Based on their business needs, authorized administrators can configure analytics, customize decision support visibility and role mining detection, create custom metrics, run metric calculations on demand, and download and import custom metrics in order to optimize your governance system.
To configure analytics and role mining settings:
Log in as a Global, Data, or Business Roles Administrator.
NOTE:Business Roles Administrator does not have the same access permissions as a Global or Data Administrator and can only configure role mining settings and collect business role mining metrics.
Select Configuration > Analytics and Role Mining Settings.
(Optional) Under Decision Support, specify if the following information is excluded or included in the guidance provided to reviewers, review owners, review administrators, and access approvers.
Deselect Show business role authorization status if business roles are not used or if the reviewer or access request approver does not need guidance about whether the review or request item was authorized by a business role.
Deselect Show similarity statistics in reviews and access requests if the reviewer of user reviews or access request approver does not need guidance about how many users have similar permissions.
Deselect Show login statistics for review item users and accounts if Last Login and Number of Logins attributes are not configured/collected/logged for the users and accounts.
Deselect Show review list statistics if the review related authorized user wants to hide the review item’s prior completion details, such as date of completion, name of the review run that included the review item, and decision made about the review item.
(Optional) Under Similarity Profile, select additional attributes to use in the similarity profile so that Identity Governance can provide decision support.
HINT:Use wildcard * to search for attributes.
Under Role Mining:
Specify the maximum number of results that should be returned when mining business roles using the directed role mining approach.
Specify which additional user attributes should be used for both directed and visual business role mining. For more information about which attributes to select, see Understanding Role Mining Settings.
Select Save to save all the settings.
(Optional) Next to Metrics Collection, select the + icon to create custom metrics. For more information, see Section 24.1.2, Understanding Metrics and Creating Custom Metrics.
Under Metric Collection, select one or more items, and then specify Actions > Set collection interval to change the default setting of 24 hours between metrics collections or disable collection.
HINT:Click on an item name to view detailed information about the metric, including list of metric columns’ aliases and corresponding data types.
Specify start date, time, and hours or deselect the Active check box to disable collection.
Click Save.
(Optional) Select one or more items and then select Actions > Collect metrics to initiate a metrics collection on demand.
HINT:Always collect metrics after a collection and publication to refresh charts on the Overview page.
(Optional) When a custom metric collection is running and you want to cancel it:
Select the item or items with an asterisk (*), and then select Cancel Collection
Click Cancel Collection to confirm the cancellation.
(Optional) Select one or more default and custom metric items and then select Actions > Download Metrics to download the metric results in CSV format.
NOTE:In addition to downloading the results, you can also download custom metric definitions and import them. For more information, see Downloading and Importing Custom Metric Definitions.
Roles in governance systems enable administrators to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users. Identity Governance uses attributes specified in Configuration > Analytics and Role Mining Settings to provide recommendations for creating business roles. If the specifications do not meet certain conditions administrators may not see any recommendations when mining for roles. For more information about role mining, see Section 16.2.2, Understanding Business Role Mining
Log in as a Global, Data, or Business Role Administrator. When specifying attributes make sure that:
Specified attributes have values. User attributes with zero strength will not be displayed in the directed mining recommended attribute bar graph or visual attribute map.
In addition, in order for visual role mining to render recommendations make sure that:
At least two attributes are selected. For example, “Title” and “Department”.
Selected attributes share commonality. For example, departments A, B, and C have users with the same titles, such as Administrative Assistant and Department Lead.
NOTE:After customizing attributes, select Collect Metrics > Business Role Mining metrics to refresh data.
Identity Governance tracks key risk indicators so that administrators can monitor these risk factors in your governance system and make improvements based on the collected metrics. The key risk factors or facts extracted and collected from various data sources are stored in fact tables that are then used to calculate metrics and the results (metric tables) are published to the default or administrator-specified database.
Identity Governance default metrics analyze common risk factors and enable you to find answers for questions like how many average number of users are in an account, how many accounts are unmapped, and what proportion of your entitlements are assigned by policies versus assigned directly. In addition, authorized administrators can create custom metrics, using SQL statements and insight queries, to adjust metric calculations based on your business needs. For example, you can create a custom metric for calculating how many role policies are active.
Administrators cannot edit the default metrics but can view associated description and metric columns by selecting the metric name. The default schedule for all metric calculations is 24 hrs. Administrators can change the metric calculation schedule and set a start date for metric calculations by selecting Actions > Set collection schedule. Administrators can also download all metric results in CSV format.
Administrators can control how many metric collection can be collected simultaneously by using the Identity Governance Configuration Utility to configure com.netiq.iac.fact.collection.thread.pool.size. Currently, if an administrator chooses to run more than five metric collection then the first five collections will run simultaneously and the other collections will be queued and will run after the previous one finishes calculations. We recommend that administrators override the default 5 setting to a lower number if they observe metric collections impacting the system adversely. For more information about the Configuration Utility, see Using the Identity Governance Configuration Utility
in the Identity Governance 3.6 Installation and Configuration Guide.
You can store metrics data in Identity Governance databases, Vertica, or Kafka. Identity Governance enables you to select generic data types and translates them to a specific data type based on the type of storage as shown in the below table.
