Thursday, February 25, 2021

OOTB Tasks Purpose

The task types are:

# Account Aggregation — scans all applications, discovers users and entitlements on those applications, and then correlates those users and entitlements with roles.

# Account Group Aggregation — scans applications and aggregates account groups and application object types. These are then used for group certification (either permissions or membership) or for displaying group information in identity certifications.

# Activity Aggregation — scans all applications, discovers activity on the applications, and then correlates that activity with identity cubes. This enables you to track and monitor all activity for possible policy violations.

# Alert Aggregation — scans applications and aggregates alerts from a set of Alert Collectors. These are then used to generate alert actions.

# Alert Processor — processes the aggregated alerts against the alert definitions and launches the appropriate action.

# Application Builder — creates multiple IdentityIQ applications or updates the attribute map of an existing IdentityIQ application.

# ArcSight Data Export — exports data for the HP ArcSight Database Connector to an external database table.

# Data Export — generates a de-normalized data report to export to an external database table.

# Effective Access Indexing — generates an index of any indirect access that was granted through another object, for example a nested group, an unstructured target, or another role.

# Encrypted Data Synchronization Task — re-encrypts data with a user-generated encryption key.

# Entitlement Role Generator — scans the entitlements in the system and automatically generates a simple role and an appropriate profile for each one that it finds.

# FIM Application Creator — automatically discovers and creates FIM Management Agent Applications.

# IQService Public Key Exchange — changes the public keys that are used for IQService communications.

# ITIM Application Creator — inspects IBM Tivoli Identity Manager (ITIM) and retrieves information about the ITIM services (applications). This task auto-generates an application for each service defined in ITIM.

# IdentityIQ Cloud Gateway Synchronization — synchronizes the specified objects to the Cloud Gateway.

# Identity Refresh — scans all applications, including the IdentityIQ application, to ensure that all identity information is up to date and accurate. Identity refresh scans are also used to detect and report on policy violations and to trigger event certifications.

# Identity Request Maintenance — scans for completed Lifecycle Manager access requests.

# Missing Managed Entitlements Scan — scans the selected application to create entitlement objects for items added after the application was last aggregated.

# Novell Application Creator — inspects the Novell IDM application and retrieves information about all connected applications.

# OIM Application Creator — inspects the OIM application and retrieves information about all connected applications.

# Policy Scan — runs policies against identity cubes and updates identity scorecards with any policy violations discovered.

# Propagate Role Changes — refreshes identities that have an assigned role whose associated entitlements have changed.

# Refresh Logical Accounts — refreshes composite accounts for all identities that could potentially have a composite account on the selected composite applications.

# Role Index Refresh — updates all role information and creates the indexes needed to perform role searches. You must run this task before performing any role searching.

# Run Rule — runs the specified rule with name/value pairs.

# Sequential Task Launcher — launches the specified tasks in the order defined. This enables you to launch tasks that must run sequentially, in the proper order, without having to schedule each one separately based on estimated run times.

# System Maintenance — tasks designed to run in the background.

# Target Aggregation — scans selected applications for activity targets.

Wednesday, February 24, 2021

How To Create a New Workflow (or) How To Use an Existing Workflow to Create a New Business Process

How To Create a New Workflow ::-

1. Navigate to Setup -> Business Processes.

2. Click New to create a new workflow and then enter a name for your process.

3. Specify a name and description for the workflow. Use a short, descriptive name, and use a description that provides an overview of the workflow's function.

4. In the Type field:

a. Select from the drop-down list of predefined workflow types. The available types are restricted to the process options related to the workflow.

b. To enter a custom type, manually enter the type name in the box instead of selecting one from the list. See the Workflow Basics chapters for any limitations on custom types.

5. Navigate through each of the process tabs and specify the workflow data.

6. Click Save.


How To Use an Existing Workflow to Create a New Business Process ::-

1. Navigate to Setup -> Business Processes.

2. Select an existing workflow from the Edit an Existing Process list.

3. Navigate through each of the process tabs to view or modify the workflow data.

4. Click Save As and enter a unique name for the workflow.

Important Workflow Objects

Provisioning Plan :

# It contains a list of requested changes to an identity.

# An Identity or IdentityName variable will be present in the workflow most of the time.

# A provisioning plan is created for each identity (one provisioning plan <==> one identity <==> one workflow case).

Enabling Lifecycle Manager

Navigate to the C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\identityiq\WEB-INF\bin directory.

Launch the iiq console by running this command: iiq console

The console is running when you see a > symbol in the command prompt.

In the IdentityIQ console, run these commands:

import init.xml

import init-lcm.xml

a. Notice the types of objects being imported into IdentityIQ.

b. List two that you are familiar with:

When the import is complete, type quit to exit from the IdentityIQ console.

Setting Top Level Workflows

Starting in version 7.0, the top-level workflows used by LCM are configured on the Gear ===> Lifecycle Manager ===> Business Processes page in the IdentityIQ user interface.

There are four main default LCM workflows which are applied to complete the required provisioning actions, depending on the origin of the provisioning request:

LCM Provisioning

LCM Manage Passwords

LCM Create and Update

LCM Registration

As shown here, the same workflow can be used to drive provisioning in response to different starting events.  

For example, by default, LCM Provisioning handles requests coming from the Request Access LCM option (role and entitlement requests) as well as Manage Accounts requests (new accounts or enable/disable/unlock/delete requests), among others.


# Implementing a custom workflow for any of these functional areas in a specific customer implementation requires creating the workflow (often by cloning and modifying these core workflows) and pointing IdentityIQ to the custom workflow through this user interface page.

# Understanding how the default workflows work is critical to successfully modifying the processes to meet specific customer needs.


Tuesday, February 23, 2021

Configure a Quicklink Population and Applications to Support Account Requests

1. Configure the Manager Quicklink population to allow account-only requests.

a. Navigate to Gear ===> Global Settings ===> Quicklink Populations and open the Manager population.

b. Click the Quicklinks tab and, next to Manage Accounts, click Config…

The default Quicklink Populations used to determine who can make different types of requests are:

# The user themselves (designated as Self Service)

# Manager (make requests for direct reports)

# Help Desk (users with help desk capability who can request items for populations)

# Everyone (control what can be done by all users not fitting into the above categories)

Often, as the result of these requests, we must provision the appropriate accounts and entitlements to the target systems.

c. Turn on Allow requesting new accounts as shown here and Save the Manage Accounts Options.

d. Save the Quicklink Population.

2. Configure the applications that allow account-only requests.

a. Navigate to Gear ===> Lifecycle Manager.

b. Scroll down to the Manage Accounts Options and, in the drop-down selection box labelled Applications that support account only requests, add AD and OUD to the list.

c. Click Save.

OOTB Tasks Purpose

Prune Identity Cubes task ::

The purpose of the Prune Identity Cubes task is to delete non-authoritative Identity Cubes that house no accounts.

As long as the new identity obtains access (the Identity Cube has correlated accounts) by this date, it won't be pruned; if access is not obtained by this date, it will be pruned.

This value can be set in the LCM configuration.

Friday, February 19, 2021

Business Process (or) Workflow

What is Workflow / Business Process? 

# A sequence (or) series of steps (or) operations that are launched to perform work

NOTE: Workflow is similar to Orchestration in OIM

Process Details: Specify the Name, Type, and Description of the workflow.

Process Variables: Specify any variables that apply to the workflow: input variables, return values, and working variables for use within the process's steps.

Process Designer: Graphically represent the process, specify the actions involved in each step, and provide the evaluation conditions for moving from one step to another.

Process Metrics: Review statistics gathered for the process as it launches.


The following events can trigger a workflow:

• Role creation or modification

• Account Group creation or modification

• Identity update

• Identity refresh

• Identity correlation

• Deferred role assignment, de-assignment

• Deferred role activation, deactivation

• Any Lifecycle Manager event

• Any Lifecycle Event (marked by changes to an Identity's attributes)

Custom workflows can be defined to do a wide variety of processing tasks. You can use:

• IdentityIQ workflow library methods and rules.

• Custom BeanShell scripts and rules.

Customizing or creating workflows generally involves a combination of XML and Java/BeanShell programming. 


How many ways to implement Business Process?

# 2 ways

# One way is from the UI (Business Process)

# The other way is to define the workflow in an XML file and then import that XML file into IIQ


How to delete a workflow in IIQ?

# Log in to the Debug page

# Search for the workflow, or select Workflow from the object drop-down menu under Object Browser

# Then search for the specific workflow name and select it

# In the top right corner, open the action drop-down and click Delete.


LCM Workflow Process and Structure::-

# To promote code reuse, the core functions needed across multiple processes have been encapsulated in subprocesses which can be called by each of the main "top-level" workflows.

# This allows the main workflows to include their needed variances while maximizing uniformity across the processes.

# The organization of these subprocesses also makes it easy to customize the workflows for individual customer needs by using the desired modules and skipping others.

The overall process flow for the default LCM workflows is this, with each of these process steps being controlled by a separate subprocess workflow:

(This workflow follows the full core process for LCM Workflows, which includes these key steps)

Initialize: Compile the provisioning plan, set up the identity request, perform initial auditing, check policies, do pre-approval data gathering

Approve: Gather approvals from the appropriate parties and filter the provisioning project to remove non-approved items

Provision: Do post-approval data gathering and complete the provisioning actions to update the target systems

Notify: Send emails to interested parties informing them of the final status of the provisioning request

Finalize: Mark the identity request with the final status of the provisioning request, perform final auditing
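To make the five-stage flow concrete (and the earlier point that one provisioning plan belongs to one identity and one workflow case), here is an added Python model of it. It is an illustration written for this page, not IdentityIQ code: the class and function names, the in-memory "target systems" and the separation-of-duty policy are all assumptions. Approve filters the compiled project so that only approved items reach Provision, Notify records the outcome, and Finalize sets the request's final status.

```python
from dataclasses import dataclass, field


@dataclass
class AccountRequest:
    """One requested change on one application: an entry in the provisioning plan."""
    application: str
    operation: str   # "Add" or "Remove"
    attribute: str
    value: str


@dataclass
class ProvisioningPlan:
    """A plan is created per identity and holds that identity's requested changes."""
    identity_name: str
    requests: list = field(default_factory=list)


@dataclass
class WorkflowCase:
    """One workflow case per plan: the compiled project, an audit trail and a status."""
    plan: ProvisioningPlan
    project: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    status: str = "Pending"


# Constructed separation-of-duty policy: these two entitlements must not be held together.
SOD_CONFLICTS = [("HR_Payroll", "HR_Audit")]


def initialize(case, current_access):
    """Initialize: compile the plan into a project, audit it and check policies."""
    case.project = list(case.plan.requests)
    case.audit.append("request created")
    would_hold = set(current_access.get(case.plan.identity_name, ()))
    would_hold |= {r.value for r in case.project if r.operation == "Add"}
    for a, b in SOD_CONFLICTS:
        if a in would_hold and b in would_hold:
            case.audit.append(f"policy violation: {a} together with {b}")
    return case


def approve(case, decisions):
    """Approve: keep only the items the approvers approved (decisions: value -> bool)."""
    case.project = [r for r in case.project if decisions.get(r.value, False)]
    case.audit.append(f"{len(case.project)} item(s) approved")
    return case


def provision(case, target_systems):
    """Provision: apply each approved item to the in-memory target system."""
    for r in case.project:
        held = target_systems.setdefault(r.application, {}).setdefault(case.plan.identity_name, set())
        if r.operation == "Add":
            held.add(r.value)
        elif r.operation == "Remove":
            held.discard(r.value)
    case.audit.append("provisioning executed")
    return case


def notify(case):
    """Notify: record the email that would go to the requester with the outcome."""
    case.audit.append(f"requester notified: {len(case.project)} item(s) provisioned")
    return case


def finalize(case):
    """Finalize: mark the request with its final status and write the last audit entry."""
    case.status = "Completed" if case.project else "Rejected"
    case.audit.append(f"final status: {case.status}")
    return case


def run_lcm_workflow(plan, decisions, target_systems, current_access=None):
    """Run the five subprocesses in order and return the finished workflow case."""
    case = WorkflowCase(plan=plan)
    initialize(case, current_access or {})
    approve(case, decisions)
    provision(case, target_systems)
    notify(case)
    finalize(case)
    return case


if __name__ == "__main__":
    # Constructed request: one identity asks for three entitlements across two applications.
    plan = ProvisioningPlan("jane.doe", [
        AccountRequest("AD", "Add", "memberOf", "HR_Payroll"),
        AccountRequest("AD", "Add", "memberOf", "HR_Audit"),
        AccountRequest("OUD", "Add", "groups", "Readers"),
    ])
    targets = {}
    case = run_lcm_workflow(plan, {"HR_Payroll": True, "HR_Audit": False, "Readers": True}, targets)
    print(case.status, targets)
    for line in case.audit:
        print(" -", line)
```

The policy check in Initialize only records the violation in the audit trail; the approver's decision is what actually removes the conflicting item, which matches the order of the subprocesses above (policies are checked before approvals are gathered).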



Thursday, February 11, 2021

Life Cycle Event

Life Cycle Events ::-

# Cube creation (Joiner)

# Change in the inactive attribute (Leaver)

# Attribute change or change in manager (Mover)

# Custom detected change (Rule Based) 

Joiner Event ::- If a person joins the organization

Mover Event ::- If a person's department or manager changes (an attribute change)

Leaver Event ::- If a person leaves the organization
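The following added Python example shows how the four event kinds listed above can be detected by comparing an identity's attributes before and after a refresh, and how the Disabled flag and the Included Identities selector (All / Match List / Rule) decide whether a detected event actually launches anything. It is an illustration written for this page, not IdentityIQ code; the attribute names ("inactive", "department", "manager", "title"), the snapshot data and the function names are assumptions.

```python
# Constructed identity snapshots before and after an Identity Refresh; attribute
# names are assumptions, not IdentityIQ's.
PREVIOUS = {
    "alice": {"department": "Finance", "manager": "bob", "title": "Analyst", "inactive": False},
    "carol": {"department": "IT", "manager": "dave", "title": "Engineer", "inactive": False},
    "erin": {"department": "IT", "manager": "dave", "title": "Analyst", "inactive": False},
}
CURRENT = {
    "alice": {"department": "Finance", "manager": "bob", "title": "Analyst", "inactive": True},
    "carol": {"department": "Security", "manager": "dave", "title": "Engineer", "inactive": False},
    "erin": {"department": "IT", "manager": "dave", "title": "Senior Analyst", "inactive": False},
    "frank": {"department": "HR", "manager": "gina", "title": "Recruiter", "inactive": False},
}


def detect_lifecycle_events(previous, current, custom_rule=None):
    """Compare each identity's old and new attributes and emit (event, identity, detail).

    Joiner: the cube did not exist before.  Leaver: the inactive attribute changed to
    True.  Mover: department or manager changed.  Custom: custom_rule(old, new) is True.
    """
    events = []
    for name, new in current.items():
        old = previous.get(name)
        if old is None:
            events.append(("Joiner", name, "cube created"))
            continue
        if not old.get("inactive", False) and new.get("inactive", False):
            events.append(("Leaver", name, "inactive changed to True"))
        for attr in ("department", "manager"):
            if old.get(attr) != new.get(attr):
                events.append(("Mover", name, f"{attr}: {old.get(attr)} -> {new.get(attr)}"))
        if custom_rule is not None and custom_rule(old, new):
            events.append(("Custom", name, "rule-based change detected"))
    return events


def is_included(name, attrs, selector):
    """Included Identities filter: "All", ("Match List", set_of_names) or ("Rule", fn)."""
    if selector == "All":
        return True
    kind, arg = selector
    if kind == "Match List":
        return name in arg
    if kind == "Rule":
        return bool(arg(attrs))
    raise ValueError(f"unsupported selector: {kind}")


def triggered_events(previous, current, selector="All", custom_rule=None, disabled=False):
    """Events that would launch a workflow: none if the event definition is disabled,
    otherwise the detected events restricted to the included identities."""
    if disabled:
        return []
    return [e for e in detect_lifecycle_events(previous, current, custom_rule)
            if is_included(e[1], current[e[1]], selector)]


def title_changed(old, new):
    """Constructed custom rule for the rule-based event type."""
    return old.get("title") != new.get("title")


if __name__ == "__main__":
    for event in triggered_events(PREVIOUS, CURRENT, custom_rule=title_changed):
        print(event)
```

Note that a Leaver is only raised on the transition of the inactive attribute from False to True; an identity that was already inactive in the previous snapshot does not fire again on every refresh.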

Note: The terms Business Process and Workflow are synonymous. The IdentityIQ user interface refers to these terms as Business Processes which is the term business managers use most often. The IdentityIQ object model and XML use the term Workflows. 

# An integral part of Lifecycle Manager and Provisioning is our workflow engine. 

# Workflows within IdentityIQ are called Business Processes. 

# All Lifecycle Manager provisioning requests and Lifecycle Events initiate a workflow.


What is Event Type in IIQ ?

# The Event Type specifies when the lifecycle event should be triggered

What is the Disabled option in a lifecycle event ?

# If you don't want a specific event to trigger, check this option (checked by default) for that event

# If you want the event to trigger, uncheck it

What is Included Identities in a Life Cycle Event ?

# It selects whether this lifecycle event should trigger for specific users, for all users, or as per the business requirement; choose from the drop-down menu (All / Match List / Rule / Script).

High Level steps of Joiner Workflow ::

# Create the Provision plan

# Compile the provisioning plan into provisioning project

# Provision the user 


Tuesday, February 9, 2021

What is Orphan Account and how to handle un-correlated account?

Orphan Account :: An account from a target system with no identity to attach or link to.

When correlation fails, uncorrelated identities are created to house the accounts that did not correlate. There are two solutions to this problem:

# Determine what went wrong with the correlation, adjust your correlation rule, and re-aggregate the accounts.

# Manually correlate the accounts using the UI. This involves moving the uncorrelated account to the proper Identity Cube.

Once this is done, you can prune the Identity Cubes that have no accounts to remove the uncorrelated cubes.
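The following added Python model walks through the sequence described above and in the Prune Identity Cubes note: aggregate accounts, correlate them with a rule, house the leftovers in uncorrelated cubes, fix one by hand (the UI route), and then prune the non-authoritative cubes left with no accounts. It is an illustration written for this page, not IdentityIQ code; the record shapes, the function names, the sample cubes and accounts and the employeeId correlation rule are all assumptions.

```python
def sample_identities():
    """Constructed authoritative Identity Cubes (e.g. from an HR feed); fresh copy each call."""
    return {
        "alice": {"authoritative": True, "attrs": {"employeeId": "1001"}, "accounts": []},
        "bob": {"authoritative": True, "attrs": {"employeeId": "1002"}, "accounts": []},
    }


# Constructed accounts as read from a target system (AD) during aggregation.
SAMPLE_ACCOUNTS = [
    {"app": "AD", "nativeIdentity": "alice.ad", "attributes": {"employeeId": "1001"}},
    {"app": "AD", "nativeIdentity": "svc-backup", "attributes": {}},
    {"app": "AD", "nativeIdentity": "rsmith", "attributes": {"employeeId": "9999"}},
]


def employee_id_rule(account, identities):
    """Constructed correlation rule: match the account's employeeId to an authoritative cube."""
    emp = account.get("attributes", {}).get("employeeId")
    if emp is None:
        return None
    for name, cube in identities.items():
        if cube["authoritative"] and cube["attrs"].get("employeeId") == emp:
            return name
    return None


def correlate(identities, accounts, rule):
    """Attach each account to the cube the rule returns. Accounts that do not
    correlate are housed in a new non-authoritative 'uncorrelated' cube so no account
    is lost; the names of those cubes are returned."""
    uncorrelated = []
    for account in accounts:
        owner = rule(account, identities)
        if owner is None:
            owner = f"uncorrelated:{account['app']}:{account['nativeIdentity']}"
            identities.setdefault(owner, {"authoritative": False, "attrs": {}, "accounts": []})
            uncorrelated.append(owner)
        identities[owner]["accounts"].append(account)
    return uncorrelated


def manually_correlate(identities, from_cube, app, native_identity, to_cube):
    """The UI route: move one account from an uncorrelated cube to the proper Identity Cube."""
    housed = identities[from_cube]["accounts"]
    for i, account in enumerate(housed):
        if account["app"] == app and account["nativeIdentity"] == native_identity:
            identities[to_cube]["accounts"].append(housed.pop(i))
            return True
    return False


def prune_identity_cubes(identities):
    """Prune Identity Cubes: delete non-authoritative cubes that house no accounts."""
    empty = [name for name, cube in identities.items()
             if not cube["authoritative"] and not cube["accounts"]]
    for name in empty:
        del identities[name]
    return empty


def run_demo():
    """Aggregate, fix one orphan by hand, then prune; returns the three results."""
    identities = sample_identities()
    uncorrelated = correlate(identities, SAMPLE_ACCOUNTS, employee_id_rule)
    manually_correlate(identities, "uncorrelated:AD:rsmith", "AD", "rsmith", "bob")
    pruned = prune_identity_cubes(identities)
    return uncorrelated, pruned, identities


if __name__ == "__main__":
    uncorrelated, pruned, identities = run_demo()
    print("uncorrelated after aggregation:", uncorrelated)
    print("pruned:", pruned)
    print("remaining cubes:", sorted(identities))
```

The service account with no employeeId stays in its uncorrelated cube after pruning because that cube still houses an account; pruning only removes cubes that are both non-authoritative and empty, so an orphan is never silently deleted, it is only surfaced for a rule fix or manual correlation.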


Fetch Members from Workgroup

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.ObjectUtil;
import sailpoint.ob...