Identity Governance and Administration as a Service Quick Start

This quick start provides a brief overview of the NetIQ Identity Governance and Administration hybrid solution and the tasks you need to complete to start using Identity Governance as a Service.

Figure 1 Overview of Identity Governance and Administration

Identity Governance and Administration (IGA) manages and governs digital identities and enforces appropriate access across the enterprise. With a unified governance framework, organizations can determine who has access to which resources and whether that access is appropriate. Scaling to billions of identities, IGA automates and streamlines processes related to access requests, access certification, identity lifecycle management, provisioning, and compliance reporting. IGA detects changes as they happen in the connected systems and adjusts security controls for continuous compliance, thus reducing risk and increasing efficiency for the organization.

IGA, as illustrated in the above diagram, includes following main components and additional services:

  • NetIQ Identity Governance helps organizations run effective access certification campaigns and implement identity governance. Key features include certification reviews, micro-certifications, access request and approval, segregation of duties (SOD), and governance insight. Identity Governance can be deployed on premises or using SaaS.

  • NetIQ Identity Manager powers the entire identity management lifecycle, managing identities and their associated attributes to minimize privileges. Key features include automated provisioning, identity attribute management, password synchronization, and data and event transformation to match organizational business processes.

You can use the IGA hybrid solution to log in to Identity Governance as a Service using Advanced Authentication as a Service for authentication based on methods and repositories configured in Advanced Authentication tenancy. In addition, you can collect data from on-premises Identity Manager using a data transfer bridge (Cloud Bridge), create custom workflows for request approval on fulfillment, and generate reports.

Identity Governance as a Service and Advanced Authentication as a Service will be deployed, configured, and maintained by OpenText. Once you receive your tenancy URL (http://tenantid.igasubdomain.hostedsaasdomain.com), you can log in to Identity Governance, assign authorizations, and perform governance tasks.

1.0 Browser Requirements for Identity Governance and Its Components

To log in to Identity Governance on their local devices, users must have one of the following browser versions, at a minimum:

  • Apple Safari 17.4.1 (19618.1.15.11.14)

  • Google Chrome 125.0.6422.113

  • Microsoft Edge Browser 125.0.2535.51

  • Mozilla Firefox 126.0

IMPORTANT:The browser must have cookies enabled. If cookies are disabled, the product will not work.

2.0 Supported Integrated Components

This section outlines the integrated component versions.

2.1 Integrated Components

  • Form Builder 1.5.2.0000

  • Identity Reporting 7.3

  • Workflow Console 1.0.8.0000

  • Workflow Engine 1.0.8.0000 on the same Tomcat server as Identity Governance

2.2 Supported Identity Manager Drivers and Packages

Identity Governance provides IDM entitlement application definition and application templates to collect account and permission entitlements from an on-premises Identity Manager environment. To successfully collect all accounts and permissions, the supported drivers must be running. Find below a list of the Identity Manager and Identity Governance supported drivers.

  • Drivers in Identity Manager 4.8.4 and later patched versions

  • Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.20220110104142

    Driver

    Minimum Driver Version

    Minimum Package Version

    Active Directory

    4.1.3.0

    • NOVLADENTEX_2.5.7.20190610155012

    Azure AD

    5.1.7

    • MFAZUREENTL_1.0.2.20211118165327

    • MFAZUREXROLE_1.0.2.20211125114229

    Bidirectional

    4.0.4.0

    • NOVLEDIR2ENT_2.2.7.20211118165416

    Groupwise REST

    4.0.1.1

    • NOVLGRPWRAEN_3.1.1.20211209173838

    JDBC

    4.2.2.0000

    • NOVLJDBCBISN_2.0.0.20211208134901

    • NOVLJDBCENTI_2.4.4.20211208135336

    • NOVLORAINSYN_2.1.0.20211208135824

    • NOVLSQSIDSYN_2.1.1.20211220115351

    • NOVLPGSINSYN_2.1.1.20211220124959

    Lotus Notes

    4.1.2.0

    • NOVLNOTEENT_2.4.1.20211118113748

    SAP User Management

    4.0.4.0

    • NOVLSAPUFENT_2.3.5.20211217153914

    • NOVLSAPUMIG_1.0.0.20211217153953

    SCIM

    1.0.1.0200

    • NETQSCIMENT_1.0.1.20211223151040

    • NETQSCIMBASE_1.0.1.20211223151032

    Workday

    1.3.0.0100

    • NETIQWDENT_1.0.0.20210505165701

3.0 Logging In to the Identity Governance Service

After signing up for Identity Governance as a Service, log in to your unique URL using the provided user name and password. You must log in with the bootstrap administrator account until you have collected and published identities and assigned a user as the Customer Administrator. Bootstrap administrator account is created during the onboarding process. We recommend that you change the bootstrap administrator password. You can change the password by logging in to your aa service/account as tenantid\IGBOOTSTRAPS\bootstrap administrator email. For example, when Tenant ID is Tenant 1 and the bootstrap administrator email is igadmin@tenant1.com, log in to your aa.cyberresprod.com/account as TENANT1\IGBOOTSTRAPS\igadmin@tenant1.com.

