliation service

Packages: Mapping Table - PermissionEntMapping

• The resource object is created by the Job object.

Page 39: Permission collection and reconciliation service

Packages: Mapping Table - StaticValueEntitlementMap

• Contains configuration data for static valued resources

• Mapping table is empty at deploy time.

• Manually populated

• Used for granular control.

Page 40: Permission collection and reconciliation service

Packages: Mapping Table - <Entitlement>_Values

• Contains values for an entitlement if values are specified by a csv file

#
#CSV File containing entitlement values
#
Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
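An added example, not code from the deck or the PCRS packages, that reads an entitlement values CSV of the shape shown above into entries for an <Entitlement>_Values table. The column meaning (value, display name, description) is assumed from the sample rows; '#' lines are treated as comments, and a duplicate value or wrong column count is rejected so a malformed file cannot silently produce an ambiguous catalogue entry:

```python
"""Parse a PCRS-style entitlement values CSV (added example, not NetIQ code).

Assumed layout (from the slide's sample): value, display name, description.
Lines beginning with '#' are comments and blank lines are ignored.
"""
import csv
from typing import Dict, List, NamedTuple


class EntitlementValue(NamedTuple):
    value: str        # value granted to the user, e.g. "Building A"
    name: str         # people-friendly name shown in the catalogue
    description: str


def parse_entitlement_values(text: str) -> List[EntitlementValue]:
    """Return the entitlement values in file order.

    Raises ValueError for a data row with the wrong column count or a
    duplicate value (a duplicate would make the entitlement value ambiguous).
    """
    data_lines = [ln for ln in text.splitlines()
                  if ln.strip() and not ln.lstrip().startswith("#")]
    rows: List[EntitlementValue] = []
    seen = set()
    for rownum, fields in enumerate(csv.reader(data_lines, skipinitialspace=True), 1):
        if len(fields) != 3:
            raise ValueError(f"data row {rownum}: expected 3 columns, got {len(fields)}")
        value, name, desc = (f.strip() for f in fields)
        if not value:
            raise ValueError(f"data row {rownum}: empty entitlement value")
        if value in seen:
            raise ValueError(f"data row {rownum}: duplicate entitlement value {value!r}")
        seen.add(value)
        rows.append(EntitlementValue(value, name, desc))
    return rows


def values_table(entries: List[EntitlementValue]) -> Dict[str, EntitlementValue]:
    """Index the entries by value, as a mapping table keyed on the value."""
    return {e.value: e for e in entries}


# Constructed sample, matching the layout shown on the slide.
SAMPLE_CSV = """#
#CSV File containing entitlement values
#
Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
"""

if __name__ == "__main__":
    for entry in parse_entitlement_values(SAMPLE_CSV):
        print(entry)
```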

Page 41: Permission collection and reconciliation service

Packages: Mapping Table - <Entitlement>_Values

• Created by startup policies to store the entitlement values.

Page 42: Permission collection and reconciliation service

Packages: Mapping Table - <Entitlement>_Values

• Contains the entitlement values read from the csv file that provides them.

Page 43: Permission collection and reconciliation service

PCRS components

Page 44: Permission collection and reconciliation service

Job: Permission onboarding

• IDM Job object.

• Configured during driver start-up.

• Admin user account and password automatically configured by the start-up policies.

• Not scheduled by default

• Executed during driver startup – invoked by startup policies

Requires appropriate rights on PCRS objects

Page 45: Permission collection and reconciliation service

Job: Permission Onboarding - Tasks

• Reading CSV files containing Entitlement Values and populating <name>_Values objects

• Creating a Dynamic Resource for assigning Entitlement Values to Users

• Populating PermissionEntMapping object with the Resource DN

• Triggering RBPM code-map refresh to recognize the new entitlements and values

Page 46: Permission collection and reconciliation service

Job: Permission onboarding

Page 47: Permission collection and reconciliation service

PCRS components

Page 48: Permission collection and reconciliation service

Access Control List: PCRS Objects

[Trustee] rights on the PCRS objects:

• [Entry Rights] → Browse

• [All Attributes] → Supervisor

PCRS objects:

• Permission Onboarding Job

• PermissionEntMapping

• <ENTITLEMENT>_Values

• <ENTITLEMENT>

Page 49: Permission collection and reconciliation service

PCRS components

Page 50: Permission collection and reconciliation service


GCV controls

• PCRS package – reconcile all entitlements

• PCRS package – reconcile select entitlement

Page 51: Permission collection and reconciliation service


GCV controls

• Specialized PCRS entitlement package

Page 52: Permission collection and reconciliation service

PCRS flow

Page 53: Permission collection and reconciliation service


Publisher Channel update

Page 54: Permission collection and reconciliation service


Subscriber channel Attribute assignment

Page 55: Permission collection and reconciliation service


Subscriber channel RBPM assignment

Page 56: Permission collection and reconciliation service

Troubleshooting tips

Page 57: Permission collection and reconciliation service

Troubleshooting tips

• Use the PCRS admin user for PCRS automation only

– Do not perform any modification from the UserApplication/Aqua UI using this user

– Changes performed by the PCRS admin are vetoed by the policy as part of loopback detection.

• The entitlement attribute name in the entitlement-to-file mapping table should be in the Identity Manager namespace.

Page 58: Permission collection and reconciliation service

Troubleshooting tips

• Job does not execute at driver startup

– Verify that password policies are enabled and the Identity Vault administrator has an assignment.

– Check that the Identity Vault administrator's password has been set after enabling the password policy.

• Resource assignment not working

– Check the status of the "User Application" and "Role and Resource" service drivers. The drivers should be in running state.

Page 59: Permission collection and reconciliation service

Troubleshooting tips

• Permission on-boarding job does not update the catalogue for assignment changes

– Verify that the password policy is enabled and the PCRS administrator has an assignment.

– Verify that the correct connection values are provided in the driverset advanced common settings package.

– Verify that the PCRS administrator has resource management rights.

– Is the Permission Collection and Reconciliation GCV enabled?

Page 60: Permission collection and reconciliation service

Troubleshooting tips

• Steps to clean up PCRS objects and resources

– Stop the driver

– Using the User Application UI, delete all the resources specified in the "PermissionEntMapping" mapping table under the "resourceDn" column

– Delete all the "<entitlement>_values" objects under the driver objects

– Delete the entitlements specified in the "entitlementDn" column of the "PermissionEntMapping" mapping table

– Delete the entries of the "PermissionEntMapping" mapping table

Page 61: Permission collection and reconciliation service


Thank you.

Don’t miss the Identity-Powered Experience in IT Central.

Page 62: Permission collection and reconciliation service

+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]

Worldwide Headquarters
515 Post Oak Blvd., Suite 1200
Houston, TX 77027 USA

www.netiq.com/communities

Page 63: Permission collection and reconciliation service

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2014 NetIQ Corporation and its affiliates. All Rights Reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.