7.2 Integration with Identity Management Systems
NetIQ provides a solution that integrates Sentinel with Novell Identity Manager. For other identity systems, similar integration can be achieved by writing an identity synchronization collector that uses the Identity API. For more information, see the Novell Plug-in SDK Web site for Sentinel.
The examples and illustrations in this section use Identity Manager to explain how integration works among identity management systems.
Sentinel integration with Identity Manager is provided using the Identity Manager driver called the Identity Tracking Module for Sentinel. Standard event collection must also be set up with the systems to which Identity Manager has provisioned accounts using the Collectors available at the Sentinel Plug-ins Web site.
After Sentinel and Identity Manager are installed, the Identity Tracking Module for Sentinel sends identity and account information from the Identity Vault to the Sentinel REST API, which populates the Sentinel database.
Figure 7-1 Sentinel Integration with IDM
The time required to initially populate the Sentinel database depends on the amount of data in the Identity Vault; identity information including photographs requires significantly more time to load.
The Identity Tracking Module for Sentinel also keeps the identity information synchronized as information is updated in the Identity Vault during normal Identity Manager operations.
After the identity and account information are loaded, a map named IdentityAccount is automatically generated in /var/opt/novell/sentinel/data/map_data. The map contains the following information:
-
Account Name
-
Authority
-
Customer Name
-
Identity GUID
-
Full Name
-
Department
-
Job Title
-
Manager GUID
-
Account Status
IMPORTANT:An identity can have multiple accounts but one account cannot be assigned to multiple identities.
The identity map is automatically applied to all events from Collectors to look for an identical match between the information in the event and key fields in the map. The table below shows the fields that are populated if all of the map key fields and event data exactly match. These mappings are automatically configured and are not editable.
|
Label |
Populated by which Column from IdentityAccount Map |
|---|---|
|
InitUserDepartment |
Department |
|
InitUserFullName |
Full Name |
|
InitUserIdentity |
Identity GUID |
|
TargetUserDepartment |
Department |
|
TargetUserFullName |
Full Name |
|
TargetUserIdentity |
Identity GUID |
NOTE:To find a match, the event fields and map key fields must match exactly. This might require modifications to existing Collectors to enable them to parse or concatenate data to make these fields match the data from the Identity Vault.
After these fields are added to the event by the mapping service, they are used by Correlation rules, remediation actions, and reports in the Identity Tracking Solution Pack. In addition to using the content included in the Solution Pack, users can also perform the following actions:
-
Create Correlation rules based on identity in addition to account name. This allows you to look for similar events from a single user, which provides a more comprehensive view than looking at events from a single account
-
Create reports that show identity, including all accounts associated with a user
-
Use the Identity Browser to get more information about users and their activities