4.0 Installing and Configuring the Cloud Bridge Agent

In as a Service environment, Cloud Bridge is a data transfer bridge between the application in the cloud and data sources in on-premises environments. The Cloud Bridge Agent(CBA) is the entity that responds to the collection and fulfillment commands and directs them to the proper data source for execution. The following diagram provides a brief overview of the Cloud Bridge setup.

Figure 2 Overview of Cloud Bridge Setup

The Cloud Bridge Data Center in your Identity Governance tenancy is created by the SaaS team based on the information you provide in the technical questionnaire. Data Centers are a conceptual representation of your Cloud Bridge Agent instance and could reside in different on-premises and cloud environments. DataCenter.json contains customer-specific data center information. Defines the connection information between the CBC and a single CBA instance. Install the Cloud Bridge Agents on your local systems, then configure Identity Governance Data Source Connections and Data Sources as needed to connect to your on-premises data sources.

For information about the Cloud Bridge Agent and related Identity Governance procedures, see the following sections.

4.1 Installing and Upgrading the Cloud Bridge Agent

Prior to installing the Cloud Bridge Agent on premises, the SaaS operations team must have granted you the privilege to use Cloud Bridge. You or an authorized user can then add an external repository in the IGA Advanced Authentication tenancy.

NOTE:Use TENANT_ID_AA_ER, where TENANT_ID is in uppercase, as the name of the external repository. For more information about adding Cloud Bridge external repository, refer to the NetIQ Advanced Authentication Administration Guide.

Regarding upgrading your Cloud Bridge Agent, before you upgrade an existing CBA installation, you should review your environment and do some planning for high availability. For more information about installing and upgrading the Cloud Bridge Agent on premises, refer to the NetIQ Cloud Bridge Agent Release Notes and the NetIQ Cloud Bridge Agent Installation and Administration Guide.

IMPORTANT:(TBD) The connector jar files used for identity and application data collection and fulfillment have been updated to Java 11. The Cloud Bridge Agent 1.10.0 has been updated to JDK 17, which is backward compatible with JDK 11. If you have custom connectors that were compiled with JDK 8, you will need to recompile them with JDK 11. You must also ensure that any new custom connectors are compiled with JDK 11.

The CBA installation script does not automatically remove custom connectors from the bridge-lib folder, so you must manually remove them if you want to replace them with the updated connectors.

Additionally, with JDK 17, the Nashorn JS Engine is no longer a part of the JDK. As a result, Identity Governance 4.2 and Cloud Bridge 1.10.x now utilize the Graal JS Engine. This change could impact your transformation scripts in collectors and fulfillment, as well as your code in a custom collector or fulfillment. Ensure that you review and test all of your transformation scripts and custom code accordingly.

4.2 Configuring Identity Governance Data Source Connection and Adding Credentials

After installing the agent, you must configure a data source connection in Identity Governance, then add credentials using the Cloud Bridge Agent UI. For information about configuring data source connections, and adding credentials, see Collecting Data Using Cloud Bridge in the Identity Governance as a Service User and Administration Guide and Add Credentials for Data Source Connections in the Cloud Bridge Installation and Administration Guide.

When adding credentials, in addition to unique ID, user name, and password, you must also specify the appropriate ordinal for the authentication method. When a connector (collector or fulfiller) takes only one credential pair, then the default ordinal value of 0 is used. When a connector supports more than one credential pair (user name and password) combination such as the IDM AE Permission Collector and SCIM collectors and fulfiller, then you need to specify additional ordinals.

NOTE:The user name and password fields are limited to 255 characters.

You can view the existing credentials you have by visiting http://localhost (CBA IP address or DNS name):8080/api/v1/credential. Since the connector can only be configured for one type of authentication, the other credential sets will be unused by the connector.

IMPORTANT:When configuring the Cloud Bridge Agent, it is critical that the proper ordinal value be utilized for the authentication method being utilized. For example, if a SCIM Identity Collector is being configured in Identity Governance and Basic Auth is selected for the Authentication Method, the basic authentication credentials would need to be added to the Cloud Bride Agent using ordinal value 3. Also note that if an authentication method is chosen that requires multiple credential sets, ALL of these credential sets must be added to the CBA using specific ordinal values. For addition information about specific ordinal values and authentication methods, refer to the Identity Governance as a Service User and Administration Guide.

5.0 Configuring Identity Governance Data Sources and Collecting and Publishing Data

Once you have completed the above procedures and established data source connections with the Cloud Bridge, enable the collection using the out-of-the-box templates, then start collecting and fulfilling change requests. For information about collection and fulfillment see the following chapters in the Identity Governance as a Service User and Administration Guide:

6.0 Requesting Access and Performing Governance and Administration Tasks

For information about requesting access and performing other governance tasks such as setting up access reviews, and creating policies, and managing data, refer to the Identity Governance as a Service User and Administration Guide. For additional information regarding creating and customizing your request approval and fulfillment workflows, refer to the Workflow Service Administration Guide.

For additional documentation, visit the Micro Focus Identity Governance and Administration website.

7.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@microfocus.com. We value your input and look forward to hearing from you.

For support, visit the CyberRes by OpenText Support Website or email cyberressupport@microfocus.com.

For general corporate and product information, visit the Corporate Website.

For interactive conversations with your peers and experts, become an active member of our community. The online community provides product information, useful links to helpful resources, blogs, and social media channels.

8.0 Legal Notice

The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Copyright 2024 Open Text.