Identity Certification

Contents

1. 8. Click Review to review the Role Entitlements. [Role Entitlements review table: policies with attribute values such as Corporate TIMS Support Users (Z_CRM_BC_ALL_USERS, Z_CRM_BC_SUPPORT_CENTER) and Managers (SU04, SU08, SU09), each with Certify, Revoke, Unknown and Exception Allowed options and a Comments field] 9. Assign Certify, Revoke, Unknown or Exception Allowed to sign off each attribute value within each policy that belongs to a particular role. Each policy can also be certified as a whole. Applying Revoke, Unknown or Exception Allowed to an attribute requires entering a comment to signify why the attribute policy should no longer be associated with the role (in the case of Revoke), why the nature of the association of the attribute policy is unknown (in the case of Unknown), and what the exception is and why it is being allowed (in the case of Exception Allowed). (Chapter 8, Identity Certifications, p. 115: Completing a Role Entitlement Certification)
2. 0 10 44 14 3 WED: Fire at 2:10pm and at 2:44pm every Wednesday in the month of March. 0 15 10 MON FRI: Fire at 10:15am every Monday, Tuesday, Wednesday, Thursday and Friday. 0151015: Fire at 10:15am on the 15th day of every month. 01510L: Fire at 10:15am on the last day of every month. 01510 6L: Fire at 10:15am on the last Friday of every month. 01510 6L 2002 2005: Fire at 10:15am on every last Friday of every month during the years 2002, 2003, 2004 and 2005. 0 15 10 6: Fire at 10:15am on the third Friday of every month. 0 0 30 8 9 5 20: Fires every half hour between the hours of 8 am and 10 am on the 5th and 20th of every month. Note that the trigger will NOT fire at 10:00 am, just at 8:00, 8:30, 9:00 and 9:30. (Sun Role Manager 4.1, September 2008, p. 142: Role Manager Scheduling) 0 30 23 19: Fires at 10:30, 11:30, 12:30 and 13:30 on every Wednesday and Friday. MOE e te: Fire every 5 minutes and 10 seconds. 00 5 TST: Fire every 5 minutes. The current schedule, which is fixed for the various jobs, is listed below (Job: Schedule). GDW User Import: Fires at 7:05 am every day. Glossary Import: Fire at 10:05am every day. Account Import: Fire every 15 minutes between 12 am and 4 pm and between 9 pm and 12 pm every day. Account Export: Fire at 7:05 pm every day. Follow the given steps to enable the four jobs in Role Manager: 1. Log on to the Application Server. 2. Browse to l
3. Add child Business Unit to Business Unit: Allows a user to add child Business Units. Add/remove Global User to/from Business Unit: Allows a user to add/remove Global Users. Add/remove Role to/from Business Unit: Allows a user to add/remove Roles. (Chapter 4, Role Manager Security, p. 49) Add/remove Policy to/from Business Unit: Allows a user to add/remove Policies. Add/remove Application to/from Business Unit: Allows a user to add/remove Applications. Sign off Reports: Allows a user to sign off reports. Certify Entitlements: Allows a user to certify associated entitlements. Privileges are assigned to roles. There are System and Business Unit roles: System roles are assigned system-level privileges; Business Unit roles are assigned business-level privileges. Roles are assigned to users. Role Manager Roles: Follow the steps given below to create a New Role: 1. Log into Role Manager. 2. Browse to the Security Tab under Administration. 3. Click on Role Manager Roles. 4. Click New Role Manager Role. [Figure 4.1: New Role Manager Role Wizard] 5. Enter Role Name and Description. Click Next. (Sun Role Manager 4.1, September 2008, p. 50: Role Manager Security) [Screenshot: Administration > Rbacx Users > Rbacx Roles, New Rbacx Role]
4. [Namespace attribute table residue: MasterDirectory and NextFreeMinUID (UNIX ETC), OpenVMS] [Figure 3.5: Delete Namespace] (Chapter 3, Role Manager Configuration, p. 23: System Configuration) 9. A message appears to confirm the deletion. On clicking, the namespace gets deleted. Attribute Categories: Attributes are entitlements which need to be defined for every user. Attributes are grouped into Attribute Categories. Each Attribute Category is defined by a set of similar attributes. Attribute Categories are uniquely defined in a Namespace. Steps to create, rename and delete an Attribute Category: 1. Start Role Manager by clicking on the Role Manager Icon. 2. The login dialog box appears. Enter the Admin credentials and login to Role Manager. 3. Go to Administration > Configuration > Namespaces. 4. Addition of a new Attribute Category is done by highlighting the Namespace for which you need to create an Attribute Category and clicking on the New Attribute Category Tab. 5. A dialog box appears where the user needs to enter the Name of the new Attribute Category along with the category order. 6. To rename an Attribute Category, highlight the Attribute Category and click on the Rename tab. (Sun Role Manager 4.1, September 2008, p. 24: System Configuration) [Rename Attribute Category dialog (Account Container)] Figure 3.6 Ren
5. [Table of contents fragment] Workflow Design: Add a Step, 157; Chapter 12, Role Provisioning Rules: Rule Based Role Assignment and Role Consolidation, 173; Load/Unload Data From Database, 179; How CloverETL Works with Databases, 179; Mapping JDBC data types onto Clover types, 180; DBOutputTable, 184; Executing SQL DML/DDL Statements against DB, 186; Representation of Data within CloverETL, 189; What Types of Data Fields CloverETL Supports, 189; Specification of Record, 191; Field Formats and Other Features, 192. Preface: Who should read this guide: The Sun Role Manager 4.1 Administration Guide is intended for use by service providers, deployment engineers and
6. [Figure 5.1: Available Orphan Accounts (Identity Warehouse > Users > Orphan Accounts; namespaces ActiveDirectory, SAP R3, ACF2, RACF; columns Account Name, Account Type, Domain, Create Date)] 7. Select account(s) by selecting the corresponding checkbox and then select Assign to User. 8. A pop-up opens that allows searching for and selecting a User. (Sun Role Manager 4.1, September 2008, p. 60: Manual Correlation) [Figure 5.2: Search and Select a User (Search / Advanced Search; columns User Name, First Name, Last Name, Phone, Primary Email; 1-10 of 54 records)] Using the quick search or advanced search feature, search for the User to be assigned the orphan account(s). Select the desired User from the search result and click Ok. Steps to Change Ownership o
7. [Figure 3.11: View Endpoints (Identity Warehouse > EndPoints; columns EndPoint, Namespace; Vaau Active Directory 00 10 through 00 70 in the ActiveDirectory namespace and SAP Productiton 300 in SAP R3; 1-10 of 37 records)] 4. This gives a list of all the endpoints in the identity warehouse. Select the endpoint for which an attribute value is to be modified in the glossary by clicking on the Endpoint. Select the Data Management Tab. (Sun Role Manager 4.1, September 2008, p. 30: System Configuration) [Screenshot: EndPoints > Vaau Active Directory 00 10]
8. [Figure 9.1: Set Auditable Attributes (Administration > Configuration > Namespaces; attribute table for the ActiveDirectory namespace with columns Name, Description, Values, Mandatory, Managed, Auditable, Importable, Minable, Certifiable; attributes such as FirstName, MiddleInitials, LastName, DisplayName, ADSdescription, Office, Telephone, OtherTelephone, Info, Email; 1-10 of 12 records)] Create Audit Rules: Steps to Create an Audit Rule: 1. Log into the Role Manager Web
9. [Figure 11.7: Versions Tab (Role Management > Roles; prompt "Select a Role from the Roles panel on the left"; roles including Cash and Stock Reconciliation Clerk, Finance Assistant, Assistant Loan Administrator, Management Accountant, Operations Generalist, Settlement Analyst, Trade Finance & Documentary Credits Clerk; versions 1-5 with Version Status Inactive/Active, Version Date and Last Updated 03/15/2008, Created By rbacxadmin; tabs General, Business Units, Policies, Exclusion Roles, Custom Properties; Compare Versions, Review Modifications, Refresh)] (Chapter 11, Role Management and Designing Workflows)
10. [Figure 9.10: Select Business Unit (business unit tree: Vaau Inc, Cost Centers, Projects, Identity Management, Web Conversion, Financial Corporation)] 3. Click Ok to select the required Business Units. Click Next. This will guide the user to the Policy Violation Scan page, where listed on top is the number of users being scanned and the progress of the audit scan. The following message appears once the scan is completed: (Chapter 9, Identity Audit, pp. 131-132: Audit Rules and Policies) [Screenshot: Identity Audit > Policy Violation Scan; message "Policy violation scan completed successfully"; Policy Violations table with columns Policy Name, User Name, Exception, Severity, listing Vendor Authorization Profile violations of High severity]
11. By closely monitoring user access privileges, who approved access privileges, and what access privileges shouldn't be there, Role Manager provides organizations with the data required to take informed corrective actions in order to remediate policy violations. Role Manager provides a platform to enforce policies and generate audit trails that can be used to certify compliance with various laws and regulations. The following types of exceptions are monitored by the system on a scheduled basis: Actual vs Assigned: the system will monitor all instances where a user's actual access in the target system does not match the access assigned to the user based on the roles assigned to the user. Terminated User with Accounts: the system will monitor all instances where a terminated user has active accounts. Audit Rules and Policies: Create Audit Rules and Audit Policies. Steps to set Auditable Attributes before Identity Audit: 1. Open your Java-enabled web browser. 2. Log into the Role Manager Web Interface from your Java-enabled web browser. 3. The login dialog box appears. Enter the relevant credentials and login to Role Manager. 4. Click the Administration > Configuration tab and then the Namespaces link. (Sun Role Manager 4.1, September 2008, p. 122: Audit Rules and Policies) 5. Select the desired namespace and check or uncheck the Auditable box for each attribute.
12. The contents of this file with the ideal logging levels are specified below:

    log4j.rootLogger=INFO, file
    # Console Appender
    log4j.appender.console=org.apache.log4j.ConsoleAppender
    log4j.appender.console.layout=org.apache.log4j.PatternLayout
    log4j.appender.console.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1} %m%n
    # File Appender
    log4j.appender.file=org.apache.log4j.DailyRollingFileAppender
    log4j.appender.file.file=C:/Vaau/RBACx2006/tomcat55/logs/rbacx.log
    log4j.appender.file.layout=org.apache.log4j.PatternLayout
    log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1} %m%n
    log4j.appender.file.ImmediateFlush=true
    log4j.appender.file.DatePattern=yyyy-MM-dd
    # Tomcat logging
    log4j.logger.org.apache.catalina=WARN
    # DON'T EDIT FOLLOWING
    log4j.logger.com.vaau.commons.springframework.context.ContextLifecycleListener=INFO
    # VAAU commons logging
    log4j.logger.com.vaau.commons=WARN
    # RBACx Core logging
    log4j.logger.com.vaau.rbacx=WARN
    log4j.logger.com.vaau.rbacx.core=WARN
    log4j.logger.com.vaau.rbacx.service=WARN
    log4j.logger.com.vaau.rbacx.manager=DEBUG
    # RBACx Security logging
    log4j.logger.com.vaau.rbacx.security=WARN
    # RBACx Scheduling logging
    log4j.logger.com.vaau.rbacx
    # RBACx ETL
    log4j.logger.com.vaau.rbacx
    # RBACx IAM logging
    log4j.logger.com.vaau.rbacx
    # RBACx Reporting logging
    log

(Chapter 6, Role Manager Logging, pp. 69-70)
13. The number after the period is used to truncate the string starting from that position. Manual Correlation: Manual correlation refers to the ability to manually correlate accounts to users. This capability proves very helpful in situations where the existing correlation rules result in accounts that are not automatically associated with any user. Such accounts are referred to by the term Orphan Accounts. Role Manager provides the ability to manually correlate such accounts to a specific user. Manual correlation is also useful when the ownership of an account needs to be changed from one User to another. (Chapter 5, Data Correlation, p. 59: Manual Correlation) Steps to correlate an Orphan Account to a User: 1. Start Role Manager by clicking the Role Manager Icon. 2. The login dialog box appears. Enter your credentials and login to Role Manager. 3. Select the Identity Warehouse Tab and then select the Users Tab. 4. Select the Orphan Accounts Tab. 5. The panel on the left displays all the namespaces, which can be expanded to endpoints and further expanded to available orphan accounts. 6. Select a namespace or endpoint to view all the available orphan accounts. [Screenshot: Identity Warehouse > Users; New User]
14. (Record metadata, continued)

    <Field name="ListDataResource" type="string" size="10"/>
    <Field name="ListDataSource" type="string" size="10"/>
    <Field name="M8A11" type="string" size="10"/>
    </Record>

Database Input: We use this node to import data from databases. In the following example the ETL Manager will execute the graph for each file that matches the pattern in rbacxRegxLookupFiles:

    <Graph name="Testing Filter" rbacxRegxLookupFiles="tss_ w accounts w">
    <Global>
    <Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/InAccountsFromDB.fmt"/>
    <Metadata id="OutMetadata" fileURL="${graphsLocation}/metadata/OutAccounts.fmt"/>
    <DBConnection id="InterbaseDB" dbConfig="${graphsLocation}/dbConfig/Rbacx.cfg"/>
    </Global>
    <Phase number="0">
    <Node id="INPUT1" type="DB_INPUT_TABLE" dbConnection="InterbaseDB">
    <SQLCode>select * from tss_01_accounts</SQLCode>
    </Node>
    <Node id="COPY" type="REFORMAT">
    import org.jetel.component.DataRecordTransform;
    import org.jetel.data.DataRecord;
    import org.jetel.data.SetVal;
    import org.jetel.data.GetVal;

    public class reformatAccount extends DataRecordTransform {
        int counter = 0;
        DataRecord source;
        DataRecord target;

        public boolean transform(DataRecord source, DataRecord target

(Chapter 7, Role Manager ETL Process, p. 85: Transformation Examples)
15. Enter the Admin credentials and login to Role Manager. 3. Go to My Settings > My Profile > Change Password tab. [Figure 2.2: Change Password (Old Password, New Password, Confirm New Password; OK / Cancel)] 4. Enter the values required and click on Save. (Sun Role Manager 4.1, September 2008, p. 16: My Settings) My Proxy Assignments: This option is used to delegate managers when on leave. These guidelines are created to help a manager to complete certificates by setting up another manager on the manager's behalf. The delegate should be set from the day that the manager leaves and cannot be set to more than 30 days. New Proxy Assignment: Steps to create a new Proxy Assignment: 1. Start Role Manager by clicking on the Role Manager Icon. 2. The login dialog box appears. Enter the Admin credentials and login to Role Manager. 3. Go to My Settings > My Proxy Assignment > New Proxy Assignment. [Figure 2.3: New Proxy Assignments (Name, Description, Proxy User, Start Date 08/22/2008, End Date 08/22/2008)] (Chapter 2, My Settings, p. 17) 4. A form as shown above comes u
16. [Versions table residue: columns Last Updated, Version Date, Created By, Approved Date, Approved By, Comments; versions dated 03/15/2008, created by rbacxadmin, approved by rbacxadmin and afida, comments "Auto Approved By System"; 1-5 of 5 records; Revert to Version] Select the General, Ownership, Business Units, Policies or Exclusion Roles tab to compare these aspects of the versions. (Sun Role Manager 4.1, September 2008, p. 162: Role Versioning) [Figure 11.9: General View for comparison (Compare Versions: General, Exclusion Roles; Role 1 RM Fri Mar 14 15:15:29 PDT 2008; attributes customProperty1 to customProperty10, department, highPrivileged, jobCode, parentRoleName; value "Created by RBACx's Role Mining Engine Fri Mar 14 15:15:29 PDT 2008"; legend Unchanged, Added, Modified, Removed)] Syste
17. [Figure 8.22: Edit Certification Status (Created By rbacxadmin, Creation Date 02/13/2008; Back to Certifications List; roles Architect, Consultant; Comments, Action: Review; 1-2 of 2 records; Complete Certification)] Export Options: You can download the certification reports in the following formats: Export to PDF, Export to XLS. 7. Click Certify or Revoke for each Role that the certifier is an owner for. Applying Revoke, Unknown or Exception Allowed to a role requires entering a comment to signify why the role should no longer belong under the certifier's ownership, or whether all its underlying entitlements are incorrect in the case of Revoke. (Sun Role Manager 4.1, September 2008: Completing a Role Entitlement Certification) [Figure 8.23: Review Role Entitlements (account jcarrol in the SAP R3 and ActiveDirectory namespaces; endpoints Vaau Active Directory 00 1 and SAP Productiton 200; attribute value groups Group Membership, Account Roles, User group, Authorization Profiles, each with Certify All, Revoke All, Unknown All and Exception Allowed options)]
18. ... export exclusion lists, including but not limited to the denied persons and specially designated nationals lists, is strictly prohibited. DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Sun Microsystems, Inc. holds the intellectual property rights relating to the technology embodied in the product described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the United States and in other countries. This distribution may include components developed by third parties. Some components of this product may be derived from Berkeley BSD software licensed by the University of California. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Java, JDBC and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Toutes les marques SPARC sont utilisées sous licence et sont des marques
19. (pp. 11-12: Role Manager Introduction) Identity Warehouse: The Role Manager Identity Warehouse captures and stores relevant entitlement data from systems containing a simple to a complex entitlement structure. These entitlement feeds are imported on a scheduled basis, and Role Manager accommodates an n-level entitlement structure which can be stored in the Role Manager data repository. Role Manager has an import engine which supports complex entitlement feeds from a text or XML file and also includes ETL (Extract, Transform, Load) processing capabilities. Role Manager also captures the glossary description of each entitlement, and this can be inputted as a separate feed to Role Manager. Glossary information provides business descriptions that are associated with the raw entitlement data for improved usability and understandability. The complete entitlement data can be correlated during the certification phase, and the entitlement hierarchy can be shown as part of the drill-down entitlements. Role Engineering and Management: One of the most challenging problems in managing large networks is the complexity of security administration. Role-based access control, also called role-based security, has become the predominant model for advanced access control because it reduces the complexity and cost of security administration in large networked applications. Most information technology vendors have incorporated RBAC into their product line and the techno
20. [Figure 11.12: Show Details (Policy History entries such as main_RM Policy_SAP R3_SAP Productiton 200_2008 03 14 15 32 47, main_RM Policy_ACF2_Prod 03 500_2008 03 14 15 32 47 and main_RM Policy_ActiveDirectory_Vaau Active Directory 00 10_2008 03 14 15 32 47, modified 03/20/2008 07:47:48 by rbacxadmin; 1-2 of 2 records; Show Details / Collapse)] 8. To view Owner addition/deletion history, select Show Details corresponding to Owner History. (Chapter 11, Role Management and Designing Workflows, p. 167: Role History) [Screenshot: Role Management > Roles; role Finance Assistant with Role Membership History, Policy History and Owner History panels (Show Details / Collapse); Owner History columns Modified By, First Name, Last Name, ID]
21. [Versions table residue: Approved Date 03/15/2008 03:48:50, 03:49:15, 03:56:22, 04:37:50; Approved By rbacxadmin, afida; Comments "Auto Approved By System"; 1-5 of 5 records; Revert to Version] (p. 161: Role Versioning) 6. To compare two versions, select them by selecting their corresponding checkboxes and select Compare Versions. [Figure 11.8: Compare Versions (Role Management > Roles; role list including Cash and Stock Reconciliation Clerk, Finance Assistant, Assistant Loan Administrator, Management Accountant, Operations Generalist, Settlement Analyst, Trade Finance & Documentary Credits Clerk; versions 1-5 (Role 1 RM Fri Mar 14 15:15:29 PDT 2008, System Analyst 2-4, Cash and Stock Reconciliation Clerk 5) with Version Status Inactive/Active; Review Modifications, Refresh, Search)]
22. [Figure 11.4: Edit Workflow (steps including Approval, Reject Role, Delete Role, Approve Role, Policy Owner Auto Approval (POLICY_OWNER), Add Action, Add Owner, Pending, Role Owner Approval, Finish; condition "approved by all policy owners"; Version RBACx 4.0.0 build 4.0.0 20080303001 GA4)] After each step in the workflow there is a column called Operation, which contains the Add Step and Delete Step options. For this example we are going to add a step after Start Workflow and before Policy Owner Approval. (Chapter 11, Role Management and Designing Workflows, pp. 157-158: Workflow Design, Add a Step) In this organization we have an employee who is designated as the Role Manager and must approve and document all roles when they are created. 1. Navigate to the Role Workflow tab under Administration > Configuration. 2. Select the Workflow to edit (Role Creation in this example). 3. Click Add Step for the step you want to fall before the one you are trying to create. 4. Select the type of step you want to create. Role Manager comes with two templates out of the box; however, more templates are usually designed for the client's needs during implementation phases. After selecting Approval Step we get the following window: Step Name: Name for this step within this workflow. Link Role St
23. New Certification / My Certifications > Q2 User Cert IT: Your New Certifications will require a complete review of the users' roles and/or entitlements. Pending certifications have had some review but the process has not been completed; further action is still required. Complete certifications are stored here for revisions or review purposes. Expired Certifications are past their allocated Certification period but may be useful for review. [Figure 8.21: Certification Details (Show Details / Collapse; Step 1, Employment Verification: "Verify the employment status of these employees by selecting one of the options in the list and then go to step 2 to complete the certification"; columns Employee, User ID, Department, Comments, Status; Apply to all: Click to change for all; status options "Works for me" / "Choose"; 1-10 of 31 records)] 21. Complete attesting access of all users. Role Manager detec
24. [Figure 8.25: Complete Certification (My Certifications > Cert; Password Required; Certification Details; columns Password, Status, EndPoint Name, Comments, Action: Review; 1-1 of 1 records)] (Sun Role Manager 4.1, September 2008, p. 116: Completing an Application Owner Certification) Completing an Application Owner Certification: This sub-section describes how to sign off an application owner certification for attestation and reporting purposes. Steps to Complete an Application Owner Certification: 1. Log into the Sun Role Manager Web Interface using a Java-enabled web browser. Log in with the credentials of an administrator or certifier. 2. Click the Identity Certification tab. 3. Click My Certifications. 4. Click the New or In Progress Certification, or search for the required certification using the available search filters. 5. Select the Certification to complete by clicking on the Certification Name or using the corresponding checkbox and clicking Edit Cert
25. [Screenshot residue: Active Directory attribute values shown as Exchange distinguished names, e.g. CN=First Storage Group,CN=InformationStore,CN=CRATER,CN=Servers,CN=DTVUS,CN=Administrative Groups,CN=DirecTV,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FRD,DC=DIRECTV,DC=com, next to attribute names such as First name, fax number, garbageCollPeriod, Home Folder Path, Home MDB and Home MTA.]

System Configuration

6. To give a new glossary value to an attribute value, click on the attribute value.

[Figure 3-13: Attribute Value Details. EndPoints > Vaau Active Directory > Custom Attribute > UCL; Attribute Value UCUO8; fields Glossary, Data Owner, Classification (Approve Payroll) and High Privileged.]

7. The Attribute Value Details box opens up. A user-friendly value can be specified for the attribute in the Glossary field. A Data Owner can also be selected for the attribute value. Select the icon in the D
26. ...Interface.
2. Click the Identity Audit tab and click the Rules link.

Audit Rules and Policies

[Figure 9-2: Audit Rules. The Policies > Rules page, with the Policy Violations and Scheduled Scan Jobs sub-tabs and a New Rule button; the table lists Rule Name, Description, Created Date and Updated Date for rules such as Check Issuer (08/11/2006, 06/01/2007), Check Receiver, Vendor Authorization Rule, Located in Los Angeles, Vaau IT Operations Analyst, Unauthorized Bank Account, Unauthorized Signer, Initiate and Approve Gaurantee, Initiate and Release Gaurantee and Initiate and Modify Hierarchy; 1-10 of 32 records.]

3. Click the New Rule button.
4. Enter a relevant Rule name and description.
5. Select a Role Manager object from the drop-down list; the options will include User and each defined Namespace.
6. Selecting the Object will bring up a pull-down list of the Object's attributes.
7. Select d
27. ...Java-enabled web browser.
2. Browse to the Security tab under Administration.
3. Click on Role Manager Users > New Role Manager User.

[Figure 4-5: Adding New User. The New Rbacx User Wizard with the fields User Name, First Name, Last Name, Password, Confirm Password, E-Mail and Enabled.]

4. Complete the user information and click Next.
5. Add System Roles: to add system roles, select the role(s) from the list on the left and click Next >.

[Figure 4-6: Adding System Roles to a User. Available System Roles and Selected System Roles lists.]

Role Manager Security

6. Remove System Roles: to delete system roles, select the role(s) from the list on the right and click < Back.

[Figure 4-7: Removing System Role. Available System Roles and Selected System Roles lists, with Role Owner selected.]

7. Click Next.
8. Add Business Unit Roles: to add Business Unit roles, select the Business Unit on the left; all the related roles appear in the Available Business Unit Role(s) list. Select the role from the list on the top and click the button.
9. Delete Business Unit Role: to delete a Business Unit role assigned to the user, selec
28. [Figure 8-7: Run Certification. Job Description; Scheduled Dates: Daily, Weekly, Monthly, One Time Only; "Select the time and day for the task to start"; Start Time; Perform this Task: Every Day, Weekdays, Every 1 ...; 08/23/2008.]

19. Select Create to create the certification.
20. The Certification Jobs window opens and displays the new task created.

New Identity Certification

[Figure 8-8: Certification Jobs. The My Certifications page (Identity Certification > Certification Jobs) with the Show Me filter set to New & In Progress, the standard description text (Your New Certifications will require a complete review of the users' roles and/or entitlements; Pending certifications have had some review, but the process has not been completed; Complete certifications are stored here for revision or review purposes; Expired Certifications are past their allocated certification period, but may be useful for review), and a table of Certification Name and Business Unit: Q2 IT App Cert (Information Technology), Q2 afida Role Cert (afida), Q2 User Cert IT (Information Technology), Q1 Web Conversion User cert (Web Conversion), Q1 IT D App Cert.]

21.
29. [Figure 10-4: Import/Export Tab. Connection list with the columns Names and Connection Type, showing localhost (sun); 1 of 1 records.]

5. Provide the name and description of the job.
6. Enter the required job scheduling information and click Finish.

[Figure 10-5: New Job. Administration > Import/Export > Schedule Job, with Name, Description and Run the Job Now; Scheduled Dates: Months, Days, Weekdays, Years (Every Month, Every Day, Every Year, or specific values such as January, 1, 2008); Scheduled Time: Hours, Minutes, Seconds (Every Hour, Every Minute, Every Second, or specific values).]

7. Each namespace consists of an endpoint; hence it is also important to select the correct endpoint in the case of an entitlement import or export.

[Figure 10-6: NameSpace and Endpoints. Namespaces: Vaau Active Directory; Endpoints: DEM AD, Chicago_AD.]

Note: Certain data imports/exports, such as role import/export and user import/export, do not require Namespace or Endpoint information to be specified.

File Based Imp
30. View and Search Certifications

...Does Not Contain.

More restrictions can be imposed on the search criterion by selecting a period in which to search for the certification.

[Figure: My Certifications search. Dashboard > My Certifications, with the standard description text, the hint "Click on the certification's name to work on the certification; mouse over the certification's name to view a summary", the search filters Certification Name, Show Me (New & In Progress), Business Unit, Created By, Updated By, Status, Type and Period (From 08/24/2007 To 08/23/2008), and a results table with Status, Certification Name, Business Unit, Type, Start Date, End Date and Created By, e.g. New, Test User Certification, 2200-2300, User, 08/23/2008; New, Q2 IT App Cert, Information Technology, Application, 03/14/2008; New, Q2 afida Role Cert, afida, Role, 02/13/2008; Q2 User Cert IT, Information Technology.]
31. ...Role or Entitlement, select the Revoke radio button. This brings up a comments field, which must be filled in for post-certification remediation activities.

[Figure 8-20: Revoke Comments. User mdavis; account SAPCRM (mdavis, SAP R3, SAP Production); for each attribute value (Group Membership values such as Z_CRM_BC_ALL_USERS and Z_CRM_BC_DEV_ALL; Authorization Profile SU02) the options Certify, Revoke, Unknown and Exception Allowed, each with an "All" shortcut, plus Comments and a Revoke Comments field.]

Sign off on Certification

Identity Certification supports a series of post-certification activities, which include reports, revoke emails and kicking off a workflow process if integrated with an IAM solution. To complete and sign off on a certification, complete the above steps to certify or revoke access for each user.

Completing a User Access Certification
32. [Figure 8-12: Employee Verification. Table with the columns Status, User ID, Last ..., Comments and a "Click to change for all" control; rows such as lbrady (Complete, Reports to Another Person), IBrighi (Works For Me), mdaniels (Terminated), a user marked Does Not Work For Me, and mDunham, kgallagher, mGilroy, mGulati, mathews and lstockman still set to Choose; 1-10 of 12 records.]

9. The Reports to Another Person option allows the selection of another Global User as the correct certifier for the user. This starts a new workflow in which a new certification is created for the newly selected Correct Certifier to certify that particular user's accesses. This new process takes place only if Reporting Changes and Create New Certification per Reporting Manager have been enabled, either in the general Identity Certification configuration or in the custom configuration for the certification under consideration. Refer to the Sun Role Manager Configuration > Identity Certification portion of the Sun Role Manager 4.1 Admin Guide for more information on these settings. After filling in an appropriate comment and clicking OK, a new window opens that allows use of the Advanced User Search or quick search feature to select a Global User as the appropriate certifying authority.
10. Selecting Works For Me makes the user eligible for review in Step 2.
11. When one or more
33. ...User access audit view.

Permission | Description
Access to Business Units view | Allows a user access to the Business Unit view
Access to Endpoints view | Allows a user access to the Endpoint view
Access to Policies view | Allows a user access to the Policies view
Access to Roles view | Allows a user access to the Roles view
Access to Scheduler view | Allows a user access to the Scheduler view
Access to Users view | Allows a user access to the Users view
RBACx Administrator | Allows a user Role Manager Administrator access
Run Business Unit Reports | Allows a user to run Business Unit reports
Run System Reports | Allows a user to run System reports
Run Audit Reports | Allows a user to run Audit reports
Access the Users tab in Business Unit View | Allows a user access to the Users tab in the Business Unit view
Access the Roles tab in Business Unit View | Allows a user access to the Roles tab in the Business Unit view
Access the Policies tab in Business Unit View | Allows a user access to the Policies tab in the Business Unit view
Access the business unit selection tab in Applications view | Allows a user access to the business unit selection tab in the Application view
Access the policies tab in Applications view | Allows a user access to the policies tab in the Application view
Access the global users tab in Applications view | Allows a user access to the global users tab in the Application view
Access the policies tab in Endpoint view | Allows a User
34. ...behaviour is influenced by the concrete data parser or data formatter, but simply put, when a field is not specified to be nullable and the application tries to put a null value into it, the operation fails, which can result in stopping the whole transformation process.

format

The format attribute can be used to specify the expected format of data when parsing into or printing out of CloverETL. In this case the HIRE_DATE field is of type date, and it is specified that date values in the external textual data will look like this: 19.12.1999. For all possible format specifiers (control characters) see the documentation for java.text.SimpleDateFormat. Similar to HIRE_DATE is the JOB_GRADE field, which is of type numeric. Here the format specifies that the data is expected to be integer numbers only (no decimal point allowed). See the following tables for date and number format specifiers.

Date

Letter | Date or Time Component | Presentation | Examples
G | Era designator | Text | AD
y | Year | Year | 1996; 96
M | Month in year | Month | July; Jul; 07
w | Week in year | Number | 21
W | Week in month | Number | 2
D | Day in year | Number | 189
d | Day in month | Number | 10
F | Day of week in month | Number | 2
E | Day in week | Text | Tuesday; Tue
a | Am/pm marker | Text | PM
H | Hour in day (0-23) | Number | 0
k | Hour in day (1-24) | Number | 24
K | Hour in am/pm (0-11) | Number | 0
h | Hour in am/pm (1-12) | Number | 12
35. ...date of policy removal.

Owner History provides a view of all owners added to or removed from the Role, along with the Sun Role Manager User responsible for the action and the date of the owner addition or removal.

Attribute History provides a view of all modifications made to attributes associated with a role. The attribute name, the old value of the attribute and the new value after modification are displayed. Also displayed are the Sun Role Manager User responsible for the modification and the date of the change.

Certification History provides a view of all the certifications performed on the Role. It gives details of the certification such as creation date, created by, certification period, certifier, certification status, certification date, etc.

Steps to view Role History

1. Start Sun Role Manager by clicking the Sun Role Manager icon.
2. The login dialogue box appears. Enter your credentials and log in to Sun Role Manager.
3. Select the Role view by selecting it from the Identity Warehouse tab.
4. Select a Role from the Roles panel on the left.
5. Select the History tab.

Role History

[Screenshot: Identity Warehouse > Roles view with the New Role, Decommission Role and Review actions.]
36. ...different one. Basic control characters such as \t (tabulator), \n (line feed) and \r (carriage return) are supported.

Field Formats and Other Features

The following example is a little more complicated and shows additional features (the delimiter and format attribute values did not survive extraction and are shown as "..."):

<?xml version="1.0" encoding="UTF-8"?>
<!-- Automatically generated from database null -->
<Record name="EMPLOYEE" type="delimited">
  <Field name="EMP_NO" type="integer" delimiter="..." format="..."/>
  <Field name="FIRST_NAME" type="string" delimiter="..."/>
  <Field name="LAST_NAME" type="string" delimiter="..."/>
  <Field name="PHONE_EXT" type="string" nullable="yes" delimiter="..."/>
  <Field name="HIRE_DATE" type="date" delimiter="..." format="dd.MM.yyyy"/>
  <Field name="BIRTH_DATE" type="date" delimiter="..." locale="en"/>
  <Field name="DEPT_NO" type="string" delimiter="..."/>
  <Field name="JOB_CODE" type="string" delimiter="..."/>
  <Field name="JOB_GRADE" type="numeric" delimiter="..." format="..."/>
  <Field name="JOB_COUNTRY" type="string" delimiter="..."/>
  <Field name="SALARY" type="numeric" delimiter="..."/>
  <Field name="FULL_NAME" type="string" nullable="yes" delimiter="\n"/>
</Record>

nullable

As you can see, some fields (PHONE_EXT, for example) have the attribute nullable set to yes. It basically means that this field is allowed to contain a null value. The default is yes (true): the field can contain null. The exact
37. ...field's name, e.g. Age, Name, etc. The date format used for date constants is yyyy-MM-dd or yyyy-MM-dd hh:mm:ss.

This graph produces one output file in which all employees have, in the field comments, the pattern DELTSO 0 9 0 (the regular-expression literals below are reproduced as extracted):

<Graph name="Testing Filter" rbacxRegxLookupFiles="tss_ w accounts w">
<Global>
<Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/InAccounts.fmt"/>
</Global>
<Phase number="0">
<Node id="INPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="${inputFile}"/>
<Node id="FILTEREMPL2" type="EXT_FILTER">
$comments DELTSO 0 9 0
</Node>
<Node id="OUTPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataWriter" fileURL="${outputFile}"/>
<Edge id="INEDGE1" fromNode="INPUT1:0" toNode="FILTEREMPL2:0" metadata="InMetadata"/>
<Edge id="INNEREDGE3" fromNode="FILTEREMPL2:0" toNode="OUTPUT1:0" metadata="InMetadata"/>
</Phase>
</Graph>

Fixed Length Data NIO Reader

This graph transforms a fixed-length data file into a CSV file:

<Graph name="Testing Filter" rbacxRegxLookupFiles="tss_ w accounts w">
<Global>
<Metadata id="OutMetadata" fileURL="${graphsLocation}/metadata/InAccounts.fmt"/>
<Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/InAccountsFixedWith.fmt"/>
</Global>
<Phase number="0">
<Node id="INP
38. (continuation of the date format table)

m | Minute in hour | Number | 30
s | Second in minute | Number | 55
S | Millisecond | Number | 978
z | Time zone | General time zone | Pacific Standard Time; PST; GMT-08:00
Z | Time zone | RFC 822 time zone | -0800

Examples

Date and Time Pattern | Result
"yyyy.MM.dd G 'at' HH:mm:ss z" | 2001.07.04 AD at 12:08:56 PDT
"EEE, MMM d, ''yy" | Wed, Jul 4, '01
"h:mm a" | 12:08 PM
"hh 'o''clock' a, zzzz" | 12 o'clock PM, Pacific Daylight Time
"K:mm a, z" | 0:08 PM, PDT
"yyyyy.MMMMM.dd GGG hh:mm aaa" | 02001.July.04 AD 12:08 PM
"EEE, d MMM yyyy HH:mm:ss Z" | Wed, 4 Jul 2001 12:08:56 -0700
"yyMMddHHmmss Z" | 010704120856-0700

Number

Symbol | Location | Localized? | Meaning
0 | Number | Yes | Digit
# | Number | Yes | Digit, zero shows as absent
. | Number | Yes | Decimal separator or monetary decimal separator
- | Number | Yes | Minus sign
, | Number | Yes | Grouping separator
E | Number | Yes | Separates mantissa and exponent in scientific notation. Need not be quoted in prefix or suffix.
; | Subpattern boundary | Yes | Separates positive and negative subpatterns
% | Prefix or suffix | Yes | Multiply by 100 and show as percentage
\u2030 | Prefix or suffix | Yes | Multiply by 1000 and show as per mille
\u00A4 | Prefix or suffix | No | Currency sign, replaced by currency symbol. If doubled, replaced by international currency symbol. If present in a pattern, the monetary decimal separator is used instead of
39. ...not nullable. There are three different data policies defined:

- strict: any problem causes a BadDataFormatException (this is the default behaviour)
- controlled: similar to strict, but on top of that it logs the problematic value
- lenient: if a default value exists (is defined) for the field, CloverETL attempts to assign that default value
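The following Python script is an added example (not code from the Sun Role Manager or CloverETL manuals) that ties together the nullable attribute, the format attribute of the EMPLOYEE metadata and the three data policies just listed: it loads a constructed subset of the EMPLOYEE record definition, parses two constructed delimited records against it, and shows how strict, controlled and lenient differ when a value violates its metadata. Everything in the metadata beyond the field names and types is an assumption made for the example: comma delimiters, a default attribute carrying the fallback value used by the lenient policy, format="#" on JOB_GRADE read as "integer digits only", and a SimpleDateFormat-to-strptime translation that covers only the pattern letters used here.

```python
"""Added example (not from the Sun Role Manager / CloverETL manuals): apply
CloverETL-style field metadata (type, nullable, format) to delimited records
under the strict, controlled and lenient data policies described above."""
import logging
import re
import xml.etree.ElementTree as ET
from datetime import datetime

log = logging.getLogger("etl")

# Constructed metadata: a subset of the EMPLOYEE record. Comma delimiters,
# the 'default' attribute and format="#" on JOB_GRADE are assumptions.
METADATA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Record name="EMPLOYEE" type="delimited">
  <Field name="EMP_NO"    type="integer" nullable="no"  delimiter=","/>
  <Field name="PHONE_EXT" type="string"  nullable="yes" delimiter=","/>
  <Field name="HIRE_DATE" type="date"    nullable="no"  delimiter="," format="dd.MM.yyyy"/>
  <Field name="JOB_GRADE" type="numeric" nullable="no"  delimiter="," format="#" default="0"/>
  <Field name="SALARY"    type="numeric" nullable="no"  delimiter=","/>
</Record>"""

# Constructed input: one record per line, fields comma-separated.
SAMPLE = [
    "1,,19.12.1999,3,52000",        # empty PHONE_EXT is fine: nullable="yes"
    "2,4711,01.02.2001,2.5,61000",  # JOB_GRADE has a decimal point: violates format="#"
    ",,12.12.2000,1,100",           # empty EMP_NO: not nullable and no default
]


class BadDataFormatException(ValueError):
    """Raised when a field value violates its metadata."""


# SimpleDateFormat letters -> strptime directives (only the subset used here).
_SDF = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}


def sdf_to_strptime(fmt):
    """Translate a SimpleDateFormat pattern such as dd.MM.yyyy to %d.%m.%Y."""
    for token in sorted(_SDF, key=len, reverse=True):  # longest tokens first
        fmt = fmt.replace(token, _SDF[token])
    return fmt


def load_metadata(xml_text):
    """Return one dict per <Field>: name, type, nullable and optional format/default."""
    fields = []
    for f in ET.fromstring(xml_text).findall("Field"):
        meta = {"name": f.get("name"), "type": f.get("type"),
                # the manual states the default for nullable is yes (true)
                "nullable": f.get("nullable", "yes").lower() in ("yes", "true")}
        for opt in ("format", "default"):
            if f.get(opt) is not None:
                meta[opt] = f.get(opt)
        fields.append(meta)
    return fields


def parse_field(meta, raw):
    """Convert one raw text value; None for an allowed null, else raise."""
    if raw == "":
        if meta["nullable"]:
            return None
        raise BadDataFormatException(f"{meta['name']}: null not allowed")
    try:
        if meta["type"] == "integer":
            return int(raw)
        if meta["type"] == "numeric":
            if meta.get("format") == "#" and not re.fullmatch(r"-?\d+", raw):
                raise ValueError("decimal point not allowed")
            return float(raw)
        if meta["type"] == "date":
            return datetime.strptime(raw, sdf_to_strptime(meta["format"]))
        return raw  # string
    except ValueError as exc:
        raise BadDataFormatException(f"{meta['name']}: {raw!r} ({exc})") from exc


def apply_policy(meta, raw, policy):
    """strict: raise; controlled: log, then raise; lenient: use the default if one exists."""
    try:
        return parse_field(meta, raw)
    except BadDataFormatException:
        if policy == "controlled":
            log.warning("bad value for %s: %r", meta["name"], raw)
        elif policy == "lenient" and "default" in meta:
            return parse_field(meta, meta["default"])
        elif policy not in ("strict", "controlled", "lenient"):
            raise ValueError(f"unknown data policy {policy!r}")
        raise


def transform(lines, policy):
    """Parse every line; any unrecoverable field error aborts the whole run."""
    fields = load_metadata(METADATA_XML)
    records = []
    for line in lines:
        raw_values = line.split(",")
        if len(raw_values) != len(fields):
            raise BadDataFormatException(f"expected {len(fields)} fields, got {len(raw_values)}")
        records.append({m["name"]: apply_policy(m, raw, policy)
                        for m, raw in zip(fields, raw_values)})
    return records


def run(lines, policy):
    """Return (records, None) on success, or ([], error) when the run is stopped."""
    try:
        return transform(lines, policy), None
    except BadDataFormatException as exc:
        return [], str(exc)


if __name__ == "__main__":
    for policy in ("strict", "controlled", "lenient"):
        print(policy, run(SAMPLE[:2], policy))
    print("lenient, record 3:", run(SAMPLE[2:], "lenient"))
```

Under strict and controlled the second record stops the whole run (controlled additionally logs the offending value), which is the behaviour the nullable section warns about; under lenient the JOB_GRADE violation is repaired from the field's default, but the third record still fails because EMP_NO is not nullable and has no default to fall back on.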
40. ...of 11 records. A pop-up opens that allows searching for and selecting a User. Using the quick search or advanced search feature, search for the User to be assigned the account(s). Select the desired User from the search result and click OK.

CHAPTER 6: Role Manager Logging

Role Manager has various logs which are available and can be used during troubleshooting. The two major types of logs are:

- Role Manager Audit Logs
- Role Manager System Logs

Review Audit Logs

Every operation done on Role Manager is recorded and reported in the Audit Event view in Role Manager. The current audit events include:

- Role Manager User Password Update
- Addition of Role Manager User
- Modification of Role Manager User
- Deletion of Role Manager User

The details captured by the audit events are:

Function | Description
Timestamp | Denotes the time when the audit event was captured
UserId | Denotes the user id of the account which initiates the change
UserName | Denotes the name of the user account which initiates the change
Action | One of the following actions is shown in this column: ADD, MODIFY, DELETE, LOGIN, LOGOUT
Description | The description of the audit event is provided here
Remote IP Address | IP address of the machine which initiates the change
Remote Host Name | Host name of the machine which initiates the change
S
41. ...of heart has a driver supporting the JDBC API, CloverETL can be used to unload data stored within a database table or to populate a database table with internal data.

DBConnection

Before any attempt to connect to a database can be made, the way of connecting to the database has to be described. For this purpose a DBConnection must be specified first. Within the graph definition it can be done the following way:

<DBConnection id="InterbaseDB" dbConfig="Interbase.cfg"/>

It specifies that CloverETL should set up a database connection called InterbaseDB. All required parameters (JDBC driver name, DB connect string, user name and password) can be found in the config file called Interbase.cfg. The content of the dbConfig file is a standard Java preferences file: it contains the names of parameters with their values. Because the password is stored in this file in clear text, restrict the file's permissions to the account that runs the application server. The possible parameters are listed in the following table:

Parameter name | Description of parameter | Example of parameter's value
dbDriver | Specifies the name of the class containing the JDBC driver for your database. This class must be visible to Java, i.e. be part of the CLASSPATH. | org.postgresql.Driver
dbURL | URL for connecting to the database: the name of the JDBC driver to use, the IP address where the server listens, the name of the database instance, port, etc. | jdbc:postgresql://192.168.1.100/mydb
user | Username under which to connect to the database | Admin
password | Password to be used | free
driverLibrary | Optional parameter. Whe
42. ...of the reminder by selecting a template.

Escalation Options: These options can be used to trigger an escalation mechanism if the appropriate action is not taken after a specified number of reminders.

[Figure 11-5: Workflow Step. The New Template Workflow Step dialog: General (Step Name, Link Status Active, Destination Step, Assignee); Due Date Options (Enable Due Date Options, Step Expires After N days); Reminder Options (Enable Reminder Option, Send First Reminder N days before due date, Reminder Frequency Once / Daily / Weekly, Choose Template); Escalation Options (Enable Escalation Option, Escalation Trigger After N Reminders, Choose Template).]

6. Once the step has been saved, it appears in the appropriate location, both on the left pane and diagrammatically in the right pane.

[Figure: Edit Workflow. Name: Role Creation Workflow; Description: Role Life Cycle Workflow; Actions, including Store Workflow Input (stores data required for workflow steps) and Add Action; steps Start Workflow, Policy Owner Step and Role Manager Approval, with the transitions Approve Role and Reject Role and a Delete Approval Step control.]
43. ...or revoke for each account and attribute.

[Figure 8-14: Certify or Revoke Entitlements for Group Membership. For each account (e.g. aHarmsen on the endpoint Vaau Active Directory) the Group Membership attribute values, such as Accounts Group, DBA Accounts Group and eBillView DBA Accounts Group, each with the options Certify, Revoke, Unknown and Exception Allowed (with an "All" shortcut per column) and a Comments field.]

19. Sun Role Manager provides a Glossary feature which translates cryptic access entitlements into business-friendly terms. Click the highlighted (hyperlinked) access entitlement to display the actual attribute value and its corresponding definition and comments.

[Figure 8-15: Glossary and Attributes. User mdavis, endpoint Vaau Active Directory, attribute GroupMembership; Actual Value: Read Only User Accounts Group; Glossary Definition: Default AD Group; Comments.]

Revoking a Role or Access outside Role

20. To revoke any access, whether it lies in a
44. ...
    return true;
  }

  private String getBooleanString(int value) {
    if (value == 0) return "FALSE";
    else return "TRUE";
  }
</Node>
<Node id="OUTPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataWriter" fileURL="${outputFile}"/>
<Edge id="INEDGE1" fromNode="INPUT1:0" toNode="COPY:0" metadata="InMetadata"/>
<Edge id="OUTEDGE1" fromNode="COPY:0" toNode="OUTPUT1:0" metadata="OutMetadata"/>
</Phase>
</Graph>

If we don't want to put a file in the drop location to make this graph execute, we may add the attribute rbacxExecuteAlways="true":

<Graph name="Testing Filter" rbacxExecuteAlways="true">
<Global>
<Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/InAccountsFromDB.fmt"/>
<Metadata id="OutMetadata" fileURL="${graphsLocation}/metadata/OutAccounts.fmt"/>
<DBConnection id="InterbaseDB" dbConfig="${graphsLocation}/dbConfig/Rbacx.cfg"/>
</Global>
<Phase number="0">
<Node id="INPUT1" type="DB_INPUT_TABLE" dbConnection="InterbaseDB">
<SQLCode>
select * from tss_01_accounts
</SQLCode>
</Node>
<Node id="COPY" type="REFORMAT">
import org.jetel.data.DataRecord;
import org.jetel.data.SetVal;
import org.jetel.data.GetV
45. ...section describes how to sign off a role entitlement certification for attestation and reporting purposes.

Steps to Complete a Role Entitlement Certification

1. Log into the Sun Role Manager Web Interface using a Java-enabled web browser.
2. Log in with the credentials of an administrator or certifier.
3. Click the Identity Certification tab.
4. Click My Certifications.
5. Click the New or In Progress Certification, or search for the required certification using the Show Me drop-down option.
6. Select the Certification to complete by clicking on the Certification Name, or by using the corresponding checkbox and clicking Edit Certification.

[Figure: My Certifications > Q2 afida Role Cert. The standard description text, the Views selector (All) and Certification Details, with a Certification Overview: Certification Q2 afida Role Cert; Business Unit afida; Start Date 02/13/2008; End Date; Completed; Incremental; Number of Roles 2; Certifier; Certification History; and the per-role Certify / Revoke
46. ...the metadata corresponds to the number and types of the returned data fields. See the CloverETL examples for more variations of DBInputTable usage.

DBOutputTable component

When there is a need to populate a DB table with data coming from a CloverETL transformation graph, the DBOutputTable component can be used to fulfil it. It is the complement of DBInputTable. It maps the individual fields of CloverETL data records onto target DB table fields. It can perform simple data conversions to successfully map CloverETL basic data types onto target DB variants (see the CloverETL-to-JDBC table above). The following example illustrates the usage of DBOutputTable:

<?xml version="1.0" encoding="UTF-8"?>
<Graph name="TestingDB2">
<Global>
<Metadata id="InMetadata" fileURL="metadata/myemployee.fmt"/>
<DBConnection id="PosgressDB" dbConfig="posgress.cfg"/>
</Global>
<Phase number="0">
<Node id="INPUT" type="DELIMITED_DATA_READER_NIO" fileURL="employees.list.dat"/>
<Node id="OUTPUT" type="DB_OUTPUT_TABLE" dbConnection="PosgressDB" dbTable="myemployee"/>
<Edge id="INEDGE" fromNode="INPUT:0" toNode="OUTPUT:0" metadata="InMetadata"/>
</Phase>
</Graph>

Should you need to populate only certain fields of the target DB table (when, for instance, one field is automatically populated from a DB sequence), the dbFields parameter of DBOutputTable can be used:

<Node id="OUTPUT2" type="DB_OUTPUT_TABLE" dbConnection="Posgre
47. ...the violation, or close it with an accepted risk with an end date for that risk.
2. Click Close as Risk Accepted.
3. This brings up a screen where you need to assign a future date until which this risk is acceptable.
4. Assign a mitigating control in the comments for this accepted risk.
5. Click OK. Your action will show up in the violation trail for auditors and management to keep track of.

Audit Rules and Policies

[Figure 9-13: Close as Risk Accepted. Expiration 08/29/2008; Temporary Assignment; Comments.]

To assign another Remediator to this violation, click Assign. This brings up a User Search dialog box. Find the relevant user and click OK.

[Figure 9-14: Assign Violation to User. Assign To; Search.]

8. To close this exception with no further action, click Close. You will need to enter your comments in the pop-up box.

[Figure 9-15: Close as Fixed. Fixed on 02/1/08; Comments.]

9. All actions are recorded and logged with date stamps for a complete audit violation life cycle trail.

[Figure 9-16: Violation Trail. Columns Date, User, State, Assigned To and Comments, e.g. 12/01/2006, rbacxadmin, Open, Grey, Andy; 01/10/2007, rbacxadmin, Closed and Risk Accepted, Grey, Andy, Accept.]
48. ...they are based upon the open source OpenSymphony Workflow engine.

Workflow Configuration

Before we can begin to use workflows within Role Manager, we have to ensure that they are configured correctly. During the default installation process with the automated installer (using SQL Server and Apache Tomcat), workflows are configured automatically. If the environment is different from the default, we must ensure that the settings are correct.

The default external folder location is C:\Vaau\rbacx-4.0\conf\workflows. The OS Workflow engine uses XML files to store the various workflows, and those files are housed in this location. As a result, since Role Manager comes with three configured workflows out of the box, all three of the corresponding XML files will be located here.

If the folder location of conf\workflows is somewhere other than C:\Vaau\rbacx-4.0, then we need to enter the location in the workflows.xml file. The workflows.xml file is located in the application server directory, under the application server's webapps directory: rbacx\WEB-INF\classes\workflows.xml. Ensure that the location of the workflow XML files for the external rbacx folder is correct. If not, change them, save the file and restart the application server to reflect the changes.

[Screenshot: workflows.xml opened in TextPad (C:\Vaau\rbacx-4.0\tomcat55\webapps\rbacx\WEB-INF\classes\workflows.xml), beginning with <workflow name="Role Creatio
49. ...to indicate values that are unmodified, modified, added or deleted.

The key Role Versioning features in Sun Role Manager are:

- Version Creation: Sun Role Manager automatically creates a new version for a Role when the definition of the Role is changed. Role definition changes are caused by a number of actions on role properties, such as policy addition or removal, a change in an associated policy, addition or removal of owners, a change in name, a manual change in status, etc.
- Version Comparison: Sun Role Manager allows the comparison of two versions of a role. Role properties are divided into the General, Ownership, Business Units, Policies and Exclusion Roles modules for comparison. All properties of the compared versions are displayed side by side, and the changes are highlighted with colour codes for modification, addition and deletion.
- Reverting to a Version: Sun Role Manager stores all created versions of a role. Only one version of a role can be active at an instant. A Role can easily be reverted to any of the inactive versions using the Revert to Version capability.

Steps to Manage Role Versions (View, Compare, Revert)

1. Start Sun Role Manager by clicking the Sun Role Manager icon.
2. The login dialogue box appears. Enter your credentials and log in to Sun Role Manager.
3. Select the Role view by selecting it from the Identity Warehouse tab.
4.
5. Select the Versions tab.
50. log4j.logger.com.vaau.rbacx.scheduling=DEBUG
log4j.logger.com.vaau.rbacx.etl=DEBUG
log4j.logger.com.vaau.rbacx.iam=WARN
log4j.logger.com.vaau.rbacx.reporting=WARN
# RBACx Audit logging
log4j.logger.com.vaau.rbacx.audit=WARN
# RBACx Role Mining logging
log4j.logger.com.vaau.rbacx.rolemining=WARN
log4j.logger.com.vaau.commons.datamining=WARN
# RBACx IDC logging
log4j.logger.com.vaau.rbacx.idc=INFO
# SqlMap logging statements
# Change WARN to DEBUG if want to see all sql
log4j.logger.com.ibatis=WARN
log4j.logger.com.ibatis.common.jdbc.SimpleDataSource=WARN
log4j.logger.com.ibatis.common.jdbc.ScriptRunner=WARN
log4j.logger.com.ibatis.sqlmap.engine.impl.SqlMapClientDelegate=WARN
log4j.logger.org.springframework.jdbc.datasource.DataSourceTransactionManager=WARN
log4j.logger.java.sql.Connection=WARN
log4j.logger.java.sql.Statement=WARN
log4j.logger.java.sql.PreparedStatement=WARN
# Spring Framework
log4j.logger.org.springframework=WARN
log4j.logger.org.springframework.rules.values=WARN
log4j.logger.org.springframework.context.support=WARN
log4j.logger.org.springframework.transaction=WARN
(further logger entries on this page, including one for "configuration", are illegible in the source)
# JIAM
log4j.category.com.ca=WARN
a
51. (Contents, continued)
Role Manager CloverETL extensions ... 77
Transformation ... 78
(illegible entry) ... 78
(illegible entry) ... 78
ETL ... 78
(illegible entry) ... 78
(illegible entry) ... 79
(illegible entry) ... 79
Import process ... 79
Maximum Concurrent Imports ... 80
Maximum Errors ... 80
(illegible entry) ... 80
(illegible entry) ... 80
Complete ... 80
... Location ... 81
Correlation Parameter ... 81
(illegible entry) ... 81
Role Manager ETL Reference ... 81
(illegible entry) ... 81
(illegible entry) ... 82
(illegible entry) ... 82
Transformation ... 82
(illegible entry) ... 82
(illegible entry) ... 83
Fixed Length Data NIO Reader ... 84
(illegible entry) ... 85
Chapter 8 Identity Certifications ... 91
Understanding An ... 92
Identity Certification Dashboard ... 93
New Identity Certification ... 94
View and Search ... 101
Completing a User Access Certification ... 104
(illegible entry) ... 108
Completin
52. Access to the policies tab in Endpoint view.
Access the business Units tab in Roles view: Allows a User Access to the Business Units tab in Roles view.
Access the users tab in Roles view: Allows a User Access to the Users tab in Roles view.
Access the policies tab in Roles view: Allows a User Access to the Policies tab in Roles view.
Access the exclusion roles tab in Roles view: Allows a User Access to the Exclusion Roles tab in Roles view.
Access the roles tab in Users view: Allows a User Access to the Roles tab in Users view.
Access the business Units tab in Users view: Allows a User Access to the Business Units tab in Users view.
Access the accounts tab in Users view: Allows a User Access to the Accounts tab in Users view.
Access the applications tab in Users view: Allows a User Access to the Applications tab in Users view.
Create IDC Certification: Allows a User to create a new Identity Certification.
Access to IDC view: Allows a User Access to the Identity Certification view.
Access to Security tab in Thin Client: Allows a User Access to the Security tab in the Thin Client.
Access to Glossary tab in Thin Client: Allows a User Access to the Glossary tab in the Thin Client.
Access to System audit logs tab in Thin Client: Allows a User Access to the System Audit Logs tab in the Thin Client.
Access to Password Configuration tab in Thin
53. Allows a User to add new Roles.
UPDATE Role: Allows a User to modify existing Roles.
DELETE Role: Allows a User to delete existing Roles.
CREATE Policy: Allows a User to add new Policies.
UPDATE Policy: Allows a User to modify existing Policies.
DELETE Policy: Allows a User to delete existing Policies.
CREATE Application: Allows a User to add new Applications.
UPDATE Application: Allows a User to modify existing Applications.
DELETE Application: Allows a User to delete existing Applications.
CREATE Endpoint: Allows a User to add new Endpoints.
UPDATE Endpoint: Allows a User to modify existing Endpoints.
DELETE Endpoint: Allows a User to delete existing Endpoints.
CREATE Schedule Job: Allows a User to add new Schedule Jobs.
UPDATE Schedule Job: Allows a User to modify existing Schedule Jobs.
DELETE Schedule Job: Allows a User to delete existing Schedule Jobs.
Access Report Dashboard: Allows a User to review compliance performance.
Import Data: Allows a User to import data from eTrust Admin to Role Manager.
Export Data: Allows a User to export data from Role Manager to eTrust Admin.
Configure System: Allows a User to configure the IAM Servers and Attributes.
Access to Application view: Allows a User access to the Application view.
Access to Audit view: Allows a
54. Client: Allows a User Access to the Password Configuration tab in the Thin Client.
Access to Audit Event Logs sub tab under System tab in Thin Client: Allows a User Access to the Audit Event Logs sub tab under the System tab in the Thin Client.
Access to Import Logs sub tab under System tab in Thin Client: Allows a User Access to the Import Logs sub tab under the System tab in the Thin Client.
Access to web service method Find Users in a given role: Allows a User Access to the web service method Find Users in a given role.
Access Policies sub tab under Identity Audit tab in Thin Client: Allows a User Access to the Policies sub tab under the Identity Audit tab in the Thin Client.
Access Rules sub tab under Identity Audit tab in Thin Client: Allows a User Access to the Rules sub tab under the Identity Audit tab in the Thin Client.
Access Policy Violations sub tab under Identity Audit tab in Thin Client: Allows a User Access to the Policy Violations sub tab under the Identity Audit tab in the Thin Client.
Access the Role Management tab in the Main View: Allows a User Access to the Role Management tab in the main view.
Access to My Requests tab in the Main View: Allows a User Access to the My Requests tab in the main view.

Business Privileges
Access Business Unit: Allows a user access to Business Unit details.
55. [Figure 3.12: Data Management. Screenshot of the Endpoints > Data Management > Attributes screen, listing user attributes (Pre-Windows 2000 login ID, Account expiration date, Description, Object class identifying information, Provide dial-in capability, altRecipient, Accept Message from Mailbox, Callback number for dial-in capability, Caller ID number, Town or city) with Attribute Value, Glossary, Data Owner and Classification (High Privileged) columns.]

5. This gives a list of all the attributes associated with the endpoint. Select the attribute one of whose values is to be modified in the glossary. A complete list of attribute values will be listed on the right pane.

[Screenshot: Endpoints > Vaau Active Directory > Data Management > Attributes, showing Custom Attribute values as Active Directory distinguished names under CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=FRD, DC
56.         DataSource", GetVal.getString(source, "ListDataSource"));
        SetVal.setString(target, "M8All", GetVal.getString(source, "M8All"));
    } catch (Exception ex) {
        errorMessage = ex.getMessage() + " -> occured with record " + counter;
        return false;
    }
    counter++;
    return true;
}

private String getBooleanString(int value) {
    if (value == 0) return "FALSE"; else return "TRUE";
}

<Node id="OUTPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataWriter" fileURL="${OUTPUT_LOCATION}/tss_01_accounts.dat"/>
<Edge id="INEDGE1" fromNode="INPUT1:0" toNode="COPY:0" metadata="InMetadata"/>
<Edge id="OUTEDGE1" fromNode="COPY:0" toNode="OUTPUT1:0" metadata="OutMetadata"/>
</Phase>
</Graph>

CHAPTER 8: Identity Certifications

Sun Role Manager is the industry-leading solution that provides enterprise-level certifications of user entitlements, role content and application access. It supports periodic certification of user entitlements and access by business managers, role owners and application owners. Sun Role Manager also supports granular certifications to support systems that have complex security models for authorization. Sun Role Manager includes a robust and fully customizable glossary feature which helps translate cryptic access permissions into business-friendly terms. Certifications in progress and completed cert
57. Event Logs.
6. Display event details as needed.
7. Click the Close icon to return to the filtered Audit Event Logs list.

Follow the given steps to review the import logs for the various feed imports and export them to a CSV file:
1. Log in to the Role Manager Web Interface using a Java-enabled web browser.
2. Click the System tab.
3. Click on Import Logs under the System tab.
4. Select the type of Import logs (Accounts, User or Glossary) as needed.
5. Review the details of the logs.
6. Click the Export button to export the logs to a CSV file.
[Figure 6.2: Export Logs. Export Logs dialog with Export Format: csv.]
7. Click OK at the save dialog and select a location.
8. Click the Close icon to return to the Import Logs page.

Review System Logs

The application logs are generated and stored under the C:\Vaau\RBACx2006\tomcat55\logs folder, and the file is called rbacx.log. The log captures various details such as import/export information and ETL processing, and also any exceptions which arise while running the application. There are different levels in rbacx.log, and these can be adjusted and modified as needed. The properties file which is used to alter the logging level is found under the RBACX_HOME\WEB-INF folder, and the file is called log4j.properties.
58. [Figure 9.4: Completed Rule Creation. Screenshot of the rules list showing Initiate and Release Gaurantee and Initiate and Modify Hierarchy, both dated 04/06/2007; 1-10 of 32 records.]

Audit Rules and Policies

Create Audit Policy

Steps to Create Audit Policy
1. In the Identity Audit tab, click Policies.
2. Select New Policy and assign a Policy name and description.
[Figure 9.5: Create Audit Policy. New Policy dialog under Identity Audit > Policies, with the example policy "Accountant in Los Angeles", description "Account accessing home folder in Indiana", namespace Active Directory.]
3. To add an Audit Rule, select Add. This will bring up a pop-up window with all listed Audit Rules and their dates of creation.
[Screenshot: Add rules to policy, listing Check Issuer (08/11/2006), Check Receiver (08/11/2006), Vendor Authorization Rule (09/29/2006), Located in Los Angeles (10/10/2006), Vaau IT Operations Analyst (11/28/2006), Unauthorized Bank Account (04/06/2007), Unauthorized Signer
59.   JOB_CODE VARCHAR2(5) not null,
  JOB_GRADE NUMBER(4,2) not null,
  JOB_COUNTRY VARCHAR2(15) not null,
  SALARY NUMBER(15,2) not null,
  FULL_NAME VARCHAR2(35)
);

insert into employee values (2, 'Robert', 'Nelson', '250', '20.12.1988', '600', 'VP', 240, 'USA', 105900.0, 'Nelson Robert');
insert into employee values (4, 'Bruce', 'Young', '233', 'ASTAZPAISS', '621', 'Eng', 2.0, 'USA', 97500.0, 'Young Bruce');
insert into employee values (5, 'Kim', 'Lambert', '22', '06.02.1989', '130', 'Eng', 2.0, 'USA', 102750.0, 'Lambert Kim');
insert into employee values (8, 'Leslie', 'Johnson', '410', '05.04.1989', '180', 'Mktg', 3.0, 'USA', 64635.0, 'Johnson Leslie');
insert into employee values (9, 'Phil', 'Forest', '229', '17.04.1989', '622', '4 Munger', 3.0, 'USA', 1506020, 'Forest Phil');
</SQLCode>
</Node>
</Phase>
</Graph>

Appendix 2: CloverETL How-To: Data Record Format Description

Representation of Data within CloverETL

CloverETL works with data in terms of data records and data fields within records. Internally, all records are represented as variable-length data. This means that every data field consumes only as much memory as is needed for storing the field's value. If you have a field of type STRING specified to be 50 chars in length, and this field is populated with a string of 20 characters, only 20 characters are allocated in memory. Moreover, CloverETL doesn't insist on any length being specified. There is, of course, an internal leng
60. [Figure 6.1: Audit Event Logs. Screenshot of System > Audit Event Logs, with filters for Action (All, Login/Logout, Add, Modify, Delete), User Name and Period (From/To); columns Timestamp, User Name, Full Name, Action, Description, Remote IP Address, Remote Host Name, Server IP Address and Server Host Name. The visible rows are LOGIN events ("User rbacxadmin logged on") from 127.0.0.1 to the local server; 1-10 of 120 records, page 1 of 12.]
61. Manager Web Interface using a Java-enabled web browser.
2. Click on the Administration > Configuration tab and then Identity Certification.

[Figure 3.20: Identity Certification. Administration > Configuration > Identity Certification screen with the options Certify Entitlements, Certify Roles, All Entitlements, Entitlements Outside Roles, High Privileged Entitlements, Integrate with IAM, Allow multiple open certifications per Business Unit, Hierarchical (Hierarchy Depth 3) and Require Revoke Comments; Pending Certification Notifications: First Reminder to Manager (Reminder Interval 2 days, Email Template "Certification Reminder Q1 SOX Audit Ending 3/31/07") and Second Reminder to Manager (Reminder Interval 4 days, Email Template "2nd Reminder Manager").]

This figure details the options available for configuring how you wish your certification to display access for attestation. When Roles are defined for your organization, a combination of Certify Roles and Entitlements Outside Roles will allow you to monitor Actual versus Assigned exceptions for a completed RBAC framework of attestation. Certify on A
62. [Figure 11.10: History Tab. Roles view for "Cash and Stock Reconciliation Clerk" (roles list also shows Finance Assistant, Loan Administrator, Management Accountant, Operations Generalist, Settlement Analyst, Trade Finance & Documentary Credits Clerk); the History tab shows Role Membership History, Policy History, Owner History and Attribute History, each with Show Details / Collapse.]

6. To view member addition and deletion history, select Show Details corresponding to Role Membership History.

[Screenshot: Roles view for "Finance Assistant", Role Membership History with columns Member Added, Member Removed and Requested By. Loan A
63. It works by examining two roles and reporting the intersection, meaning everything the two roles have in common will be reported. Cut-offs can be set and work similarly to the cut-offs used during the role mining process. The cut-off will filter the results and only show similarities between the two selected roles that fall above the cut-off percentage. This allows us to filter out many of the access similarities that are common across multiple roles, since they are more or less base-role-type accesses.

[Figure 12.6: Role Consolidation, Evaluating by Entitlements. A screenshot of the Role Consolidation screen evaluating similarity by entitlements; it shows Kappa index 0, Classification Model PctCorrect 0, Classification Model PctIncorrect 0, Valid Roles Used For Training 1.]

In this mode Role Manager analyzes two different roles and displays their similarity by comparing the number of policies they share.

[Figure 12.7: Role Consolidation Similarity Results. Roles: Cash and Stock Reconciliation Clerk; Comparison Roles and Similarity columns.]

Appendix 1: CloverETL How-To: Load/Unload Data From Database

How CloverETL Works with Databases

To simplify things, CloverETL uses JDBC to talk to databases. If your database
64.     StringBuffer strBuf = new StringBuffer(80);
    source = _source[0];
    target = _target[0];
    try {
        SetVal.setString(target, "name", GetVal.getString(source, "name"));
        SetVal.setString(target, "comments", GetVal.getString(source, "comments"));
        SetVal.setString(target, "endPoint", GetVal.getString(source, "endPoint"));
        SetVal.setString(target, "domain", GetVal.getString(source, "domain"));
        SetVal.setString(target, "suspended", getBooleanString(GetVal.getInt(source, "suspended")));
        SetVal.setString(target, "locked", getBooleanString(GetVal.getString(source, "locked")));
        SetVal.setString(target, "AcidAll", GetVal.getString(source, "AcidAll"));
        SetVal.setString(target, "AcidXAuth", GetVal.getString(source, "AcidXAuth"));
        SetVal.setString(target, "FullName", GetVal.getString(source, "FullName"));
        SetVal.setString(target, "GroupMemberOf", GetVal.getString(source, "GroupMemberOf"));
        SetVal.setString(target, "InstallationData", GetVal.getString(source, "InstallationData"));
        SetVal.setString(target, "ListDataResource", GetVal.getString(source, "ListDataResource"));
        SetVal.setString(target, "ListDataSource", GetVal.getString(source, "ListDataSource"));
        SetVal.setString(target, "M8All", GetVal.getString(source, "M8All"));
    } catch (Exception ex) {
        errorMessage = ex.getMessage() + " -> occured with record " + counter;
        return false;
    }
    counter
65. Sun Role Manager 4.1 Administration Guide. Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054, U.S.A. Part No. 820-5758, September 2008.

Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054, U.S.A. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more U.S. patents or pending patent applications in the U.S. and in other countries. U.S. Government Rights: Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, the Solaris logo, the Java Coffee Cup logo, docs.sun.com, Java, JDBC and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture develop
66. T
Database (JDBC) type → CloverETL type:
INTEGER → INTEGER
BIGINT → LONG
DECIMAL, DOUBLE, FLOAT, NUMERIC, REAL → NUMERIC
CHAR, LONGVARCHAR, VARCHAR, OTHER → STRING
DATE, TIME, TIMESTAMP → DATE
BOOLEAN, BIT → STRING (true value coded as "T", false value coded as "F")

The following example illustrates the conversion. First the DDL (Oracle DB) definition of the database table is presented, and then Clover's version of the same using its internal datatypes:

create table MYEMPLOYEER (
  EMP_NO NUMBER not null,
  FIRST_NAME VARCHAR2(15) not null,
  LAST_NAME VARCHAR2(20) not null,
  PHONE_EXT VARCHAR2(4),
  HIRE_DATE DATE not null,
  DEPT_NO CHAR(3) not null,
  JOB_CODE VARCHAR2(5) not null,
  JOB_GRADE NUMBER(4,2) not null,
  JOB_COUNTRY VARCHAR2(15) not null,
  SALARY NUMBER(15,2) not null,
  FULL_NAME VARCHAR2(35)
);

<?xml version="1.0" encoding="UTF-8"?>
<!-- Automatically generated from database null -->
<Record name="EMPLOYEE" type="delimited">
  <Field name="EMP_NO" type="numeric" delimiter="…" format="…"/>
  <Field name="FIRST_NAME" type="string" delimiter="…"/>
  <Field name="LAST_NAME" type="string" delimiter="…"/>
  <Field name="PHONE_EXT" type="string" nullable="yes" delimiter="…"/>
  <Field name="HIRE_DATE" type="date" delimiter="…" format="dd.MM.yyyy"/>
  <Field name="DEPT_NO" type="string" delimiter="…"/>
  <Field name="JOB_CODE" type="string" delimiter="…"/>
  <Fi
67. UT1" type="FIXLEN_DATA_READER_NIO" OneRecordPerLine="true" SkipLeadingBlanks="true" LineSeparatorSize="2" fileURL="${inputFile}"/>
<Node id="COPY" type="SIMPLE_COPY"/>
<Node id="OUTPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataWriter" fileURL="${outputFile}"/>
<Edge id="INEDGE1" fromNode="INPUT1:0" toNode="COPY:0" metadata="InMetadata"/>
<Edge id="OUTEDGE1" fromNode="COPY:0" toNode="OUTPUT1:0" metadata="OutMetadata"/>
</Phase>
</Graph>

These are the Record Definitions. The content of the file InAccounts.fmt is the same as the one on page 5. Below is the content of the file InAccountsFixedWith.fmt:

<?xml version="1.0" encoding="UTF-8"?>
<Record name="TestInput" type="fixed">
  <Field name="name" type="string" size="16"/>
  <Field name="comments" type="string" size="16"/>
  <Field name="endPoint" type="string" size="16"/>
  <Field name="domain" type="string" size="5"/>
  <Field name="suspended" type="string" size="10"/>
  <Field name="locked" type="string" size="10"/>
  <Field name="AcidAll" type="string" size="10"/>
  <Field name="AcidXAuth" type="string" size="10"/>
  <Field name="FullName" type="string" size="40"/>
  <Field name="GroupMemberOf" type="string" size="60"/>
  <Field name="InstallationData" type="string" size="60
68. Unauthorized Signer (04/06/2007), Initiate and Approve Gaurantee (04/06/2007), Initiate and Release Gaurantee (04/06/2007), Initiate and Modify Hierarchy (04/06/2007).]
[Figure 9.6: Add Rules to Policy.]

4. Check all desired Rules and click OK.

[Figure 9.7: Check Rules. Identity Audit > Policies > New Policy, listing the rules Check Receiver, Vendor Authorization Rule and Located in Los Angeles (1-3 of 3 records), with Add and Remove buttons.]

5. Set the logical condition operator between Rules (the options are AND and OR), and add more rules if required.
6. Click Next to go to the Remediators tab.
7. All violations of said policy will be assigned to this remediator, and appropriate email notifications will be sent. Click Search to display a search box for users. Select one user and click OK, and then Finish to save the policy.

[Screenshot: user search dialog, searching All Fields for "kgallagher". U
69. aWriter. We can read Excel files with the Node com.vaau.rbacx.etl.clover.components.ExcelDataReader. See Appendix 1 for the complete set of CloverETL Nodes.

Edge

An Edge connects Nodes. Nodes may have more than one input or output; to indicate which port we are connecting, we add a colon and the port number to the Node we want to connect:

<Edge id="INEDGE" fromNode="INPUT1:0" toNode="COPY:0" metadata="InMetadata"/>

In the above example we are connecting output port 0 of the Node INPUT1 to input port 0 of the Node COPY, and the records are described in the XML element InMetadata.

Phase

Transformation tasks are performed in phases. When the first phase is finished, the second starts, and so on.

Role Manager CloverETL extensions

The elements rbacxRegxLookupFiles and rbacxExecuteAlways are not part of the CloverETL graph definition; they are processed by the Role Manager ETL Manager. The attribute rbacxRegxLookupFiles is a regular expression for file names. ETL Manager scans the drop location with this regular expression; when it finds a file that matches this pattern, ETL Manager runs the graph with the following parameters:
- inputFile: absolute path of the file found in the Drop Location
- graphsLocation: Graph Location
- outputLocation: Output Location
- dropLocation: Drop Location
- outputFile: Absol
70. al;
import org.jetel.component.DataRecordTransform;

class reformatAccount extends DataRecordTransform {
    int counter = 0;
    DataRecord source;
    DataRecord target;

    public boolean transform(DataRecord[] _source, DataRecord[] _target) {
        StringBuffer strBuf = new StringBuffer(80);
        source = _source[0];
        target = _target[0];
        try {
            SetVal.setString(target, "name", GetVal.getString(source, "name"));
            SetVal.setString(target, "comments", GetVal.getString(source, "comments"));
            SetVal.setString(target, "endPoint", GetVal.getString(source, "endPoint"));
            SetVal.setString(target, "domain", GetVal.getString(source, "domain"));
            SetVal.setString(target, "suspended", getBooleanString(GetVal.getInt(source, "suspended")));
            SetVal.setString(target, "locked", getBooleanString(GetVal.getString(source, "locked")));
            SetVal.setString(target, "AcidAll", GetVal.getString(source, "AcidAll"));
            SetVal.setString(target, "AcidXAuth", GetVal.getString(source, "AcidXAuth"));
            SetVal.setString(target, "FullName", GetVal.getString(source, "FullName"));
            SetVal.setString(target, "GroupMemberOf", GetVal.getString(source, "GroupMemberOf"));
            SetVal.setString(target, "InstallationData", GetVal.getString(source, "InstallationData"));
            SetVal.setString(target, "ListDataResource", GetVal.getString(source, "ListDataResource"));
            SetVal.setString(target, "List
71. ame Attribute Category.
7. The Rename Attribute Category dialogue box appears. Enter the new name and save it.
8. In order to delete an Attribute Category, select the Attribute Category to be deleted and select the Delete tab.
9. A message appears to confirm the deletion. On clicking, the Attribute Category gets deleted.

Attributes

Attributes are the entitlements under each namespace which map to different objects in a namespace, such as a Database name in MS SQL Server, a UID in Unix, and so forth. Attributes are listed under Attribute Categories. Attributes are the fields which are defined under each namespace. Role Manager provides a detailed properties page for an attribute where all the details of an attribute can be defined. The various parameters which are used to define an attribute are:

Table 3.1 Attribute Parameters
Name: Name of the attribute.
Description: Description of the attribute.
Min Length: The minimum length which can be specified for an attribute.
Max Length: The maximum length which can be specified for an attribute.
Case: Specifies whether the attribute value can be upper or lower case.
Edit Type: Specifies the data type of the attribute.
Order: Specifies the order in which the attribute is listed or imported.
Min Value: The minimum value that the attribute can have.
Max Value: The maximum value that the att
72. ata Owner field to get a User Selection box. Select OK when all the values in this window have been selected.

[Figure 3.14: Attribute Value Details. Endpoints > Vaau Active Directory > Data Management > Attributes, showing Attribute Value and Glossary columns for Custom Attribute entries, Users' fax number, First name, Group Membership, Home Folder Path and Home Directory.]

8. The user-friendly value is now set as the glossary value for the attribute value. It can be used to provide information about the attribute value in more user-friendly terms to the end user, and it can be leveraged in decision making during various processes like certification, role mining, etc.
9. Similar to the Attribute Glossary, a Resource Glossary can be defined by selecting a Resource under an Attribute. The resource values, along with the glossary definition, are listed on the right pane.

Provisioning Servers

A Provisioning Server is one which creates user accounts on the target machines.
73. atus: The status that the role will be in while it is in this phase of the workflow. A Role can be in a few different status types during each step:
- Active: the Role is actively provisioning users.
- Inactive: the Role is suspended and is not provisioning users.
- Composing: the Role is not yet complete.
- Pending Approval: the Role is complete but is awaiting approval by the appropriate parties before becoming active.

Destination Step: Allows the admin to choose which step the role goes into once it completes the current step.

Assignee: The Global User, Role, Role Owner or Policy Owner who will be approving this step. After selecting the assignee, another window will open to search and locate the assignee from the group that was selected. Note: If multiple users are required as part of the approval step, then a role (a non-provisioning role) must be created containing all those users, and that role must be selected as the Assignee.

Due Date Options: This allows setting an expiry on the added step. Select the Enable Due Date Options checkbox. Fill in the value for the number of days that the step will be valid before it expires.

Reminder Options: These options can be used to send reminders notifying about the expiry of the added step a specified number of days before expiry, at the selected frequency. Select the Enable Reminder Options checkbox. Fill in the value for the number of days before the due date that the reminder will be sent. Select the reminder frequency and the form
74. be defined in Role Manager. The rule management feature provides a robust rule creation engine with a vast combination of user attributes, such as job codes, department, location, etc., and multiple conditions to assign and de-assign roles from users.

Identity Certification

Managing enterprise-wide attestation is a major challenge. Organizations must align a strategy to provide review of the granular entitlements of a user's access within the organization to the user's manager(s). Today there are various challenges involving this, with a single user having access to a multitude of platforms, systems and applications. Organizations must be able to manage the increasing costs associated with gathering user entitlements and distributing them to managers. They must also be able to manage the increased security risks associated with the escalating volume of gathering and distributing these entitlements. Also, federal requirements mandate the need to address Time-Based Certifications and Granular Entitlements, certify Contractors on Unique Schedules, set a Baseline and Certify Incremental Changes, and provide a Certification Dashboard of all the certifications issued. To help ensure all the above needs are met, Role Manager provides an Identity Certification module which enables easy handling of collecting and distributing user entitlements, and provides scheduled certifications on these entitleme
75. by a manager. Emails can be sent when a manager selects Does Not Work For Me or Revoke Access from the roles and entitlements certification screen. The configurable Access Revoke actions are: send email to security administrators on access revoke (by certification, by each namespace in the certification, or by each account in the certification, with an email template), and send email to HR when a user no longer works for the manager (by certification or by user, with an email template).
Figure 3-23: Configure Revoke Action
Configure Reporting Changes
Reporting actions can be configured with the Reporting Changes options on the Identity Certification configuration page. These options are relevant when considering the actions to be taken in the case of the employee verification options Does Not Work for Me, Terminated and Works for Someone Else. When reporting changes is enabled, the details of employees verified by selecting the options mentioned are recorded separately. The Create new certification per reporting manager option creates a new certification for each user selected as the actual certifier by using the Works for Someone Else option.
Steps to configure reporting changes:
1. Log into the Role Manager web interface using a Java-enabled web browser.
2. Click on the Administration > Configuration tab and then Identi
76. credentials and log in to Role Manager.
3. Go to Administration > Configuration > Namespaces.
4. Click on the New Namespace tab to add a new namespace.
Figure 3-3: New Namespace (dialog with Namespace Name, Short Name and Comments fields)
5. A dialog box appears where the user needs to enter the Name of the new namespace along with the Short Name of the namespace, which is a 3-letter abbreviation.
6. To rename a namespace, highlight the namespace and click on the Rename tab.
Figure 3-4: Rename Namespace
7. The Rename Namespace dialog box appears. Enter the new name and save.
8. In order to delete a namespace, select the namespace to be deleted and select the Delete tab.
(Figure residue: Configuration > Namespaces view listing namespaces such as UNIX ETC, Active Directory, MS SQL Server, Oracle and SAP R3, with the browser confirmation prompt "Do you want to delete UNIX namespace?")
77. d but may be useful for review.
Figure 8-11: Complete Employee Verification (Certification Details view for Q2 afida Role Cert: Start Date 02/13/2008, Business Unit afida, Number of Roles 2, Incremental, Created By rbacxadmin, Creation Date 02/13/2008, Last Updated By rbacxadmin, Last Update Date 08/23/2008; Export Options: the certification reports can be downloaded as PDF or XLS)
Completing a User Access Certification
8. Complete Employee Verification: select Works for Me, Does Not Work for Me, Terminated or Reports to Another Person. Click to change for all can be used to change all the users to the same status. The Does Not Work for Me, Terminated and Reports to Another Person options prompt a corresponding comments box where further information can be provided.
(Figure residue: My Certifications > test user cert_2100, Step 1 Employment Verification, with the prompt to verify the employment status of these employees before completing the certification, and a Does not work for me comments box)
78. trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. FireWire is a trademark of Apple Computer, Inc., used under license. Netscape is a trademark of Netscape Communications Corporation. Netscape Navigator is a trademark of Netscape Communications Corporation. Mozilla is a trademark of Netscape Communications Corporation in the United States and other countries. PostScript is a trademark of Adobe Systems Incorporated, which may be registered in certain jurisdictions. OpenGL is a registered trademark of Silicon Graphics, Inc. ORACLE is a registered trademark of ORACLE CORPORATION. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement the OPEN LOOK graphical user interface and otherwise comply with Sun's written license agreements. The products covered by this publication and the information it contains are governed by
79. de id="INPUT2" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="...02.dat"/>
<Node id="INPUT3" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="...03.dat"/>
<Node id="MERGE" type="MERGE" mergeKey="ShipName;ShipVia"/>
<Node id="OUTPUT" type="com.vaau.rbacx.etl.clover.domain.DelimitedDataWriter" fileURL="${outputFile}"/>
<Edge id="INEDGE1" fromNode="INPUT1:0" toNode="MERGE:0" metadata="InMetadata"/>
<Edge id="INEDGE2" fromNode="INPUT2:0" toNode="MERGE:1" metadata="InMetadata"/>
<Edge id="INEDGE3" fromNode="INPUT3:0" toNode="MERGE:2" metadata="InMetadata"/>
<Edge id="OUTEDGE" fromNode="MERGE:0" toNode="OUTPUT:0" metadata="InMetadata"/>
</Phase>
</Graph>
(The fileURL values of INPUT2 and INPUT3 are unreadable in the source apart from their "02.dat" and "03.dat" endings.)
Filter
This graph demonstrates the functionality of the Extended Filter component. It can filter on text, date, integer and numeric fields with comparison operators (>, <, and the like). Text fields can also be compared to a Java regexp using the regular-expression operator. A filter can be made of different parts separated by a logical operator (AND, OR). Parentheses for grouping individual comparisons are also supported, e.g. $Age > 10 and $Age < 20 or $HireDate < 2003-01-01. Filter works on a single input record, where the individual fields of the record are referenced using the dollar sign and
80. dministrator ... (Figure residue: Role Member History table listing members such as Farber, Abby; Thompson, Emma; Newton, Veronica; Fitzpatrick, Patricia; Low, Manny; Black, George; Brady, Lia; Davis, Peter, for roles such as Management Accountant, Operations Generalist and Documentary Credits Clerk, with change timestamps 03/15/2008 04:02:48 and 03/20/2008 08:00:22 by rbacxadmin; Page 1 of 1, 2 of 2 Records, Display 10; Policy History, Owner History and Attribute History panels with Show Details / Collapse links)
Figure 11-11: Role Member History
7. To view policy addition/deletion history, select Show Details corresponding to Policy History.
(Figure residue: Role Management > Roles view for the role Finance Assistant Assistant, showing the Role Membership History and Policy History panels with columns Modified By and Policies Removed, e.g. main_RM Policy_RACF_RACF_2008
81. e Edit Workflow screen (fields: Name, Description, Initial Actions, Steps).
Figure 11-3: Role Creation Workflow (Role Life Cycle Workflow; Actions: Store Workflow Input; Steps: Start Workflow, Policy Owner Approval, Role Owner Approval, Finish; Edit Workflows Actions: Start Workflow >> Policy Owner Approval; Approve Role >> Policy Owner Approval; Reject Role >> Delete Role; Auto Approval >> Role Owner Approval; Approved by all policy owners >> Role Owner Approval; step description: Stores data required for workflow, Assignee Type POLICY_OWNER, Assignee Operation Add; buttons Add Action, Add Step, Delete Step; status bar: RBACx 4.0.0 build 4.0.0.20080303001 GA)
From the Edit Workflow screen, click on Approve Role from the Policy Owner Approval step.
Workflow Design: Assign Policy and Role Owners
Figure 11-2: General Workflow Action Details (Workflow Action Details: General, Post Functions; Name: Approve Role; Destination Step: Policy Owner Approval; Enable Approval Selection; Approval Action / Rejection Action)
4. Select the Ass
82. e. This metadata can later be used by any DB-related component. Running the AnalyzeDB utility is simple; use a command like this:
java -cp cloverETL.rel-1-x.zip org.jetel.database.AnalyzeDB
AnalyzeDB needs several parameters to be specified. At least it must know how to connect to the database and which DB table to analyze. For specifying the database connection, the same DBConnection parameter file can be used (see the text above). For specifying which table to analyze, an SQL query must be specified; it is executed against the DB and the returned result set is examined for field types. This way only a portion of the table can be extracted/analyzed. See the following table for the complete list of options/parameters.
Parameter: Meaning
-dbDriver: JDBC driver to use
-dbURL: database name/URL
-config: config/property file containing the parameters
-user: user name
-password: user's password
-d: delimiter to use
-o: output file to use (standard is stdout)
-f: read the SQL query from the named file
-q: SQL query on the command line
-info: displays the list of the driver's properties
Example of using AnalyzeDB to get the field types of the employee DB table:
java -cp cloverETL.rel-1-x.zip org.jetel.database.AnalyzeDB -config postgres.sql -q "select * from employees where 1=0"
Using such a command, all the data fields will be examined. When only some of the fields should be extracted, specify them in the SQL query:
java -cp cloverETL.rel-1-x.zip or
83. e.
Figure 8-8: My Certifications, New and In Progress (table of certifications Q2 IT App Cert, Q2 afida Role Cert, Q2 User Cert IT, Q1 Web Conversion User cert and Q1 IT 4D App Cert, with columns Certification Name, Business Unit, Type (Application Owner, Role, User), Start Date, End Date, Created By, Updated By, Creation Date and Last Update Date; 1-5 of 5 Records, Display 10; actions Edit Certification, Complete Certification, View Reports, View Reminder Logs. Click on the certification's name to work on the certification; mouse over the certification's name to view a summary.)
5. Select the appropriate value in the drop-down option Show Me to get the desired certifications view.
6. The Search panel can be accessed by clicking the expand icon. Use the Search panel to search within the current certification view. Search can be done on the Certification Name, Business Unit, Created By and Updated By fields. Search conditions can be created using Begins With, Ends With, Contains and Equals To.
84. e files at the same time and can insert or update the Role Manager database using different batch sizes. The IAM service requires a schema file (.rbx) corresponding to each feed type.
Schema Files
Schema files are templates for data feeds. The IAM Service uses a regular expression to pick a schema file to parse a data feed. For example, using the following regular expression, the IAM service links the data feeds to their corresponding schema file. Remember, each namespace has its own schema file when importing accounts:
<shortnamespacename>\w*accounts\w*
where the first \w matches any alphanumeric character and the second any alphanumeric character or dot.
Following is an example of a Top Secret schema file. The uncommented row of the file should have the account attributes or account namespace attributes separated by commas. The names of the account attributes are case sensitive.
#iam.namespace.name=CA Top Secret
#iam.namespace.shortName=tss
name<Correlationkey>,comments,endPoint,domain,suspended,locked,AcidAll,AcidXAuth,FullName,GroupMemberOf,InstallationData,ListDataResource,ListDataSource,M8All
In the above example, name, comments, endPoint, domain, suspended and locked are account attributes, and AcidAll, AcidXAuth, FullName, GroupMemberOf, InstallationData, ListDataResource, ListDataSource and M8All are namespace attributes. The field name is used as the Correlation Key. The correlation key is used to link the user with the account. The import proce
85. e functionality to transform the data feeds before they are put into the drop location. For example, Role Manager has the ability to read Excel and raw data files using the transformation graphs. Transformation graphs are XML files that contain state-machine-style processing instructions. Further details are given in the Transformation Graphs section. Following is the overall processing of data feeds:
Figure 7-1: Role Manager ETL Process (ETL graphs feed the RBACX IAM Service, which loads the RBACX RDBMS using the schema location)
Transformation Process
Role Manager transforms data files dropped into the ETL drop location using the transformation graphs. Role Manager uses CloverETL to perform all the transformation processing. At the end of the transformation, the ETL Manager writes the files to a specified drop location, which is usually configured as the input for the IAM Service.
Transformation Graphs
Graphs are XML files that contain state-machine-style processing instructions. The basic elements in graphs are Parameters, Nodes, Edges, Metadata and Phases. Following is an example of an ETL graph.
Figure 7-2: Sample ETL Graph (INEDGE -> TRANSFORM -> OUTEDGE)
<Graph name="testing" rbacxRegxLookupFiles="tss\w*accounts\w*">
<Global>
<Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/TSSAccount.fm
86. ecified for jobOwnerName (optional) -->
<entry key="jobOwnerName"><value>REPLACE ME</value></entry>
<!-- multiple user names can be specified as comma delimited, e.g. user1,user2 (optional) -->
<entry key="usersToNotify"><value>REPLACE ME</value></entry>
<entry key="IAMActionName"><value>ACTION_IMPORT_USERS</value></entry>
<entry key="IAMServerName"><value>FILE_SERVER</value></entry>
<!-- Job chaining, i.e. specify the next job to run (optional) -->
<entry key="NEXT_JOB"><value>rolesImportJob</value></entry>
</map>
</property>
</bean>
Figure 10-1: jobs.xml
Role Manager Scheduling
<!-- 1. Define a job in jobs.xml. 2. Add a reference to the job below. -->
<ref bean="usersImportJob"/>
<!-- <ref bean="accountsImportJob"/> -->
<!-- <ref bean="rolesImportJob"/> -->
<ref bean="glossaryImportJob"/>
<!-- <ref bean="policiesImportJob"/> -->
<!-- <ref bean="certificationReminderJob"/> -->
<ref bean="reportReminderJob"/>
<!-- <ref bean="stableFolderCleanUpJob"/> -->
<!-- <ref bean="accountsMaintenanceJob"/> -->
<ref bean="rmeJob"/>
</list>
</property>
<property name="triggers">
<list>
<!-- Uncomment
87. ection="InterbaseDB" dbTable="myemployee" dbFields="FIRST_NAME;LAST_NAME" cloverFields="LAST_NAME;FIRST_NAME"/>
<Edge id="INEDGE" fromNode="INPUT:0" toNode="OUTPUT:0" metadata="InMetadata"/>
</Phase>
</Graph>
The resulting mapping between the fields specified in the example above is:
Source field (CloverETL) -> Target field (DB table)
LAST_NAME -> FIRST_NAME
FIRST_NAME -> LAST_NAME
Executing SQL DML/DDL Statements against the DB (DBExecute Component)
Sometimes you need to execute single or multiple commands against the DB which do not require any input: for example, create a new table, add a data partition, drop an index, or something totally different. For this, CloverETL offers the DBExecute component, which takes the specified commands and executes them one by one against the DB. You may define whether all commands form one transaction or whether there should be a DB commit after each command. Following is a simple example of DBExecute:
<?xml version="1.0" encoding="UTF-8"?>
<Graph name="TestingExecute">
<Global>
<DBConnection id="InterbaseDB" dbConfig="interbase.cfg"/>
</Global>
<Phase number="0">
<Node id="DBEXEC" type="DB_EXECUTE" dbConnection="InterbaseDB" inTransaction="N">
<SQLCode>
create table EMPLOYEE (EMP_NO NUMBER not null, FIRST_NAME VARCHAR2(15) not null, LAST_NAME VARCHAR2(20) not null, PHONE_EXT VARCHAR2(4), HIRE_DATE DATE not null, DEPT_NO CHAR(3) not null
88. ed by Sun Microsystems, Inc. FireWire is a trademark of Apple Computer, Inc., used under license. Netscape and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation. Mozilla is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries. PostScript is a trademark or registered trademark of Adobe Systems Incorporated, which may be registered in certain jurisdictions. OpenGL is a registered trademark of Silicon Graphics, Inc. ORACLE is a registered trademark of ORACLE CORPORATION. The OPEN LOOK and Sun(TM) Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements. Products covered by and information contained in this publication are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical or biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S.
89. eering ... (Figure residue: My Certifications view with columns Type (Application Owner, Role, User), Business Unit (Information Technology, Web Conversion), Start Date (03/14/2008, 02/13/2008, 02/07/2008), End Date, Created By and Updated By (rbacxadmin), Creation Date and Last Update Date (04/30/2008, 02/13/2008, 02/07/2008); 1-5 of 5 Records, Display 10; actions Edit Certification, Complete Certification, View Reports, View Reminder Logs. Click on the certification's name to work on the certification; mouse over the certification's name to view a summary.)
The created certification jobs can be viewed from the Certification Jobs view. When a job is run using the Run now or schedule features, it will be available in the certifier's My Certifications view.
View and Search Certifications
The My Certifications view under the Identity Certifications tab provides the main interface in Sun Role Manager to view and access certifications. By default the view shows New and In Progress certifications. Filters are provided to view All or any combination of New, In Progress, Complete and Expired certifications. For further precision, a certificat
90. (Table of contents; only the entries legible in the source are kept, with their printed page numbers)
Role Engineering and Management 12
Chapter 3: Role Manager Configuration 19
System Configuration 19
Proxy Assignment Notification 19
Mail Server Settings 20
Configure Email Notification 40
Configure Revoke Action 41
Configure Reporting Changes 42
Chapter 4: Role Manager Security 45
Chapter 5: Data Correlation 57
Chapter 6: Role Manager Logging 65
Chapter 7: Role Manager ETL Process 73
Introduction 73
Transformation Process 74
91. eld name="JOB_GRADE" type="numeric" delimiter=";"/>
<Field name="JOB_COUNTRY" type="string" delimiter=";"/>
<Field name="SALARY" type="numeric" delimiter=";"/>
<Field name="FULL_NAME" type="string" nullable="yes" delimiter="\n"/>
</Record>
CloverETL to JDBC
The reverse conversion, from CloverETL to JDBC data types, usually done when populating a target DB table, is again driven by JDBC data types. There are some exceptions caused by the non-existence of certain field types on CloverETL's side. These exceptions are handled automatically by CloverETL. Internally it is done by calling different-than-standard JDBC methods for populating DB fields with values. See the following table for an explanation; see the source code of org.jetel.database.CopySQLData to get complete insight.
JDBC type -> CloverETL type: conversion performed
Timestamp -> Date: the Date is converted to a Timestamp and the target is set using the setTimestamp method.
Boolean, Bit -> String: if the string contains T or t, the target is set to True, otherwise False, using setBoolean.
Decimal, Double, Numeric, Real -> Integer: a conversion from Integer to Decimal is made; the target is set using the setDouble method.
Other (includes NVARCHAR and NCHAR) -> String: the target is set using the setString method.
Using the AnalyzeDB utility
The CloverETL package contains a simple utility which can analyse a source or target database table and produce Clover's metadata description fil
92. elp ...
Figure 12-1: New Role Provisioning Rule (Administration > Role Provisioning Rules / Role Consolidation > New Rule; Rule Name: Base Employee Chicago; Rule Description: Role given to employees working from Chicago)
4. Click Next and you will be taken to the Rule Conditions screen. Here you can define the various rules to select a group of users and assign them to a role. To add more rules, click the Add button. Each rule by default is separated by an AND operator. The number of rule conditions is not limited.
Figure 12-2: Rule Conditions (columns Attribute, Condition, Value, e.g. attribute building with value Chicago5422 and attribute countryOrRegion; conditions include is null, is not null and does not contain; Add / Remove buttons)
5. Once all the conditions have been set, click Next and select the Role to which these users will be assigned.
(Figure residue: Role Manager navigation bar)
93. Role Provisioning Rules: Rule-Based Role Assignment and Role Consolidation
Role Consolidation
Over time, enterprises end up with roles that are very similar. It becomes difficult to consolidate these roles since they contain overlapping users and access. The Role Consolidation engine built into Role Manager can analyze and consolidate roles on the basis of either Memberships (users) or Entitlements (access).
Figure 12-5: Rule Consolidation Comparison (Choose consolidation based on Role Membership or Entitlements; two role lists with a Select All checkbox, each listing Cash and Stock Reconciliation Clerk, Finance Assistant Assistant, Loan Administrator, Management Accountant, Operations Generalist, Settlement Analyst and Trade Finance & Documentary Credits Clerk; Back, 1 to 100 Records, Next 100)
94. er: Business Unit Manager; Start Date: 08/23/2008; End Date: 08/23/2008.
Figure 8-5: Period and Certifier, Customize Configuration and Email Template (General: Certify Entitlements, Certify Roles; All Entitlements, Entitlements Outside Roles, High Privileged Entitlements; Integrate with IAM; Allow multiple open certifications per Business Unit; Hierarchical, Hierarchy Depth 3; Require Revoke Comments; Pending Certification Notifications: First Reminder to Manager, Reminder Interval 2 days; Email Template: Certification Reminder Q1 SOX Audit Ending 3/31/07)
17. The final configuration summary page opens. The certifier field will display the name of the user selected if the Select option was used, and Business Unit Manager if the business unit manager option was chosen. If the user selection strategy used was By Business Unit, the number of business units selected will be displayed. If the user selection strategy used was By User Selection, the number of users selected will be displayed. Click the View button to view the names of the business units or users.
(Figure residue: New Identity Certification, Create Certification > User Selection Strategy > By Business Unit > Period And Certifier > Summary; Certification Name TEst, Certifier Podgur Alice, Start Date 08/26/2008, End Da
95. ers Added, Owners Removed, Date ... (Figure residue: Owner History table, e.g. Settlement Analyst and Trade Finance & Documentary Credits Clerk, owner Fida Amad, 03/15/2008 04:04:37, rbacxadmin; Page 1 of 1, 1 of 1 Records, Display 10)
Figure 11-13: Owner History
9. To view attribute modification history, select Show Details corresponding to Attribute History. This displays the Attribute Name, Old Value and New Value along with the timestamp and user.
(Figure residue: Role Management > Roles view for Finance Assistant Assistant with the Role Membership History, Policy History, Owner History and Attribute History panels; Attribute History columns AttributeName, Old Value, New Value, Attribute Modification, Update Date, Update User; e.g. 03/15/2008 04:04:37, rbacxadmin, statusK
96. ertification.
Audit Analyst / Auditor: accesses the Identity Certification Dashboard to view the progress of each certification and view reports of completed certifications.
Identity Certification Dashboard
The Identity Certification Dashboard provides a single view for statistical information regarding certifications. The dashboard provides panels for:
- A bar graph representation of the number of new, in progress, complete and expired certifications for each of the three types of certification (user access, role entitlement and application owner).
- A summary of the total number of users, accounts, namespaces and endpoints involved in the certification process.
- A pie chart representation of the certified, revoked and incomplete certification of accounts in User Account Certifications.
- A pie chart representation of the certified, revoked and incomplete certification of roles in Role Entitlement Certifications.
- A listing of the average number of certifications per business unit, roles per user, accounts per user, and users in business units.
- A graph representing the notifications issued in the last week.
The dashboard can be a great tool for monitoring certification progress.
(Figure residue: Sun Role Manager navigation bar)
97. erver IP address and host name (Role Manager Address).
In addition to the audit events, the import logs for the various feed imports are recorded in Role Manager. The import logs are again divided into three categories:
- User Import
- Account Import
- Glossary Import
The details captured by the import logs are:
Imported By: outlines the method used to import the feed files; in this case this will be represented as BATCH.
Source: denotes the source of the import; for this version all imports will be FILE_IMPORT.
Import Type: denoted as Accounts, Glossary or Users depending on the type.
Total number of records: the total number of records in the feed file.
Records Imported: the total number of records imported by Role Manager.
Number of Errors: the number of errors encountered during the feed import.
Start Time: start time of the import.
End Time: end time of the import.
Read Time: NA.
End Time: NA.
Description: the file name is specified in the description.
To review the audit events in Role Manager, follow these steps:
1. Log into the Role Manager web interface using a Java-enabled web browser.
2. Click the System tab.
3. Search on User or Actions as needed.
4. Select the time period (From and To calendars) as needed.
5. Click to run the search. Result: the events matching the search criteria are displayed.
98. erver Settings: System Email wbacx@vaau.com; RBACx URL http://localhost:8282/rbacx
Figure 3-2: Role Manager Server Settings
Namespaces
A Namespace is an application or a target system which needs to be defined in Role Manager. A Namespace is a collection of all the systems such as UNIX, WINDOWS NT, SAP, ORACLE and so on. Custom applications can also be defined as Namespaces in Role Manager. Role Manager provides a detailed description of all the user entitlements. Some of the user entitlements have various levels of hierarchy associated with them, and all these levels can be defined in Role Manager. The metadata module in Role Manager helps define the entitlement details as well as the n-level hierarchy of entitlements. Role Manager provides the metadata module, which enables the user to define applications and the detailed list of entitlements for these applications. In addition, the metadata model can be used to define the various levels of hierarchy associated with the user entitlements. The metadata is defined in Role Manager through the Configuration section, and the order in which the attributes need to be defined for the metadata is Namespaces > Attribute Categories > Attributes.
Steps to create, rename and delete a namespace:
1. Start Role Manager by clicking on the Role Manager icon.
2. The login dialog box appears. Enter the Admin
99. esired attribute, condition and value.
8. To add another object to the Audit Rule, click Add.
Figure 9-3: Add Audit Rules (Identity Audit > Policies > Rules > New Rule, with Description and Conditions (Attribute, Condition), e.g. attributes location and AcctRole)
9. Click Add when rule creation is complete.
(Figure residue: Rules list with columns Rule Name, Description, Created Date and Updated Date: Check Issuer 08/11/2006, 06/01/2007; Check Receiver 08/11/2006, 08/11/2006; Vendor Authorization Rule 09/29/2006, 06/01/2007; Located in Los Angeles 10/10/2006, 11/28/2006; Vaau IT Operations Analyst 11/28/2006, 04/19/2007; Unauthorized Bank Account 04/06/2007, 04/06/2007; Unauthorized Signer 04/06/2007, 04/06/2007; Initiate and Approve Gaurantee 04/06/2007, 04/06/2007; Initiate and Release Gaurantee
Figure 3.10 Delete Attribute (Namespaces screen listing the UNIX/ETC attributes FullName, uid, InitProg, HomeDir, PrimaryGroup, GroupNames (Group Names), MasterDirectory (Master Directory for Uid) and NextFreeMinUID (Minimum for the next free UID search range), with the confirmation dialog "Do you want to delete UNIX namespace?").

10. A message appears to confirm the deletion. On confirming, the Attribute is deleted.

Glossary

Most of the values for Attributes and Resources do not make sense to a user's manager. User-friendly names for all attributes and resources can be defined under the Glossary. The Metadata defines the schema of the data represented in Role Manager; a complete list of all attribute and resource values, together with their friendly names, can be viewed in the Glossary section.

Steps to create and modify Glossary entries
1. Start the Role Manager Java Applet by clicking the Role Manager Java Applet icon.
2. The login dialog box appears. Enter the Admin credentials and log in to Role Manager.
3. Go to Identity Warehouse > Endpoints.
Figure 11.14 Show Attribute Details (role change history, 4 records):

Date | Changed By | Attribute | Old Value | New Value
 | | | Composing | Active
03/15/2008 04:06:48 | rbacxadmin | roleName | Role 2 RM Fri Mar 14 15:32:14 PDT 2008 | Business Analyst
03/15/2008 04:36:06 | rbacxadmin | roleName | Business Analyst | Finance Assistant
03/20/2008 08:05:45 | rbacxadmin | roleName | Finance Assistant | Finance Assistant Assistant

10. To view certification history, select Show Details next to Certification History.

Role Status

As a role progresses through the steps of a workflow it can be set to one of the following statuses:
- Active: the role is actively provisioning users.
- Inactive: the role is suspended and is not provisioning users.
- Composing: the role is not yet complete.
- Pending Approval: the role is complete but is awaiting approval by the appropriate parties before becoming active.
- Decommissioned: the role is disabled and will no longer be used.

Chapter 12 Role Provisioning Rules: Rule-Based Role Assignment and Role Consolidation

Role Manager can assign roles to new or existing users on the basis of pre-defined rules or criteria. The rules are usually based on HR attribu
of Account
1. Start Role Manager by clicking the Role Manager icon.
2. The login dialog box appears. Enter your credentials and log in to Role Manager.
3. Select the Identity Warehouse tab and then the Users tab.
4. Select a user.
5. Select the Accounts tab.
6. Select the account(s) whose ownership is to be changed by selecting the corresponding checkbox.

Figure 5.3 Select Accounts (accounts of user Andy Grey, 1-4 of 4 records):

Account Name | Account Type | Endpoint | Domain | Namespace Name
agrey | Provisioning account | Vaau Active Directory 00 10 | VAAUIT | ActiveDirectory
agrey | Provisioning account | SAP Production 200 | | SAP R3
agrey | Provisioning account | RACF | | RACF
agrey | Provisioning account | Prod 03 500 | | ACF2

7. Select the Change Owner tab.

Search for the new owner by User Name, First Name or Last Name (Advanced Search is also available). Search results, 1-10 of 12 records:

User Name | First Name | Last Name
aPodgur | Alice | Podgur
aTomkins | Amanda | Tomkins
alBrighi | Albert | Brighi
alPodgur | Alice | Podgur
aPerry | Andy | Perry
avij | Atul | Vij
aHarmsen | Arueet | Harmsen
awhite | Alice | White
afarber | Abby | Farber
agrey | Andy | Grey
offers a default value to be specified for each field. This value is used when the field is assigned null but null is not allowed for it. At first sight this contradicts what was stated before, but only at first sight. The following example shows fields with specified default values (the delimiter values and the OrderID format did not survive on this page; ";" and "#" are used below as stand-ins):

  <?xml version="1.0" encoding="UTF-8"?>
  <Record name="Orders" type="delimited">
    <Field name="OrderID" type="numeric" delimiter=";" format="#"/>
    <Field name="OrderDate" type="date" delimiter=";" format="dd.MM.yyyy" default="01.01.1900" nullable="no"/>
    <Field name="Amount" type="number" delimiter="\n" default="0.0" nullable="no"/>
  </Record>

In this example OrderDate defaults to 1.1.1900 if it is not present in the text data from which the record is parsed. In general, whenever this field is assigned a null value, the specified default value is assigned instead. The same holds for the Amount field, except that its default is 0. One more important note: this behaviour is not the default and concerns only data parsers. If your own code attempts to assign a null value to a non-nullable field, BadDataFormatException is raised. If you use any of Clover's data parsers, you may specify a DataPolicy which states what should happen when a parsed value cannot be assigned to a data field, as when the value is null and the field is
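To make the nullable/default/DataPolicy behaviour concrete, here is an added example that is not CloverETL code: a small delimited-record parser driven by the same Record/Field XML shape. It substitutes the default for a missing non-nullable field, raises BadDataFormatException for unassignable values under a strict policy, and falls back to the default under a lenient one. The policy names "strict" and "lenient", the ";" delimiters and the sample lines are assumptions for this example.

```python
"""Added example, not CloverETL code: apply nullable/default semantics while parsing
delimited records whose metadata comes from Record/Field XML. Delimiters, the
DataPolicy names and the sample input are constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Any, Dict, List, Optional


class BadDataFormatException(ValueError):
    """Raised when a value cannot be assigned to a field (mirrors the name used above)."""


# Constructed metadata; ";" delimiters are assumed.
RECORD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Record name="Orders" type="delimited">
  <Field name="OrderID"   type="numeric" delimiter=";"/>
  <Field name="OrderDate" type="date"    delimiter=";" format="dd.MM.yyyy" default="01.01.1900" nullable="no"/>
  <Field name="Amount"    type="number"  delimiter="\\n" default="0.0" nullable="no"/>
</Record>"""


def load_fields(record_xml: str) -> List[Dict[str, Any]]:
    """Read the Field elements into plain dicts; a field is nullable unless nullable="no"."""
    root = ET.fromstring(record_xml)
    return [dict(name=f.get("name"), type=f.get("type"), fmt=f.get("format"),
                 default=f.get("default"), nullable=f.get("nullable", "yes") == "yes")
            for f in root.findall("Field")]


def convert(field: Dict[str, Any], text: str) -> Any:
    """Convert raw text to the field's type; raise BadDataFormatException on garbage."""
    try:
        if field["type"] == "numeric":
            return int(text)
        if field["type"] == "number":
            return float(text)
        if field["type"] == "date":
            # dd.MM.yyyy is mapped onto strptime's %d.%m.%Y (assumed mapping)
            fmt = field["fmt"].replace("dd", "%d").replace("MM", "%m").replace("yyyy", "%Y")
            return datetime.strptime(text, fmt).date()
    except ValueError as exc:
        raise BadDataFormatException(f"{field['name']}: {text!r}") from exc
    return text


def assign(field: Dict[str, Any], text: Optional[str], policy: str) -> Any:
    """Assign a parsed value. Null into a non-nullable field takes the default if one
    exists; 'strict' raises on unparsable text, 'lenient' falls back to the default."""
    if text is None or text == "":
        if field["nullable"]:
            return None
        if field["default"] is not None:
            return convert(field, field["default"])
        raise BadDataFormatException(f"{field['name']}: null not allowed and no default")
    try:
        return convert(field, text)
    except BadDataFormatException:
        if policy == "lenient" and field["default"] is not None:
            return convert(field, field["default"])
        raise


def parse_record(line: str, fields: List[Dict[str, Any]], policy: str = "strict") -> Dict[str, Any]:
    parts: List[Optional[str]] = list(line.split(";"))
    parts += [None] * (len(fields) - len(parts))   # missing trailing fields count as null
    return {f["name"]: assign(f, p, policy) for f, p in zip(fields, parts)}


def is_bad(line: str, fields: List[Dict[str, Any]], policy: str = "strict") -> bool:
    """True if the line is rejected under the given policy."""
    try:
        parse_record(line, fields, policy)
        return False
    except BadDataFormatException:
        return True


FIELDS = load_fields(RECORD_XML)

if __name__ == "__main__":
    print(parse_record("42;;", FIELDS))                 # defaults fill the two empty fields
    print(parse_record("7;garbage;1", FIELDS, "lenient"))
```

Note the difference the policy makes: an empty OrderDate is silently replaced by 1.1.1900 under both policies, but an unparsable OrderDate is an error under "strict" and a default under "lenient"; a loader that picks "lenient" is choosing to accept records whose dates it has lost.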
Completing a Role Entitlement Certification ... 113
Completing an Application Owner Certification ... 117
Chapter 9 Identity Audit ... 121
Audit Rules and Policies ... 121
(entry unreadable) ... 122
Create Audit Rules and Audit Policies ... 122
Create Audit Rules ... 123
Create Audit Policies ... 126
Scan Audit Policy Violations ... 129
Open (entry unreadable) ... 132
Manage Life Cycle of Audit Violation ... 134
Chapter 10 Role Manager Scheduling ... 137
UI Based Import Export Scheduler ... 138
File Based Import Export Scheduler ... 141
Scheduling Configurations ... 145
Scheduling Reports ... 145
Scheduling Reminder Emails ... 148
Scheduling Role Mining Task ... 149
Chapter 11 Role Management and Designing Workflows ... 153
Workflow (entry unreadable) ... 153
Workflow Design: Assign Policy and Role Owners
using a combination of correlation rules and expressions. Role Manager also provides manual correlation, which lets a user correlate accounts that have no user associated with them (orphan accounts) and change the association of already correlated accounts.

Correlation Rules

Correlation rules are defined in the schema (.rbx) files under the Role Manager schema folder. Once defined, the rules are evaluated in the order in which they appear in the schema file. Below is an example of a schema file with multiple correlation rules:

  <!-- Correlation Rules -->
  <namespace name="Summarization" shortName="SUM">
    <IdentityCorrelationRule rule="$globalUser.userName=$account.userName"/>
    <IdentityCorrelationRule rule="$globalUser.FirstName=$account.FirstName"/>
    <IdentityCorrelationRule rule="$globalUser.LastName=$account.LastName"/>
    <IdentityCorrelationRule rule="$globalUser.MiddleName=$account.FirstName(1,1)$account.LastName"/>
    <IdentityCorrelationRule rule="$globalUser.userName=defaultuser"/>

(The account attributes declared in the same schema include userName, endPoint, domain, comments, suspended, locked, name, FunctionCode, FirstName, MiddleName and LastName.)

As shown in the example above, the left side of each rule (before the "=") refers to the global user and the right side refers to the account. Only
g.jetel.database.AnalyzeDB -config postgres.sql -q "select emp_no, full_name from employees where 1=0"

DBInputTable component

To unload data from a database table, use the DBInputTable component. It requires a DBConnection (the dbConnection parameter) and a SQL command (the sqlQuery parameter) that is executed against the database specified by the DBConnection. Individual fields fetched from the database are mapped onto Clover data record fields (see the JDBC-to-CloverETL table); the structure of the Clover record is determined by the Clover metadata assigned to the Edge that connects DBInputTable with the next component. Example of a transformation graph that uses the DBInputTable component:

  <?xml version="1.0" encoding="UTF-8"?>
  <Graph name="TestingDB">
    <Global>
      <Metadata id="InMetadata" fileURL="metadata/employee.fmt"/>
      <DBConnection id="PosgressDB" dbConfig="Posgress.cfg"/>
    </Global>
    <Phase number="0">
      <Node id="INPUT" type="DB_INPUT_TABLE" dbConnection="PosgressDB" sqlQuery="select * from employee"/>
      <Node id="OUTPUT" type="DELIMITED_DATA_WRITER_NIO" append="false" fileURL="employees2.list.out"/>
      <Edge id="INEDGE" fromNode="INPUT:0" toNode="OUTPUT:0" metadata="InMetadata"/>
    </Phase>
  </Graph>

The SQL command (sqlQuery) can be more complicated than the example above suggests. You can use any valid SQL construct, but make sure
Figure 12.3 Select Role (Identity Certification > Role Provisioning Rules > New Rule: New Role Provisioning Rule, Role: Finance Assistant Assistant).

6. This leads to the Unassign Rule Option page. These options are applied to unassign roles based on the conditions created for the rule in step 4: any user who has the role assigned but does not satisfy all of the rule's conditions will have the role de-assigned when the rule is evaluated.

Figure 12.4 Unassign Rule Option (New Role Provisioning Rule > Unassign Rule Option: "In case of any changes to attributes and their values, the following should take place": Remove Role Immediately; Remove Role After N Days; Notify Administrator (Choose Template); No Changes).

7. When the unassign options have been selected, click Finish to save the rule.
the second rule and the intersection is made, we will probably find that only one global user meets both rules.
- The default correlation rule, which associates users with their entitlements on the basis of their user IDs, is $globalUser.userName=$account.userName.

Note: The correlation method used in previous versions of Role Manager, using the <correlationkey> tag, also works with Role Manager 4.1, so old schema files do not need to be changed.

Examples

Assume a user has the attributes FirstName = John and LastName = Cook. Various pattern-matching expressions can be written to match users to their entitlements. The following patterns give these results:

$account.FirstName$account.LastName -> JohnCook
$account.FirstName(10), left-justified -> "John      "
$account.FirstName(10), right-justified -> "      John"
$account.FirstName(_10), left-justified -> "John______" (the underscore is the fill character)
$account.FirstName(_10), right-justified -> "______John"
$account.FirstName(3) -> John (a minimum of 3; a longer value is not truncated)
$account.FirstName(5) -> "John " (padded to the minimum of 5)
$account.FirstName(2,3), right-justified -> ohn
$account.FirstName(2,3), left-justified -> Joh
$account.FirstName(1,1) -> J
$account.FirstName(1,1)$account.LastName -> JCook
$account.FirstName(1,1) $account.LastName -> J Cook (literal text between the two expressions is copied into the result)

Note: One sign left-justifies the text and the other right-justifies it. The first number inside the parentheses indicates the minimum number of characters
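The rule evaluation described in the Correlation Rules section and the pattern syntax in the examples above, as an added example that is not Role Manager code: it expands $account.Attr(min,max) patterns for one account and narrows the candidate global users rule by rule, taking the intersection as the text describes. The justification and fill syntax inside the parentheses is an assumption: "-" left-justifies (the default), "+" right-justifies, and a single non-digit character before the width (for example "_") is the fill character. The account and global-user records are constructed.

```python
"""Added example, not Sun Role Manager code: evaluate $account.Attr(min,max)
correlation patterns and intersect the global users matched by successive rules.
Sign/fill syntax ('-' left, '+' right, optional fill character) is assumed."""
import re
from typing import Dict, List, Optional, Set

# $account.Attr optionally followed by ( [sign] [fill] min [,max] )
TOKEN = re.compile(r"\$account\.(\w+)(?:\(([-+])?([^\d\-+,)])?(\d+)(?:,(\d+))?\))?")


def format_attr(value: str, sign: str, fill: str, min_len: int, max_len: Optional[int]) -> str:
    """Pad to min_len with fill and truncate to max_len. Right-justified output keeps
    the tail of the value and pads on the left; left-justified keeps the head."""
    if max_len is not None and len(value) > max_len:
        value = value[-max_len:] if sign == "+" else value[:max_len]
    if len(value) < min_len:
        pad = fill * (min_len - len(value))
        value = pad + value if sign == "+" else value + pad
    return value


def evaluate(pattern: str, account: Dict[str, str]) -> str:
    """Expand a pattern such as '$account.FirstName(1,1)$account.LastName' for one
    account; literal text between tokens is copied through unchanged."""
    def repl(m: "re.Match[str]") -> str:
        attr, sign, fill, lo, hi = m.groups()
        value = account.get(attr, "")
        if lo is None:
            return value
        return format_attr(value, sign or "-", fill or " ", int(lo), int(hi) if hi else None)
    return TOKEN.sub(repl, pattern)


def correlate(rules: List[str], account: Dict[str, str],
              global_users: List[Dict[str, str]]) -> Set[str]:
    """Rules look like '$globalUser.userName=$account.userName'. Each rule narrows the
    candidate set; the result is the intersection over all rules."""
    candidates = {u["userName"] for u in global_users}
    for rule in rules:
        left, right = rule.split("=", 1)
        attr = left[len("$globalUser."):] if left.startswith("$globalUser.") else left
        expected = evaluate(right, account)
        candidates &= {u["userName"] for u in global_users if u.get(attr) == expected}
    return candidates


# Constructed sample data: two global users share a first name, so the first rule
# alone is ambiguous and the second rule resolves it.
ACCOUNT = {"userName": "jcook", "FirstName": "John", "LastName": "Cook"}
GLOBAL_USERS = [
    {"userName": "jcook", "FirstName": "John", "LastName": "Cook"},
    {"userName": "jsmith", "FirstName": "John", "LastName": "Smith"},
]
RULES = ["$globalUser.FirstName=$account.FirstName",
         "$globalUser.LastName=$account.LastName"]

if __name__ == "__main__":
    print(correlate(RULES[:1], ACCOUNT, GLOBAL_USERS))   # two candidates
    print(correlate(RULES, ACCOUNT, GLOBAL_USERS))       # one survivor
```

The practical caveat this shows: a rule set that ends with a still-ambiguous candidate set must not be resolved by picking an arbitrary user, or an orphan account gets attached to the wrong identity; such accounts should fall through to manual correlation.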
Figure 8.3 Period and Certifier (Certifier: Business Unit Manager; Start Date 08/26/2008; End Date 08/27/2008; Customize Configuration and Email Template checkbox).

12. Certifier can be set to Business Unit Manager, in which case a separate certification is created for each distinct business unit in the user set selected for the certification.
13. The Select option for certifier allows the advanced user search and quick search to be used to find the global user who is to be the certifier. Click the search button that appears when the Select option is chosen.
14. Select the user from the search results who is to be the certifier and click OK.
15. Sun Role Manager uses a customizable notification mechanism to send reminders and notifications to the parties involved. Notifications are sent relative to the Start Date and End Date. The End Date should give the certifier sufficient time to complete the certification: once the End Date has passed, the certification is marked Expired and can no longer be edited or completed.

New Identity Certification (Identity Certification > Dashboard > My Certificat
Completing an Application Owner Certification

My Certifications (Identity Certification > Dashboard > My Certifications / Certification Jobs / New Certification): Your New certifications require a complete review of the users, roles and/or entitlements. Pending certifications have had some review but the process has not been completed; further action is still required. Complete certifications are stored here for revision or review purposes. Expired certifications are past their allocated certification period but may be useful for review.

Certification Details for Q1 IT AD App Cert (Show Details / Collapse; Certification Overview, Certification History, Export Options): Business Unit Information Technology; Start Date 02/07/2008; End Date Completed; Incremental; Number of EndPoints 1; Created By rbacxadmin; Creation Date 02/07/2008; Last Updated By rbacxadmin; Last Update Date 02/07/2008. Certification reports can be downloaded as PDF (Export to PDF) or XLS (Export to XLS). EndPoint list (Status, EndPoint Name, Namespace Name, Comments, Action): Vaau Active Directory 00 10, ActiveDirecto
Reports Notification (Administration > Configuration > Reports):
- First Reminder to Data Owner: Reminder Interval 2 days; Email Template: Certification Reminder Q1 SOX Audit Ending 3/31/07
- Second Reminder to Data Owner: Reminder Interval 1 day; Email Template: 2nd Reminder Manager
- Third Reminder to Data Owner's Manager: Reminder Interval 1 day; Email Template (not readable)
- Reminder to Information Security Department: Reminder Interval 1 day; Email Template (not readable)

2. To configure the workflow, select the reminder level for the Data Owner or Report Owner, select the Reminder Interval, and add the pre-defined email template created in the Email Templates tab.

Scheduling Reminder Emails

Figure 10.12 Email Templates tab, Email Template Details: Name 2nd Reminder Manager; Description 2nd Reminder to Manager to respond to certifications/reports in queue; Sender Name RBACx Administrator; From neha.sethi@vaau.com; To neha.sethi@vaau.com; CC and BCC empty; Subject 2nd Reminder for Certification Response; HTML Enabled; Body: "Dear Manager, This is a 2nd reminder for you to respond to your certifications and/or reports in your queue. Thank You, The RBACx Administration Team".

3. Click Create to save the workflow settings. This workflow functio
certifications can be viewed under the Compliance dashboard, enabling audit analysts to view reports of completed certifications. The Identity Certification module includes configurable workflow functionality that can send reminder notices and escalations to the various actors designated as part of the certification process. This is primarily an administrator-level function and is explained in detail in the Sun Role Manager 4.1 Administrator's Guide. In Sun Role Manager 4.1 the Identity Certification module is extended to perform certifications at the instance or server level of a resource, and it provides advanced drill-down capabilities for users and advanced filtering and searching on the certification interface.

The Identity Certification module has three certification types:
- User Access Certification: allows the certifier to certify role membership and user entitlements.
- Role Entitlement Certification: allows the certifier to certify roles and role content.
- Application Owner Certification: allows the certifier to certify entitlements pertaining to an application, narrowed down by each instance of the application.

Understanding the Actors

The Identity Certification module in Sun Role Manager helps various personnel in an organization review and certify user entitlement data, role content data and application access data, which further assists i
Assignee tab.

Figure 11.3 Workflow Action Details, Assignee tab (tabs General, Assignee, Post Functions; Assignee: Policy Owner; Selected Assignee).

5. Select the type of Assignee and the Selected Assignee, and click Save. The process to add or change the Role Owner is similar: select the Approve Role step (the Role Owner Approval step) instead of the Policy Owner step.

Workflow Design: Add a Step

To modify an existing workflow, click the name of the workflow. This screen shows all the current steps within the workflow; steps can be added or removed by clicking the appropriate button. Let us walk through the modification of the Role Creation Workflow by adding another approver.

Role Creation Workflow Modification (Edit Workflow screen): Name Role Creation Workflow; Description Role Life Cycle Workflow; Initial Actions: Store Workflow Input (stores data required for the workflow). Steps table (Step Name, Status, Actions, Link Type, Assignee, Operation): Start Workflow, action Start Workflow, linking to the Policy Owner Approval step; Policy Owner Approval, actions Approve Role / Reject Role, assignee Policy Owner, linking to the Role Owner
Figure 10.3 Schedule Job Types: Export (Administration > Configuration > Import/Export > Schedule Job; Job Type Export; Export Roles, Export Policies; 1-2 of 2 records).

To create a new Import/Export job using this scheduler:
1. Navigate to the Administration > Configuration > Import/Export tab.
2. Click Schedule Job.
3. Select the Job Type.
4. Select the connection to use. It is important to select the correct Server Type from the dropdown menu. All IAM Servers created in the Provisioning Servers menu are displayed in this dropdown. The File Server option is also always displayed; it denotes a flat-file (CSV, XML, etc.) data import or export.

Schedule Job screen (Data Selection): Source Connection
Policy Violations list (1-10 of 64 records): each row shows State (Closed and Risk Accepted for all ten rows shown), Created By rbacxadmin, Updated By rbacxadmin, Created Date 12/01/2006, and an Updated Date between 12/01/2006 and 04/11/2007. Click an Open exception.

The Audit Violation page lists the policy that was violated, the current state of the exception, the date of detection, the remediator assigned to the violation and the details of the user in violation. Scroll down to list the account in violation, including the account name and target machine; further below is the violation trail.

Manage Life Cycle of Audit Violation

Steps to manage the life cycle of an Audit Violation
1. The options for a remediator are to assign the violation to another person, immediately close
Figure 8.10 View Certification Report (Identity Certification > Dashboard > My Certifications; Select Certification Report dialog offering Revoked Entitlements Report, Certified Entitlements Report and Complete Certification Report; the list shows Q1 Web Conversion User Cert (Web Conversion User, 02/07/2008) and Q1 IT AD App Cert (Information Technology, 02/07/2008), created by rbacxadmin; filters Show Me, Period From/To and Detailed Status).

10. Select the type of report to view and click OK.
11. To view the reminder logs for a certification, select the corresponding checkbox and click View Reminder Logs. The follo
Certification search capability is provided and can be used together with the filters to quickly locate a certification.

Steps to Search and View Certifications
1. Log in to the Sun Role Manager web interface using a Java-enabled web browser.
2. Log in with administrator or certifier credentials.
3. Select the My Certifications tab under the Identity Certification tab.
4. New and In Progress certifications are shown by default; this is indicated by the selected value in the Show Me drop-down (Status: New, In Progress).

Figure: My Certifications list with the Show Me filter.
Figure 8.4 Period and Certifier, Choose Date (Create Certification > User Selection Strategy > By Business Unit > Period and Certifier; Certifier Business Unit Manager; Start Date 08/23/2008; End Date 08/23/2008; calendar picker for August 2008; Customize Configuration and Email Template checkbox).

16. The general Identity Certification workflow is set under the Configuration > Identity Certification tab. However, each certification can be customized by selecting the Customize Configuration and Email Template checkbox and setting these values. For more information on these fields, refer to the Identity Certification section in the Sun Role Manager Configuration chapter. Click Next.
Figure 10.14 Task Scheduler (Role Engineering > Task Scheduler > Role Mining Jobs: Scheduled Dates Daily / Weekly / Monthly / One Time Only; Start Time; Perform this task Every Day / Weekdays / Every N days; Start Date 08/26/2008).

5. Select a Daily, Weekly, Monthly or One Time task and fill in the corresponding fields. Click Schedule when all values have been entered. This schedules a role mining task to run at the selected intervals.

Chapter 11 Role Management and Designing Workflows

Role Manager is designed to be the authoritative source for roles in any architecture, and so it contains a powerful Role Management module. The major component of Role Management is the implementation of workflows to manage roles throughout their lifecycles. Out of the box, Role Manager comes with six workflows: Role Membership Workflow, Role Modification Workflow, Role Creation Workflow, Policy Creation Workflow, Policy Modification Workflow and Mass Modification Workflow. These workflows can be configured and tailored to any environment since
Chapter 10 Role Manager Scheduling

The current scheduler is based on configuration files and is specific to each application server. The scheduler is packaged in two files under the RBACX_HOME/WEB-INF folder: scheduling-context.xml and jobs.xml.

  <!-- User imports triggered every hour -->
  <bean id="usersImportTrigger" class="org.springframework.scheduling.quartz.CronTriggerBean">
    <property name="jobDetail">
      <ref bean="usersImportJob"/>
    </property>
    <property name="cronExpression">
      <value>0 0 * * * ?</value>
    </property>
  </bean>

  <bean id="usersImportJob" class="org.springframework.scheduling.quartz.JobDetailBean">
    <property name="name"><value>Users Import</value></property>
    <property name="description"><value>Users import Job</value></property>
    <property name="jobClass"><value>com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.IAMJob</value></property>
    <property name="group"><value>SYSTEM</value></property>
    <property name="durability"><value>true</value></property>
    <property name="jobDataAsMap">
      <map>
        <!-- only single user name can be sp
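Because a wrong cronExpression in scheduling-context.xml silently changes when imports and exports run, it is worth checking an expression before deploying it. The following is an added example, not Role Manager or Quartz code: a matcher for the Quartz-style expressions used above (seconds, minutes, hours, day-of-month, month, day-of-week, optional year) that answers "does this trigger fire at this instant?". It supports "*", "?", lists, ranges, "/step", day-of-week names, "L" in the day-of-month field, and "nL" and "n#k" in the day-of-week field; other Quartz features are left out.

```python
"""Added example, not Quartz or Role Manager code: decide whether a Quartz-style
cron expression fires at a given second. Covers *, ?, lists, ranges, /step,
month and weekday names, day-of-month L, and weekday nL / n#k."""
import calendar
from datetime import datetime
from typing import Dict, Optional, Set

DOW_NAMES: Dict[str, int] = {n: i + 1 for i, n in enumerate(["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"])}
MON_NAMES: Dict[str, int] = {n: i + 1 for i, n in enumerate(
    ["JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"])}


def _val(token: str, names: Optional[Dict[str, int]]) -> int:
    return names[token.upper()] if names and token.upper() in names else int(token)


def _expand(field: str, lo: int, hi: int, names: Optional[Dict[str, int]] = None) -> Set[int]:
    """Expand a plain field ('*', 'a-b', 'a/b', 'a,b,c', names) into the values it covers."""
    values: Set[int] = set()
    for part in field.split(","):
        step, has_step = 1, "/" in part
        if has_step:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part in ("*", "?"):
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _val(a, names), _val(b, names)
        else:
            start = _val(part, names)
            end = hi if has_step else start      # '0/30' means 0, 30, ... up to the maximum
        values.update(range(start, end + 1, step))
    return values


def _quartz_dow(dt: datetime) -> int:
    return (dt.weekday() + 1) % 7 + 1              # Python Mon=0 -> Quartz SUN=1 ... SAT=7


def _dow_matches(field: str, dt: datetime) -> bool:
    dow = _quartz_dow(dt)
    if field.endswith("L"):                        # 'nL': last weekday n of the month
        n = _val(field[:-1], DOW_NAMES)
        return dow == n and dt.day + 7 > calendar.monthrange(dt.year, dt.month)[1]
    if "#" in field:                               # 'n#k': k-th weekday n of the month
        n_s, k_s = field.split("#", 1)
        return dow == _val(n_s, DOW_NAMES) and (dt.day - 1) // 7 + 1 == int(k_s)
    return dow in _expand(field, 1, 7, DOW_NAMES)


def fires_at(expression: str, dt: datetime) -> bool:
    """True if the Quartz cron expression fires at the given second."""
    fields = expression.split()
    if len(fields) not in (6, 7):
        raise ValueError("expected 6 or 7 fields: sec min hour dom month dow [year]")
    sec, minute, hour, dom, month, dow = fields[:6]
    if dt.second not in _expand(sec, 0, 59) or dt.minute not in _expand(minute, 0, 59):
        return False
    if dt.hour not in _expand(hour, 0, 23) or dt.month not in _expand(month, 1, 12, MON_NAMES):
        return False
    if len(fields) == 7 and dt.year not in _expand(fields[6], 1970, 2099):
        return False
    # Quartz requires exactly one of day-of-month / day-of-week to be '?'
    if dom == "L":
        if dt.day != calendar.monthrange(dt.year, dt.month)[1]:
            return False
    elif dom != "?" and dt.day not in _expand(dom, 1, 31):
        return False
    if dow != "?" and not _dow_matches(dow, dt):
        return False
    return True


def fires_at_iso(expression: str, iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp such as '2008-09-15T14:00:00'."""
    return fires_at(expression, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    # The hourly users-import trigger from scheduling-context.xml
    print(fires_at_iso("0 0 * * * ?", "2008-09-15T14:00:00"))   # True
    print(fires_at_iso("0 0 * * * ?", "2008-09-15T14:00:01"))   # False
```

The matcher is meant for checking a proposed expression against the instants you expect it to fire (and a few you expect it not to) before it goes into the configuration file; it does not compute the next fire time.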
Role Manager Configuration > System Configuration

Figure 3.15 Provisioning Servers (Administration > Configuration > Provisioning Servers, with the New Provisioning Server Connection button).

Steps to Create a New Provisioning Server Connection
1. Start Role Manager by clicking the Role Manager icon.
2. The login dialog box appears. Enter the Admin credentials and log in to Role Manager.
3. Go to Administration > Configuration > Provisioning Servers > New Provisioning Server Connection.
4. Select the type of provisioning server connection and click OK. Connections can be configured for four types of provisioning server.
5. Depending on the provisioning server selected in step 4, a different New Provisioning Server Connection setup screen is displayed.

New Provisioning Server Connection (Administration > Configuration > Provisioning Servers): New Provisioning Server Connectio
U.S. export control laws and may be subject to the export or import laws of other countries. Nuclear, missile, chemical or biological weapons, or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or re-export to countries subject to U.S. embargo, or to entities identified on U.S. export exclusion lists, including but not limited to the list of persons who are the subject of an order not to participate directly or indirectly in the export of products or services governed by U.S. export control law and the specially designated nationals list, is strictly prohibited.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Table of Contents

Preface (entries unreadable)
Documentation Conventions ... 10
Chapter 1 Role Manager Introduction
All Entitlements displays all entitlements, even those within the role, for attestation. Require Revoke Comments prompts the user for a comment whenever a revoke action is initiated; it also makes the comment field active when certifying entitlements. Role Manager supports certification of highly privileged entitlements by system administrators only. The Hierarchical radio button must be selected when certifying hierarchical namespace attributes.

1. Click the Administration > Configuration tab and then Identity Certification.
2. Select the desired certification configurations based on the requirements of the organization.

Configure Email Notifications

Role Manager supports various notification, reminder and escalation emails, which are configured on this screen. Multiple email templates can be defined, one for each purpose. These templates support HTML and can use variable substitutions, as shown in the following interactive demonstration.

Follow these steps to create a new email template and configure email notifications:
1. From the web interface, click the Administration > Configuration tab and then Email Templates. Click New Email Template. Fill in the form, using variables wherever required. Click Save. Retu
124. ...llowing options: Minimum Password Length; Minimum Alphabetic Characters; Minimum Upper Case Characters; Minimum Lower Case Characters; Minimum Numeric Characters; Minimum Special Characters. Other options are as follows: Enable Dictionary Check; Password Intervals; Grace Period Days. 5. After setting the values, click Save. (Chapter 3, Role Manager Configuration, page 43.) CHAPTER 4: Role Manager Security. Role Manager Security is based on the principles of Role Based Access Control. It allows users to be assigned one or more roles, which correspond to different privilege levels within the system. Roles can be defined by the Role Manager administrator per the requirements of the organization. There are several System Level and Business Unit Level privileges available in Role Manager that can be assigned to Role Manager Roles. The System and Business Level privileges are listed in the tables below. System Privileges (Privilege: Description): CREATE Business Unit: allows a user to add new Business Units. UPDATE Business Unit: allows a user to modify existing Business Units. DELETE Business Unit: allows a user to delete existing Business Units. CREATE Global User: allows a user to add new Global Users. UPDATE Global User: allows a user to modify existing Global Users. DELETE Global User: allows a user to delete existing Global Users. (Role Manager Security, page 45.) CREATE Role...
125. ...logy is finding applications in areas ranging from health care to defense, in addition to the mainstream commerce systems for which it was designed. Role Based Access Control (RBAC) is emerging as an alternative to traditional access control methodologies, as it establishes a framework to facilitate management of users and information assets across an enterprise in a controlled and effective manner. The primary concept of RBAC is that access to information assets is assigned by using pre-defined and approved roles. Role Manager provides a complete mechanism to define roles based on different access levels on different platforms. Roles can be defined based on the collected user entitlements or can be generated using the software's Role Mining Interface. The Role Mining component in Role Manager uses sophisticated algorithms to generate roles based on user entitlements and cuts the role definition time to about 50%. Role Manager offers an enhanced workflow engine to manage the lifecycle of roles; this new workflow engine provides the ability to design various workflow processes and also allows users to call external functions from the workflow. It also provides a complete set of security, workflow and auditing features to manage the lifecycle of rules. This functionality will help companies obtain greater efficiencies from a role based access control model. Multiple rules to assign new and existing users specific role based access can...
126. ...m Analyst 4. [Screenshot residue: role version attribute comparison listing customProperty1 through customProperty10, department, highPrivileged, jobCode and parentRoleName; description "Created by RBACx's Role Mining Engine, Fri Mar 14 15:15:29 PDT 2008".] 8. To revert to an inactive version of the Role, select a version by selecting its checkbox and select Revert to Version. 9. A Confirm Revert to Version window opens. Select Yes. The version status of the version reverted to will change from Inactive to Pending Approval. Role History: Role History creates a complete snapshot of the Role. It provides, at a glance, all instances of addition and removal of members, policies and owners, as well as modifications to attribute values of the Role. (Chapter 11, Role Management and Designing Workflows, page 163.) Role History: an audit trail is created by recording and displaying when and by whom a change is made. The aspects covered by Sun Role Manager Role History are: Role Membership History provides a view of all members added to or removed from the Role, along with the Sun Role Manager User responsible for the action and the date of member addition or removal. Policy History provides a view of all policies added to or removed from the Role, along with the Sun Role Manager User responsible for the action and the...
127. ...n [Figure 3-16: New provisioning server connection (CA); form fields: Connection Name, Host Name, Clear Port, TLS Port, Domain Name, User Name, Password, Use TLS.] Table 3-2, New provisioning server connection (CA): Connection Name: enter a name for the new connection being created with the CA eTrust Admin. This connection name is used during the import process instead of the Host Name and Port, which are difficult to remember. Host Name: enter the host name. Clear Port: 20380 (default value). TLS Port: 20390 (default value). Domain Name: enter the name of your domain. User Name: etaadmin (default username). Password: enter the password set for the ETA user. (Chapter 3, Role Manager Configuration, page 35.) System Configuration. [Figure 3-17: New Provisioning Server Connection (SUN IDM); form fields: Connection Name, SPML URL, User Name, Password.] Table 3-3, New provisioning server connection (SUN IDM): Connection Name: enter a name for the new connection being c...
128. ...n [Figure 11-6: Workflow Completion; workflow diagram residue showing steps Start Workflow, Role Approval (GLOBAL_USER), Policy Owner Approval (POLICY_OWNER) and Auto Approval, with actions Approve Role, Reject Role and Delete Role; footer "Version RBACx 4.0.0 build 4.0.0 20080303001 GA".] Role Versioning (page 160): Sun Role Manager provides sophisticated role versioning capabilities, allowing role engineers and administrators to create different versions of roles so that modifications made to a role do not affect the original role. Sun Role Manager allows any number of versions to be created for any particular role, requiring a version to be approved before it is made active. This feature assists in managing the lifecycle of roles, ensuring that no role modifications are made without approval and that there is always a previous version of the role to fall back on. Sun Role Manager provides sophisticated role version management, with the ability to compare versions and revert to any version. All versions have an audit trail of when and by whom they were created and approved. Comparing two versions gives an individual comparison of all the attributes, owners, business units, policies and exclusion roles of a role in tabular fashion. Different color codes are used...
129. ...n [Figure 10-7: New Report Job; list residue showing a "Reports for Notification" job with last run 02/03/2010 16:32:17 and create date 02/19/2008 17:02:44.] 4. Enter the report job name, description and which report you would like to run on a scheduled basis. (Chapter 10, Role Manager Scheduling, page 145.) Scheduling Reports. [Figure 10-8: Schedule Business Unit Reports; the Reports > Ad hoc Reports > Business Unit Reports list offers Download PDF Report and Download CSV Report for: Business Unit Roles Report, Business Unit Users Report, Business Unit User Roles Report, Business Unit Role Users Report, Business Unit Role Policies Report, Business Unit User Entitlements Report, Business Unit Namespace Entitlements Report and User Certification Report (9 records).] Generating Reports: 5. Select the Business Unit you would like to run the report for by clicking Add Business Unit. The Business Unit tree view appears in a separate display. (Page 146, Sun Role Manager 4.1, September 2008.) Sched...
130. ...n Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\role creation workflow.xml"/>
    <workflow name="Role Modification Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\role modification workflow.xml"/>
    <workflow name="Role Membership Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\role user membership workflow.xml"/>
    <workflow name="Mass Modification Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\mass modification workflow.xml"/>
    <workflow name="Policy Creation Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\policy creation workflow.xml"/>
    <workflow name="Policy Modification Workflow" type="file" location="C:\Vaau\rbacx 4.0\conf\workflows\policy modification workflow.xml"/>
</workflows>
Figure 11-1: workflows.xml (page 154). Workflow Design: Assign Policy and Role Owners. The current workflow setup in Role Manager can be seen under the Workflows tab under Administration > Configuration. Both policy and role owners can easily be assigned and reassigned from this section. The following example shows a step-by-step approach with an existing workflow. 1. Navigate to the Role Workflow tab under Administration > Configuration. 2. Select the Workflow to edit (Role Creation in this exampl...
131. ...n cleaning up entitlement access, and ensures that users have access to the correct entitlements across various target systems. It is important to understand the various actors that are a part of the Identity Certification process, as described in the table below (Actor Name: Description; Identity Certification Type).
Certifier: generic term representing personnel responsible for reviewing and completing any kind of certification; User Access Certification, Role Entitlement Certification, Application Certification.
User Manager: the manager an employee directly reports to; User Access Certification.
Access Reviewer: designated personnel responsible for reviewing user access; User Access Certification, Application Certification.
(Actor name not legible): designated personnel usually responsible for reviewing a user's access in a particular target system, by endpoint or domain; Application Certification.
Role Owner: designated personnel usually responsible for reviewing a role and its content; Role Entitlement Certification.
Sun Role Manager Administrator: administrator with full access to the Sun Role Manager application; has the ability to create and view progress of all certifications; User Access Certification, Role Entitlement Certification, Application Certification.
Certification Administrator: limited access to the Sun Role Manager application; has the ability to create and view progress of all certifications only; User Access Certification, Role Entitlement Certification, Application Certification. C...
132. ...ning three data fields:
<?xml version="1.0" encoding="UTF-8"?>
<Record name="TestInput" type="delimited">
    <!-- the delimiter characters for Name and Age are not legible in the source listing -->
    <Field name="Name" type="string" delimiter="?"/>
    <Field name="Age" type="numeric" delimiter="?"/>
    <Field name="City" type="string" delimiter="\n"/>
</Record>
This simple example shows the definition of a data record named TestInput, specified as delimited (this is some additional information used by CloverETL components). The record has three fields: Name of type string; Age of type numeric; City of type string. Naming: there is no strict rule for naming fields and records. It is, however, good to use the same rules as for naming Java variables, i.e. use only letters (a-z, A-Z), numbers (0-9, not in the first place) and _ (underscore). The encoding specified for the XML file is UTF-8; it is imperative that when creating the file you really save it using the encoding specified in the encoding attribute. Otherwise the XML parser used by CloverETL won't be able to correctly interpret the file. (Page 189, Preface.) Delimiters: each field in the above example has a specified delimiter character. This information is used by the data parser when parsing data records of this structure from external text files. The same delimiters are used, on the other hand, when CloverETL outputs internal data records of this structure into output text files. Delimiters can be of any length (actually up to 32 chars) and each field can have...
133. ...nitoring; Segregation of Duty (SoD) Violations Detective Scanning; Inter- and Intra-Application SoD Enforcement; Actual vs Assigned Exceptions; Exception Lifecycle Management. All the above exceptions can be captured in Role Manager and produced in a central repository. Role Manager provides the capability to define Audit policies and the ability to capture and report any exceptions from these policies. Role Manager provides a Compliance Dashboard for Executives and Auditors which enables them to monitor these exceptions from a central point. Additionally, the various exceptions generated are stored in Role Manager, and a security analyst can accept them or mitigate these risks and exceptions. (Chapter 1, Role Manager Introduction, page 13.) CHAPTER 2: My Settings. My Profile: the My Profile tab, as shown below, displays the user information. [Figure 2-1: My Profile; tabs My Profile, My Proxy Assignments, Change Password; fields First Name "admin", Last Name "admin", E-Mail "admin@rbacx.com".] (My Settings, page 15.) Change Password: this option is used to change the password of the current user. Steps to change password: 1. Start Role Manager by clicking on the Role Manager icon. 2. The login dialog box appears...
134. ...ns in the same fashion as the Identity Certification workflow; hence the same concepts apply to this workflow as well. Scheduling a Role Mining Task: Role Manager allows scheduling of Role Mining Tasks using the standard scheduler integrated with Role Manager. Steps to schedule a Role Mining Task: 1. Start Role Manager by clicking on the Role Manager icon. 2. The login dialog box appears. Enter the Admin credentials and log in to Role Manager. (Chapter 10, Role Manager Scheduling, page 149: Scheduling Role Mining Task.) 3. Select the Role Engineering tab. This gives the Task Scheduler view by default. All role mining tasks created are listed here. [Figure 10-13: Role Mining Option Details; the Role Mining Tasks list has columns Role Mining Task Name, Description, Selection Type, Created By, Created Date and Schedule, with one record: "Test", created by rbacxadmin on 08/22/2008.] 4. Click the Schedule icon for the role mining task to be scheduled. This opens the Task Scheduler.
135. ...ntitlements. Pending certifications have had some review, but the process has not been completed; further action is still required. Complete certifications are stored here for revision or review purposes. Expired certifications are past their allocated certification period but may be useful for review. [Figure 8-27: Sign-off Certification; the Certification Overview asks "Thank you for reviewing access. Would you like to sign off this certification?" and offers Export to PDF and Export to XLS. Certification Details: Certification "Q1 IT AD App Cert", Business Unit Information Technology, Status Completed, Number of EndPoints 1, Created By rbacxadmin, Creation Date 02/07/2008, Last Updated By rbacxadmin, Last Update Date 02/07/2008; endpoint "Vaau Active Directory", namespace ActiveDirectory.] 11. Enter your login password to secure your sign-off on this certification. (Chapter 8, Identity Certifications, page 119.) CHAPTER 9: Identity Audit. Introduction: organizations must be able to manage Continuous Exception Monitoring; Segregation of Duty (SoD) Violations Detective Scanning; Inter- and Intra-Application SoD Enforcement; Actual vs Assigned Exceptions; Exception Lifecycle Management. All the above exceptions can be captured in R...
136. ...nts. In addition, Role Manager provides a unique feature which allows users to certify granular entitlements and entitlements that lie outside of user roles. Furthermore, business-friendly glossary names can be stored in Role Manager and displayed for each entitlement during certification. This powerful Identity Certification module is further extended in Role Manager to provide the ability to perform certifications at the instance or server level of a resource, providing advanced drill-down capabilities for users and advanced filtering and searching capabilities on the certification interface. The Role Manager Identity Certification module has three important certification types: 1. User Access Certification: allows a certifier to certify the roles and entitlements associated with a user. 2. Role Entitlement Certification: allows role owners to certify roles and role content. 3. Application Certification: allows application owners to certify entitlements pertaining to an application, narrowed down by each instance of the application. Identity Auditing: Exception Monitoring is an integral piece of Identity Auditing and Management. In organizations today there are numerous exceptions of user accounts on various target systems. A detective mechanism to monitor and acquire exceptions is needed in organizations, where a centralized store for all the exceptions would be available. Organizations must be able to manage Continuous Exception Mo...
137. ...ofile Violation, High. [Figure 9-11: Policy Violation Scan; result rows residue listing users (e.g. Brighi Luz, Gulati Mona) with Audit Rule "Vendor Authorization Profile", exception "Vendor Authorization Profile Violation" and severity High.] Any violations found will be listed. Users violating the policy, along with the Audit Rule exception, are also listed. Click Save to start managing the life cycle of this exception. Open Policy Violations: Steps to View Policy Lifecycle: 1. Log into the Role Manager Web Interface and click the Identity Audit tab. 2. Click Policy Violations to list all saved violations from your Audit scans. (Audit Rules and Policies.) [Figure 9-12: Policy V...; the Identity Audit > Policy Violations list (Dashboard, Policies, Rules, Policy Violations, Scheduled Scan Jobs) shows ten "Vendor Authorization Profile Violation" exceptions per page across several pages.]
138. ...ole Manager and produced in a central repository. Role Manager provides the capability to define Audit policies and the ability to capture and report any exceptions from these policies. Role Manager provides a Compliance Dashboard for Executives and Auditors which enables them to monitor these exceptions from a central point. Also, the various exceptions generated are stored in Role Manager, and a security analyst can accept them or mitigate these risks and exceptions. The Role Manager Audit Module ensures that users only have the access that they should for their job responsibility. Following are some of the key features of the Identity Auditing module: Actual Account Scanning: Role Manager scans actual accounts for Identity Audit exceptions. Irrespective of how an account is provisioned or modified (directly or through a provisioning solution), Role Manager will be able to detect any audit exceptions, since the scanning is done at the level of the actual account details. Compliance Dashboard: Role Manager provides a detailed dashboard for auditors, security administrators and compliance teams to review the status, history and trend of identity audit exceptions in the enterprise. Exception Lifecycle Management: Role Manager stores every action that is conducted on an audit exception and creates a history of the exception. This allows administrators to get a complete step-by-step history and lifecycle of the exception if required. (Page 121, Introduction.)
139. ...ole Wizard: Role Name, Role Description. 6. Add System Privileges: select System privileges from the left and assign them to the right side. [Figure 4-2: Adding System Privileges; the New Rbacx Role Wizard shows two Available System Privileges lists, with CREATE BusinessUnit, DELETE Global User, CREATE Role, UPDATE Role, DELETE Role and CREATE Policy assigned.] 7. Delete a System Privilege: select the privilege from the list on the right and click "Back <". [Figure 4-3: Deleting System Privileges; the Available System Privileges list shows CREATE BusinessUnit, DELETE BusinessUnit, UPDATE BusinessUnit, CREATE Global User, CREATE Role, UPDATE Global User, UPDATE Role, DELETE Global User, DELETE Role, CREATE Policy, UPDATE Policy, DELETE Policy, CREATE Application, UPDATE Application.] (Chapter 4, Role Manager Security, pages 51-52.) 8. Add Business Privileges: to do so, select System privileges from the left and assign them to the right side. 9. Delete Business Privileges: select the privilege from the list on the right and click "Back <". 10. Click NEXT when the privilege list is complete to save the new Role. Role Manager Security: Role Manager User. To create, update or delete a Role Manager user: 1. Log into the Role Manager Web Interface using a...
140. ...on Technology, User, 02/13/2008, rbacxadmin. [Figure 8-9: Search My Certifications; the list shows, with Period, Progress and Detailed Status columns, "Q1 Web Conversion User cert" (Web Conversion, User, 02/07/2008, rbacxadmin) and "Q1 IT AD App Cert" (Information Technology, Owner, 02/07/2008, rbacxadmin).] 7. To select a certification for viewing progress or performing verification actions, click the Certification Name, or use the checkbox to select the certification and click Edit Certification. 8. To complete a certification whose attestation actions have been done, select the certification using its corresponding checkbox and click Complete Certification. 9. To view reports for a complete, in-progress or expired certification, select the corresponding checkbox and click View Reports. Sun Role Manager allows reports to be viewed for in-progress certifications. This gives the flexibility of not having to wait until a potentially lengthy certification completes before reports can be viewed or exported. A View Certification Report box opens, which lists the reports available for the particular certification. (Chapter 8, Identity Certifications, page 103: View and Search Certifications.)
141. ...one attribute can be set at a time for globalusers (the left side of the rule), but any number of expressions can be configured on the right side for accounts. ...sign is associated to the... The globaluser attribute and the globaluser table column should bear the same name for this feature to function correctly. For example, userName is the attribute that appears in the Role Manager table for global users and should be named accordingly. No patterns can be applied to the globaluser attribute; for example, "globaluser userName 10" is not allowed. When exactly one globaluser meets a certain rule designed for it, the correlation is established between the user and the entitlements, and no further expressions are evaluated for that account. If, however, more than one globaluser meets a correlation rule for a given account, the next correlation rule is evaluated. Subsequently both results are intersected, and if, as a result of this intersection, only one globaluser meets both rules, that globaluser is correlated to the account. For example, suppose the following rules are configured:
IdentityCorrelationRule rule="$globalUser.FirstName = $account.FirstName"
IdentityCorrelationRule rule="$globalUser.LastName = $account.LastName"
An account has the following attributes: FirstName "John", LastName "Cook". When evaluating the first rule, Role Manager may find many globalusers with John as FirstName, but when it evaluates t...
142. ...op.interceptor=WARN; ...richclient=WARN; ...richclient.image=WARN. (Role Manager Logging.)
Acegisecurity:
log4j.logger.org.acegisecurity=WARN
log4j.logger.org.acegisecurity.event.authentication.LoggerListener=FATAL
Quartz scheduler:
log4j.logger.org.quartz=WARN
DWR:
log4j.logger.uk.ltd.getahead.dwr=FATAL
log4j.logger.org.directwebremoting=FATAL
ehcache:
log4j.logger.net.sf.ehcache=ERROR
CloverETL:
log4j.logger.org.jetel=ERROR
C3p0:
log4j.logger.com.mchange=ERROR
The highlighted log items are required in the current release of Role Manager. A few more parameters to keep in mind are the Security and the AM logging; these will report the Security and any exceptions in the entitlement data. (Chapter 6, Role Manager Logging, page 71.) CHAPTER 7: Role Manager ETL Process. Introduction: the Role Manager IAM service provides the ability to import users, accounts, roles and policies data through CSV and Excel files. It also supports a wide range of data transformations during the import process. The Role Manager IAM Service processes the CSV files placed in a drop location and creates or updates objects in the Role Manager database. The IAM service uses different schema files (templates) to parse the different data feeds, i.e. users, accounts, roles, policies. After successful processing of the data feeds, they are moved to a Completed location. In addition to the Role Manager import functionality, Role Manager also provides th...
143. ...ort/Export Scheduler: the file-based scheduler is packaged in two files in Role Manager, found under the RBACX_HOME/WEB-INF folders. The two files which enable the scheduling service are scheduling-context.xml and jobs.xml. scheduling-context.xml: the scheduling-context.xml file lets the user enable the three imports in Role Manager (User import, Account import, Glossary import); the actual schedule for each import and export is specified in jobs.xml. The schedule for every job is specified using a Cron Expression. A Cron Expression is a string comprised of 6 or 7 fields separated by white space (seconds, minutes, hours, day of month, month, day of week and an optional year) which specifies the schedule for every job. A few sample Cron expressions are listed below (Cron Expression: Definition). (Chapter 10, Role Manager Scheduling, page 141.)
0 0 12 * * ?: fire at 12pm (noon) every day.
0 15 10 ? * *: fire at 10:15am every day.
0 15 10 * * ?: fire at 10:15am every day.
0 15 10 * * ? *: fire at 10:15am every day.
0 15 10 * * ? 2007: fire at 10:15am every day during the year 2007.
0 * 14 * * ?: fire every minute starting at 2pm and ending at 2:59pm every day.
0 0/5 14 * * ?: fire every 5 minutes starting at 2pm and ending at 2:55pm every day.
0 0/5 14,18 * * ?: fire every 5 minutes starting at 2pm and ending at 2:55pm, AND fire every 5 minutes starting at 6pm and ending at 6:55pm, every day.
0 0-5 14 * * ?: fire every minute starting at 2pm and ending at 2:05pm every day.
144. ...p Enter your Name and Description, select your delegate, and set the Start Date and End Date. [Figure 2-4: New Proxy Assignments Form; the Search Proxy User list shows Fida Amad, Gallagher Kevin, Nayyar Sachin and Towne Joe.] 5. Click Ok. 6. A new Proxy Assignment will be created. [Figure 2-5: List of New Proxy Assignments; columns Description, Proxy User, Start Date, End Date, with one record: "On Leave", Tiches Steve, 03/26/2008, 03/28/2008.] (Page 18.) CHAPTER 3: Role Manager Configuration. System Configuration: Proxy Assignment Notification. This option enables email notifications to be sent to the users who have been set as proxy using the My Settings > New Proxy Assignment tab. An email Template can be selected for the proxy user. [Figure 3-1: Proxy Assignment Notification; under Configuration > System, the Proxy Assignment Notifications panel has a "Send E-Mail to Proxy User when selected as Proxy" checkbox and an Email Template selector.] (System Configuration, pages 19-20.) Mail Server Settings: this option helps in setting up the mail server. Role Manager Server Settings: this option helps in setting up the Role Manager server. RBACx S...
145. ...p ps/Inx80041Cell01/rbacx_war.ear/rbacx.war/WEB-INF. 3. Edit the jobs.xml file: a. To update the User Schedule, edit the cron expression on line 26. b. To update the Account Schedule, edit the cron expression on line 65. c. To update the Glossary Schedule, edit the cron expression on line 161. Scheduling Certifications: Role Manager provides a standard scheduler that can be used to schedule certifications to run as daily, weekly, monthly or one-time jobs. The scheduler provides full scheduling capability. Certifications can be scheduled during the certification creation process. For more details on scheduling a certification, refer to the Create a New Certification section of the Identity Certification chapter. (Page 144.) Scheduling Reports: Steps to Schedule a Report: 1. Start Role Manager by clicking on the Role Manager icon. 2. The login dialog box appears. Enter the Admin credentials and log in to Role Manager. 3. Click Reports > Schedule Reports > New Report Job. [Screenshot: Reports > Schedule Reports list with columns Name, Description, Last Run, Next Run and Create Date; e.g. "Audit Exceptions Report" (Exception in Audit), last run 04/10/2011 14:45:18, created 02/19/2008 17:03:32.] Notificatio...
146. ...p 2 for all users verified as "Works for me", or the certifier may verify a user in Step 1 and then go to Step 2 to complete the certification for that user. Irrespective of the approach taken, Step 2 displays all the users that have been verified by the certifier as "Works for me". Steps to Complete a User Access Certification, Step 1: 1. Log into the Sun Role Manager Web Interface using a Java-enabled web browser. 2. Log in with the credentials of an administrator or certifier. 3. Click the Identity Certification tab. 4. Click My Certifications. 5. Click the New or In Progress certification, or search for the required certification using the Show Me option and the certification search feature. 6. Select the certification to complete by clicking on the Certification Name, or by selecting the corresponding checkbox and clicking Edit Certification. (Chapter 8, Identity Certifications, page 105: Completing a User Access Certification.) [Screenshot: My Certifications > Q2 User Cert IT.] Your New certifications will require a complete review of the users' roles and/or entitlements. Pending certifications have had some review, but the process has not been completed; further action is still required. Complete certifications are stored here for revision or review purposes. Expired certifications are past their allocated certification period but may be useful for review. Certification Details: Step 1, Employment Verification: verify the employment status of these employee...
147. ...r review purposes. Expired certifications are past their allocated certification period but may be useful for review. [Figure 8-13: Approve or Revoke Roles and Entitlements; Certification Details with Group Data By "My Employees", Step 1 Employment Verification and Step 2 Approve or Revoke Roles and Entitlements ("Approve or Revoke the roles and entitlements of the user"); sample users Harmsen Arijeet (Contractor, EID aHarmsen), Kispert Christian (In Progress) and Oleary Brent (In Progress); buttons Back To Step 1 and Complete Certification.] 14. Select Certify or Revoke Roles. This will show all Roles associated with the user. 15. Click Certify or Revoke on the Role membership for the user. Completing a User Access Certification: Certify Access outside Roles. Sun Role Manager Identity Certification allows configuration of certifications that will show, for each user, only the entitlements that lie outside a Role. This, combined with the above Certify by Role, completes a Role Based Access Attestation procedure and allows an organization to identify and treat Actual versus Assigned access as an exception with high priority. 16. Select a User for certification. Select certify or revoke entitlements. 17. This will list all the user's accounts in the various namespaces, with detailed access permissions on each endpoint. 18. The certification options at this stage a...
148. re Certify, Revoke, Unknown and Exception Allowed.
Certify: confirm that the access is valid for the user.
Revoke: revoke the access for the user.
Unknown: use when the accurate nature of the user's access is not known.
Exception Allowed: certify the access for the user while acknowledging its undesirable or irregular nature.

These options can be applied at four levels:
a. Use the All option in the first four columns of the page to apply Certify, Revoke, Unknown or Exception Allowed across all attributes of all accounts of the user.
b. Use the checkboxes in the first four columns for individual accounts to apply Certify, Revoke, Unknown or Exception Allowed across all attributes of a single account of the user.
c. Use the All option in the four columns under the Attributes field to apply Certify, Revoke, Unknown or Exception Allowed across all values of a single attribute of a single account of the user.
d. Use the individual checkboxes in the four columns to apply Certify, Revoke, Unknown or Exception Allowed to individual values of a single attribute of a single account of the user.

[Figure residue: the entitlement panel for Harmsen, Arijeet (Contractor, EID aHarmsen) with the prompt "Confirm this employee's entitlements by selecting approve"]
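The four decision levels above form a strict hierarchy (user, account, attribute, attribute value) and sign-off is only offered once every value has a decision. The following Python is an added example, not Role Manager code: it models that hierarchy, applies a decision at any of the four levels, and computes what is still pending. The requirement that Revoke, Unknown and Exception Allowed carry a comment is taken from the Role Entitlement chapter and applied here as an assumption; the endpoints, attribute names and values in sample_cert() are constructed.

```python
"""Added example (not Role Manager code): the four decision levels of a user
access certification and the completeness check that gates sign-off."""
from dataclasses import dataclass
from typing import Optional

DECISIONS = {"certify", "revoke", "unknown", "exception_allowed"}
# Assumption: these three decisions require a justification comment.
NEEDS_COMMENT = {"revoke", "unknown", "exception_allowed"}


@dataclass
class Value:
    value: str
    decision: Optional[str] = None
    comment: str = ""


@dataclass
class Attribute:
    name: str
    values: list  # of Value


@dataclass
class Account:
    endpoint: str
    attributes: list  # of Attribute


@dataclass
class UserCert:
    user: str
    accounts: list  # of Account


def _decide(v: Value, decision: str, comment: str) -> None:
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if decision in NEEDS_COMMENT and not comment.strip():
        raise ValueError(f"{decision} requires a comment")
    v.decision, v.comment = decision, comment


def decide_user(cert: UserCert, decision: str, comment: str = "") -> None:
    """Level a: every attribute of every account of the user."""
    for acc in cert.accounts:
        decide_account(acc, decision, comment)


def decide_account(acc: Account, decision: str, comment: str = "") -> None:
    """Level b: every attribute of one account."""
    for attr in acc.attributes:
        decide_attribute(attr, decision, comment)


def decide_attribute(attr: Attribute, decision: str, comment: str = "") -> None:
    """Level c: every value of one attribute."""
    for v in attr.values:
        _decide(v, decision, comment)


def decide_value(attr: Attribute, value: str, decision: str, comment: str = "") -> None:
    """Level d: a single attribute value."""
    for v in attr.values:
        if v.value == value:
            _decide(v, decision, comment)
            return
    raise KeyError(value)


def pending(cert: UserCert) -> list:
    """(endpoint, attribute, value) triples still without a decision."""
    return [(a.endpoint, attr.name, v.value)
            for a in cert.accounts for attr in a.attributes
            for v in attr.values if v.decision is None]


def can_sign_off(cert: UserCert) -> bool:
    """Sign-off is offered only when nothing is pending."""
    return not pending(cert)


def sample_cert() -> UserCert:
    """Constructed sample: one contractor with an AD and a SAP account."""
    return UserCert("aHarmsen", [
        Account("AD", [Attribute("memberOf", [Value("Domain Users"), Value("Domain Admins")])]),
        Account("SAP", [Attribute("Profile", [Value("Z_CRM_BC_ALL_USERS"), Value("SAP_ALL")])]),
    ])
```

Certifying at the account level leaves the other account pending, so Complete Certification must wait; a value-level Revoke without a comment is rejected before it is recorded.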
149. re to look for the JDBC driver class, e.g. c:\Oracle\product\10.1.0\Client_1\jdbc\lib\ojdbc14.jar.
Other specific parameters: optional parameters specific to your JDBC driver (Oracle example: defaultRowPrefetch=10).

Sample listing of a PostgreSQL .cfg file defining a connection to a PostgreSQL database:
dbDriver=org.postgresql.Driver
dbURL=jdbc:postgresql://192.168.1.100/mydb
user=david
password=unknown

All parameters can also be specified directly when defining the connection:
<DBConnection id="InterbaseDB" dbDriver="org.postgresql.Driver" dbURL="jdbc:postgresql://192.168.1.100/mydb" user="david" password="unknown"/>

If you use the dbConfig parameter it takes precedence, and all the connection parameters are sought in the specified properties file. Note that in both forms the database password is stored in clear text, so the .cfg file and the graph definition should be readable only by the account that runs the ETL process.

Mapping JDBC data types onto Clover types
When working with a database through JDBC drivers, CloverETL needs to map its internal data types onto JDBC data types. The variety of DB/JDBC field types is huge, but most of them, with the exception of BLOBs, can be mapped onto Clover internal types without losing any information.

JDBC to CloverETL
The following table lists JDBC data types and the corresponding CloverETL data types. The conversion is done automatically by CloverETL when analyzing DB tables using the org.jetel.database.AnalyzeDB utility; it can also be made manually using the table.
JDBC (DB) data type | CloverETL data type
INTEGER, SMALLINT, TINYIN
150. reated with the Sun IDM. This connection name is used during the import process instead of the host name and port, which are difficult to remember.
SPML URL: the SPML URL pattern is http://<IDM application server name>:<port number>/idm/servlet/rpcrouter2, for example http://localhost:8080/idm/servlet/rpcrouter2.
User Name: configurator (default user name).
Password: configurator (default password).

c. IBM
Administration > Configuration > Provisioning Servers > New Provisioning Server Connection. The form has the fields Connection Name, Host Name, Port, LDAP Context, User Name and Password, with Save and Cancel buttons.
Figure 3-18 New Provisioning Server Connection (IBM)

Table 3-4 New Provisioning Server Connection (IBM)
Connection Name: Enter a name for the new connection being created with the IBM server. This connection name is used during the import process instead of the host name and port, which are difficult to remember (e.g. VAAU).
Host Name: Enter the host name.
Port: 2809 (default port number).
LDAP Context: Enter the context, for example ou=vaau,dc=com.
User Name: itim manager (default user name).
Password: secret (default pa

The user names and passwords listed for Sun IDM and IBM are the products' well-known defaults. Change them on the provisioning server, or create a dedicated service account for Role Manager, before saving a connection that uses them.
151. ribute can have.
Default Value: the default value an attribute takes when it is imported.
Values: a predefined list of values that the attribute can have.
Label: the display label for the attribute.

In addition to these parameters there is a set of flags which can be defined for an attribute:
Space Allowed: allows the attribute values to contain a space.
Multiple Value: allows an attribute to have multiple comma-separated values.
Hidden: the attribute value can be hidden, for password fields.
Managed: to display an attribute or import it, the managed flag needs to be set for the attribute.
Auditable: allows the attribute to be checked for audit exceptions.
Minable: allows Role Manager to run its mining algorithms over this attribute to produce roles.
Mandatory: when selected, this flag specifies all the privileges for the attribute, such as managed, importable, etc.
Importable: allows the attribute to be imported from a CSV/text file.

Steps to create, rename and delete an Attribute
1. Start Role Manager by clicking on the Role Manager icon.
2. The login dialog box appears. Enter the admin credentials and log in to Role Manager.
3. Go to Administration > Configuration > Namespaces.
4. A new attribute is added by highlighting the attribute category for which you need to create the attribute and clicking on the New Attribute tab.
New Attribute. New A
152. rn to the Identity Certification screen under Administration > Configuration. Select the notifications desired and click on each one to choose the required email template. Assign the reminder intervals for Pending Certification emails. Click Save.

[Figure 3-21 New Email Template: the form has the fields Name, Description, Sender Name, From, To, CC, BCC, Subject, HTML Enabled and Body. In the example the template "2nd Reminder Manager" (description "2nd reminder to manager to respond to certifications/reports in queue") is sent by "RBACx Administrator" with the subject "2nd Reminder for Certification Response" and the body "Dear Manager, This is a 2nd reminder for you to respond to your certifications and/or reports in your queue".]
[Figure 3-22 Email Template Details: shows the same fields for the saved template, with a Close button.]

Configure Revoke Action
Certification can be configured to send appropriate emails, along with the manager's comments, when user access is revoked
153. ry Review page (Page 1, 1-1 of 1 records, Display 10). Figure 8-26 Edit Certification Status.
7. Click Review to view the application entitlements. Note that these application entitlements are filtered on the basis of their application endpoints.
8. Click Certify, Revoke, Unknown or Exception Allowed for each of the user's access accounts. Glossary definitions are useful in determining the true meaning of a cryptic or system-level attribute value.
9. Click Certify or Revoke to sign off each attribute value within each user's account that belongs to a particular endpoint. Each account can also be certified as a whole.
10. If Sun Role Manager detects that all attestations have been completed, a Sign Off Certification box appears. To complete the certification at this point, click OK. Otherwise, complete attesting the entitlements of all accounts and then click Complete Certification.

Completing an Application Owner Certification
The My Certifications page for the certification "Q1 IT AD App Cert" describes the certification states: New certifications require a complete review of the users' roles and/or e
154. s Unit Name, Description (1-0 of 0 records, Display 10). Figure 8-2 By Business Unit.
8. The Select Business Unit(s) window opens. Drill down into the business units to select the business unit whose users are to be selected. To select a business unit, select the corresponding checkbox(es) and click OK.
9. Use the corresponding checkboxes and the Remove Business Unit(s) button to remove business units. Select Next.
10. If the certification type is User Access and the user selection strategy is By User Selection, a user selection window opens that allows users to be selected using the advanced user search or quick search capabilities. Select users for the certification from the search results using the corresponding checkboxes; no users are included by default. Select Next.
11. The Period and Certifier window opens. This window allows the certifier, the start and end dates, and customized configuration and email templates for the certification to be selected.

Create Certification > User Selection Strategy > By Business Unit > Period And Certifier. Period And Certif
155. s by selecting one of the options in the list, and then go to Step 2 to complete the certification.
[Figure 8-10 Certification Details: a table with the columns Employee, User, Department, Comments and Status (Apply to all: "Click to change for all"), listing employees such as Perry, Andy (aPerry); Farber, Abby (afarber); Brighi, Albert (alBrighi); Oleary, Brent (brOleary); Kispert, Christian (cKispert); Hannagan, Dave (dHannagan); Podgur, Edward (edPodgur); Thompson, Emma (ethompson); Podgur, Eva (evPodgur); Gilroy, Gerald (gGilroy), each with the status "This employee Works for me"; pages 1 to 4, 1-10 of 31 records, Display 10.]
7. The page for the selected certification opens. Select Show Details to view a brief summary of the Certification Overview and Certification History, as well as options for exporting certification reports. The My Certifications page for "Q2 afida Role Cert" describes the certification states: New certifications require a complete review of the users' roles and/or entitlements; Pending certifications have had some review, but the process has not been completed and further action is still required; Complete certifications are stored for revision or review purposes; Expired certifications are past their allocated certification perio
156. s during the import process.
com.vaau.rbacx.iam.correlation.dropOrphanAccounts=true

Correlation options
These options allow further control over the correlation of accounts to users during the import process. The available options are:
always: all accounts are correlated on every import.
orphan: only orphan accounts are correlated; established user-account associations are not updated.
never: accounts are NOT correlated.
com.vaau.rbacx.iam.correlation.correlate=always

Role Manager ETL Reference

DelimitedDataReader
CloverETL already has a CSV reader, but we prefer to use the Role Manager version. In some cases we might still want to use CloverETL's version, namely when each field has a different delimiter. We have to provide fileURL:
<Node id="INPUT" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="${inputFile}"/>

DelimitedDataWriter
The same can be said for DelimitedDataWriter:
<Node id="OUTPUT" type="com.vaau.rbacx.etl.clover.domain.DelimitedDataWriter" fileURL="${outputFile}"/>

ExcelDataReader
This Role Manager node reads Excel files. Attributes:
fileURL: mandatory.
Row_From: number of the initial row (optional, default value 1).
Row_To: number of the final row (optional, default value 1).
Col_From: number of the initial column (optional, default
157. ser Name, First Name: kgallagher, Kevin (1-1 of 1 records, Display 10). Figure 9-8 Search Remediator.

Scan Audit Policy Violations
Steps to Scan the System for Audit Violations
1. Click the Identity Audit > Policies > Scan Policies tabs.
[Figure 9-9 Scan Policies: the Policy Violation Scan page lists the policies to select, with Policy Name and Description, for example Issue and Receive Vendor Authorization; Profile: Los Angeles IT Operations Analyst; Purchase to Pay: Activate Vendors & Approve AP Invoices; Purchase to Pay: Create Invoice & Run Payment; Accounts Receivable: Create Customer Records & Customer Write Off; Accounts Receivable: Approve Credit Terms & Invoice Customer; Capital: Enter Loan & Approve Loan; Tax: Record Sales Tax & Approve Provision; Hire to Retire: Create Checks & Approve Checks (pages 1 to 3, 1-10 of 24 records, Display 10).]
2. Click Add Business Unit(s) to add certain business units from the selection, or check All Business Units to scan against the entire warehouse.
Select Business Unit(s)
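The policies in the list are segregation-of-duties pairs ("Create Invoice & Run Payment"), and a scan is scoped either to selected business units or to the whole warehouse. The following Python is an added example, not Role Manager code, of such a scan: it resolves each user's effective entitlements from direct grants plus role membership, so that a conflict created only by combining two individually harmless roles is still reported, together with the role or direct grant that introduced each side. The policy representation, the role and entitlement names, and the warehouse records are constructed for the example.

```python
"""Added example (not Role Manager code): a segregation-of-duties policy scan
over an identity warehouse, scoped by business unit."""

# Constructed policies: each is a pair of entitlements one user must not hold together.
POLICIES = {
    "Purchase to Pay: Create Invoice & Run Payment": ("SAP:CREATE_INVOICE", "SAP:RUN_PAYMENT"),
    "Hire to Retire: Create Checks & Approve Checks": ("HR:CREATE_CHECK", "HR:APPROVE_CHECK"),
    "Accounts Receivable: Create Customer Records & Customer Write Off": ("AR:CREATE_CUSTOMER", "AR:WRITE_OFF"),
}

# Constructed role definitions: role name -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "AP Clerk": {"SAP:CREATE_INVOICE"},
    "AP Manager": {"SAP:RUN_PAYMENT", "SAP:APPROVE_INVOICE"},
    "Payroll": {"HR:CREATE_CHECK"},
}

# Constructed warehouse: roles held plus entitlements granted outside any role.
WAREHOUSE = [
    {"user": "aPerry", "business_unit": "Vaau Financial Corporation",
     "roles": {"AP Clerk", "AP Manager"}, "direct": set()},
    {"user": "cKispert", "business_unit": "Vaau Inc",
     "roles": {"Payroll"}, "direct": {"HR:APPROVE_CHECK"}},
    {"user": "bOleary", "business_unit": "Vaau Inc",
     "roles": {"AP Clerk"}, "direct": set()},
]


def effective_entitlements(user: dict, role_entitlements: dict) -> dict:
    """Map each entitlement the user holds to its source: 'direct' or the granting role."""
    eff = {e: "direct" for e in user["direct"]}
    for role in sorted(user["roles"]):
        for e in role_entitlements.get(role, ()):
            eff.setdefault(e, role)   # first source wins; direct grants take precedence
    return eff


def scan_policies(warehouse: list, policies: dict, role_entitlements: dict,
                  business_units=None) -> list:
    """Return one violation record per (user, policy) whose both sides are held.

    business_units=None corresponds to 'All Business Units' (entire warehouse).
    """
    violations = []
    for u in warehouse:
        if business_units is not None and u["business_unit"] not in business_units:
            continue
        eff = effective_entitlements(u, role_entitlements)
        for name, conflict in policies.items():
            if all(e in eff for e in conflict):
                violations.append({
                    "user": u["user"],
                    "policy": name,
                    "via": {e: eff[e] for e in conflict},   # what granted each side
                })
    return violations


if __name__ == "__main__":
    for v in scan_policies(WAREHOUSE, POLICIES, ROLE_ENTITLEMENTS):
        print(v["user"], "violates", v["policy"], "via", v["via"])
```

The "via" field is what a remediator needs: aPerry's conflict comes from holding two roles, so the fix is a role change, whereas cKispert's conflict involves a direct grant that a role-level review would not show.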
158. ss Configuration File
Import properties are configured in <RBACX_HOME>/conf/iam.properties.

Maximum Concurrent Imports: this setting specifies the number of files to import concurrently. The default is 2.
fileITAMSolution.maxConcurrentImports=2

Maximum Errors Limit: this setting specifies the maximum number of errors per file before the process is aborted.
fileIAMSolution.rowErrorsLimit=3
In the above example, if the file import process encounters 3 errors, the import is aborted.
fileIAMSolution.rowErrorsLimit=-1
In the above example there is no limit to the number of errors.

Batch Size: this setting specifies the number of records to read and process in a batch during an import.
fileITAMSolution.batchSize=500

Drop Location: the files to be imported are placed in this location.
accountsFileImport.dropLocation=/opt/Vaau/RBACx2006/import/drop

Complete Location: input files are moved to the complete location after processing. Use a directory distinct from the drop location; otherwise processed files simply remain in the drop folder.
accountsFileImport.completeLocation=/opt/Vaau/RBACx2006/import/drop

Schema Location: the schema files are placed in this location.
accountsFileImport.schemaLocation=/opt/Vaau/RBACx2006/import/schema

Correlation Parameters
Correlation parameters specify whether orphan accounts (accounts which are not correlated to a global user) are dropped or saved as orphan account
159. ssDB" dbTable="myemployee" dbFields="FIRST_NAME;LAST_NAME"/>

One more parameter of DBOutputTable can be used to specify precisely the mapping from a CloverETL data record to a DB table record. It allows you to specify which source Clover field is mapped onto which target DB table field. The parameter is named cloverFields and contains the list of fields from the source record that should be considered for populating the target DB table. Coupled with dbFields it specifies a 1:1 mapping: individual fields are mapped according to the order in which they appear in dbFields and cloverFields respectively. The driving side, which determines how many fields will be populated, is always the dbFields parameter. When no dbFields parameter is present, CloverETL assumes that all target fields should be populated, in the order in which they appear in the target DB table.

The following example illustrates how to pick certain fields from the source data record (CloverETL record), regardless of their order, and map them onto target DB table fields, again regardless of their order:

<?xml version="1.0" encoding="UTF-8"?>
<Graph name="TestingDB3">
<Global>
<Metadata id="InMetadata" fileURL="metadata/myemployee.fmt"/>
<DBConnection id="PosgressDB" dbConfig="posgress.cfg"/>
</Global>
<Phase number="1">
<Node id="INPUT" type="DELIMITED_DATA_READER_NIO" fileURL="employees2.list.tmp"/>
<Node id="OUTPUT" type="DB_OUTPUT_TABLE" dbConn
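The mapping rule above is easy to get wrong in the two implicit cases (no dbFields, no cloverFields), where the mapping is positional rather than by name. The following Python is an added example, not CloverETL code: it implements the rule as stated (dbFields drives the count, cloverFields is matched by position, missing dbFields means all target columns in table order) and shows what happens when source record order does not match the table. The table columns and sample records are constructed; the behaviour with cloverFields omitted (source fields taken in record order) is an assumption.

```python
"""Added example (not CloverETL code): the dbFields/cloverFields 1:1 mapping
rule of DBOutputTable, applied to in-memory records."""


def map_fields(target_columns, record, db_fields=None, clover_fields=None):
    """Return {db_column: value} for one Clover record (a dict of field -> value).

    target_columns: the DB table's columns in table order.
    db_fields:      target columns to populate; None means all, in table order.
    clover_fields:  source fields, matched to db_fields by position; None means
                    the record's fields in their own order (assumption).
    """
    if db_fields is None:
        db_fields = list(target_columns)
    unknown = [c for c in db_fields if c not in target_columns]
    if unknown:
        raise ValueError(f"dbFields not in target table: {unknown}")
    if clover_fields is None:
        clover_fields = list(record.keys())
    missing = [f for f in clover_fields if f not in record]
    if missing:
        raise ValueError(f"cloverFields not in source record: {missing}")
    if len(clover_fields) < len(db_fields):
        raise ValueError("cloverFields shorter than dbFields: 1:1 mapping impossible")
    # dbFields is the driving side: surplus cloverFields are ignored.
    return {db: record[cf] for db, cf in zip(db_fields, clover_fields)}


def rows_for_table(target_columns, records, db_fields=None, clover_fields=None):
    """Map a whole batch of records."""
    return [map_fields(target_columns, r, db_fields, clover_fields) for r in records]


# Constructed sample in the spirit of the myemployee example above.
MYEMPLOYEE_COLUMNS = ["FIRST_NAME", "LAST_NAME", "EMP_ID"]
SAMPLE_RECORDS = [
    {"emp_id": "1001", "last": "Harmsen", "first": "Arijeet"},
    {"emp_id": "1002", "last": "Kispert", "first": "Christian"},
]
```

With both lists given, the order of fields in the source record is irrelevant; with neither, the first source field lands in the first table column, which for the sample above writes the employee id into FIRST_NAME.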
160. ssword.

d. File
Administration > Configuration > Provisioning Servers > New Provisioning Server Connection. For a file connection the form has the fields Connection Name, Import Drop Location, Import Complete Location, Import Schema Location, Export Drop Location and Export Schema Location.
Figure 3-19 New Provisioning Server Connection (File)

Connection Name: Enter a name for the new connection being created. This connection name is used during the import process from a file.
Import Drop Location: Give the path of the drop folder in which the input file to be imported is put.
Import Complete Location: Give the path of the complete folder used in the import process.
Import Schema Location: Give the path of the schema folder in which the schema file for the import process is put.
Export Drop Location: Specifies the path of the location where the output file will be dropped after a successful export.
Export Schema Location: Give the path of the schema folder in which the schema file for the export process is put.

Identity Certification
This section discusses the configuration of Identity Certification.
1. Log into the Role
161. system administrators who are responsible for installing the Sun Role Manager software (formerly Vaau's RBACx product) on the target systems and administering it.

Preface
Documentation Conventions
The following conventions are used in this guide:
<Italics_Brackets>: a variable that you must enter or select.
<RBACX_HOME>: a variable whose value is the name of the directory where Role Manager is installed.
Bold: information that you must type exactly as shown.
Bold Italics: an option on the toolbar or menu that you must select.
Square Brackets: a button you must click.

CHAPTER 1 Role Manager Introduction
[Figure 1-1 Role Manager: the product areas Identity Auditing and Role Engineering.]
Sun Microsystems understands that organizations today need to be in complete control of their enterprise security. The Sun Role Manager 4.1 software (formerly Vaau's RBACx product) addresses all aspects of Role Based Access Control (RBAC), enabling an enterprise to quickly and effectively embrace new opportunities, improve operational efficiency, reduce costs, and proactively manage virtually all security threats and risks to the IT security of the organization. The Sun Role Manager software (Role Manager) contains areas that are grouped as follows: Identity Warehouse, Role Engineering & Management, Identity Certification and Identity Auditing.
162. t>
</Global>
<Phase number="0">
<Node id="INPUT" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="${inputFile}"/>
<Node id="TRANSFORM" type="REFORMAT" transformClass="com.ReformatAccount"/>
<Node id="OUTPUT" type="com.vaau.rbacx.etl.clover.domain.DelimitedDataWriter" fileURL="${outputFile}"/>
<Edge id="INEDGE" fromNode="INPUT:0" toNode="TRANSFORM:0" metadata="InMetadata"/>
<Edge id="OUTEDGE" fromNode="TRANSFORM:0" toNode="OUTPUT:0" metadata="InMetadata"/>
</Phase>
</Graph>

In the above example the Role Manager ETL processor transforms all the files dropped in the ETL location whose names match the pattern tss_\w_accounts\w, for example tss_endpoint01_accounts.csv and tss_endpoint02_accounts.csv. So a different transformation can be applied to each namespace, and to each endpoint within a namespace.

Metadata
The metadata is the definition of the records that go from node to node. In the graph above the metadata is defined in a file called TSSAccount.fmt. There are two types of records, delimited and fixed. When the record is defined as delimited, the attribute delimiter is required; when it is defined as fixed, a size attribute is required. Below is the content of TSSAccount.fmt:

<?xml version="1.0" encoding="UTF-8"?>
<Record name="TestInput"
163. t/opt/IBM/WebSphere/AppServer/profiles/lnx80041_AppSrv01/installedApps/lnx80041Cell01/rbacx_war.ear/rbacx.war/WEB-INF>
3. Edit the scheduling-context.xml file.
a. To enable the user import, uncomment the User Import tags found on lines 110 and 125.
b. To enable the account import, uncomment the Account Import tags found on lines 111 and 126.
c. To enable the glossary import, uncomment the Glossary Import tags found on lines 113 and 128.
A snapshot of these lines is listed below:

<!-- Uncomment the line below to use this import job. Multiple jobs can be added: 1. Define a job in jobs.xml 2. Add a reference to the job below -->
<ref bean="usersImportJob"/>
<ref bean="accountsImportJob"/>
<ref bean="rolesImportJob"/>
<ref bean="glossaryImportJob"/>
</list>
</property>
<property name="triggers">
<list>
<!-- Uncomment the line below to use this import trigger. Multiple triggers can be added: 1. Define a trigger in jobs.xml 2. Add a reference below -->
<ref bean="usersImportTrigger"/>
<ref bean="accountsImportTrigger"/>
<ref bean="rolesImportTrigger"/>
<ref bean="glossaryImportTrigger"/>

Follow the given steps to update the schedule of the three jobs:
1. Log on to the application server.
2. Browse to <opt/IBM/WebSphere/AppServer/profiles/lnx80041_AppSrv01/installedA
164. t the role from Selected Business Unit Roles and click the other button. It will be taken off that list and appear in the Available Business Unit Roles list.
10. Once the roles have been assigned to the user, click Save. A new user is created and appears in the Role Manager Users list.

Steps to modify a User Password
1. Log in to the Role Manager web interface using a Java-enabled web browser.
2. Browse to the Security tab.
3. Click on Role Manager Users.
4. Select the user and select the update password icon.
5. Enter the new password.

CHAPTER 5 Data Correlation
Introduction
In order to construct the Identity Warehouse in Role Manager, globalusers and their entitlements across the various namespaces and target systems need to be imported into Role Manager. A commonly used method to import this data is the automated Role Manager import process via flat files. Globalusers need to be imported into Role Manager first, after which their entitlements in the various namespaces can be imported as well. The process of associating globalusers with their entitlements is called correlation. In Role Manager, multiple correlation rules can be defined in order to associate globalusers accurately with their entitlements. This chapter lists various rules and examples for correlating globalusers with their entitlements usin
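The correlation step introduced here is governed by the iam.properties settings described in the ETL chapter (com.vaau.rbacx.iam.correlation.correlate with the values always, orphan and never, and com.vaau.rbacx.iam.correlation.dropOrphanAccounts). The following Python is an added example, not Role Manager code, that reads those two properties from a constructed iam.properties fragment and applies them to an account import. The correlation rule used (the account's owner attribute equals a globaluser id, compared case-insensitively) is one assumed rule standing in for the rules this chapter goes on to define; the account records, globalusers and prior associations are constructed, and the interpretation that "always" re-evaluates existing associations on every import is an assumption.

```python
"""Added example (not Role Manager code): correlating imported accounts to
globalusers under the correlate / dropOrphanAccounts settings of iam.properties."""

CORRELATE_KEY = "com.vaau.rbacx.iam.correlation.correlate"
DROP_KEY = "com.vaau.rbacx.iam.correlation.dropOrphanAccounts"

IAM_PROPERTIES = """# constructed iam.properties fragment for this example
com.vaau.rbacx.iam.correlation.dropOrphanAccounts=false
com.vaau.rbacx.iam.correlation.correlate=orphan
"""


def load_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def default_rule(globalusers, acc):
    """Assumed correlation rule: account owner == globaluser id (case-insensitive)."""
    owner = (acc.get("owner") or "").lower()
    return next((u for u in globalusers if u.lower() == owner), None)


def correlate(globalusers, accounts, existing, props, rule=None):
    """Return (associations, orphans).

    globalusers: set of globaluser ids.
    accounts:    imported account dicts with 'endpoint', 'name', 'owner'.
    existing:    {(endpoint, name): globaluser} associations from earlier imports.
    """
    mode = props.get(CORRELATE_KEY, "always")
    if mode not in ("always", "orphan", "never"):
        raise ValueError(f"bad {CORRELATE_KEY} value {mode!r}")
    drop_orphans = props.get(DROP_KEY, "false").strip().lower() == "true"
    if rule is None:
        rule = lambda acc: default_rule(globalusers, acc)

    assoc, orphans = dict(existing), []
    for acc in accounts:
        key = (acc["endpoint"], acc["name"])
        if mode == "never" or (mode == "orphan" and key in existing):
            match = existing.get(key)          # keep whatever was established before
        else:
            match = rule(acc)                  # always: re-evaluate; orphan: new accounts only
        if match is None:
            assoc.pop(key, None)
            if not drop_orphans:
                orphans.append(key)            # saved as an orphan account
        else:
            assoc[key] = match
    return assoc, orphans


# Constructed sample import.
GLOBALUSERS = {"aHarmsen", "cKispert"}
EXISTING = {("AD", "harmsen"): "aHarmsen"}
ACCOUNTS = [
    {"endpoint": "AD", "name": "harmsen", "owner": "ckispert"},   # owner changed since last import
    {"endpoint": "SAP", "name": "kispert", "owner": "CKISPERT"},
    {"endpoint": "SAP", "name": "svc_batch", "owner": None},      # nobody owns it
]
```

The three modes differ exactly on the AD account whose owner changed: orphan keeps the old association, always follows the new owner, and never leaves every new account uncorrelated. The unowned service account is the case dropOrphanAccounts decides; keeping it as an orphan is the safer default because an account nobody owns is precisely what a certification should surface.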
165. te 08/29/2008; Type: Incremental; No. of Business Units selected; Business Unit Name: Vaau Inc, Cost Centers, Projects, Role Owners, Vaau Financial Corporation (1-5 of 5 records, Display 10); Run Certification: Now / Later. Figure 8-6 Period and Certifier Summary.
18. There are two options for running the certification. It can be run immediately by selecting Now for the Run Certification field, or it can be scheduled as a daily, weekly, monthly or one-time task to be run at a particular date and time. Select Later to schedule a task; a new panel opens for the scheduler. Enter a name and description for the scheduled task, then select the type of task and fill in the corresponding fields.

Create Certification > User Selection Strategy > By User > Period And Certifier > Summary. Summary: Certification Name: Test 2; Certifier: Global User Manager; Start Date 08/23/2008; End Date 08/23/2008; Type: User Access, Incremental; No. of Users selected (view); Run Certification: Now / Later; Certification Job Name; Certification
166. tes, but Role Manager has the ability to define rules based on any attribute stored within the Identity Warehouse for any of its users. An example of a rule might be: if a user is based in the Midwest region and works on the Chicago, IL campus, provide access to the Base Employee Chicago role. Though this is a very simplistic example, the Role Manager rule engine allows an administrator to define multiple rules, combining them into a criterion with the AND and OR operators between rules and using equals, does not equal, contains, does not contain, is null and is not null within rule conditions. Thus many rules can be defined in order to distinguish groups of users from one another and automatically assign a role to them. This feature of Role Manager greatly decreases on-boarding times for new employees and reduces the chance of, and the delays associated with, granting incorrect access.

Let us walk through the process of setting up a rule in Role Manager using the example mentioned above.
1. Go to the Role Provisioning Rules window under the Role Management tab.
2. Click on the New Rule button.
3. A window appears that asks for a Rule Name and Rule Description.
[Figure: Role Provisioning Rules, Rule Based Role Assignment and Role Consolidation]
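The operator set above (equals, does not equal, contains, does not contain, is null, is not null) combined with AND/OR is small enough to implement completely, and doing so exposes the one decision the text leaves open: how a negative operator treats a user who lacks the attribute altogether. The following Python is an added example, not Role Manager code: the rule representation, the attribute names, the sample users and the choice that "does not equal" and "does not contain" are true for a missing attribute are all assumptions made for the example.

```python
"""Added example (not Role Manager code): a rule-based role assignment
evaluator with the operators and AND/OR combination described above."""

# Assumption: negative operators match when the attribute is absent (None).
OPS = {
    "equals":           lambda a, v: a is not None and a == v,
    "does not equal":   lambda a, v: a is None or a != v,
    "contains":         lambda a, v: a is not None and v in a,
    "does not contain": lambda a, v: a is None or v not in a,
    "is null":          lambda a, v: a in (None, ""),
    "is not null":      lambda a, v: a not in (None, ""),
}


def eval_condition(user: dict, cond: tuple) -> bool:
    """cond = (attribute, operator, value); value is ignored for the null checks."""
    attr, op, value = cond
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    return OPS[op](user.get(attr), value)


def eval_rule(user: dict, rule: dict) -> bool:
    """rule = {'op': 'AND'|'OR', 'conditions': [cond or nested rule, ...]}."""
    results = [eval_rule(user, c) if isinstance(c, dict) else eval_condition(user, c)
               for c in rule["conditions"]]
    if rule["op"] == "AND":
        return all(results)
    if rule["op"] == "OR":
        return any(results)
    raise ValueError(f"unknown combinator {rule['op']!r}")


# Constructed rules: (role to assign, criterion).
PROVISIONING_RULES = [
    ("Base Employee Chicago Role", {"op": "AND", "conditions": [
        ("Region", "equals", "Midwest"),
        ("Campus", "contains", "Chicago"),
    ]}),
    ("Contractor Restricted Role", {"op": "OR", "conditions": [
        ("EmployeeType", "equals", "Contractor"),
        ("Manager", "is null", None),
    ]}),
    # A negative-only rule: note what it does for users with no Status attribute.
    ("All Staff Role", {"op": "AND", "conditions": [
        ("Status", "does not contain", "Terminated"),
    ]}),
]


def assign_roles(user: dict, rules=PROVISIONING_RULES) -> list:
    """Roles whose criterion the user's warehouse attributes satisfy, in rule order."""
    return [role for role, rule in rules if eval_rule(user, rule)]


# Constructed warehouse users.
SAMPLE_USERS = {
    "aPerry":    {"Region": "Midwest", "Campus": "Chicago, IL", "EmployeeType": "Employee",
                  "Manager": "gGilroy", "Status": "Active"},
    "aHarmsen":  {"Region": "Midwest", "Campus": "Milwaukee, WI", "EmployeeType": "Contractor",
                  "Manager": "gGilroy", "Status": "Active"},
    "svc_batch": {"EmployeeType": "Service"},   # no Region, Manager or Status at all
}
```

The service account shows the practical point: a rule written only with negative operators, or with "is null" as an OR branch, grants roles to identities whose attributes were never populated. Guard such rules with an "is not null" condition on the attribute they test.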
167. th maximum for any field, but it should be enough to accommodate even very long strings. We speak about strings because for the other types the size of the field is fixed regardless of the actual value. Despite this, there are some cases when it matters whether you specify the size of each field or not; this is discussed in the following text.

What Types of Data Fields CloverETL Supports
The following table lists all the types of data supported so far, together with the range of values for each type.

Data type name | Based on | Size | Range of values
string | java.lang.String | depends on actual data length | 
date | java.util.Date | | from the 1970 epoch (00:00:00 GMT)
integer | java.lang.Integer | 32 bit (sizeof int) | 
numeric | java.lang.Double | 64 bit (sizeof double) | of the order of 2^1023
long | java.lang.Long | 64 bit (sizeof long) | 
decimal | | | not yet implemented
byte | java.lang.Byte | | 

Specification of Record Format
One way of putting together a description of the record format is to write some Java code and use CloverETL class method calls. The easier way is to create an XML description of the record format, which CloverETL can read and materialize in memory automatically. It is customary to use the .fmt extension for an XML file containing metadata that describes the format of a data record. The following example shows simple metadata describing a record contai
168. the decimal separator.
' | Prefix or suffix | No | Used to quote special characters in a prefix or suffix; for example, "'#'#" formats 123 to "#123". To create a single quote itself, use two in a row: "# o''clock".

Number Format
When specifying a format for numbers, Clover (Java) uses the default system locale setting unless another locale is specified through the locale option. This is important when you are parsing data in which decimal numbers use a comma as the decimal separator, whereas the system default says it is a point. In such a case use the locale option together with the format option to change the expected decimal delimiter. Example:
<Field name="Freight" type="numeric" delimiter=... format=... locale="en.US"/>

Locale
Instead of specifying the format parameter, or together with it, you may specify a locale parameter; it states which geographical, political or cultural region your information is to be formatted for. Thus, instead of specifying a format for a date field, specify the Germany locale (e.g. locale="de") and Clover will automatically choose the proper date format used in Germany. There are cases when both the format and locale parameters make sense, for example when specifying the format of decimal numbers: you define the format pattern with a decimal separator, and the locale specifies whether that separator is a comma or a dot.

Specifying Default Values for Fields
CloverETL o
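The .fmt metadata described in the ETL chapter (delimited records need a delimiter per field, fixed records a size), the field types listed above, and the format/locale handling for numerics together define how a data file is parsed. The following Python is an added example, not CloverETL code, of a reader driven by such metadata: it loads a record definition, rejects one that lacks the required delimiter or size, and parses data rows with type conversion. Assumptions: locale is honoured only for the decimal and thousands separators (German style for "de", dot otherwise), the default-value attribute is named "default", a string size is a maximum, and the two sample .fmt files and data lines are constructed.

```python
"""Added example (not CloverETL code): a metadata-driven reader for delimited
and fixed records as defined in a .fmt file."""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed delimited record definition (last delimiter is the line end).
FMT_DELIMITED = """<?xml version="1.0" encoding="UTF-8"?>
<Record name="TestInput" type="delimited">
  <Field name="Name" type="string" delimiter=";"/>
  <Field name="Age" type="integer" delimiter=";" default="0"/>
  <Field name="Freight" type="numeric" delimiter=";" locale="de"/>
  <Field name="Hired" type="date" delimiter="\\n" format="yyyy-MM-dd"/>
</Record>"""

# Constructed fixed-width record definition.
FMT_FIXED = """<Record name="FixedInput" type="fixed">
  <Field name="Name" type="string" size="10"/>
  <Field name="Age" type="integer" size="3"/>
  <Field name="Freight" type="numeric" size="8"/>
</Record>"""

_JAVA_TO_STRPTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}   # subset of Java date patterns


def load_fmt(xml_text: str) -> dict:
    """Parse a .fmt document and enforce the delimiter/size requirement."""
    root = ET.fromstring(xml_text)
    rtype = root.get("type", "delimited")
    fields = []
    for f in root.findall("Field"):
        spec = dict(f.attrib)
        if rtype == "delimited" and "delimiter" not in spec:
            raise ValueError(f"delimited record: field {spec['name']} needs a delimiter")
        if rtype == "fixed" and "size" not in spec:
            raise ValueError(f"fixed record: field {spec['name']} needs a size")
        fields.append(spec)
    return {"name": root.get("name"), "type": rtype, "fields": fields}


def _convert(spec: dict, raw: str):
    """Convert one raw field according to its type, format and locale."""
    if raw == "" and "default" in spec:
        raw = spec["default"]
    t = spec["type"]
    if t == "string":
        return raw
    if t in ("integer", "long"):
        v = int(raw)
        if t == "integer" and not -2**31 <= v < 2**31:
            raise ValueError(f"{spec['name']}: {v} exceeds a 32-bit integer")
        return v
    if t == "numeric":
        if spec.get("locale", "en.US").startswith("de"):
            raw = raw.replace(".", "").replace(",", ".")   # German thousands/decimal separators
        return float(raw)
    if t == "date":
        fmt = spec.get("format", "yyyy-MM-dd")
        for java, py in _JAVA_TO_STRPTIME.items():
            fmt = fmt.replace(java, py)
        return datetime.strptime(raw, fmt)
    raise ValueError(f"unsupported type {t!r}")


def parse_row(meta: dict, line: str) -> dict:
    """Split one line by the metadata, then convert each field."""
    out, rest = {}, line.rstrip("\r\n")
    fields = meta["fields"]
    for i, spec in enumerate(fields):
        if meta["type"] == "delimited":
            if i == len(fields) - 1:
                raw = rest                       # the final delimiter is the line end
            else:
                raw, sep, rest = rest.partition(spec["delimiter"])
                if not sep:
                    raise ValueError(f"missing delimiter {spec['delimiter']!r} after {spec['name']}")
        else:
            n = int(spec["size"])
            raw, rest = rest[:n].strip(), rest[n:]
        out[spec["name"]] = _convert(spec, raw)
    return out
```

Rejecting the metadata up front (no delimiter, no size) is cheaper than discovering the problem on the first data row; the German-locale Freight field shows why the locale must travel with the format when the data and the server disagree on the decimal separator.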
169. the line below to use this import trigger. Multiple triggers can be added: 1. Define a trigger in jobs.xml 2. Add a reference below -->
<!-- <ref bean="usersImportTrigger"/> -->
<ref bean="accountsImportTrigger"/>
<ref bean="accountsImportTrigger_2"/> <!-- Additional trigger for account imports, to be used in clusters -->
<ref bean="accountsImportTrigger_3"/> <!-- Additional trigger for account imports, to be used in clusters -->
<!-- <ref bean="rolesImportTrigger"/> -->
<ref bean="glossaryImportTrigger"/>
<!-- <ref bean="policiesImportTrigger"/> -->
<!-- <ref bean="certificationReminderTrigger"/> -->
<!-- <ref bean="reportReminderTrigger"/> -->
<ref bean="stableFolderCleanUpTrigger"/>
<ref bean="accountsMaintenanceTrigger"/>
<ref bean="rmeTrigger"/>
</list>
</property>
Figure 10-2 scheduling-context.xml

In the current architecture these files are found in the following path: C:\Vaau\RBACx2006\tomcat55\WEB-INF: scheduling-context.xml and jobs.xml.

UI Based Import/Export Scheduler
Role Manager provides a UI-based scheduler for every data import and export capability available. The Role Manager administrator can easily navigate to the scheduler and create jobs to import users, accounts and roles, or to export roles, policies, etc.
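Because a job only runs when both its job reference and a live trigger reference are uncommented, the edit described in the WebSphere steps and shown in Figure 10-2 is easy to get half right: a job with its trigger still commented out never fires, and a trigger whose job is commented out is dead configuration. The following Python is an added example, not Role Manager code, that checks a scheduling-context.xml fragment for exactly that. The fragment is constructed to resemble the figure; the convention that a trigger is named after its job (xImportJob / xImportTrigger, with an optional _N suffix for the cluster triggers) is an assumption drawn from the bean names in the figure.

```python
"""Added example (not Role Manager code): report which scheduled jobs in a
scheduling-context.xml are enabled, disabled, or enabled without a trigger."""
import re

# Constructed fragment in the shape of Figure 10-2.
SAMPLE_CONTEXT = """<property name="jobDetails">
  <list>
    <!-- Uncomment the line below to use this import job. -->
    <ref bean="usersImportJob"/>
    <!-- <ref bean="accountsImportJob"/> -->
    <!-- <ref bean="rolesImportJob"/> -->
    <ref bean="glossaryImportJob"/>
  </list>
</property>
<property name="triggers">
  <list>
    <!-- <ref bean="usersImportTrigger"/> -->
    <ref bean="accountsImportTrigger"/>
    <ref bean="accountsImportTrigger_2"/> <!-- Additional trigger, to be used in clusters -->
    <!-- <ref bean="rolesImportTrigger"/> -->
    <ref bean="glossaryImportTrigger"/>
  </list>
</property>"""

_COMMENT = re.compile(r"<!--.*?-->", re.S)
_REF = re.compile(r'<ref\s+bean="([^"]+)"\s*/>')
_TRIGGER = re.compile(r"(.+)Trigger(_\d+)?")


def ref_state(xml_text: str) -> dict:
    """{bean: True if the <ref> is live, False if it appears only inside a comment}."""
    commented = set()
    for c in _COMMENT.findall(xml_text):
        commented.update(_REF.findall(c))
    live = set(_REF.findall(_COMMENT.sub("", xml_text)))
    state = {b: True for b in live}
    for b in commented - live:
        state[b] = False
    return state


def job_trigger_report(xml_text: str) -> dict:
    """For each job bean: 'scheduled', 'disabled', or 'enabled but no live trigger'."""
    state = ref_state(xml_text)
    report = {}
    for job in sorted(b for b in state if b.endswith("Job")):
        base = job[:-len("Job")]
        pattern = re.compile(re.escape(base) + r"Trigger(_\d+)?")
        has_trigger = any(state[t] for t in state if pattern.fullmatch(t))
        if not state[job]:
            report[job] = "disabled"
        elif has_trigger:
            report[job] = "scheduled"
        else:
            report[job] = "enabled but no live trigger"
    return report


def orphan_triggers(xml_text: str) -> list:
    """Live triggers whose job reference is commented out or absent."""
    state = ref_state(xml_text)
    orphans = []
    for t in sorted(b for b in state if state[b] and _TRIGGER.fullmatch(b)):
        job = _TRIGGER.fullmatch(t).group(1) + "Job"
        if not state.get(job, False):
            orphans.append(t)
    return orphans


if __name__ == "__main__":
    for job, status in job_trigger_report(SAMPLE_CONTEXT).items():
        print(f"{job}: {status}")
    print("orphan triggers:", orphan_triggers(SAMPLE_CONTEXT))
```

Run it against the real file after editing, before restarting the application server; "enabled but no live trigger" is the symptom of uncommenting only one of the two line pairs the steps refer to.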
170. tions. The My Certifications page for "Q1 IT AD App Cert" describes the certification states: New certifications require a complete review of the users' roles and/or entitlements; Pending certifications have had some review, but the process has not been completed and further action is still required; Complete certifications are stored for revision or review purposes; Expired certifications are past their allocated certification period but may still be useful for review.
[Figure 8-24 Sign off Certification: the dialog "Thank you for reviewing access. Would you like to sign off this certification?" over the Certification Details panel (columns Comments, Action, Review; 1-1 of 1 records).]
10. If Sun Role Manager detects that all attestations have been completed, a Sign Off Certification box appears. To complete the certification at this point, click OK. Otherwise, complete attesting the entitlements of all roles and then click Complete Certification.
11. Enter your login password to secure your sign-off on this certification.
My Certifications > Q1 IT AD App
171. tions tab under the Identity Certification tab.
4. Click New Certification.
5. The Create Certification window opens. Fill in the Certification Name and select the type of certification to be created from User Access, Role Entitlement and Application Owner. To create an incremental certification, select the Incremental checkbox. Select Next.
6. Select the User Selection Strategy. This step applies only if the certification type is User Access. For Role Entitlement and Application Owner certifications, user selection is done on the basis of business units; for User Access certifications there is the additional option of a custom user selection.
7. For Role Entitlement certifications, Application Owner certifications, and User Access certifications whose User Selection Strategy is By Business Unit, the Business Unit Selection window opens. Click the Add Business Unit(s) button to add business units for user selection.

Create Certification > User Selection Strategy > By Business Unit. Business Unit: Add Business Unit(s), Remove Business Unit(s). Busines
172. ...ts when a certification is completed and prompts for sign-off on the certification. Select Yes on the sign off certification screen to sign off the certification.
Completing a User Access Certification
[Figure 8.22: Sign off Certification. Screenshot of My Certifications > Q1 IT AD App Cert showing the Review Status view and the Complete Certification button; the dialog reads "Thank you for reviewing access. Would you like to sign off this certification?"]
22. To sign off at a later instant, use the Complete Certification button.
23. Enter your login password to secure your sign-off on this certification.
Completing a Role Entitlement Certification
This sub...
173. [Figure 3.7: New Attribute dialog, with the fields Attribute Name, Description, Min Length, Max Length, Case, Edit Type, Order, Min Value, Max Value, Default Value, Values, Excluded Value, Label, Space Allowed, Multiple Value, Hidden, Mandatory, Managed, Auditable, Importable, Minable, Certifiable.]
5. A dialog box appears where the user enters the New Attribute values explained above.
6. To rename an attribute, use the Rename icon in the right-most column for the appropriate attribute.
Chapter 3: Role Manager Configuration. System Configuration.
[Figure 3.8: Rename Attribute dialog (Rename Attribute Category; example category Account Container, value acme).]
7. The Rename Attribute dialog box appears. Enter the new name and save it.
8. To edit an attribute, select the Edit Attribute icon in the right-most column and modify the required values.
[Figure 3.9: Edit Attribute dialog showing the Attribute Properties of DBSize (Name DBSize, Description Database Size, Label Database Size) with the same property fields as the New Attribute dialog.]
9. To delete an attribute, select the Delete icon in the right-most column of the attribute.
Configuration > Nam...
174. ...ty Certification.
3. Select the Enable Reporting Changes checkbox.
4. Select the checkbox to record reporting changes, if required.
5. Select the Create new certification per reporting manager checkbox to create a new certification when the certifier changes during the certification process.
Security
This tab is used to set the password policies in Role Manager.
Steps to set password settings:
1. Start Role Manager by clicking the Role Manager icon.
2. The login dialog box appears. Enter the Admin credentials and log in to Role Manager.
3. Go to Administration > Configuration > Security.
[Figure 3.24: Password Quality Setting. Screenshot of Configuration > Security showing Password Quality Settings (Enable Quality Check; Minimum Password Length; Minimum Alphabetic Characters; Minimum Upper Case Characters; Minimum Lower Case Characters; Minimum Numeric Characters; Minimum Special Characters; Minimum Alpha Numeric Characters; Enable Dictionary Check) and Password Intervals (Grace Period Days).]
4. On checking Password Quality Settings, all the options under it become active. You can set values for the fo...
175. (Record metadata, continued; the field delimiter characters did not survive extraction and are shown as the placeholder [lost]; only the final record delimiter \r\n is recoverable.)
    ... type="delimited">
        <Field name="name" type="String" delimiter="[lost]" />
        <Field name="comments" type="string" delimiter="[lost]" />
        <Field name="endPoint" type="string" delimiter="[lost]" />
        <Field name="domain" type="string" delimiter="[lost]" />
        <Field name="suspended" type="String" delimiter="[lost]" />
        <Field name="locked" type="string" delimiter="[lost]" />
        <Field name="AcidA11" type="string" delimiter="[lost]" />
        <Field name="AcidxAuth" type="string" delimiter="[lost]" />
        <Field name="FullName" type="string" delimiter="[lost]" />
        <Field name="GroupMemberOf" type="string" delimiter="[lost]" />
        <Field name="InstallationData" type="String" delimiter="[lost]" />
        <Field name="ListDataResource" type="String" delimiter="[lost]" />
        <Field name="ListDataSource" type="string" delimiter="[lost]" />
        <Field name="M8A11" type="string" delimiter="\r\n" />
    </Record>
Node
Nodes are elements that perform a specific task. In this example the node INPUT reads from a CSV file, the node TRANSFORM transforms the data, and the last node OUTPUT writes the resulting records into a CSV file. The element's type refers to classes in CloverETL or to classes provided in Role Manager; you can specify a complete class name or a short class name. Role Manager provides the following nodes to read and write CSV files: com.vaau.rbacx.etl.clover.components.DelimitedDataReader and com.vaau.rbacx.etl.clover.domain.DelimitedDat...
176. ...uling Reports
[Figure 10.9: Select Business Units. Screenshot of the Select Business Unit(s) tree; the legible entries include Identity Management, Web Conversion, Role Manager and Vaau Financial Corporation.]
6. Scroll below to select the date and time for the report job to execute.
[Figure 10.10: Create Report Job. Screenshot of Reports > Schedule Reports > New Report Job with Scheduled Dates (Months: January, February, March, April, May ...; Years: 2008, 2009, 2010, 2011, 2012), Scheduled Time (Minutes, Seconds) and the Create / Cancel buttons.]
Chapter 10: Role Manager Scheduling. Scheduling Reports.
7. Click to create the report job.
8. To delete a report job, click the Delete icon.
Scheduling Reminder Emails
Steps to configure Reminder Emails
Similar to the Identity Certification Reminder Email workflow, reminder emails can be configured to send emails to various actors based on pre-defined email templates.
1. To configure this workflow, click Administration > Configuration > Reports tab.
[Figure 10.11: Configuration Reports screenshot.]
177. ...users have been verified by selecting Works for me and their roles and entitlements are to be certified, select Go To Step 2.
Chapter 8: Identity Certifications. Completing a User Access Certification.
Step 2
12. Complete the certification process for a user by certifying the roles and entitlements associated with the user. The Group Data By option can be used to filter the users to be certified based on various attributes such as location, job code, manager, etc.
Certify Roles
Once roles have been defined for the business unit, Sun Role Manager can help your organization move to an attestation based on roles: business unit managers are responsible for certifying membership of roles, and role owners are responsible for role content.
13. Select the user to certify by clicking the name of the user.
[Screenshot: My Certifications > Q1 Web Conversion User cert.]
178. [Figure 8.1: Identity Certification Dashboard. Panels: Certifications By Status (App Owner, User, Role; In Progress, Complete, Expired); Notifications issued in last week, listed by Notification Type (First Reminder to manager, Second Reminder to manager, First Reminder to manager's manager, Second Reminder to manager's manager, Reminder to IT security department) with Count; Summary (Total number of users, Total number of Accounts, Total number of Namespaces, Total number of Endpoints); Statistics (Average certifications per business unit, Average roles per user, Average accounts per user, Average users in business unit); Certification Status and User Roles Certification Status charts (Certified, Revoked, Incomplete).]
Identity Certification Dashboard
New Identity Certification
Steps to Create a New Identity Certification Job
1. Log into the Sun Role Manager web interface using a Java-enabled web browser.
2. Log in with the credentials of an administrator or business unit manager.
3. Select the My Certifica...
179. ...ute path for the output file. If the element rbacxRegxLookupFiles equals true but no file was found, ETLManager runs the graph without defining the parameters inputFile and outputFile. This can be used when reading from a database.
Chapter 7: Role Manager ETL Process. Introduction.
Transformation Configuration
ETL properties are configured in RBACX_HOME/conf/iam.properties.
ETL Graphs Location: the location where the CloverETL graph files are placed.
    eTLManager.graphsLocation=/opt/Vaau/RBACx2006/imports/etl/graphs
ETL Drop Location: the location where the data files that need transformation are dropped.
    eTLManager.dropLocation=/opt/Vaau/RBACx2006/imports/etl/drop
ETL Complete Location: all processed files are moved to this location after the ETL Manager completes processing the file.
    eTLManager.completeLocation=/opt/Vaau/RBACx2006/imports/etl/complete
ETL Output Location: this location receives the output of the transformation. If the output is to be imported by the Role Manager IAM service, this location should point to the IAM File Imports Drop Location.
    eTLManager.outputLocation=/opt/Vaau/RBACx2006/imports/drop
Import Process
The Role Manager IAM service imports all the files from a pre-configured drop location, inserts or updates objects in its repository, and archives all the feeds. The IAM service can import multipl...
180. ...value 1. There is no Col_To because the reader uses the Metadata to know how many columns it has to read.
    <Node id="INPUT1" type="com.vaau.rbacx.etl.clover.components.ExcelDataReader" fileURL="${inputFile}" Row_From="1" />
Transformation Examples
Merge
This graph is executed when a file matching the pattern tss_ w _accounts w is found in the drop location by the ETL Manager. It reads the file_01.dat, file_02.dat and file_03.dat CSV files using the com.vaau.rbacx.etl.clover.components.DelimitedDataReader node and then merges the data with the MERGE node. The outputFile keeps the sort order stated in mergeKey (ShipName, ShipVia). The file matching the pattern tss_ w _accounts w is moved to the completed location; the files file_01.dat, file_02.dat and file_03.dat stay in the c:\tss folder. The output file has the same name as the inputFile.
    <Graph name="TestingMerge" rbacxRegxLookupFiles="tss_ w accounts w">
    <!-- This graph illustrates usage of the MERGE component. It merges data based on the specified key. -->
    <Global>
        <Metadata id="InMetadata" fileURL="${graphsLocation}/metadata/[tss accunts fmt]" />
    </Global>
    <Phase number="0">
        <Node id="INPUT1" type="com.vaau.rbacx.etl.clover.components.DelimitedDataReader" fileURL="[unreadable in source]" />
        <No...
(The regular-expression metacharacters in the file pattern, the metadata file name separators and the first reader's fileURL were lost in extraction and are shown as bracketed placeholders.)
181. ...wing modules provide instructions for certifiers (user managers, role owners and application owners) to sign off the different types of certifications.
Completing a User Access Certification
This sub-section describes how to sign off a user access certification for attestation and reporting purposes. User Access Certification in Role Manager is a two-step process.
Step 1: Employment Verification. This step entails confirming or denying whether the certifier is responsible for the accesses of the user being certified. Options such as Terminated, Does not work for me and Works for someone else can be used to report an incorrect access. Indicating an incorrect access at Step 1 completes the certification process for the user. If the Works for me option is selected, then Step 2 of the certification process must be completed.
Step 2: Approve or Revoke Roles and Entitlements. This step must be undertaken for each user who is verified as Works for me by the certifier. Step 2 entails certifying or revoking all the accesses granted to a user. This includes roles as well as entitlements outside roles. Sun Role Manager provides flexibility for the certifier in completing the certification process: Step 1 can be completed for as many users as desired before going to Step 2. The certifier may opt to complete Step 1 for all users and then complete Ste...
