
Discover NetIQ Access Patterns with Teleport Policy

With Teleport Policy's Access Graph, you gain insights into your NetIQ organization structure, the resources each user can access, and the roles that grant them access. Access Graph provides a visual representation that enhances security and improves understanding of large NetIQ organizations.

Access Graph helps answer key questions such as:

  • Which resources does each user have access to?
  • Which roles grant access to specific resources?

Access Graph is a feature of the Teleport Policy product, available to Teleport Enterprise edition customers.

If enabled, Teleport Policy options can be found under the Policy section in the left navigation menu.

How it works

Access Graph synchronizes NetIQ objects (users, groups, roles, and the resources they are granted) and renders them as a graph, as detailed in the Access Graph page.

The import process involves two primary steps:

Querying NetIQ APIs

The Teleport cluster continuously scans the configured NetIQ organization and retrieves the following resources:

  • Users
  • Groups
  • Resources
  • Roles (Business, Permissions, and IT Roles)
  • Role and Group memberships

Once all necessary resources are fetched, Teleport pushes them to the Access Graph, ensuring it remains updated with the latest information from your NetIQ organization.

Importing resources

Teleport Policy’s Access Graph processes the imported resources and their relationships, generating a graphical representation to visualize access structures effectively.

Prerequisites

  • A running Teleport Enterprise cluster v17.2.4 or later.
  • Teleport Policy enabled for your account.
  • An OpenText NetIQ Identity Manager (IDM) instance with a user that has read access to the organization.
  • For self-hosted clusters:
    • Ensure that an up-to-date license.pem is used in the Auth Service configuration.
    • A running Access Graph node v1.27.0 or later. Check the Teleport Policy page for details on how to set up Access Graph.
    • The node running the Access Graph service must be reachable from the Teleport Auth Service.

Step 1/3. Create NetIQ IDM OAuth Client

To register a new OAuth client with OSP (IDM Authorization Server), modify the OSP's ism-configuration.properties file.

The file is located in the {osp-path}/tomcat/conf/ directory.

Define a client ID and client secret for the new OAuth client. The placeholder values used throughout this guide are:

  • ClientID: client-id
  • Client Secret: client-secret

The OAuth client secret can be stored in the OSP ism-configuration.properties file either encrypted or in plaintext. Store it encrypted: the properties file is readable by anyone with access to the OSP host, and a plaintext secret there is a credential waiting to be copied.

To store the client secret in an encrypted format, run:

java -jar /opt/netiq/idm/apps/tomcat/lib/obscurity-*jar client-secret

This command will generate an encrypted value:

InSKM1mSmpWfjPk6etI/...

Then, update ism-configuration.properties by adding:

com.example.client-id.clientID = client-id
com.example.client-id.clientPass._attr_obscurity = ENCRYPT
com.example.client-id.clientPass = InSKM1mSmpWfjPk6etI/....

Once the file is updated, restart OSP to apply the new settings. Note that the `_attr_obscurity = ENCRYPT` entry is what tells OSP the stored value is encrypted; a clientPass line without it is treated as plaintext.
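The following POSIX shell script is an added example, not part of the Teleport or NetIQ documentation. It audits an OSP ism-configuration.properties file for a given OAuth client prefix and reports whether the client's secret is stored encrypted (a `clientPass._attr_obscurity = ENCRYPT` line accompanies `clientPass`, as configured in this step), in plaintext (no such line), or not configured at all. The sample property files it writes are constructed here for demonstration, and the `com.example.client-id` prefix and file paths are assumptions matching the placeholders above; substitute your own.

```shell
#!/bin/sh
# Added example: audit an OSP ism-configuration.properties file for an OAuth
# client and report how its client secret is stored. Not part of the Teleport
# or NetIQ docs; the client prefix and file paths are illustrative.

# check_osp_client FILE PREFIX
# Prints "ok-encrypted", "plaintext" or "missing" and returns 0, 1 or 2.
check_osp_client() {
  file="$1"
  # Escape dots so the prefix is matched literally by grep -E.
  esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')

  # Both clientID and clientPass must be present for the client to exist.
  if ! grep -Eq "^[[:space:]]*${esc}\.clientID[[:space:]]*=" "$file" ||
     ! grep -Eq "^[[:space:]]*${esc}\.clientPass[[:space:]]*=" "$file"; then
    echo "missing"
    return 2
  fi

  # The secret is only encrypted when OSP is told so via _attr_obscurity.
  if grep -Eq "^[[:space:]]*${esc}\.clientPass\._attr_obscurity[[:space:]]*=[[:space:]]*ENCRYPT[[:space:]]*$" "$file"; then
    echo "ok-encrypted"
    return 0
  fi

  echo "plaintext"
  return 1
}

# Demo on constructed sample files (the encrypted value is the truncated
# placeholder from the page, not a real obscurity output).
demo_dir=$(mktemp -d)
printf '%s\n' \
  'com.example.client-id.clientID = client-id' \
  'com.example.client-id.clientPass._attr_obscurity = ENCRYPT' \
  'com.example.client-id.clientPass = InSKM1mSmpWfjPk6etI/....' \
  > "$demo_dir/encrypted.properties"
printf '%s\n' \
  'com.example.client-id.clientID = client-id' \
  'com.example.client-id.clientPass = client-secret' \
  > "$demo_dir/plaintext.properties"

for f in "$demo_dir/encrypted.properties" "$demo_dir/plaintext.properties"; do
  printf '%s: %s\n' "$f" "$(check_osp_client "$f" com.example.client-id || true)"
done
rm -rf "$demo_dir"
```

Run it against the real file, for example `check_osp_client /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties com.example.client-id`, after editing and before restarting OSP; a "plaintext" result means the secret was pasted without the `_attr_obscurity = ENCRYPT` marker and should be replaced with the obscurity-encoded value.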

Step 2/3. Set up Access Graph NetIQ Sync

To configure NetIQ Sync, run the following command:

tctl plugins install netiq

The wizard will prompt for:

  • IDM OSP address – Typically https://idm.example.com/osp or https://osp.idm.example.com
  • IDM API address – Typically https://idm.example.com/IDMProv or https://idmapps.idm.example.com
  • OSP OAuth client ID and secret – The values configured in Step 1 (the plaintext secret, not the obscurity-encoded form stored in the properties file)
  • IDM user and password – A user with read access to the organization

After completing the setup, the wizard will create the necessary Teleport resources and start synchronization.

Step 3/3. View NetIQ resources in Access Graph

Once NetIQ resources are imported, navigate to the Access Graph page to visualize them.

The graph representation will display the relationships between users, groups, roles and resources within your organization.