Access Governance Integration with Connected Systems

Connected Systems Overview

Oracle Access Governance can be integrated with target identity systems by defining a connected system.

A connected system allows you to load data from a remote target identity system into Oracle Access Governance. The connected system will define parameters such as connection details that are required to access remote identity data. Where a direct connection between Oracle Access Governance and the target identity system is not possible, an agent may be deployed to bridge between the two.


Identity Orchestration in Access Governance

Integration Concepts

Identity Orchestration in Oracle Access Governance is made up of the following components:

  • Connected System: A connected system is the footprint definition for a target identity system that can be integrated with and provide data to Oracle Access Governance. Once defined, the connected system enables integration and data synchronization between target identity systems and Oracle Access Governance, through either a direct connection or an agent.
  • Oracle Access Governance Console: The Oracle Access Governance Console allows users with the Administrators application role to register the connected system, download the agent docker image where the connection to the target system is indirect, and configure and monitor the progress of the connected system in real time. The Oracle Access Governance Console also supports life cycle activities such as resetting the connected system status to trigger a full or incremental synchronization, and disabling or enabling the connected system.
  • Agent:

    The Oracle Access Governance agent is a docker image-based agent that allows Oracle Access Governance to synchronize continuously or periodically with target identity systems where a direct connection is not available. The agent runs scheduled distributed extract-transform-load (ETL) jobs to perform full or incremental synchronization of remote identity data, such as users, roles, application instances, entitlements, and entitlement assignments, to Oracle Access Governance. Once registered and installed, the agent can be monitored via the Oracle Access Governance Console. The agent runs in a docker environment hosted in the customer's own environment, which should meet the following prerequisites:

    • Docker or Podman installed
    • Network connectivity to the customer's target identity database
    • Network connectivity to the customer's Oracle Access Governance instance hosted in Oracle Cloud

    The agent uses the configuration entered in Oracle Access Governance to connect to the connected system. The agent extracts data from the connected system, transforms it, and then pushes it to Oracle Cloud Infrastructure Object Storage over HTTPS. Once transferred to object storage, the data is then picked up by the Oracle Access Governance ingestion service and is loaded into Oracle Access Governance for consumption. On completion of access review campaigns, any permissions that have been revoked in Oracle Access Governance will be remediated by raising a revoke operation in the connected system. This revoke request will be passed to the connected system via the agent.

    Agents are applicable only in cases where a direct connection cannot be established with Oracle Access Governance. Typically, you will need an agent when integrating with the on-premises target systems. The Oracle Access Governance agent acts as an arbitrator supporting synchronization of identity data between target systems and Oracle Access Governance.

Manage the Connected System

The connected system can be added and managed from the Oracle Access Governance Console.

Note:

The connection details depend on the type of connected system. This section explains the Manage Connected System screen and lists the general steps to manage connected systems. Refer to the documentation on integration with target systems to connect to a specific target system.

In the Oracle Access Governance Console, from the navigation menu, select Service Administration → Connected Systems, and then select Add a connected system to add a new connected system, or select Service Administration → Connected Systems to manage the existing connected systems.

On the Manage Connected System screen, for each connected system, you can view a list of activities, their statuses, when they were initiated, the total time taken to complete each activity, and the name of the user who performed that activity. You can also initiate a data load, update connection settings, and disable the connected system.

In the Activity Log, you can view the following activities:
  • Data load: Initiates when a data load is either run on demand by the Administrator or auto-synced as per the system settings. Currently, the data automatically refreshes 24 hours after the previous data load activity.
  • Full data load: Initiates when the data is synced for the first time after the new connection is established.
  • Validate: Initiates when a new connection is established or when you update the connection settings.
  • Revoke: Initiates when an access reviewer revokes one or more user privileges in the access review tasks. This activity occurs to support closed-loop access remediation.
  • Schema discovery: Initiates when a new connection is established, or when you select the Fetch attributes button in the Custom Identity Attributes page.

Data Load

To initiate a data load from the target connected system instance, perform the following tasks.

  1. In the Oracle Access Governance Console, access the navigation menu by selecting the Navigation Menu icon. Select Service Administration → Connected Systems.
  2. In the Connected Systems screen, select the Manage button for the Oracle Access Governance connected system you want to manage.
  3. Select the Load data now option from the Actions drop-down menu in the top right-hand corner. This will initiate a data load and you can track the status in the Activity Log.

Update Connection Details

To update the connection details used by the connected system to connect to the target identity system, perform the following tasks.

  1. In the Oracle Access Governance console, access the navigation menu by selecting the Navigation Menu icon. Select Service Administration → Connected Systems.
  2. In the Connected Systems screen, select the Manage button for the connected system you want to update.
  3. Select the Change Settings option from the Actions drop-down menu in the top right-hand corner. Update connection settings and click Save.

Disable the Connected System

To stop the agent from running, disable the connected system by performing the following tasks.

  1. In the Oracle Access Governance Console, access the navigation menu by selecting the Navigation Menu icon. Select Service Administration → Connected Systems.
  2. In the Connected Systems screen, select the Manage button for the connected system you want to disable.
  3. Select the Disable button in the top right-hand corner. The agent will display a status of Disabled on the Connected Systems page.