File Access Manager Classification Process

Bringing classification data from File Access Manager into IdentityIQ, and including classifications in your lifecycle and data governance practices, is a multi-step process. An overview of these processes is provided here.

This section assumes you have already completed the configuration in File Access Manager to classify resources and identify which groups have access to those resources. It also assumes that you have applications configured in IdentityIQ for aggregating group and account data.

When you work with classifications that originate in File Access Manager, the assumption is that both the IdentityIQ instance and the File Access Manager instance use the same group data. If this is not the case, you may need to configure rule-based logic to correlate your File Access Manager accounts and groups with your IdentityIQ accounts and groups. You can specify a custom correlation rule for this aggregation in Global Settings > File Access Manager Configuration, in the SCIM Correlation Rule field.

At a high level, these are the steps for aggregating and managing classifications from File Access Manager.

  1. Configure the IdentityIQ application(s) that aggregate group data. As part of this configuration, you must specify a correlation key in each application's group schema, to correlate groups in IdentityIQ to groups in File Access Manager.
    For Active Directory applications, the group schema attribute to set as the correlation key is MsDs-PrincipalName.

  2. In the File Access Manager Configuration (under the gear menu > Global Settings), add each of the applications that aggregate group data to the SCIM Correlation Application field.

IdentityIQ uses tasks to aggregate accounts, groups, and File Access Manager classification data. If you do not already have tasks set up to aggregate accounts and groups, you will need to set these tasks up as part of implementing this feature. You must also create and configure a File Access Manager Classification task. For more detail about setting up tasks see Tasks Overview.

These tasks should be run on a recurring basis, to keep your classification data in IdentityIQ current.

  1. Run a task to aggregate groups. Typically these will be Active Directory groups.

  2. Run a File Access Manager Classification task. Full details about configuring the options for this task is in File Access Manager Classification

  3. Optional: Run an Effective Access Indexing task. You only need to run this task if you are tracking classification data for effective access items. These options are important for managing classifications on effective access items:

Index classifications

Use this option to add an entitlement's classifications to the target association that is created when the entitlement target is indexed; in the UI, this means that an entitlement's classifications will be displayed whenever that entitlement occurs as Effective Access. For example, if an IT role contains EntitlementA, and EntitlementA has a classification, the indexing option will make EntitlementA's classification also appear on that role.

Promote classifications

Promote is used with applications such as Active Directory that can have "nested" entitlements, to ensure that classifications are adorned to all entitlements along the effective access chain. For example, if EntitlementA grants you effective access to EntitlementB, and EntitlementB has a classification assigned to it, then with the Promote Classifications option enabled, the classification assigned to EntitlementB will also be displayed in the UI for EntitlementA.