Inconsistency during Access Review

We are using Identity Governance with a collector called "Acessos do IDM" which gathers permissions directly from IDM. However, we are facing an inconsistency in the behavior of permissions related to user profiles.

In the permissions menu, we observe that some profiles are correctly associated with the application "Acessos do IDM" as expected. However, for other profiles, the related application is displayed with the name of the synchronization driver in IDM.

For example, profiles from the SAP_BV system should be associated with the "Acessos do IDM" application, but they are being displayed as belonging to the "SAP USER ECC" application, which is the name of the synchronization driver for this system. On the other hand, profiles from the SAP_GRC system are correctly associated with the "Acessos do IDM" application.

This segregation is causing an issue when we open reviews for the "Acessos do IDM" application, as some permissions are not automatically included in the review, forcing us to manually select the corresponding drivers in the applications.

We would like to understand the reason for this segregation and how we can ensure that all collected permissions are associated with the "Acessos do IDM" application, without depending on individual driver names, so that the reviews are comprehensive and do not require manual application selection.

  • Verified Answer

    Hello,

    1) This is working as designed and expected.

    a) An IDM Driver (for example, SAP or AD) will be treated as a child Application of IDM. You can see this within Governance in the following ways:
    a.1) Catalog -> Applications page, where there will be circles next to the names (a dark circle with a small light circle will be IDM, and the reverse will be the associated/collected "Application").
    a.2) Go to the Data Sources -> Application page and look at your IDM AE collector. It will have the text "Collects %number% application(s)". If you click on the link, it will show the name of the IDM Driver(s).
    a.3) If you select the IDM AE Application from the above page, at the top you will see a section labeled "Collected Driver Applications", which will list the IDM Driver(s).

    2) Any Resource that has an Entitlement from another IDM Driver will be associated to that Driver/Application, as outlined above.

    3) If a User is assigned the above Resource, then their Account will be associated to that Driver/Application.
    In other Applications Sources (like AD) one can set this up utilizing "multi-application collection". With the IDM AE Application Source, it is done by default.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • Reply

    Hello Steve,

    Thank you for the response. I have some questions:

    1. Is there a way, during the access review process, to select all applications that have that parent application automatically? This would help streamline the review process and avoid having to manually select each associated driver application.

    2. Additionally, we've noticed that some permissions linked to entitlements still appear under "Acessos do IDM." Could you clarify why this happens and if there's a way to ensure that these permissions are correctly linked to the respective driver/application?

    Looking forward to your feedback.

  • Reply

    I think you could edit the application record for each of those IDM apps and add a value to one of the attributes to flag it as related to IDM. Then, in the review, use that attribute as the criteria to select review items. I haven't done that before, but that's what I would try first.

    --Jim