

Typical Processes

The following are the main processes when working with CA Identity Governance:

Import

In a typical implementation, the Role Engineer first imports current access data from the security administration server. Source documents typically include a users database file, a resources database file, a roles file (if one exists), and possibly one or more files describing the relationships between entities (users, resources, roles). Using a direct communications link to the production server, CA Identity Governance can import data from many formats, including CSV, SQL, and RACF. CA Identity Governance then creates its own “configuration” document, which contains the known user, role, and resource information.

Role Discovery

The role discovery process uncovers roles that were not explicitly defined in the source data and refines existing roles. CA Identity Governance's role discovery tools search for and propose basic roles, obvious roles, and roles that are almost perfect matches of other roles, and they identify role hierarchy. These options contain sub-menus for fine-tuning the discovery algorithm to the specific configuration that is being analyzed. Running these options produces CA Identity Governance's proposals for role definitions. Each proposed role is then examined individually to determine whether it is appropriate and valid for the organization.
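
The following is an added illustration of the kind of analysis described above, not CA Identity Governance's own algorithm or code: it proposes candidate roles from users with identical access, flags near-matching roles, derives a hierarchy, and lists users that no candidate role explains. The function names, the 0.6 similarity threshold, and the sample data are assumptions made for this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample import: user -> resources held (not from a real system).
USER_RESOURCES = {
    "alice": {"gl_read", "gl_post", "ap_read"},
    "bob": {"gl_read", "gl_post", "ap_read"},
    "carol": {"gl_read", "ap_read"},
    "dave": {"gl_read", "ap_read"},
    "erin": {"gl_read", "gl_post", "ap_read", "ap_pay"},
    "frank": {"hr_read"},
}

def propose_roles(user_resources, min_users=2):
    """Candidate role = a resource set held identically by >= min_users users."""
    groups = defaultdict(set)
    for user, resources in user_resources.items():
        groups[frozenset(resources)].add(user)
    return {res: users for res, users in groups.items() if len(users) >= min_users}

def near_matches(roles, threshold=0.6):
    """Role pairs with Jaccard overlap >= threshold that are not identical."""
    pairs = []
    for a, b in combinations(roles, 2):
        score = len(a & b) / len(a | b)
        if threshold <= score < 1.0:
            pairs.append((a, b, round(score, 2)))
    return pairs

def hierarchy(roles):
    """(parent, child) pairs: the child's resources strictly contain the parent's."""
    return [(p, c) for p in roles for c in roles if p < c]

def unmatched_users(user_resources, roles):
    """Users whose exact access matches no candidate role; review these by hand."""
    return sorted(u for u, r in user_resources.items() if frozenset(r) not in roles)

if __name__ == "__main__":
    roles = propose_roles(USER_RESOURCES)
    for res, users in roles.items():
        print(sorted(users), "->", sorted(res))
    print("near matches:", near_matches(roles))
    print("hierarchy:", hierarchy(roles))
    print("unmatched:", unmatched_users(USER_RESOURCES, roles))
```

Users left unmatched, such as a single account holding one extra privilege beyond a common role, are the records a reviewer would want to examine before accepting the proposed roles.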

Audit

CA Identity Governance's basic auditing tools apply its internal logic and built-in algorithms to an existing configuration to analyze and identify many types of non-conformities or suspicions related to users, roles, and resources. The Role Engineer can apply individual tools to analyze a configuration or can run a comprehensive audit. The output of an audit is the AuditCard, which contains a list of all suspicious records and the type of suspicion involved (currently about 50 different types). The AuditCard also contains a built-in mechanism for tracking progress until resolution is achieved.

CA Identity Governance Policy Compliance

The CA Identity Governance Policy Compliance module is an additional audit tool that enables formulating a unique set of Business Process Rules (BPR) that represent various constraints on privileges. These rules are formulated independently of a specific CA Identity Governance configuration and can then be applied to different configurations.

Export

Before a processed CA Identity Governance configuration is uploaded to the organization's production server, the differences between the original source data and the processed configuration are examined using a built-in CA Identity Governance option. After the differences are verified and any necessary changes are made, the configuration data is exported directly from the CA Identity Governance interface to the production computer's format. The export eliminates cross-platform conversion problems.