Chat now with support
Chat mit Support

Identity Manager 8.2.1 - Attestation Administration Guide

Attestation and recertification
One Identity Manager users for attestation Attestation base data Attestation policies Sample attestation Custom mail templates for notifications Suspending attestation
Approval processes for attestation cases
Approval policies for attestations Approval workflow for attestations Selecting attestors Setting up multi-factor authentication for attestation Prevent attestation by employee awaiting attestation Attestation by peer group analysis Managing attestation cases
Attestation sequence Default attestation and withdrawal of entitlements User attestation and recertification Mitigating controls Setting up attestation in a separate database Configuration parameters for attestation

Setting up attestation in a separate database

Scheduled attestations are often processes that generate a high load. It is possible to outsource such processes to a separate database and thus relieve the central database. To synchronize both databases, set up system synchronization using the One Identity Manager connector. You can optimize use of One Identity Manager functionality by synchronizing with a central database, containing all the data, on a regular basis.

All data required for attestation are transferred from the central database to a work database. The attestation is set up and carried out in the work database. The results of the attestation are transferred to the central database. Subsequent processes, such as the withdrawing entitlements after attestation is denied or risk index calculations, are carried out in the central database.

Detailed information about this topic

Requirements for the central database

The prerequisites and guidance for connecting a One Identity Manager database apply, as described in the One Identity Manager User Guide for the One Identity Manager Connector.

Prerequisites
  • The central database has at least version 8.2.

  • The System Synchronization Service Module (ISM) is installed in the central database.

    • Disable the ISM | PrimaryDB | AppServer configuration parameter. The central database connection parameters are configured in the work database.

  • Even if the work and central database have the same product version, it is recommended you connect the central database through an application server and enable the required plugins. This is the only way to use the function that automatically revokes entitlements if attestation is denied.

The Attestation Module can be present in the central database, but it does not have to be. Regardless of this, attestation configuration, such as attestation policies or approval workflows, and the attestation cases themselves, are not synchronized with the central database. Only the attestations results are transferred to enable the evaluation and further processing of the results in the central database.

Related topics

Setting up work databases

Ensure that the minimum system requirements for installing the work database are met. For more information, see the One Identity Manager Installation Guide.

To set up the work database

  1. Install a work database with at least version 8.2.

    • Install the same modules as in the central database, including the System Synchronization Service Module.

    • In addition, install the Attestation Module (ATT).

  2. Set up a Job server to handle SQL processes for the work database.

  3. To be able to use the Web Portal for attestations

    1. Install an application server

    2. Install an API Server.

    For more information, see the One Identity Manager Installation Guide.

  4. In the work database, set the following configuration parameters and specify the credentials to connect to the central database's application server.

    Use the same settings that are used when setting up synchronization between the central and working databases.

    • ISM | PrimaryDB | AppServer | AuthenticationString:

      Authentication data for establishing a connection using the REST API of the central database's application server.

      Syntax: Module=<authentication module>;<property1>=<value1>;<property2>=<value2>,…

      All authentication modules provided by the application server being addressed are allowed. For more information about authentication modules, see the One Identity Manager Authorization and Authentication Guide.

      Recommended values are:

      • Module=DialogUser;User=<user name>;Password=<password>

      • Module=DialogUserAccountBased

      • Module=Token

        For authentication using an OAuth 2.0 access token, additionally specify ClientId, ClientSecret, and TokenEndpoint in the ConnectionString configuration parameter. For more information about OAuth 2.0/OpenID Connect authentication, see the One Identity Manager Authorization and Authentication Guide.

    • ISM | PrimaryDB | AppServer | ConnectionString:

      Connection parameters for establishing a connection using the REST API of the central database's application server.

      Syntax: Url=<application server URL>

      If Module=Token is set in the AuthenticationString configuration parameter, the following parameter are required in addition:

      • ClientId: Client ID for authentication at the token endpoint.

      • ClientSecret: Secret value for authentication at the token endpoint.

      • TokenEndpoint: URL of the token endpoint.

      Syntax: url=<application server URL>[;ClientId=<client ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>]

Related topics

Setting up synchronization between central and work databases

Synchronization between the work and central databases is handled by the One Identity Manager connector. You can set up synchronization through individual configuration, configuring it completely manually. To ensure that all data required for attestation are transferred to the work database and the attestation results are returned, set up the system synchronization. The One Identity Manager supports you with the scripts provided.

System synchronization allows you to map selected application data from the central database to the work database. The synchronization configuration is generated completely automatically based on selected criteria. The synchronization project is set up on the work database.

To set up the system synchronization, proceed as described in the One Identity Manager User Guide for the One Identity Manager Connector.

To set up the system synchronization

  1. Provide One Identity Manager users with the necessary permissions to set up synchronization.

  2. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  3. Determine which application data to attest.

    1. In Designer, mark the tables and columns required for this purpose. You can use the scripts provided for this purpose.

      NOTE: The scripts select all tables and columns that contain application data to attest. If only a limited section of this application data requires attesting, you can also mark the required tables and columns manually.

    2. Check the automatically selected tables and columns. You can modify this selection to suit your requirements.

  4. Generate a synchronization project with the Synchronization Editor.

    When selecting the database system, use the same settings that are specified in the configuration parameters under ISM | PrimaryDB | AppServer.

  1. Start the initial synchronization.

To automatically mark the tables and columns

Run the following scripts on the given database using a suitable program for SQL queries. The scripts are located on the installation media in the ATT\dvd\AddOn\SDK\SystemSyncPreConfig directory.

  1. On the work database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.

    The script makes some general settings.

  2. On the central database, run the AttestationInAnotherOneIMDB_Part1_GeneralConfig.sql script.

  3. On the work database, run the AttestationInAnotherOneIMDB_Part2_TableConfig.sql script.

    The script selects all the necessary tables and sets the values required in the table properties.

  4. On the work database, run the AttestationInAnotherOneIMDB_Part3_ColumnConfig.sql script.

    The script selects all required columns and sets the mapping direction.

  5. Check the selected tables and columns as well as the set properties and adjust if necessary.

NOTE:

  • If you change the tables or columns to be synchronized after the synchronization project has been generated, the synchronization project will be updated automatically.

  • Only the connection credentials for the connected systems may be changed manually in a generated synchronization project.

Related topics
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen