Requirement
IM can have many permissions/entitlements defined in it (such as Provisioning Roles or Groups). If ID-Portal (IP) is used, it will probably be used for Access Requests, which means that the requestable permissions in IM must all appear in the IP Entitlements Tree.
In a high-volume environment (50k+ permissions in IM), maintaining this data consistently in both products will be a considerable overhead.
The aim is to define the items once, but have them appear consistently in both tools.
Options
There are two possible approaches:
- Define the items in IM (with extra data as needed to support IP)
- Define the items in a separate area (e.g. a database), holding all data needed for IM and IP (and, optionally, for IG certifications or risk scoring), then:
  - Push this data into IM
  - Push this data into IP
  - (Optionally also use it to enrich IG, or to provide risk scores to IP and IG)
This proposal is to define the items in IM, and push the data into IP.
This Proposal
It is possible to define a transformation process that maps IM Permissions to IP Permissions, so this can be automated for a large-volume environment. The aim of this document is to propose that mapping.
However, the following must be noted:
- IM Permissions that are to be requested through IP Access Requests:
  - Must be defined in a consistent way
  - Need data on them that will be used by IP
- IM Admin Roles that define what can be requested through IP Access Requests:
  - Must be defined in a consistent way
  - Must have member rules and scope rules written in a prescribed way
  - Need data on them that will be used by IP
  - Must contain only IM Tasks that are safe to expose through the IP Access-Request processes
How this may work
The steps in the transformation would be:
- Read the IM Permissions, reformat them, and output a complete set of IP items (result: 7 files, one per IP item type)
- Read the current IP items (result: 7 files)
- Compare the IM-derived and IP items to find adds, removes and changes (7 comparisons)
- Format update files for IP (7 item types x 3 update types: 21 files)
- Import the files into IP in the appropriate sequence
The item types are the 7 IP item types:
- Tasks
- Forms
- Target Permissions
- Target-Permission-Rules
- Applications (Groups)
- Permissions
- Permission key-value pairs
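As a concrete illustration of the compare and format steps above, the following Python is an added example; it is not part of this proposal, the attached mapping documents, or the IM/IP products. It assumes IP items are represented as dicts keyed on a name field, uses the seven item types in the order listed, treats that order as the import dependency order, and runs on constructed sample data.

```python
"""Added example: reconcile IM-derived IP items against current IP items.

Assumptions (not from the proposal): items are dicts keyed on "name";
the seven item types are imported in the order listed below; sample
data is constructed for illustration.
"""
from dataclasses import dataclass

# The seven IP item types from the proposal, in the order it lists them.
# Treating this order as the import dependency order is an assumption.
ITEM_TYPES = [
    "tasks",
    "forms",
    "target_permissions",
    "target_permission_rules",
    "applications",
    "permissions",
    "permission_kv",
]


@dataclass
class Delta:
    adds: list      # in IM-derived set, missing from IP
    removes: list   # in IP, missing from IM-derived set
    changes: list   # in both, but fields differ (IM version wins)


def reconcile(desired, current, key="name"):
    """Compare two lists of item dicts on `key` and classify the differences."""
    d = {item[key]: item for item in desired}
    c = {item[key]: item for item in current}
    adds = [d[k] for k in sorted(d.keys() - c.keys())]
    removes = [c[k] for k in sorted(c.keys() - d.keys())]
    changes = [d[k] for k in sorted(d.keys() & c.keys()) if d[k] != c[k]]
    return Delta(adds, removes, changes)


def reconcile_all(desired_by_type, current_by_type):
    """Run the 7 comparisons; returns {item_type: Delta}."""
    return {
        t: reconcile(desired_by_type.get(t, []), current_by_type.get(t, []))
        for t in ITEM_TYPES
    }


def update_files(deltas):
    """Build the 21 update 'files' (7 types x add/change/remove) as an ordered
    dict of file name -> item list. Adds and changes go in dependency order;
    removes go in reverse order so a dependent item is removed before the
    item it references (an assumption about IP import behaviour)."""
    files = {}
    for t in ITEM_TYPES:
        files[f"{t}.add"] = deltas[t].adds
        files[f"{t}.change"] = deltas[t].changes
    for t in reversed(ITEM_TYPES):
        files[f"{t}.remove"] = deltas[t].removes
    return files


# Constructed sample data: what the IM transformation produced vs. what IP holds.
SAMPLE_DESIRED = {
    "applications": [{"name": "SAP", "description": "SAP ERP"}],
    "permissions": [
        {"name": "Finance_Approver", "application": "SAP", "description": "Approve journals"},
        {"name": "HR_Reader", "application": "SAP", "description": "Read-only HR data"},
    ],
}
SAMPLE_CURRENT = {
    "applications": [{"name": "SAP", "description": "SAP ERP"}],
    "permissions": [
        {"name": "HR_Reader", "application": "SAP", "description": "HR data"},
        {"name": "Obsolete_Role", "application": "SAP", "description": "No longer in IM"},
    ],
}


def run_sample():
    """Reconcile the constructed sample and return (deltas, update files)."""
    deltas = reconcile_all(SAMPLE_DESIRED, SAMPLE_CURRENT)
    return deltas, update_files(deltas)


if __name__ == "__main__":
    deltas, files = run_sample()
    for name, items in files.items():
        if items:
            print(name, [i["name"] for i in items])
```

Because items are matched on name, a permission renamed in IM shows up as a remove plus an add rather than a change, and whatever in IP referred to the old name has to be dealt with separately. That is the practical reason the proposal insists that IM Permissions and Admin Roles be defined in a consistent way before the transformation is automated.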
See attached documents for proposed mapping, detailed mapping and an example.