By Francesco Petrone and Andrea Durastante
What is “Identity Governance and Intelligence”?
Identity Governance and Intelligence, or IGI, is an appliance-based, integrated identity governance solution from IBM. It is built around business-centric rules, activities, and processes, and it lets line-of-business managers, auditors, and risk managers govern access and evaluate regulatory compliance across enterprise applications and services.
Identity Governance and Intelligence offers many functions and services. In particular, it provides:
- A single identity governance foundation platform to help organizations understand, control, and make business decisions that are related to user access and access risks.
- A business-activity-based approach that facilitates the communication between auditors and IT staff and helps determine segregation of duties violations across enterprise applications, including SAP.
- Better visibility and user access control through the consolidation of access entitlements from target applications and the employment of sophisticated algorithms for role mining, modeling, and optimization.
- User lifecycle management, including provisioning and workflow capabilities, along with integration with IBM Security Identity Manager and third-party tools.
- A mobile interface from which users can change the passwords of their accounts and managers can accept, reject, or redirect access requests from other users. The app can be downloaded from the App Store (iOS) or Google Play (Android).
Given the complexity of the subject and the variety of corporate policies, however, not every customer scenario can be covered out of the box. For this reason IGI lets you tailor the product to each customer's specific scenarios and extend its native capabilities by writing rules.
What are IGI rules?
In a nutshell, a rule is a piece of Java code that adds customer-specific business logic to IGI. Rules are highly flexible and can also be scheduled with the IGI Task Planner module; this flexibility is a real added value for customers of IBM Security Identity Governance and Intelligence. An IGI administrator can write rules for many different purposes. Although Java is one of the major programming languages, and although rules can be written directly in the Access Governance Core, writing them there is often difficult because of:
- Little knowledge of the IGI data model
- Little knowledge of the Java libraries involved
- No proper IDE in which to write the code
- No way to debug a rule or verify that it is correct before it runs
- Little developer experience
For all these reasons, a toolkit was developed that eases and simplifies the development and compilation of rules for the IGI administrator.
The Rule Development Toolkit: how you work with it
The Identity Governance and Intelligence Rule Development Toolkit is a project for the Eclipse Java IDE. It is designed to help the IGI administrator develop and troubleshoot Java rules for IGI by recreating the IGI Rule Engine logic locally, so that rules can be developed and troubleshot before they are loaded into the production environment. For the Live Events processing rules (a subset of the rules), the tool processes events in real time, reading its input data from the IGI database. The pre-configured Eclipse project contains all the required libraries and configuration files for compiling rule source code and running the rule engine locally.
Using the tool is very simple! Let's see how. The Rules Development Toolkit is a zip archive located inside the IGI Database Installation Scripts and Tools package. First extract the Database Installation Scripts and Tools archive, then locate the Rules Toolkit zip file inside it, and finally unzip that.
This creates a folder containing your entire Rules Toolkit environment. The project includes one file that you edit to set all the properties: bootstrap.properties. In this file you configure the JDBC connection to your IGI database by setting the hostname, port and database name; you find these values under the "Database server configuration" menu item of the IGI Virtual Appliance console. Because the toolkit reads live events straight from that database and processes them on your workstation, point it at a test or cloned IGI database rather than the production one whenever you can, and keep bootstrap.properties out of any shared repository, since it holds the connection settings for that database.
In the bootstrap.properties file, you can set up a lot of interesting variables. For example:
- IDEAS_HIB_SHOW_SQL: set to true to log the exact SQL queries that IGI executes.
- EVENTS_NUM: how many events, pulled from the IGI environment, each execution processes. The oldest unprocessed events are always run first, so with a value of 1 you step through the events one at a time in First In First Out order.
- REPEAT and SLEEP: control the automatic, repeated execution of unprocessed events and the pause between runs.
- RULES_FLOW_FILTER: restricts execution to one rule type. The possible values are system (live events), advanced, scheduled, auth, attestation, hierarchy, account, and password.
- RE_LOG_LEVEL: the logging level of the local rule engine. The default, INFO, is generally enough to test and troubleshoot rules.
The project essentially contains three main folders:
- The source folder: initially empty, it will contain all the IGI rules downloaded from the IGI environment.
- The config folder: contains the configuration files, for example the aforementioned bootstrap.properties file. It has two further subfolders:
- properties: contains all the IGI configuration files. These files must not be modified.
- templates: contains the Java class templates that the Download functionality uses to build Java classes from the Drools rules.
- The run folder: contains the runnable java classes that implement the toolkit functionalities.
To start the tool and download the rules, run the DownloadRules Java class: it connects to the database and prints informational messages on the Eclipse console as it progresses. If the download succeeds, a success message marks the end of the operation.
The Download functionality creates a class package for each rule flow in IGI. In each package, the tool creates one or more Java classes per rule plus a TestFlow.java class that calls all the active rules in the correct sequence. To make sure that events are processed locally, you must first stop the RuleEngine task in the IGI Task Planner application; otherwise the appliance's own rule engine consumes the same unprocessed events before the toolkit can. With the task stopped, you control how the Rules Toolkit processes live events, but remember that the appliance processes no live events at all until you start the task again.
The tool is ready for use. You are invited to watch the attached video that explains in detail how to download and start the tool in a simple way.
There is also a public Git repository of IGI rules. Follow the link below to find many ready-to-use rules for the most common scenarios.
The tool is updated constantly. The next version will overcome the main limitation of the current one: uploading rules. It will be possible to upload changes directly from the Eclipse IDE, to manage and change the execution order of the rules (flow rule management), and to select a specific event by its id.
The Identity Governance and Intelligence Rule Development Toolkit simplifies your life: it is the best way to write a perfect rule for your governance scenario. Enjoy it!
Video toolkit: https://www.securitylearningacademy.com/enrol/index.php?id=3395
Repository rules: https://github.com/IBM-Security/igi-rules