Working with Classifications in IdentityIQ

Classifications in IdentityIQ are managed as attributes on entitlements; if you are integrating with File Access Manager, these entitlements will most typically be group entitlements. For example, a Human Resources group is aggregated into IdentityIQ as a group entitlement; if this group is categorized in File Access Manager (or some other source) as having access to sensitive information, an attribute that flags the Human Resources group entitlement as having this access is added to the group entitlement. Once you have defined classifications in IdentityIQ, you can apply classification attributes to any entitlement, not just group entitlements.

Entitlements are managed in IdentityIQ, using IdentityIQ's range of compliance and lifecycle management features, such as access requests, certifications and access reviews, policies, and reporting.

You can view and manage classifications in these areas of IdentityIQ:

A global setting in Lifecycle Manager determines whether classification data is shown with the access items (such as roles or entitlements) that you can request for users in the Manage Access feature. This global setting is provided so that you can choose whether or not to alert requesters to the fact that certain roles or entitlements may allow access to sensitive or protected data.

To enable the display of classifications in Access Requests:

  1. Click the gear menu > Lifecycle Manager.

  2. On the Configure tab, scroll to the Manage Classifications Options section.

  3. Check the Display classifications in Access Request box.

  4. Save your change.

If this setting is enabled in Lifecycle Manager, roles and entitlements are flagged with relevant classification information in the Access Requests pages. You can click the Details button for flagged roles and entitlements, to see more information about the classifications.

Classification data also appears in the Approvals page for access requests. Classification flags always appear in the Approvals page, regardless of the setting in the Lifecycle Manager's Manage Classifications Options section, since reviewers will always need to know when granting access will allow access to sensitive or protected data.

For File Access Manager integrations, classifications can be added to entitlements by running a task. This process is described in more detail in Integrating with File Access Manager for Classifications.

For classifications that come from a source other than File Access Manager, classifications can be added manually to roles and entitlements.

  1. Click Setup > Roles.

  2. To add classifications to existing roles, find the role you want to edit in the Role Viewer, then click Edit Role; for new roles, click New Role > Role.

  3. In the Role Editor, select the classifications you want to add from the drop-down list.

  4. Save your changes.

You can also include classifications as criteria in “Match List” Assignment Rules for the role. Assignment Rules are used to automatically assign roles to identities during a correlation process.

In the Role Search tab you can include classifications as search criteria.

  1. Click Applications > Entitlement Catalog.

  2. To add classifications to existing entitlements, use the Filter field or Advanced Search to find the entitlement you want to edit; for new entitlements, click Add New Entitlement.

  3. On the Classifications tab, select the classifications you want to assign from the drop-down list, then click Add to assign the classification.

  4. Save your changes.

In the Advanced Search feature of the Entitlement Catalog, you can include classifications as search criteria.

When scheduling a certification campaign, you can opt to show classification data in the campaign's access reviews. Classifications can be shown in Manager, Application Owner, Advanced, Role Membership, and Targeted certifications. You can also use classifications as a criterion for what to certify, in Targeted certifications.

You can set a global default to show classifications for all your certification campaigns, and modify the default setting in any individual certifications you schedule.

To set the global default for showing classifications in your certification campaigns:

  1. Click the gear menu > Compliance Manager.

  2. In the Behavior section, use the Show Classifications checkbox to enable or disable showing classifications by default.

In Advanced policies, you can use classifications as criteria for your policy rules.

To add classifications to an Advanced policy rule:

  1. Click Setup > Policies.

  2. To add classifications to an existing policy, use the Filter field or Advanced Search to find the policy you want to edit; for new policies, click New Policy > Advanced Policy.

  3. Click Create New Rule, or double-click an existing rule you want to edit. Classifications can be used as rule criteria in Match List, Rule, Script and Filter rules.
    Rules and scripts are written in BeanShell, and Filters are an XML specification.

  4. For Match List rules:

    1. Under Selection Method, choose Match List.

    2. Click Add Role Attribute or Add Entitlement Attribute.

    3. In the Name field choose Classification.

    4. Choose an operator: Equals, Not Equals, or Is Null.

    5. In Value, type the name of the classification to use. (To find the name of a classification, you can use the Debug pages to open the classification object and find the name value.)

  5. When you have added all the classification criteria you want to use, you can run a simulation of the rule, or click Done to save your changes and exit.

In the Advanced Analytics page, you can search for roles and entitlements using classifications as search criteria.

  1. Click Intelligence > Advanced Analytics.

  2. Choose Role or Entitlement as the Search Type.

  3. Choose a classification to search on, from the drop-down.

  4. If you want to see classification details in your search results, select Classifications in the Fields to Display panel.

  5. Click Run Search.

To see which entitlements a user has that are flagged with classifications, in the Identity Warehouse:

  1. Click Identities > Identity Warehouse.

  2. Select an identity.

  3. Click the Entitlements tab. Any entitlement or role with a classification assigned to it is flagged with the classifications icon.

The Manage Identity feature shows classifications for entitlements on identities.

  1. In the Quicklinks menu, click Manage Identity

  2. Choose Edit Identity or View identity.

  3. Click on the identity; the Access panel for the identity shows a classification icon for any entitlements with classifications assigned. Click the classification icon for more details.

The option to make classification flags visible in Access Requests is a configurable option. This option is provided so that you can choose whether or not to alert requesters to the fact that certain roles or entitlements will given them access to sensitive or protected data. Note that classification flags always appear in Access Approvals, regardless of the setting for Access Requests.

  1. Click the gear menu> Lifecycle Manager.

  2. On the Configure tab, scroll to the Manage Classifications Options section.

  3. Check the Display classifications in Access Request box.

  4. Save your change.

Users responsible for approving access can see classification information in the approval Ul. Click the classification icon to see details about the classification.

Click the Show Details link in the main Approvals UI to open a dialog with more details.