NOTE:Identity Governance publishes facts to Kafka as JSON strings.
|
Data Type |
Read from igops as |
Published to Vertica as |
Published to IG PostgreSQL as |
Published to IG Oracle as |
Published to IG MS SQL as |
|---|---|---|---|---|---|
|
Boolean |
BOOLEAN |
BOOLEAN |
boolean |
number |
bit |
|
Long |
INTEGER |
INTEGER |
integer |
number |
integer |
|
Float |
FLOAT |
FLOAT |
float |
float |
float |
|
String |
STRING |
LONG VARCHAR |
text |
nclob |
nvarchar(max) |
|
Date |
TIMESTAMP |
TIMESTAMP WITH TIME ZONE |
TIMESTAMP WITH TIME ZONE |
TIMESTAMP WITH TIME ZONE |
TIMESTAMP WITH TIME ZONE |
In addition to default metrics, Identity Governance provides the ability to query your operations database for additional statistics that could help you to better monitor the health of your governance system. The product also displays an asterisk (*) in front of the names of the custom metrics to distinguish them from default metrics. You can click the metric name to view the details of the metric.
To create a custom metric using a SQL statement:
Log in as a Global or Data Administrator.
Select Configuration > Analytics and Role Mining Settings.
Next to Metrics Collection, select the + icon and select New.
Specify a name for the new metric.
Optionally, select an existing category or create a custom category by selecting Add Custom.
Select where you want the custom metric results published, provide additional location information as required, and then specify a name for the metric table. For example, for large volume analytics you can set up a metrics archive in your Vertica or Kafka database. Provide that information in the storage related fields, and the metrics will collect to those tables, leaving your Identity Governance tables free for standard data processing.
NOTE:If you do not specify a table name for the metric table, Identity Governance creates a table with ex_randomGUID naming convention. However, it is recommended that you provide a meaningful table name.
(Conditional) If you select to store the metric in Vertica, specify the schema name in Table before the table name and separate these with a comma.
(Conditional) If you select to store the metric in Kafka using a secure connection, use the Identity Governance Configuration Utility to configure the following properties:
com.netiq.iac.kafka.publisher.truststore.location
com.netiq.iac.kafka.publisher.truststore.password
com.netiq.iac.kafka.publisher.keystore.location
com.netiq.iac.kafka.publisher.keystore.password
com.netiq.iac.kafka.publisher.key.password
For more information about the Configuration Utility, see Using the Identity Governance Configuration Utility
in the Identity Governance 3.6 Installation and Configuration Guide.
Click SQL Statement and enter a SQL select statement. For example, to calculate how many role policies are active enter select count(id) as active from role_policy where state = 'ACTIVE'.
NOTE:Identity Governance automatically checks for statement errors and potential SQL injections to prevent invalid or malicious code. However, ensure that you have defined your query correctly, since you cannot edit saved custom metrics. If needed, you will have to delete the custom metric, and then create a new one to change your definition.
Click Metric Columns.
Click Add Column and specify an alias and type for each column selected in the SQL statement. When specifying an alias:
Do not use SQL reserved keywords as an alias for a custom metric column. Using a reserved keyword as a column name will cause an error. If, for example, you use "end" as an alias name in your custom metric definition when Identity Governance is connected to a PostgreSQL database, the PostgresSQL client will display the following error message:
Fact validation failed: Unable to create table. Verify there are no reserved SQL keywords used as column aliases. ERROR: syntax error at or near "end" Position: 150.
SQL reserved keywords vary based on the database. Refer to your database documentation for a list of database-specific reserved SQL keywords.
Ensure that the alias in Metric Columns and the SQL query match. For example, add metric column active with a type of Long for the SQL statement example in Step 9.
Repeat the above step to add more columns.
Address metric column section warnings. Potential issues, such as metric column name mismatch, are indicated with a warning icon. Creating a metric with a warning might not work correctly.
Select Save.
To create a custom metric from an Insight Query:
Log in as a Global or Data Administrator.
Select Configuration > Analytics and Role Mining Settings.
Next to Metrics Collection, select the + icon and select New from Insight Query. For information about creating insight queries, see Section 11.6, Analyzing Data with Insight Queries.
Select the Insight Query to use, and then select Add.
Specify a name for the custom metric and adjust any other settings, including those populated based on the Insight Query and storage settings for metrics.
Select Save.
After creating custom metrics, you can collect them on demand by selecting one or more custom metrics and then selecting Actions > Collect metrics. In addition, you can also select Actions > Delete Custom to delete custom metrics.
In addition to creating a new custom metric using SQL statements or by using an Insight query, Identity Governance provides you the ability to download custom metric definitions so that you can edit and import them.
To download and import custom metric definitions:
Log in as a Global or Data Administrator.
Select Configuration > Analytics and Role Mining Settings.
Select names starting with an asterisk (*).
Select Actions > Download Definitions to download custom metric definitions.
To import custom facts, select Import Custom Metrics, browse for custom metric JSON files containing exported custom metrics, select entities to import, and then click Import.
(Conditional) If there is a conflict with an existing metric, resolve the conflict by selecting Import new to create a new custom metric or select Replace Existing to replace the existing metric.