General

Use this tab to enable or disable specific features, show user data and synchronization status, and to specify options for Separation of Duties, Security, User Access, Auditing, and Flier Notification.

The general configuration attributes are described in the following table:
Table 1. General configuration attributes.
General

Enable Bulk Load input file download

Select to add the Input File column in the log records that are displayed after you upload Bulk Data Load files in Tools > Bulk Data Load.

For each log record, the Input File column shows the Input File icon. An administrator can select this icon to get the file that was used in the operation.

The option applies to the Bulk Data Load tool in the Access Governance Core and Access Risk Controls modules. It does not apply in Access Risk Controls for SAP, where the column is never present.

By default, the option is not selected.

Disable Access Certification dashboards

Select to disable all certification dashboards in the Service Center.

Disable Access Requests dashboards

Select to disable all Access Requests dashboards in the Service Center.

View Person's sensitive data

If selected, all personal data is visible to Verify Governance modules; otherwise, it is hidden.

View Person's synchronization status

If selected, the Sync column is added in the Users list in Access Governance Core > Manage > Users. If a user's accounts, application access, or rights have synchronization errors between the Access Governance Core records and the records that are stored in an external target, a synchronization error icon (two curving yellow arrows that face each other, with a yellow exclamation point in between) is displayed in the user's row. The administrator can click the icon to display the Fulfillment window, view the items that are out of synchronization, and select actions to synchronize them.

Note that if you select this option, the Fulfillment tab is removed from the right frame. The reason is that selecting the synchronization error icon in the Sync column and opening the Fulfillment tab have the same effect. The only difference is that, while the Fulfillment window lists only the user's items that are out of synchronization, the Fulfillment pane also shows the items that are aligned. The main advantage of showing the Sync column is that an administrator can more readily see which users have out-of-synchronization records.

Request Center Layout

Select how the Request Center tabs are presented to users who hold administrative roles or to users who make self-requests:
  • Task Based: The tabs are laid out based on the workflow setups that the users are assigned in Process Designer.
  • Role Based: The tabs are laid out based on the roles that the users hold.
View Statistics for Access Certification Campaigns

If selected, the Show Certification Progress Bar option is selected by default in the Details page of the configuration of Access Certification campaigns (Access Governance Core > Configure > Certification Campaigns). This means that the progress bars are directly displayed to reviewers and supervisors in the Campaign summaries in Access Certification.

If not selected, the Show Certification Progress Bar option is unselected by default. This means that the progress bars are displayed only if reviewers or supervisors select the progress bar icon (three vertical blue bars of different heights) in the Campaign summaries of Access Certification.

By default, this attribute is selected.

Log Level

Four different log levels can be set:

  • Error: Records errors only.
  • Warning: Records errors and indications of possible errors.
  • Info: Records errors, warnings, and information messages.
  • Debug: Records errors, warnings, information messages, and messages associated with the debugging phase.
Prevent account deletion when used in role(s)

With IBM Security Verify Governance v10.0 Fix Pack 2, the administrator has the capability to prevent an account from being deleted if it is associated with one or more roles. For more information, see Prevent account deletion if associated with a role.
SoD/External SoD

Enable Role Policy

If selected, all controls for role conflict (Access Risk Controls) are enabled, including controls for External SoD.

Enable external SoD

If selected, the information about risks associated with users is provided by external systems.

Split Role into Permissions

If selected, the common hierarchical structure of a Role is split into a flat collection of component Permissions before it is sent to an external SoD engine.

Rest

With this radio button, you can specify the REST service address.

Class

With this radio button, you can specify the Java class that is used for managing external SoD.
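As an added illustration of the Split Role into Permissions option (example code, not the product's own), the following shows what an external SoD engine receives with the option on versus off. The role hierarchy, permission names and payload shape are constructed assumptions, not the Verify Governance data model.

```python
from typing import Dict, List, Set

# Constructed role hierarchy for this illustration (assumed structure, not the
# product's data model): each role has its own permissions and child roles.
ROLES: Dict[str, dict] = {
    "FinanceManager": {"permissions": {"GL:POST"}, "children": ["AP_Clerk", "AP_Payer"]},
    "AP_Clerk": {"permissions": {"AP:CREATE_VENDOR"}, "children": ["GL_Reader"]},
    "AP_Payer": {"permissions": {"AP:PAY_INVOICE"}, "children": []},
    # Deliberate cycle back to the top role, to show the traversal is cycle-safe.
    "GL_Reader": {"permissions": {"GL:READ"}, "children": ["FinanceManager"]},
}


def split_role_into_permissions(role: str, roles: Dict[str, dict]) -> List[str]:
    """Flatten a role and every role nested below it into one sorted permission list."""
    seen: Set[str] = set()
    permissions: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded, or a cycle in the hierarchy
        seen.add(current)
        if current not in roles:
            raise ValueError("unknown role in hierarchy: %s" % current)
        node = roles[current]
        permissions.update(node["permissions"])
        stack.extend(node["children"])
    return sorted(permissions)


def build_external_sod_request(user: str, role: str, roles: Dict[str, dict], split: bool) -> dict:
    """Payload handed to the external SoD engine with the option on or off.

    With split=True the engine sees the flat permission set, so a conflict such as
    AP:CREATE_VENDOR held together with AP:PAY_INVOICE is visible even though the
    two permissions live in different nested roles. With split=False the engine
    only sees the role name and must resolve the hierarchy itself.
    """
    if split:
        return {"user": user, "permissions": split_role_into_permissions(role, roles)}
    return {"user": user, "roles": [role]}
```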
Security

Token Validity (minutes)

Indicates how long the SAML token remains valid, expressed in minutes.

The SAML token contains sensitive information related to the user accessing the system, and is used for different steps of the authorization process.

Password Hashing Algorithm

Select the algorithm to use for password hashing.

The ISVG v10.0.2 Fix Pack 3 release supports the PBKDF2 with HMAC-SHA256 algorithm, in addition to the SHA-256 algorithm.

To use this feature, you must complete the following steps:
  1. During the installation or upgrade to the ISVG 10.0.2 Fix Pack 3 release, ensure that you run the database upgrade script.
  2. Run the pepper value utility to set the pepper value.
  3. In Access Governance Core, go to Settings > Core Configurations > General > Security and set the Password Hashing Algorithm option to PBKDF2-HMAC SHA-256.
Attention:
  • Pepper is an application-wide value, and you can configure it only once.
  • By default, SHA-256 is selected. Note that after you select the PBKDF2-HMAC SHA-256 option, you cannot go back to SHA-256.
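To show what the PBKDF2-HMAC-SHA256 with pepper option changes compared with plain SHA-256, here is an added example that is not the product's code: a verifier that accepts hashes of either scheme, so legacy records keep working after the switch. The storage format, iteration count and the way the pepper is bound to the password are assumptions for illustration, not Verify Governance's internal scheme.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration; not the product's internal format.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_sha256(password: str) -> str:
    """Legacy scheme: a single SHA-256 digest of the password (assumed form)."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 over the peppered password with a per-record salt.

    The pepper is an application-wide secret kept outside the database, so a
    dumped hash table cannot be checked offline without it. The salt is stored
    with the hash and makes every record's derivation unique.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    # Bind the secret pepper to the password before key stretching.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Check a password against a stored hash of either scheme, in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        return hmac.compare_digest(hash_sha256(password), stored)
    if scheme == "pbkdf2-sha256":
        iterations, salt_b64, dk_b64 = rest.split("$")
        peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
        dk = hashlib.pbkdf2_hmac("sha256", peppered, base64.b64decode(salt_b64), int(iterations))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    raise ValueError("unknown password hash scheme: %r" % scheme)
```

The last check in the PBKDF2 branch is what the pepper buys: a record copied out of the database verifies only when the application-wide pepper is also known.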
Access

Select what credentials are requested by the system to grant users access to the Service Center.

Login UserID and Password

The credentials requested in the login phase are User ID and password.

Login User ID

Select this option if you are using a single sign-on authentication method that is based on OpenID Connect (with external user registry only) or on ISAM (external authentication). The identity of the user is paired with the name of an account that is owned by the user. These two items are used to grant access to a user.
When you select this option, you are asked to select an account name in another window.
  • If you select Ideas, you are also asked to select the name of an attribute of this account.
  • If you select another account, no attribute is asked. The account name alone is used.

If the system uses external authentication for single sign-on and this option is not selected, by default it authenticates with the Ideas account and the code attribute.

See Single sign-on overview for reference.

Login DN

The credentials requested in the login phase include the distinguished name extracted from a digital certificate (generally stored on a smart card).

Login SAML

The credential requested in the login phase is a SAML token.

Internal authorization

Select this option if you are using a single sign-on authentication method that is based on LTPA keys (internal authentication). Note that this option disables the Forget password feature.

See Single sign-on overview for reference.

Auditing

Set Hour

If selected, sets the Start (hh:mm) attribute and changes the measurement unit of the Repeat every attribute from minutes to hours.

Start (hh:mm)

Defines the time to start the daily audit task.

Repeat every

Defines the snooze time (in seconds).

Number of Lines

Number of lines involved in the audit process.

Account Matching

Enable automatic account matching

When an automatic account creation is triggered, if this option is selected, the application attempts to find an existing unmatched account and to associate it with the user. If there is no applicable unmatched account, the application creates a new account for the user.

If the option is not selected, the application creates a new account without searching for unmatched accounts.

Flier Notification
In the Administration Console and the Service Center, notifications to users are displayed in self-dissolving fliers at the top of the current window.
Note: This applies only to user notification messages. Messages that are issued following actions that involve the input or change of data are shown in pop-up windows.

Information message timeout (seconds)

Specify the number of seconds, from 1 to 60, that flier notifications for Information messages are displayed before dissolving. The default is 3 seconds. If you enter -1, users must click the fliers to close them.

Warning message timeout (seconds)

Specify the number of seconds, from 1 to 60, that flier notifications for Warning messages are displayed before dissolving. The default is 5 seconds. If you enter -1, users must click the fliers to close them.

Error message timeout (seconds)

Specify the number of seconds, from 1 to 60, that flier notifications for Error messages are displayed before dissolving. The default is 10 seconds. If you enter -1, users must click the fliers to close them.
Custom Hierarchy

Hierarchy

For detailed information about this section, see Hierarchy options.

Hierarchy options

Custom hierarchy for role consolidation and connector sync

Instead of the default hierarchy, you can choose a different (custom) hierarchy. From the drop-down list, select the type of hierarchy, for example ORGANIZATIONAL_UNIT.
Hierarchy empty node retain option

Prior to ISVG 10.0.2 FP4 release, all the empty nodes in the custom hierarchy were automatically deleted. ISVG 10.0.2 FP4 release provides you the capability to either retain or delete the empty nodes in the custom hierarchy, as per your requirement.

This field provides three options as described here: 
  • Retain All: All the empty nodes in custom hierarchy are retained, preserving the current structure.
  • Retain Default: Only those empty nodes in custom hierarchy that are assigned with default entitlements are retained. Other empty nodes are deleted.
  • Retain None: All the empty hierarchy nodes for custom hierarchy are deleted.
Consolidate role within assigned group
Use this check box to determine the behavior of role consolidation with respect to the groups (organization units) that are assigned to the role under the Access Governance Core > Manage > Roles > Organization Units tab.
  • Check box is not selected (default behavior): When the check box is clear, the roles are consolidated for users in all the groups from the hierarchy that is selected in the Custom Hierarchy field. Furthermore, any group from the hierarchy that is not already assigned to the role is assigned if that group has a user who was part of the consolidation process.
  • Check box is selected: When the check box is selected, the role is consolidated only for those users in the groups that are already assigned to the role and that belong to the hierarchy selected in the Custom Hierarchy field.
Note: In the scenario where this check box is selected but there are no groups assigned to the role before the role consolidation begins, the default behavior is applied (that is, the roles are consolidated for users in all the groups from the hierarchy that is selected in Custom Hierarchy field).

Click Save to record your selections.

Important: If you enabled Enable external SoD with the Rest radio button, you must update two IBM Security Identity Governance Task Planner tasks:
  • NightShiftAccessRiskControls
  • HousekeepingCore
Proceed according to the following procedure:
  1. Access the Task Planner module
  2. Select Manage > Tasks
  3. Select Actions > Add
  4. In the Details tab, set the name of the new task as SystemRiskAnalysis
  5. In the Scheduler combo box, select the Singleton scheduler
  6. Click Save
  7. Repeat steps 3, 4, 5 and 6 for a new task that you name BatchProccessedActionsAGC
  8. In the Task tab, select the NightShiftAccessRiskControls task
  9. Stop the task with Actions > Stop
  10. Repeat steps 8 and 9 also for the HousekeepingCore task
  11. Select the stopped NightShiftAccessRiskControls task
  12. In the central frame, select the Job tab
  13. Select the SystemRiskAnalysis job and delete it with Actions > Remove
  14. Select the stopped HousekeepingCore task
  15. In the central frame, select the Job tab
  16. Select the BatchProccessedActionsAGC job and delete it with Actions > Remove
  17. In the Task tab, select the SystemRiskAnalysis task
  18. In the central frame, select the Job tab
  19. Select Actions > Add
  20. In the Specify a Job for This Task pop-up window, select the SystemRiskAnalysis job
  21. Click Ok
  22. Repeat steps 17, 18, and 19 for the BatchProccessedActionsAGC task
  23. In the Add a Job to a Task pop-up window, select the BatchProccessedActionsAGC job
  24. Click Ok
  25. In the Task tab, select the NightShiftAccessRiskControls task
  26. Start the task with Actions > Start
  27. Repeat steps 25 and 26 for the HousekeepingCore, SystemRiskAnalysis, and BatchProccessedActionsAGC tasks
Important: To update the risk patterns of the registered users after enabling or disabling External SoD, run the Refresh Violation Detection operation. To do this, go to the Access Risk Controls module and select Tools > Refresh Violation Detection.

Prevent account deletion if associated with a role

Consider a scenario in which, as an administrator, you want to ensure that certain critical accounts are not inadvertently deleted when they are being used in a role. With IBM Security Verify Governance v10.0 Fix Pack 2 and later versions, the administrator has the capability to prevent an account from being deleted if it is associated with one or more roles. To enable this feature, perform the following steps:
  1. Log in to Administration Console as an administrator.
  2. Go to Access Governance Core.
  3. Go to the Settings > Core Configurations > General tab.
  4. Enable the check box Prevent account deletion when used in role(s).
    Note: By default, this check box is not selected.
  5. Save the changes.
When the check box is unchecked (Default behavior)

For example, consider a user, John, who has a Developer role that requires an account, Acct1, for each application. If an administrator removes Acct1, the account is removed while John's Developer role membership is preserved.

It is also possible to recover the deleted or missing account. Perform the following steps to recover the deleted or missing account:
  1. Go to View Entitlement.
  2. In Account Selection, select the application for which you want to recover the deleted or missing account.
  3. Click Add New.
  4. In the Account Creation dialog, provide the required details, and save the changes.
If the check box is selected

When the Prevent account deletion when used in role(s) check box is selected, if you try to delete an account that is used in one or more roles, an error message appears, informing you that the account is used in the specified roles and therefore cannot be deleted until you de-link the associated roles.