IBM® Security Identity Adapter for Guardium GDPR 7.1.2 - Release notes

IBM Security Identity Adapter for Guardium GDPR 7.1.2 is available. Compatibility, installation, and other getting-started issues are addressed.


 

Preface

Welcome to the IBM Security Identity Adapter for Guardium GDPR.

These release notes contain information, not available when the IBM Security Identity Server manuals were printed, for the following products:

 

Adapter Features and Purpose

The Guardium GDPR Adapter reconciles users on managed resources and also reconciles Support Data for those users. The adapter provides data integration only. It runs in "agentless" mode and communicates with the managed systems through the Directory Integrator HTTP Client connector. IBM recommends installing this adapter (and the prerequisite IBM Security Directory Integrator, previously known as IBM Tivoli Directory Integrator) on each node of an IBM Security Identity Server WAS cluster. A single copy of the adapter can serve multiple IBM Security Identity Server services.

The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security Identity Server Provisioning Policies and Approval Workflow process. Please refer to the IBM Knowledge Center for a discussion of these topics.

The IBM Security Identity adapters are powerful tools that require administrator-level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Identity Server fail if the adapter has not been given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions. Note that this particular adapter only reconciles (reads) report data; the account it uses on the managed resource therefore needs access to the reports it reconciles, and nothing beyond that needs to be granted on the Guardium side.

 

 

Service Groups Management

IBM Security Identity Server has the ability to manage service groups. By service groups, IBM Security Identity Server is referring to any logical entity that can group accounts together on the managed resource.

Managing service groups implies the following:

     Create service groups on the managed resource.
     Modify attributes of a service group.
     Delete a service group.

Note: Service group name change is not supported.

The Guardium GDPR Adapter does not support management of service groups.

 

License Agreement

Review and agree to the terms of the IBM Security Identity Adapter license prior to using this product. The license can be viewed from the "License" folder included in the product package.

 

Contents of this Release

Adapter Version

Component              Version
Build Date             2018 March 14 01.13.15
Adapter Version        7.1.2
Component Versions     Adapter build: 7.1.2.4
                       Profile: 7.1.2.4
                       Connector: N/A (uses the HTTP Client connector from Tivoli Directory Integrator)
                       Dispatcher: 7.0.32 (packaged separately)

Documentation

The following guides are available in the IBM Knowledge Center: 

Guardium GDPR Adapter Installation and Configuration Guide

New Features

Enhancement # (FITS)   Description

Items included in current release (7.1.2)

RTC 171003             US - As a Guardium GDPR adapter developer, I must support business activity-to-permission mapping
RTC 170586             US - As a Guardium GDPR adapter developer, I need to support other database types besides DB2

Items included in 7.1.1 release

RTC 166606             Initial release

Note: This version of the adapter offers data integration. In early 2018 we will add support for taxonomy classification and improved IGI business activity integration.

 

Note: Please refer to the ‘igi_Guardium_Document.docx’ in the adapter package for installation and configuration instructions.


Closed Issues

CMVC#    APAR#    PMR# / Description

Items included in current release (7.1.2)

None

Items closed in 7.1.1 release

Initial release

Known Issues

Internal#    APAR#    PMR# / Description

None

 

Known Limitations

CMVC#    APAR#    PMR# / Description

The GDPR adapter supports only 30,000 records.

 

Installation and Configuration Notes

See the IBM Security Identity Adapter Installation Guide for detailed instructions.

 

 

Configuration Notes

The following configuration notes apply to this release:

None

  

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

Please refer to the ‘igi_Guardium_Document.docx’ in the adapter package for installation and configuration instructions.

 

The following steps for generating reports for Oracle and MSSQL databases belong in the Installation Guide under GDPR Reports overview > Creating GDPR Report.

 

Steps for generating report for Oracle12C Database

 

STEP 1: Working with Classification Processes

 

1.     Go to Discover > Classification > Classification Process Builder. From the Classification Process Builder, click New to open the Define Classification Process panel.

2.     Click ADD (+) to open the Define Classification Process panel.

3.     Enter a name for the process in the Process Description box.

4.     Select a Classification Policy from the list, or create a new policy by clicking the Modify button.

5.     In the Classification Policy Finder panel, click ADD (+) to create a new policy. A new tab opens for creating the new policy.

6.     In Classification Policy Definition, provide the Name, Category and Description of the policy. Click Apply.

7.     Click Edit Rules to add the rules. In Classification Policy Rules, click Add Rule.

8.     In the Classification Rule panel, provide the Rule Name, Category, Classification, Description, Rule Type and so on, as required by your GDPR data classification.

Note: The Description entered in this panel becomes the Taxonomy Criteria Name used for permission-to-business-activity mapping.

9.     Click Apply. Go back to the Define Classification Process window.

10.  Select the newly created Classification Policy. Add the data source for the required database server. Make sure the test connection to Oracle succeeds.

11.  Click Apply; this completes the definition of the classification process.

12.  Click Run once now. You should be able to view the classification results. This report shows all the table names, and their respective column names, that contain GDPR-related data according to your defined rules, policy and process.

 

STEP 2: Joining Classification process with Entitlement Reports

1.     Search for CUSTOM DOMAIN BUILDER in the User Interface Search. Under the Domain Finder, click ADD (+).

2.     Provide a Domain Name. Click Filter beside Available entities. Clear the 'Custom' filter for Available entities.

3.     Select 'Classification Process Results' in Available entities and move it to the right pane, Domain entities.

4.     Select the applicable entitlement report in the left pane, for example ORA Object Privileges.

5.     Provide the column name on which the join condition is to be applied.

6.     Click Add Pair and move ORA Object Privileges to the right pane with Classification Process Results.

7.     Select the Timestamp Attribute and click Apply.

8.     Open Custom Table Builder from the User Interface Search.

9.     Select the entity you selected in Custom Domain Builder and click the Upload Data button. For Oracle, select ORA Object Privs.

10.  Click Add Data source to add the Oracle database, then click Run Once Now.

11.  A success message showing the total records inserted should be displayed. Click OK.

STEP 3: Generating Database Entitlement Reports

1.     Search for CUSTOM QUERY BUILDER in the User Interface Search. Under the Domain Finder, look for the Domain Name created in the previous step. Select the domain name and search.

2.     In the next Query Finder screen, select the Main Entity and click ADD (+).

3.     Provide the query details. Click Next.

Note: The Query Name field value is the name of the Entitlement Report for GDPR classification entered on the service form.

4.     Add the conditions and field values from the entities on the left.

5.     After adding the fields, enable the Order By clause on GRANTEE.

6.     Include the Rule Description and Schema fields from Classification Process Results in the left pane.

7.     Right-click PRIVILEGE and select Add Condition. Under operator, select LIKE and enter SELECT.

8.     Check the Add Distinct checkbox to get a final report with unique records.

9.     Save the query. Click Create Report.

10.  Once the report is created, click Add to My Custom Reports.

11.  The custom reports are available under Reports > My Custom Reports > Query Name.

Note: The Order By column differs between the two reports that are entered on the service form.

12.  User Data Recon: the Entitlement Report for user-to-permission mapping must be ordered by GRANTEE.

13.  Support Data Recon: the Entitlement Report for permission-to-taxonomy-criteria mapping must be ordered by Schema.

14.  The Data source Type field is mandatory in both the User Data Recon and Support Data Recon reports.

15.  The Rule Description field is mandatory in the Support Data Recon report.

 

Steps for generating report for MSSQL Database

 

STEP 1: Working with Classification Processes

 

1.     Go to Discover > Classification > Classification Process Builder. From the Classification Process Builder, click New to open the Define Classification Process panel.

2.     Click ADD (+) to open the Define Classification Process panel.

3.     Enter a name for the process in the Process Description box.

4.     Select a Classification Policy from the list, or create a new policy by clicking the Modify button.

5.     In the Classification Policy Finder panel, click ADD (+) to create a new policy. A new tab opens for creating the new policy.

6.     In Classification Policy Definition, provide the Name, Category and Description of the policy. Click Apply.

7.     Click Edit Rules to add the rules. In Classification Policy Rules, click Add Rule.

8.     In the Classification Rule panel, provide the Rule Name, Category, Classification, Description, Rule Type and so on, as required by your GDPR data classification.

Note: The Description entered in this panel becomes the Taxonomy Criteria Name used for permission-to-business-activity mapping.

9.     Click Apply. Go back to the Define Classification Process window.

10.  Select the newly created Classification Policy. Add the data source for the required database server. Make sure the test connection to MSSQL succeeds.

11.  Click Apply; this completes the definition of the classification process.

12.  Click Run once now. You should be able to view the classification results. This report shows all the table names, and their respective column names, that contain GDPR-related data according to your defined rules, policy and process.

 STEP 2: Joining Classification process with Entitlement Reports

1.     Add the database to the appliance and assign data sources to entitlements.

2.     Go to Comply > Custom Reporting > Custom Table Builder.

3.     Click Upload Definition.

4.     Choose any name for Entity Description and Table Name.

5.     Enter the following SQL statement under SQL Statement: EXEC sp_table_privileges @table_name = '%';

6.     Click Add Data source, choose your MS SQL database, and click Retrieve. You should see the table under Custom Tables.

7.     Click Run Once Now; the new inserts should be imported.

8.     Go to Comply > Custom Reporting > Custom Domain Builder (or search for CUSTOM DOMAIN BUILDER in the User Interface Search). Under the Domain Finder, click ADD (+).

9.     Provide a Domain Name.

10.  Click Filter beside Available entities.

11.  Clear the 'Custom' filter for Available entities.

12.  Select Classification Process Results in Available entities and move it to the right pane, Domain entities.

13.  Select the applicable entitlement report in the left pane. It should be the same custom table created in the steps above.

14.  Provide your join condition.

15.  Click Add Pair and move the entity selected above to the right pane with Classification Process Results.

16.  Select the Timestamp Attribute and click Apply.

STEP 3: Generating Database Entitlement Reports

1.     Go to Comply > Custom Reporting > Custom Query Builder.

2.     Under the Domain Finder, look for the Domain Name created in the previous step. Select the domain name and search.

3.     Click + (plus) to make a new query.

4.     Enter a name and select the domain from the Main Entity drop-down. Click Next.

5.     Provide the query details. Click Next.

Note: The Query Name field value is the name of the Entitlement Report for GDPR classification entered on the service form.

6.     Build the query for the report: drag the entities shown in the left pane into the query.

7.     After adding the fields, enable the Order By clause on GRANTEE.

8.     Include the Rule Description and Schema fields from Classification Process Results in the left pane.

9.     Right-click PRIVILEGE and select Add Condition. Under operator, select LIKE and enter SELECT.

10.  Check the Add Distinct checkbox to get a final report with unique records.

11.  Click Save, then click Create Report.

12.  Click Add to My Custom Reports. The custom reports are available under Reports > My Custom Reports > Query Name.

      Note:

1.     The Order By column differs between the two reports that are entered on the service form.

2.     User Data Recon: the Entitlement Report for user-to-permission mapping must be ordered by GRANTEE.

3.     Support Data Recon: the Entitlement Report for permission-to-taxonomy-criteria mapping must be ordered by Schema.

4.     The Data source Type field is mandatory in both the User Data Recon and Support Data Recon reports.

5.     The Rule Description field is mandatory in the Support Data Recon report.

Steps for generating the Support Data report

1.     The steps for generating the Support Data report are the same for DB2, Oracle and MSSQL databases.

2.     Click the Edit the Query For This Report icon on the User Data report created in the steps above.

3.     Click Clone to generate a cloned report.

4.     In the cloned report, order by the Schema field (TABSCHEMA in the case of DB2) instead of GRANTEE.

5.     Save the report.

6.     Regenerate the report.

7.     Add the report to your custom reports by clicking Add To My Custom Report.

Addition to Installation Guide:

The following content should be added to the Installation Guide as separate sections:

 

IGI Bulk Load - Activities:

 

The business activities must be defined in IGI before permissions can be mapped to a business activity. IGI provides an option to bulk load business activities.

Steps to import Activities Bulk Load File

1.     Open the Access Risk Controls module.

2.     Go to Tools > Bulk Data Load.

3.     Using Insert Activities Hierarchy, upload the file Insert+Activities+Hierarchy_GDPR.xlsx.

4.     Refresh the operation until its status is Complete.

Contents of Activities Bulk Load File

The format is the pre-determined format of the bulk load files in IGI.

Information    Description                     Validation
CODE           Activity code                   Mandatory
ACTIVITY       Activity name                   Mandatory
ENVIRONMENT    Environment identifier name     Optional
DESCRIPTION    Activity description            Optional
PARENT_CODE    Activity parent code            Optional

1.     The ENVIRONMENT field is optional. If it is populated, the existence of an environment with the specified name is verified; if no such environment exists, the row is skipped. If it is left blank, the default environment (Working Environment) is used.

2.     The CODE and ACTIVITY fields contain the activity code and name, respectively.

3.     The existence of an activity with the given code is verified. If an activity with that code exists but its name does not match the given name, the row is skipped. If there is no such activity, it is inserted.

4.     The PARENT_CODE field is used for positioning the activity in the hierarchy.

5.     If this field is left blank, the activity is inserted as a child of the root activity.

6.     If there is no activity with the given parent code, the activity is inserted as a child of a technical activity called Undefined, which is created as needed.

 

Sample contents of Insert+Activities+Hierarchy_GDPR.xlsx (columns A to E):

     A       B              C              D              E
1    CODE    ACTIVITY       ENVIRONMENT    DESCRIPTION    PARENT_CODE
2    GDPR    GDPR                                         Root
3    42      Credit Cards                                 GDPR
4    74      Passwords                                    GDPR

 

7.     For more details about Bulk Load, refer to the IGI documentation: https://www.ibm.com/support/knowledgecenter/en/SSGHJR_5.2.3
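The row-validation rules above are easy to misread when a load silently skips rows, so here is an added example (not IGI's own code) that simulates them over a constructed spreadsheet. It keeps the activity catalogue and the list of known environments in memory, which is an assumption made for the sake of running offline; the rule numbers in the comments refer to the list above. Note that the page's sample file writes the literal "Root" in PARENT_CODE for the top-level row, whereas the rules say a blank PARENT_CODE means root, so the constructed rows use a blank there.

```python
"""
Simulation of the row-validation rules that the release notes give for an
IGI "Insert Activities Hierarchy" bulk load. Added example, not IGI code:
the activity catalogue and environment list are in-memory stand-ins.
"""
from typing import Dict, List, Optional, Tuple

Row = Dict[str, str]

DEFAULT_ENVIRONMENT = "Working Environment"   # used when ENVIRONMENT is blank
UNDEFINED_CODE = "Undefined"                   # technical parent, created as needed


class ActivityCatalogue:
    """In-memory stand-in for IGI's activity hierarchy (assumption)."""

    def __init__(self, environments: List[str]) -> None:
        self.environments = set(environments)
        # code -> {"name": ..., "parent": code or None (None = root), "env": ...}
        self.activities: Dict[str, Dict[str, Optional[str]]] = {}

    def _ensure_undefined(self, env: str) -> None:
        # The 'Undefined' technical activity hangs directly under the root.
        if UNDEFINED_CODE not in self.activities:
            self.activities[UNDEFINED_CODE] = {
                "name": UNDEFINED_CODE, "parent": None, "env": env}

    def load_row(self, row: Row) -> str:
        """Apply the rules in order; return a status string for the load log."""
        env = (row.get("ENVIRONMENT") or "").strip() or DEFAULT_ENVIRONMENT
        if env not in self.environments:
            return "skipped: unknown environment"               # rule 1
        code = (row.get("CODE") or "").strip()
        name = (row.get("ACTIVITY") or "").strip()
        if not code or not name:
            return "skipped: CODE and ACTIVITY are mandatory"   # validation column
        existing = self.activities.get(code)
        if existing is not None:
            if existing["name"] != name:
                return "skipped: activity name mismatch"        # rule 3
            return "unchanged: activity already exists"
        parent = (row.get("PARENT_CODE") or "").strip()
        if not parent:
            parent_code: Optional[str] = None                   # rule 5: child of root
        elif parent in self.activities:
            parent_code = parent                                # rule 4
        else:
            self._ensure_undefined(env)                         # rule 6
            parent_code = UNDEFINED_CODE
        self.activities[code] = {"name": name, "parent": parent_code, "env": env}
        return "inserted under " + (parent_code or "root")

    def bulk_load(self, rows: List[Row]) -> List[Tuple[int, str, str]]:
        """Load every row; the log uses spreadsheet row numbers (row 1 is the header)."""
        return [(i, row.get("CODE", ""), self.load_row(row))
                for i, row in enumerate(rows, start=2)]


# Constructed sample rows (not the package's xlsx). Rows 2-4 mirror the sample
# on the page with a blank PARENT_CODE for the top-level row; rows 5-7 exercise
# the 'Undefined' parent and the two skip conditions.
SAMPLE_ROWS: List[Row] = [
    {"CODE": "GDPR", "ACTIVITY": "GDPR", "PARENT_CODE": ""},
    {"CODE": "42", "ACTIVITY": "Credit Cards", "PARENT_CODE": "GDPR"},
    {"CODE": "74", "ACTIVITY": "Passwords", "PARENT_CODE": "GDPR"},
    {"CODE": "99", "ACTIVITY": "Health Records", "PARENT_CODE": "PII"},        # unknown parent
    {"CODE": "42", "ACTIVITY": "Credit Card Numbers", "PARENT_CODE": "GDPR"},  # name mismatch
    {"CODE": "100", "ACTIVITY": "Contracts", "ENVIRONMENT": "Staging",
     "PARENT_CODE": "GDPR"},                                                   # unknown environment
]


def run_sample() -> ActivityCatalogue:
    """Load SAMPLE_ROWS into a catalogue that only knows the default environment."""
    catalogue = ActivityCatalogue(environments=[DEFAULT_ENVIRONMENT])
    catalogue.bulk_load(SAMPLE_ROWS)
    return catalogue


if __name__ == "__main__":
    cat = ActivityCatalogue(environments=[DEFAULT_ENVIRONMENT])
    for row_no, code, status in cat.bulk_load(SAMPLE_ROWS):
        print(f"row {row_no:>2} {code:<5} {status}")
```

Running the block prints one status per spreadsheet row, which is the kind of log worth keeping next to the real load: a row that lands under Undefined or is skipped for a name mismatch will otherwise surface later as a permission that maps to no usable activity.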

Guardium GDPR Adapter’s Taxonomy Mapping properties file.

 

1.     During Guardium GDPR adapter reconciliation, the values in the Rule Description column of the Support Data report are mapped to activities on the IGI side.

2.     The Def file for the Guardium GDPR Adapter consists of Criteria Name and Criteria_ID pairs, for example Credit Cards=42. This file must be present on the TDI machine, and its path must be specified on the service form in the field labelled Taxonomy Criteria Name-ID mapping file path.

3.     The Criteria Name in the Def file is the same as the value in the Rule Description column of the final Support Data report. For example, if Credit Cards and Passwords are the values in the Rule Description column, the Def file has the Criteria Names Credit Cards and Passwords.

4.     The Criteria_ID in the Def file must be the same as the value in the CODE column of Insert+Activities+Hierarchy_GDPR.xlsx. For example, in the sample above 42 is the code for Credit Cards, so the Def file must contain Credit Cards=42.

5.     The Guardium application has no Criteria_ID of its own (such as 42 in the sample above). The adapter fetches the Criteria_ID from the Def file using the Criteria Name it gets from the Rule Description column.

6.     The Taxonomy Criteria is the Criteria_ID present in the Def file for the particular Criteria Name.

7.     The adapter uses this mapping file to obtain the Criteria_ID when returning a report entry to IGI.

8.     If another GDPR adapter (the StealthBits GDPR adapter) is already connected to IGI and its activity bulk load has already been done, the activities that are common with Guardium can be reused. For correct activity-to-permission mapping in that scenario, the Guardium adapter must return, with each table permission, Criteria_ID values that match the activity IDs already bulk loaded into IGI; that is, the Criteria_IDs in the Def file must be the same as those in the bulk-loaded data. For example, if the bulk-loaded data in IGI contains Credit Cards=43, the Def file must also contain Credit Cards=43.

9.     A sample ActivityToPermissionMapping.def file is provided in the package.

 

Note:

1.     The Def file is vital for activity-to-permission mapping, because it is the only source from which the adapter obtains the Criteria_ID. In the following cases the Guardium GDPR Adapter uses the Criteria Name itself as the Criteria ID:

o    If the Def file path specified on the service form is incorrect

o    If the file is present at the specified path but is empty

o    If a Criteria Name present in the Rule Description column of the Support Data report is not present in the Def file

o    If the Criteria_ID for a Criteria Name is empty

 

2.     The Criteria_ID does not need to be numeric; it can also be alphanumeric, but it must be in sync with Insert+Activities+Hierarchy_GDPR.xlsx.
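The fallback rules in the note above matter operationally: a wrong path or a missing name does not fail the reconciliation, it quietly returns the Criteria Name in place of the ID, and IGI then receives permissions mapped to activity codes it does not have. The following is an added example, not the adapter's own code, that resolves Criteria_IDs the way the notes describe and adds the pre-reconciliation check a practitioner would want for the shared-bulk-load scenario in item 8. The Def file format is assumed to be one "Criteria Name=Criteria_ID" pair per line (the sample file in the package is the authority); blank lines and lines starting with '#' are ignored here as an assumption, and the sample Def text and Support Data rows are constructed.

```python
"""
Resolution of Taxonomy Criteria IDs from the adapter's Def file, following
the rules stated in the notes above. Added example, not the adapter's code.
Assumed format: one "Criteria Name=Criteria_ID" per line; blank lines and
'#' comment lines are ignored.
"""
from pathlib import Path
from typing import Dict, Iterable, List, Optional

Mapping = Dict[str, str]


def parse_def_text(text: str) -> Mapping:
    """Parse Def file contents into {Criteria Name: Criteria_ID}.

    An empty Criteria_ID is kept as "" so resolve_criteria_id() can apply the
    'empty ID' fallback; lines without '=' are ignored (assumption)."""
    mapping: Mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, criteria_id = line.partition("=")
        name = name.strip()
        if name:
            mapping[name] = criteria_id.strip()
    return mapping


def load_def_file(path: Optional[str]) -> Mapping:
    """Read the Def file named on the service form.

    A missing or incorrect path, or an unreadable file, yields an empty
    mapping, which makes every lookup fall back to the Criteria Name."""
    if not path:
        return {}
    p = Path(path)
    if not p.is_file():
        return {}
    try:
        return parse_def_text(p.read_text(encoding="utf-8"))
    except OSError:
        return {}


def resolve_criteria_id(rule_description: str, mapping: Mapping) -> str:
    """Return the Criteria_ID for a Rule Description value.

    Falling back to the name itself covers all four cases in the note: bad
    path or empty file (empty mapping), name absent from the file, empty ID."""
    criteria_id = mapping.get(rule_description, "")
    return criteria_id if criteria_id else rule_description


def map_support_data(rows: Iterable[Dict[str, str]], mapping: Mapping) -> List[Dict[str, str]]:
    """Attach a 'Taxonomy Criteria' value to each Support Data report row."""
    out = []
    for row in rows:
        enriched = dict(row)
        enriched["Taxonomy Criteria"] = resolve_criteria_id(row["Rule Description"], mapping)
        out.append(enriched)
    return out


def ids_not_in_bulk_load(mapping: Mapping, loaded_codes: Iterable[str]) -> List[str]:
    """Criteria Names whose Criteria_ID is not a CODE already bulk loaded in IGI.

    Run this before reconciliation when activities were bulk loaded earlier
    (for example by another GDPR adapter): every name returned would yield a
    permission mapped to an activity code IGI does not have."""
    codes = set(loaded_codes)
    return sorted(name for name, cid in mapping.items() if not cid or cid not in codes)


# Constructed sample inputs (not from the adapter package).
SAMPLE_DEF_TEXT = (
    "# Criteria Name=Criteria_ID\n"
    "Credit Cards=42\n"
    "Passwords=74\n"
    "Contracts=CON01\n"      # alphanumeric IDs are allowed
    "Health Records=\n"      # empty ID: falls back to the name
)
SAMPLE_SUPPORT_DATA = [
    {"Schema": "HR", "PRIVILEGE": "SELECT", "Rule Description": "Credit Cards", "Data source Type": "Oracle"},
    {"Schema": "HR", "PRIVILEGE": "SELECT", "Rule Description": "Health Records", "Data source Type": "Oracle"},
    {"Schema": "SALES", "PRIVILEGE": "SELECT", "Rule Description": "Phone Numbers", "Data source Type": "Oracle"},
]


if __name__ == "__main__":
    mapping = parse_def_text(SAMPLE_DEF_TEXT)
    for row in map_support_data(SAMPLE_SUPPORT_DATA, mapping):
        print(row["Schema"], row["Rule Description"], "->", row["Taxonomy Criteria"])
    # Codes from the sample Insert+Activities+Hierarchy_GDPR.xlsx on the page.
    print("not bulk loaded:", ids_not_in_bulk_load(mapping, ["GDPR", "42", "74"]))
```

With the sample inputs, Credit Cards resolves to 42, while Health Records (empty ID) and Phone Numbers (absent from the file) come back as their own names; the bulk-load check flags Contracts and Health Records, since neither CON01 nor an empty ID is a CODE in the sample spreadsheet.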

Installing the adapter language pack

The adapters use a separate language package from the IBM Security Identity Server. See the IBM Security Identity Server Knowledge Centre for information about installing the adapter language pack.


 

Customizing or Extending Adapter Features

The IBM Security Identity adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

Note: If the customization requires a new IBM Tivoli Directory Integrator connector, the developer must also be familiar with IBM Tivoli Directory Integrator connector development and have a working knowledge of the Java programming language.

IBM Security Identity Server Resources:

            Check the "Training" section of the IBM Knowledge Center for links to training, publications, and demos.

IBM Security Directory Integrator Resources:

            Check the "Training" section of the IBM Security Directory Integrator Support web site for links to training, publications, and demos.

Support for Customized Adapters

The integration with the IBM Security Identity Server (the "adapter framework") is supported. However, IBM does not support customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.


Supported Configurations

Installation Platform

The IBM Security Identity Adapter was built and tested on the following product versions.

 

Adapter Installation Platform:

IBM Tivoli Directory Integrator 7.1 with Fix Pack 5 or higher

IBM Tivoli Directory Integrator 7.1.1 with Fix Pack 2 or higher

Security Directory Integrator 7.2 with Fix Pack 3

 

Note:  The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.

 

Managed Resource:

 

Identity Governance and Intelligence (IGI): IGI v5.2.3

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marks of others.