Technical overview

IBM® Security Identity Governance and Intelligence is designed to retrieve and manage data from multiple targets through a set of modules, a directory integrator, and a database.

The following diagram illustrates the Identity Governance and Intelligence architecture.
Figure 1. Identity Governance and Intelligence architecture
Identity Governance and Intelligence has the following access points, which contain the different modules intended for Identity Governance and Intelligence administrators and business users.
  • Administration Console
  • Service Center

See Features overview and User interface for more information about the user interfaces and the modules.

Identity Brokerage is the gateway to directly integrate Identity Governance and Intelligence with targets and hubs using IBM Security Identity Adapters. These IBM Security Identity Adapters are sometimes referred to as Identity Brokerage Adapters in Identity Governance and Intelligence.

Directory integrator

The Security Directory Integrator is built into the Identity Governance and Intelligence virtual appliance, and multiple instances of it can be installed and configured.

The Security Directory Integrator is pre-configured with the following Identity Brokerage Adapters:
  • AIX®
  • HP
  • LDAP
  • Linux®
  • Solaris

All Identity Governance and Intelligence supported adapters can be installed externally to the virtual appliance. Depending on the adapter, an external Security Directory Integrator may be required.

Some IBM Security Identity Adapters can be installed in the selected Security Directory Integrator instance on the virtual appliance.

See the Identity Adapters product documentation at http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm to determine which adapters are supported in Identity Governance and Intelligence, and which can be installed on the virtual appliance.

Data tier

The Identity Governance and Intelligence data source is composed of various data entities, which are stored in the database and directory server.

Database server
The database server contains the following data entities.
Table 1. Data entities stored in the database server
  • Identity Governance and Intelligence data store: Inherited from the IBM Security Identity Governance data store, but it also contains other data artifacts that are used by the Identity Brokerage Providers module. Changes that are initiated from Identity Governance and Intelligence or from external target systems are recorded and processed asynchronously through queues. Identity Governance and Intelligence supports backward compatibility with existing IBM Security Identity Governance releases to support database upgrade.
  • Identity Brokerage data store: Contains data entities that are used by Identity Brokerage.
The virtual appliance can be deployed with an internal Postgres database or an external database. For the supported external database server and directory server, see the IBM Security Identity Governance and Intelligence Software Product Compatibility Report, http://www-969.ibm.com/software/reports/compatibility/clarity/softwareReqsForProduct.html.
Attention: An embedded PostgreSQL database environment requires higher resource consumption than the standard external DB2 database, so increasing the memory and CPU allocation is critical to ensure stable operation of the environment. When the database is co-resident in the VA, the CPU and memory resources are taxed additionally, because they serve both the Identity Governance processes and the database management processes. In laboratory tests, the CPU requirements on the VA are 2 to 3 times higher when running with PostgreSQL than the combined requirements of a VA and a database running with DB2. The additional memory and CPU requirements matter most in the PostgreSQL cluster scenario when data replication is enabled. Even with the additional memory and CPU, the performance of this environment still falls behind that of DB2.

At this time, PostgreSQL is not recommended for mission-critical environments, or deployments where performance requirements are high.

The virtual appliance administrator can later change the setup, from using an internal database to using an external database. See Managing the database server configuration and Managing the Postgres database.

Directory server

Data that is stored in the directory server includes the target configuration and target cache. Identity Brokerage uses these data entities when processing change requests.

Data models

The Identity Governance and Intelligence database model is patterned on how the organization is structured in terms of the:
  • Different entities that are registered in the organization
  • Links and relationships between these entities
  • Sets of application policies and processes that the organization uses to manage those entities
Identity Governance and Intelligence consists of a core data model and an extended data model.
Table 2. Data models
  • Core data model: Contains elements that define the organizational structure.
  • Extended data model: Contains elements that support the risk definition and detection layer of Identity Governance and Intelligence.

High availability and disaster recovery

Implementing high availability is about ensuring that services are always available. Disaster recovery is the process of restoring the service to a production state after an outage.

To deploy Identity Governance and Intelligence with high availability, set up a virtual appliance cluster and use a load balancer. See Planning for high availability.

If the master Postgres database fails or the primary node becomes unavailable, follow the failover procedure to recover the system. See Recovering from a Postgres database failure.

For a basic level of disaster recovery, deploy Identity Governance and Intelligence as two virtual appliances in an active-passive configuration. See Setting up a secondary virtual appliance for active-passive configuration.