20.1 Overview

Identity Manager uses a resource model for event-based reconciliation of external system permission assignments. This resource model was introduced in Identity Manager 4.0 to simplify the entitlement model and provide you a convenient way to perform resource-based provisioning actions. The resource-based provisioning actions allow you to manage resource definitions and resource assignments within your organization.

Figure 20-1 Identity Manager Resource Model

You can map resource assignments to users or to roles within your organization. For example, you can use resources to:

  • Make resource requests for users

  • Create resources and map them to entitlements

A resource is any digital entity such as a user account, computer, or database that a business user needs to be able to access. Identity Manager provides a way to manage permissions assignments in connected systems. You can think of an entitlement as a permission slip. A resource definition can have no more than one entitlement bound to it. You can bind a resource to the same entitlement more than once, with different entitlement values for each resource. For more information about entitlements in Identity Manager, see the NetIQ Identity Manager Entitlements Guide.

You can assign resources only to users; you cannot assign them directly to groups or containers. If a resource is mapped to a role, the role can be assigned to a group or container, which assigns the mapped resource to every user in that group or container.

Before you can assign resources to users, these resources must be defined in the Identity Manager Resource Catalog. The Resource Catalog is a storage repository of all resource definitions and supporting data needed by the Role and Resource Subsystem. The Resources tab of the Roles and Resource Administrator allows you to view resources that have been previously defined in the Resource Catalog. It also lets you create new resources and modify, delete, and assign existing resources.

This model works well when Identity Manager is the source of assignment or permission changes and you need to push those changes to connected systems. However, you need additional functionality to synchronize permission assignment changes from connected systems back to Identity Manager.

For example, if a connected system administrator grants additional permissions to existing users or creates new users, the Identity Manager driver publishes these changes to the Identity Vault. With the default content shipped with the Identity Manager driver, the changes in permission assignments are not directly updated in the User Application Resource Catalog. You need to customize the package content so that the Resource Catalog reflects the current state of the connected system.

Identity Manager now provides an out-of-the-box solution that updates the resource when permission assignments are published to the Identity Vault as they occur in connected systems. It can dynamically create an entitlement and a dynamic resource for each permission and load the entitlement values into the Resource Catalog of the Identity Manager Roles Based Provisioning Module.

An Identity Manager driver installed with the Permission Collection and Reconciliation Service (PCRS) package content can update the Resource Catalog with the permissions in the connected system. The driver can automatically assign or revoke resources for Identity Manager identities based on attribute values that change in the connected system. For a newly installed driver with this package content, you can migrate users and groups (for example, from Active Directory) into the Identity Vault, which updates the Resource Catalog with the current state of the connected system.

For example, suppose you have User1 and User2 in the connected system (Active Directory), and both are members of a group named Group1 that carries the required permissions. A driver enabled with PCRS lets you update the user permissions in the RBPM. To achieve this, migrate the users from Active Directory to the Identity Vault. The PCRS policies receive this event and update the Resource Catalog with the resource assignments.

IMPORTANT: NetIQ recommends that you migrate the users from the connected system to the Identity Vault. Group migration is not recommended because of performance issues.

You can dynamically create resources with custom entitlements populated with permission values from the connected system, and reconcile permission assignments between the Identity Manager resource/entitlement model and connected systems. Figure 20-2 depicts the flow of permissions from a connected system to the Resource Catalog and then into the Identity Vault.

Figure 20-2 Flow of New Users and Permission Assignments

You can use Designer to create custom entitlements on any driver enabled with this functionality to reflect the current state of connected systems. You use the entitlement attributes in the CSV file to create new custom entitlements. Ensure that the custom entitlements in the CSV file follow the specified format.

The CSV file includes the entitlement value, the entitlement display name shown in the User Application, and the description of the entitlement value. You can view the display name and description of the custom entitlements in the User Application while assigning resources to users.

Table 20-1 lists the CSV file attributes:

Table 20-1 CSV File Attributes

  Attribute                   Description
  entitlement value           The custom entitlement value you want to add to the Resource Catalog.
  entitlement display name    The custom entitlement name you want to display in the User Application.
  entitlement description     The description for the new custom entitlement value.

You must place the CSV file containing the entitlement values on the server where the Identity Manager engine is installed. Ensure that you update the csvFile column in the PermissionNameToFile mapping table with the correct path to the CSV file.

Figure 20-3 illustrates how the driver updates the Resource Catalog with custom permission assignments as entitlements change.

Figure 20-3 Custom Entitlements Creation

After you create, deploy, and start the driver, the driver automatically creates a new resource based on the entitlement configuration and populates it with the entitlement values from the CSV file. The new custom entitlement and its corresponding resource object are recorded in the PermissionEntMapping table. When permission assignments change in the connected system, the driver policies consume the modified permission values and update the Resource Catalog.

The workflow for Permission Collection and Reconciliation Service is as follows:

  1. Reads the CSV files containing entitlement values.

  2. Populates the <name>_Values objects.

  3. Creates a dynamic resource for assigning the new custom entitlement values to the users.

  4. Populates the PermissionEntMapping object with the Resource DN.

  5. Performs a refresh to recognize the new entitlements and values in the Role Based Provisioning Module.

IMPORTANT: You can create a new resource, map it to a custom entitlement, and reconcile permission assignments. However, if the Permission Collection and Reconciliation Service is turned off, all resource assignments for the custom entitlement are disabled, regardless of whether the resource was created through this service. The common package supplied with the Permission Collection and Reconciliation Service is not supported on a driver that already supports entitlements.

The Identity Manager drivers installed with Permission Collection and Reconciliation packages perform the following actions:

  • Provide a way to create custom entitlements and resources specific to your environment.

  • Reconcile resource or permission assignments between the Identity Vault and connected systems.

20.1.1 CSV File Format

An Identity Manager driver can consume entitlement information from the CSV file. The CSV file must be placed on the same server where the Identity Manager engine is installed, and it must contain the values of the target system permissions in the format specified below. The target system administrator should maintain a separate CSV file for every custom entitlement. For example, a CSV file can contain details about granting employees access for the BuildingAccess entitlement. A CSV file that contains BuildingAccess entitlement details represents this information in the following format:

Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse

where Building A is the entitlement value, Engineering is the display name shown in the User Application for the entitlement value Building A, and The engineering building is the description for that entitlement value, which also appears in the User Application.
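As an added example (not part of the NetIQ documentation and not the driver's own code), the following Python script parses a custom-entitlement CSV in the three-column layout above and checks a PermissionNameToFile-style mapping (entitlement name to csvFile path) before the driver's first workflow step reads the files. It flags the defects an administrator most often introduces: a row with the wrong number of columns, a duplicate entitlement value, a relative path, or a file that cannot be read. The directory /opt/novell/idm/csv, the ParkingAccess entitlement, and the defective sample file are constructed for this example.

```python
import csv
import io
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the BuildingAccess CSV exactly as shown in the section.
SAMPLE_BUILDING_ACCESS = """Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
"""

# Constructed sample with defects worth catching before the driver consumes it:
# a duplicate entitlement value, a row with only two columns, and a blank line.
SAMPLE_BAD = """Building A, Engineering, The engineering building
Building A, Engineering Annex, Second entry for the same value
Building E, Parking

"""

# Constructed stand-in for the engine server's filesystem (paths are assumptions).
CONSTRUCTED_FILES = {
    "/opt/novell/idm/csv/BuildingAccess.csv": SAMPLE_BUILDING_ACCESS,
    "/opt/novell/idm/csv/ParkingAccess.csv": SAMPLE_BAD,
}


@dataclass(frozen=True)
class EntitlementValue:
    value: str         # "entitlement value" column
    display_name: str  # "entitlement display name" column
    description: str   # "entitlement description" column


def parse_entitlement_csv(text: str) -> Tuple[List[EntitlementValue], List[str]]:
    """Parse one custom-entitlement CSV (value, display name, description).

    Returns the accepted rows and a list of human-readable problems. Rows with
    the wrong column count, an empty value, or a duplicate value are reported
    and skipped; blank lines are ignored; whitespace around fields is trimmed,
    matching the 'Building A, Engineering, ...' layout in the guide.
    """
    rows: List[EntitlementValue] = []
    problems: List[str] = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, fields in enumerate(reader, start=1):
        if not fields or all(f.strip() == "" for f in fields):
            continue
        if len(fields) != 3:
            problems.append(f"line {lineno}: expected 3 columns, found {len(fields)}")
            continue
        value, display, desc = (f.strip() for f in fields)
        if not value:
            problems.append(f"line {lineno}: empty entitlement value")
            continue
        if value in seen:
            problems.append(f"line {lineno}: duplicate entitlement value {value!r}")
            continue
        seen.add(value)
        rows.append(EntitlementValue(value, display, desc))
    return rows, problems


def read_constructed(path: str) -> str:
    """Offline reader over the constructed files; raises like open() would."""
    if path not in CONSTRUCTED_FILES:
        raise FileNotFoundError(path)
    return CONSTRUCTED_FILES[path]


def check_permission_mapping(mapping: Dict[str, str],
                             read_file: Optional[Callable[[str], str]] = None) -> Dict[str, dict]:
    """Validate a PermissionNameToFile-style mapping (entitlement name -> csvFile path).

    Each entry is checked for an absolute path (the file must live on the engine
    server), then read and parsed. By default files are read from disk; pass
    read_file to run offline, as the demonstration below does.
    """
    if read_file is None:
        def read_file(path: str) -> str:
            with open(path, encoding="utf-8") as fh:
                return fh.read()
    report: Dict[str, dict] = {}
    for name, path in mapping.items():
        entry = {"path": path, "values": [], "problems": []}
        if not os.path.isabs(path):
            entry["problems"].append(f"csvFile path {path!r} is not absolute")
        try:
            text = read_file(path)
        except OSError as exc:
            entry["problems"].append(f"cannot read {path!r}: {exc}")
            report[name] = entry
            continue
        values, problems = parse_entitlement_csv(text)
        entry["values"] = values
        entry["problems"].extend(problems)
        report[name] = entry
    return report


if __name__ == "__main__":
    demo_mapping = {
        "BuildingAccess": "/opt/novell/idm/csv/BuildingAccess.csv",
        "ParkingAccess": "/opt/novell/idm/csv/ParkingAccess.csv",
        "Missing": "relative/Missing.csv",
    }
    for name, entry in check_permission_mapping(demo_mapping, read_constructed).items():
        print(f"{name}: {len(entry['values'])} value(s), {len(entry['problems'])} problem(s)")
        for problem in entry["problems"]:
            print("  -", problem)
```

Run against the real engine server by omitting read_file, so that the paths in the mapping are opened from disk. A clean report means every csvFile entry resolves and every row carries the three columns the driver expects; anything listed under problems is worth fixing before deploying and starting the driver, since the driver populates the resource from whatever the file contains.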

20.1.2 Prerequisites

The following are the prerequisites for drivers that support the Permission Collection and Reconciliation Service:

  • Designer for Identity Manager 4.0.2 AU4 and later

  • Identity Manager 4.0.2 with Engine Patch 4 and later

  • Managed System Gateway driver version 4.0.0.6 and later

  • Driver Set Package:

    • Common Settings Advanced Edition Package (NOVLACOMSET 2.0.0 and later)

  • Driver Package:

    • Driver-specific entitlements packages for the Active Directory, LDAP, Delimited Text, and Loopback drivers. For example, use NOVLADENTEX for the Active Directory driver, NOVLLDAPENT for the LDAP driver, and NOVLDTXTENT for the Delimited Text driver. For more information, see the driver-specific implementation guides.

    • Permission Collection and Reconciliation service package (NOVLCOMPCRS 2.0.0 and later)

      This is the common PCRS package for defining custom entitlements on drivers such as SOAP and JDBC.