Symantec IGA

Hello Community Members, 

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model. 

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai

Hi Sai,
The model configuration is reflect to your campaign result.  You can run certification on master instead of model by changing the certification template on  "Select Configuration" field.
Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
------------------------------

Original Message:
Sent: 07-08-2020 09:38 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Hello Community Members,

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model.

• Master -- A file that contains real-world user and user privileges information.
• Model -- A file that starts as a copy of the Master configuration, but is updated to reflect any user privilege or role hierarchy changes

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai

Here is how you can end-up with a Model configuration that is different from the Master:

Updates with Identity Governance through role modeling or the Auto-fix feature of audit finding such as out-of-pattern audit by HR, should always be applied to the Model configuration.

To push updated Identity Governance data to Identity Manager, you perform an export. The export process takes the differences between the Master and Model configurations, creates a DIFF file and sends those changes to Identity Manager. Once CA Identity Manager completes all the changes defined in the DIFF file, it sends a notification back to Identity Governance. At that time, Identity Governance updates the Master to reflect what is in the Model and Continuous Update keeps  Identity Manager and the Identity Governance Master configuration synchronized. 

Certification is typically run against the Model. 

The question now, do you have Identity Governance integrated with Identity Manager, and are you doing any modeling or anything that would cause the Model configuration to be different from the Master?

P.S it is OK to run the certification against the Master but at least make sure you export the configuration from the Universe first.

Thanks!
Original Message:
Sent: 07-08-2020 09:49 AM
From: Yuan-Heng Lin
Subject: Details on Model Configuration - Governance

Hi Sai,
The model configuration is reflect to your campaign result.  You can run certification on master instead of model by changing the certification template on  "Select Configuration" field.
Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio

Original Message:
Sent: 07-08-2020 09:38 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Hello Community Members,

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model.

• Master -- A file that contains real-world user and user privileges information.
• Model -- A file that starts as a copy of the Master configuration, but is updated to reflect any user privilege or role hierarchy changes

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai

Original Message:
Sent: 7/8/2020 10:10:00 AM
From: Iyes Dendeni
Subject: RE: Details on Model Configuration - Governance

Here is how you can end-up with a Model configuration that is different from the Master:

Updates with Identity Governance through role modeling or the Auto-fix feature of audit finding such as out-of-pattern audit by HR, should always be applied to the Model configuration.

To push updated Identity Governance data to Identity Manager, you perform an export. The export process takes the differences between the Master and Model configurations, creates a DIFF file and sends those changes to Identity Manager. Once CA Identity Manager completes all the changes defined in the DIFF file, it sends a notification back to Identity Governance. At that time, Identity Governance updates the Master to reflect what is in the Model and Continuous Update keeps  Identity Manager and the Identity Governance Master configuration synchronized. 

Certification is typically run against the Model. 

The question now, do you have Identity Governance integrated with Identity Manager, and are you doing any modeling or anything that would cause the Model configuration to be different from the Master?

P.S it is OK to run the certification against the Master but at least make sure you export the configuration from the Universe first.

Thanks!
Original Message:
Sent: 07-08-2020 09:49 AM
From: Yuan-Heng Lin
Subject: Details on Model Configuration - Governance

Hi Sai,
The model configuration is reflect to your campaign result.  You can run certification on master instead of model by changing the certification template on  "Select Configuration" field.
Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio

Original Message:
Sent: 07-08-2020 09:38 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Hello Community Members,

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model.

• Master -- A file that contains real-world user and user privileges information.
• Model -- A file that starts as a copy of the Master configuration, but is updated to reflect any user privilege or role hierarchy changes

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai

Once you have IM integrated with IG the synchronization between Master and Model will happen automatically after export.

Since you don't have IM integrated you can always save the Model as Master (manual sync). You will need to change the Master configuration lock to read/write (under review Database). Once the file is saved, then change the lock to read-only.

Original Message:
Sent: 07-08-2020 11:39 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Thank you Iyes and Frank. 

We do not have IDM connector in place yet. All HR and app data is through flat feed. 

Is there any way to configure system so that Model is exactly same as Master when we start the certification ? Idea is not to lose any links before hand. 

