WHAT'S NEW IN IBM SECURITY VERIFY GOVERNANCE V10.0.0 FIX PACK 2
IBM Security Verify Governance v10 FP2
WHAT’S NEW IN THIS RELEASE © Copyright IBM Corp. 2021

Contents

• WHAT’S NEW IN ISVG10 FP02
• PREVENT ACCOUNT DELETION IF ASSOCIATED WITH A ROLE
• PROVISION FOR INTERNAL EVENT FOR ADMIN ROLE SCOPE ASSIGNMENT CHANGE
• CAPABILITY TO GENERATE A DISK SPACE REPORT
• NOTICES, COPYRIGHT LICENSE AND TRADEMARKS

What’s new in ISVG10 FP02

The IBM Security Verify Governance (ISVG) version 10 Fix Pack 2 release delivers the following new features:

• Capability to prevent account deletion if the account is associated with one or more roles.
• Provision for new internal events for admin user role scope changes: When the admin role scope is changed (scope added or deleted) for any user, an internal event is generated based on the scope defined for that admin role (Application/Organization Units/Entitlement/Risk/Attribute Hierarchy). These events are listed under “Internal Event”, and operation codes are available to filter these records. Users can now define custom rules for the generated events.
• Capability to generate a disk space report using the command line.

Prevent account deletion if associated with a role

Consider a scenario in which, as an administrator, you want to ensure that certain critical accounts are not inadvertently deleted while they are being used in a role. With IBM Security Verify Governance v10.0 Fix Pack 2, the administrator can now prevent an account from being deleted if it is associated with one or more roles.

To enable this feature, perform the following steps:

1. Log in to Administration Console as an administrator.
2. Go to Access Governance Core.
3. Go to the Settings → Core Configurations → General tab.
4. Enable the check box “Prevent account deletion when used in role(s)”.
   Note: By default, this check box is not selected.
5. Save the changes.

When the check box is unchecked (default behavior)

For example, consider a user ‘John’ who has a Developer role, for which John requires an account Acct1 for each application. If the administrator removes Acct1, the account is removed while John’s Developer role membership is preserved.

It is also possible to recover the deleted or missing account. Perform the following steps:

1. Go to View Entitlement.
2. In Account Selection, select the application for which you want to recover the deleted or missing account.
3. Click Add New.
4. In the Account Creation Dialog, provide the required details, and save the changes.

If the check box is selected

When the “Prevent account deletion when used in role(s)” check box is selected, if you try to delete an account that is used in one or more roles, you will see an error message informing you that the account is being used in the specified roles and hence cannot be deleted until you de-link the associated roles.

Provision for internal event for admin role scope assignment change

With IBM Security Verify Governance (ISVG) version 10 Fix Pack 2, you can implement custom behaviors based on changes in the admin role scope for any user.

When the admin role scope changes for any user (for example, a scope is added or deleted), an internal event is generated based on the scope defined for that admin role (Application/OU/Entitlement/Risk/Attribute Hierarchy) and displayed under the “Internal Events” list. You can then filter these records using the appropriate operation codes.

These internal events are created with Entity Type as “User” and hence capture all the information about the user along with the entitlement and the scope details.

The following types of internal events are generated when a new scope is added or deleted for any admin role assignment from the Administration Console or the Service Center:

• Add User Role Scope
• Delete User Role Scope

In this topic, we will see how to generate these internal events from the Access Governance Core UI (Administration Console) as well as from the Service Center using the Admin Access Request workflow.

Generating internal events from Administration Console

1. Log in to Administration Console as an administrator.
2. Click Access Governance Core.
3. First, we need to enable the settings for internal events. Go to the Settings tab and then select the Internal Events tab.
4. Under the User section, select the option Enable Personal Data Internal Events. Click Save. Internal events are now available for usage.
5. Next, we will configure the required events. Go to the Configure tab and select Admin Roles.
6. From the list of Admin roles, select the required admin roles.
7. Go to the Scope tab and select the type of scopes from the list.
8. Next, let us change the scope by adding a new user. The next steps are for guidance purposes and can be modified based on your requirements.
9. Go to the User tab. Click Action and add a new user to the Employee role.
10. Select a new user from the list.
11. Add the new user to the Employee Role.
12. There are two Scopes tabs in the Resource window: Organization Units and Applications. Select the Sales Division as Organization Units. Click Add to Table on Right.
13. Thereafter, click the Application tab and select the Sales Application. Click Add to Table on Right.
14. Click OK to save the user with two individual Scopes, that is, Organization Units and Applications.

Modifying the User Scope

1. From the Access Governance Core, go to the Monitor tab and then go to Internal Events. The scopes for the new user that you added are displayed in the list: Organization unit and Application.
2. We will now edit the scope for the newly added user. Go to the Configure tab and then the Admin Roles tab. Select Admin role as Employee.
3. Next, go to the User tab. From the list, select the newly added user.
4. Click Action. Edit the scopes as shown below as an example:
   a. In Organization Units, select the Organization Unit from the right pane. Click ‘Remove from Table on Right’. From the left pane, select an Organization Unit other than the previously added one. Click ‘Add to Table on Right’ (for example, replace Sales Division with HR Organization).
   b. In Applications, select the Application from the right pane. Click ‘Remove from Table on Right’. From the left pane, select an Application other than the previously added one. Click ‘Add to Table on Right’ (for example, replace Sales Application with External_Application).

Verifying the events generation from Admin Console:

1. From the Access Governance Core, go to the Monitor tab and then go to Internal Events. The Event List shows the previous two user role scopes as deleted (Delete User Role Scope) and the two new scopes as added (Add User Role Scope).
2. You can also use the Filter menu to quickly search for the Added/Deleted events:
   a) For example, select Add User Role Scope as the Operation code (from the drop-down) and click Search. The events under Add User Role Scope are displayed.
   b) Similarly, select Delete User Role Scope as the Operation code (from the drop-down) and click Search. The events under Delete User Role Scope are displayed.

Generating internal events from Service Center

1. Log in to the Service Center.
2. Go to the Home tab and click Request Center. You can see the Admin Access Request workflow.
3. Click the Catalog tab and then select the Current Entitlement tab to request a change for Scopes.
4. Go to the Action tab and click Next.
5. Click the Application Resource tab under the Action toolbar to Change/Add the Scopes.
6. The Resource Assign window opens to Change/Add different Applications.
7. Select the Scope (for example: Sales_Application) from the list, click Add to Table on Right, and then click OK.
8. Enter the Request Notes for approval and submit. A notification for successful request submission is displayed. Click Logout.

For event generation, the request needs to be approved by the Approver. To approve the request:

1. Log in as the User’s Manager (or as administrator) in the Service Center portal to approve the request.
2. Go to Request Center. The Authorize Admin access Request tab displays the pending requests.
3. Click the Tick mark under the Action toolbar to approve the pending requests, add an Approval Note, and click OK.

Verifying the event generation from Administration Console

1. Log in to Administration Console as an administrator.
2. Go to Access Governance Core.
3. Go to the Monitor tab and click Internal Events. You can view the generated events for adding the application as user role Scope.

Similarly, you can generate and view the events for removing a user role scope from the Service Center.

1. Log in as a user to Service Center.
2. Go to the Home tab and click Request Center.
3. Change or remove the Application Resource. Select the scope (for example, Sales_Application) from the list, click Remove from Table on Right, and then click OK.
4. Enter the Request Notes for approval and submit.
5. Next, log in as the Approver to approve the request.
6. Go to Request Center. The Authorize Admin access Request tab displays the pending requests.
7. Click Approve the pending requests and then click OK.

Verifying the event generation from Administration Console

1. Log in to Administration Console as an administrator.
2. Go to Access Governance Core.
3. Go to the Monitor tab and click Internal Events. You can view the generated events for deleting the application as user role Scope.

You can now use the rule flows for both types of internal events (Add User Role Scope and Delete User Role Scope) and implement change control using your custom rules. Perform the following steps:

1. Log in to IBM Security Verify Governance.
2. Click the Configure tab.
3. Under the Rules section, select Rule Class as Live Events, and Queue as INTERNAL.
4. Under the Rule Flow section, the following two new scopes are displayed:
   a) Add User Role Scope
   b) Delete User Role Scope
   Let us proceed using Add User Role Scope as an example. You can create different types of rules for the following actions of the event ‘Add User Role Scope’:
   a) Before
   b) Run
   c) After
5. Select Before and click Package Imports in the right-hand side column.
6. Under the Package Imports section, beans are provided for these events:
   • Event Internal Beans
   • User Bean
   • Entitlement Bean
7. Select Rules Package. Click the Action tab and create.
   • A new window opens for Rule Creation.
   • Enter the Rule Name and Description (logic), and Save.
8. Similarly, you can select the rule flow as Delete User Role Scope. You can create different types of rules for the following actions of the event Delete User Role Scope:
   a) Before
   b) Run
   c) After
9. Select Before and click Package Imports on the right-hand side column.
10. Under the Package Imports section, beans are provided for these events:
   • Event Internal Beans
   • User Beans
   • Entitlement Beans
11. Select Rules Package. Click the Action tab and modify or create.
   • A new window opens for Rule Creation.
   • Enter the Rule Name and Description (logic), and Save.
12. Select Verify from the Action tab. The system checks all the rules created for compilation issues. After successful compilation, a notification is displayed on the screen:
   • Rule 1 - OK

NOTE: The information related to scope changes is stored in the EVENT_INTERNAL table.

• The column ENTITY2_ATTR1 displays the type of scope which is changed.
• The column ENTITY2_ATTR2 displays values for the scope which is changed.
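
The scope-change rows described in the note above can also be reviewed outside the console. The following is an added example, not IBM code: it reads a constructed CSV export of EVENT_INTERNAL rows and pairs each Delete User Role Scope with the following Add User Role Scope for the same user and scope type, so a reviewer sees replacements, net new grants and revocations. The columns EVENT_TIME, USER_ID and OPERATION, the user names and the five-minute pairing window are assumptions; only ENTITY2_ATTR1, ENTITY2_ATTR2 and the two operation names come from this document.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of EVENT_INTERNAL rows. Only ENTITY2_ATTR1,
# ENTITY2_ATTR2 and the two operation names come from the release notes;
# EVENT_TIME, USER_ID and OPERATION are assumed column names.
SAMPLE_EXPORT = """EVENT_TIME,USER_ID,OPERATION,ENTITY2_ATTR1,ENTITY2_ATTR2
2021-06-01T10:00:00,jdoe,Add User Role Scope,Organization Units,Sales Division
2021-06-01T10:00:01,jdoe,Add User Role Scope,Applications,Sales Application
2021-06-02T09:30:00,jdoe,Delete User Role Scope,Organization Units,Sales Division
2021-06-02T09:30:02,jdoe,Add User Role Scope,Organization Units,HR Organization
2021-06-02T09:31:00,jdoe,Delete User Role Scope,Applications,Sales Application
2021-06-02T09:31:01,jdoe,Add User Role Scope,Applications,External_Application
2021-06-03T14:00:00,asmith,Delete User Role Scope,Applications,Sales Application
"""

ADD, DELETE = "Add User Role Scope", "Delete User Role Scope"


def summarize_scope_changes(csv_text, window=timedelta(minutes=5)):
    """Pair each delete with the next add for the same user and scope type.

    Returns (user, scope_type, kind, old_value, new_value) tuples where kind
    is 'replaced', 'granted' (add with no recent delete) or 'revoked'.
    Assumes an edit is logged as a delete followed by an add within `window`.
    """
    pending = defaultdict(list)  # (user, scope type) -> unmatched deletes
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["EVENT_TIME"])
    for row in rows:
        if row["OPERATION"] not in (ADD, DELETE):
            continue  # other internal events are not scope changes
        when = datetime.fromisoformat(row["EVENT_TIME"])
        key = (row["USER_ID"], row["ENTITY2_ATTR1"])
        value = row["ENTITY2_ATTR2"]
        if row["OPERATION"] == DELETE:
            pending[key].append((when, value))
            continue
        # Deletes older than the window are plain revocations, not edits.
        while pending[key] and when - pending[key][0][0] > window:
            findings.append(key + ("revoked", pending[key].pop(0)[1], None))
        if pending[key]:
            findings.append(key + ("replaced", pending[key].pop(0)[1], value))
        else:
            findings.append(key + ("granted", None, value))
    for key, leftovers in pending.items():
        findings.extend(key + ("revoked", old, None) for _, old in leftovers)
    return findings


if __name__ == "__main__":
    for finding in summarize_scope_changes(SAMPLE_EXPORT):
        print(finding)
```

Rows reported as 'granted' are the ones to check against an approved Admin Access Request, since they widen an administrator's scope rather than swap one value for another.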

For example, if for the scope Organization Units, you change the organization from SALES Division to RV_Enterprise, then the table shows the following details:

Column name       ENTITY2_ATTR1         ENTITY2_ATTR2
Original value    Organization Units    SALES DIVISION
New value         Organization Units    RV_Enterprise

Capability to generate a disk space report

With IBM Security Verify Governance (ISVG) version 10 Fix Pack 2, you can use the disk_space_report command to generate a list of all the virtual appliance files with file size greater than 10 MB.

To generate the disk space report, perform the following steps:

1. Access the command-line interface (CLI) of the virtual appliance from an ssh session or the console.
2. From the command line interface, log on to the Verify Governance virtual appliance.
3. Type the cli command at the igivasrv prompt, as shown:

   igivasrv > cli

4. Type the disk_space_report command at the igivasrv:cli prompt, as shown:

   igivasrv: cli > disk_space_report

   The command requires no arguments. The disk space report is displayed in the command line output.
5. In addition, the disk space report is also stored in a file highdiskusagedetails.txt. To access this file:
   1) From the top-level menu of the Appliance Dashboard, go to Configure → Advanced Configuration → Custom File Management.
   2) Go to the disk_space_report directory, and open the file highdiskusagedetails.txt.

NOTICES, COPYRIGHT LICENSE AND TRADEMARKS

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary.
Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Copyright License

This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

The Oracle Outside In Technology included herein is subject to a restricted use license and can only be used in conjunction with this application.

Other product and service names might be trademarks of IBM or other companies.

— End of Document —