This quick start provides a brief overview of the NetIQ Identity Governance and Administration hybrid solution and the tasks you need to complete to start using Identity Governance as a Service.
Figure 1 Overview of Identity Governance and Administration
Identity Governance and Administration (IGA) manages and governs digital identities and enforces appropriate access across the enterprise. With a unified governance framework, organizations can determine who has access to which resources and whether that access is appropriate. Scaling to billions of identities, IGA automates and streamlines processes related to access requests, access certification, identity lifecycle management, provisioning, and compliance reporting. IGA detects changes as they happen in the connected systems and adjusts security controls for continuous compliance, thus reducing risk and increasing efficiency for the organization.
IGA, as illustrated in the above diagram, includes following main components and additional services:
NetIQ Identity Governance helps organizations run effective access certification campaigns and implement identity governance. Key features include certification reviews, micro-certifications, access request and approval, segregation of duties (SOD), and governance insight. Identity Governance can be deployed on premises or using SaaS.
NetIQ Identity Manager powers the entire identity management lifecycle, managing identities and their associated attributes to minimize privileges. Key features include automated provisioning, identity attribute management, password synchronization, and data and event transformation to match organizational business processes.
You can use the IGA hybrid solution to log in to Identity Governance as a Service using Advanced Authentication as a Service for authentication based on methods and repositories configured in Advanced Authentication tenancy. In addition, you can collect data from on-premises Identity Manager using a data transfer bridge (Cloud Bridge), create custom workflows for request approval on fulfillment, and generate reports.
Identity Governance as a Service and Advanced Authentication as a Service will be deployed, configured, and maintained by Micro Focus. Once you receive your tenancy URL (http://tenantid.igasubdomain.hostedsaasdomain.com), you can log in to Identity Governance, assign authorizations, and perform governance tasks.
To log in to Identity Governance on their local devices, users must have one of the following browser versions, at a minimum:
Apple Safari 16.1
Google Chrome 103.0.5060.114
Microsoft Edge Browser 220.127.116.114.49
Mozilla Firefox 15.5
iPad (iOS 12 and later)
Apple Safari 15.5
Google Chrome 101.0
Mozilla Firefox 37
IMPORTANT:The browser must have cookies enabled. If cookies are disabled, the product will not work.
This section outlines the supported upgrade paths and integrated component versions.
Supported upgrade paths for Identity Governance and related products are listed below.
Identity Governance 3.7 or 3.7.3 to 4.2
Identity Reporting 6.7 or 6.7.2 to 7.2
Form Builder 1.5.1
Identity Reporting 7.2
Workflow Console 1.0.7.0000
Workflow Engine 1.0.7.0100 on the same Tomcat server as Identity Governance
Identity Governance provides IDM entitlement application definition and application templates to collect account and permission entitlements from an on-premises Identity Manager environment. To successfully collect all accounts and permissions, the supported drivers must be running. Find below a list of the Identity Manager and Identity Governance supported drivers.
Identity Governance Assignment collection: MFIGASGMTCOL_18.104.22.16820110104142
Minimum Driver Version
Minimum Package Version
SAP User Management
After signing up for Identity Governance as a Service, log in to your unique URL using the provided user name and password. You must log in with the bootstrap administrator account until you have collected and published identities and assigned a user as the Customer Administrator. Bootstrap administrator account is created during the onboarding process. Micro Focus recommends that you change the bootstrap administrator password. You can change the password by logging in to your aa service/account as tenantid\IGBOOTSTRAPS\bootstrap administrator email. For example, when Tenant ID is Tenant 1 and the bootstrap administrator email is firstname.lastname@example.org, log in to your aa.cyberresprod.com/account as TENANT1\IGBOOTSTRAPS\email@example.com.
In as a Service environment, Cloud Bridge is a data transfer bridge between the application in the cloud and data sources in on-premises environments. The Cloud Bridge Agent(CBA) is the entity that responds to the collection and fulfillment commands and directs them to the proper data source for execution. The following diagram provides a brief overview of the Cloud Bridge setup.
Figure 2 Overview of Cloud Bridge Setup
The Cloud Bridge Data Center in your Identity Governance tenancy is created by the SaaS team based on the information you provide in the technical questionnaire. Data Centers are a conceptual representation of your Cloud Bridge Agent instance and could reside in different on-premises and cloud environments. DataCenter.json contains customer-specific data center information. Defines the connection information between the CBC and a single CBA instance. Install the Cloud Bridge Agents on your local systems, then configure Identity Governance Data Source Connections and Data Sources as needed to connect to your on-premises data sources.
