Data Access Governance (DAG) is a powerful solution that allows Line of Business owners to govern who should have access to their team’s unstructured data, and Managers to govern what data their employees should have access to, using the same Identity Governance toolset that is being used by the organization to govern the Application access and other permissions these users already have. Micro Focus has released a SaaS version of Identity Governance and, due to security restrictions and architectural differences, the configuration of DAG will be a little different. In this article we will cover the differences and where you will need to diverge from the official documentation in configuring this.
When setting up Data Access Governance on-prem, you configure an Identity Governance collector that connects directly to the File Reporter database where all the permissions are stored. It reads those permissions and allows you to construct Reviews around them. Since everything is on the same network, this is easily accomplished. Below is a simplified diagram showing the connections of File Reporter and Identity Governance.
When Identity Governance is moved to the cloud, the connection is a bit different. Identity Governance SaaS uses something called a Cloud Bridge Agent (CBA) to facilitate Collections from on-prem identity sources, databases and applications. Below is a diagram showing how the connectivity has changed when you move Identity Governance to the cloud.
As a result of this connectivity change, there are a few extra steps required to make it work. We will cover these below but note that for some of the more typical tasks, links to the documentation will be provided.
As has been discussed, in the SaaS model, Identity Governance no longer has direct access to the File Reporter database, and you no longer have direct access to Identity Governance. As a result, when you reach the Configuring Database Connectivity section of the documentation, or Section 6.3 in the PDF, please follow the steps below, as the process described there differs for SaaS.
/opt/<some directory>/agent/
Below the agent directory you may see a /lib directory if you already have other custom collectors in place. If you do not yet have such a folder, or if it is empty, please contact the SaaS Support team for assistance. You will need help creating this folder, the files that belong in it and then mounting it into the CBA container.
Otherwise, this folder should already contain a dist-collectors.jar file. Per the IG SaaS Quick Start Guide, custom collectors and JDBC collectors are placed into this directory and numbered generic1.jar through generic10.jar. Rename the JDBC driver you downloaded in Step 1 to the highest unused number and transfer the file into this directory. It should look something like the image below.
Be sure to restart the CBA container in order to mount this directory, and its associated drivers, into the CBA itself.
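The driver placement described above, as an added POSIX shell helper that is not part of the original article or of Micro Focus' tooling: it finds the first unused genericN.jar slot in the agent lib directory, checks that the downloaded file is actually a jar (a zip archive) rather than, say, an HTML error page saved by the browser, and refuses to overwrite an occupied slot. The directory layout is taken from the article; the script path and the agent lib location passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Micro Focus): install a downloaded
# JDBC driver into the CBA agent lib directory using the genericN.jar convention.
# Usage: install_jdbc_driver <downloaded-driver.jar> /opt/<some directory>/agent/lib

# Print the first unused slot name (generic1.jar .. generic10.jar) in the lib
# directory; fail if all ten slots are already taken.
next_generic_slot() {
    lib_dir="$1"
    n=1
    while [ "$n" -le 10 ]; do
        if [ ! -e "$lib_dir/generic$n.jar" ]; then
            echo "generic$n.jar"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free genericN.jar slot in $lib_dir" >&2
    return 1
}

# Copy the driver into the next free slot and print the slot name used.
# Never overwrites an existing generic jar, so a second driver gets its own slot.
install_jdbc_driver() {
    driver="$1"
    lib_dir="$2"
    [ -f "$driver" ] || { echo "driver not found: $driver" >&2; return 1; }
    # Missing lib directory: the article says to contact SaaS Support for it.
    [ -d "$lib_dir" ] || { echo "lib dir missing: $lib_dir (contact SaaS Support)" >&2; return 1; }
    # A jar is a zip archive and starts with the 'PK' signature.
    [ "$(head -c 2 "$driver")" = "PK" ] || { echo "not a jar file: $driver" >&2; return 1; }
    slot=$(next_generic_slot "$lib_dir") || return 1
    cp "$driver" "$lib_dir/$slot" || return 1
    chmod 0644 "$lib_dir/$slot"
    echo "$slot"
}

# When run directly with two arguments, perform the install.
if [ "$#" -eq 2 ]; then
    install_jdbc_driver "$1" "$2"
fi
```

Remember to restart the CBA container afterwards so the new jar is mounted.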
You can now continue with the installation using the documentation and import the Attributes and Template. Continue with the documentation section Importing the File System Access Permission Attributes, or section 6.4 of the PDF.
Again, when you get to this section in the documentation, or section 6.6 of the PDF, you will need to set aside those instructions and follow the steps below.
Within IG SaaS we do not store any credentials for any of your on-prem systems. All of these are stored on your site, on the Cloud Bridge Agent. Next, we will need to prepare your CBA and register these credentials that will be used to access the File Reporter database.
Each set of credentials on the CBA is identified by a unique identifier. This Identifier is created within Identity Governance.
The Unique ID number that you just created will be used to correlate the credentials on the CBA to the Collector in IG. It’s now time to enter the credentials onto the CBA. To do this, follow the instructions from the Identity Governance as a Service Quick Start Guide.
With your JDBC driver and the database credentials now in place, you can proceed with setting up the actual Permission collector in Identity Governance. It's now time to return to Identity Governance.
Collector setting | Value
--- | ---
Permission Query | SELECT e.id AS entitlement_id, e.entitlement, e.description, e.permission, e.target_path, e.category FROM ig.dag_entitlements AS e;
Permission ID from Source | entitlement_id
Permission Name | entitlement
Permission Description | description
File System Category | category
File System Path | target_path
File System Access | Permission
Collect this data? | (Check)
Permissions to Holders Query | SELECT e.entitlement_id, e.trustee_fdn, e.trustee_guid, e.trustee_sid FROM ig.dag_entitlement_entries AS e;
Permission ID(s) from Source | entitlement_id
Permission Account User Mapping | trustee_guid
Now that your collector is configured, and Identity Governance SaaS can communicate with your File Reporter database through the CBA, you can continue with the regular documentation, or section 7.0 of the PDF.