24.0 Synchronizing Permission Changes from the Connected Systems

NOTE: Permission Collection and Reconciliation Service (PCRS) has been simplified to Controlled Permission Reconciliation Services (CPRS). CPRS currently supports only the Active Directory, Multi-Domain Active Directory (MDAD) and LDAP drivers; PCRS remains supported for all other drivers. For more information on CPRS, see Using Controlled Permission Reconciliation Services in the NetIQ Identity Manager - Administrator's Guide to the Identity Applications.

Synchronizing permission assignment changes from connected systems to Identity Manager requires additional functionality. A permission assignment changes when a connected system administrator grants additional permissions to existing users or creates new users. An Identity Manager driver publishes these changes to the Identity Vault, but they are not automatically reflected in the User Application Resource Catalog, because the default content shipped with the driver does not have this capability. To make the Resource Catalog reflect the current state of a connected system, you need to customize the driver's package content.

Identity Manager provides Permission Collection and Reconciliation Service (PCRS) that enables you to create custom entitlements for connected system roles and resources in order to synchronize the connected system permission assignment changes to the User Application Resource Catalog. When PCRS is enabled, you can update a resource when permission assignments are published to the Identity Vault as they occur in connected systems.

PCRS provides the following key features:

  • Supports easy creation of entitlements

  • Provides out-of-the-box support for implementing the Identity Manager resource model

  • Supports onboarding of application permissions and assignments

  • Supports assignment status updates on Publisher and Subscriber channels

  • Supports bidirectional flow of resources and entitlements

  • Reconciles resource or permission assignments between the Identity Vault and connected systems

  • Provides integration between applications

  • Supports a comprehensive permission catalog that displays the actual assignment status

  • Provides a common package for custom drivers

An Identity Manager driver installed with the package content that enables PCRS can update the Resource Catalog with the connected system changes. The driver can automatically assign resources to, or revoke them from, Identity Manager identities based on changes to attribute values in the connected system.

For a newly installed driver with this package content, you can migrate users and groups (for example, from Active Directory) into the Identity Vault, which updates the Resource Catalog with the current state of the connected system. For example, if User1 and User2 are members of Group1 with the required permissions in a connected system, a driver enabled with PCRS updates the user permissions in RBPM when the users are migrated from the connected system to the Identity Vault. The PCRS policies receive the migration event and update the Resource Catalog with the corresponding resource assignments.

NOTE: NetIQ recommends that you migrate individual users from a connected system to the Identity Vault instead of migrating groups. Migrating a group is not recommended because of performance issues.

You can dynamically create resources with custom entitlements whose permission values come from a connected system, and also create permission assignments between the Identity Manager resource model and connected systems. The following figure depicts how permissions flow from a connected system to the Resource Catalog and then into the Identity Vault.
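The following is an added illustration, not NetIQ code and not the driver's PCRS package policies: it models in plain Python the reconciliation behaviour described above, per user as the note recommends. A connected-system snapshot of group memberships is reconciled against a Resource Catalog: a resource is created dynamically for any entitlement value not yet in the catalog, assignments are added for memberships the catalog lacks, and assignments are revoked for memberships the connected system no longer reports. The catalog structure, the use of the group DN as the entitlement value, the resource naming rule and the action names are all assumptions made for the example; the sample data is constructed.

```python
"""Model of PCRS-style permission reconciliation (added example, not NetIQ code).

Assumptions for the example:
  * the entitlement value of a permission is the (lower-cased) group DN;
  * a resource is named after the group's CN;
  * every resource in this catalog belongs to the one connected system being
    reconciled, so a membership missing from the snapshot means "revoke".
"""
from dataclasses import dataclass, field


@dataclass
class ResourceCatalog:
    # entitlement value -> resource name
    resources: dict = field(default_factory=dict)
    # resource name -> set of identities currently holding that resource
    assignments: dict = field(default_factory=dict)


def entitlement_value(group_dn: str) -> str:
    """Assumed mapping: the entitlement value is the normalized group DN."""
    return group_dn.lower()


def resource_name_for(group_dn: str) -> str:
    """Assumed naming rule: take the CN of the first RDN (CN=Group1,... -> Group1)."""
    first_rdn = group_dn.split(",")[0]
    return first_rdn.split("=", 1)[1]


def reconcile_user(catalog: ResourceCatalog, user: str, connected_groups) -> list:
    """Reconcile one identity against its group memberships in the connected system.

    Returns the ordered list of actions applied to the catalog:
    ("create_resource", name, entitlement_value), ("assign", user, name),
    ("revoke", user, name).
    """
    actions = []
    wanted = set()
    for group_dn in connected_groups:
        ev = entitlement_value(group_dn)
        if ev not in catalog.resources:
            # Dynamic resource creation for a permission value seen for the first time.
            name = resource_name_for(group_dn)
            catalog.resources[ev] = name
            catalog.assignments.setdefault(name, set())
            actions.append(("create_resource", name, ev))
        wanted.add(catalog.resources[ev])

    current = {name for name, holders in catalog.assignments.items() if user in holders}

    # Memberships the connected system reports but the catalog does not yet reflect.
    for name in sorted(wanted - current):
        catalog.assignments[name].add(user)
        actions.append(("assign", user, name))
    # Assignments the catalog holds that the connected system no longer grants.
    for name in sorted(current - wanted):
        catalog.assignments[name].discard(user)
        actions.append(("revoke", user, name))
    return actions


def migrate(catalog: ResourceCatalog, snapshot: dict) -> list:
    """Migrate users one at a time (not as a group), returning all actions."""
    actions = []
    for user in sorted(snapshot):
        actions.extend(reconcile_user(catalog, user, snapshot[user]))
    return actions


# Constructed sample snapshot: user -> group DNs in the connected system.
GROUP1 = "CN=Group1,OU=Groups,DC=example,DC=com"
GROUP2 = "CN=Group2,OU=Groups,DC=example,DC=com"
INITIAL_SNAPSHOT = {"User1": [GROUP1], "User2": [GROUP1]}


if __name__ == "__main__":
    cat = ResourceCatalog()
    for action in migrate(cat, INITIAL_SNAPSHOT):
        print("migration:", action)
    # Later change in the connected system: User1 moved from Group1 to Group2.
    for action in reconcile_user(cat, "User1", [GROUP2]):
        print("update:   ", action)
```

Running the script shows the initial migration creating the Group1 resource once and assigning it to both users, and the later update creating Group2, assigning it to User1 and revoking Group1 from User1, while User2's assignment is untouched.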

This section provides information about implementing PCRS in your Identity Manager environment.