Unstructured Target Aggregation Basics

  • 7011209
  • 12-Sep-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

The following steps detail the Access Governance Suite feature to aggregate "unstructured" targets on an application. The feature requires the IQService executable running on a server (preferably a domain server) with access to the (directory or share) targets.

1) configure Target Aggregation on an AD Application

The "objectSid" attribute must appear in both account and group schemas, with "Correlation Key" enabled, for the target aggregation to correlate properly.

Active Directory applications display the "Unstructured Targets" tab.  This tab configures the targets to process for links to accounts and groups.

The first part holds the settings required for connection to Access Governance Suiteservice:
a) IQService Host
b) IQService Port
c) Number of targets per block : blocksize in targets (files)

The second part defines the targets. Each target requires the following:
a) Path : UNC Style path to a share or local directory
b) WildCard : Which files within the share or directory to include
c) Directory Depth: How far deep the collector should traverse
d) Administrator: Admin with has access to this share  This value could be the users principal name, user@xyz.com, or the fully qualified domain user, name domain\\user format.
e) Password: credentials to Admininstrator value

note: running IQService as System or any user with access makes the Administrator/Password fields optional.

The last part specifies the rules to correlate and to transform the targets.

a) Correlation Rule: runs on each target's users/groups
                     to correlate to an Access Governance Suite identity or account group

The Windows implementation correlates based on "objectSid" attr. This rule runs with the following args:

target : target returned, containing native account/group ids with normalized rights
application : application where the targetsource is defined
targetSource : configuration data
context : NetIQContext for object lookups
isGroup : true if id is a group id otherwise its an account id
nativeId : native id of a group or account

b) Creation Rule: runs before storing the target info

This rule can massage the target, modifies the target directly, returns nothing, and runs with the following args:

target : target returned, containing native account/group ids with normalized rights
application : application where the targetsource is defined
targetSource : configuration data
context : NetIQContext for object lookups

2) cfg/run "Account Aggregation" task
3) cfg/run "Account Group Aggregation" task

This provides accounts/groups that the targets' access lists to correlate to.

4) cfg/run "Target Aggregation" task on the application

This task scans the shares, returns any files/directories, and correlates them to identities and account groups.

note: the "iiq console" tool offers a cmd to test target aggregation,
      "connectorDebug <App> iterate unstructured", similar to "account" and "group"

5) Run Identity Refresh w/"Refresh assigned and detected roles" enabled

This promotes "targetPermissions" settings to the entitlement tab.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.