Integrating with File Access Manager for Classifications
For integration with File Access Manager's classification feature, the initial installation and configuration involves two steps:
- Import the init-fam.xml file into IdentityIQ, using the iiq console or the gear menu > Global Settings > Import From File feature.
- Click gear menu > Global Settings > File Access Manager Configuration and complete the following fields:
| Field Name | Description |
|---|---|
| File Access Manager Hostname | The hostname of the File Access Manager website. For example, https://webclient.mydomain.com |
| Basic/OAuth | Choose your method of authenticating with the File Access Manager website. Basic uses a username and password. OAuth uses a client ID and client secret. Basic authentication can be used for identities that are configured in the File Access Manager Administrative Client as having the API User privilege. OAuth credentials can be retrieved from the File Access Manager website, through the Settings > General > API Authorization menu. |
| Username | For Basic authentication: the username for logging in to the File Access Manager web client. This identity must have the API User privilege in File Access Manager. |
| Password | For Basic authentication: the password for logging in to the File Access Manager web client. |
| Client ID | For OAuth authentication: the Client ID for logging in to the File Access Manager website. This value is stored in the File Access Manager website in Settings > General > API Authorization. |
| Client Secret | For OAuth authentication: the Client Secret for logging in to the File Access Manager website. This value can be copied from the File Access Manager website in Settings > General > API Authorization. |
| SCIM Correlation Rule | If the correlation logic in your configured applications does not meet your needs for correlating File Access Manager groups and accounts against IdentityIQ groups, you can use a custom rule to manage correlation. The rule must have a rule type of Correlation in order to appear in this dropdown. |
| SCIM Correlation Applications | Select the applications to correlate File Access Manager groups and accounts against. Typically these will be Active Directory applications. |
If you are implementing classifications that come from a source other than File Access Manager, you do not need to take any special steps to configure the feature. You can import your classification objects directly into IdentityIQ and manage classifications as described in the sections above.
File Access Manager Classification Process
Bringing classification data from File Access Manager into IdentityIQ, and including classifications in your lifecycle and data governance practices, is a multi-step process. An overview of these processes is provided here.
This section assumes you have already completed the configuration in File Access Manager to classify resources and identify which groups have access to those resources. It also assumes that you have applications configured in IdentityIQ for aggregating group and account data.
When you work with classifications that originate in File Access Manager, the assumption is that both the IdentityIQ instance and the File Access Manager instance use the same group data. If this is not the case, you may need to configure rule-based logic to correlate your File Access Manager accounts and groups with your IdentityIQ accounts and groups. You can specify a custom correlation rule for this aggregation in Global Settings > File Access Manager Configuration, in the SCIM Correlation Rule field.
At a high level, these are the steps for aggregating and managing classifications from File Access Manager.
Application Configuration
- Configure the IdentityIQ application(s) that aggregate group data. As part of this configuration, you must specify a correlation key in each application's group schema, to correlate groups in IdentityIQ to groups in File Access Manager. For Active Directory applications, the group schema attribute to set as the correlation key is MsDs-PrincipalName.
- In the File Access Manager Configuration (under the gear menu > Global Settings), add each of the applications that aggregate group data to the SCIM Correlation Application field.
Run Tasks to Aggregate and Process Classification Data
IdentityIQ uses tasks to aggregate accounts, groups, and File Access Manager classification data. If you do not already have tasks set up to aggregate accounts and groups, you will need to set these tasks up as part of implementing this feature. You must also create and configure a File Access Manager Classification task. For more detail about setting up tasks, see Tasks Overview.
These tasks should be run on a recurring basis, to keep your classification data in IdentityIQ current.
- Run a task to aggregate groups. Typically these will be Active Directory groups.
- Run a File Access Manager Classification task. Full details about configuring the options for this task are in File Access Manager Classification.
- Optional: Run an Effective Access Indexing task. You only need to run this task if you are tracking classification data for effective access items. These options are important for managing classifications on effective access items:
  - Index classifications: Use this option to add an entitlement's classifications to the target association that is created when the entitlement target is indexed; in the UI, this means that an entitlement's classifications will be displayed whenever that entitlement occurs as Effective Access. For example, if an IT role contains EntitlementA, and EntitlementA has a classification, the indexing option will make EntitlementA's classification also appear on that role.
  - Promote classifications: Promote is used with applications such as Active Directory that can have "nested" entitlements, to ensure that classifications are attached to all entitlements along the effective access chain. For example, if EntitlementA grants you effective access to EntitlementB, and EntitlementB has a classification assigned to it, then with the Promote Classifications option enabled, the classification assigned to EntitlementB will also be displayed in the UI for EntitlementA.
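The following is an added example, not SailPoint code, that models how the Index and Promote options change which classifications a reviewer sees on an entitlement or role. Entitlement, role and classification names are constructed; nesting is treated as a directed graph and the walk is cycle-safe because Active Directory group nesting can loop.

```python
"""Model of the Effective Access Indexing options (constructed example).

Index classifications: a role shows the classifications of the entitlements
it contains. Promote classifications: an entitlement also shows the
classifications of every entitlement reachable through its nesting chain.
"""

# Constructed sample data (hypothetical names).
# Direct classifications, as a File Access Manager Classification task
# would attach them to individual entitlements.
DIRECT = {
    "EntitlementA": {"Confidential"},
    "EntitlementB": {"PII"},
    "EntitlementC": {"PCI"},
}
# Nesting: granting entitlement -> entitlements it gives effective access to.
NESTED = {"EntitlementA": ["EntitlementB"], "EntitlementB": ["EntitlementC"]}
# Roles -> entitlements they contain.
ROLES = {"IT Role": ["EntitlementA"]}


def effective_classifications(ent, direct, nested, promote):
    """Classifications displayed for one entitlement.

    Without promote: only the entitlement's own direct classifications.
    With promote: the union over the whole effective-access chain, visited
    breadth-first with a seen-set so nested loops cannot recurse forever.
    """
    if not promote:
        return set(direct.get(ent, ()))
    seen, queue, result = {ent}, [ent], set()
    while queue:
        current = queue.pop(0)
        result |= set(direct.get(current, ()))
        for child in nested.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return result


def role_classifications(role, roles, direct, nested, index, promote):
    """Classifications displayed on a role.

    Nothing is shown unless Index classifications is enabled; with it on,
    the role inherits the (optionally promoted) classifications of each
    entitlement it contains.
    """
    if not index:
        return set()
    shown = set()
    for ent in roles.get(role, ()):
        shown |= effective_classifications(ent, direct, nested, promote)
    return shown
```

Comparing the result for "IT Role" with index on and promote off against index on and promote on shows why a report of "who can reach PCI data" is incomplete without the Promote option when groups are nested.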