1
IGI Technical Introduction incl. Planning for a Deployment
Identity Governance Tech Enablement
David Edwards, Technical Enablement – Identity Governance
2
Aim of this module: Introduce the product from a technical perspective to help with deployment planning
3
Agenda
- Key Concepts of IGI
- Architectural Overview of IGI
  - Overview and components
  - Product requirements
  - Deployment options
  - IGI functional components
- Planning Considerations
- Class Lab setup
4
Module Outcomes
At the end of this module you should:
- Understand the key concepts of IGI
- Be able to describe the architecture and components of IGI
- Know how to find the detailed product requirements
- Understand some of the deployment considerations
- Have set up the Lab environment for this course
5
Key Concepts of IGI
6
Identity Management and Identity Governance
Identity Management: managing “who has access to what”
- Focused on managing users and their access
- Usually involves reconciliation and provisioning
- Users = people or identities: employees, contractors, customers
  - Users normally reside in a repository: HR system, directory, AD etc.
  - Will often hold attributes of users: job code, position code, manager, office location etc.
  - Can be used for role-based or attribute-based provisioning
  - May drive identity management off changes to user data
- Access is the accounts and access rights on target systems
  - Accounts will include logon id and password, and other account attributes
  - Access rights may be account attributes (e.g. AUDITOR flag) or group membership (e.g. AD group)
  - May also be a permission and right to access a resource (e.g. READ Sales Report)
- Roles are used to simplify identity management
- Includes workflow for review/approval of access requests
7
Identity Management and Identity Governance
Identity Governance: focused on ensuring there are processes to control “who has access to what”
Includes:
- Risk Policies
  - Separation of Duties (SoD)
  - Sensitive Access (SA)
  - Processes for managing risk, including mitigations
- Business activities
  - The auditor view of job functions, e.g. “Purchase Order Create” and “Purchase Order Approve”
- Recertification (or attestation) to periodically review access
  - Reviewing user access
  - Reviewing how roles are defined
  - Reviewing risks and mitigations
- Reporting
8
Typical Identity Governance and Intelligence actors
Employee / User
- Self-service access requests and password management
- Can delegate (be delegated) access
- Performs certifications
User Manager / Dept. Manager
- Initiates access requests / approves self-service requests
- Initiates and approves third-party delegations
- Performs certifications regarding organizational unit and entitlement visibility
Application Manager
- Approves access requests
- Resolves unmatched or orphaned accounts
- Models permission to business activity mapping
Risk Manager
- Approves violation-escalated access requests
- Performs access violation mitigation campaigns
Security Officer / Reviewer Supervisor
- Certification supervisor
- Locks and unlocks user accounts
Operator
- Manually performs access fulfillment requests
© Copyright IBM Corporation 2015
9
Entitlements – Roles and Permissions
(Diagram: Business Roles and IT Roles are internal to Identity Governance; Application Permissions and External Roles are tied to the target systems, e.g. Application 1 and Application 2.)
- Business roles: a combination of permissions, IT roles, or other business roles from any resource under management that deliver a defined business function
- IT roles: a combination of permissions or other IT roles from a single application or resource
- External Role: access granted on target systems that have a hierarchy (like AD groups)
- Permission: the lowest, or indivisible, level of access granted by an application or IT resource
10
Role lifecycle management: Defining versus discovering roles
Roles: making identity management more business-friendly
Defining roles – top-down role design
- You know what permissions a role should contain
- These roles represent a “should-be” view
- New roles can be defined:
  - Assign a role name and role type
  - Map entitlements to the new role
  - Define scope for the new role
Discovering roles – bottom-up role design
- Use the existing users and entitlements to determine what common sets of access users have to do their job
- New roles can be “discovered” through role mining:
  - Explore any subset of the realm
  - Users and entitlements are analyzed and grouped
  - Select a promising role, review it for conflicts, and publish it
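The bottom-up step described above (analyze existing users and entitlements, group them, and surface candidate roles for review) is easy to misunderstand without seeing it run. The following is an added example, not IGI product code and not the Access Optimizer's actual role-mining algorithm: it enumerates entitlement combinations over a small constructed data set, keeps only "closed" sets (no larger set is held by exactly the same users), and reports how much of the existing access the candidates would explain. All user and entitlement names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample data (not from any real IGI realm): user -> entitlements held,
# i.e. permissions or groups already granted on target systems.
USER_ENTITLEMENTS = {
    "alice": {"AD:Sales", "SAP:SD_ORDER_CREATE", "CRM:Read"},
    "bob":   {"AD:Sales", "SAP:SD_ORDER_CREATE", "CRM:Read", "FIN:Reports"},
    "carol": {"AD:Sales", "SAP:SD_ORDER_CREATE", "CRM:Read"},
    "dave":  {"AD:Finance", "SAP:FI_INVOICE_POST", "FIN:Reports"},
    "erin":  {"AD:Finance", "SAP:FI_INVOICE_POST", "FIN:Reports"},
    "frank": {"AD:Finance", "SAP:FI_INVOICE_POST"},
}


def mine_roles(user_entitlements, min_users=2, min_size=2):
    """Bottom-up role discovery.

    Returns candidate roles as (entitlement set, member users) for every
    'closed' entitlement set that at least min_users users hold in full.
    A set is closed when no strictly larger set is held by exactly the same
    users, so each candidate is the largest common access of its member group
    and trivial sub-combinations are not reported separately.
    """
    all_ents = sorted(set().union(*user_entitlements.values()))
    support = {}
    # Exhaustive enumeration is fine for a demo; a real role-mining engine
    # prunes the search space (Apriori-style) for thousands of entitlements.
    for size in range(min_size, len(all_ents) + 1):
        for combo in combinations(all_ents, size):
            ents = frozenset(combo)
            members = frozenset(u for u, held in user_entitlements.items() if ents <= held)
            if len(members) >= min_users:
                support[ents] = members
    closed = [
        (ents, members)
        for ents, members in support.items()
        if not any(other > ents and support[other] == members for other in support)
    ]
    # Most users covered first, then larger roles first, then a stable name order
    closed.sort(key=lambda c: (-len(c[1]), -len(c[0]), sorted(c[0])))
    return closed


def coverage(candidates, user_entitlements):
    """Fraction of existing user-entitlement assignments explained by the candidates.
    Whatever is left uncovered stays as direct assignment and is a review target."""
    total = sum(len(held) for held in user_entitlements.values())
    explained = 0
    for user, held in user_entitlements.items():
        covered = set()
        for ents, members in candidates:
            if user in members:
                covered |= ents
        explained += len(covered & held)
    return explained / total


if __name__ == "__main__":
    roles = mine_roles(USER_ENTITLEMENTS)
    for ents, members in roles:
        print(sorted(ents), "->", sorted(members))
    print("coverage: %.1f%%" % (100 * coverage(roles, USER_ENTITLEMENTS)))
```

On the sample data this yields three candidates: a sales role held by three users, a finance role held by three users, and a larger finance role (with reporting access) held by two of them. The two finance candidates are nested, which is exactly the kind of conflict the analyst resolves during review before publishing; bob's extra `FIN:Reports` stays uncovered and is a natural recertification target.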
11
Business-activity-based risk control modeling
Two complementary ways to look at the application estate: from a provisioning perspective and a governance perspective.
- Roles consolidate permissions to make life easier for non-technical users
  - Rather than understanding cryptic permission names, business users work with roles with descriptions
- Roles don't work well for SoD/SA
  - Use “Business Activities”, the language of auditors
  - SoD is a conflict of business activities, e.g. “Purchase Order Create” AND “Purchase Order Approve”
  - Sensitive Access (Privileged Access) is a single business activity
(Diagram: users u1, u2, u3 and roles r1, r2, r3 give the identity management perspective; the business activity mapping, with activities and SoD rules, gives the identity governance perspective.)
© Copyright IBM Corporation 2016
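The two slides above (the entitlement hierarchy of business roles, IT roles, external roles and permissions, and the business-activity mapping used for SoD and sensitive-access rules) fit together as one evaluation: flatten what a user holds down to permissions, translate permissions into activities, then test the activity set against the risk definitions. The following is an added example, not IGI product code and not the Access Risk Controls engine: every role, permission, activity, rule and mitigation in it is constructed for illustration. It shows why risk is defined on activities rather than roles: the nested "Procurement Lead" role combines two activities that conflict, and the check catches it without any rule ever mentioning that role.

```python
# Added example (not IGI product code): resolve nested roles to permissions, map
# permissions to business activities, and evaluate SoD / sensitive-access rules.
# All names, roles, mappings and mitigations below are constructed for illustration.

# Entitlement hierarchy. Keys are roles; values are the entitlements they contain.
# Anything that is not a key here is treated as a leaf permission on a target system.
ROLES = {
    # Business roles: combine IT roles, external roles or permissions across applications
    "BR:Procurement Clerk": {"IT:SAP Purchasing", "AD:Procurement-Staff"},
    "BR:Procurement Lead": {"BR:Procurement Clerk", "IT:SAP PO Approval"},
    # IT roles: permissions from a single application
    "IT:SAP Purchasing": {"SAP:ME21N"},
    "IT:SAP PO Approval": {"SAP:ME29N"},
    "IT:SAP Basis": {"SAP:SU01"},
}

# Business-activity mapping: permission -> activity in the auditor's vocabulary
PERMISSION_TO_ACTIVITY = {
    "SAP:ME21N": "Purchase Order Create",
    "SAP:ME29N": "Purchase Order Approve",
    "SAP:SU01": "User Administration",
}

# Risk definitions are expressed on activities, never on roles
SOD_RULES = [("Purchase Order Create", "Purchase Order Approve")]
SENSITIVE_ACTIVITIES = {"User Administration"}

# Constructed user-to-entitlement assignments
USER_ENTITLEMENTS = {
    "alice": {"BR:Procurement Clerk"},
    "bob": {"BR:Procurement Lead"},
    "carol": {"IT:SAP Purchasing", "IT:SAP Basis"},
}

# Mitigations accepted by the risk manager: (user, risk key) -> description
MITIGATIONS = {
    ("bob", "SoD:Purchase Order Approve|Purchase Order Create"):
        "Monthly purchase-order review by the finance controller",
}


def effective_permissions(entitlement, roles=ROLES, _seen=None):
    """Flatten a role (or permission) into the leaf permissions it grants.
    Cycle-safe: a role reached twice (diamond or loop) is expanded only once."""
    if _seen is None:
        _seen = set()
    if entitlement in _seen:
        return set()
    _seen.add(entitlement)
    if entitlement not in roles:
        return {entitlement}
    perms = set()
    for child in roles[entitlement]:
        perms |= effective_permissions(child, roles, _seen)
    return perms


def user_activities(user):
    """Business activities a user can perform, via everything they hold."""
    perms = set()
    for ent in USER_ENTITLEMENTS.get(user, ()):
        perms |= effective_permissions(ent)
    # Unmapped permissions carry no activity here; in a deployment they should be
    # reported separately, because an incomplete mapping hides risk.
    return {PERMISSION_TO_ACTIVITY[p] for p in perms if p in PERMISSION_TO_ACTIVITY}


def evaluate_user(user):
    """Return the risk violations for a user, each marked mitigated or not."""
    activities = user_activities(user)
    violations = []
    for a, b in SOD_RULES:
        if a in activities and b in activities:
            pair = tuple(sorted((a, b)))
            key = "SoD:" + "|".join(pair)
            violations.append({"user": user, "type": "SoD", "activities": pair,
                               "mitigation": MITIGATIONS.get((user, key))})
    for a in sorted(activities & SENSITIVE_ACTIVITIES):
        violations.append({"user": user, "type": "SA", "activities": (a,),
                           "mitigation": MITIGATIONS.get((user, "SA:" + a))})
    return violations


def unmitigated_violations():
    """What a risk-violation-mitigation campaign would put in front of the risk manager."""
    return [v for u in USER_ENTITLEMENTS for v in evaluate_user(u) if v["mitigation"] is None]


if __name__ == "__main__":
    for u in USER_ENTITLEMENTS:
        print(u, sorted(user_activities(u)), evaluate_user(u))
    print("unmitigated:", unmitigated_violations())
```

Bob's SoD violation exists only because two roles were nested; it is reported but carries an accepted mitigation, so it does not appear in the unmitigated list. Carol's sensitive access (user administration) has no mitigation and is the single item left for the risk manager.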
12
Certification campaigns
Certification campaigns are a formal process for automating the periodic review of a given relationship.
The Access Certifier tool allows nontechnical lines-of-business management to enforce accurate and timely access decisions with simple approve or revoke selections applied to the assignments being examined.
Five types of certification campaigns are supported:
- Organization unit assignment
  - Visibility of entitlements by organization
  - The review is normally conducted by the application manager/owner
  - Access to the entitlement can be approved or revoked for each organization
- User assignment
  - Review of entitlements held by individual users
  - The review is normally conducted by the user manager or department manager
  - Entitlements must be approved or revoked for each user
- Risk violation mitigation
  - Review of unmitigated SoD, sensitive access (SA), and other risk violations
  - The review is normally conducted by the risk manager
  - Mitigations can be applied or revoked for each risk
- Entitlement
  - Review the contents of each role to assure it contains only the correct entitlements
  - The review is normally conducted by the role manager/owner or the application manager/owner
  - Each role can be approved or revoked
- Account
  - Review of accounts held by each user and the account status
  - Accounts can be approved or revoked for each user

Campaign Type                | Description
-----------------------------|---------------------------------------------------
Organization unit assignment | Review entitlements for visibility violations
User assignment              | Review entitlements for user access violations
Risk violation mitigation    | Review for unmitigated risk violations
Entitlement                  | Review by application manager of entitlement use
Account                      | Review account access for target applications
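To make the user-assignment campaign type concrete, here is an added example that is not IGI product code and does not reproduce the Access Certifier's data model: it builds one review item per user/entitlement pair, routes each to the user's manager, accepts only approve or revoke from the assigned reviewer, and, when the campaign closes, turns revokes into fulfilment actions and escalates anything left undecided to a certification supervisor rather than treating silence as approval. The users, assignments and the `sec-officer` supervisor name are constructed for illustration.

```python
# Added example (not IGI product code): a minimal user-assignment certification
# campaign. All users, managers and assignments below are constructed.

# Constructed user directory: user -> attributes relevant to routing the review
USERS = {
    "alice": {"manager": "mona"},
    "bob": {"manager": "mona"},
    "carol": {"manager": "max"},
}

# Constructed current user -> entitlement assignments that the campaign examines
ASSIGNMENTS = [
    ("alice", "AD:Sales"),
    ("bob", "AD:Sales"),
    ("bob", "FIN:Reports"),
    ("carol", "SAP:FI_INVOICE_POST"),
]

SUPERVISOR = "sec-officer"  # hypothetical certification supervisor (security officer)


def build_user_assignment_campaign(users, assignments):
    """One review item per (user, entitlement), routed to that user's manager."""
    return {
        (user, ent): {"reviewer": users[user]["manager"], "decision": None}
        for user, ent in assignments
    }


def record_decision(campaign, reviewer, user, ent, decision):
    """Only the assigned reviewer may decide, and the only decisions are approve/revoke."""
    item = campaign[(user, ent)]
    if reviewer != item["reviewer"]:
        raise PermissionError(f"{reviewer} is not the reviewer for {user}/{ent}")
    if decision not in ("approve", "revoke"):
        raise ValueError(f"unknown decision {decision!r}")
    item["decision"] = decision


def close_campaign(campaign, supervisor=SUPERVISOR):
    """Turn decisions into fulfilment work.

    Revoked items become revoke requests for the operator / provisioning broker.
    Items nobody reviewed are escalated to the supervisor; they are never
    implicitly approved, because an unreviewed entitlement is exactly what the
    campaign exists to find.
    """
    revoke = sorted(k for k, v in campaign.items() if v["decision"] == "revoke")
    pending = sorted(k for k, v in campaign.items() if v["decision"] is None)
    return {"revoke": revoke, "escalate_to": supervisor, "escalate": pending}


def run_example():
    campaign = build_user_assignment_campaign(USERS, ASSIGNMENTS)
    record_decision(campaign, "mona", "alice", "AD:Sales", "approve")
    record_decision(campaign, "mona", "bob", "FIN:Reports", "revoke")
    record_decision(campaign, "max", "carol", "SAP:FI_INVOICE_POST", "approve")
    # ("bob", "AD:Sales") is deliberately left undecided
    return close_campaign(campaign)


if __name__ == "__main__":
    print(run_example())
```

The same structure generalises to the other campaign types by changing what an item is and who reviews it (an organisation unit and the application owner, a role's contents and the role owner, an unmitigated violation and the risk manager); the reviewer check and the no-implicit-approval rule at close stay the same.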
13
Personas accessing the Identity Governance and Intelligence solution
Different personas access the Identity Governance and Intelligence solution; each persona is responsible for a set of tasks or has privileges for specific actions and workflows.
- Service Center: Employee / User; User Manager / Dept. Manager; Security Officer / Reviewer Supervisor
- Virtual Appliance console and the Virtual Appliance Command Line Interface: Virtual Appliance Administrator
- Administration Console: Identity Governance and Intelligence Administrators
14
Virtual Appliance Administrator tasks
The Virtual Appliance Administrator is responsible for the initial setup and activation of the Identity Governance and Intelligence Virtual Appliance (VA) and for its day-to-day administration, such as the following tasks:
- Monitor proper functioning of the whole solution
- Apply upgrades and Fix Packs to the Virtual Appliance
- Virtual Appliance administrator maintenance tasks
- Troubleshoot issues and work with IBM Customer Support should a complex issue arise
15
Architectural Overview of IGI
Let’s look at how the product is put together before diving into the functions.
16
Architectural Overview for IGI
(Architecture diagram not reproduced; labelled component: Optional Postgres DB.)
17
Architectural Overview for IGI
Identity Governance and Intelligence (IGI) Server
- Implemented as a Virtual Appliance (VA), NOT software
- Three licensed components: Lifecycle, Compliance and Analytics
- Also includes:
  - The Broker (aka Identity Brokerage) for managing provisioning to target systems using adapters
  - IBM Tivoli Directory Integrator (TDI) for running adapters
  - Enterprise Connectors, including SAP-specific connectors
  - APIs – Java and REST
  - Bulkload tools for fast loading of identity objects
- Two user interfaces:
  - Administration Console – for system administration of IGI
  - Service Center – for role-based identity governance functions (e.g. employee, user manager)
Adapters and Connectors
- May be agent-based (deployed to target systems) or agentless
- Covered in more detail later
Data Stores
- IGI Database
  - Stores all IGI data, such as objects and policies
  - Remote DB2 or Oracle instance, or onboard (VA) Postgres DB
- IGI Directory
  - Used as a cache for reconciliation and provisioning with the Broker
  - Uses a remote IBM Security Directory Server (SDS) instance (runs on DB2)
18
Product Requirements
Current requirements can be found at:
Search for “identity governance”, select “Identity Governance and Intelligence” and your version number.
For IGI this includes:
- Hypervisor: Citrix XenServer 6.5, VMware ESXi 5.0/5.1/5.5/6.0
  - NOTE: the IGI VA is also supported on AWS and on KVM (see support technotes)
- Processor/Memory/Disk for the VA
  - Disk: at least 100 GB free hard disk space
  - Memory: minimum 16 GB system memory if using DB2 or Oracle as the database; minimum 24 GB system memory if using the internal database
  - Processor: minimum 2.2 GHz, four cores (64-bit)
- Database: DB2 ESE 10.5, Oracle Database 12c Release 1
- Directory: IBM Security Directory Server 6.4
- Integration: Tivoli Directory Integrator 7.1.1
- Web Browsers: Google Chrome 58 and future fix packs, Microsoft Internet Explorer 11 and future fix packs, Mozilla Firefox ESR 52 and future fix packs
19
Deployment Options
Many – depends on the functional and non-functional requirements. Examples:
- All-in-one deployment
  - Only deploy the VA and use the on-board database
  - All integration with external systems via bulkload or enterprise connectors
  - Good for a governance-only deployment or a standalone user training environment
- Two-box deployment
  - Deploy a single VA with a separate server for the database, directory and any integration components
  - Good for a small governance+lifecycle deployment
- Three-box deployment
  - Deploy a VA, a data server (DB and LDAP) and an integration server (TDI plus adapters/integrations)
  - Good for larger deployments; the different components can be tuned independently
- HA and DR
  - The Virtual Appliance uses a clustering mechanism: one master and up to three replicas, with fail-over built into the firmware
  - The IGI server is also basically stateless, so multiple instances could sit behind a load-balancer
  - Data replication mechanisms are available for DB2 and SDS
  - Discussed in more detail in the delivery/deployment training
20
IGI Logical Architecture (from Knowledge Center)
21
IGI Modules and Components
(Module map diagram as of IGI 5.2.3; the layout is not reproduced, only its labels.)
- User interfaces: Service Center UI; Administrative Console UI
- Modules: Access Governance Core*; Access Risk Controls; ARC for SAP; Access Optimizer; Access Request; Access Certifier (certification campaigns); Report Designer; Process Designer; Task Planner
- Functions shown under the modules: Dashboards; Risk Violations; SAP Fine-Grained Risk Analysis; Role Mining (incl. Data Exploration); Access/Accounts; Identities; Risk Scoring; Roles; BA Mapping; Passwords; Self Care (incl. passwords); User Account Matching; Role Lifecycle; Notifications; Reports (per module)
- Managed objects: Manage Core Objects (People, Accounts, Entitlements, Applications etc.); Manage Risk Objects (Business Activities, Risks (SoD, SA), Mitigations); Manage SAP Risk Objects (BAs, SAP Roles, AOs, “SAP Authorization”); Copy of Users, Entitlements, Roles; Manage Campaigns (Certification Campaigns and Datasets); Manage Reports (Queries, Reports and Dashboards); Manage Processes (Processes, Activities, Menus); Manage Tasks and Jobs (Schedules, Tasks and Jobs); Manage Connectors (Connectors, Profiles, Profile Types, Attribute Mapping)
- Platform components: Identity Warehouse; Rule Engine (Event Processing); Workflow Engine; Authorization Manager (Entitlement Server); Qs; Enterprise Connectors; Identity Broker / Adapters; Bulkload Tools; ISIM Integration (ISIGADI); APIs
- Virtual Appliance: App Server, SDI Instances, Postgres DB, Utilities, Firmware, OS; VA Local Management Interface (LMI); VA Command Line Interface (CLI)
22
IGI Modules and Components – with Licensed Products
(Same module map as the previous slide, with each component grouped by licensed product: Lifecycle, Compliance, Analytics, or Common Components. Diagram not reproduced; the component labels are those listed on the previous slide.)
23
Deployment Considerations
Typical considerations when planning a deployment
24
Preparing for an Identity Governance deployment
The deployment team members must work with their various customer counterparts to gather the following information:
- User listings and details about authoritative user resources (feeds from HR systems)
  - Source of the user data: export files, spreadsheets, CSV, HR feeds, and communication protocols for data exchange
  - User hierarchies, employee–manager relationships, and hierarchy update processes
- Integration with external identity sources
  - Users, attributes, application permissions, accounts management
- Organizational chart
- Roles catalog
  - Administrative roles
  - Business roles
  - Entitlements and entitlement groupings
  - How to translate this into the IGI data model: permissions, IT Roles, Business Roles, External Roles, and Admin Roles
- Business applications
  - Application owners
  - Accounts on each application
  - Target systems/applications/datastores
- Business Activity Tree
  - And any Separation of Duties and Sensitive Access policies in use or identified
- Expected reports, that is, who can access reporting, what reports are required or expected, format and delivery method
25
Identify business processes around Identity Governance
Business processes impacted by the Identity Governance solution:
- User creation, user termination
- User assignment to organizational units
- Role lifecycle management
  - Role creation, removal, and consolidation
  - Role assignments
- Access lifecycle management
  - Identity reconciliations such as users, attributes, application permissions, accounts
- Segregation of Duties (SoD) and Sensitive Access (SA) management
  - Mitigations of risks
  - Periodic risk analysis
- Role delegations
- Periodic recertification
26
Identify key stakeholders
Identify key stakeholders and define their duties:
- Access lifecycle management approvers
- SoD and mitigation controls evaluators or approvers
- User managers
- Risk managers
- Supervisors of certification campaigns
Don’t forget stakeholders that do not use the Identity Governance solution directly:
- HR
- CIO/CFO
- Legal
27
Questions?
Module Summary
You should now:
- Understand the key concepts of IGI
- Be able to describe the architecture and components of IGI
- Know how to find the detailed product requirements
- Understand some of the deployment considerations
- Have set up the Lab environment for this course
28
Appendix – IGI User Interface
Common structure and controls
29
IGI User Interfaces – Login, Admin Console and Service Center
(Screenshot callouts:)
- Login form: both UIs use the same framework and common functions
- Common landing page: Service Center dashboards; functions displayed based on user roles
- All modules: link on title and icon
30
IGI User Interfaces – Menu and Title Bar
(Screenshot callouts:)
- Admin Console: link to online help; Admin Menu; logout link; realm / logged-in user
- Service Center: Service Center menu; items displayed based on the IGI roles of the user
31
IGI User Interfaces – Common Controls
(Screenshot callouts:)
- Tabbed Menu
- Function Tabs
- Click a column header to sort; columns can also be resized
- Filter
- Action Menu
- Vertical bars can be dragged to resize panes
- Page Controls
32
IGI User Interfaces – Common Controls
Filter Control
- Filter the list displayed
- Attributes/fields will depend on the object list being filtered
- These are everywhere!
Action Menu
- Perform an action on the selected object(s)
- Some don’t require a selection (like Add)
- Actions will depend on the objects being operated on
- These are everywhere!
Page Control
- Total items, number of pages, items per page
- Refresh icon used to refresh the list
33