MySQL Database Application Guide

Version 1.2 | November 2017

RSA Identity Governance and Lifecycle | Database MySQL Application Guide

Contact Information

Go to the RSA corporate website for regional Customer Support telephone and fax numbers: http://www.emc.com/domains/rsa/index.htm. For technical support, contact RSA at [email protected].

Trademarks

Dell, RSA, the RSA Logo, EMC and other trademarks, are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to Dell Inc., are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by Dell Inc.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any Dell software described in this publication requires an applicable software license. Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

©2017 Dell Inc. or its subsidiaries All Rights Reserved.


CONTENTS

Revision History
Preface
    Supported RSA Identity Governance and Lifecycle Version(s)
    Supported MySQL Database Version(s)
    Audience
    What is covered in the Guide
Prerequisites for MySQL Database
    WildFly
    WebSphere
    WebLogic
    Manage Endpoint Credentials Using a Password Vault
Creating MySQL Database Collectors
    Creating a New Identity Data Collector (IDC)
    Configuring the IDC Database Query
    Creating a New Account Data Collector (ADC)
    Configuring the ADC Database Query
    Creating a New Entitlement Data Collector (EDC)
    Configuring the EDC Database Query
    Creating a New Role Data Collector (RDC)
    Configuring the RDC Database Query
    How to Create Custom Attributes
MySQL Database Connector Configuration
    Connector Capabilities
Use-Cases
    Create Database Account Using a Request Form
    Use Stored Procedures in Connector


REVISION HISTORY

Revision Number | Description
Version 1.0 | MySQL Server Application Guide consisting of the creation of Identity Collector, Account Collector, Entitlement Collector, Connector and use-cases.
Version 1.1 | Added instructions for configuring the password vault with RSA Identity Governance and Lifecycle, DB2 Database, Identity Data Collector, Account Data Collector and Entitlement Data Collector.
Version 1.2 | Updated document with minimum version support.


PREFACE

The purpose of this guide is to provide an overview of setting up Collectors and Connectors in order to integrate MySQL Database with RSA Identity Governance and Lifecycle. This guide outlines required configurations, parameters, and mappings of different attributes in the connectors and collectors to create various components. The guide also includes use cases and troubleshooting tips.

Supported RSA Identity Governance and Lifecycle Version(s)
• RSA Via Lifecycle and Governance 7.0.0 and later
• RSA Identity Governance and Lifecycle 7.0.1 and later

Supported MySQL Database Version(s)
• MySQL Server 5.6 and later

Audience
This guide is intended for the users of RSA Identity Governance and Lifecycle, including security administrators, database administrators, and system configuration administrators.

What is covered in the Guide
• Prerequisites section: explains the required configuration in order to integrate the database with RSA Identity Governance and Lifecycle.
• Database connectors and collectors configuration section: provides the details to configure or change the collector and connector settings, if required.
• Tips & Troubleshooting section: provides information about probable errors and their solutions.


PREREQUISITES FOR MYSQL DATABASE

a. Install the MySQL database against which the data collectors will be configured.
b. Configure the MySQL database driver before creating MySQL data collectors.

Steps to configure the MySQL database driver:
a. Download the JAR containing the MySQL driver (com.mysql.jdbc.Driver), for example mysql-connector-java-5.1.25-bin.jar.
b. Copy the downloaded JAR to the location required by the application server on which RSA Identity Governance and Lifecycle runs, as described below for each server.

WildFly

Customize RSA Identity Governance and Lifecycle

On an RSA Identity Governance and Lifecycle appliance or software appliance running v7.0 or later, you must use the customizeACM.sh tool to extract the aveksa.ear file, customize it, and repackage it. The following procedure requires that you know how to use the customizeACM.sh tool.

You can customize RSA Identity Governance and Lifecycle by modifying the aveksa.ear file located at /home/oracle/archive.

RSA provides a utility (customizeACM.sh in /home/oracle/deploy) that allows you to conveniently extract aveksa.ear file and rebuild a customized version. For more information, see "Customize RSA Identity Governance and Lifecycle" in the Installation Guide.

Procedure
1. Log on to the appliance as the admin user via an SSH tool (for example, PuTTY).
2. Verify that RSA Identity Governance and Lifecycle is running. Enter the following command:
   sudo service aveksa_server status
3. If the server is running, the following message appears:
   RSA Identity Governance and Lifecycle Compliance Manager Server is running.
4. If the message indicates that the server is not running, enter the following command:
   sudo service aveksa_server start
5. Change to the oracle user. Enter the command:
   su - oracle
6. Go to /home/oracle/deploy.
7. Run the customizeACM.sh script to extract the .ear file to modify, and specify its location. Enter the command:
   customizeACM.sh -c
8. The content of this .ear file is extracted to a directory at the following location: /tmp/customizeACM/.
   a. Note: If you do not specify the path to the .ear file, the script prompts you to use the currently deployed .ear file. If you want to use the currently deployed .ear, enter 'yes'.
   b. Otherwise, enter 'no'.
9. Go to /tmp/customizeACM/ and copy mysql-connector-java-5.1.25-bin.jar to /tmp/customizeACM/APP-INF/lib.
10. After completing the file modification, run the customizeACM.sh script again to rebuild the .ear file. Go to /home/oracle/deploy and enter the command:
   customizeACM.sh -d
11. The script deploys the new customized .ear file and archives it to the following location, appending a time and date stamp to the name: /home/oracle/archive

Note: There is no need to restart ACM or AFX.

WebSphere
1. Copy mysql-connector-java-5.1.25-bin.jar to the "lib" directory under the APP-INF folder:
   /opt/IBM/WebSphere/AppServer/profiles/aveksaProfile/installedApps/Node01Cell/aveksa.ear/APP-INF/lib
2. Restart WebSphere Application Server.

WebLogic
1. Copy the mysql-connector-java-5.1.25-bin.jar file to the following location and restart the server.
   Location for aveksa.ear: /home/oracle/ACM-WebLogic
2. Create a new folder: mkdir /tmp/aveksa.ear
3. Unzip aveksa.ear into /tmp/aveksa.ear.
   Example: unzip -q -X /home/oracle/ACM-WebLogic/aveksa.ear -d /tmp/aveksa.ear
4. Rename the existing aveksa.ear file to aveksa.ear.old in /home/oracle/ACM-WebLogic/.
   Example: mv /home/oracle/ACM-WebLogic/aveksa.ear /home/oracle/ACM-WebLogic/aveksa.ear.old
5. Copy the mysql-connector-java-5.1.25-bin.jar file to /tmp/aveksa.ear/APP-INF/lib/.
6. Repackage aveksa.ear. Note that you are creating the ear file at a new location: /home/oracle/ACM-WebLogic
   cd /tmp/aveksa.ear
   zip -q -r -u /home/oracle/ACM-WebLogic/aveksa.ear *
7. Deploy the new ear file.
   • Log in to the WebLogic Admin console. Example: http://:7001/console
   • Go to Deployment > Server
   • Select aveksa.ear and click the Update button
   • Select the path /home/oracle/ACM-WebLogic and select aveksa.ear
   • Click Next and then Finish
   • Restart the WebLogic Server
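Two checks worth running around the driver deployment steps above, whichever application server is in use: that the downloaded JAR actually contains com.mysql.jdbc.Driver, and that the rebuilt aveksa.ear carries the JAR under APP-INF/lib and nowhere else. This is an added example, not customizeACM.sh or any code from the guide; it uses only the Python standard library, and the EAR and JAR it builds are constructed stand-ins for the real files.

```python
"""Added example, not RSA's customizeACM.sh or any part of the guide: checks a
practitioner can run before and after the driver deployment steps above.
Uses only the Python standard library; the EAR and JAR built here are
constructed stand-ins (the real aveksa.ear and driver JAR are not included)."""
import os
import tempfile
import zipfile

DRIVER_CLASS = "com.mysql.jdbc.Driver"               # from the guide
DRIVER_JAR = "mysql-connector-java-5.1.25-bin.jar"  # from the guide
EAR_LIB_DIR = "APP-INF/lib/"                         # where the guide puts the JAR


def jar_provides_class(jar_path, class_name):
    """True if the JAR contains the compiled class named in dotted form, i.e.
    the downloaded file really is the driver the collector will load."""
    entry = class_name.replace(".", "/") + ".class"
    with zipfile.ZipFile(jar_path) as jar:
        return entry in jar.namelist()


def add_jar_to_ear(src_ear, dst_ear, jar_path):
    """Copy every entry of src_ear into dst_ear and add the JAR under APP-INF/lib,
    the same result as the unzip / copy / zip -u steps for WebLogic."""
    target = EAR_LIB_DIR + os.path.basename(jar_path)
    with zipfile.ZipFile(src_ear) as src, \
            zipfile.ZipFile(dst_ear, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != target:          # drop a stale copy of the same JAR
                dst.writestr(item, src.read(item.filename))
        dst.write(jar_path, target)


def ear_driver_status(ear_path, jar_name=DRIVER_JAR):
    """Where the driver JAR sits inside the EAR: (found under APP-INF/lib,
    list of copies anywhere else). A copy outside APP-INF/lib is not on the
    application class path, so the collector cannot load the driver from it."""
    with zipfile.ZipFile(ear_path) as ear:
        names = ear.namelist()
    expected = EAR_LIB_DIR + jar_name
    misplaced = [n for n in names if n.endswith(jar_name) and n != expected]
    return expected in names, misplaced


def demo():
    """Build a constructed JAR and EAR in a temp dir, run the checks, rebuild
    the EAR with the JAR in place and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, DRIVER_JAR)
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("com/mysql/jdbc/Driver.class", b"placeholder, not real bytecode")
        original = os.path.join(tmp, "aveksa.ear")
        with zipfile.ZipFile(original, "w") as z:
            z.writestr("META-INF/application.xml", "<application/>")
            z.writestr("APP-INF/lib/other-lib.jar", b"")
            z.writestr("lib/" + DRIVER_JAR, b"")   # constructed: a copy in the wrong directory
        rebuilt = os.path.join(tmp, "aveksa.ear.rebuilt")
        before = ear_driver_status(original)
        add_jar_to_ear(original, rebuilt, jar)
        after = ear_driver_status(rebuilt)
        return {"jar_has_driver_class": jar_provides_class(jar, DRIVER_CLASS),
                "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Against a real archive, call ear_driver_status on the .ear that customizeACM.sh -d or the zip step produced; a misplaced copy reported in the second element of the result should be removed before deployment rather than left beside the correct one.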


Manage Endpoint Credentials Using a Password Vault To use a third-party password vault to manage the endpoint credentials, perform the following steps.

1. Configure the password vault according to the third-party provider’s instructions.

2. Create a new password vault profile in the RSA Identity Governance and Lifecycle system for retrieving the MySQL password from the vault. See the RSA Identity Governance and Lifecycle Help for more information about creating a password vault profile.

3. Ensure that a MySQL account has been created at the configured password vault to store the password.

CREATING MYSQL DATABASE COLLECTORS

Refer to this section to create MySQL Database collectors in RSA Identity Governance and Lifecycle.

RSA Identity Governance and Lifecycle supports the following collectors for MySQL Database:
• Identity Data Collector (IDC)
• Account Data Collector (ADC)
• Entitlement Data Collector (EDC)
• Role Data Collector (RDC)

The Identity Data Collector collects Users and details such as firstname, lastname, email, BusinessUnit, and city. Once a Database Identity Collector is configured correctly and has collected Identity records, the User records are listed in the Users > Users menu after unification.

Account Data Collectors collect Account Names, Groups and the mapping between Database Accounts and RSA Identity Governance and Lifecycle Users.

The Entitlement Data Collector collects Resources (such as Room), their associated Actions (such as LockRoom, UnlockRoom) and application roles, which are associated with Accounts, Groups and Users. Entitlements = Resource + Action.

Creating a New Identity Data Collector (IDC)
1. Log in to RSA Identity Governance and Lifecycle.
2. Go to Collectors > Identity Collectors.
3. Click the Create Identity Collector button.
4. On the collector description screen, configure the following fields:

Field | Value
Collector Name | Provide a unique identity collector name.
Description | Provide a description for this Collector.
Data Source Type | Select "Database" from the list.
Agent | Select any available Agent; the default is AveksaAgent.
Directory | Select Database Directory from the drop-down. If Database Directory doesn't exist, create a new directory from the Resources > Directories menu.
Status | Set status as Active.
Copy From | If a configured Identity Collector exists and all the parameters can be copied, select it from the list to copy it.
Schedule | This parameter schedules runs of this Collector instance. Set Start and Frequency when selecting this option.

5. Click Next.
6. On the Connection page, set the following parameters:

Field | Value
DB Type | Select the Database Type from the available list (ex: MySQL).
Driver Class | Set automatically from the selected Database type, except for a custom DB type. (Ex: If you have selected MySQL, the driver class is set to com.mysql.jdbc.Driver.)
URL | JDBC URL to access the Database. (Ex: jdbc:mysql://my-sql-hostname.domainname:port/databasename)
User Name | User name having administrator privileges for the MySQL database (such as root).
Static Password | Select this option to provide the password manually, and enter the password for the MySQL user.
Dynamic Password | Select this option to use a configured password vault to manage the endpoint credentials.

After you select this option, either select a previously configured password vault profile from the drop-down, or click Create Profile to add a new password vault profile to use with this connector. RSA Identity Governance and Lifecycle uses this profile to retrieve the appropriate credentials from the password vault during connector deployment and connection tests.

For more information about using static or dynamic passwords during collector creation and in the configuration wizard, refer to Manage Endpoint Credentials Using a Password Vault in the prerequisites section.

7. Click Test Connection to check the database URL, username and password. Make sure the test connection to the database is successful. After a successful connection, see Configuring the IDC Database Query.


Configuring the IDC Database Query

Perform the following steps after a successful database connection on the Connection page. They are required to collect Users and their attributes, such as email, firstname, and lastname, using the database query.
1. After a successful Test Connection on the Connection screen, click Next.
2. The identity types to be collected are displayed. The Users check-box is selected by default.
3. Click Next.
4. The mapping page accepts the configuration for mapping the database user attributes to RSA Identity Governance and Lifecycle user attributes. The two are compared against each other, and if mapped, are collected. The following table lists the parameters on the "Mapping for user attributes" screen while creating the Collector.

Field | Value
Users Data Query | Query used for collecting user data. Example: select user_id,first_name,last_name from t_users
User ID | Database column name mapped to the User ID attribute of RSA Identity Governance and Lifecycle's account. Example: user_id

Additional database attributes that can be collected for users include unique id, first name, last name, etc. Account attributes can be collected by mapping them to RSA Identity Governance and Lifecycle's custom attributes. Custom attributes can be created from Admin > Attributes > User > Edit. See How to Create Custom Attributes for more information.
5. Click the Test button to test the SQL query.
6. Click Finish.
7. The Identity Data Collector is created.
8. Test the database connection by selecting the created identity collector and clicking the Test button, which displays a sample response from the database tables.

Creating a New Account Data Collector (ADC)

1. Log in to RSA Identity Governance and Lifecycle.
2. Go to Collectors > Account Collectors.
3. Create a new Account Collector using the Create Account Collector button.
4. On the Collector description screen, configure the following fields:


Field | Value
Collector Name | Name for the Database Account Collector.
Description | Description for the ADC (such as MySQL Account Collector).
Data Source Type | Select Database from the available list.
Business Source | Select the required application.
Agent | Appropriate agent (default: AveksaAgent).
Status | Active
Copy From | Select an existing Database collector to copy its configuration (Default: Blank).
Scheduled | Select yes if collection is to be scheduled.

5. Click Next.
6. On the Connection page, set the following parameters. For more information about using static or dynamic passwords during collector creation and in the configuration wizard, see Manage Endpoint Credentials Using a Password Vault in the prerequisites section.

Field | Value
DB Type | Choose DB type as 'MySQL' if it is present in the already defined list; otherwise select "Custom".
Driver Class | com.mysql.jdbc.Driver
URL | JDBC URL to access the Database, such as jdbc:mysql://fully-Qualified-host-name-Or-IP:port/databaseName
User Name | User name having administrator privileges for the MySQL database, such as sa
Static Password | Select this option to provide the password manually, and enter the password for the MySQL user.
Dynamic Password | Select this option to use a configured password vault to manage the endpoint credentials.

After you select this option, either select a previously configured password vault profile from the drop-down, or click Create Profile to add a new password vault profile to use with this connector. RSA Identity Governance and Lifecycle uses this profile to retrieve the appropriate credentials from the password vault during connector deployment and connection tests.

7. Click Test Connection to check database URL, username and password. The test connection to database must be successful. After a successful connection, see Configuring the ADC Database Query.


Configuring the ADC Database Query

Perform the following steps after a successful database connection. They are required to collect accounts, groups, and sub-groups using the database query.

1. After a successful Test Connection on the Connection page, click Next.
2. Select the type(s) of account data to collect:
   • Accounts
   • User Account Mappings
   • Groups
   • Sub Groups
   Note: Based on the above selection, only the respective pages will be displayed.
3. Click Next.
4. The mapping page accepts the configuration for mapping the database account attributes to RSA Identity Governance and Lifecycle account attributes. The two are compared against each other, and if mapped, are collected. The following table lists the parameters on the "Mapping for Account Attributes" screen while creating the Collector.

Field | Value
Account Data Query | Query to collect account data (such as select account, last_login_date from t_accounts)
Account Id/Name | Database column name which can be mapped to the 'Account ID/Name' attribute of the RSA Identity Governance and Lifecycle Account

Additional database attributes that can be collected for an account include ID, given name and family name. Map them to RSA Identity Governance and Lifecycle's custom attributes.

Custom attributes can be created from Admin > Attributes > Account > Edit. See How to Create Custom Attributes for more information.
5. Click the Test button to test the SQL query.
6. Click Next.
7. The Mapping for user account mapping attributes screen accepts the configuration for mapping database account attributes to RSA Identity Governance and Lifecycle User attributes:

Field | Value
User Account Mappings Data Query | Query used for collecting user accounts mapping data (such as select account, user from user_account_mapping_data)
User ID | Database column name which can be mapped to the 'User ID' attribute of the RSA Identity Governance and Lifecycle User

8. Click Next.
9. The mapping page accepts the configuration for mapping the Group attributes to RSA Identity Governance and Lifecycle Group attributes. The two are compared against each other, and if mapped, are collected.

Group Data:
Field | Value
Groups Data Query | Query which can be used for collecting group attribute values (such as select group_id, description from t_groups)
Group ID/Name (Mandatory) | Database column name which can be mapped to the 'Group ID/Name' attribute of the RSA Identity Governance and Lifecycle group.

Account Membership Data:
Field | Value
Account Membership Query | Query which can be used for collecting account members of groups (such as select account_id from t_group_memberships where type='account')
Account Id/Name | Database column name which can be mapped to the 'Account ID/Name' attribute of the RSA Identity Governance and Lifecycle Account

Additional database group attributes that can be collected for a group include email. This group attribute can be collected by mapping it to RSA Identity Governance and Lifecycle's custom attributes. Custom attributes can be created from Admin > Attributes > Group > Edit. See How to Create Custom Attributes for more information.
10. Click Next.
11. The mapping page accepts the configuration for mapping the Subgroup attributes to RSA Identity Governance and Lifecycle Database Subgroup attributes. The two are compared against each other, and if mapped, are collected.


Field | Value
Subgroup Membership Query | Query which can be used for collecting sub-group members of a group. Example: select grp_id, sub_grp_id from t_group_memberships where type = 'group'
Subgroup ID/Name | Database column name which can be mapped to the 'Subgroup ID/Name' attribute of the RSA Identity Governance and Lifecycle group.
Group ID/Name | Database column name which is mapped to the 'Group ID/Name' attribute on the RSA Identity Governance and Lifecycle Group Collect screen.

12. Click Next.
13. To configure the User Resolution Rules screen, refer to the following table.

Field | Value
Target Collector | Identity source collector. (Default: Users)
User Attribute | RSA Identity Governance and Lifecycle's user attribute to use for resolution of the database account. (Default: UserID)

14. To configure the Member Account Resolution Rules screen, refer to the following table.

Field | Value
Target Collector | Database Account collector.
Account Attribute | The configured account attribute for group member resolution. (Default: Account Name)

15. To configure the Sub-group Resolution Rules screen, refer to the following table.

Field | Value
Target Collector | Database Account collector
Group Attribute | The configured group attribute for sub-group (membership) resolution. (Default: Name)


16. Click Finish.
17. The Account Data Collector is created. The database connection can be verified by selecting the DB Account Collector and clicking the Test button. It checks the database connection and shows a sample response from the database tables.
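Before entering the IDC and ADC queries above into the wizard, it helps to run them once against the source schema and confirm that each result set actually carries the column named in the corresponding mapping field, and to see which accounts the User Resolution and Sub-group Resolution steps will be able to resolve. The following is an added example, not code from the guide or from RSA: sqlite3 stands in for MySQL so that it runs offline, the queries follow the form of the guide's own examples, and every table, column and row is constructed for the demo.

```python
"""Added example, not part of the RSA guide: a dry run of the IDC and ADC
collector queries against a constructed schema. sqlite3 stands in for MySQL
so the script runs offline; the queries are plain SQL in the form of the
guide's examples, and every table, column and row below is made up."""
import sqlite3

SCHEMA = """
create table t_users (user_id text primary key, first_name text, last_name text, email text);
create table t_accounts (account text primary key, last_login_date text);
create table user_account_mapping_data (account text, user text);
create table t_groups (group_id text primary key, description text);
create table t_group_memberships (grp_id text, member_id text, type text);
"""

# Constructed sample rows: two identities, three accounts (one mapped to a
# user id that no identity has), two groups, one nested group.
ROWS = """
insert into t_users values ('u100', 'Ada', 'Lovelace', 'ada@example.test');
insert into t_users values ('u200', 'Alan', 'Turing', 'alan@example.test');
insert into t_accounts values ('ada_db', '2017-10-01');
insert into t_accounts values ('alan_db', '2017-09-15');
insert into t_accounts values ('svc_report', '2016-01-02');
insert into user_account_mapping_data values ('ada_db', 'u100');
insert into user_account_mapping_data values ('alan_db', 'u200');
insert into user_account_mapping_data values ('svc_report', 'u999');
insert into t_groups values ('dba', 'Database administrators');
insert into t_groups values ('readers', 'Read-only users');
insert into t_group_memberships values ('dba', 'ada_db', 'account');
insert into t_group_memberships values ('readers', 'alan_db', 'account');
insert into t_group_memberships values ('dba', 'readers', 'group');
"""

# Each collector query paired with the column names its mapping fields
# (User ID, Account Id/Name, Group ID/Name, ...) must find in the result set.
COLLECTOR_QUERIES = {
    "Users Data Query": (
        "select user_id, first_name, last_name from t_users", ["user_id"]),
    "Account Data Query": (
        "select account, last_login_date from t_accounts", ["account"]),
    "User Account Mappings Data Query": (
        "select account, user from user_account_mapping_data", ["account", "user"]),
    "Groups Data Query": (
        "select group_id, description from t_groups", ["group_id"]),
    "Account Membership Query": (
        "select grp_id, member_id as account_id from t_group_memberships where type = 'account'",
        ["grp_id", "account_id"]),
    "Subgroup Membership Query": (
        "select grp_id, member_id as sub_grp_id from t_group_memberships where type = 'group'",
        ["grp_id", "sub_grp_id"]),
}


def open_sample_db():
    """In-memory database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + ROWS)
    return conn


def check_mappings(conn):
    """For every query, list the mapping columns missing from its result set
    (the wizard's Test button makes this check for one query at a time)."""
    missing = {}
    for name, (sql, needed) in COLLECTOR_QUERIES.items():
        cols = [d[0] for d in conn.execute(sql).description]
        missing[name] = [c for c in needed if c not in cols]
    return missing


def unresolved_accounts(conn):
    """Account mappings whose user id has no identity row. These cannot pass the
    User Resolution Rules step (Target Collector Users, attribute UserID) and
    end up as orphaned accounts."""
    sql = """select m.account, m.user from user_account_mapping_data m
             left join t_users u on u.user_id = m.user
             where u.user_id is null"""
    return conn.execute(sql).fetchall()


def effective_group_accounts(conn):
    """Flatten sub-group membership so each group lists its direct and nested
    account members (what the Sub-group Resolution Rules step resolves)."""
    sql = """with recursive tree(grp_id, member_id, type) as (
                 select grp_id, member_id, type from t_group_memberships
                 union
                 select t.grp_id, m.member_id, m.type
                 from tree t join t_group_memberships m on m.grp_id = t.member_id
                 where t.type = 'group')
             select grp_id, member_id from tree where type = 'account'
             order by grp_id, member_id"""
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("missing mapping columns:", check_mappings(db))
    print("unresolved accounts:", unresolved_accounts(db))
    print("effective group members:", effective_group_accounts(db))
```

Two notes on running this against a real MySQL source: the recursive CTE in effective_group_accounts needs MySQL 8.0 or later (the collector itself does the sub-group resolution, so the function is only a preview), and every query here is read-only, so the database user configured on the Connection page needs no more than SELECT on the collected tables even though the guide's examples name an administrator account.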

Creating a New Entitlement Data Collector (EDC)
1. Log in to RSA Identity Governance and Lifecycle.
2. Go to Collectors > Entitlement Collectors.
3. Create a new entitlement collector using the Create Entitlement Collector button.
4. In the Collector description screen, configure the following fields:

Field | Value
Collector Name | Name for the Database Entitlement Collector.
Description | Description for the EDC. Example: Database Entitlement Collector
Data Source Type | Select Database Directory.
Business Source | Select the required application.
Agent | Appropriate agent (default: AveksaAgent).
Status | Active
Copy From | Select an existing Database Entitlement collector if you want to copy its configuration. (Default: Blank)
Scheduled | Select yes if collection is to be scheduled.

5. Click Next.
6. On the Connection page, set the following parameters. For more information about using static or dynamic passwords during collector creation and in the configuration wizard, see Manage Endpoint Credentials Using a Password Vault in the prerequisites section.

Field | Description
DB Type | Choose DB type as 'MySQL' from the list.
Driver Class | com.mysql.jdbc.Driver
URL | JDBC URL to access the database. Example: jdbc:mysql://fully-Qualified-host-name-or-IP:port/databaseName
User Name | User name having administrator privileges for the MySQL database. Example: sa
Static Password | Select this option to provide the password manually, and enter the password for the MySQL user.
Dynamic Password | Select this option to use a configured password vault to manage the endpoint credentials.


After you select this option, either select a previously configured password vault profile from the drop-down, or click Create Profile to add a new password vault profile to use with this connector. RSA Identity Governance and Lifecycle uses this profile to retrieve the appropriate credentials from the password vault during connector deployment and connection tests.

7. Click Test Connection to check the database URL, username and password. The test connection to database must be successful. After a successful connection, see Configuring the EDC Database Query.

Configuring the EDC Database Query

Perform the following steps after a successful database connection on the connection screen. They are required to collect Entitlements and Application roles using the database queries.

1. After a successful Test Connection, click Next.
2. On the Select types of entitlement data to collect screen, there are two options to collect data: "Collect Resource-Action entitlement for__" and "Collect Application role entitlement for__."

• Collect resource-action entitlements for__
  Available entitlement data types for this option are Users, Accounts and Groups. You can select multiple entitlement data types for this option as applicable.

• Collect application role entitlements for__
  Available entitlement data types for this option are Groups, Accounts and Users. You can select multiple entitlement data types for this option as applicable.

Note: Based on the above selection, the respective and associated "next" screens will be displayed.

3. Click Next.
4. The "Define the General Column Names" screen accepts the configuration for mapping database columns. Those column names will be returned by the database queries defined on the next screen(s).

Field | Value
User References ID/Name | Provide the DB column name for the Common User Reference ID or Name. This column name will be returned from several queries.
Resource | Provide the DB column name for the Common Resource Fully Qualified Name.
Action ID/Name | Provide the DB column name for the Common Action ID or Name.
Application Role/Name | Provide the DB column name for the Common Application Role ID or Name.

5. Click Next.
6. The mapping page accepts the configuration for mapping the Resource attributes to RSA Identity Governance and Lifecycle Database Resource attributes. The two are compared against each other, and if mapped, are collected.

Field | Value
Resources Data Query | Query to return resource attribute values for resource-action entitlements. The column names resulting from the query will be used in the following fields. Example: select resource as FQN, Owner, Location from t_resources
Resource ID/Name | Resource ID or Name column name resulting from the Resources Data Query.
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.

7. Click Next.
8. The mapping page accepts the configuration for mapping the Resource-action based entitlements to RSA Identity Governance and Lifecycle Database Resource-action attributes. The two are compared against each other, and if mapped, are collected.

Resource Entitlement Data
Field | Description
Resource Entitlements Query | Query to return entitlement attribute values for resource-action entitlements. Example: select distinct resource as FQN, action from t_resource_ents
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.
Action ID/Name | Action ID/Name defined on the Generic Column Names page.

User Data
Field | Description
Entitlements for Users Query | Query to return resource-action entitlements granted to users. Example: select resource as FQN, action, user_id from t_resource_ents where type = 'user'
Entitled User | User Reference ID/Name defined in Generic Column Names.
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.
Action ID/Name | Action ID/Name defined on the Generic Column Names page.

Group Data
Field | Description
Entitlements For Groups Query | Query to return resource-action entitlements granted to groups. Example: select resource as FQN, action, user_id from t_resource_ents where type = 'group'
Entitled Group | User Reference ID/Name defined in Generic Column Names.
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.
Action ID/Name | Action ID/Name defined on the Generic Column Names page.

Account Data
Field | Description
Resource Entitlements Query | Query to return entitlement attribute values for resource-action entitlements. Example: select distinct resource as FQN, action from t_resource_ents
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.
Action ID/Name | Action ID/Name defined on the Generic Column Names page.

9. Click Next.
10. The mapping page accepts the configuration for mapping the application-role attributes to RSA Identity Governance and Lifecycle Database application-role attributes. The two are compared against each other, and if mapped, are collected.

Application Role Data
Field | Description
Application Roles Query | Query to return application role attribute values for application-role entitlements. Example: select distinct approle from t_approle_defs
Application Role ID/Name | Application Role ID/Name defined in Generic Column Names.

Resource-Action Entitlements Data
Field | Description
Resource-Action Entitlements of App Roles Query | Query to return resource-action entitlement sub-components of the application role entitlements that were collected above. Example: select approle_parent as approle, resource as FQN, action from t_approle_members where type = 'resource'
Application Role ID/Name | Application Role ID/Name defined in Generic Column Names.
Resource Fully Qualified Name | Resource Fully Qualified Name defined in Generic Column Names.
Action ID/Name | Action ID/Name defined in Generic Column Names.

Child Application Roles Data
Field | Description
Child App Roles of App Roles Query | Query to return application role entitlement children of the application role entitlements that were collected above. Example: select approle_parent as approle, approle_child from t_approle_members where type = 'app-role'
Child Application Role ID/Name | Child Application Role ID or Name column name resulting from the Child App Roles of App Roles Query.
Application Role ID/Name | Application Role ID/Name defined in Generic Column Names.

The mapping page accepts the configuration for mapping the application role based entitlements to RSA Identity Governance and Lifecycle Database application-role based attributes. The two are compared against each other, and if mapped, are collected.


User Data Field Description Query to return application role entitlements granted to users. App Roles for Users Query Example, select approle, user_id from t_approle_ents where type = 'user' User Reference ID/Name defined in Entitled User Generic Column Names. Application Role ID/Name defined in Application Role ID/Name Generic Column Names.

Group Data Field Value App Roles for Groups Query Query to return application role entitlements granted to groups. Example, select approle, user_id from t_approle_ents where type = 'group' Entitled Group User Reference ID/Name defined in Generic Column Names. Application Role ID/Name Application Role ID/Name defined in Generic Column Names.

Account

Data Field: Value
App Roles for Accounts Query: Query to return application role entitlements granted to user accounts. Example: select approle, user_id from t_approle_ents where type = 'account'
Entitled Account: User Reference ID/Name defined in Generic Column Names.
Application Role ID/Name: Application Role ID/Name defined in Generic Column Names.

11. Click Next.
12. To configure the Entitled User Evaluation screen, refer to the following table.

Field: Value
Target Collector: Identity source collector (Default: Users)
User Attribute: RSA Identity Governance and Lifecycle's user attribute to use for resolution of the Database account (Default: UserID)

13. Click Next.
14. Confirm the Entitled User Evaluation and click Next.
15. To configure the Group Evaluation screen, refer to the following table.

Field: Description
Associated Collector: Select the appropriate Database Account Collector which can collect groups.
Group Attribute: RSA Identity Governance and Lifecycle's Group attribute to use for resolution of the Database Group (Default: Name)

16. Click Next.
17. Confirm the Group Evaluation and click Next.
18. To configure the Account Evaluation screen, refer to the following table.

Field: Value
Target Collector: Select the appropriate Database Account Collector which can collect DB accounts.
Account Attribute: RSA Identity Governance and Lifecycle's Account attribute to use for resolution of the Database account (Default: Account Name)

19. Click Next and confirm the Account Evaluation.
20. Click Finish.
21. A new Entitlement collector has been created. Verify the database connection and sample response by selecting the entitlement collector and clicking the Test button. This tests the connection and shows a sample response from the database table.

Creating a New Role Data Collector (RDC)

1. Log in to RSA Identity Governance and Lifecycle.
2. Go to Collectors > Role Collectors.
3. Create a new role collector using the Create Role Collector button.
4. On the collector description screen, configure the following fields:


Field: Value
Collector Name: Name for the Database Role Collector.
Description: Description for the RDC.
Role Set: Select an existing role set. If none is available, create a new role set from Roles > Role Sets.
Data Source Type: Select Database from the drop-down.
Agent: Select the appropriate agent (default: AveksaAgent).
Status: Active
Copy From: Select an existing Database Role collector to copy its configuration. (Default: Blank)
Has Data: Select this checkbox. Members of these roles will automatically receive the entitlements of these roles. (Default: checked)
Scheduled: Select yes if collection will be scheduled.

5. Click Next.
6. The configuration screen accepts the connection parameters for the database, as described in the following table.

Field: Description
DB Type: Choose 'MySQL' if it is present in the already defined list; otherwise select "Custom".
Driver Class: com.mysql.jdbc.Driver
URL: JDBC URL to access the database. Example: jdbc:mysql://fully-qualified-host-name-or-IP:port/databaseName
User Name: User name having administrator privileges for the MySQL database. Example: root
Password: Password for the user name

7. Click Test Connection to check the database URL, user name and password. The test connection to the database must succeed. After a successful connection, see Configuring the RDC Database Query.


Configuring the RDC Database Query

Perform the following steps after a successful database connection to collect roles and their associated entitlements using a database query.

1. After a successful Test Connection on the Connection page, click Next.
2. Select the types of role data to collect; the screen accepts the configuration. The types of role data that can be collected from the database are:

Type: Check box
Roles: Roles (Default: Selected)
Role Memberships: Users
Role Entitlements: Application entitlements, Application Roles, Group Entitlements, Roles
Hierarchy: Parent Roles

Note: Based on the above selection, the corresponding pages are displayed in the subsequent steps of the RDC wizard.

3. Click Next.
4. Configure how roles are collected; the screen accepts the configuration, searches for the roles in the database, and maps them to the roles within RSA Identity Governance and Lifecycle. The two are compared against each other and, if mapped, are collected.

Field: Value
Role Query: Query to return role data. The column names resulting from the query will be used in the following fields. Example: select role_name, CustomString from t_roles
Role Name: Provide the column name returned by the Role Query. Example: role_name

Additional Database role attributes, such as role owner, can be collected by mapping them to a custom attribute in RSA Identity Governance and Lifecycle. Custom attributes can be created from Admin > Attributes > Role > Edit. See How to Create Custom Attributes for more information.

5. Click the Test button to test the SQL query.


6. Click Next.
7. Configure how role members are collected; the screen accepts the configuration, searches for the role members in the database, and maps them to the roles within RSA Identity Governance and Lifecycle. The two are compared against each other and, if mapped, are collected.

Field: Value
User Membership Query: Query to return role-membership data. The column names resulting from the query will be used in the following fields. Example: select role_name, UserID, CustomString from t_roles_membership
Role Name: Provide the column name returned by the User Membership Query. Example: role_name
User ID: Provide the column name returned by the User Membership Query (such as UserID). This attribute is resolved against the IDC attribute on the User Resolution screen.

8. Click Next.
9. Configure how application entitlements are collected; the screen accepts the configuration, searches for the application entitlements in the database, and maps them to the application entitlements within RSA Identity Governance and Lifecycle.

Field: Value
Application Entitlements Query: Query to return the role to application entitlement mapping data. The column names resulting from the query will be used in the following fields. Example: select role_name, application_name, resource_name, action_name from t_role_entitlements
Role Name: Role Name defined on the Configure how roles are collected screen. Example: role_name
Application Name: Provide the column for Application Name returned by the Application Entitlements Query. Example: application_name
Resource Name: Provide the column for Resource Name returned by the Application Entitlements Query. Example: resource_name
Action Name: Provide the column name for Action Name returned by the Application Entitlements Query. Example: action_name

10. Click Next.
11. Configure how application roles are collected; the screen accepts the configuration, searches for the application roles in the database, and maps them to the application roles within RSA Identity Governance and Lifecycle.

Field: Value
Application Roles Query: Query to return the role to application role data. The column names resulting from the query will be used in the following fields. Example: select role_name, application_name, application_role from t_role_entitlements
Role Name: Role Name defined on the Configure how roles are collected page. Example: role_name
Application Name: Application Name defined in Configure how application entitlements are collected. Example: application_name
Application Role: Provide the column name for Application Role from the Application Roles Query result.

12. Click Next.
13. Configure how groups are collected; the screen accepts the configuration, searches for the groups in the database, and maps them to the groups within RSA Identity Governance and Lifecycle.

Field: Value
Group Query: Query to return the role to Group entitlement mapping data. The column names resulting from the query will be used in the following fields. Example: select group_name, role_name, application_name from t_role_entitlements
Role Name: Role Name defined on the Configure how roles are collected screen. Example: role_name
Application Name: Application Name defined in Configure how application entitlements are collected. Example: application_name
Entitled Group: Provide the column name for Group from the Group Query result. Example: group_name

14. Click Next.
15. Configure how role entitlements to other roles are collected; the screen accepts the configuration, searches for the roles in the database, and maps them to the roles within RSA Identity Governance and Lifecycle.

Field: Description
Roles Query: Query to return the role to role entitlement mapping data. The column names resulting from the query will be used in the following fields. Example: select role_name, subrole_name from t_role_entitlements
Role Name: Role Name defined on the Configure how roles are collected screen. Example: role_name
Role Name of Entitlement: Provide the column name for the role name of the entitlement, returned by the Roles Query. Example: subrole_name

16. Click Next.
17. Configure how the role hierarchy is collected; the screen accepts the configuration, searches for the roles and parent roles in the database, and maps them to the roles within RSA Identity Governance and Lifecycle.
18. Configure the fields in the following table.

Field: Description
Parent Roles Query: Query to return the role to parent role mapping data. The column names resulting from this query will be used in the following fields. Example: select role_name, parentrole_name from t_role_entitlements
Role Name: Role Name defined on the Configure how roles are collected screen. Example: role_name
Role Name of Entitlement: Provide the column name for the parent role, returned by the Parent Roles Query. Example: parentrole_name

19. Click Next.
20. To configure the User Resolution Rules screen, refer to the following table.

Field: Value
Target Collector: Identity source collector. (Default: Users)
User Attribute: RSA Identity Governance and Lifecycle's user attribute to use for resolution of the Database account. (Default: UserID)

21. Click Finish.

How to Create Custom Attributes

RSA Identity Governance and Lifecycle supports the creation of custom attributes. Custom attributes are used as placeholders to store data retrieved from the MySQL Database. Follow these steps to create custom attributes for the Identity collector:

1. From the menu, go to Admin > Attributes.
2. Go to the User tab.
3. Click Edit.
4. At the bottom, click Add Attribute.
5. Provide the Attribute Name, Data type and Data Source. For example:

Field: Value
Attribute Name: county
Data type: String
Length: 256
Data Source: Collected

6. Click Ok.

The custom attribute for the Identity collector is created and is available for mapping in all identity collectors.


- For Account related custom attributes, go to Admin > Attributes > Account tab.
- For Role related custom attributes, go to Admin > Attributes > Role tab.

Once those custom attributes are created, they can be mapped in all respective types of collectors.


MYSQL DATABASE CONNECTOR CONFIGURATION

To set up a new instance of the Database connector, complete the following:
1. Log in to your RSA Identity Governance and Lifecycle instance.
2. Go to AFX > Connectors.
3. Click Create Connector.
4. Configure each of the three sections: General, Settings and Capabilities.

General: General settings for the connector are as follows:

Field: Value
Name: Database Connector
Description: Database Connector
Server: AFX Server
Connector Template: MySQL
Status: Test
Export As Template: Provide a template name if the user wants to export this connector as a connector template.

Settings: The connection settings required to connect RSA Identity Governance and Lifecycle to MySQL Database are as follows:

Field: Description
Database Driver: JDBC driver used to talk to the MySQL Database Server. Example: com.mysql.jdbc.Driver
JDBC URL: JDBC URL string used to connect to the MySQL Database Server. Example: jdbc:mysql://Db-Hostname:port/databaseName
Login Name: Login name for the MySQL Database Server.
Password: Login password for the MySQL Database user.

Click Test Connection Settings to check the validity of connection.

Capabilities: This tab has the list of capabilities supported by this connector.

Once the three sections are completed, save the connector. To test this connector, wait until the connector status turns to "Running" and then check any capability using "Test Connector Capability."


Connector Capabilities

The following commands are supported by the RSA Identity Governance and Lifecycle MySQL Database connector:
- Create Account
- Delete Account
- Reset Account Password
- Update Account
- Add Entitlement to Account
- Remove Entitlement from Account

Note: Spaces are not allowed in the value of any parameters.

Command Input Parameters

Create Account

Field Name: Value
Parameter Name: User
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: User Name
Mapping: ${AccountTemplate.Name}
Description: MySQL user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: ${AccountTemplate.Host}
Description: MySQL database host name

Field Name: Value
Parameter Name: Password
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: Yes
Display Name: Family Name
Mapping: ${AccountTemplate.Password}
Description: Password value

Command Code

Field Name: Value
SQL command: CREATE USER '${User}'@'${Host}' IDENTIFIED BY '${Password}'

Delete Account

Field Name: Value
Parameter Name: Account
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Account Name
Mapping: ${Account.Name}
Description: Database user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: (blank)
Description: MySQL database host name


Command Code

Field Name: Value
SQL command: DROP USER '${Account}'@'${Host}'

Reset an Account's Password

Field Name: Value
Parameter Name: Account
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Account Name
Mapping: ${Account.Name}
Description: Database user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: (blank)
Description: MySQL database host name

Field Name: Value
Parameter Name: Password
Type: STRING
Default Value: (blank)
Is the parameter required?: Yes
Is the parameter encrypted?: Yes
Display Name: New password to reset to
Mapping: (blank)
Description: New password value


Command Code

Field Name: Value
SQL command: SET PASSWORD FOR '${Account}'@'${Host}' = PASSWORD('${Password}')

Update Account

Field Name: Value
Parameter Name: Account
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Account Name
Mapping: ${Account.Name}
Description: Database user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: (blank)
Description: MySQL database host name

Command Code

Field Name: Value
SQL command: ALTER USER '${Account}'@'${Host}' PASSWORD EXPIRE

Add Entitlement to Account

Field Name: Value
Parameter Name: Account
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Account Name
Mapping: ${Account.Name}
Description: Database user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: (blank)
Description: MySQL database host name

Field Name: Value
Parameter Name: Resource
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Resource Name
Mapping: (blank)
Description: Database user resource name

Field Name: Value
Parameter Name: Action
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Action
Mapping: (blank)
Description: Action

Command Code

Field Name: Value
SQL command: GRANT ${Action} ON ${Resource} TO '${Account}'@'${Host}'

Remove Entitlement from Account

Field Name: Value
Parameter Name: Account
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Account Name
Mapping: ${Account.Name}
Description: Database user name

Field Name: Value
Parameter Name: Host
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Host
Mapping: (blank)
Description: MySQL database host name

Field Name: Value
Parameter Name: Resource
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Resource Name
Mapping: (blank)
Description: Database user resource name

Field Name: Value
Parameter Name: Action
Type: STRING
Default Value: -
Is the parameter required?: Yes
Is the parameter encrypted?: No
Display Name: Action
Mapping: (blank)
Description: Action

Command Code

Field Name: Value
SQL command: REVOKE ${Action} ON ${Resource} FROM '${Account}'@'${Host}'
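The capability commands above substitute the AFX parameters straight into SQL text, and the guide's only rule is that values contain no spaces. As an added example (not RSA's or AFX's own code), the Python below models the five statements with assumed per-parameter allowlists, MySQL literal quoting, and an extension of the no-spaces rule, so that a value which would break out of the quoted literal or change the statement's shape is rejected before it reaches the template:

```python
"""Validate and render the AFX MySQL capability commands from this guide.

Added example, not part of RSA Identity Governance and Lifecycle or AFX.
The allowlists, the privilege set and the sample values are assumptions
made for this illustration; tune them to the site's naming rules.
"""
import re

USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")       # MySQL user names are at most 32 chars
HOST_RE = re.compile(r"^[A-Za-z0-9_.%:-]{1,255}$")    # host part may use the % wildcard
# ${Resource} as db.table, db.* or *.*
RESOURCE_RE = re.compile(r"^(\*|[A-Za-z0-9_$]{1,64})\.(\*|[A-Za-z0-9_$]{1,64})$")
ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE", "EXECUTE", "USAGE"}  # assumed allowlist


class ParameterError(ValueError):
    """Raised when an AFX parameter value fails validation."""


def check(name, value, pattern):
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ParameterError(f"{name} {value!r} is not an allowed value")
    return value


def quote_literal(value):
    """Escape a MySQL string literal: backslash first, then the single quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def check_password(password):
    """Apply the guide's no-spaces rule and also reject control characters."""
    if not password or any(c.isspace() or ord(c) < 32 for c in password):
        raise ParameterError("Password must be non-empty with no whitespace")
    return password


def account(user, host):
    """Render the 'user'@'host' specifier shared by every command."""
    u = quote_literal(check("User", user, USER_RE))
    h = quote_literal(check("Host", host, HOST_RE))
    return f"{u}@{h}"


def create_account(user, host, password):
    return f"CREATE USER {account(user, host)} IDENTIFIED BY {quote_literal(check_password(password))}"


def delete_account(user, host):
    return f"DROP USER {account(user, host)}"


def reset_password(user, host, password):
    # Same form as the guide; PASSWORD() was removed in MySQL 8.0, where
    # ALTER USER ... IDENTIFIED BY replaces it.
    return f"SET PASSWORD FOR {account(user, host)} = PASSWORD({quote_literal(check_password(password))})"


def expire_password(user, host):
    return f"ALTER USER {account(user, host)} PASSWORD EXPIRE"


def privilege_clause(action, resource):
    """${Action} may list several privileges separated by commas (no spaces)."""
    actions = [a.upper() for a in action.split(",")]
    bad = [a for a in actions if a not in ACTIONS]
    if bad:
        raise ParameterError(f"Action(s) {bad} are not on the allowlist")
    return f"{', '.join(actions)} ON {check('Resource', resource, RESOURCE_RE)}"


def add_entitlement(user, host, resource, action):
    return f"GRANT {privilege_clause(action, resource)} TO {account(user, host)}"


def remove_entitlement(user, host, resource, action):
    return f"REVOKE {privilege_clause(action, resource)} FROM {account(user, host)}"


def rejects(fn, *args):
    """True if the command builder refuses the given parameter values."""
    try:
        fn(*args)
    except ParameterError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; nothing here talks to a database.
    print(create_account("appsvc", "10.0.0.%", "Str0ng!Pass"))
    print(add_entitlement("appsvc", "10.0.0.%", "hrdb.employees", "select,insert"))
    print("quote rejected:", rejects(delete_account, "o'brien", "localhost"))
    print("space rejected:", rejects(delete_account, "app svc", "localhost"))
```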


USE-CASES

Create Database Account Using a Request Form

Consider a case in which a new account is to be created using the DB Connector. The high-level steps are shown in the following diagram.

1. Create Directory, Identity collector and DB Connector.
2. Create Request Form and Account Template.
3. Provision User using Request form.

1. Create DB directory, Identity collector and DB connector.

To create a new DB directory, follow this procedure:
1. From the menu, go to Resources > Directories.
2. Click Create Directory.
3. Select Other Directory.
4. Click Next.
5. Provide any name in the Directory Raw Name field. Example: DB Directory
6. Click Finish.

A new Directory is created. See Creating a New Identity Data Collector (IDC) and MySQL Database Connector Configuration to create the identity collector and database connector. After creating the Identity collector, collect Identity Records. After unification, the users collected from the IDC are listed in the Users > Users menu.


After creation of DB connector, test the settings. Make sure that DB connection is successful.

Next, edit the DB connector and make the following changes:
1. Change the Connector state from Test to Active.
2. Go to the Capability tab, select the Create Account Capability checkbox, and verify the mapping for the following fields:

Create Account Mappings

Field Name: Mapping Value
User ID: ${User.User_Id}
Host: ${AccountTemplate.Host}
Password: ${AccountTemplate.Password}

2. Create Request Form and Account Template.

Request form configuration
1. From the menu, go to Requests > Configuration.
2. Go to the Request Forms tab.
3. Click Create Form.
4. Select the "create a new form" radio button and click Next.
5. Provide the following configuration on the General properties screen. Leave fields not mentioned in the following table unchanged.

Field Name: Value
Form Name: Provide any name for the form. Example: DBAccountForm
Description: Provide a description for the form
Enable: Select the Enable check box
Form Type: Create Account
Workflow variable Prefix: Provide a workflow variable prefix. Default: FormName
Availability: Keep default
Change Apply to: One User with following attributes: All
Request Grouping: Use Default
Pending Request: Select this check box
Check Outstanding Request: Select this check box
Approval Workflow: Use Default
Fulfillment Workflow: Default AFX Fulfillment

6. Click Finish.


7. The request form has been created. Now add the fields that require user input. Example: hostname, Password
8. Go to the Field tab in the request form.
9. Add the following variables.

Variable Name | Question | Control Type
Host | DatabaseName | Text field
Password | Password | Text field

Account Template configuration
1. Go to Requests > Configuration > Account Templates tab.
2. Click Create Account Template.
3. Provide the Account Template Name and Description, and set Is Service Account: No.
4. In the Account Creation form, select the DB Request Form from the new window.
5. After selecting the request form, click OK. The Account Template is created.
6. Add the template parameters to the Account Template as listed in the following table.

Parameter Name | Default Value | Form Field
Host | (blank) | Host
Password | (blank) | Password

7. Add the following pending Account Parameters:

Parameter Name | Default Value | Form Field
Name | ${User.User_Id} | (blank)

3. Provisioning RSA Identity Governance and Lifecycle User using Request form in MySQL DB

1. From the menu, go to Resources > Directories.
2. Select the DB directory.
3. Go to the AFX Connector Binding tab and select the DB Connector (the connector must be in Active state).
4. Go to the Request tab.
5. Under the Account Template section, click Edit Account Template Association.
6. Select the DB Create Account Template and click OK.
7. Under the Fulfillment section, select Default AFX Fulfillment in the Fulfillment Workflow field.
8. Go to the Account tab and click Create Account.
9. Provide the DB name and password and finish the wizard.
10. A new request is created under Requests > Requests.
11. After successful completion of the request, a new account is created in the DB.


Use Stored Procedures in Connector

The MySQL connector allows stored procedures to be used when executing capabilities. The following are examples of how to use stored procedures in MySQL connector capabilities:

Example 01: Stored procedure with IN parameters

Pre-requisites
1. Create the stored procedure with the required IN parameters. Example: a stored procedure which takes Username as input.
2. Create a connector with the AFX Input parameters that are to be passed to the stored procedure as the IN parameters. Example: create Username as an AFX Input parameter.

How to call the stored procedure:
1. In the SQL command field for the concerned capability, write: CALL dbname.storedprocedureName('${User}')

Note: This example uses only one INPUT parameter for the stored procedure; the number of parameters can differ.

Example 02: Stored procedures which return values

Description: a stored procedure returns a value that needs to be stored and used in later operations or subsequent capabilities. AFX Output parameters, which can be added to capabilities, support this. In the 'Query' field of the output parameter, execute a stored procedure that returns the value; the value is stored in the given mapping field.

Pre-requisites
1. Create the stored procedure which returns a value. Example: a stored procedure which takes User as an INPUT parameter and returns the UserID for the User provided.

DELIMITER //
CREATE PROCEDURE GetUserID(IN con VARCHAR(20))
BEGIN
  SELECT UserID FROM mysql.user WHERE User = con;
END //
DELIMITER ;

2. Create the AFX Input parameter required to pass into the stored procedure. In this case, it should be User.


3. Create an AFX Output parameter which will be used to store the value returned by the above stored procedure. In this case, this is UserID.

How to call the stored procedure:
- In the 'Query' field of the output parameter (AccountID), call the stored procedure as: CALL db1.GetUserID('${User}')
- The value returned by the above query execution is stored in the mapping field defined for this output parameter.
- This stored output parameter can be used in subsequent capabilities.

Note: Stored procedures with OUT parameters are currently not allowed in the AFX Database connectors.
