3.3 Understanding the Components for Synchronizing Your Identity Data

3.3.1 Identity Vault

The Identity Vault contains all information that Identity Manager requires. The Identity Vault serves as a metadirectory of the data that you want to synchronize among the connected systems. For example, data synchronized from a PeopleSoft system to Lotus Notes is first added to the Identity Vault and then sent to the Lotus Notes system. The Identity Vault also stores information specific to Identity Manager, such as driver configurations, parameters, and policies.

The Identity Vault uses a NetIQ eDirectory database. For more information about using eDirectory see the NetIQ eDirectory 8.8 Administration Guide.

3.3.2 Identity Manager Engine

The Identity Manager engine processes all data changes that occur in the Identity Vault or a connected application. For events that occur in the Identity Vault, the engine processes the changes and issues commands to the application via the driver. For events that occur in the application, the engine receives the changes from the driver, processes the changes, and issues commands to the Identity Vault. Drivers connect the Identity Manager engine to the applications. A driver has two basic responsibilities: reporting data changes (events) in the application to the Identity Manager engine and carrying out data changes (commands) submitted by the Identity Manager engine to the application. Drivers must be installed on the same server as the connected application.

The Identity Manager engine has also been referred to as the Metadirectory engine. The server on which the Identity Manager engine runs is referred to as the Identity Manager server. You can have more than one Identity Manager server in your environment, depending on server workload.
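The event/command split described above, shown as an added toy model (this is illustration code written for this page, not NetIQ's engine or driver code; the class names, the `report_event`/`execute_command` methods and the per-driver attribute set that stands in for a driver filter are all invented for the example). It follows the PeopleSoft-to-Lotus-Notes flow from the Identity Vault section: a change in one connected system is reported by its driver as an event, written to the vault, and only then issued as commands to the other drivers, each receiving just the attributes its filter allows. The Remote Loader is not modeled.

```python
"""Toy model of the Identity Manager synchronization flow (added example).

A driver reports application changes to the engine as events; the engine
applies them to the Identity Vault and issues commands through the other
drivers. Names and data are constructed for this illustration.
"""

from dataclasses import dataclass, field


@dataclass
class ConnectedApp:
    """Stand-in for a connected system (for example an HR or mail system)."""
    name: str
    records: dict = field(default_factory=dict)


@dataclass
class Driver:
    """A driver has two jobs: report events from its application to the engine,
    and carry out commands from the engine against its application.
    `attrs` plays the role of the driver filter: only these attributes cross."""
    app: ConnectedApp
    attrs: frozenset
    commands_received: list = field(default_factory=list)

    def report_event(self, user_id, changes):
        # Event direction: application -> engine. Unfiltered attributes stay home.
        return {"source": self.app.name, "id": user_id,
                "changes": {k: v for k, v in changes.items() if k in self.attrs}}

    def execute_command(self, command):
        # Command direction: engine -> application.
        self.commands_received.append(command)
        self.app.records.setdefault(command["id"], {}).update(command["changes"])


class IdentityVault:
    """The metadirectory: every synchronized change passes through here first."""
    def __init__(self):
        self.objects = {}

    def apply(self, user_id, changes):
        self.objects.setdefault(user_id, {}).update(changes)
        return dict(self.objects[user_id])


class Engine:
    def __init__(self, vault, drivers):
        self.vault = vault
        self.drivers = drivers

    @staticmethod
    def command_for(drv, user_id, changes):
        # Only attributes the target driver is allowed to see become a command.
        subset = {k: v for k, v in changes.items() if k in drv.attrs}
        return {"target": drv.app.name, "id": user_id, "changes": subset} if subset else None

    def process_event(self, event):
        """Application change -> Identity Vault -> commands to the other drivers."""
        self.vault.apply(event["id"], event["changes"])
        issued = []
        for drv in self.drivers:
            if drv.app.name == event["source"]:
                continue  # do not echo the change back to where it came from
            cmd = self.command_for(drv, event["id"], event["changes"])
            if cmd:
                drv.execute_command(cmd)
                issued.append(cmd)
        return issued

    def process_vault_change(self, user_id, changes):
        """Change made directly in the Identity Vault -> commands to all drivers."""
        self.vault.apply(user_id, changes)
        issued = []
        for drv in self.drivers:
            cmd = self.command_for(drv, user_id, changes)
            if cmd:
                drv.execute_command(cmd)
                issued.append(cmd)
        return issued


def demo():
    """Run the two flows on constructed data and return the resulting state."""
    hr = ConnectedApp("hr")      # constructed: authoritative source of people data
    mail = ConnectedApp("mail")  # constructed: consumer of a subset of attributes
    vault = IdentityVault()
    hr_drv = Driver(hr, frozenset({"givenName", "surname", "department", "salary"}))
    mail_drv = Driver(mail, frozenset({"givenName", "surname", "mail"}))
    engine = Engine(vault, [hr_drv, mail_drv])

    # 1. A new hire appears in HR; the HR driver reports it as an event.
    hr.records["u1001"] = {"givenName": "Ada", "surname": "Lovelace",
                           "department": "R&D", "salary": 100000}
    engine.process_event(hr_drv.report_event("u1001", hr.records["u1001"]))

    # 2. An administrator sets the mail address in the vault; engine pushes it out.
    engine.process_vault_change("u1001", {"mail": "ada@example.test"})
    return {"vault": vault, "hr": hr, "mail": mail,
            "hr_driver": hr_drv, "mail_driver": mail_drv}


if __name__ == "__main__":
    state = demo()
    print(state["vault"].objects)
    print(state["mail"].records)
```

The point to notice is that the mail system never receives `salary`: the driver filter decides which attributes a connected system is allowed to learn, so a compromised or over-privileged connected system only sees the slice of the vault its driver was configured for.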

3.3.3 Remote Loader

The Identity Manager Remote Loader loads drivers and communicates with the Identity Manager engine on behalf of drivers installed on remote servers. If the application runs on the same server as the Identity Manager engine, you can install the driver on that server. However, if the application does not run on the same server as the Identity Manager engine, you must install the driver on the application’s server. To help with the workload or configuration of your environment, you can install Remote Loader on a server separate from the application servers and the Identity Manager server.

For more information about Remote Loader, see Section 15.2, Understanding the Remote Loader.

3.3.4 Identity Reporting

Identity Manager includes the Identity Information Warehouse, which is an intelligent repository of information about the actual and desired states of the Identity Vault and the connected systems within your organization. The Identity Information Warehouse gives you a 360-degree view of your business entitlements, providing the knowledge you need to see the past and present state of authorizations and permissions granted to identities in your organization.

When you query the Identity Information Warehouse, you can retrieve all of the information that you need to ensure that your organization is in full compliance with relevant business laws and regulations. With this knowledge, you can answer even the most sophisticated Governance Risk and Compliance (GRC) queries.

The infrastructure for the Identity Information Warehouse requires the following components:

Identity Reporting for Identity Manager

The Identity Information Warehouse stores its information in the SIEM database of the event auditing service. The Identity Reporting component allows you to audit and create reports about your Identity Manager solution. You can use the reports to help meet compliance regulations for your business. You can run predefined reports to demonstrate compliance for business, IT, and corporate policies. You can also create custom reports if the predefined reports do not meet your needs. Use Identity Reporting to report critical business information about various aspects of your Identity Manager configuration, including information collected from Identity Vaults and connected systems. The user interface for Identity Reporting makes it easy to schedule reports to run at off-peak times for optimized performance. For more information about Identity Reporting, see Using Identity Manager 4.5 Reports.

Data Collection Service

The Data Collection Service uses the Data Collection Services driver to capture changes to objects stored in an Identity Vault, such as accounts, roles, resources, groups, and team memberships. The driver registers itself with the service and pushes change events (such as data synchronization, add, modify, and delete events) to the service.

The service includes three subservices:

  • Report Data Collector: Uses a pull design model to retrieve data from one or more Identity Vault data sources. The collection runs on a periodic basis, as determined by a set of configuration parameters. To retrieve the data, the collector calls the Managed System Gateway driver.

  • Event-Driven Data Collector: Uses a push design model to gather event data captured by the Data Collection Service driver.

  • Non-Managed Application Data Collector: Retrieves data from one or more non-managed applications by calling a REST end point written specifically for each application. Non-managed applications are applications within your enterprise that are not connected to the Identity Vault.

Managed System Gateway Driver

The Managed System Gateway Driver queries the Identity Vault to collect the following types of information from managed systems:

  • List of all managed systems

  • List of all accounts for the managed systems

  • Entitlement types, values, and assignments, and user account profiles for the managed systems

Event Auditing Service

To include auditing and reporting as part of your Identity Manager solution, you need a security information and event management service, such as NetIQ Event Auditing Service or NetIQ Sentinel. The installation package for Identity Reporting includes Event Auditing Service (EAS). EAS captures log events associated with the following types of actions:

  • Actions performed within the RBPM and the role administration components

  • Actions performed in Identity Reporting, such as the import, modification, deletion, or scheduling of a report