Difference between revisions of "Access Governance Suite"

From MicroFocusInternationalWiki
Jump to: navigation, search
(com.netiq.iac.server.rest)
(Replaced content with "Micro Focus International Wiki  |  Micro Focus Community  |  Knowledge Partner Program  |   &n...")
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{TOCright}}
+
[[Micro Focus International Wiki]]  |  [[Micro Focus Community]]  |  [[Knowledge Partner Program]]  |    |  [[Access_Governance_Suite]]
[[Micro Focus International Wiki]]  |  [[Micro Focus Community]]  |  [[Knowledge Partner Program]]  |  [[KP/Geoffrey Carman]]  |  [[Access_Governance_Suite]]
+
  
If you are familiar with Microfocus/NetIQ/Novell Identity Manager then you will be familiar with many of the features in Identity Governance. The focus of Identity Manager is to provision and manage users in multiple systems. Initially this was all automated, via HR data or the like. This expanded greatly with Roles and Resources so that users can both request, but also allow approvals/denials in the flow of those requests.
 
  
The main goal of Identity Goverance is to 'govern' that system. That is, just because someone has certain access does not mean they really should. Perhaps they have permissions they got in a previous job role that was never removed. Perhaps there are some historical anomalies that led to this odd set of rights a user has acquired.
+
There are several Governance products that have been released over the years.
  
The initial versions of this product were called Access Review for just this reason. But there is much more to the product. Once you have collected all the data (users, accounts, permissions, access) from all the relevant systems, you can start to review it. At this point, how do you fix things that need to change? Well there is a whole fullfillment model. Perhaps it is manual and sends an email that stays unresolved until a link is clicked to confirm it is done. Perhaps you write straight to a data source to make the change. Perhaps you kick of an IDM Workflow. Lots of options.
+
The latest is [[Identity Governance]] currently at version 3.0.
 
+
Put all that together, review, fixing things, and then checking again for completion (Just because they said they fixed it does not mean they really did) and you have a cycle you call a Certification Campaign.
+
 
+
Then there are a bunch of fun frills like  Business Roles and Role Mining, where you can determine that 90% of your users have the same basic set of permissions.  This might consist of 10 different permissions. Reviewing all 10 every campaign can be painful and time consuming, whereas coallesciing that set into a Business Role and approving or revoking just the Role can be much simpler. (One versus ten should be obvious why that is.)
+
 
+
Some of these Roles will be obvious and easy to define, but others will be harder to discover, so the product can Mine for them.  That is, look for commonly occuring patterns of permission sets and allow you to examine, tweak, and then create appropriate Roles from them.
+
 
+
All that being said, here we have another product to manage and learn how it works at a level, that allows us to understand it and troubleshoot it.
+
 
+
 
+
==Enabling logging==
+
 
+
The logging configuration is not in the GUI, like it was in User Application (login as a User App Administrator, Administration tab, and then Logging side tab), nor in the setenv.sh file in tomcat/bin as for OSP. Rather it is in the tomcat/conf directory in the file:
+
/opt/netiq/idm/apps/tomcat/conf/ig-server-logging.xml
+
 
+
Some examples of entries in that file are:
+
 
+
<logger additivity="true" level="DEBUG" name="com.netiq.iac"/>
+
        <logger additivity="true" level="DEBUG" name="com.novell.soa"/>
+
        <logger additivity="true" level="INFO" name="com.netiq.iac.AuthPermissions"/>
+
        <logger additivity="true" level="INFO" name="com.netiq.iac.server.admin"/>
+
        <logger additivity="true" level="INFO" name="com.netiq.iac.server.rest"/>
+
        <logger additivity="true" level="INFO" name="com.netiq.iac.server.security"/>
+
        <logger additivity="true" level="INFO" name="com.netiq.iac.server.spi"/>
+
        <logger additivity="true" level="DEBUG" name="com.netiq.persist"/>
+
 
+
You can see there is name XML attribute for the name of the class to log. There is a level XML attribute that can be one of these values:
+
*INFO
+
*DEBUG
+
*TRACE
+
*ALL
+
*FINE
+
 
+
Now lets list off each logging class and see if we can get people to add in examples of where they used each log level to troubleshoot a specific issue. If you could include trace examples as well that would be great.
+
 
+
===com.netiq.iac===
+
 
+
This is a parent class and includes tracing all the child classes, so this one gets very verbose, very fast, so take care when enabling this one.  As you will see some of the subclasses are called out as examples in the file (like iac.AuthPermissions and so on).
+
 
+
===com.netiq.soa===
+
 
+
===com.netiq.iac.AuthPermissions===
+
===com.netiq.iac.server.admin===
+
===com.netiq.iac.server.rest===
+
 
+
This setting is quite useful as it shows the REST requests and responses made.  This makes it clear that the IG-Client, the user interface, is talking REST to the IG-Server for all display data.
+
 
+
I ran into an issue, where I broke how displayName works, so my displays were all empty lines. I thought it was broken. But in fact, I could see from the REST response in this trace level, that names were coming back but the data had a lot of blanks in it. Which was useful to understand what the actual issue was.
+
 
+
===com.netiq.iac.server.security ===
+
===com.netiq.iac.server.spi===
+
===com.netiq.persist===
+
 
+
This seems to include database operations, usually through Hibernate and generates tons of trace as this product makes many database calls throughout. I would not enable this one unless you have a specific database problem as it clogs the log and is pretty hard to read.
+
 
+
Or put another way, I had a database issue, and I enabled this, but it was also the very first thing I turned off once I figured out my issue.
+

Latest revision as of 17:27, 23 August 2018

Micro Focus International Wiki  |  Micro Focus Community  |  Knowledge Partner Program  |    |  Access_Governance_Suite


There are several Governance products that have been released over the years.

The latest is Identity Governance currently at version 3.0.