IBM Security Verify


First steps into Identity Governance with IBM Security Identity Governance and Intelligence (IGI)

By Pier Luigi Rotondo posted Thu October 17, 2019 03:35 PM


IBM Identity Governance and Intelligence (IGI) offers two approaches to role management: role definition and role mining.

In role definition, the IGI administrator defines a new role from existing knowledge of what that role should contain. In role mining, the role engineer uses the Access Optimizer application and the role mining features of IGI to discover candidate roles in existing access data and then define them.

 

The IGI data model distinguishes permissions, IT roles, business roles, and external roles, and uses "entitlement" as the collective term for all four. An entitlement is a structured set of permissions that is assigned to a user to grant access to the resources of an organization. Entitlements are arranged in a hierarchy: a role can contain permissions and other roles.

Permissions are the basic authorization object. A permission is a permitted action on a protected object, for example reading or writing a local file.

IT roles are collections of permissions and other IT roles, all defined within the context of a single system or application. Business roles are structured objects composed of any combination of permissions, IT roles, and other business roles, from the same or from different applications. Admin roles are business roles composed of IGI application permissions; they grant administrative access to the IGI application itself.

External roles are a special case. They are IT roles imported from target applications. 
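To make the hierarchy concrete, here is an added example (illustrative code, not IGI's own classes or API) that models permissions, IT roles and business roles and flattens any entitlement into the atomic permissions it grants. It enforces the two constraints the model implies: an IT role may only contain entitlements of its own application, and the hierarchy must not cycle. The application names, role names and permissions are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """Basic authorization object: a permitted action on a protected object of one application."""
    app: str
    obj: str
    action: str


@dataclass
class ITRole:
    """Permissions and other IT roles, all belonging to a single application."""
    name: str
    app: str
    members: list = field(default_factory=list)


@dataclass
class BusinessRole:
    """Any combination of permissions, IT roles and business roles, from any application."""
    name: str
    members: list = field(default_factory=list)


def effective_permissions(entitlement, _stack=None):
    """Flatten an entitlement into the set of atomic permissions it grants.

    Raises ValueError if an IT role contains something from another application
    or if the hierarchy contains a cycle. Shared sub-roles (diamonds) are fine.
    """
    if _stack is None:
        _stack = set()
    if isinstance(entitlement, Permission):
        return {entitlement}
    key = (type(entitlement).__name__, entitlement.name)
    if key in _stack:
        raise ValueError(f"cycle in entitlement hierarchy at {entitlement.name}")
    _stack.add(key)
    perms = set()
    for member in entitlement.members:
        if isinstance(entitlement, ITRole):
            # IT roles are scoped to one application: no business roles, no foreign apps.
            if isinstance(member, BusinessRole) or member.app != entitlement.app:
                raise ValueError(
                    f"IT role {entitlement.name} ({entitlement.app}) may not contain "
                    f"{getattr(member, 'name', member)}")
        perms |= effective_permissions(member, _stack)
    _stack.discard(key)
    return perms


def is_well_formed(entitlement):
    """True if the entitlement resolves without violating the model's constraints."""
    try:
        effective_permissions(entitlement)
        return True
    except ValueError:
        return False


# Constructed sample hierarchy (not real IGI data).
SAP_READ = Permission("SAP", "invoice", "read")
SAP_APPR = Permission("SAP", "invoice", "approve")
SHARE_READ = Permission("AD", "finance_share", "read")

AP_VIEWER = ITRole("AP Viewer", "SAP", [SAP_READ])
AP_APPROVER = ITRole("AP Approver", "SAP", [AP_VIEWER, SAP_APPR])      # nests another SAP IT role
FIN_STAFF = BusinessRole("Finance Staff", [SHARE_READ])
AP_CLERK = BusinessRole("AP Clerk", [FIN_STAFF, AP_APPROVER, AP_VIEWER])  # spans AD and SAP; AP_VIEWER reached twice

# Deliberately malformed entitlements, to show the checks firing.
BAD_IT_ROLE = ITRole("Bad IT role", "SAP", [SHARE_READ])             # AD permission inside a SAP IT role
LOOP_A = BusinessRole("Loop A")
LOOP_B = BusinessRole("Loop B", [LOOP_A])
LOOP_A.members.append(LOOP_B)                                        # Loop A -> Loop B -> Loop A

if __name__ == "__main__":
    for p in sorted(effective_permissions(AP_CLERK), key=str):
        print(p)
    print("bad IT role well-formed:", is_well_formed(BAD_IT_ROLE))
    print("cyclic role well-formed:", is_well_formed(LOOP_A))
```

Resolving a business role this way is what an access review or a risk check ultimately needs: the atomic permissions a user ends up with, regardless of how many role layers sit in between.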


One of the most useful functions of IGI is role mining. IGI automatically analyses existing assignments and suggests new candidate roles, each of which aggregates a large number of users and a large number of component entitlements.

Access Optimizer is the IGI application used to conduct role mining, either on data already contained in IGI or on data imported from external sources.

IGI performs role mining in three phases:

  • Partitioning: define the subset of data to inspect 
  • Candidate extraction: generate candidate roles for each partition according to defined priorities 
  • Visual role selection: select and refine the generated roles for production use 

Role mining is risk aware. At the end of a mining run you can check whether the candidate roles would violate any risk constraint (such as a segregation-of-duties rule), and promote to production only the roles that introduce no new risk. 
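The following added example walks through the three phases above on constructed data. It is a deliberately simple illustration, not IGI's or Access Optimizer's algorithm: partitioning by organisational unit, candidate extraction from permission sets shared by several users (scored by users times permissions, mirroring the "many users, many entitlements" goal), and a risk check that rejects any candidate containing a toxic permission combination. User names, permission identifiers and the segregation-of-duties constraint are all made up for the example.

```python
from itertools import combinations

# Constructed sample data: user -> (organisational unit, permissions currently assigned).
ASSIGNMENTS = {
    "alice": ("finance", {"sap:invoice:read", "sap:invoice:approve", "ad:finance_share:read"}),
    "bob":   ("finance", {"sap:invoice:read", "sap:invoice:approve", "ad:finance_share:read", "sap:vendor:create"}),
    "carol": ("finance", {"sap:invoice:read", "ad:finance_share:read"}),
    "dave":  ("finance", {"sap:invoice:read", "sap:invoice:approve", "ad:finance_share:read", "sap:vendor:create"}),
    "erin":  ("hr", {"hr:employee:read", "hr:payroll:run"}),
    "frank": ("hr", {"hr:employee:read", "hr:payroll:run", "ad:hr_share:read"}),
}

# Constructed risk constraint: creating vendors and approving invoices must never be granted together.
SOD_CONSTRAINTS = [frozenset({"sap:vendor:create", "sap:invoice:approve"})]


def partition(assignments):
    """Phase 1: group users by organisational unit so each unit is mined separately."""
    units = {}
    for user, (unit, perms) in assignments.items():
        units.setdefault(unit, {})[user] = frozenset(perms)
    return units


def extract_candidates(users, min_users=2, min_perms=2):
    """Phase 2: propose permission sets shared by several users, scored by users x permissions.

    Candidate sets are every user's own set plus every pairwise intersection; a candidate's
    members are the users whose assignments contain the whole set.
    """
    sets = list(users.values())
    pool = set(sets) | {a & b for a, b in combinations(sets, 2)}
    candidates = []
    for perms in pool:
        if len(perms) < min_perms:
            continue
        members = sorted(u for u, p in users.items() if perms <= p)
        if len(members) < min_users:
            continue
        candidates.append({"permissions": perms, "users": members,
                           "score": len(perms) * len(members)})
    candidates.sort(key=lambda c: (-c["score"], sorted(c["permissions"])))
    return candidates


def risk_violations(perms, constraints):
    """Constraints whose toxic combination is fully contained in the candidate role."""
    return [c for c in constraints if c <= perms]


def mine_roles(assignments, constraints, **kwargs):
    """Phase 3, risk-aware selection: only candidates with no violations are promotable."""
    report = {}
    for unit, users in partition(assignments).items():
        promotable, rejected = [], []
        for cand in extract_candidates(users, **kwargs):
            cand["risks"] = risk_violations(cand["permissions"], constraints)
            (rejected if cand["risks"] else promotable).append(cand)
        report[unit] = {"promotable": promotable, "rejected": rejected}
    return report


if __name__ == "__main__":
    for unit, result in mine_roles(ASSIGNMENTS, SOD_CONSTRAINTS).items():
        for status in ("promotable", "rejected"):
            for cand in result[status]:
                print(unit, status, sorted(cand["permissions"]), cand["users"], cand["risks"])
```

On this data the finance partition yields three candidates; the one that bundles `sap:vendor:create` with `sap:invoice:approve` has two members and a high score, but it is rejected because it would bake the toxic combination into a role rather than leaving it as an individually reviewable exception.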

 

For further details on how roles are implemented and used in IGI, watch the video tutorial at https://www.securitylearningacademy.com/course/view.php?id=3406 

You can also experiment with role lifecycle management in IGI by using the online lab available at https://www.securitylearningacademy.com/mod/hvp/view.php?id=15133 


