Data Access Governance and Identity Governance SaaS


Data Access Governance (DAG) is a powerful solution that allows Line of Business owners to govern who should have access to their team’s unstructured data, and Managers to govern what data their employees should have access to, using the same Identity Governance toolset the organization already uses to govern application access and the other permissions these users hold. Micro Focus has released a SaaS version of Identity Governance and, due to security restrictions and architectural differences, the configuration of DAG is a little different. In this article we will cover the differences and where you will need to diverge from the official documentation when configuring it.

 

Background

When setting up Data Access Governance on-prem, you configure an Identity Governance collector that connects directly to the File Reporter database where all the permissions are stored. It reads those permissions and allows you to construct Reviews around them. Since everything is on the same network, this is easily accomplished. Below is a simplified diagram showing the connections between File Reporter and Identity Governance.

 

When Identity Governance is moved to the cloud, the connection is a bit different. Identity Governance SaaS uses a component called the Cloud Bridge Agent (CBA) to facilitate collections from on-prem identity sources, databases and applications. Below is a diagram showing how the connectivity changes when you move Identity Governance to the cloud.

 

As a result of this connectivity change, a few extra steps are required to make it work. We will cover these below; for the more typical tasks, links to the documentation will be provided.

 

 

JDBC Driver Configuration

As has been discussed, in the SaaS model Identity Governance no longer has direct access to the File Reporter database, and you no longer have direct access to Identity Governance. As a result, when you reach the Configuring Database Connectivity section of the documentation, or Section 6.3 in the PDF, please follow the steps below instead, as the process differs for SaaS.

 

  1. You will need to acquire the latest Microsoft SQL Server JDBC driver 9.x, or the PostgreSQL JDBC driver, from their respective repositories. As per the on-prem documentation, you are looking for one that supports Java 8. Unlike the documentation, however, you cannot install it into the tomcat/lib folder, as this is a SaaS environment and you do not have access to that folder in the cloud. Save this file for now, as we will need it shortly.

    NOTE: At this time the Microsoft SQL JDBC driver v10.x is not supported.
  2. Log into your CBA host. Depending on when the installation was done and by whom, the CBA container will be installed into:

/opt/<some directory>/agent/

 

Below the agent directory you may see a /lib directory if you already have other custom collectors in place. If you do not yet have such a folder, or if it is empty, please contact the SaaS Support team for assistance. You will need help creating this folder, the files that belong in it, and then mounting it into the CBA container.

Otherwise, this folder should already contain a dist-collectors.jar file. Per the IG SaaS Quick Start Guide, custom collectors and JDBC collectors are placed into this directory and numbered generic1.jar through generic10.jar. Rename the JDBC driver you downloaded in Step 1 to the highest unused number and transfer the file into this directory. It should look something like the image below.

 

Be sure to restart the CBA container in order to mount this directory, and its associated drivers, into the CBA itself.
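
The driver placement above (pick the next free genericN.jar slot, confirm the jar targets Java 8, refuse to proceed when the lib directory is missing, empty or lacks dist-collectors.jar) as an added helper script; this is not code from the page or from the product, and the lib path, driver file name and the reading of "highest unused number" as "one above the highest slot in use" are assumptions:

```python
from pathlib import Path
import re
import shutil
import zipfile

MAX_SLOTS = 10                                # Quick Start Guide: generic1.jar .. generic10.jar
SLOT_RE = re.compile(r"^generic(\d+)\.jar$")
JAVA8_MAJOR = 52                              # class-file major version 52 == Java 8


def next_slot(existing_names):
    """Next generic slot above the highest one already present (1 when none are used)."""
    used = [int(m.group(1)) for n in existing_names if (m := SLOT_RE.match(n))]
    slot = max(used, default=0) + 1
    if slot > MAX_SLOTS:
        raise RuntimeError("all %d generic slots are in use" % MAX_SLOTS)
    return slot


def is_java8_class(class_bytes):
    """True if a .class header (magic, minor, major) targets Java 8 or older."""
    if len(class_bytes) < 8 or class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return False
    return int.from_bytes(class_bytes[6:8], "big") <= JAVA8_MAJOR


def jar_targets_java8(jar):
    """Judge the jar by its first ordinary class; entries under META-INF/versions/
    (multi-release Java 9+ classes) are skipped so the base classes decide."""
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/"):
                return is_java8_class(zf.read(name)[:8])
    return False


def install_driver(driver, lib_dir):
    """Copy the downloaded driver into lib_dir as the next free genericN.jar.
    As the page says, a missing/empty lib directory is a case for SaaS Support."""
    driver, lib_dir = Path(driver), Path(lib_dir)
    names = [p.name for p in lib_dir.iterdir()] if lib_dir.is_dir() else []
    if not names or "dist-collectors.jar" not in names:
        raise RuntimeError("lib dir missing, empty or without dist-collectors.jar: contact SaaS Support")
    if not jar_targets_java8(driver):
        raise RuntimeError("driver is not built for Java 8")
    target = lib_dir / ("generic%d.jar" % next_slot(names))
    shutil.copy2(driver, target)
    return target


if __name__ == "__main__":   # assumed usage: place_driver.py /path/to/driver.jar /opt/<dir>/agent/lib
    import sys
    print(install_driver(sys.argv[1], sys.argv[2]))   # then restart the CBA container
```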

 

Import DAG Attributes and Templates

You can now continue with the installation using the documentation and import the Attributes and Templates. Continue with the documentation section Importing the File System Access Permission Attributes, or section 6.4 of the PDF.

Defining a File System Access Collector

Again, when you get to this section in the documentation, or section 6.6 of the PDF, you will need to set aside those instructions and follow the steps below.

Collector Credentials

 

Within IG SaaS we do not store any credentials for any of your on-prem systems. All of these are stored on your site, on the Cloud Bridge Agent. Next, we will need to prepare your CBA and register the credentials that will be used to access the File Reporter database.

 

Each set of credentials on the CBA is identified by a unique identifier.  This Identifier is created within Identity Governance.

  1. Log into Identity Governance as an Administrator and create a new Data Source Connection by following the instructions in Section 5.7.1 Configuring Cloud Bridge Data Source connections of the documentation. It doesn’t matter what this is called but you will need to be able to identify it later when looking at a list of potentially more than one of these.
  2. Once it is created Identity Governance will assign a Unique ID to the connection. Copy this ID and save it for later.

 

The Unique ID that you just created will be used to correlate the credentials on the CBA with the Collector in IG. It’s now time to enter the credentials onto the CBA. To do this, follow the instructions from the Identity Governance as a Service Quick Start Guide.

 

  1. On the CBA itself, or a machine capable of reaching the CBA, open a browser and navigate to http://<localhost or IP address of CBA>:8080
  2. The credentials you will want to create are for the srsreport_user. Enter your Unique ID along with the srsreport_user and the password and click on Add Credential.

  

With your JDBC driver and the database credentials now in place, you can proceed with setting up the actual Permission collector in Identity Governance. It’s now time to return to Identity Governance.

 

Creating the Application Source

 

  1. From Identity Governance, select Data Sources | Application Sources
  2. Click the + to create a new application source
  3. Give it a Name and Description and click on Save

 

 

Create the Application Collector

  1. Click the + to add a new Collector
  2. Name the collector and, from the Collector Template, select the JDBC Permission template that is specific to your database, either MS SQL or PostgreSQL

Service Parameters Settings

  1. Click the down chevron to expand the Service Parameters
  2. Set the options as follows:
    • Use Cloud Bridge Connector – Yes
    • Select a Cloud Bridge Data Source Connection – from the drop-down select the Collector Credentials you created above.
    • Host Server – host name or IP address of your File Reporter database server
    • Database Instance Name – srsdb



  3. At this point you can click on Test Connection to make sure IG can reach your database and that your credentials work properly. If you do not get a successful connection here, you will need to troubleshoot that before continuing.

Collect Permission Settings

 

  1. Click the down chevron to expand the Collect Permission
  2. Enter the following in each of the fields:

Permission Query

SELECT
    e.id AS entitlement_id,
    e.entitlement,
    e.description,
    e.permission,
    e.target_path,
    e.category
FROM ig.dag_entitlements AS e;

 

 

Permission ID from Source

entitlement_id

 

 

Permission Name

entitlement

 

 

Permission Description

description

 

 

File System Category

category

 

 

File System Path

target_path

 

 

File System Access

permission

 

Collect Permission to Holders

  1. Click the down chevron to expand the Collect Permission to Holders
  2. Enter the following in each of the fields:

Collect this data?

(Check)

 

 

Permissions to Holders Query

SELECT
    e.entitlement_id,
    e.trustee_fdn,
    e.trustee_guid,
    e.trustee_sid
FROM ig.dag_entitlement_entries AS e;

 

 

Permission ID(s) from Source

entitlement_id

 

 

Permission Account User Mapping

trustee_guid
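
A pre-flight check for the two collector sections above, added here as an example (not code from the page or the product): it confirms each mapping field names a column its query actually returns, and joins constructed sample rows on entitlement_id the way the two queries are meant to line up, flagging holder rows that cannot be attached to a permission or that carry no trustee_guid for the Permission Account User Mapping. It assumes IG matches a mapping field to a result-set column name exactly; the sample rows are constructed.

```python
import re

# The two collector queries as entered on the page.
PERMISSION_QUERY = """SELECT e.id AS entitlement_id, e.entitlement, e.description,
    e.permission, e.target_path, e.category FROM ig.dag_entitlements AS e;"""
HOLDERS_QUERY = """SELECT e.entitlement_id, e.trustee_fdn, e.trustee_guid, e.trustee_sid
    FROM ig.dag_entitlement_entries AS e;"""

# Mapping fields from the page: IG field -> column it must find in the result set.
PERMISSION_FIELDS = {"Permission ID from Source": "entitlement_id", "Permission Name": "entitlement",
                     "Permission Description": "description", "File System Category": "category",
                     "File System Path": "target_path", "File System Access": "permission"}
HOLDER_FIELDS = {"Permission ID(s) from Source": "entitlement_id",
                 "Permission Account User Mapping": "trustee_guid"}


def result_columns(sql):
    """Output column names of a flat SELECT: the alias if given, else the bare column name."""
    select_list = re.search(r"SELECT\s+(.*?)\s+FROM\s", sql, re.I | re.S).group(1)
    cols = []
    for item in select_list.split(","):
        m = re.fullmatch(r"(?:\w+\.)?(\w+)(?:\s+AS\s+(\w+))?", item.strip(), re.I)
        cols.append(m.group(2) or m.group(1))
    return cols


def unmapped_fields(fields, sql):
    """IG fields whose configured column the query does not return (typo or case slip)."""
    cols = set(result_columns(sql))
    return [field for field, col in fields.items() if col not in cols]


def unresolved_entries(entitlements, entries):
    """Holder rows IG cannot attach: entitlement_id not produced by the permission
    query, or an empty trustee_guid, so the holder cannot be mapped to an identity."""
    known = {row["entitlement_id"] for row in entitlements}
    return [row for row in entries
            if row["entitlement_id"] not in known or not row.get("trustee_guid")]


# Constructed sample rows standing in for the two File Reporter tables.
SAMPLE_ENTITLEMENTS = [
    {"entitlement_id": 101, "entitlement": "Finance share - Modify", "permission": "Modify"},
    {"entitlement_id": 102, "entitlement": "HR share - Read", "permission": "Read"},
]
SAMPLE_ENTRIES = [
    {"entitlement_id": 101, "trustee_fdn": "cn=alice,ou=users,o=corp", "trustee_guid": "guid-a"},
    {"entitlement_id": 102, "trustee_fdn": "cn=bob,ou=users,o=corp", "trustee_guid": ""},
    {"entitlement_id": 103, "trustee_fdn": "cn=carol,ou=users,o=corp", "trustee_guid": "guid-c"},
]

if __name__ == "__main__":
    print("unmapped:", unmapped_fields(PERMISSION_FIELDS, PERMISSION_QUERY),
          unmapped_fields(HOLDER_FIELDS, HOLDERS_QUERY))
    print("unresolved:", unresolved_entries(SAMPLE_ENTITLEMENTS, SAMPLE_ENTRIES))
```

Rows reported as unresolved never reach a Review, so running this style of check against a sample of the real tables before the first collection tells you what the Reviews will silently omit.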

 

 

Collecting and Publishing File System Access Permissions

 

Now that your collector is configured, and Identity Governance SaaS can communicate to your File Reporter database using the CBA, you can continue with the regular documentation, or section 7.0 of the PDF.
