1.1 Understanding the Identity Governance Components

Understanding How Identity Governance Uses Java

Identity Governance uses Java to perform all of the data processing in your environment to create reports and reviews, and perform many other actions. You must have the open Java version from Zulu installed and running on the same server where you install Apache Tomcat and Identity Governance. Zulu provides the Java Developer Kit (JDK). The Zulu Java Runtime Environment (JRE) comes with the Zulu OpenJDK.

For more information, see Section 3.3, Installing Zulu OpenJDK.

Understanding the Application Server

Identity Governance is a web application that requires a web application server to run the user interface. For this release, Identity Governance supports Apache Tomcat as the web server that runs the Identity Governance user interface application.

Because the user interface is a web application, people that are inside or outside the firewall can access and use Identity Governance as long as they are authorized users and have the proper credentials. For more information, see Section 3.4, Installing the Apache Tomcat Application Server.

Understanding the Catalog

Identity Governance collects account data, permissions, and access information for all of the users in your IT environment. Identity Governance stores the collected data in a catalog. Identity Governance stores the catalog in an external databases and it uses that data to generate reviews and reports to help ensure that you comply with any applicable regulations. Identity Governance requires that you install a database server or use a database instance in the cloud before you start to install Identity Governance. The database installation and configuration are not part of the Identity Governance installation process.

For a production environment, we recommend that you have the databases installed on a dedicated server that runs only the databases. Having any other Identity Governance components or any Identity Manager components installed on the database server slows down the performance of Identity Governance.

Identity Governance contains multiple databases. There are the main databases that make Identity Governance work and there is an additional separate database for Identity Reporting. The installer creates and populates the database for you. If your policies do not allow external programs to modify database server, the installer generates a SQL script file that you can use to create the required databases and populate them correctly for Identity Governance and Identity Reporting to use. For more information about the databases, see Section 5.0, Creating Databases for Identity Governance and Identity Reporting.

Understanding the Bootstrap Administrator for Identity Governance

The bootstrap administrator account is an account that you define during the Identity Governance installation that can immediately log in and configure Identity Governance before importing any identity data from the systems in your environment. You can have an LDAP-based or file-based bootstrap administrator account. The file-based bootstrap account is useful if you do not have an authentication server installed that contains your administrator accounts before installing Identity Governance. For more information, see Section 4.1.1, Using the Bootstrap Administrator.

Understanding the Identity Service

The identity service is an LDAP server that contains the user accounts that access and use the features in Identity Governance. This service allows Identity Governance to control which accounts in the IT environment have access the features in Identity Governance. To grant users access to Identity Governance and its features, you must add the users to the identity service (LDAP server) and import their account information into Identity Governance using an identity source. For more information, see Section 3.6, Preparing or Installing an Identity Service.

Understanding the Authentication Services

Identity Governance uses an authentication service to provide authentication methods for the authorized user accounts stored in the identity service. By default, Identity Governance uses the LDAP account name and password as the authentication method for the authorized users. However, this means that users must remember a separate user name and password to access Identity Governance.

Identity Governance provides additional authentication methods through the two supported authentication services: One SSO Provider (OSP) and NetIQ Access Manager. Both of these authentication services allow you to create a single sign-on experience for your users and they provide advanced authentication options like two-factor authentication or biometric authentication for the authorized users. OSP or Access Manager can be a shared service providing single sign-on across Identity Governance, Identity Manager, and Identity Reporting services. You must select one of the authentication services for your Identity Governance deployment. For more information, see Section 4.0, Installing an Authentication Service.

Understanding Collectors

Collectors are templates that you add to Identity Governance for each data source to map the identity data and application data to a minimum standard schema that Identity Governance uses. The standard schema allows Identity Governance to understand and translate the data to match the definitions in the Identity Governance schema. Identity Governance requires that you add the connection-specific information, such as accounts and passwords or API keys and access tokens, in the collector templates to be able to save the templates and collect the data from the sources. For more information, see Understanding Collector Templates for Identity Sources in the Identity Governance 3.6 User and Administration Guide.

Understanding Identity Sources

Identity Governance imports identities from many identity sources, such as NetIQ Identity Manager, databases, LDAP directories, and CSV files. You use the collectors in Identity Governance to define the same name space for these identity sources that Identity Governance uses. This allows Identity Governance to perform the required analysis to ensure that you comply with your industry regulations. For more information, see Creating Identity Sources in the Identity Governance 3.6 User and Administration Guide.

Understanding the Application Sources

Identity Governance imports application data, application account information, and application permissions to ensure that the users have the correct access to the correct applications and the data stored in those applications. You use the collectors in Identity Governance to define the same name space for these application sources as Identity Governance uses. This allows Identity Governance to perform the required analysis to ensure that you comply with your industry regulations. For more information, see Creating an Application Source in the Identity Governance 3.6 User and Administration Guide.

Understanding Auditing

Identity Governance generates common event format (CEF) events that you can forward on to an audit server to analyze the events and to create reports. Identity Governance events contain an authentication tracking identifier to correlate audit events from multiple systems. Identity Governance also generates audit events for Identity Governance, Identity Reporting, and OSP.

If you have the audit server details when you install Identity Governance, you can configure them during the installation. If your audit server uses TLS, you can retrieve the certificate during installation. You can also add or change your audit server details after you install Identity Governance. For more information, see Section 11.3, Enabling Auditing after the Installation.

Identity Governance supports the following audit servers:

For more information about supported versions, see Section 2.4.5, Audit Server System Requirements.

Understanding How to Send Email Notifications

Identity Governance can send emails to people who must take action in Identity Governance or it can send emails to administrators if something is wrong with the system. Identity Governance requires that you install ActiveMQ to be able to send the emails. After you install ActiveMQ, you must configure Identity Governance to send the email notifications through the ActiveMQ server. For more information, see Section 11.4, Enabling Email Notifications after the Installation.

Understanding Identity Reporting

Identity Reporting generates reports that show critical business information about various aspects of your Identity Reporting and Identity Manager configuration, including information collected from the identity services and managed systems such as Active Directory or SAP. Identity Reporting provides a set of predefined report definitions that you can use to generate reports. It also gives you the option to import custom reports.

Identity Reporting generates a snapshot of the catalog and the state of permissions or reviews. You can use the reports to comply with applicable regulations for your business. You can also create custom reports if the predefined reports do not meet your needs. The user interface for Identity Reporting makes it easy to schedule reports to run at off-peak times for optimized performance. For more information, see Section 7.0, Installing Identity Reporting.