Deep and Shallow Use Cases

Identity Governance supports two modeling strategies. You can use one of these strategies in any given Identity Governance universe.
  • Shallow use case
    A shallow use case involves role modeling based on business or organizational roles. The shallow use case enables you to analyze roles arising from the activities of your organization, and requires the product to import data from several different endpoints. We refer to this approach as “shallow” because the use case examines data from across your organization’s endpoints to a depth of one level of application privileges. For example, this use case can analyze privileges to resources in an ERP application, Active Directory, and several Unix servers.
  • Deep use case
    A deep use case involves role modeling based on application roles. This strategy enables you to build your role model around user permissions within a single application. For example, you would use a deep use case to analyze permissions within your organization’s SAP system. This requires the product to import data from only one endpoint. We refer to this approach as "deep" because it views the data from a granular perspective.
The deep use case is supported with the CA IAM Connector Server.
Shallow Use Case
A shallow use case works with data from several different endpoints to analyze organizational roles and perform certification or role modeling. The object mapping between Identity Governance and the endpoint system is less granular than in a deep use case.
  • Shallow Use Case with Identity Governance and Identity Manager
    When importing data in a shallow use case where endpoints are managed with Identity Manager, a specific universe is generated. Endpoint privileges, groups, and roles are mapped to Identity Governance resources, and Identity Manager provisioning roles and account templates are mapped to Identity Governance roles. When Identity Governance exports universe data back to Identity Manager, it updates changes to provisioning roles and account templates, and any additional or removed links between users, provisioning roles, nested provisioning roles, account templates, and endpoint privileges. Identity Manager translates these changes into links between user accounts and endpoint privileges, and where an account does not exist, a new account is created. Identity Governance does not export changes or additions to user attributes or resource attributes (you should manage these attributes with the user management tool or the native utilities of the endpoint, respectively).
  • Shallow Use Case with Identity Governance and CA IAM Connector Server
    You use Identity Governance with the CA IAM Connector Server (an optional part of the Identity Governance installation) to perform shallow mapping when your endpoints are not managed with Identity Manager. You do this by importing data from multiple endpoints through the CA IAM Connector Server. The selected endpoint permissions are modeled as resources, and business roles are modeled as roles. Export is not supported in this scenario.
Deep Use Case
A deep use case works with data from a single endpoint to perform certification or role modeling. The object mapping between Identity Governance and the CA IAM Connector Server is more granular than in a shallow use case. When you import data in a deep use case, you map some endpoint objects to Identity Governance resources and map other endpoint objects to Identity Governance roles. When you import data into a deep universe, ensure that you map all mandatory attributes of the endpoint to appropriate Identity Governance roles or resources.
You can use the CA IAM Connector Server to create a deep use case where you can analyze roles within an application. The CA IAM Connector Server allows you to connect to and manage endpoints in environments that are not managed by Identity Manager. The CA IAM Connector Server is an optional part of the Identity Governance installation.