Rule Libraries/Tasks

      

Rule Libraries

  A Rule Library is a collection of methods that have been grouped together and stored in IdentityIQ as a Rule object.

To Reference a Rule Library :             
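
A minimal sketch of a rule library and a rule that references it through `ReferencedRules`, added here as an example and not taken from the original page. The rule names `Example Rule Library` and `Example Library Test Rule` and the method `normalizeDept` are hypothetical; the second rule is the kind of rule a task can run to exercise the library.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- Rule library: holds method definitions only, no top-level logic.
       The rule name and the method are hypothetical. -->
  <Rule language="beanshell" name="Example Rule Library">
    <Source><![CDATA[
      // Returns a trimmed, upper-cased department value,
      // or null when the input is null or blank.
      public String normalizeDept(String dept) {
        if (dept == null || dept.trim().length() == 0) {
          return null;
        }
        return dept.trim().toUpperCase();
      }
    ]]></Source>
  </Rule>

  <!-- Calling rule: pulls the library in through ReferencedRules,
       then calls the library method as if it were defined locally. -->
  <Rule language="beanshell" name="Example Library Test Rule">
    <ReferencedRules>
      <Reference class="sailpoint.object.Rule" name="Example Rule Library"/>
    </ReferencedRules>
    <Source><![CDATA[
      // normalizeDept() is resolved from the referenced library at run time.
      return normalizeDept("  finance ");
    ]]></Source>
  </Rule>
</sailpoint>
```
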


  To Test a Rule Library using a Task :


Save and Execute



Different Types of Tasks in IIQ :

  • Perform Maintenance
    The Perform Maintenance task usually runs every 5 minutes. To change the interval, go to the "TaskSchedule" object and change "CronExpressions" as required.
    Cron expressions are in the format:
    s m h d M w y
    (seconds, minutes, hours, day of month, month, day of week, year)
    The Perform Maintenance task does many things:
    1. Important for all certification types
    2. Certification phase changes: must run after the certifier clicks “Sign Off” to mark the certification completed and move it to the next phase
    3. Scan for certification remediations: manages remediation checking during the Revocation period
    4. Finish certifications
    5. Prune requests: for example, prune task results and prune batch requests
    6. Process background workflows

  • Perform Identity Request Maintenance
    This task has 2 main functions:
    1. To validate the identity requests in a "Verifying" state to determine whether they are in fact "Complete".
    2. To delete old identity requests that are no longer needed. You can specify the number of days to allow requests to stay "Verifying" before they are marked "Failed" because they can't be verified, and the number of days to keep old completed/failed identity requests. Both of these are settings in the task definition.
    It automatically ignores waiting/incomplete access requests; it looks ONLY at Verifying and Complete/Failed requests.


    • Identity Cube Refresh Task and various options:
    1. Updates identity attributes from the identity account attributes
    2. Runs against all identities (by default)
    3. Updates role assignments/detections
    4. Promotes entitlements to a certifiable state
    5. Checks for policy violations
    6. Runs after the aggregation process when cube data needs recalculation
    7. Marks manager status for each identity
    The Identity Cube Refresh task then checks for any active lifecycle event or certification event for native changes that need to be executed. A lifecycle event can trigger a business process to take action on native changes. A certification event generates a new certification for the changed identity and allows a selected certifier to review the entire identity cube. Collected native changes are processed during the identity cube refresh if the Process Events option is enabled.
    • Prune Identity Task :
    • Account Aggregation Task :
    1. The process by which IdentityIQ creates and updates Identity Cubes with account, attribute and entitlement data accessed through configured Applications.
    2. Account Aggregation is very similar to reconciliation within an identity management solution. Tasks are utilized to perform account aggregation.


    • Account Group Aggregation Task :

     Multi Object Concept / Multi Group Concept :

    Until version 6.3 there were only 2 object types:

    1. Account
    2. Group    ---      groups are entitlements in IdentityIQ

    From 6.4 onwards, multiple object types were introduced, and all of these except Account are known as access:

    1. Account
    2. Profile       ---      access ( entitlement )
    3. Privileges    ---      access ( entitlement )
    4. Group         ---      access ( entitlement )

    When you aggregate an access of the target system into IdentityIQ, it comes into the Entitlement Catalog and can be treated as an entitlement in IdentityIQ.

    Entitlement   ------  An access of the target system that can be assigned to the end user. That means every access of the target system should come into IdentityIQ in the form of an entitlement, and it should be populated in the Entitlement Catalog.

    The job that is run to bring all entitlements / access from the target system is called account group aggregation.


    For example: a JDBC application, taking the department attribute as access

    Add Object Type :

    New object type dept created :

    Discover Schema Attribute of object type dept

    Preview

    Create Task --  Account group aggregation

    Executed Task ---  Account group aggregation

    Verify in Entitlement Catalog



    Now provide a relationship between the department attribute and the object type dept

    Select dept in the drop-down of the department attribute

    Now the department is an access, so mark it as entitlement and managed

    Now run account group aggregation first, and after it run account aggregation of the application.

    Now verify the department name in the Identity Warehouse for 1 identity

    Note:  if you want any attribute to appear in the Entitlement Catalog, simply mark it as managed and then run account aggregation with the check box for Promote Managed Attribute checked.

     This is the reason why entitlements are generally marked as Managed: to get the entry in the Entitlement Catalog

    Verify in Entitlement Catalog