Page 1: An introduction to IBM Security Identity Governance and ...

An introduction to IBM® Security Identity Governance and Intelligence database schema
IBM SECURITY SUPPORT OPEN MIC

April 9, 2019


Page 2: An introduction to IBM Security Identity Governance and ...

2 IBM Security


IBM Security Learning Academy
www.SecurityLearningAcademy.com

Learning Videos ● Hands-on Labs ● Live Events

Learning at no cost!

New content published daily!

Page 3: An introduction to IBM Security Identity Governance and ...


Panelists

Gabriel Rebane – Presenter –Security Support Agent

Chris Weber – Presenter – Security Support Agent

Dan Barto – Moderator – Security Support Manager

Page 4: An introduction to IBM Security Identity Governance and ...


Goal of session

Gain an understanding of parts of the IGI database schema, with a focus on the new Identity Brokerage tables.

Explore parts of the IGI database schema by looking at some common scenarios and issues encountered.

Page 5: An introduction to IBM Security Identity Governance and ...


Agenda

• Identity Brokerage tables

• Identifying issues utilizing SQL queries

Page 6: An introduction to IBM Security Identity Governance and ...

Identity Brokerage Tables

Page 7: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• Describing the main parts of the Identity Brokerage (IB) LDAP contents moved into IGI 5.2.5 database tables:
  – Profiles
  – Services (targets)
  – Groups and supporting data
  – Accounts

• Outbound Identity Brokerage enterprise connector request data

• Inbound/sync Identity Brokerage enterprise connector data

• How to find versions of all IB enterprise connector profiles loaded into IGI

Page 8: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• Version 5.2.5 removes the dependency on the external LDAP directory for the support of Identity Brokerage target integration.

• A new set of tables named itimuser.ib_re_* is created in the IGI database to contain all the data that was previously located in the LDAP.

• Upgrade to IGI 5.2.5 from previous versions migrates the IB LDAP data into the IGI database tables.

Page 9: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

Main parts of the IB LDAP moved into the IGI 5.2.5 database:

• The profile entries under the ou=serviceProfile location

• Now in the itimuser.ib_re_service_profiles table

Page 10: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• The assembly line configurations for SDI/RMI based adapters in ou=assemblyLine

• Now in the itimuser.ib_re_adapter_operations table

Page 11: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• The IB enterprise connector driver configuration (service details)

• Now in the itimuser.ib_re_services table

Page 12: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• The accounts under the ou=0,ou=accounts,erglobalid=###… location in IB LDAP

• Now in the itimuser.ib_re_users table

Page 13: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

The itimuser.ib_re_user_attrs table contains all individual attributes of accounts.

• Join the EXTERNAL_ID column of the ib_re_users table to the USER_EXTERNAL_ID column of the ib_re_user_attrs table

Page 14: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

• The groups/entitlements objects from IB enterprise connector in the itimuser.ib_re_groups table

• Other non-group/entitlement data in the itimuser.ib_re_supporting_data table

Page 15: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

Looking at an example outbound IB enterprise connector request:

• An IB account modify request, as shown under "Out events" in the IGI console UI monitor

• The row in the igacore.event_out table, ID=445. Its CHANGELOG column value is 250.

• The row in the igacore.changelog table, ID=250. The JSONATTRS column contains the attribute/field data.

Page 16: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

The row in the igacore.changelog table, ID=250: JSONATTRS column contents (ASCII):

{"remoteAttributes":{},"fixedAttributes":{"@fixed_name":{"oldValue":null,"newValue":""},"@fixed_dn":{"oldValue":"CN=myadmin,CN=Users,DC=ibmcw,DC=local","newValue":"CN=myadmin,CN=Users,DC=ibmcw,DC=local"},"@fixed_email":{"oldValue":null,"newValue":"[email protected]"},"@fixed_isDefault":{"oldValue":"0","newValue":"0"},"@fixed_accountType_name":{"oldValue":null,"newValue":null},"@fixed_expire":{"oldValue":null,"newValue":null},"@fixed_code":{"oldValue":"myadmin","newValue":"myadmin"},"@fixed_surname":{"oldValue":"admin","newValue":"admin"},"@fixed_displayName":{"oldValue":"myadmin","newValue":"myadmin"}}}

Page 17: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

The IB request tables for data going out to endpoint adapters:

• The igacore.ib_requests table. The JSON_OBJ column holds the data sent to the broker for delivery to the adapter (a SCIM PatchOp message):

{"operations":[{"op":"replace","path":"urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User:mail","value":"[email protected]"}],"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"]}

• Additional details of the request are in the igacore.ib_request_logs table, referenced through its REQUESTID column.

Page 18: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

The incoming data from running a sync of an IB enterprise connector for accounts and group/supporting data:

• The itimuser.ib_account_deltas table has the incoming accounts

• The itimuser.ib_group_detlas table has the incoming group/supporting data

Page 19: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

How to view the version of the IB adapter profiles loaded?

• The "Status and information" section of the Driver Configuration of an IB enterprise connector does not currently update/refresh when newer profile versions are uploaded to IGI.

• The itimuser.i18nmessages table has the adapter profile version information for all IB adapter profiles uploaded to IGI:

select profile, message from itimuser.i18nmessages where messagekey='ProfileVerson'

Page 20: An introduction to IBM Security Identity Governance and ...


Identity Brokerage Tables

The profile version information on “Status and information” section of Driver Configuration.

Page 21: An introduction to IBM Security Identity Governance and ...

Identifying issues utilizing SQL queries

Page 22: An introduction to IBM Security Identity Governance and ...


CSV Enterprise Connector no key issue

Error: User <master_uid> already exists and it is linked to a different user_erc record, id=###

• The adapter mapping does not contain an attribute that is set as KEY;

• The Enterprise Connector therefore handles every entry of the file as an INSERT operation;

• USER_ERC ends up with multiple records for the same master UID.

How to solve it

• Define a KEY for the adapter mapping;

• Delete the "duplicate" entries from USER_ERC;

• The following query counts the USER_ERC records that are not linked to any PERSON record (the orphaned duplicates); run it first, then the DELETE removes that same set of rows:

SELECT COUNT(UE.ID)
FROM IGACORE.USER_ERC AS UE
LEFT JOIN IGACORE.PERSON AS P ON UE.ID = P.USER_ERC
WHERE P.USER_ERC IS NULL;

DELETE FROM IGACORE.USER_ERC
WHERE ID IN (SELECT UE.ID
             FROM IGACORE.USER_ERC AS UE
             LEFT JOIN IGACORE.PERSON AS P ON UE.ID = P.USER_ERC
             WHERE P.USER_ERC IS NULL);
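An added query, not from the deck, that lists the master UIDs occurring more than once in USER_ERC and flags each copy as linked to a PERSON record or orphaned, so the deletion can be checked against named records rather than a bare count. The column name MASTER_UID is an assumption (the deck only says "master UID"); ID, USER_ERC and PERSON.USER_ERC are as in the deck.

```sql
-- Added example (not from the deck). Assumed column: USER_ERC.MASTER_UID.
-- Lists every USER_ERC row whose master UID appears more than once, with
-- a flag telling whether a PERSON record still points at that row.
SELECT UE.MASTER_UID,
       UE.ID AS USER_ERC_ID,
       CASE WHEN P.USER_ERC IS NULL THEN 'orphan' ELSE 'linked' END AS PERSON_LINK,
       COUNT(*) OVER (PARTITION BY UE.MASTER_UID) AS COPIES
FROM   IGACORE.USER_ERC UE
       LEFT JOIN IGACORE.PERSON P ON P.USER_ERC = UE.ID
WHERE  UE.MASTER_UID IN (SELECT MASTER_UID
                         FROM   IGACORE.USER_ERC
                         GROUP  BY MASTER_UID
                         HAVING COUNT(*) > 1)
ORDER  BY UE.MASTER_UID, PERSON_LINK;

-- Healthy state after the KEY is defined and the orphans are removed:
-- zero rows, i.e. every master UID maps to exactly one USER_ERC row.
-- A master UID whose copies are all 'linked' is not covered by the
-- orphan-based DELETE and has to be resolved by hand.
```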

Page 23: An introduction to IBM Security Identity Governance and ...


Hierarchy causes error in certification campaigns

Error: Cycle detected in a hierarchical query

• After building a hierarchy, e.g. a manager hierarchy using ATTR1, the certification campaign will fail;

• If the log file contains "Cycle detected…", it means that you have something like: Manager A > Employee B > Manager A;

How to solve it

• There is no easy way to detect the issue, depending on the depth of the cycle;

• A hierarchy build can take hours to complete, just to discover that a cycle exists;

• If we understand the data model, we can check whether a cycle exists with a query as simple as the following (it fails with a loop error when a cycle is present):

SELECT ID FROM IGACORE.USER_ERC CONNECT BY PRIOR ATTR1 = PM_CODE;

• In case a cycle is detected, we can try to locate it by running something like the following (two-depth cycle):

SELECT T1.PM_CODE, T1.ATTR1, T2.PM_CODE, T2.ATTR1
FROM IGACORE.USER_ERC T1, IGACORE.USER_ERC T2
WHERE T1.ATTR1 IS NOT NULL
  AND T2.ATTR1 IS NOT NULL
  AND T1.PM_CODE = T2.ATTR1
  AND T2.PM_CODE = T1.ATTR1; -- TWO DEPTH CYCLE
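An added query, not from the deck, that generalizes the two-depth check above to cycles of any depth. It uses the deck's USER_ERC columns PM_CODE and ATTR1 (the manager's PM_CODE) and the same Oracle-style hierarchical syntax as the deck's own queries.

```sql
-- Added example (not from the deck). Columns PM_CODE (person code) and
-- ATTR1 (manager's PM_CODE) are as used in the deck's hierarchy queries.
-- NOCYCLE stops the walk at a repeated row instead of raising the loop
-- error, and CONNECT_BY_ISCYCLE marks the row whose next manager is
-- already an ancestor, so cycles of any depth are reported with their path.
SELECT ID,
       PM_CODE,
       ATTR1 AS MANAGER_CODE,
       LEVEL AS DEPTH,
       SYS_CONNECT_BY_PATH(PM_CODE, ' > ') AS CHAIN
FROM   IGACORE.USER_ERC
WHERE  CONNECT_BY_ISCYCLE = 1
START WITH ATTR1 IS NOT NULL
CONNECT BY NOCYCLE PRIOR ATTR1 = PM_CODE;

-- Zero rows means no cycle. Each returned row is the point where the
-- manager chain closes on itself, e.g. CHAIN ' > A > B' when A reports
-- to B and B reports to A. Correct the ATTR1 value of one row in the
-- chain and rerun until the query returns nothing.
```

Because every person with a manager is a starting point, a row inside a cycle is reported once per employee whose chain reaches it; select DISTINCT ID, PM_CODE, ATTR1 instead if only the offending records are wanted.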

Page 24: An introduction to IBM Security Identity Governance and ...


Entitlements listed to OUs

After adding entitlements to an organizational unit and selecting "hierarchy", how can we confirm the entitlement was added to the whole structure?

• In a small structure it might be possible to use the UI;

• For a larger structure, using the UI can be a pain point and is prone to human error.

How to solve it

• With an understanding of the data model and enough knowledge of SQL, it is possible to create a query that returns that information and shows where the entitlement is missing (T.NAME is NULL for an OU that lacks it):

SELECT OU.NAME, T.NAME
FROM IGACORE.ORGANIZATIONAL_UNIT OU
LEFT JOIN (SELECT JU.ORGANIZATIONAL_UNIT, ENT.NAME
           FROM IGACORE.JOB_UNIT JU
           JOIN IGACORE.ENTITLEMENT ENT ON JU.ENTITLEMENT = ENT.ID
           WHERE ENT.NAME = 'My Business Role') T
  ON T.ORGANIZATIONAL_UNIT = OU.ID
WHERE OU.ID IN (SELECT ID
                FROM IGACORE.ORGANIZATIONAL_UNIT
                START WITH CODE = 'Security'
                CONNECT BY PRIOR ID = PARENT);
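An added query, not from the deck, that narrows the check above to the OUs in the 'Security' subtree where the entitlement is missing and reports each one with its depth and path, so the point where propagation stopped is visible. It uses only the tables and columns of the deck's query (ORGANIZATIONAL_UNIT.ID/CODE/NAME/PARENT, JOB_UNIT, ENTITLEMENT).

```sql
-- Added example (not from the deck). Same tables and columns as the
-- deck's query; lists only the OUs under 'Security' that lack the
-- entitlement, with their depth and path from the subtree root.
SELECT OU.ID,
       OU.CODE,
       OU.NAME,
       LEVEL AS DEPTH,
       SYS_CONNECT_BY_PATH(OU.CODE, '/') AS OU_PATH
FROM   IGACORE.ORGANIZATIONAL_UNIT OU
WHERE  NOT EXISTS (SELECT 1
                   FROM   IGACORE.JOB_UNIT JU
                          JOIN IGACORE.ENTITLEMENT ENT ON ENT.ID = JU.ENTITLEMENT
                   WHERE  JU.ORGANIZATIONAL_UNIT = OU.ID
                   AND    ENT.NAME = 'My Business Role')
START WITH OU.CODE = 'Security'
CONNECT BY PRIOR OU.ID = OU.PARENT
ORDER SIBLINGS BY OU.CODE;

-- Zero rows means the entitlement reached every OU under 'Security';
-- otherwise OU_PATH shows exactly where in the tree it is missing.
```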

Page 25: An introduction to IBM Security Identity Governance and ...


Using ACTION_CAUSE from USER_ERC

During mapping of an HR connector, it is possible to use ACTION_CAUSE to define a short message explaining why that particular event happened.

Page 26: An introduction to IBM Security Identity Governance and ...


Questions for the panel

• Q: Is there a document describing IGI database tables and relations of them for the V5.2.4?

A: Currently nothing complete. We have a few of the events tables listed in the Knowledge Center. There is currently a doc being worked on by Support to try to get more of the tables/schema documented. We don't yet have a date for the release of this doc. L2 and Product Services have started a draft IGI Schema document. We would like Business Partner input on the types of information and priority of schema that needs to be documented.

• Q: Where is the group memberships delta? in which table? How to determine a change of memberships in a group on a target system for account?

A: The ib_group_detlas table, for the rows that have operationtype=modify; the delta_json column data will then have the members information.

Page 27: An introduction to IBM Security Identity Governance and ...


Questions for the panel

• Q: Does each connector need that PMcode set? I do not recall the AD Adapter having the green flag on the mapping of attributes?

A: The AD adapter IB connector has the "CODE" in the read-from that is what is equiv of the pmcode on a person/hr connect.


• Q: Do we have any performance comparison between old (ldap) and new (db) schema?

A: Nothing that I am aware of currently. I would not expect though any worse performance with the data now in the IGI db versus external ldap before.


• Q: When I create a manager hierarchy the tree consist of user pm_codes. How can I show names instead of names in the manager hierarchy?

A: Unfortunately you can't. This would be an RFE.


Page 28: An introduction to IBM Security Identity Governance and ...


Questions for the panel

• Q: Can we extend Group/Entitlement attributes?

A: Assuming like adding more attributes/values on a group. If so, it will depend more on the adapter side if it can be modified to return more values on the group.


• Q: All Adapters v7.x support the new model of brokerage or will be available a new version of the adapters?

A: Answered aloud.


• Q: I mean, Is it possible to extend OU_ERC table like USER_ERC?

A: Unfortunately you can't.

You can use Properties on the OU to add data


Page 29: An introduction to IBM Security Identity Governance and ...


Questions for the panel

• Q: Do we have Database Schema details for IGI documented?

A: Nothing currently available that is complete; there is work on a new doc (also not complete, work in progress) that will be a technote, published soon hopefully.

Subscribe to My Notifications so you learn when it is published.


• Q: Where do I download the presentation?

A: You can download the presentation at http://www.ibm.com/support/docview.wss?uid=ibm10879143

Page 30: An introduction to IBM Security Identity Governance and ...


IBM Communities > Security Community > IAM Group

http://ibm.biz/IAMgroup-SecCommunity

Page 31: An introduction to IBM Security Identity Governance and ...


Where do you get more information?

Ask questions and find answers on this or other IGI topics in the NEW IBM Support forum:

https://ibm.biz/IGI-SupportForum

• Security Learning Academy: https://www.securitylearningacademy.com

• IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.5/com.ibm.igi.doc/kc-homepage.html

• IGI Support home: https://ibm.biz/IGI-Support

Useful links:

Get started with IBM Security Support

IBM My Support | Sign up for "My Notifications"

FREE learning resources on the Security Learning Academy

ibm.com/security/community

Follow us:

www.youtube.com/user/IBMSecuritySupport

twitter.com/askibmsecurity

http://ibm.biz/ISCS-LinkedIn

Page 32: An introduction to IBM Security Identity Governance and ...

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU

xforce.ibmcloud.com

@askibmsecurity

youtube/user/IBMSecuritySupport

securityintelligence.com

SecurityLearningAcademy.com

ibm.com/security/community

IBM Security Client Success