Thanks,

Sai

Original Message:
Sent: 7/8/2020 10:10:00 AM
From: Iyes Dendeni
Subject: RE: Details on Model Configuration - Governance

Here is how you can end-up with a Model configuration that is different from the Master:

Updates with Identity Governance through role modeling or the Auto-fix feature of audit finding such as out-of-pattern audit by HR, should always be applied to the Model configuration.

To push updated Identity Governance data to Identity Manager, you perform an export. The export process takes the differences between the Master and Model configurations, creates a DIFF file and sends those changes to Identity Manager. Once CA Identity Manager completes all the changes defined in the DIFF file, it sends a notification back to Identity Governance. At that time, Identity Governance updates the Master to reflect what is in the Model and Continuous Update keeps  Identity Manager and the Identity Governance Master configuration synchronized.

Certification is typically run against the Model.

The question now, do you have Identity Governance integrated with Identity Manager, and are you doing any modeling or anything that would cause the Model configuration to be different from the Master?

P.S it is OK to run the certification against the Master but at least make sure you export the configuration from the Universe first.

Thanks!
Original Message:
Sent: 07-08-2020 09:49 AM
From: Yuan-Heng Lin
Subject: Details on Model Configuration - Governance

Hi Sai,
The model configuration is reflect to your campaign result.  You can run certification on master instead of model by changing the certification template on  "Select Configuration" field.
Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio

Original Message:
Sent: 07-08-2020 09:38 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Hello Community Members,

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model.

• Master -- A file that contains real-world user and user privileges information.
• Model -- A file that starts as a copy of the Master configuration, but is updated to reflect any user privilege or role hierarchy changes

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai

Hi Sai,

If you are through flat CSV feed to get master/model in the first place, then remove model configuration from client tool and rerun the import should get what you are looking for.

Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
------------------------------

Original Message:
Sent: 07-08-2020 11:39 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Thank you Iyes and Frank. 

We do not have IDM connector in place yet. All HR and app data is through flat feed. 

Is there any way to configure system so that Model is exactly same as Master when we start the certification ? Idea is not to lose any links before hand. 

Thanks,

Sai

Original Message:
Sent: 7/8/2020 10:10:00 AM
From: Iyes Dendeni
Subject: RE: Details on Model Configuration - Governance

Here is how you can end-up with a Model configuration that is different from the Master:

Updates with Identity Governance through role modeling or the Auto-fix feature of audit finding such as out-of-pattern audit by HR, should always be applied to the Model configuration.

To push updated Identity Governance data to Identity Manager, you perform an export. The export process takes the differences between the Master and Model configurations, creates a DIFF file and sends those changes to Identity Manager. Once CA Identity Manager completes all the changes defined in the DIFF file, it sends a notification back to Identity Governance. At that time, Identity Governance updates the Master to reflect what is in the Model and Continuous Update keeps  Identity Manager and the Identity Governance Master configuration synchronized.

Certification is typically run against the Model.

The question now, do you have Identity Governance integrated with Identity Manager, and are you doing any modeling or anything that would cause the Model configuration to be different from the Master?

P.S it is OK to run the certification against the Master but at least make sure you export the configuration from the Universe first.

Thanks!
Original Message:
Sent: 07-08-2020 09:49 AM
From: Yuan-Heng Lin
Subject: Details on Model Configuration - Governance

Hi Sai,
The model configuration is reflect to your campaign result.  You can run certification on master instead of model by changing the certification template on  "Select Configuration" field.
Best regards,
Frank

------------------------------
------------------------------
And, as always Perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.
Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio

Original Message:
Sent: 07-08-2020 09:38 AM
From: Sai Kumar Valluri
Subject: Details on Model Configuration - Governance

Hello Community Members,

We have seen Model configuration misses some resource-links once the campaign is launched. However, Master conf has all target endpoint links intact. We see some of the important links to be certified getting missed in Model.

As per documentation below is the only difference b/w master and model.

• Master -- A file that contains real-world user and user privileges information.
• Model -- A file that starts as a copy of the Master configuration, but is updated to reflect any user privilege or role hierarchy changes

Is there any settings within IG to verify what is the evaluation criteria for creating Model configuration ?

Also, is it a good practice to run the certification on Master instead of Model ?

Thanks,
Sai