Difference between revisions of "Access Governance Suite"

From MicroFocusInternationalWiki
(Replaced content with "Micro Focus International Wiki  |  Micro Focus Community  |  Knowledge Partner Program  |   &n...")
 
(6 intermediate revisions by the same user not shown)
{{TOCright}}

[[Micro Focus International Wiki]]  |  [[Micro Focus Community]]  |  [[Knowledge Partner Program]]  |  [[KP/Geoffrey Carman]]  |  [[Access_Governance_Suite]]

If you are familiar with Micro Focus/NetIQ/Novell Identity Manager then you will be familiar with many of the features in Identity Governance. The focus of Identity Manager is to provision and manage users in multiple systems. Initially this was all automated, via HR data or the like. This expanded greatly with Roles and Resources, so that users can request access and approvers can approve or deny those requests in the flow.

The main goal of Identity Governance is to 'govern' that system. That is, just because someone has certain access does not mean they really should. Perhaps they have permissions they got in a previous job role that were never removed. Perhaps there are some historical anomalies that led to the odd set of rights a user has acquired.

There are several Governance products that have been released over the years.

The initial versions of this product were called Access Review for just this reason. But there is much more to the product. Once you have collected all the data (users, accounts, permissions, access) from all the relevant systems, you can start to review it. At this point, how do you fix things that need to change? Well, there is a whole fulfillment model. Perhaps it is manual and sends an email that stays unresolved until a link is clicked to confirm it is done. Perhaps you write straight to a data source to make the change. Perhaps you kick off an IDM Workflow. Lots of options.

The latest is [[Identity Governance]], currently at version 3.0.

Put all that together, review, fixing things, and then checking again for completion (just because they said they fixed it does not mean they really did), and you have a cycle called a Certification Campaign.

Then there are a bunch of fun frills like Business Roles and Role Mining, where you can determine that 90% of your users have the same basic set of permissions. This might consist of 10 different permissions. Reviewing all 10 every campaign can be painful and time consuming, whereas coalescing that set into a Business Role and approving or revoking just the Role can be much simpler. (Reviewing one item instead of ten is the obvious reason.)

Some of these Roles will be obvious and easy to define, but others will be harder to discover, so the product can Mine for them. That is, it looks for commonly occurring patterns of permission sets and allows you to examine, tweak, and then create appropriate Roles from them.

All that being said, here we have another product to manage, and we need to learn how it works at a level that allows us to understand and troubleshoot it.

==Enabling logging==

The logging configuration is not in the GUI, as it was in User Application (log in as a User App Administrator, Administration tab, and then the Logging side tab), nor in the setenv.sh file in tomcat/bin as it is for OSP. Rather, it is in the tomcat/conf directory in the file:

/opt/netiq/idm/apps/tomcat/conf/ig-server-logging.xml

Some examples of entries in that file are:

 <logger additivity="true" level="DEBUG" name="com.netiq.iac"/>
 <logger additivity="true" level="DEBUG" name="com.novell.soa"/>
 <logger additivity="true" level="INFO" name="com.netiq.iac.AuthPermissions"/>
 <logger additivity="true" level="INFO" name="com.netiq.iac.server.admin"/>
 <logger additivity="true" level="INFO" name="com.netiq.iac.server.rest"/>
 <logger additivity="true" level="INFO" name="com.netiq.iac.server.security"/>
 <logger additivity="true" level="INFO" name="com.netiq.iac.server.spi"/>
 <logger additivity="true" level="DEBUG" name="com.netiq.persist"/>

You can see there is a name XML attribute for the name of the class (logger) to log. There is a level XML attribute that can be one of these values:

*INFO
*DEBUG
*TRACE
*ALL
*FINE
*OFF

Now let's list each logging class and see if we can get people to add examples of where they used each log level to troubleshoot a specific issue. If you could include trace examples as well, that would be great.

===Excluding a log level===

Sometimes you will find that enabling a higher-level (parent) class generates a ton of traffic you are not interested in, coming from one specific child class. An example would be enabling the com.netiq.iac level, which covers most of the core Identity Governance classes. However, there is a class com.netiq.iac.server.dtp.ManageOrphanedTask that runs every 15 seconds and dumps a lot of content into the log. I wanted the parent class enabled, but I did not want this class. Initially I was trying to find a way to filter out events, but it was pointed out that I could simply change the log level for that class to OFF and be done with it.

So one way to exclude messages you are not interested in seeing is to define that more specific logger as OFF. The parent's ALL or DEBUG level applies down the hierarchy to every child except the one set to OFF, where it stops.

==Main Logging classes==

Here is a list of the classes defined in the various log files. In principle there are as many loggers as there are actual classes, but let's start with these. If you find a logger of interest, be sure to add it as a new section.

===com.netiq.iac===

This is a parent class and includes tracing for all the child classes, so this one gets very verbose, very fast; take care when enabling it. As you will see, some of the subclasses are called out as examples in the file (like iac.AuthPermissions and so on).

===com.netiq.soa===

===com.netiq.iac.AuthPermissions===
===com.netiq.iac.server.admin===
===com.netiq.iac.server.rest===

This setting is quite useful as it shows the REST requests and responses made. This makes it clear that the IG-Client, the user interface, is talking REST to the IG-Server for all display data.

I ran into an issue where I broke how displayName works, so my displays were all empty lines. I thought it was broken, but in fact I could see from the REST response at this trace level that names were coming back but the data had a lot of blanks in it, which was useful to understand what the actual issue was.

===com.netiq.iac.server.security===
===com.netiq.iac.server.spi===
===com.netiq.persist===

This seems to include database operations, usually through Hibernate, and generates tons of trace, as this product makes many database calls throughout. I would not enable this one unless you have a specific database problem, as it clogs the log and is pretty hard to read.

Or put another way, I had a database issue and I enabled this, but it was also the very first thing I turned off once I figured out my issue.

You will see thousands of entries like this:

 [FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil begin - [IG-SERVER] SESS[341495980] BEGIN TXN[475058365] (com.netiq.iac.server.dtp.DPMediatorService$ClaimableMediatorTask:315)
 [FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil commit - [IG-SERVER] SESS[1279062097] COMMIT_CONT TXN[574727396] (com.netiq.iac.server.dtp.PendingProductionTask:237)
 [FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil closeSession - [IG-SERVER] SESS[1279062097] CONTINUE TXN[] (com.netiq.iac.server.dtp.PendingProductionTask:237)
 [FINE] 2018-07-28 00:00:50 com.netiq.persist.HibernateUtil flushSession - [IG-SERVER] SESS[1279062097] FLUSH TXN[] (com.netiq.iac.server.dtp.PendingProductionTask$2:178)

This is a bit much, and not helpful unless there is a specific error.

==Audit Loggers==

Audit loggers are named "audit." + class name. Set one to INFO to see all audit messages from the specified service (DEBUG, TRACE and ALL will also work).

===audit.com.netiq.iac.server.rest.AccessRequestApprovalPolicyRestService===

===audit.com.netiq.iac.server.rest.AccessRequestPolicyRestService===

===audit.com.netiq.iac.server.rest.AccountsService===

===audit.com.netiq.iac.server.rest.AdvisorFeedService===

===audit.com.netiq.iac.server.rest.ApplicationService===

===audit.com.netiq.iac.server.rest.ApprovalPolicyService===

===audit.com.netiq.iac.server.rest.AuthService===

===audit.com.netiq.iac.server.rest.AutoCurationService===

===audit.com.netiq.iac.server.rest.BURoleAnalyticsService===

===audit.com.netiq.iac.server.rest.BURoleService===

===audit.com.netiq.iac.server.rest.CertificationPolicyService===

===audit.com.netiq.iac.server.rest.CollectionService===

===audit.com.netiq.iac.server.rest.CollectorService===

===audit.com.netiq.iac.server.rest.ConfigurationService===

===audit.com.netiq.iac.server.rest.CoverageMapService===

===audit.com.netiq.iac.server.rest.FulfillmentService===

===audit.com.netiq.iac.server.rest.IdentitySourceService===

===audit.com.netiq.iac.server.rest.LocalizationService===

===audit.com.netiq.iac.server.rest.ProvisioningRestService===

===audit.com.netiq.iac.server.rest.RequestService===

===audit.com.netiq.iac.server.rest.ReviewDefinitionService===

===audit.com.netiq.iac.server.rest.ReviewInstanceService===

===audit.com.netiq.iac.server.rest.ReviewItemInfoService===

===audit.com.netiq.iac.server.rest.ReviewMonitorService===

===audit.com.netiq.iac.server.rest.ReviewReviewerService===

===audit.com.netiq.iac.server.rest.ReviewTargetSpecService===

===audit.com.netiq.iac.server.rest.RoleService===

===audit.com.netiq.iac.server.rest.SchemaService===

===audit.com.netiq.iac.server.rest.SoDService===

==REST Services Filters==

Audit loggers for REST services can be filtered by HTTP method by adding the method to the end of the logger name. This enables more finely grained auditing, for example of updates (PUT and POST methods) or deletes (DELETE method).

===audit.com.netiq.iac.server.rest.CollectionService.GET===
===audit.com.netiq.iac.server.rest.CollectionService.PUT===
===audit.com.netiq.iac.server.rest.CollectionService.POST===
===audit.com.netiq.iac.server.rest.CollectionService.DELETE===
 
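To check which level actually applies to a class once a parent is set to DEBUG and one child to OFF (the exclusion trick in "Excluding a log level" above), or once a REST audit logger gets a method suffix as in the filters above, here is an added Python example (not part of the original page or the product) that resolves the effective level by walking up the dotted logger name. It assumes a `<configuration>` root element around the `<logger>` entries, that the method suffix behaves as an ordinary child logger, and an approximate level ordering.

```python
import xml.etree.ElementTree as ET

# Rank order is an assumption approximating java.util.logging / log4j semantics;
# only the relative order matters for the enabled/disabled decision below.
LEVEL_RANK = {"ALL": 0, "TRACE": 1, "FINEST": 1, "FINER": 2, "FINE": 3, "DEBUG": 3,
              "INFO": 4, "WARN": 5, "ERROR": 6, "OFF": 99}

def parse_loggers(xml_text):
    """Return {logger name: LEVEL} from every <logger name=".." level=".."/> element."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("level", "INFO").upper()
            for el in root.iter("logger") if el.get("name")}

def effective_level(loggers, name, default="INFO"):
    """Walk from the full dotted name up through its ancestors; the nearest configured
    one wins, which is why OFF on a child stops what DEBUG on the parent enables."""
    parts = name.split(".")
    while parts:
        candidate = ".".join(parts)
        if candidate in loggers:
            return loggers[candidate]
        parts.pop()
    return default

def is_enabled(loggers, name, message_level, default="INFO"):
    """True if a message at message_level from logger `name` would be written."""
    threshold = LEVEL_RANK[effective_level(loggers, name, default)]
    return threshold < LEVEL_RANK["OFF"] and LEVEL_RANK[message_level.upper()] >= threshold

# Constructed fragment in the style of ig-server-logging.xml; the <configuration>
# wrapper element is assumed, the logger names are the ones discussed on this page.
SAMPLE_CONFIG = """<configuration>
  <logger additivity="true" level="DEBUG" name="com.netiq.iac"/>
  <logger additivity="true" level="OFF" name="com.netiq.iac.server.dtp.ManageOrphanedTask"/>
  <logger additivity="true" level="INFO" name="com.netiq.iac.server.rest"/>
  <logger additivity="true" level="OFF" name="audit.com.netiq.iac.server.rest.CollectionService"/>
  <logger additivity="true" level="INFO" name="audit.com.netiq.iac.server.rest.CollectionService.DELETE"/>
</configuration>"""

if __name__ == "__main__":
    loggers = parse_loggers(SAMPLE_CONFIG)
    for logger in ("com.netiq.iac.server.dtp.DPMediatorService",
                   "com.netiq.iac.server.dtp.ManageOrphanedTask",
                   "audit.com.netiq.iac.server.rest.CollectionService.GET",
                   "audit.com.netiq.iac.server.rest.CollectionService.DELETE"):
        print(f"{logger}: effective level {effective_level(loggers, logger)}")
```

Point `parse_loggers` at the real ig-server-logging.xml to confirm a noisy class is really silenced before you restart Tomcat.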

==DaaS Logging Levels==

DaaS, Directory as a Service, seems like an abstraction layer to read the directory. Very little info is available on this topic.

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/daas-logging.xml

===com.microfocus.daas===
===com.netiq.daas===

The database connectivity in Collectors is managed through this class, so when seeing errors, try enabling some logging on this level.

====Error 486====

Testing a Database connector, all that bubbled up was an Error 486, which is not documented anywhere I can find.

 [FINE] 2018-08-22 08:31:00 com.netiq.daas.daaservice.ServiceProviderMap clean - [DAAS] Collection cleaner running...
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.ConnectorFactory createConnector - [DAAS] Creating Microsoft SQLServer Specific Connector
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setDriverClassName - [DAAS] Driver Class Name com.microsoft.sqlserver.jdbc.SQLServerDriver
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] setting connectionProperties
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :databaseName value 'Test' added to connectionProperties
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.common.SrvInstance <init> - [DAAS] New service instance.  TTL: 60
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.common.SrvInstance resetTimeout - [DAAS] Reset timeout for service instance to TTL: 60
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] setting connectionProperties
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :password value '<suppressed>' added to connectionProperties
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :user value 'domain\username' added to connectionProperties
 [FINEST] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector getConnectionProperties - [DAAS] accessor call to connectionProperties
 [FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector establishDBConnection - [DAAS] Caught SQLException: Login failed for user 'domain\username'. ClientConnectionId:00d9acdf-139d-4a9f-b8b0-baf0a0ad7d27

This was helpful since it showed that it read the values of DB name and username as I expected. Alas, I cannot see the password, which is good and bad. It is good since it protects the password. It is bad since sometimes a special character is not properly escaped, and this might have shown that error case.

Also note that the database connection string is missing, which would have been helpful to validate that, again, no special characters are being missed or incorrectly passed through.

For completeness, if you did not enable this log level, you would instead see the error as:

 [FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection - [IG-SERVER] DaaS Service Test response code: 486
 [FINE] 2018-08-22 08:31:00 com.netiq.iac.persistence.service.cum.DataCollectionService testConnection - [IG-SERVER] Encountered unexpected error: DAAS_ERROR: 486 : Target Connection failure.
 com.netiq.common.i18n.LocalizedException: Encountered unexpected error: DAAS_ERROR: 486 : Target  Connection failure.
         at com.netiq.iac.common.IacException.<init>(IacException.java:105)

followed by a very long Java stack trace, which does not need including, but ends with a Caused by of:

 Caused by: java.lang.Exception: DAAS_ERROR: 486 : Target Connection failure.
         at com.netiq.iac.persistence.dcs.dce.daas.DaaSService.testConnection(DaaSService.java:505)
 
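As an added example (not from the original page or the product), a small Python parser for the trace line format used in the Hibernate and DaaS excerpts above. It pulls out the JDBC properties DaaS logged, the SQLException it caught, and confirms that the password really was written as `<suppressed>` rather than in clear; the SECRET_KEYS list is an assumption, and the sample lines are copied from the Error 486 trace.

```python
import re

# Format of the ig-server / DaaS trace lines shown on this page:
#   [LEVEL] YYYY-MM-DD HH:MM:SS fully.qualified.Class method - [COMPONENT] message
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<cls>[\w.$]+) (?P<method>\S+) - \[(?P<component>[^\]]+)\] (?P<msg>.*)$")
# DBConnector.setConnectionProperties reports each JDBC property it received.
PROP_RE = re.compile(r"Key :(?P<key>\w+) value '(?P<value>[^']*)' added to connectionProperties")
SECRET_KEYS = {"password", "passwd", "secret"}  # assumed set of keys that must stay suppressed

def parse_line(line):
    """Split one trace line into its fields, or return None for text that is not a trace line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_daas_connect(lines):
    """Collect the connection properties DaaS logged, the SQLException it caught,
    and flag any secret property whose value was written in clear instead of <suppressed>."""
    props, errors, leaked = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["component"] != "DAAS":
            continue
        m = PROP_RE.search(rec["msg"])
        if m:
            props[m["key"]] = m["value"]
            if m["key"].lower() in SECRET_KEYS and m["value"] != "<suppressed>":
                leaked.append(m["key"])
        elif rec["method"] == "establishDBConnection" and "SQLException" in rec["msg"]:
            errors.append(rec["msg"])
    return {"properties": props, "errors": errors, "leaked_secrets": leaked}

# Sample lines taken from the Error 486 trace above (raw string so 'domain\username' stays literal).
SAMPLE_LOG = r"""
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setDriverClassName - [DAAS] Driver Class Name com.microsoft.sqlserver.jdbc.SQLServerDriver
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :databaseName value 'Test' added to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.common.SrvInstance <init> - [DAAS] New service instance.  TTL: 60
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :password value '<suppressed>' added to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector setConnectionProperties - [DAAS] Key :user value 'domain\username' added to connectionProperties
[FINE] 2018-08-22 08:31:00 com.netiq.daas.nativejdbcservice.connector.DBConnector establishDBConnection - [DAAS] Caught SQLException: Login failed for user 'domain\username'. ClientConnectionId:00d9acdf-139d-4a9f-b8b0-baf0a0ad7d27
"""

if __name__ == "__main__":
    print(summarize_daas_connect(SAMPLE_LOG.splitlines()))
```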

==IG Client Logging Levels==

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/ig-client-logging.xml

===com.netiq.iac===
This seems to be the same as the server-level logger, so I am not sure how to use this properly yet. It seems like it would be overly broad. It would probably be helpful to track this down to a more specific sub-class of iac to make it more effective.

==Workflow Logging Levels==

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/ig-wf-logging.xml

===com.netiq.iac.af===
===com.netiq.iac.notification===
===com.netiq.iac.workflow===
===com.netiq.workflow===
===com.novell.soa.af===

==IDM Reporting Client Logging Levels==

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/idmrptclient_logging.xml

To be honest, it looks like these are basically not useful for logging, since they do not isolate anything specific to the Reporting engine. It is very interesting that these are the choices: sort of a "log everything to find an error" approach. It would be interesting to figure out some better, more specific classes.

===com.novell===

This level is very odd, since it enables logging for all the children of the com.novell class, which one would imagine is much of the legacy Java code.

===com.netiq===

This level is very odd, since it enables logging for all the children of the com.netiq class, which one would imagine is much of the current Java code.

==IDM Reporting Core Logging Levels==

This is configured in the file /opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml

To be honest, it looks like these are basically not useful for logging, since they do not isolate anything specific to the Reporting engine. It is very interesting that these are the choices: sort of a "log everything to find an error" approach. It would be interesting to figure out some better, more specific classes.

===com.novell===

This level is very odd, since it enables logging for all the children of the com.novell class, which one would imagine is much of the legacy Java code.

===com.netiq===

This level is very odd, since it enables logging for all the children of the com.netiq class, which one would imagine is much of the current Java code.

Latest revision as of 17:27, 23 August 2018

Micro Focus International Wiki  |  Micro Focus Community  |  Knowledge Partner Program  |    |  Access_Governance_Suite


There are several Governance products that have been released over the years.

The latest is Identity Governance currently at version 3.0.