For information about the Cloud Bridge Agent and related Identity Governance procedures, see the following sections.
Prior to installing the Cloud Bridge Agent on premises, the SaaS operations team must have granted you the privilege to use Cloud Bridge. You or an authorized user can then add an external repository in the IGA Advanced Authentication tenancy.
NOTE:Use TENANT_ID_AA_ER, where TENANT_ID is in uppercase, as the name of the external repository. For more information about adding Cloud Bridge external repository, refer to the NetIQ Advanced Authentication Administration Guide.
Regarding upgrading your Cloud Bridge Agent, before you upgrade an existing CBA installation, you should review your environment and do some planning for high availability. For more information about installing and upgrading the Cloud Bridge Agent on premises, refer to the NetIQ Cloud Bridge Agent Release Notes and the NetIQ Cloud Bridge Agent Installation and Administration Guide.
IMPORTANT:The connector jar files used for identity and application data collection and fulfillment have been updated to Java 11. The Cloud Bridge Agent 1.10.0 has been updated to JDK 17, which is backward compatible with JDK 11. If you have custom connectors that were compiled with JDK 8, you will need to recompile them with JDK 11. You must also ensure that any new custom connectors are compiled with JDK 11.
The CBA installation script does not automatically remove custom connectors from the bridge-lib folder, so you must manually remove them if you want to replace them with the updated connectors.
Additionally, with JDK 17, the Nashorn JS Engine is no longer a part of the JDK. As a result, Identity Governance 4.2 and Cloud Bridge 1.10.x now utilize the Graal JS Engine. This change could impact your transformation scripts in collectors and fulfillment, as well as your code in a custom collector or fulfillment. Ensure that you review and test all of your transformation scripts and custom code accordingly.
After installing the agent, you must configure a data source connection in Identity Governance, then add credentials using the Cloud Bridge Agent UI. For information about configuring data source connections, and adding credentials, see Identity Governance as a Service User and Administration Guide and Cloud Bridge Installation and Administration Guide.
When adding credentials, in addition to unique ID, user name, and password, you must also specify the appropriate ordinal for the authentication method. When a connector (collector or fulfiller) takes only one credential pair, then the default ordinal value of 0 is used. When a connector supports more than one credential pair (user name and password) combination such as the IDM AE Permission Collector and SCIM collectors and fulfiller, then you need to specify additional ordinals.
NOTE:The user name and password fields are limited to 255 characters.
You can view the existing credentials you have by visiting http://localhost (CBA IP address or DNS name):8080/api/v1/credential. Since the connector can only be configured for one type of authentication, the other credential sets will be unused by the connector.
IMPORTANT:When configuring the Cloud Bridge Agent, it is critical that the proper ordinal value be utilized for the authentication method being utilized. For example, if a SCIM Identity Collector is being configured in Identity Governance and Basic Auth is selected for the Authentication Method, the basic authentication credentials would need to be added to the Cloud Bride Agent using ordinal value 3. Also note that if an authentication method is chosen that requires multiple credential sets, ALL of these credential sets must be added to the CBA using specific ordinal values. For addition information about specific ordinal values and authentication methods, refer to the Identity Governance as a Service User and Administration Guide.
Once you have completed the above procedures and established data source connections with the Cloud Bridge, enable the collection using the out-of-the-box templates, then start collecting and fulfilling change requests. For information about collection and fulfillment see the following chapters in the Identity Governance as a Service User and Administration Guide:
For information about requesting access and performing other governance tasks such as setting up access reviews, and creating policies, and managing data, refer to the Identity Governance as a Service User and Administration Guide. For additional information regarding creating and customizing your request approval and fulfillment workflows, refer to the Workflow Service Administration Guide.
For additional documentation, visit the Micro Focus Identity Governance and Administration website.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@microfocus.com. We value your input and look forward to hearing from you.
For general corporate and product information, visit the Corporate Website.
For interactive conversations with your peers and experts, become an active member of our community. The online community provides product information, useful links to helpful resources, blogs, and social media channels.
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Copyright 2023 Open Text.