17.1 Understanding Synchronization and Reflection

The Access Review driver helps synchronize changes to identities and applications in Identity Governance with matching user and resource objects in Identity Manager. The driver provides Global Configuration Values (GCVs) that allow you to delete or disable user objects or delete resource objects in the Identity Vault. Alternatively, you can remove the association between the user object and the identity in Identity Governance.

17.1.1 Reflecting Application Permissions in Identity Manager

For each application source in Identity Governance, you can reflect the collected permissions and assignments as resources in Identity Manager, with the exception of Identity Manager applications or child applications. With this setting enabled for an application, the Access Review driver can create resources in Identity Manager that match the permissions and permission assignments in Identity Governance. Identity Manager users can then request access to these resources even when the application is not a connected system in Identity Manager.

If an application source is also a connected system in Identity Manager and the driver uses entitlements, then you do not need reflection for that application source. However, if the driver does not use entitlements, then you might want to enable reflection for the application source.

When you reflect an application’s permissions, the Access Review driver creates a new container in the Identity Vault for the permissions and creates a new Resource Category for grouping the permission resources. The driver specifies the same name for the Resource Category that Identity Governance has for the application. For example, if an application source in Identity Governance is named “SAP Permissions,” then the driver creates a Resource Category named “SAP Permissions” in Identity Manager.

If you stop reflecting an application’s permissions, the application is no longer linked to the resource containers in the Identity Vault. Identity Manager uses Global Configuration Values (GCVs) to determine the course of action after you disable reflection. By default, a GCV instructs Identity Manager to delete the resource containers and the resource category in the Identity Vault. However, you can modify the GCV to keep the containers and category, which allows you to reestablish reflection. For more information about de-linking the application from the Identity Vault, see Synchronizing Data Changes between Identity Governance and Identity Manager.

When integrating application data with Identity Manager, the Access Review driver serves as the proxy for the application sources. The driver needs both a system account and a workflow in the User Application to create resources. For more information about configuring reflection, see Reflecting Permissions and Assignments from Applications Not Connected to Identity Manager.

17.1.2 Synchronizing Data Changes between Identity Governance and Identity Manager

When you stop reflecting an application’s permissions or you delete an application from Identity Governance, you can synchronize those changes with Identity Manager. For example, you replace ABC Money, a financial application, with its competitor DEF Accounting. You stop collecting data from ABC Money, and then delete the application from Identity Governance. When you publish the latest snapshot of collected data to Identity Manager, the Access Review driver uses the Publisher Resource Object Unlink GCV to communicate that the ABC Money application no longer exists in Identity Governance. Identity Manager responds according to the GCV’s setting.

After you have turned off reflection for an application, you must collect and publish both the application and the Identity Manager application so that Identity Governance receives the changes that were made in Identity Manager when you turned off reflection. You must also review, and possibly modify, the fulfillment settings for the application.

You can also synchronize changes to user identities. For example, in the latest collection of identities from the SAP application, Identity Governance notes that the identity for Joe Smith has been deleted. This generates an event in Identity Governance to delete the Joe Smith identity. The driver uses the setting for the Publisher User Object Deletion GCV to determine how to process deletions.

The Access Review driver creates user objects only for the identities that you add to Identity Governance after you enable synchronization. If you have identities in Identity Governance already, you can migrate those identities to the Identity Vault.

For more information, see the following sections: