Layer7 Identity Management


Managing Permissions Data in both IM and IP

  • 1.  Managing Permissions Data in both IM and IP

    Posted 04-28-2017 07:15 AM

    Requirement

    IM can have many permissions/entitlements defined in it (such as Provisioning Roles or Groups). If ID-Portal is used, this will probably be used for Access Requesting. This means that the permissions in IM will all have to appear in the ID-Portal Entitlements Tree.


    In a high-volume environment (50k+ permissions in IM) maintaining this data consistently in both products will be a considerable overhead.


    The aim is to define the items once, but have them appear consistently in both tools.


    Options

    There are 2 possible ways of approaching this:

    • Define items in IM (with extra data as needed to support IP)
      • Push this data into IP
    • Define items in a separate area (e.g. a database), with all data needed for IM and IP (or to support IG certifications, or risk)
      • Push this data into IM
      • Push this data into IP
      • (Also use to enrich IG, or provide risk scores to IP and IG)


    This proposal is to define the items in IM, and push the data into IP.


    This Proposal

    It is possible to define a transformation-process to map IM-Permissions to IP-Permissions – so this can be automated for a large-volume environment. The aim of this document is to provide a proposed mapping.


    However, these things are to be noted:

    • IM Permissions that are to be requested through IP Access-Requests:
      • Must be defined in a consistent way
      • Need data on them that will be used by IP.
    • IM Admin Roles that define what can be requested through IP Access-Requests:
      • Must be defined in a consistent way
      • Must have member-rules and scope-rules written in a certain way
      • Need data on them that will be used by IP.
      • Must contain IM Tasks that can be safely used by the IP-Access-Requests processes


    How this may work

    The steps in the transformation would be:

    • Read and format IM Permissions – reformat – output as a complete set of IP items (result: 7 files)
    • Read IP items (result: 7 files)
    • Compare IM and IP items: find adds/removes/changes to items (for the 7 compares)
    • Format update files for IP (7 sets of 3 update types: 21 files)
    • Import files into IP (in appropriate sequence)


    The item-types would be the IP items (there are 7):

    • Tasks
    • Forms
    • Target Permissions
    • Target-Permission-Rules
    • Applications (Groups)
    • Permissions
    • Permission key-value pairs


    See attached documents for proposed mapping, detailed mapping and an example.
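    The compare step of the transformation above (find adds/removes/changes per item type, then lay them out as 7 x 3 update sets), as an added example that is not part of the original post or of the products: constructed IM-output rows and an IP export are diffed by item type and key. The item-type names are the seven listed in the post; the file naming, the row fields and the sample data are assumptions.

```python
from typing import Dict, List, Tuple

# The 7 IP item types named in the post; each gets its own compare.
ITEM_TYPES = ("Tasks", "Forms", "Target Permissions", "Target-Permission-Rules",
              "Applications (Groups)", "Permissions", "Permission key-value pairs")
UPDATE_TYPES = ("add", "remove", "change")


def _index(items: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Key every row by (item type, key); the key is what IP identifies an item by."""
    idx = {}
    for it in items:
        if it["type"] not in ITEM_TYPES:
            raise ValueError(f"unknown IP item type: {it['type']}")
        idx[(it["type"], it["key"])] = it
    return idx


def compare(im_items: List[dict], ip_items: List[dict]) -> Dict[str, Dict[str, List[dict]]]:
    """The IM output is the desired state, the IP export is the current state.
    Returns {item_type: {"add": [...], "remove": [...], "change": [...]}}."""
    desired, current = _index(im_items), _index(ip_items)
    out = {t: {u: [] for u in UPDATE_TYPES} for t in ITEM_TYPES}
    for k, item in desired.items():
        if k not in current:
            out[k[0]]["add"].append(item)
        elif current[k] != item:          # same key, different attributes
            out[k[0]]["change"].append(item)
    for k, item in current.items():
        if k not in desired:              # in IP but no longer defined in IM
            out[k[0]]["remove"].append(item)
    return out


def update_files(plan: Dict[str, Dict[str, List[dict]]]) -> Dict[str, List[dict]]:
    """Flatten the plan into the 21 update files (7 item types x 3 update types).
    File naming is an assumption; empty files are kept so the import sequence is fixed."""
    return {f"{t}.{u}.csv": plan[t][u] for t in ITEM_TYPES for u in UPDATE_TYPES}


# Constructed sample data (not from the original post).
IM_ITEMS = [
    {"type": "Applications (Groups)", "key": "Finance", "name": "Finance"},
    {"type": "Permissions", "key": "PR_Finance_Reader", "app": "Finance", "name": "Finance Reader"},
    {"type": "Permissions", "key": "PR_Finance_Approver", "app": "Finance", "name": "Finance Approver"},
    {"type": "Permission key-value pairs", "key": "PR_Finance_Approver:risk", "value": "high"},
]
IP_ITEMS = [
    {"type": "Applications (Groups)", "key": "Finance", "name": "Finance"},
    {"type": "Permissions", "key": "PR_Finance_Reader", "app": "Finance", "name": "Fin Reader"},
    {"type": "Permissions", "key": "PR_HR_Reader", "app": "HR", "name": "HR Reader"},
]
```

    Run `update_files(compare(IM_ITEMS, IP_ITEMS))` to get the 21 update sets; on the sample data it yields one add, one change and one remove for Permissions and one add for Permission key-value pairs.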



  • 2.  Re: Managing Permissions Data in both IM and IP

    Posted 04-28-2017 12:35 PM

    Thank you for sharing this tip with the community Richard!




  • 3.  Re: Managing Permissions Data in both IM and IP

    Posted 08-01-2018 02:59 AM

    I have been looking for this information. This should be part of the Product Documentation.