How to review permissions not assigned by IDM?

Hello,

I have IDM, IG, AD in my lab and I would like to review or at least report all permissions per user which are not assigned by IDM but are assigned directly in the target application only.

Reconciliation itself will be a next step.

Is something like that possible? Have you done something like that and can you share details on how to achieve this "review"?

At this moment, I integrated IDM and AD separately in IG. Identities are coming from IDM only, I have 2 application sources - IDM and AD, hopefully with properly mapped attributes.

I've been told that an IG report "Reconciliation - CSV" might be what I want. But the report is always empty because the table reconciliation_perm_v is empty too. I have no clue how this works.

One of my ideas is to create roles in IG 1:1 with roles in IDM and then somehow report permissions which are not coming from roles... 

If you can share your experience, it would be great.

Regards,

Milan

  • 0  

    Let me restate your environment from what I think I understand: You have an IDM AD Driver that uses roles/resources to assign group permissions, but the permissions are sometimes changed by admins directly in AD. You want to fix it so that any administrative changes are reflected back in the roles/resources in IDM -- correct?

    Do you have a need for the business to review those permissions as well? Or is the goal solely to ensure IDM roles/resources are up to date?

    --Jim

  • 0 in reply to   

    I do not really want to fix it. I want to first recognize it and review it. It can also happen that a reviewer says that an assignment in AD must be removed. I know that probably comparing two applications in IG is not possible. But there is a reconciliation report for IG in the IG/IDM reporting server. But this report is empty.

    I know IDM supports CPRS. So theoretically we can see discrepancies between IDM and e.g. AD there. But this is not really user friendly and I do not know how to provide a report from it.

  • 0   in reply to 

    In version 3 there were some capabilities that were similar (but not exactly the same) to what you are looking for, but those have been deprecated. There is not an easy way to compare assignments between two applications. IDM and its driver and resources/entitlements look like an App to IG, and separately your AD infrastructure looks like an App. It works great if you need to review one of those, but you want to see the comparison.

    We've referred to this in the past as the triangle problem, where you mostly manage the App (AD in this case) with IDM, but you want to pull data to review directly from the app (for completeness), but then you need to get deltas back into IDM.

    --Jim

  • 0 in reply to 

    For the same goal we wrote a generic IDM driver that does the comparison and provides the report.

    The way we operate is that we ask each application owner to export everything they have in a pre-defined CSV format.

    The same file is used to feed IG and to operate a compare with IDM (using our driver).

    The IDM driver detects and reports:

    - Orphan accounts

    - Discrepancies between account status (e.g. enabled in the app but disabled in IDM)

    - Discrepancies between account privileges/permissions (we compare/search with values found in IDM entitlement)

    This way we not only provide IG data-import capabilities but also let each application owner use the IDM driver in "self-service" mode (they just need to drop their file on a server), anytime, even outside IG data collection, to get their data analyzed and receive a report back in their mailbox --> they can clean and fix their discrepancies on their own.

    Jacques Forster (IGA architect)
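    The comparison Jacques describes (orphan accounts, status mismatches, and permissions present in the application but never granted through IDM entitlements), as an added stand-alone Python example that is not the driver or any product code from this thread; the CSV column names and the two sample exports are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the thread): what IDM believes it has
# provisioned, and what the application owner exported from the target app.
IDM_EXPORT = """\
user,status,entitlement
alice,enabled,CN=Finance-RO
alice,enabled,CN=VPN-Users
bob,disabled,CN=VPN-Users
"""
APP_EXPORT = """\
account,status,group
alice,enabled,CN=Finance-RO
alice,enabled,CN=Payroll-Admins
bob,enabled,CN=VPN-Users
svc_backup,enabled,CN=Backup-Operators
"""

def load(text, key, perm):
    """Collapse CSV rows into {account: {"status": str, "perms": set()}}."""
    data = defaultdict(lambda: {"status": None, "perms": set()})
    for row in csv.DictReader(io.StringIO(text)):
        entry = data[row[key].strip().lower()]
        entry["status"] = row["status"].strip().lower()
        entry["perms"].add(row[perm].strip())
    return data

def reconcile(idm_text, app_text):
    """Return the three discrepancy classes described in the thread."""
    idm = load(idm_text, "user", "entitlement")
    app = load(app_text, "account", "group")
    report = {"orphans": [], "status": [], "unmanaged_perms": []}
    for acct, a in sorted(app.items()):
        if acct not in idm:
            report["orphans"].append(acct)  # account unknown to IDM
            continue
        i = idm[acct]
        if a["status"] != i["status"]:
            report["status"].append((acct, a["status"], i["status"]))
        # Permissions held in the app that IDM never granted: the
        # "assigned directly in the target application" case.
        for perm in sorted(a["perms"] - i["perms"]):
            report["unmanaged_perms"].append((acct, perm))
    return report

if __name__ == "__main__":
    for kind, items in reconcile(IDM_EXPORT, APP_EXPORT).items():
        print(kind, items)
```

    The same report dict can be written out as CSV to feed IG, or mailed back to the application owner in the "self-service" mode described above.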