3181 Workbook

This document outlines exercises for installing and configuring Identity Governance. The exercises include installing Apache Tomcat, PostgreSQL, and One Single Sign-On Provider. They also include installing Identity Governance and configuring its integration with the single sign-on provider. Additional exercises cover collecting identity data, creating identity reviews, implementing technical roles, configuring identity policies, and integrating identity reporting.

SECTION 1 Installing Identity Governance 3
Exercise 1-1 Install Apache Tomcat and the PostgreSQL Database 4
Exercise 1-2 Install One Single Sign-On Provider 7
Exercise 1-3 Install Identity Governance 9

SECTION 2 Collecting Identity Governance Data 15
Exercise 2-1 Verify OSP Integration 16
Exercise 2-2 Collect Identity Governance User Data 18
Exercise 2-3 Add a CSV-Based Application Source and Collect Its Data 26
Exercise 2-4 Add Identity Manager as an Application Source and Collect Application Data 35

SECTION 3 Building Identity Governance Reviews 39
Exercise 3-1 Create a Review with Manual Fulfillment 40
Exercise 3-2 Fulfill a Review 44
Exercise 3-3 Create and Run a Review with Automated Fulfillment 46

SECTION 4 Implementing Technical Roles 53
Exercise 4-1 Create Technical Roles 54
Exercise 4-2 Perform a Technical Roles Review 61

SECTION 5 Using Identity Governance Policy 65
Exercise 5-1 Create a Separation of Duties Policy 67
Exercise 5-2 Define Business Roles Policy 74
Exercise 5-3 Create a Business Roles Policy with Automated Fulfillment 86
Exercise 5-4 Develop an Access Requests Policy 90

SECTION 6 Integrating Identity Reporting 97
Exercise 6-1 Implement Identity Reporting 98

1
Identity Governance Workbook

SECTION 1 Installing Identity Governance

To run the Identity Governance product, you need the following components:
Databases for Identity Governance and Identity Reporting. You can use
PostgreSQL or Oracle.
An application server. Identity Governance requires Apache Tomcat.
One SSO Provider (OSP).
LDAP authentication server (NetIQ eDirectory or Microsoft Active Directory).
(Optional) ActiveMQ.
(Optional) Identity Reporting.
You can obtain the components from the NetIQ Identity Manager download site. For your convenience, Apache Tomcat and PostgreSQL are included in the same installation program. If you already have the appropriate versions of PostgreSQL, ActiveMQ and Tomcat, you do not need to install the applications again.
You must also download, unzip and run the following virtual machines from ftp.novell.com/outgoing:
• ftp.novell.com/outgoing/TS-3181-IDV-Server-VM.zip
• ftp.novell.com/outgoing/TS-3181-IG-UofM-VM.zip
• ftp.novell.com/outgoing/TS-3181-IG-Server-VM.zip
In this section, you install the Identity Governance software and its required
components and framework.
The following exercises are included in this section:
1. “Install Apache Tomcat and the PostgreSQL Database” on page 4
2. “Install One Single Sign-On Provider” on page 7
3. “Install Identity Governance” on page 9


Exercise 1-1 Install Apache Tomcat and the PostgreSQL Database


In this exercise, you use the convenience installer to install Apache Tomcat and
PostgreSQL. The convenience installer installs open source versions of these
components. In addition, the installer provides a Java JRE from Oracle and Apache's
ActiveMQ message broker.
By default, the installation program installs the applications in their respective
directories in the /opt/netiq/idm/apps/ directory.
Do the following:
1. From the IG Server virtual machine, log in as root with the password of netiq000.
2. Right-click the desktop; then select Open Terminal.
3. Change to the Identity Governance install directory by entering cd Desktop/install.
4. From the command prompt, start the Tomcat/PostgreSQL installer by entering ./TomcatPostgreSQL.bin.
Wait while the installation program starts.
5. From the Introduction screen, select Next.
6. From the License Agreement screen, select I accept the terms of the License
Agreement; then select Next.
You see the following:

7. Take note of the product features that will be installed; then select Next.
8. From the Tomcat install folder screen, note the Tomcat install folder location;
then select Next.

9. From the Tomcat details screen, note the default port assignments; then accept
the port assignments by selecting Next.
10. From the ActiveMQ install folder screen, note the ActiveMQ install folder
location; then select Next.
11. From the PostgreSQL install folder screen, note the PostgreSQL install folder
location; then select Next.
12. From the PostgreSQL details screen, type the following:
• Password for ‘postgres’ user: netiq000
• Confirm password for ‘postgres’ user: netiq000
13. Note the default PostgreSQL port; then select Next.
The following is displayed:

14. Select Install.


Wait while the components are installed.
15. When finished, from the Install complete screen, select Done.
16. At the command prompt, enter ll /opt/netiq/idm/apps
You see the directories that were created during the install and the assigned
permissions. Notice that Tomcat is installed as a non-root user.


(End of Exercise)

Exercise 1-2 Install One Single Sign-On Provider
One SSO Provider (OSP) allows you to configure Identity Governance for single
sign-on access.
By default, the installation program installs the OSP components in the /opt/netiq/idm/apps/osp directory.
Do the following:
1. At the command prompt, start the OSP installer by entering ./osp-install-linux.bin.
The installation program starts.
2. From the Introduction screen, select Next.
3. From the License Agreement screen, scroll to the bottom of the license
agreement text.
4. Select I accept the terms of the License Agreement; then select Next.
5. From the Select install location screen, note the Install location; then select Next.
6. From the Tomcat details screen, note the value for the TOMCAT_HOME Folder;
then, accept the displayed value by selecting Next.
7. From the Tomcat Java home screen, note the value for Select a Folder; then select
Next.
8. From the Application address screen, type the following:
• Host name: 172.17.5.115
• Port: 8080
9. Select Next.
10. From the Login screen customization screen, read the text displayed in the text
box; then select Next.
11. From the Authentication details screen, type the following:

NOTE: The authentication source used in the exercises is the eDirectory Identity Vault on the
IDV server.

• LDAP host: 172.17.5.105
• LDAP port: 389
12. Select Next.
13. From the second Authentication details screen, type the following:
• Admin DN: cn=admin,ou=sa,o=system
• Admin password: netiq000
• User container: ou=users,o=data
• Admin container: ou=sa,o=system


14. Select Next.


You see a Connection succeeded dialog box.
15. Select OK.
16. From the third Authentication details screen, for Keystore password and Confirm
keystore password, type netiq000; then select Next.
17. From the Auditing details screen, leave the Enable auditing for OSP check-box
de-selected; then select Next.
18. From the Pre-Installation summary screen, select Install.
Wait while OSP is installed.
19. When finished, select Done.
(End of Exercise)

Exercise 1-3 Install Identity Governance
In this exercise, you do the following:
• “Install Identity Governance Using the GUI Installation Wizard” on page 9
• “View the Identity Governance Database Structure” on page 12

Install Identity Governance Using the GUI Installation Wizard


1. To start the Identity Governance install, at the command prompt, enter ./identity-governance-install-linux.bin.
The installation program starts.
2. From the Introduction screen, select Next.
3. From the License Agreement screen, scroll to the bottom of the license
agreement text.
4. Select I accept the terms of the License Agreement; then select Next.
You see the following:

You see that Identity Governance is set to be installed by default.


5. To install Identity Reporting, select the check-box for Identity Reporting; then
select Next.
6. From the Select install location screen, note the Install location; then select Next.
7. From the Tomcat installation screen, note the value for Specify the Tomcat
folder; then, accept the displayed value by selecting Next.
8. From the second Tomcat installation screen, type the following:
• Runtime host name: 172.17.5.115
• Port: 8080


9. Verify that the value for Runtime identifier is local; then select Next.
10. From the Tomcat Java home screen, note the value for Select JRE home folder;
then, accept the displayed value by selecting Next.
11. From the Application Address screen, type the following:
• Host name: 172.17.5.115
• Port: 8080
12. Select Next.
13. From the Authentication details screen, for Service password and Confirm
service password, type netiq000.

NOTE: This is the secret used by the client to connect to the OSP authentication service. This
secret is used by the OSP server and Identity Governance.

14. Select Next.


15. From the Bootstrap administrator details screen, note the value for Bootstrap
admin name; then for Password and Confirm password, type netiq000.
16. Select Next.
17. From the ActiveMQ details screen, verify that Use ActiveMQ is selected; then
select Next.
18. From the second ActiveMQ details screen, change the value for Host name from
localhost to 172.17.5.115; then verify that the value for Port is 61616.
19. Select Next.
20. From the Database type screen, verify that PostgreSQL is selected; then select
Next.
21. From the Database details screen, verify that Configure database now is
selected, then select Next.
22. From the second Database details screen, change the value for Host from
localhost to 172.17.5.115; then verify that the value for Port is 5432.
23. Select Next.
24. From the third Database details screen, note the name of the Administrator user;
then, for Administrator password, type netiq000.
25. Verify that the Test connection check-box is selected; then select Next.
26. From the Success dialog, select OK.
27. From the fourth Database details screen, note the names of the Identity
Governance databases that are created during the install; then for Password and
Repeat password, type netiq000.
28. From the fifth Database details screen, note the value for Reporting user; then for
Reporting user password and Confirm password, type netiq000.
29. Select Next.

30. From the sixth Database details screen, for Reporting database name, type igrpt;
then, for Reporting database users password and Confirm password, type
netiq000.
31. Select Next.
32. From the seventh Database details screen, verify that Update is selected; then
select Next.

NOTE: This step publishes the default users and the schema in the database.

33. From the Report default language screen, from the Target locale drop-down list,
verify that English is selected; then select Next.
34. From the Report email delivery screen, in the SMTP server field, type
172.17.5.115; then select Next.

NOTE: Email delivery of reports is not covered in this course so a valid email server is not
specified.

35. From the Report retention details screen, accept the default settings by selecting
Next.
36. From the Identity Audit screen, leave the Enable auditing check-box de-selected; then select Next.
37. From the Pre-Installation summary screen, select Next.
38. From the second Pre-Installation summary screen, select Install.
Wait while Identity Governance is installed.
39. When finished, select Done.
40. From the command prompt, restart the server by entering init 6.
41. After the server has restarted, log in as root with the password of netiq000; then,
from the desktop, open Firefox.
You see the Identity Governance sign in screen:


42. Sign in as igadmin, with the password of netiq000.


You see that Identity Governance currently is not populated with any collected
data.
43. Sign out of Identity Governance; then close Firefox.

View the Identity Governance Database Structure


1. Right-click the desktop; then select Open Terminal.
2. From the command prompt, enter /opt/netiq/idm/apps/postgres/scripts/launchpgadmin.sh.

NOTE: If you encounter a connection failure message, select OK; then launch pgadmin again.

You see the following:

3. From the left-panel, expand Servers; then double-click PostgreSQL 9.6.


4. From the Connect to server dialog, for Password, type netiq000; then select OK.
You see the following:

5. From the left-panel, expand Databases.
You see the databases associated with Identity Governance including the igrpt
database that is associated with Identity Reporting:

6. Contract Databases; then expand Login/Group Roles.


You see the default set of Identity Governance users including the igrptuser user
that is required for Identity Reporting:


7. Feel free to explore other components of the Identity Governance database
structure; then close pgAdmin.
8. Close the terminal window by entering exit.
(End of Exercise)


SECTION 2 Collecting Identity Governance Data

To certify that your users have the appropriate levels of access to your resources
and applications, you must populate the Identity Governance catalog with the
identities, application accounts, and application permissions that exist in your
environment. Identity Governance organizes the data according to its source type:
identity or application. When you create a data source, you also configure the
settings for data collection.
Identity Governance must collect information about users from identity sources.
After Identity Governance collects this information, you must publish the
information to populate the catalog. You can then assign these users administrative
authorizations in the product.
The following exercises are included in this section:
1. “Verify OSP Integration” on page 16
2. “Collect Identity Governance User Data” on page 18
3. “Add a CSV-Based Application Source and Collect Its Data” on page 26
4. “Add Identity Manager as an Application Source and Collect Application Data”
on page 35


Exercise 2-1 Verify OSP Integration


In this exercise, you verify that you can sign in to the Identity Governance
interface through OSP. Recall that the eDirectory Identity Vault was defined as the
authentication source.
Do the following:
1. From the IG Server desktop, open Firefox.
You see the following:

2. From the NetIQ Access page, sign in as igadmin with the password of netiq000.

NOTE: igadmin is the bootstrap user name defined during installation.

You see the Identity Governance Overview page.

You now verify that Identity Governance is properly configured to use the OSP.
3. In the upper-right corner of the Overview page, select the down-arrow next to
Bootstrap Admin; then select Sign out.


4. From the NetIQ Access page, sign in as aastin with the password of netiq000.
You see the following:

The aastin user was able to sign in to the Identity Governance interface because
the user exists in the eDirectory Identity Vault (the OSP authentication source).
Because aastin has not yet been collected into the Identity Governance database,
the user does not have the ability to access any Identity Governance tools.
5. Sign out as aastin; then sign in again as igadmin.
(End of Exercise)


Exercise 2-2 Collect Identity Governance User Data


In this exercise, you collect user data from an identity source; then populate the data
to the Postgres database. As soon as users are defined in Identity Governance, you
can assign them to specific administrative roles.
You do the following:
“Add an Identity Source” on page 18
“Configure Administrator Roles and General Settings” on page 23

Add an Identity Source


1. From the left-panel, under Data Sources, select Identities; then, from the Identity
Sources page, select the plus sign.
You see the following:

2. For Name, type IG Users; then, from the Name field, copy the IG Users text.
3. In the Description field, select the upper case B; then paste the text from the
previous step.
4. From the Publish behavior drop-down list, select Publish without merging.
5. Select the New Collector section heading.
You see the collector parameters.
6. In the Collector name field, type Identity Manager.
7. From the Collector template drop-down list, select Identity Manager Identity.
8. From the list of sections, select the Service Parameters section heading.
You see the following:


9. In the Service Parameters section, type (or verify) the following:


• Host: 172.17.5.105
• Port: 389
• User Name: cn=admin,ou=sa,o=system
• Password: netiq000
10. Scroll down; then select Test connection.
You see a Connection successful message. If the connection test fails, double
check the parameter values; then try again.
11. Contract the Service Parameters section by selecting Service Parameters again;
then, from the list of sections, select the Collect Identity section heading.
12. In the Collect Identity section, find the Base Dn field; then update the displayed
value to the following: ou=users,o=data
13. Compare the list of Collect Identity attributes and the list of Mapped attributes.
The Collect Identity attributes represent attribute names in Identity Governance
and the Mapped attributes are attribute names from the identity source.
14. To contract the Collect Identity section, select Collect Identity again; then, from
the list of sections, select the Collect Group section heading.
15. Under Collect Group, find the Base Dn field; then update the displayed value to
the following: ou=groups,o=data
16. Compare the list of Collect Group attributes and the list of Mapped attributes.


The Collect Group attributes represent attribute names in Identity Governance
and the Mapped attributes are attribute names from the identity source.
17. To contract the Collect Group section, select Collect Group again; then, from the
list of sections, select Collect Parent Group to Child Group Relationships.
18. Under Collect Parent Group to Child Group Relationships, find the Base Dn
field; then update the displayed value to the following: ou=groups,o=data
19. To contract the Collect Parent Group to Child Group Relationships section, select
Collect Parent Group to Child Group Relationships again.
20. From the top of the New Identity Source page, select the Save icon .
21. From the bottom of the page, select Test Collection and Troubleshooting.
You see the following:

22. Select the check-box for Identity Manager Collector; then select Run Test
Collection.
The following is displayed:

23. Select the check-box for Identity Manager Collector; then for the Identity
collection, replace the word ALL with the number 5.
24. Select Run Raw Data Collection.
Wait while the test collection takes place. You see the following:


25. From the Actions drop-down list, select View; then, from the IG Users Test
Collection dialog, select Identity (5 records of raw data).
You see the following:

You see a solid representation of data that will be collected with a full identity
collection.
26. Review the data; then, if desired, review the data associated with groups and
group relationships.
27. Close the IG Users Test Collection dialog; then, from the Collection Testing and
Analytics page, select the Download and Emulation tab.
You see the options for downloading collection data sources and emulation
packages.
28. From the left-panel, under Data Sources, select Identities; then, begin the
identity collection by selecting the Collect icon .
Wait while the collection takes place.
29. From the left-panel, under Catalog, select Users.
You see that the catalog is empty because the identity data has been collected but
not published.
30. From the left-panel, under Data Sources, select Identities.


You see the following:

You see that the IG Users Identity Source has been collected. Next to Collect
Status, you see a red diamond. The red diamond indicates that the data has not
been published.
31. Next to the Identity Sources heading, select the Publish icon .
Wait while the identity data is published. When finished, you see the following:

32. From the left-panel, under Catalog, select Users.


You see that the catalog is populated with the users published from the identity
source.


Configure Administrator Roles and General Settings


With identities published to the Users Catalog, you now have the ability to assign
users to Identity Governance administrative roles.
Do the following:
1. From the left-panel, select Administration; then, from the Administration page,
select Authorization Assignments.
You see the following:

2. In the field next to Global Administrator, begin typing Andrew.


You see that Andrew Astin’s name is displayed:

3. Select Andrew Astin.


Andrew is added as a Global Administrator.
4. In the upper-right corner of the Administration Assignments page, select the
Save icon .
5. Sign out as igadmin; then sign in as aastin with the password of netiq000.
As a Global Administrator, you see that Andrew has access to all Identity
Governance resources.


6. From the left-panel, select Administration; then, from the Administration page,
select Authorization Assignments.
7. Make the following administration assignments:

Global Administrator: Chip Nano

Access Request Administrator: Mary Carey

Auditor: Bill Brown

Business Roles Administrator: Anthony Palani

Data Administrator: Abby Spencer

Fulfillment Administrator: Anthony Palani

Review Administrator: Terry Mellon

Technical Roles Administrator: Aaron Corry

Report Administrator: Terry Mellon

Security Officer: Helen Winzen

Separation of Duties Administrator: Anthony Palani

8. Select the Save icon .


9. Contract the Authorization Assignments section, by selecting Authorization
Assignments; then select General Settings.
10. For Home Page URL, type http://172.17.5.115:8080/IDMRPT; then select the
Save icon.

NOTE: This setting makes it so that the Identity Reporting admin utility will open when
selecting the Home icon in the upper-right corner of the Identity Governance admin utility.

11. Contract the General Settings section, by selecting General Settings; then select
Identity Manager System connection Information.
12. Type the following:
• Identity Manager URL: http://172.17.5.105:8180/IDMProv
• Identity Manager username: uaadmin
• Identity Manager password: netiq000
13. Select Test Connection.
The following is displayed:


If the connection test fails, double check the parameter values; then try again.
14. Select the Save icon .
15. Sign out as aastin; then sign in as cnano with the password netiq000.
Notice that Chip has the same access as aastin.
16. Sign out as cnano; then sign in as tmellon with the password netiq000.
You see that Terry has limited options according to his administrative role
assignments.
17. Sign out as tmellon; then log in as cnano.
18. Minimize Firefox.
(End of Exercise)


Exercise 2-3 Add a CSV-Based Application Source and Collect Its Data
In this exercise, you add a CSV-based application source. The application consists
of two flat database files: one contains account data and the other contains
permission data.
Do the following:

1. From the upper-left corner of the IG Server desktop, open the install folder.
2. Copy the mmpAccounts.csv and mmpPermissions.csv files; then browse to /opt/netiq
and paste the files there.
3. In the file browser, from the /opt/netiq directory, open the mmpAccounts.csv file.
Take note of the text highlighted in the following image:

These headings define the field names in the CSV file. They are used later in the
exercise.
4. Close the mmpAccounts.csv file.
5. Open the mmpPermissions.csv file.
Take note of the text highlighted in the following image:

These headings define the field names in the CSV file. They are also used later in
the exercise.
6. Minimize the mmpPermissions.csv file.
7. Close the file browser; then maximize Firefox.
8. From the left-panel, under Data Sources, select Applications; then, from the
Application Sources page, select the plus sign.
You see the following:


9. For Name, type ManageMyProject; then, from the Name field, copy the
ManageMyProject text.
10. In the Description field, select the upper case B; then paste the text from the
previous step.
11. In the Description field, next to the second set of asterisks, type is a project
management and time tracking system.
12. Select the New Collector section heading.
13. For Collector name, type Accounts.
14. From the Collector template drop-down list, select CSV Account.
15. Select the Collect Account section heading.
You see the following:


16. Type or modify the following:
• File Name: /opt/netiq/mmpAccounts.csv

IMPORTANT: Scroll down to the Collect Account attributes area.

• Account ID from Source: Account ID
• Account Name: Account Name
• Account Description: Account Description
• Account Type: Type

NOTE: These values are the headings from the mmpAccounts.csv file.

17. In the Account User Mapping field, type Account Holder; then, from the Map to
attribute drop-down list, select Workforce ID as shown below:

18. Scroll to the top of the New Application Source page; then select the Save icon.
19. To add another collector to this application source, select the plus sign.
20. From the list of sections, select the New Collector section heading.
21. For Collector name, type Permissions; then, from the Collector template drop-down list, select CSV Permission.
You see the following:


22. From the listed sections, select Collect Permission.


23. Type or modify the following:
• File Name: /opt/netiq/mmpPermissions.csv

IMPORTANT: Scroll down to the Collect Permission attributes area.

• Permission ID from Source: Permission ID
• Permission Name: Permission Name
• Permission Description: Permission Description
• Permission Type: Type

NOTE: These values are the headings from the mmpPermissions.csv file.

24. In the Permission Owner Mapping area, verify that Owner is mapped to User ID
from Source.
25. Scroll down to the Permission Account or User Mapping area.
26. In the Permission Account or User Mapping field, replace the contents with
Account ID; then, from the Map to attribute drop-down list, select Account ID from
Source.
27. Scroll down until you see the list of sections for this collector as shown below:

28. Select the Collect Holder to Permissions Mapping section heading.


29. Under the Collect Holder to Permissions Mapping heading (you may need to scroll
up), for Collect this data? select the check-box for Yes.
30. For File Name, type /opt/netiq/mmpAccounts.csv.
31. Scroll down to the Collect Holder to Permissions Mapping attributes area; then, in
the Holder Permission(s) field, type Permissions.
32. In the User or Account ID field, replace the contents with Account ID; then, from
the Map to attribute drop-down list, verify that Account ID from Source is selected.
33. In the Is it possible to revoke this permission assignment? field, type false as
shown below:

34. Scroll down until you see the list of sections for this collector.
35. Select the Collect Permission hierarchy based on child to parent section heading.
36. Under the Collect Permission hierarchy based on child to parent heading (you may
need to scroll up), for Collect this data? select the check-box for Yes.
37. For File Name, type /opt/netiq/mmpPermissions.csv
38. Scroll down to the Collect Permission hierarchy based on child to parent attributes
area; then, make the following changes:
• Child Permission ID from Source: Permission ID
• Parent Permission(s): Parent
39. Scroll to the top of the ManageMyProject page; then select the Save icon .
Take note of what will be and what will not be collected based on this application
source definition:


40. Scroll to the bottom of the ManageMyProject page; then select Test Collection
and Troubleshooting.
You see the following:

41. Next to the Name heading, select the check-box; then select Run Test
Collection.
The following is displayed:

42. Select the check-boxes for Account and Permission; then for both collectors
replace the word All with the number 5.
43. Select Run Raw Data Collection.
Wait while the test collection takes place. When finished, you see the following:

44. From the Actions drop-down list, select View.


You see the following:

45. Select Account (5 records of raw data).


You see the following:

You see a good representation of account data from the mmpAccounts.csv file.
46. Select Permission (5 records of raw data).
You see the following:

You see a good representation of permission data from the mmpPermissions.csv file.
47. Close the ManageMyProject Test Collection dialog.
48. From the left-panel, under Data Sources, select Applications; then, from the
Application Sources list, select ManageMyProject.
49. From the top of the ManageMyProject page, select the Collect Now icon.
Wait for the data to be collected.


50. Select the Publish Now icon.


Wait for the data to be published. When finished, you see the following:

51. From the left-panel, under Catalog, select Accounts.


You see the accounts collected from the mmpAccounts.csv file.
52. From the left-panel, under Catalog, select Permissions.
You see the permissions collected from the mmpPermissions.csv file.
53. From the left-panel, under Catalog, select Applications; then, from the
Applications list, select ManageMyProject.
You see data collected for this application. The Permissions tab is selected:

54. Select the Accounts tab.


You see the accounts associated with this application:


You see that you have the ability to filter accounts that are mapped to Identity
Governance users and those that are unmapped.
(End of Exercise)


Exercise 2-4 Add Identity Manager as an Application Source and Collect Application Data
In this exercise, you collect data from an application source. The data collected from application sources includes information such as account data and account entitlement/permission information.
The connected Identity Manager system provides the application data for this exercise. You collect data from the Identity Manager User Application.
Do the following:
1. From the left-panel, under Data Sources, select Applications; then, from the
Application Sources page, select the plus sign.
You see the following:

2. For Name, type Identity Manager Permissions; then, from the Name field,
copy the Identity Manager Permissions text.
3. In the Description field, select the upper case B; then paste the text from the
previous step.
4. Select the New Collector section heading.
You see additional collector parameters.
5. In the Collector name field, type IDM Permissions.
6. From the Collector template drop-down, select Identity Manager AE
Permission.
7. From the list of sections, select the Service Parameters section heading.
You see the following:


8. Type the following:


 Host: 172.17.5.105
 Password (for the cn=admin,ou=sa,o=system user): netiq000
 User Application Base Provisioning Service URL:
http://172.17.5.105:8180/IDMProv
 Password (for the cn=uaadmin,ou=sa,o=data user): netiq000
9. Select Test connection.
You see a Connection successful message. If the connection test fails, double
check the parameter values; then try again.
10. Scroll to the top of the current page; then select the Save icon.
11. Begin the collection of Identity Manager Permissions by selecting the Collect Now icon.
Wait while the collection takes place.
12. When completed, select the Publish Now icon.
Wait while the data is published.
13. From the left-panel, under Data Sources, select Applications.


You see the new Identity Manager Permissions application source.


14. From the left-panel, under Catalog, select Applications.
In addition to Identity Manager Permissions, you see the applications collected from the Identity Manager User Application drivers:

Applications associated with the IDM drivers are considered subordinate applications and are required to collect permission data for the User Application.
15. From the left-panel, under Catalog, select Permissions; then, from the
Permissions page, advance to page 3.
In addition to the permissions gathered from the ManageMyProject application,
you see some of the User Application roles to which permissions are granted.
(End of Exercise)


SECTION 3 Building Identity Governance Reviews

Review administrators can create several types of reviews to focus reviewers on different kinds of access, such as user access reviews, assigned and unassigned account reviews, and business role membership reviews. For each review type, they select the users, accounts, applications, permissions, or roles to be reviewed, and they define the review process and its participants. Review owners run the reviews, which generate tasks for the reviewers. Reviewers decide whether to keep or remove access, whether to change user assignments, and whether to retain role membership for each item assigned to them in the review.

Reviews can contain a single stage, with each review item assigned to a single reviewer or group of reviewers, or multiple stages, with each review item assigned to multiple reviewers who act on the review items only after the previous reviewer completes an action.
Los siguientes ejercicios están incluidos en esta sección:
1. “Create a Review with Manual Fulfillment” on page 40
2. “Fulfill a Review” on page 44
3. “Create and Run a Review with Automated Fulfillment” on page 46


Exercise 3-1 Create a Review with Manual Fulfillment

In this exercise, you create a review of the permissions assigned to the ManageMyProject application. Because the ManageMyProject application uses CSV files, it is considered a non-connected system, so fulfillment of this review must be performed manually.
You do the following:
“Configure Manual Fulfillment” on page 40
“Create the Review” on page 41

Configure Manual Fulfillment

1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Fulfillment, select Configuration; then, from the list, select Manual Fulfillment (system default).
3. In the Fulfiller field, add Chip Nano; then select the Save icon.
4. From the left-panel, under Fulfillment, select Configuration; then select the Application setup tab.
You see the following:

5. For the ManageMyProject application, select customize; then, from the Fulfillment configuration page, select the Supported change request types heading.
The following is displayed:

You see that you can set the change types that manual fulfillment will allow for the application. In this exercise, you do not make any changes.
6. Close the Manual Fulfillment options by selecting the X.


Create the Review
1. From the left-panel, under Catalog, select Applications; then, from the Applications list, select the ManageMyProject application.
2. Select the Edit icon.
3. For Risk, set the slider to a value in the normal range.
4. For Owners, add Jack Miller; then select Save.
5. From the left-panel, under Catalog, select Applications; then, from the Applications list, select the ManageMyProject application.
You see something similar to the following:

6. Sign out as cnano; then sign in as tmellon.

NOTE: Remember that Terry is assigned the Review Administrator administrative role.

7. From the left-panel, under Reviews, select Definitions; then, from the Review definitions page, select the plus sign.
8. From the Review type drop-down list, verify that User Access Review is selected; then type the following:
 Name: Projects and Time Create Permissions Review
 Description: Determine who has access to the Projects Create and Time Create Permissions
9. Under the User Access Review items heading, from the first drop-down list, select Select permissions.
10. In the Search for permissions list, add Projects - Create and Time - Create, as shown below:


11. From the displayed sections, select Reviewers; then, from the Reviewer drop-down list, select Review by Application Owners.
12. At the top of the page, select the Save icon; then select the Run icon. You see the following:

13. Select Start in Preview.
14. From the left-panel, under Reviews, select Definitions. The following is displayed:

15. Under the Status column heading, select Preview. You see the following:

16. Select the Review items tab.
You see the preliminary results of the review.
17. In the REVIEW PREVIEW box, select Go Live; then, from the Confirm go live dialog, select Go Live.
18. From the left-panel, under Reviews, select Reviews. You see that the review has started.

NOTE: As a review administrator, Terry has access to all reviews in progress.

19. Sign out as tmellon; then sign in as jmiller.


Because he is the application owner, you see that the review has been assigned to Jack:

20. From the Reviews list, select Projects and Time Create Permissions Review. You see the following:

21. For the users Bill Burke and Kate Smith, select Keep; then, for the users Bill Bender and Jane Brown, select Remove.
22. In the upper-right corner of the page, select Submit 4 item(s). You see that Jack's review is complete.
23. Sign out as jmiller; then sign in as tmellon.
24. From the left-panel, under Reviews, select Reviews; then, from the Reviews list, select Projects and Time Create Permissions Review.
25. To view the status of the review, select the Review Items tab.
You see the current status of the review.
26. In the upper-right corner of the page, select Approve.
You see that the review is certified.
(End of Exercise)


Exercise 3-2 Fulfill a Review

In this exercise, you fulfill the review you just created. Do the following:
1. Sign out as tmellon; then sign in as cnano. Remember that Chip is defined as a manual fulfiller.
2. From the left-panel, under Fulfillment, select Requests.
You see the following:

3. To fulfill the request, minimize Firefox; then, from the server desktop, open the install folder.
4. From the file browser, browse to the /opt/netiq folder; then open the mmpPermissions.csv file.
5. In the mmpPermissions.csv file, search for the Time - Create permission. You see that the Permission ID value assigned to Time - Create is 70100:

6. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.


7. Search for the Bill Bender user.
Notice the permissions that are assigned to Bill:

8. Edit the mmpAccounts.csv file by removing the 70100 permission from Bill’s
permissions as shown below:


9. Perform the same steps for Jane Brown; then save and close the
mmpAccounts.csv file.
10. Close the file browser; then maximize Firefox.
11. From the Manual Fulfillment Requests page, next to the Task heading, select the
check-box; then, from the Actions drop-down list, select Fulfilled.
12. From the upper-right corner, select Submit 2 item(s).
13. From the left-panel, under Data Sources, select Applications.
14. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
15. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
16. When finished, from the left-panel, under Fulfillment, select Status; then, from
the Fulfillment Status page, select the VERIFIED box.
The following is displayed:

(End of Exercise)
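The collector definition from Exercise 2-3 and the manual fulfillment you just performed (the same steps recur in Exercise 4-2) can be exercised offline. The following Python script is an added example, not code from the workbook or from Identity Governance: it reads stand-ins for /opt/netiq/mmpPermissions.csv and mmpAccounts.csv, resolves the child-to-parent hierarchy from the Permission ID and Parent columns, lists the holders of permission 70100 (Time - Create), applies the two removal requests from the review as an edit to the accounts file, and re-collects to confirm nothing is still held before the request is marked Fulfilled. Everything else (the remaining column names, the `;` separator for multi-valued permissions, and every row) is constructed here; the real files on the lab server may differ.

```python
"""Simulated CSV application collection and manual fulfillment.

Added example for Exercises 2-3 and 3-2; it is not Identity Governance's
collector code. Taken from the workbook: the two file names under /opt/netiq,
the child-to-parent hierarchy mapped from Permission ID and Parent, the
permission 70100 = Time - Create, and the two accounts whose Time - Create
access the review removed. Column names other than those, the ';' separator
and all rows below are constructed.
"""
import csv
import io

PERMISSIONS_CSV = """\
Permission ID,Permission Name,Parent
70000,Time,
70100,Time - Create,70000
70200,Time - Edit,70000
60000,Projects,
60100,Projects - Create,60000
"""

ACCOUNTS_CSV = """\
Account ID,Full Name,Permissions
bburke,Bill Burke,60100;70100
ksmith,Kate Smith,60100
bbender,Bill Bender,70100;70200
jbrown,Jane Brown,60100;70100
"""

PERM_SEP = ";"  # assumed separator for the multi-valued Permissions column


def collect_permissions(text):
    """Permission collector: {id: {"name", "parent"}}. Rejects a parent that
    does not exist and any cycle, which would otherwise become a broken
    hierarchy in the catalog."""
    perms = {}
    for row in csv.DictReader(io.StringIO(text)):
        perms[row["Permission ID"]] = {"name": row["Permission Name"],
                                       "parent": row["Parent"] or None}
    for pid, rec in perms.items():
        seen, cur = {pid}, rec["parent"]
        while cur is not None:
            if cur not in perms or cur in seen:
                raise ValueError(f"bad parent chain at permission {pid}")
            seen.add(cur)
            cur = perms[cur]["parent"]
    return perms


def collect_accounts(text):
    """Account collector: {account id: {"name", "permissions": set of ids}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        held = {p for p in row["Permissions"].split(PERM_SEP) if p}
        accounts[row["Account ID"]] = {"name": row["Full Name"], "permissions": held}
    return accounts


def holders(accounts, perm_id):
    """Accounts that hold a permission: the rows a review of it lists."""
    return sorted(a for a, rec in accounts.items() if perm_id in rec["permissions"])


def fulfill_removals(accounts_text, requests):
    """Apply (account, permission) removal requests to the CSV text.
    Returns (new_text, unmet); unmet holds requests whose account did not
    hold the permission, which a fulfiller should not mark Fulfilled."""
    reader = csv.DictReader(io.StringIO(accounts_text))
    rows = list(reader)
    by_id = {r["Account ID"]: r for r in rows}
    unmet = []
    for account_id, perm_id in requests:
        row = by_id.get(account_id)
        held = [p for p in row["Permissions"].split(PERM_SEP) if p] if row else []
        if perm_id not in held:
            unmet.append((account_id, perm_id))
            continue
        row["Permissions"] = PERM_SEP.join(p for p in held if p != perm_id)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), unmet


def verify_fulfilled(accounts_text, requests):
    """Re-collect after the edit; anything still held cannot move to VERIFIED."""
    accounts = collect_accounts(accounts_text)
    return [(a, p) for a, p in requests
            if a in accounts and p in accounts[a]["permissions"]]


if __name__ == "__main__":
    perms = collect_permissions(PERMISSIONS_CSV)
    parent = perms[perms["70100"]["parent"]]["name"]
    print("70100 is", perms["70100"]["name"], "under", parent)
    print("holders before:", holders(collect_accounts(ACCOUNTS_CSV), "70100"))
    requests = [("bbender", "70100"), ("jbrown", "70100")]
    new_text, unmet = fulfill_removals(ACCOUNTS_CSV, requests)
    print("holders after:", holders(collect_accounts(new_text), "70100"), "unmet:", unmet)
    print("still held:", verify_fulfilled(new_text, requests))
```

The `unmet` list is the part worth keeping: a fulfiller who marks a request Fulfilled when the account never held the permission produces a misleading VERIFIED status after the next collection, so the script refuses to silently succeed on such a request.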


Exercise 3-3 Create and Run a Review with Automated Fulfillment

In this exercise, you create a review of access to a permission assigned to the Identity Manager Permissions application. Because Identity Manager is a connected system, the review can be configured for automated fulfillment.
You do the following:
 “Configure Fulfillment” on page 46
 “Create and Run a Review” on page 47

Configure Fulfillment
1. From the left-panel, under Fulfillment, select Configuration. You see the following:

2. Select Identity Manager automated (system); then, from the Fulfillment target configuration page, in the Fulfiller field, add Chip Nano.
3. Select the Save icon.
4. From the left-panel, under Fulfillment, select Configuration; then select the Application setup tab.
5. For the Utopia Active Directory Driver, from the Fulfillment targets drop-down list, select Identity Manager automated (system); then, for the driver, select customize.
6. Verify that the Fulfillment drop-down list is set to Auto with manual fallback; then, for Fulfiller, replace Chip Nano with Andrew Astin.
7. On the Application setup tab, select the Save icon.
8. From the left-panel, under Catalog, select Permissions.
9. In the upper-right corner of the Permission page, in the Search for permissions
field, enter VPN Access; then, from the Permissions list, select VPN Access.
10. From the Utopia Active Directory Driver VPN Access page, select the
Permission relationships tab.
This view shows you that the driver’s Group Membership Entitlement is used to
grant the permission.
11. Edit the permission by selecting the Edit icon as shown below:


The edit page allows you to assign an owner to the entitlement as well as
associated risk and cost.
12. Slide the risk bar to a setting somewhere in the normal range; then select Save.
13. From the left-panel, under Catalog, select Permissions.
You see the VPN Access permission with the associated risk that you just
assigned:

Create and Run a Review

1. Sign out of Identity Governance as cnano; then sign in as tmellon.

IMPORTANT: Remember that Terry Mellon is set up as a review administrator.

2. From the left-panel, under Reviews, select Definitions; then, from the Review
definitions page, select the plus sign.
3. From the Review type drop-down list, verify that User Access Review is
selected; then type the following:
 Name: Review VPN Access
 Description: Determine who has access to the VPN Permission
4. Under User Access Review items heading, from the first drop-down list, select
Select permissions.
5. In the Search for permissions field, add VPN Access; then select the Save icon.
6. Select the Run icon; then, from the Start review dialog, select Start and Go Live.
7. From the left-panel under Reviews, select Reviews.
You see VPN Access as a running review:


8. From the list, select Review VPN Access.
You see the following:

Notice the Review percentage and the review approval flow.


9. Select the Review Items tab.
The following is displayed:

Under the User column heading, you see that Jay, Kip, and Sally currently have
permissions to the VPN Corporate Access User Application role. The first step
for approving the assignment is assigned to the users’ supervisor, displayed
under the Current Reviewer column. Because Terry Mellon is a Review
Administrator, if desired, he can override this approval step.
10. Sign out as tmellon; then sign in as kkeller.
You see that Kip has one review that requires his attention.
11. Select the Review VPN Access review.
You see the following:

12. For Jay West, select Keep; then select Submit.


13. For Sally South, select Remove; then select Submit.
14. Sign out as kkeller; then sign in as kkilpatrick.
15. Select the Review VPN Access review.


16. For Kip Keller, select Keep; then select Submit.


17. Sign out as kkilpatrick; then sign in as tmellon.
You see that Terry has an active review in his queue.
18. From the left panel, under Reviews, select Reviews.
19. Select the Review VPN Access review.
You see the following:

20. Select the Review items tab.


You see the current status of the review:

As the owner, Terry could override these decisions if they are not part of standard
business controls. In this case, however, Terry realizes that Sally no longer needs
VPN access so he approves the review.
21. In the upper-right corner of the page, in the OWNER APPROVAL box, select
Approve as shown below:

You see that this review has been certified:

22. To verify the automatic fulfillment, in Firefox, add a new tab.


23. From the bookmarks bar, select the IDM User App bookmark; then log in to the
User Application as uaadmin with password of netiq000.

NOTE: If you are presented with the Single Sign On Setup Security Questions page, select the
IDM User App bookmark again.

24. In the User App, from the top menu, select Roles and Resources; then, from the
Role Catalog list, select VPN Access.
25. From the VPN Access window, select the Assignments tab.
Notice that Jay and Kip still have VPN Access, but Sally does not:

26. Select the Request Status tab.


You see the following:

27. Select Cancel; then, in Firefox, switch to the Identity Governance tab.
28. Sign out as tmellon; then sign in as cnano.
29. From the left-panel under Fulfillment, select Status.
You see the following:

30. From the left-panel, under Data Sources, select Applications.


31. For the Identity Manager Permissions application, select the Collect Now icon.
Wait while the collection takes place.
32. For the Identity Manager Permissions application, select the Publish Now icon.
Wait while the publication takes place.
33. When finished, from the left-panel, under Fulfillment, select Status.


The following is displayed:

(End of Exercise)


SECTION 4 Implementing Technical Roles

Technical roles let business owners simplify the review process by grouping permissions, which provides a higher level of abstraction and reduces the number of items that business leaders must review. After you have published application data, you can create technical roles to group the permissions common to those roles. Once technical roles exist, Identity Governance detects users whose permissions match the technical roles you have defined and lists the technical roles a user holds in the user catalog. Once you have defined technical roles, you can create review definitions for technical role reviews.
The following exercises are included in this section:

1. “Create Technical Roles” on page 54
2. “Perform a Technical Roles Review” on page 61


Exercise 4-1 Create Technical Roles

In this exercise, you create technical roles. Do the following:
“Create Technical Roles” on page 54
“Mine a Technical Role” on page 55

Create Technical Roles

1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Catalog, select Roles.
3. From the Technical roles page, select the plus sign.
You see the following:

4. From the New Technical Role page, for Name, type Invoices Permissions Role; then, from the Name field, copy the Invoices Permissions Role text.
5. In the Description field, paste the text from the previous step.
6. In the Owners field, add Abby Spencer.
7. Set the Risk Level Configuration to a Normal value.
8. Next to Permissions, select the plus sign.
9. In the upper-right corner of the list, in the Search for permissions field, type Invoices.
You see the following:


10. To add all displayed permissions, next to Permission Name, select the check-box; then select Add (4).
11. From the top of the Invoices Permissions Role page, select the Active check-box; then select the Save icon.
12. From the left-panel, under Catalog, select Roles.
13. From the Technical roles page, select the plus sign.
14. From the New Technical Role page, for Name, type Estimates Permissions Role; then, from the Name field, copy the Estimates Permissions Role text.
15. In the Description field, paste the text from the previous step.
16. In the Owners field, add Abby Spencer.
17. Set the Risk Level Configuration to a Normal value.
18. Next to Permissions, select the plus sign.
You see all the collected permissions from the Identity Governance catalog.
19. In the upper-right corner of the list, in the Search for permissions field, type
Estimates.
You see the following:

20. To add all displayed permissions, next to Permission Name, select the check-
box; then select Add (4).
21. From the top of the Estimates Permissions Role page, select the Active check-box; then select the Save icon.

Mine a Technical Role


In this section, you verify that the most current mining data is collected; then you
mine data to create a technical role.
You do the following:
 “Collect Mining Data” on page 56
 “Mine a Technical Role” on page 56


Collect Mining Data

1. From the left-panel, select Administration; then, from the list of administration
options, select Analytics and Role Mining Settings.
2. Scroll down until you see the following:

3. Next to the Name column heading, select the check-box; then, from the Actions
drop-down list, select Collect Metrics.
4. From the Collect Metrics dialog, select Collect Now.
Wait for the collection to finish.

Mine a Technical Role

1. From the left-panel, under Catalog, select Roles.


2. From the Technical roles page, select the Mining tab.
You see the following:


3. In the Minimum permissions field, type 2; then, in the Minimum users field, type 2.
4. Select the Mine roles icon.


You see the following:

5. Under the Permissions column heading, select Invoices, Estimates.


The following is displayed:


6. Close the Permissions dialog; then, if desired, review any of the other role
candidates.
7. From the Role mining approach drop-down list, select Visual Role Mining.
You see the following:

8. Select the area of the map as shown below:


9. Select View candidate.


You see the following:

10. Select Create candidate.


11. From the left-panel, under Catalog, select Roles.
You see the following:

12. Under the Name column heading, select the Candidate technical role; then select
Edit.
The following is displayed:


13. From the Technical Role Candidate page, replace the contents of the Name field
with Client and Projects Edit Role; then, from the Name field, copy the Client
and Projects Edit Role text.
14. In the Description field, replace the contents by pasting the text from the
previous step.
15. Set the Risk Level Configuration to a Normal value.
16. From the top of the page, from the Do you wish to promote this role candidate? drop-down list, select Yes; then select the Save icon.
17. From the left-panel, under Catalog, select Roles.
You see the following:

The role is now ready to be made active.


(End of Exercise)
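The mining thresholds you entered (Minimum permissions 2, Minimum users 2) and the membership detection described in the section introduction can both be expressed over a simple user-to-permission map. The following Python script is an added example for Exercises 4-1 and 4-2; it is not Identity Governance's mining algorithm, which the workbook does not describe. It enumerates every permission set that is shared exactly by some group of users (the closure of the users' sets under intersection), keeps the ones that meet the thresholds as role candidates, and then reports which users qualify for the two technical roles you defined. The user names and the four Invoices and four Estimates permissions come from the exercise; which user holds which permission is constructed here.

```python
"""Role mining and technical-role membership over a user -> permission map.

Added example for Exercises 4-1 and 4-2; not Identity Governance's own
mining code. The permission names and user names follow the exercise;
the assignments below are constructed.
"""

INVOICES = {"Invoices - Create", "Invoices - Edit", "Invoices - View", "Invoices - Delete"}
ESTIMATES = {"Estimates - Create", "Estimates - Edit", "Estimates - View", "Estimates - Delete"}

# Constructed assignments (the workbook shows no such table).
USER_PERMS = {
    "Abby Spencer": set(INVOICES),
    "Bill Burke": INVOICES | ESTIMATES,
    "Kate Smith": ESTIMATES | {"Projects - Create"},
    "Jane Brown": {"Projects - Create", "Time - Create"},
    "Bill Bender": {"Time - Create"},
}


def closed_permission_sets(user_perms):
    """Every non-empty set that is the intersection of one or more users'
    permission sets. Such a set equals the permissions shared by exactly
    the users who hold all of it, so it is a maximal candidate for that
    group; this is the set of intents of the user/permission concept lattice.
    Closing under pairwise intersection yields all finite intersections."""
    closed = {frozenset(p) for p in user_perms.values() if p}
    frontier = set(closed)
    while frontier:
        new = set()
        for a in frontier:
            for b in closed:
                c = a & b
                if c and c not in closed:
                    new.add(c)
        closed |= new
        frontier = new
    return closed


def mine_roles(user_perms, min_permissions=2, min_users=2):
    """Candidate technical roles: closed permission sets with at least
    min_permissions permissions held in full by at least min_users users.
    Returns [(sorted permissions, sorted members)], largest groups first."""
    found = []
    for perms in closed_permission_sets(user_perms):
        if len(perms) < min_permissions:
            continue
        members = sorted(u for u, held in user_perms.items() if perms <= held)
        if len(members) >= min_users:
            found.append((sorted(perms), members))
    return sorted(found, key=lambda c: (-len(c[1]), -len(c[0]), c[0]))


def role_members(user_perms, roles):
    """Users whose permissions cover every permission of each defined role:
    the membership a technical-role review presents as review items."""
    return {name: sorted(u for u, held in user_perms.items() if perms <= held)
            for name, perms in roles.items()}


if __name__ == "__main__":
    for perms, members in mine_roles(USER_PERMS, 2, 2):
        print(len(perms), "permissions shared by", members, ":", perms)
    roles = {"Invoices Permissions Role": INVOICES, "Estimates Permissions Role": ESTIMATES}
    for name, members in role_members(USER_PERMS, roles).items():
        print(name, "->", members)
```

The closure step is what keeps the miner honest: a set shared by three users that no two of them share exactly is still produced, whereas mining only pairwise intersections would miss it. Lowering Minimum permissions to 1 surfaces single-permission candidates such as Time - Create, which is why the exercise sets it to 2.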


Exercise 4-2 Perform a Technical Roles Review

In this exercise, you use technical roles to create a review that verifies permission
access based on role conditions.
Do the following:
1. From the left-panel, under Reviews, select Definitions.
2. From the Review definitions page, select the plus sign.
3. From the Review type drop-down list, verify that User Access Review is
selected.
4. For Name, type Review Estimate and Invoice Access; then, from the Name
field, copy the Review Estimate and Invoice Access text.
5. In the Description field, paste the text from the previous step.
6. Under User Access Review Items, from the first drop-down list, select Select
roles.
7. In the Search for roles field, add Estimates Permissions Role and Invoices
Permissions Role as shown below:

8. Scroll down to the displayed section headings; then select Reviewers.


9. From the Reviewer drop-down list, select Review by Selected Users; then, in the
User or group required field, add Abby Spencer.
10. At the top of the New Review Definition page, select the Save icon; then select the Run icon.
11. From the Start review dialog, select Start and Go Live.
12. Sign out as cnano; then sign in as aspencer.
13. From the left-panel, select Reviews.
You see the following:

14. From the Reviews list, select Review Estimate and Invoice Access.
You see the list of users that meet the criteria as defined in the Review Estimate
and Invoice Access review.


You were not aware that Kate has the permissions to qualify for the Estimates
Permissions Role technical role, so you need to address her permissions.
15. For the Kate Smith Estimates Permissions Role, select Remove; then, for all
other Review Items, select Keep.
16. In the upper-right corner of the Compare Project Roles page, select Submit 6
item(s).
17. Sign out as aspencer; then sign in as cnano.
18. From the left-panel, under Reviews, select Reviews.
19. From the Reviews list, select Review Estimate and Invoice Access; then, from
the Review Estimate and Invoice Access page, select the Review items tab.
Chip has the authority to inspect each Review item and could choose to override
the decisions made in the previous steps. In this case, he decides to approve the
review.
20. In the upper-right corner, in the Owner Approval box, select Approve.
The review is Certified.
21. From the left-panel, under Fulfillment, select Requests.
You see the following:

22. To fulfill the request, minimize Firefox; then, from the server desktop, open the
install folder.
23. From the file browser, browse to the /opt/netiq folder; then open the
mmpPermissions.csv file.
24. In the mmpPermissions.csv file, search for the permissions associated with
Estimates.
You see that the Permission ID values range from 50000 to 50300.
25. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.
26. Search for the Kate Smith user.
27. Edit the mmpAccounts.csv file by removing the 50000 level permissions from
Kate; then save and close the mmpAccounts.csv file.
28. Close the file browser; then maximize Firefox.


29. From the Manual Fulfillment Requests page, next to the Task heading, select the
check-box; then, from the Actions drop-down list, select Fulfilled.
30. From the upper-right corner, select Submit 4 item(s).
31. From the left-panel, under Data Sources, select Applications.
32. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
33. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
34. When finished, from the left-panel, under Fulfillment, select Status.
The following is displayed:

(End of Exercise)


SECTION 5 Using Identity Governance Policy

Policies show outside auditors that you have structures in place to ensure compliance in your environment. Separation of duties policies work to prevent a single user from having too much access. Business roles automate the enforcement of appropriate access based on job function. Risk factors and weighting let Identity Governance calculate the level of risk according to your criteria. Access Request automates the granting of access to user requests by letting you define criteria for automatically granting the requested access, or for routing approval requests to the appropriate entity.

In this section, you learn about the following Identity Governance policies:

Separation of Duties

Separation of Duties administrators can create policies that let Identity Governance search for users and accounts with too much access. Identity Governance creates cases when it finds violations, and policy owners review the cases and approve or resolve the violations.

When a person in your company has access to too many systems, you could have trouble proving that your systems are safe from fraud when it is time for audits.

The SoD administrator should be a business owner who understands the appropriate access levels for the people in your company. By creating policies to prevent one person from having too much responsibility, the SoD administrator lets Identity Governance identify users with access to company assets that must be reviewed. Having these SoD policies places access-control rules over your business systems, giving you the ability to show auditors the automated protection Identity Governance provides.

When you have active SoD policies, Identity Governance creates cases for any violations of the policies and lists them on the Violations page. The SoD administrator or the policy owners review the cases to determine whether to resolve or approve them.

SoD cases are similar to the standard review process. Instead of a review definition that runs on a regular schedule, SoD policies run whenever they are active and continuously create cases for violations.


Business Roles
Identity Governance lets you manage the technical and business roles in your organization. To allow easier management of these roles, Identity Governance treats technical role administrators and business role administrators as having separate but overlapping responsibilities.

Business roles organize people by their business function and user-based attributes to resolve questions about what users should have access to because of who they are or what they need, or what they could have the option to request without additional approval.

Technical roles organize lower-level permissions into sets of permissions that offer enough business value to be reviewed and assigned as a unit, or requested as a unit. Technical roles are designed to limit the number of review items and to surface permissions in a way that can be presented to typical non-administrator users.

Access Requests

The Access Request Administrator or the Global Administrator must configure policies that govern who can request access and who can approve access requests in your environment.
The Access Request interface lets users monitor and request access to the items that are available in your organization.
Administrators can configure the Access Request interface to provide access that is pre-approved or that can be routed automatically for approval.
The following exercises are included in this section:

1. “Create a Separation of Duties Policy” on page 67
2. “Define Business Roles Policy” on page 74
3. “Create a Business Roles Policy with Automated Fulfillment” on page 86
4. “Develop an Access Requests Policy” on page 90


Exercise 5-1 Create a Separation of Duties Policy

As an Identity Governance administrator, you want to control who has access to
specific permissions in the ManageMyProject application. You determine that it
would be a violation of policy for one individual to have access to both the
Proposal - Create and Invoice - Create permissions.
You do the following:
 “Define a Separation of Duties Policy” on page 67
 “Resolve an Existing SoD Violation” on page 70
 “Resolve a New SoD Violation” on page 71

Define a Separation of Duties Policy


In this part of the exercise, you create a Separation of Duties policy to determine if
any users have access to both of the permissions described above.
1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Policy, select SoD; then, from the Separation of Duties
Policies page, select the plus sign.
You see the following:

3. Activate the policy by selecting the check-box for Active.


4. For Name, type Separate Proposal and Invoice Create Duties; then, from the
Name field, copy the Separate Proposal and Invoice Create Duties text.
5. In the Description field, paste the text from the previous step.
6. In the Owners field, add Chip Nano; then set the Risk Level Configuration to a
high value.
7. Scroll down to the SoD Conditions area.
You see the following:

8. For the first condition, from the drop-down list, select User has one or more of
the following.
9. In the first condition area, select permissions; then, from the Search for and
select permissions page, search for the Proposals - Create permission.
10. Select the check-box for Proposals - Create; then select Add (1).
11. In the second condition area, verify that the drop-down list displays User has all
of the following.
12. In the second condition area, select permissions; then, from the Search for and
select permissions page, search for the Invoices - Create permission.
13. Select the check-box for Invoices - Create; then select Add (1).
You see the following:

14. From the top of the page, select the Save icon.
Wait a minute or two to make sure the policy runs its course. The following will
be displayed:


15. From the left-panel under Policy, select Violations.


You see the following:

16. Select Josh Kelly.


The following is displayed:

17. Select Resolve.


You see the following:

18. To remove Josh’s Proposals - Create permission, next to Proposals - Create,
ManageMyProject, select Remove; then select Resolve.
You see that Josh’s Case Status is changed to Resolving - Pending fulfillment.
19. From the left-panel, under Fulfillment, select Requests.
You see a task was created for removing the Proposals - Create permission from
Josh.
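The policy built above, as an added Python model (not from the workbook or from Identity Governance) of how the two SoD condition types are evaluated over an account extract, how the Remove task resolves a violation, and how Approve with a Control Period suppresses one. The CSV column layout, the approval-expiry rule and the sample users are assumptions; the permission IDs 40100 and 60100 come from the exercise.

```python
"""SoD check modelled on the policy built in Exercise 5-1.

Added example, not part of the workbook or of Identity Governance. The CSV
layout is a constructed stand-in for the lab's mmpAccounts.csv (its real
columns are not shown); IDs 40100/60100 and the condition types are from the
exercise.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample extract: one row per (user, permission) assignment.
ACCOUNTS_CSV = """user,permission_id
Josh Kelly,40100
Josh Kelly,60100
Brad Jones,40100
April Smith,60100
"""
PROPOSALS_CREATE = 40100  # "Proposals - Create" (ID from the exercise)
INVOICES_CREATE = 60100   # "Invoices - Create" (ID from the exercise)


@dataclass(frozen=True)
class SodCondition:
    # mode "any": "User has one or more of the following"
    # mode "all": "User has all of the following"
    mode: str
    permissions: frozenset

    def matches(self, held: set) -> bool:
        if self.mode == "any":
            return bool(self.permissions & held)
        if self.mode == "all":
            return self.permissions <= held
        raise ValueError(f"unknown condition mode {self.mode!r}")


@dataclass(frozen=True)
class SodPolicy:
    name: str
    conditions: tuple

    def violated_by(self, held: set) -> bool:
        # A user is in violation only when every condition matches.
        return all(c.matches(held) for c in self.conditions)


SEPARATE_PROPOSAL_AND_INVOICE = SodPolicy(
    "Separate Proposal and Invoice Create Duties",
    (SodCondition("any", frozenset({PROPOSALS_CREATE})),
     SodCondition("all", frozenset({INVOICES_CREATE}))),
)


def load_accounts(csv_text: str) -> dict:
    """Return {user: set of permission IDs} from the constructed CSV layout."""
    held = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        held.setdefault(row["user"], set()).add(int(row["permission_id"]))
    return held


def find_violations(policy: SodPolicy, accounts: dict,
                    approvals: dict = None, today: date = None) -> list:
    """Users in violation, minus approved exceptions inside their control period.

    `approvals` maps user -> expiry date (assumption: Approve with a Control
    Period of N days tolerates the violation until today + N days).
    """
    approvals = approvals or {}
    today = today or date.today()
    return sorted(
        user for user, perms in accounts.items()
        if policy.violated_by(perms)
        and not (user in approvals and today <= approvals[user]))


def remove_permission(accounts: dict, user: str, permission_id: int) -> dict:
    """Model the Remove Permission Assignment fulfillment task (returns a copy)."""
    updated = {u: set(p) for u, p in accounts.items()}
    updated.get(user, set()).discard(permission_id)
    return updated


def add_permission(accounts: dict, user: str, permission_id: int) -> dict:
    """Model the account edit that introduces a new violation (returns a copy)."""
    updated = {u: set(p) for u, p in accounts.items()}
    updated.setdefault(user, set()).add(permission_id)
    return updated


def approve_violation(approvals: dict, user: str, control_period_days: int,
                      today: date) -> dict:
    """Model Approve with a Control Period (days): tolerated until expiry."""
    updated = dict(approvals)
    updated[user] = today + timedelta(days=control_period_days)
    return updated
```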

Resolve an Existing SoD Violation


In this part of the exercise, you resolve the SoD violation.
Do the following:
1. To fulfill the request, minimize Firefox; then, from the server desktop, open the
install folder.
2. From the file browser, browse to the /opt/netiq folder; then open the
mmpPermissions.csv file.
3. In the mmpPermissions.csv file, search for the Proposals - Create permission.
You see that the Permission ID value is 40100.
4. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.
5. Search for the Josh Kelly user.
6. Edit the mmpAccounts.csv file by removing the 40100 permission from Josh;
then save and close the mmpAccounts.csv file.
7. Close the file browser; then maximize Firefox.

8. From the Fulfillment Requests page, for the Josh Kelly Remove Permission
Assignment task, select Fulfilled; then, from the upper-right corner, select
Submit 1 item(s).
9. From the left-panel, under Data Sources, select Applications.
10. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
11. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
12. When finished, from the left-panel, under Fulfillment, select Status.
You see that the status for the Remove Permission Assignment task is verified
fulfilled.
13. From the left-panel, under Policy, select Violations.
You see the following:

Resolve a New SoD Violation


In this part of the exercise, you introduce, then resolve an SoD violation.
Do the following:
1. Minimize Firefox; then, from the server desktop, open the install folder.
2. From the file browser, browse to the /opt/netiq folder; then open the
mmpAccounts.csv file.
3. Search for the Brad Jones user.
4. Edit the mmpAccounts.csv file by adding the 60100 (Invoices - Create)
permission to Brad; then save and close the mmpAccounts.csv file.
5. Close the file browser; then maximize Firefox.
6. From the left-panel, under Data Sources, select Applications.
7. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
8. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
9. From the left-panel, under Policy, select Violations.

You see a new SoD violation:

10. Under the Name column heading, select Brad Jones.


You see the following:

11. Select Approve.


The following is displayed:


You see that a comment is required.


12. In the Comment field, type Approved as per management policy; then, in the
Control Period (days) field, type 10.
13. Select Approve.
You see that Brad’s Case Status is changed to Approved:

(End of Exercise)


Exercise 5-2 Define Business Roles Policy


In this exercise, you define business role policies and build a business role review.
You do the following:
 “Create a Business Role Policy” on page 74
 “Mine a Business Role Policy” on page 78
 “Build a Business Role Review” on page 83

Create a Business Role Policy


1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Policy, select Business Roles; then, from the Business
Roles page, select the Approval Policies tab.
The following is displayed:

NOTE: It is from this location that you create new approval policies. In this exercise, you use
the No Approval policy.

3. From the Business Roles page, select the Roles tab; then, next to Business Roles,
select the plus sign.
You see the following:


4. For Name, type Sales Director Proposal Access; then, copy the Sales Director
Proposal Access text.
5. In the Description field, paste the text from the previous step.
6. In the Grace period field, type 20.
The grace period determines the amount of time users are allowed to continue as
role members when they no longer meet the conditions of the business role
policy.
7. Set the Risk Level Configuration to a normal level.
8. From the Membership tab, select the Membership expressions section
heading; then, next to Add expression, select the plus sign.
You see the following:

9. In the Search for catalog attribute value or enter your own field, add Sales
Director.
You see the following:


10. Above the Membership expressions heading, select View Members.


You see the list of users that have the Sales Director attribute assigned and who
will be given permissions based on this business role policy.

11. Close the dialog.


12. Select the Authorizations tab; then select the Authorized Permissions section
heading.
13. Next to Permissions, select the plus sign; then, from the pop-out box, select Add
permissions from catalog.
14. From the Search for and select permissions page, search for the Proposals
permission.
15. Select the check-box for Proposals; then select Add (1).
The following is displayed:

16. From the No Auto-Grant or Auto-Revoke drop-down, select Auto-Grant and
Auto-Revoke.
17. Select the Owners and Administration tab.
18. For Role owner, Role manager and Fulfiller, add Chip Nano.
19. For Approval Policy, add No Approval.

NOTE: This is the approval policy from the first part of the exercise.

20. Select the check-box for Automatic Fulfillment.

21. From the Owners and Administration tab, select the Save icon; then, from the
displayed dialog, select Save.
22. From the Sales Director Proposal Access page, select Publish.
23. From the left-panel, under Fulfillment, select Requests.
The following is displayed:

24. To fulfill the requests, minimize Firefox; then, from the server desktop, open the
install folder.
25. From the file browser, browse to the /opt/netiq folder; then open the
mmpPermissions.csv file.
26. In the mmpPermissions.csv file, search for the Proposals permission.
You see that the Permission ID value is 40000.
27. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.
28. Search for the Chris Black user; then add the 40000 permission to Chris.
29. Search for the Ernie Euro user; then add the 40000 permission to Ernie.
30. Search for the Ricardo Castro user; then add the 40000 permission to Ricardo.
31. Save and close the mmpAccounts.csv file.
32. Close the file browser; then maximize Firefox.
33. From the Fulfillment Requests page, next to the Task column heading, select the
check-box; then, from the Actions drop-down menu, select Fulfilled.
34. From the upper-right corner, select Submit 3 item(s).
35. From the left-panel, under Fulfillment, select Status.
You see the following:

36. From the left-panel, under Data Sources, select Applications.

37. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
38. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
39. From the left-panel, under Fulfillment, select Status.
You see that the Add permission to user fulfillment tasks have been verified:

Mine a Business Role Policy


1. From the left-panel, under Policy, select Business Roles.
2. From the Business Roles page, select the Mining tab.
You see the following:

3. For the Permission coverage field, replace 50 with 0.
4. In the Group candidates by field, add Title; then select the Mine roles icon.
The following is displayed:


5. Under the # Users column, for the Acct Executive title, select 4.
You see the users that match the Acct Executive title criteria:

6. Close the match criteria dialog.


7. Under the # Permissions column, for the Acct Executive title, select 7.
You see all permissions that the current Acct Executives are assigned:

8. Close the match permissions dialog.


9. Under the # Applications column, for the Acct Executive title, select 2.
You see the applications that the current Acct Executives are assigned:

10. Close the match applications dialog.


11. From the Title column, select the check-box for Acct Executive; then select
Create Candidates.
You see the following:

12. From the drop-down list, select Create a single business role candidate; then,
in the Name field, type Default Acct Executive Permissions.
13. Select Create Candidates.
14. From the Business Roles page, select the Roles tab.
15. From the list of business roles, select Default Acct Executive Permissions;
then, from the displayed details page, select Edit.
16. In the Grace period field, type 20.
17. Set the Risk Level Configuration to a normal level.
18. From the Membership tab, select the Membership expressions section
heading.
You see the following:


This expression was added during the mining process.


19. Select the Authorizations tab; then select the Authorized Permissions section
heading.
You see the permissions added during the mining process.
20. In the What-if Scenarios section, select Analyze SoD Violations.
You see the following:

21. Next to the Potential New Member SoD Violations, select 3.


You see users who would be in violation were the business policy to be activated:

22. From the dialog box, select Close; then close the Analyze SoD Violations box.
23. To fix the potential SoD violation, for the Invoices Create permission, at the end
of the permission line, select the X.
24. In addition, remove the permissions associated with the IDM roles by selecting
the X for the Resource Administrator and Resource Manager permissions.
25. For each permission, change No Auto-Grant or Auto-Revoke to Auto-Grant
and Auto-Revoke.
26. Select the Authorized Applications section heading.
You see the applications that were added during the mining process.
27. Select the Owners and Administration tab.
You see the values that were added during the mining process.
28. Select the check-box for Automatic Fulfillment.

29. From the Owners and Administration tab, select the Save icon.
30. Scroll to the top of the page.
You see the following:

31. From the Do you wish to promote this role candidate? drop-down, select Yes;
then select the Save icon.
32. From the Default Acct Executive Permissions page, select Publish.
33. From the left-panel, under Fulfillment, select Requests.
The following is displayed:

34. To fulfill the requests, minimize Firefox; then, from the server desktop, open the
install folder.
35. From the file browser, browse to the /opt/netiq folder; then open the
mmpPermissions.csv file.
36. In the mmpPermissions.csv file, search for the Proposals - Create permission.
You see that the Permission ID value is 40100.
37. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.
38. Search for the April Smith user; then add the 40100 permission to April.
39. Search for the Ken Carson user; then add the 40100 permission to Ken.
40. Search for the Kevin Chang user; then add the 40100 permission to Kevin.
41. Save and close the mmpAccounts.csv file.
42. Close the file browser; then maximize Firefox.
43. From the Fulfillment Requests page, next to the Task column heading, select the
check-box; then, from the Actions drop-down menu, select Fulfilled.
44. From the upper-right corner, select Submit 3 item(s).


45. From the left-panel, under Fulfillment, select Status.


You see the following:

46. From the left-panel, under Data Sources, select Applications.


47. For the ManageMyProject application, select the Collect Now icon.
Wait while the collection takes place.
48. For the ManageMyProject application, select the Publish Now icon.
Wait while the publication takes place.
49. From the left-panel, under Fulfillment, select Status.
You see that the Add permission to user fulfillment tasks have been verified:

Build a Business Role Review


In this part of the exercise, you create a review related to the business role you just
created.
1. From the left-panel, under Reviews, select Definitions; then, from the Review
definitions page, select the plus sign.
2. From the Review type drop-down list, select Business Role Membership
Review.
3. For Name, type Acct Executive Business Role Review then, from the Name
field, copy the Acct Executive Business Role Review text.
4. In the Description field, paste the text from the previous step.
5. In the Business Role Membership Review items section, from the drop-down list,
select Select business roles.
6. In the Search for business roles field, add Default Acct Executive Permissions.
7. Select the Reviewers section heading; then, from the Reviewer drop-down list,
select Review by Selected Users.


8. In the User or group required field, add Terry Mellon.
9. From the New Review Definition page, select the Save icon; then, to run the
review, select the Run icon.
10. From the Start review dialog, select Start and Go Live.
11. Sign out as cnano; then sign in as tmellon.
From the left-panel, under Reviews, you see that the review is ready for Terry’s
attention.
12. From the left-panel, under Reviews, select Reviews; then, from the Reviews
page, select the Acct Executive Business Role Review review.
13. Select the Your review items tab.
14. From the list, for Kevin Chang, select Remove; then, for all other users, select
Keep.
15. To submit this part of the review, select Submit 4 item(s).
16. Sign out as tmellon; then sign in as cnano.
17. From the left-panel, under Reviews, select Reviews.
18. From the Reviews page, for the Acct Executive Business Role Review review,
select Owner Approval Required; then, from the Acct Executive Business Role
Review page, select the Review items tab.
You see the current progress of the review.
19. In the OWNER APPROVAL box, select Approve.
The review is now certified.
20. From the left-panel, under Fulfillment, select Requests.
You see the request to remove Kevin Chang from the Default Acct Executive
Permissions business role.
21. To fulfill the request, from the left-panel, under Policy, select Business Roles.
22. From the Business Roles list, select the Default Acct Executive Permissions
role; then select Edit.
23. From the Default Acct Executive Permissions page, select Deactivate; then,
select the Excluded users section heading.
24. In the Excluded users area, next to Users, select the plus sign.
25. From the Search for and select users page, search for Kevin Chang.
26. Select the check-box for Kevin Chang; then select Add (1).
27. From the Default Acct Executive Permissions page, select the Save icon; then
select Publish.
28. From the left-panel, under Fulfillment, select Requests.
You see the request to remove Kevin from the Default Acct Executive
Permissions business role.

29. Under the Action heading, select Fulfilled; then select Submit 1 item(s).
30. From the left-panel, under Data Sources, select Applications; then, for the
ManageMyProject application, perform a Collect and Publish.
31. From the left-panel, under Fulfillment, select Status.
You see that Kevin’s removal from the business role is verified.

NOTE: This review is designed to review the members of the business role - not the permissions
assignment. In the exercise, Kevin was removed as a member of the business role, but his access to
the role permissions was not removed.
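The mining pass from “Mine a Business Role Policy” (group by Title, Permission coverage, promote the candidate) and the Excluded users step used to fulfill Kevin’s removal, as an added Python model that is not from the workbook or from Identity Governance. The user set, the catalog and the coverage rule (keep a permission when at least the given percentage of the group hold it) are assumptions; titles, permission names and application names follow the exercise.

```python
"""Business role mining and membership, modelled on Exercise 5-2.

Added example, not from the workbook or Identity Governance. The users and
catalog are constructed (titles, permission names and application names
follow the exercise); the coverage rule (keep a permission when at least
coverage_pct percent of the group hold it) is an assumption about the
Permission coverage field.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed permission catalog: id -> (name, application).
PERMISSIONS = {
    40000: ("Proposals", "ManageMyProject"),
    40100: ("Proposals - Create", "ManageMyProject"),
    40200: ("Proposals - Edit", "ManageMyProject"),
    40300: ("Proposals - Delete", "ManageMyProject"),
    60100: ("Invoices - Create", "ManageMyProject"),
    90001: ("Resource Administrator", "Identity Manager Permissions"),
    90002: ("Resource Manager", "Identity Manager Permissions"),
}
# Constructed identities: name -> (Title attribute, permission IDs held).
USERS = {
    "April Smith": ("Acct Executive", {40000, 40200, 60100, 90001}),
    "Ken Carson": ("Acct Executive", {40000, 40200, 90002}),
    "Kevin Chang": ("Acct Executive", {40000, 40100, 40200, 90001}),
    "Dana Doe": ("Acct Executive", {40000, 40200, 40300, 60100, 90002}),
    "Chris Black": ("Sales Director", {40000}),
}


@dataclass
class RoleCandidate:
    group_value: str      # the Title the candidate was mined from
    users: list           # '# Users' column
    permissions: list     # '# Permissions' column (IDs meeting coverage)
    coverage: dict        # permission id -> percent of the group holding it

    @property
    def applications(self) -> list:
        """'# Applications' column: applications behind the kept permissions."""
        return sorted({PERMISSIONS[p][1] for p in self.permissions})


def mine_roles(users: dict, coverage_pct: int = 50) -> dict:
    """Group candidates by Title; one RoleCandidate per distinct title."""
    groups = {}
    for name, (title, _held) in users.items():
        groups.setdefault(title, []).append(name)
    candidates = {}
    for title, members in groups.items():
        counts = Counter(p for m in members for p in users[m][1])
        coverage = {p: 100 * n // len(members) for p, n in counts.items()}
        kept = sorted(p for p, pct in coverage.items() if pct >= coverage_pct)
        candidates[title] = RoleCandidate(title, sorted(members), kept, coverage)
    return candidates


@dataclass
class BusinessRole:
    name: str
    membership_attribute: str
    membership_value: str
    authorized_permissions: set
    excluded_users: set = field(default_factory=set)   # Excluded users section

    def members(self, users: dict) -> list:
        """Membership expression match, minus explicit exclusions."""
        return sorted(n for n, (title, _held) in users.items()
                      if title == self.membership_value
                      and n not in self.excluded_users)

    def missing_grants(self, users: dict) -> dict:
        """Per member, authorized permissions not yet held: the
        'Add permission to user' fulfillment tasks created after Publish."""
        return {n: sorted(self.authorized_permissions - users[n][1])
                for n in self.members(users)
                if self.authorized_permissions - users[n][1]}


def promote(candidate: RoleCandidate, name: str,
            drop: frozenset = frozenset()) -> BusinessRole:
    """Promote a candidate to a business role, dropping the permissions removed
    after the what-if SoD analysis (the X next to a permission)."""
    return BusinessRole(name, "Title", candidate.group_value,
                        set(candidate.permissions) - set(drop))
```

Excluding a user removes them from the role's membership but, as the NOTE above says, leaves the permissions they already hold untouched; the model reflects that because `members` and the held permission sets are independent.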

(End of Exercise)


Exercise 5-3 Create a Business Roles Policy with Automated Fulfillment


In this exercise, you define a business role policy that assigns specific permissions to
users who are assigned the Account Manager attribute.
You do the following:
1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Policy, select Business Roles; then, from the Business
Roles page, select the plus sign.
3. For Name, type Account Manager VPN Access; then, copy the Manager VPN
Access text.
4. In the Description field, paste the text from the previous step.
5. For Grace period, type 20.
6. Set the Risk Level Configuration to a normal value.
7. From the Membership tab, select the Membership expressions section
heading; then, next to Add expression, select the plus sign.
You see the following:

8. In the Search for catalog attribute value or enter your own field, add Account
Manager.
You see the following:

9. Above the Membership expressions heading, select View Members.


You see the list of users that have the Account Manager attribute assigned and
who will be given permissions based on this business role policy:


10. Close the displayed dialog box.


11. Select the Authorizations tab; then select the Authorized Permissions section
heading.
12. Next to Permissions, select the plus sign; then select Add permissions from
catalog.
13. From the Search for and select permissions page, search for the VPN Access
permission.
14. Select the check-box for VPN Access; then select Add (1).
The following is displayed:

15. From the No Auto-Grant or Auto-Revoke drop-down list, select Auto-Grant and
Auto-Revoke.
16. Select the Authorized Applications section heading; then, next to Applications,
select the plus sign.
17. From the pop-out box, select Add applications from catalog.
18. From the Search for and select applications page, select the check-box for Utopia
Active Directory Driver; then select Add (1).
19. Select the Owners and Administration tab.
20. For Role owner, Role manager and Fulfiller, add Chip Nano.
21. For Approval Policy, add No Approval.
22. Select the check-box for Automatic Fulfillment.
23. From the Owners and Administration tab, select the Save icon; then, from the
displayed dialog, select Save.
24. From the Manager VPN Access page, select Publish.
25. From the left-panel, under Fulfillment, select Status.
The following is displayed:


26. In Firefox, switch to the IDM User App tab.


27. If necessary, log in as uaadmin.

NOTE: If you are presented with the Single Sign On Setup Security Questions page, select the
IDM User App bookmark again.

28. From the top menu, select Roles and Resources; then, from the Role Catalog,
select VPN Access.
29. From the VPN Access page, select the Assignments tab.
You see that the five Account Manager users have been granted VPN access.
Take note of the Initial Request Description for each of the users.

30. Select Cancel; then, in Firefox, switch back to the Identity Governance tab.
31. From the left-panel, under Data Sources, select Applications; then, for the
Identity Manager Permissions application, perform a Collect and Publish.
32. From the left-panel, under Fulfillment, select Status.
You see that the Add permission to user fulfillment tasks have been verified:

(End of Exercise)


Exercise 5-4 Develop an Access Requests Policy


In this exercise, you create an access request policy that enables specific users to
individually request access to specific permissions from the ManageMyProject
application.
You do the following:
 “Create an Access Request Policy” on page 90
 “Test the Access Request Policy” on page 92

Create an Access Request Policy


1. Verify that you are signed in to Identity Governance as cnano.
2. From the left-panel, under Policy, select Access Request.
3. From the Access Request Policies page, select the plus sign.
You see the following:

4. For Name, type Request Proposals Permissions; then, copy the Request
Proposals Permissions text.
5. In the Description field, paste the text from the previous step.
6. From the list of sections, select the Allowed Users section heading; then, next to
Users, select the plus sign.


7. From the Search for and select users page, search for and select the check-boxes
for the following users: Kip Keller, Ned North, Sally South, Jay West, and
Cal Central; then select Add (5).
You see the following:

8. For Kip Keller, de-select the check-box for Self; then select the check-box for
Direct Reports.
9. From the New Access Request Policy page, select the Save icon.
10. From the Request Proposals Permissions page, select the Permissions tab; then,
next to Permissions, select the plus sign.
11. From the Search for and select permissions page, in the Search for permission
field, type proposals.
You see a list of four proposal permissions.
12. Select the check-boxes for the four Proposals permissions; then select Add (4).
The policy is automatically saved.
13. From the left-panel, under Policy, select Access Request; then, from the Access
Request Policies page, select the Approval Policies tab.
The following is displayed:


14. From Access Request Approval Policies section, under the Name heading, select
Manager Approval.
15. For the Manager Approval policy, select Edit; then, from the Manager Approval
page, select the Permissions tab.
16. Next to Permissions, select the plus sign.
17. From the Search for and select permissions page, in the Search for permission
field, type proposals.
18. Select the check-boxes for the four Proposals permissions; then select Add (4).
The policy is automatically saved.

Test the Access Request Policy


1. Sign out as cnano; then sign in as kkeller.
2. From the left-panel, under Request, select Access Request.
You see the following:

3. Under Current Access, select the Kip Keller box.


The following is displayed:


Notice that Kip cannot request access for himself, but he can request for the other
members of his team. (Those he can request for are highlighted in light blue.)
4. Select Cal Central.
You see Cal’s list of permissions to which he has access.
5. From the menu, select Request > Browse; then, from the Browse Requests page,
select the box for ManageMyProject.
You see the list of permissions that Kip is authorized to assign to Cal as defined
in the Access Request policy:

6. Sign out as kkeller; then sign in as ssouth.


7. From the menu, select Request > Browse; then, from the Browse Requests page,
select the box for ManageMyProject.
8. Under Application Permissions, one at a time, select each permission; then, for
each permission, select Add to Request.
You see the following:

9. Next to Browse Requests, select the shopping cart icon; then, from the Confirm
and submit requests dialog, select Submit.
10. Sign out as ssouth; then sign in as kkeller.


You see that Kip has one request awaiting his approval:

11. From the menu, select Approvals > My Approvals; then, under My Approvals,
select the box that contains the access request submitted by Sally South.
You see the following:

12. For Proposals - Edit and Proposals - Create, select Approve.


13. For Proposals - Delete and Proposals, select Deny; then select Submit items.
14. Sign out as kkeller; then sign in as cnano; then, from the menu, select
Governance Administration.
From the left-panel, you see that two requests are awaiting fulfillment.
15. From the left-panel, under Fulfillment, select Requests.
The following is displayed:

16. To fulfill the requests, minimize Firefox; then, from the server desktop, open the
install folder.
17. From the file browser, browse to the /opt/netiq folder; then open the
mmpPermissions.csv file.
18. In the mmpPermissions.csv file, search for the Proposals - Create permission.
You see that the Permission ID value for Proposals - Create is 40100.
19. Search for the Proposals - Edit permission.
You see that the Permission ID value for Proposals - Edit is 40200.
20. Close the mmpPermissions.csv file; then open the mmpAccounts.csv file.


21. Search for the Sally South user; then add the 40100 and 40200 permissions to
Sally.
22. Save and close the mmpAccounts.csv file.
23. Close the file browser; then maximize Firefox.
24. From the Fulfillment Requests page, next to the Task column heading, select the
check-box; then, from the Actions drop-down menu, select Fulfilled.
25. From the upper-right corner, select Submit 2 item(s).
26. From the left-panel, under Fulfillment, select Status.
You see the following:

27. To verify the request, from the left-panel, under Data Sources, select
Applications; then, for ManageMyProject, perform a Collect and a Publish.
Wait while the Collect and Publish take place.
28. From the left-panel, under Fulfillment, select Status.
You see that the status for each of the add permission requests is Verified
fulfilled:
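The access request flow exercised above, as an added Python model that is not from the workbook or from Identity Governance: who may request for whom under the Allowed Users scopes (Kip with Direct Reports only, the others with Self), which permissions the Manager Approval policy routes to the target's manager, and which approved items become fulfillment tasks. The reporting lines and the rule that permissions outside the approval policy are pre-approved are assumptions; the users and the four Proposals permissions come from the exercise.

```python
"""Access request policy model based on Exercise 5-4.

Added example, not from the workbook or from Identity Governance. The allowed
users, Kip's Direct Reports-only scope, the four Proposals permissions and the
Manager Approval policy come from the exercise; the reporting lines and the
rule that uncovered permissions are pre-approved are assumptions.
"""
from dataclasses import dataclass

# Constructed reporting lines (user -> manager); the workbook only shows that
# Kip requests for his team and approves Sally's request.
MANAGERS = {
    "Ned North": "Kip Keller",
    "Sally South": "Kip Keller",
    "Jay West": "Kip Keller",
    "Cal Central": "Kip Keller",
}
PROPOSALS = {"Proposals", "Proposals - Create",
             "Proposals - Edit", "Proposals - Delete"}


@dataclass(frozen=True)
class AllowedUser:
    name: str
    self_: bool = True             # Self check-box (on by default in the UI)
    direct_reports: bool = False   # Direct Reports check-box


@dataclass
class AccessRequestPolicy:
    name: str
    allowed: dict      # name -> AllowedUser
    permissions: set   # requestable permissions

    def targets_for(self, requester: str, managers: dict) -> set:
        """Users the requester may request for (the highlighted boxes)."""
        entry = self.allowed.get(requester)
        if entry is None:
            return set()
        targets = {requester} if entry.self_ else set()
        if entry.direct_reports:
            targets |= {u for u, m in managers.items() if m == requester}
        return targets

    def can_request(self, requester, target, permission, managers) -> bool:
        return (permission in self.permissions
                and target in self.targets_for(requester, managers))


@dataclass(frozen=True)
class ManagerApproval:
    """Approval policy: the target's manager must approve these permissions."""
    permissions: frozenset


@dataclass
class AccessRequest:
    requester: str
    target: str
    approver: str    # None when nothing in the request needs approval
    items: dict      # permission -> "pending" | "approved" | "denied"


REQUEST_PROPOSALS = AccessRequestPolicy(
    "Request Proposals Permissions",
    {"Kip Keller": AllowedUser("Kip Keller", self_=False, direct_reports=True),
     **{n: AllowedUser(n) for n in ("Ned North", "Sally South",
                                    "Jay West", "Cal Central")}},
    PROPOSALS)
MANAGER_APPROVAL = ManagerApproval(frozenset(PROPOSALS))


def submit_request(policy, approval, requester, target, permissions, managers):
    """Validate a request; covered items wait for the manager, others are pre-approved."""
    blocked = sorted(p for p in permissions
                     if not policy.can_request(requester, target, p, managers))
    if blocked:
        raise PermissionError(f"{requester} may not request {blocked} for {target}")
    needs_approval = set(permissions) & approval.permissions
    approver = managers.get(target) if needs_approval else None
    if needs_approval and approver is None:
        raise LookupError(f"no manager on record to approve for {target}")
    items = {p: ("pending" if p in needs_approval else "approved")
             for p in permissions}
    return AccessRequest(requester, target, approver, items)


def decide(request, approver, decisions):
    """Record per-item verdicts; return fulfillment tasks for approved items."""
    if approver != request.approver:
        raise PermissionError(f"{approver} is not the approver of this request")
    for permission, verdict in decisions.items():
        if request.items.get(permission) != "pending":
            raise ValueError(f"{permission!r} is not awaiting a decision")
        if verdict not in ("approved", "denied"):
            raise ValueError(f"bad verdict {verdict!r}")
        request.items[permission] = verdict
    return sorted((request.target, p) for p, v in request.items.items()
                  if v == "approved")
```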

(End of Exercise)


SECTION 6 Integrating Identity Reporting

Identity Governance integrates with Identity Reporting to generate reports about the
status of reviews, collected and published data, and fulfillment. The Report
Administrator can create, run, and view reports. You can use Identity Reporting with
Identity Governance as a standalone installation, or run reports from an existing
installation of Identity Manager Identity Reporting.
In this section, you use Identity Reporting with Identity Governance in an
environment without Identity Manager.
You do the following exercise:
1. “Implement Identity Reporting” on page 98


Exercise 6-1 Implement Identity Reporting


1. Sign out of Identity Governance as cnano; then sign in as tmellon.
Remember that Terry is assigned the Report Administrator authorization
assignment.
2. From the Identity Governance admin utility, in the upper-right corner of the page,
select the Home icon.
You are re-directed to the Identity Reporting admin utility:

3. From the left-panel, select Data Sources; then, from the Data Sources page,
select the plus sign.
You see the following:

4. Type the following:
 Name: IG Data
 Host: 172.17.5.115
 Port: 5432
 Database: igops
 Username: igrptuser
 Password: netiq000
5. Select Test Connection.
You see the following:

6. Select Save.
The data source is added:

7. From the left-panel, select Download.


You see a list of all the reports that are provided with Identity Reporting for
Identity Governance.
8. Scroll through the list and review the descriptions for any desired reports; then,
next to the Bulk Actions drop-down list, select the down arrow.
You see the following:


NOTE: In a non-lab environment, with Internet access, you would be able to perform any of
the displayed actions for your desired reports. Because Internet access is not available for the
labs in this course, the report source files have been downloaded for you and are stored on the
IG Server virtual machine. Instead of installing the report definitions from the Internet, you
import the source files from the server. The end-result is the same.

9. From the left-panel, select Import; then, from the Import Report Definitions
page, select Browse.
You see a list of report definition source files.
10. From the list, select the Catalog-Accounts-Details_3.0.0.0.rpz file; then select
Open.
The following is displayed:

11. Select Import.


You see the following:

12. In the yellow shaded area, select the link for Repository.
You see the newly-imported report definition.
13. From the definitions list, use the mouse pointer to hover over Catalog Accounts
Details.
You see the following:


14. Select Edit.


You see the details of the report and report options.
15. From the left-panel, select Repository; then, from the definitions list, use the
mouse pointer to hover over Catalog Accounts Details.
16. Select Run Now.
You see the following:

17. In the yellow shaded area, select the link for Reports.
You see the completed report:

18. For the Catalog Accounts Details report, select View.


You see a PDF version of the completed report.
19. Scroll through the report as desired; then, when finished, close the report page.
20. Feel free to repeat Step 9 through Step 19 to import and run other reports as
desired.
(End of Exercise)
