Unstructured Target Aggregation Basics

  • 7011209
  • 12-Sep-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

The following steps describe the Access Governance Suite feature that aggregates "unstructured" targets (files and directories) on an application. The feature requires the IQService executable to be running on a server (preferably a domain server) that has access to the directory or share targets.

1) Configure Target Aggregation on an AD Application

The "objectSid" attribute must appear in both account and group schemas, with "Correlation Key" enabled, for the target aggregation to correlate properly.

Active Directory applications display the "Unstructured Targets" tab. This tab configures the targets to scan for links to accounts and groups.

The first part holds the settings required to connect to the IQService:
a) IQService Host
b) IQService Port
c) Number of targets per block: block size in targets (files)

The second part defines the targets. Each target requires the following:
a) Path: UNC style path to a share or local directory
b) WildCard: which files within the share or directory to include
c) Directory Depth: how deep the collector should traverse
d) Administrator: an admin account that has access to this share. This value can be the user principal name (user@xyz.com) or the fully qualified domain user name in domain\\user format.
e) Password: credentials for the Administrator value

note: running IQService as System or any user with access makes the Administrator/Password fields optional.

The last part specifies the rules to correlate and to transform the targets.

a) Correlation Rule: runs on each target's users/groups
                     to correlate to an Access Governance Suite identity or account group

The Windows implementation correlates based on the "objectSid" attribute. This rule runs with the following arguments:

target : target returned, containing native account/group ids with normalized rights
application : application where the targetsource is defined
targetSource : configuration data
context : NetIQContext for object lookups
isGroup : true if the id is a group id, otherwise it is an account id
nativeId : native id of a group or account
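As an added illustration (not code from the NetIQ product or from this article), the correlation step in plain Python: each access list entry on a target carries an objectSid, which is resolved against the accounts and groups aggregated in steps 2 and 3 using objectSid as the correlation key, and any SID that matches neither is reported rather than silently dropped. The binary-to-text SID normalization and all sample data are assumptions; the product's own rule runs as BeanShell against its API, which is not reproduced here.

```python
import struct

def sid_to_string(sid):
    """Normalize an objectSid to the S-1-... text form so both sides of the
    correlation use the same key. Accepts the AD binary layout (revision,
    sub-authority count, 6-byte big-endian identifier authority, N little-endian
    32-bit sub-authorities) or an already-textual SID (returned upper-cased)."""
    if isinstance(sid, str):
        return sid.upper()
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def correlate_target(target, account_sids, group_sids):
    """Resolve each entry of a target's access list to an aggregated account or
    account group by objectSid. Entries whose SID matches neither are returned
    separately: an unresolved SID usually means a deleted principal that still
    holds rights on the share, which deserves review rather than silent loss."""
    resolved, unresolved = [], []
    for ace in target["aces"]:
        sid = sid_to_string(ace["nativeId"])
        if ace["isGroup"]:
            kind, hit = "group", group_sids.get(sid)
        else:
            kind, hit = "account", account_sids.get(sid)
        if hit is None:
            unresolved.append({"path": target["path"], "sid": sid, "rights": ace["rights"]})
        else:
            resolved.append({"path": target["path"], kind: hit, "rights": ace["rights"]})
    return resolved, unresolved

# Constructed sample data (assumed): accounts and groups keyed by normalized objectSid,
# as the Account and Account Group aggregations would have produced.
ACCOUNTS = {"S-1-5-21-1111-2222-3333-1105": "jdoe"}
GROUPS = {"S-1-5-21-1111-2222-3333-512": "Domain Admins", "S-1-5-32-544": "Administrators"}
SAMPLE_TARGET = {
    "path": r"\\fileserver\finance\budget.xlsx",
    "aces": [
        {"nativeId": "S-1-5-21-1111-2222-3333-1105", "isGroup": False, "rights": "Read"},
        # BUILTIN\Administrators (S-1-5-32-544) in its binary form
        {"nativeId": bytes.fromhex("01020000000000052000000020020000"), "isGroup": True, "rights": "FullControl"},
        # SID of a principal that no longer exists in the directory
        {"nativeId": "S-1-5-21-1111-2222-3333-9999", "isGroup": False, "rights": "Modify"},
    ],
}

if __name__ == "__main__":
    ok, orphans = correlate_target(SAMPLE_TARGET, ACCOUNTS, GROUPS)
    for entry in ok:
        print("correlated", entry)
    for entry in orphans:
        print("UNRESOLVED", entry)
```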

b) Creation Rule: runs before storing the target info

This rule can massage the target: it modifies the target directly, returns nothing, and runs with the following arguments:

target : target returned, containing native account/group ids with normalized rights
application : application where the targetsource is defined
targetSource : configuration data
context : NetIQContext for object lookups

2) Configure and run the "Account Aggregation" task
3) Configure and run the "Account Group Aggregation" task

These tasks provide the accounts and groups that the targets' access lists are correlated to.

4) Configure and run the "Target Aggregation" task on the application

This task scans the shares, returns any files/directories, and correlates them to identities and account groups.

note: the "iiq console" tool offers a command to test target aggregation, "connectorDebug <App> iterate unstructured", similar to "account" and "group"

5) Run an Identity Refresh with "Refresh assigned and detected roles" enabled

This promotes "targetPermissions" settings to the entitlement tab.