3.4 Managing Identity and Application Sources

3.4.1 Exporting and Importing Collectors

The ability to export and import collectors helps you manage your environment in several ways.

  • Back up a working collector

  • Replicate an environment

  • Update collector details in a text editor

  • Troubleshoot collections

Configuring collectors can take time and go through several iterations of trial and error. When you have configured a collector that achieves the results you want, you should export it and save it with your other backup files. You can also use exported collectors to replicate an environment, either in a test environment or to use in another office location.

You might find that the predefined attribute mappings and value transformation policies of a template need to change to suit your environment. If you need to customize a collector template, rather than only editing the values in a collector, you can export and import collector templates under Configuration in Identity Governance. For more information, see Customizing the Collector Templates for Data Sources.

To export and import collectors:

  1. Select a data source, and then select Test Collection and Troubleshooting.

  2. Select Download and Emulation, and then select Download Data Source Configuration.

  3. Select a location for the file, and then select OK.

  4. If you make changes and want to import a collector, under Data Sources, select Identities or Applications, and then select Import an identity source or Import an application source.

  5. Select the file to import.

3.4.2 Creating and Editing Data Policies

Data policies can help you prove to auditors and internal risk partners that the data collected and published into the Identity Governance catalog is complete and accurate. Having data policies in place can promote confidence in your data collection processes and help you show others that your processes and configuration comply with a set of standards, reducing the need for further proof unless your process or configuration changes.

When you have defined data policies in place, you can compare collection and publication details from the same data source at two different collection or publication times. Identity Governance uses the defined data policies to produce the comparison details. For more information, see Comparing Collections and Publications.

Identity Governance provides separate tabs for data collection policies and data publication policies. Each set of policies contains separate tabs for identity and application data sources.

  1. Log in as a Global or Data Administrator.

  2. Under Data Administration, select Data Policy.

  3. Navigate to the appropriate tab and select + to create a new policy.

  4. Select the desired elements for the policy and specify criteria.

  5. Save your settings.

  6. Under Data Administration, select Data Policy.

  7. (Optional) Select the policy, then select Edit to edit the policy.

  8. (Optional) When editing a policy, select the trashcan icon to delete the policy.

  9. (Optional) Select Estimate impact to show estimated violations for the policy.

3.4.3 Calculating and Remediating Data Policy Violations

After creating data policies, you can calculate violations on demand and resolve violations to reduce risk. Data policy violations can be addressed and resolved by:

  • Sending an email notification

  • Reviewing the items in violation, that is, creating a micro certification (a focused review)

  • Creating a change request

Once a micro certification is complete or once a change request has been fulfilled, you can recalculate the number of data policy violations. For more information about micro certification and fulfillment, see Section 10.3, Understanding Micro Certification and Instructions for Fulfillers in the NetIQ Identity Governance User Guide.

If, after the initial remediation type selection, administrators want to change the remediation type for future violations, they can select the link in the Remediation column on the Data Policy page and edit the remediation setup.

To calculate data policy violations:

  1. Log in as a Global or Data Administrator.

  2. Under Data Administration, select Data Policy.

  3. Select the Publication Data Policies tab.

  4. Select the Identity or Application tab.

  5. Select one or more policies, and then select Actions > Calculate Policy Violations.

To remediate data policy violations:

  1. Log in as a Global or Data Administrator.

  2. Under Data Administration, select Data Policy.

  3. Select the Publication Data Policies tab.

  4. Select the Identity or Application tab.

  5. Select Set Remediation.

  6. Select Remediation Type.

    1. If you selected Email Notification, select the Email source, and then enter, or search for and select, the user or group that receives the email.

    2. If you selected Change Request, select violation types, and provide instructions for fulfilling the change requests generated for selected violation types.

    3. If you selected Micro Certification, configure the following settings:

      • Review Definition: Search and select a review definition from the selection dialog or specify the review definition name. Note that Identity Governance applies filters based on data policy and enables selection of only relevant review definitions.

      • Review Name: Specify a name for the micro certification.

      • Start Message: Specify the message that is displayed in the header area of the review, describing why the review was started.

      • Review Period: Leave this blank if you want to use the duration specified in the review definition. Otherwise specify a duration.

  7. Select the Run Remediation on new violations when calculated check box to automatically run remediation after saving your remediation setup.

  8. Click Save.

  9. To run remediation, select Actions > Run Remediation.

3.4.4 Exporting and Importing Data Policies

Once you have created your data policies based on your business requirements, you can easily export the collection and publication data policies and publication data policy related review definitions as a zipped file and save it with your backup files. You can also use exported policies in another location or environment.

To export or import data policies:

  1. Log in as a Global or Data Administrator.

  2. Under Data Administration, select Data Policy.

  3. Select Collection Data Policies or Publication Data Policies.

  4. In the Identity or Application tab, select the policy or policies you want to export.

  5. Select Export Data Policies or Actions > Export Data Policies. A zipped file containing the publication data policies and review definition files in JSON format is downloaded to your default download location.

  6. Extract the files if you want to import them later.

  7. To import data policies, click Import Data Policies on the Data Comparison Policies page.

  8. Navigate to the folder where your data policies file is located, and click Open.

  9. Identity Governance detects whether you are importing new or updated policies and whether the updates would create any conflicts or have unresolved references.

  10. Select how to continue based on what information is displayed. For example, under Updates, you can compare the imported values with current values for each entity by selecting the respective policy before selecting policies to import.

  11. Select the policies you want to import, and then click Import.

3.4.5 Comparing Collections and Publications

When you need to show that you have complete and accurate data, you can compare collection and publication details from the same data source at two different collection or publication times. Identity Governance uses the defined data policies to produce the comparison details. For more information, see Section 3.4.2, Creating and Editing Data Policies.

To compare collections and publications from the same source:

  1. Under Data Sources, select Activity.

  2. (Optional) Select the calendar icon to focus the list on a specific time period.

  3. Click on the advanced filter icon and select a data source name in the search to focus the list on specific data sources.

  4. (Optional) Change the number of rows per page to show a longer list.

  5. Select two listed collections or publications using the check boxes.

  6. Under Action, select Compare.

  7. (Optional) To quickly compare a collection or publication with the previous collection or publication, select the item from the Date and status column.

  8. View changes and select links to view additional information about the changes. For example, if the number of changes is not zero, that number is a link. Selecting that link opens a quick view of the items that changed.

  9. (Optional) To quickly view or open the applicable data policies, complete the following:

    1. Select Refine comparison options.

    2. Select or clear listed policies to change your comparison results.

    3. Select Edit Policies to open the Data Administration > Data Policy page. For more information, see Creating and Editing Data Policies.

  10. (Optional) Select Overview to see Data Policy Status details. For more information, see Section 19.2, Monitoring Your Identity Governance System.

3.4.6 Testing Collections

When creating, updating, or troubleshooting data collectors, you can test all or part of the collections without publishing the results to the catalog. Testing a collection either confirms that the collector is correctly configured or lets you change the collector configuration and quickly test again to check the results.

You can view the collected data as soon as the test collection completes, or you can download the results to view later. Results of test collections remain available in Identity Governance until you delete them.

When you run a test collection, you have some options for the test data:

  • All records

  • Some records

  • Raw data

  • Transformed data

When you select a subset of records to collect, you cannot control which records to collect. You could use this option if you want to quickly spot check a collector configuration rather than waiting for all the data to be collected.

Raw data contains attribute names from the native application. These attributes have not yet been transformed based on the mappings in the collector. Testing the raw data collection lets you verify that you are collecting the data you intend to collect before Identity Governance transforms it.

Transformed data contains attribute names that you have mapped from the native application to the attribute names you are using within Identity Governance. Testing the transformed data collection lets you verify that your mappings within the data collector meet your expectations.

To test a sample collection from a data source:

  1. Select a configured data source.

  2. Select Test Collection and Troubleshooting.

  3. Under Test Collection, select the collectors, and then select Run Test Collection.

  4. Select the specific entities to collect and type the number of records to collect or leave All to collect all records.

  5. Select the option for the type of collection to run.

  6. After the test collection shows Complete, select Action to view, download, or delete test collection results.

3.4.7 Creating Emulation Packages

You can more easily troubleshoot collection configuration outside your production environment by creating emulation packages for data collectors. An emulation package contains CSV files with the raw collected data from the data source and a CSV file containing data source configuration details. Emulation packages remain available in Identity Governance until you delete them.

To create an emulation package:

  1. Select a configured data source.

  2. Select Test Collection and Troubleshooting.

  3. Under Download and Emulation, select Create emulation package.

  4. When the emulation status shows Complete, select Action to view, download, or delete the emulation package.

3.4.8 Migrating an Identity Collector to a Change Event Identity Collector

If you have upgraded from a previous version of Identity Governance or if you want to migrate an existing identity collector to one that accepts change events, use the Identity Source Migration utility to update your Active Directory, eDirectory, or Identity Manager data collector to accept change events. The identity collector you are migrating must publish using the Publish without merging or the Do not publish setting.

NOTE: Identity Governance 3.0.1 and later support change event identity collectors.

  1. Upgrade to Identity Governance 3.5.1 or later and make sure that Identity Governance is up and running.

  2. Verify that the idgov/bin/rtc-migration.sh (Linux) or c:\netiq\idm\apps\idgov\bin\rtc-migration.bat (Windows) file references the jar file idgov/lib/ig-migration.jar (Linux) or c:\netiq\idm\apps\idgov\lib\ig-migration.jar (Windows).

  3. Run the command-line utility from the server where Identity Governance is installed.

    • Linux: Default location of /opt/netiq/idm/apps/idgov/bin/rtc-migration.sh, then enter ./rtc-migration.sh

    • Windows: Default location of c:\netiq\idm\apps\idgov\bin\rtc-migration.bat, then enter rtc-migration.bat from a command line.

  4. Provide the information needed to connect and authenticate to Identity Governance and the authentication server. When the utility successfully connects, it displays a numbered list of discovered identity sources.

  5. Enter the number displayed next to the identity source to migrate.

  6. The utility runs checks to determine migration suitability. If the checks succeed, confirm to proceed with the migration. If any check fails, review the messages, and then either address the problem areas, select a different source, or quit the utility.

  7. (Conditional) If you confirm to proceed with migration, enter a local file name for the utility to back up the current collector configuration.

  8. After the utility applies updates and exits with a success message, review the following updates to the collector configuration when viewed in Identity Governance:

    • The template (just under the name of the collector) has been changed to the "with changes" template that corresponds to the template in use before the update.

    • After the Collector name is a new Enable Change Event Collection option, which is unchecked. To enable event processing, select this option, and then collect and publish the identity source.

    • The Service Parameters remain unchanged.

    • Under Collect Identity (the user view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • (Conditional) For Active Directory identity change event source, a new parameter, LDAP Search Filter for Identity Object Changes, has been added, with the value (objectClass=user). This parameter identifies events in Active Directory DirSync or AD Connect that should be delivered in this view to Identity Governance. Only modify this parameter if you have other object classes in the local AD that correspond to users and only by adding other objectClass terms to an LDAP expression.

      • (Conditional) For Active Directory identity change event source, a new parameter, AD Object Categories for Changes, has been added with the value user. You can modify this value if needed by adding other object category names in a comma-separated list.

      • User ID from Source has been set to OBJ_ID. Do not change.

      • The Object GUID parameter is now required. Its value is set to objectGUID. Do not change.

      • LDAP Distinguished Name has been set to OBJ_ID. You can remove this value if you do not need to collect the dn separately from the userId. Do not assign any other value.

    • Under Collect Group (the group view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • A new parameter, LDAP Search Filter for Identity Object Changes, has been added with the value (objectClass=group). This parameter identifies events in Active Directory DirSync or AD Connect that should be delivered in this view to Identity Governance. Only modify this value if you have other object classes in the local AD that correspond to groups and only by adding other objectClass terms to an LDAP expression.

      • A new parameter, AD Object Categories for Changes, has been added with the value group. You can modify this value if needed by adding other object category names in a comma-separated list.

      • Group ID from Source has been set to OBJ_ID. Do not change.

      • A new parameter, Object GUID, has been added with value objectGUID. Do not change.
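The user-view and group-view filters above may be edited only by adding further objectClass terms. The following added example, which is not part of the Identity Governance guide or product, vets an edited filter value before it is saved: it parses an RFC 4515-style filter and accepts it only if it is the original (objectClass=...) term or an OR of objectClass equality terms that still contains it (this reading of "adding other objectClass terms" is an assumption). Anything that narrows the delivered events (AND, NOT), uses other attributes, or is malformed is rejected.

```python
import re

# Added example, not product code. Leaf items are attr=value with no
# wildcards, so (objectClass=*) and similar catch-alls are rejected.
_LEAF = re.compile(r"^([A-Za-z][\w.;-]*)=([^()*]+)$")


def parse_filter(text, pos=0):
    """Parse one parenthesised filter item starting at pos.

    Returns (node, next_pos). Nodes are ('&'|'|'|'!', [children]) or
    ('=', attr, value). Raises ValueError on malformed input."""
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):
        op, children, pos = text[pos], [], pos + 1
        while text[pos:pos + 1] == "(":          # zero or more nested items
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos:pos + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed %r group at offset %d" % (op, pos))
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unbalanced parenthesis")
    m = _LEAF.match(text[pos:end])
    if not m:
        raise ValueError("unsupported item %r" % text[pos:end])
    return ("=", m.group(1), m.group(2)), end + 1


def is_safe_class_extension(candidate, required_class):
    """True only if candidate is (objectClass=<required_class>) or an OR of
    objectClass equality terms that still includes that term."""
    text = candidate.strip()
    try:
        tree, end = parse_filter(text)
    except ValueError:
        return False
    if end != len(text):                     # trailing text after outermost ')'
        return False
    # Accept a single leaf or a top-level OR; AND/NOT restrict rather than add.
    terms = [tree] if tree[0] == "=" else (tree[1] if tree[0] == "|" else None)
    if not terms or any(t[0] != "=" or t[1].lower() != "objectclass" for t in terms):
        return False
    return any(t[2].lower() == required_class.lower() for t in terms)
```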