In Identity Governance, you associate user identities gathered from identity sources to the accounts and permissions assigned in the application sources. Many user identities are categorized by groups and have parent-child relationships with other identities or accounts. However, some application sources might define groups or parent-child relationships in a different way than Identity Governance. Also, some identity sources might be configured to generate incremental change events.
This section explains how to use the collector templates for the following application sources:
When your environment uses both Active Directory and Azure AD, some user identities might be unique to one of the applications while other identities might exist in both applications. If you use Active Directory and Azure AD with DirSync or AD Connect, you can create a single identity source for both applications by using the Azure AD User collector template.
In the collector template, specify an attribute that you want to use for merging duplicate identities and for matching identities to accounts and permissions. The attribute for the matching rule should contain a value that is unique to each identity. For example, in AD and Identity Manager, each user tends to have a unique Distinguished Name.
If you are using the Azure AD User collector, complete the following steps :
Enable the Azure Active Directory Graph API for your site and grant the following permissions to an account to access the API:
Directory.Read.All
User.Read
Generate an OAuth2 client and secret for API access.
Check that you can browse your Azure domain with the graph explorer using the account from Step 1. For more information, see https://developer.microsoft.com/en-us/graph/graph-explorer.
A CSV file provides a simple method for storing user account or permissions information that cannot be collected from other data sources. You can include group, account, permission, or user data in the file.
If you use a CSV file as an identity source, you might want to instruct Identity Governance to map the collected users to their collected group memberships. The Group Members (Users and Groups) setting allows you to specify an attribute in the CSV file that you want to use for mapping users and groups to groups. However, you can use this setting only when a given value for the specified attribute is not used to identify both a user and a group. For example, if you export data from Active Directory to the CSV file, you can use DN as the Group Members attribute. Otherwise, you can use Collect Group to User Membership or Collect Parent Group to Child Group Relationships to map users or groups to groups. These two settings match the specified attribute in the collected user or group data, respectively.
In preparing a CSV file, ensure that any values written into a column of the file do not contain any carriage returns and line feeds, since these characters define record boundaries in the CSV file.
NOTE:The CSV collector support TSV file. In the Column Delimiter field, you enter the word tab in uppercase, lowercase, or any combination.
Google Apps manage users, groups, and organizational units, including assigned roles and privileges. Collecting identities from Google Apps is similar to other data sources. However, to collect permissions, Identity Governance pulls information from Google Groups, which resembles discussion-based groups similar to those available in Usenet.
To gather information about actual user groups, Identity Governance collects from the Organizations (organizational units) in Google Apps. These organizational units can contain nested units. The top level organization is always called ‘root.’ During collection, Identity Governance translates the organizational units into Identity Governance-style groups. In Identity Governance, the root group lists all the users in that organizational unit. If you select one of the nested groups under the root group, Identity Governance lists only the individuals assigned to that group.
Identity sources with change events provide incremental change events for user and group data from certain identity sources to incrementally update the identity catalog. To periodically pull change events and incrementally make changes to your identity catalog, the following conditions must be met:
An identity source is configured as an identity event source, either by having created an identity source from a suitable template, or by having migrated a non-event-aware identity source by using the Identity Governance Migration Utility and selecting enabling event collection. For more information, see Creating Identity Sources and Section 5.4, Migrating an Identity Collector to a Change Event Identity Collector.
The identity source is the primary identity source. For example, it is either the sole identity source or an unmerged identity source.
The identity event source has been collected and published.
The configuration of the identity source and its collector has not changed since the last publication.
Identity event source collection, identity publication, or application publication is not in progress.
(Conditional) For eDirectory, the Change-Log module must be installed to support event processing. For more information, see Installing the Change-Log Module on a Remote eDirectory server
in the NetIQ Driver for Bidirectional eDirectory Implementation Guide.
(Conditional) For Identity Manager, the Identity Gateway Integration Module must be installed on the target Identity Manager server. Using Designer, install the following packages to support event processing:
Identity Gateway Integration Module Base
Identity Gateway Integration Module Default
Identity Gateway Identity Governance Integration Package
For more information, see the NetIQ Identity Manager Driver for Identity Gateway Integration Module Implementation Guide.
Once you enable event collection, Identity Governance uses the global configuration parameters: com.netiq.iac.rtc.event.polling.interval and com.netiq.iac.rtc.max.polling.timeout to determine the polling frequency for the identity context change event and time limit for batch event collection. Typically, events are collected in batches of up to 100 events. However, if the identity source’s Batch Size Limit as configured in the Service Parameters is less than 100, then that batch size is the upper limit for event collection.
IMPORTANT:The identity source with change event collectors is not intended to handle large-scale changes to the source directory, such as changes to the user population resulting from mergers or spin-offs, major changes to group memberships, or major reorganizations of any kind. In such cases, you should disable event processing and enable it after the major changes.
During event collection, Identity Governance treats a user record move in the underlying LDAP tree from outside of to inside of the scope of the configured Search Base as an ADD event. Likewise, Identity Governance treats a user record move to the outside of the Search Base scope as a DELETE event. The Data Sources > Activity page reports the number of events of each type that were processed in the most recent event processing period as part of the detail of the most recent collection for that collector.
For more efficient event processing, Identity Governance does not generate change events for any dynamic changes in eDirectory or Identity Manager dynamic groups. Also, removing a member from an eDirectory or Identity Manager group will not remove that member from any of the group's super groups if those groups have been configured to report nested members in membership query.
If you have upgraded from a previous version of Identity Governance, use the Identity Source Migration utility to update your Active Directory data collector, eDirectory data collector, and Identity Manager data collector to accept change events. For more information, see Section 5.4, Migrating an Identity Collector to a Change Event Identity Collector.
Microsoft SharePoint is a browser-based collaboration and document management tool that allows administrators to grant specified access rights to individual users and groups.
To gather information from SharePoint, the Service Account you use to configure SharePoint collection must be a member of the WSS_ADMIN_WPG local group on the SharePoint server.
NOTE:You cannot use the SharePoint collector for SharePoint Online.