An Oracle White Paper, March 2013
Oracle Identity Manager Business Overview

Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Contents
Executive Overview ... 2
Introduction ... 2
Key Features ... 6
Simplified Self Service ... 6
Extensible User Interface ... 8
Advanced Identity and Role Administration ... 9
Comprehensive Audit and Compliance Management
Conclusion ... 16

Executive Overview
With the explosive growth in networked communications and ever-increasing collaboration and mobile computing needs, today's enterprises struggle to determine which users have access to what resources and what they are doing with that access. Comprehensive awareness of access, together with enforced governance controls, is essential to reduce the risk that an employee, contractor, or malicious third party with inappropriately assigned access will take advantage of it. It is also critical for complying with regulations that mandate access controls; without it, companies have no way to give auditors meaningful evidence of how and why access was assigned in their environment. For many enterprises, enforcing all such governance controls has been an ongoing challenge that is increasingly difficult to master. Business users are increasingly involved in driving the governance initiative, for example by requesting access or performing delegated administration, activities that were once considered an IT function. A simplified, business-user-friendly experience that is easily customizable has therefore become critical to the overall success of an enterprise's governance initiatives.
In addition, enterprises were in the past challenged by the lack of a unified governance suite from a single vendor. Provisioning, privileged access management, role management, and compliance products evolved independently of each other, which led customers to implement multiple products from multiple vendors as point solutions. As regulatory and provisioning requirements continued to grow and change, such multi-vendor solutions only increased the complexity and cost of managing and integrating these products. As a result, enterprises found themselves relying heavily on each vendor for support and committing significant resources to integration and manual processes, with little assurance that the effort would succeed. Recent research also indicates that organizations can save up to 48% in overall costs by deploying a single-vendor platform solution rather than multi-vendor point solutions.

Introduction
Oracle Identity Governance Suite enables organizations to simplify access grants and access reviews by consolidating the key strengths of its industry-leading provisioning (Oracle Identity Manager), newly released privileged access (Oracle Privileged Access Manager), and role, policy and risk management (Oracle Identity Analytics) products into a common, consistent and unified governance suite.
With a single, converged platform, Oracle Identity Governance Suite can provide benefits such as:
- Increased end-user productivity: consistent and intuitive user interfaces, a common business glossary, immediate access to key applications, role lifecycle management.
- Reduced risk: guaranteed access revocation, detection and management of orphaned accounts, proactive and reactive IT audit policy detection and enforcement, fine-grained authorization controlling who can do what, periodic re-certifications, continuous policy- and role-based access re-evaluation.
- Increased operational efficiency: risk-based identity certification that reduces overall time to certify, automated and repeatable user administration tasks, role consolidation, ease of deployment.
- Reduced total cost: a single-vendor platform for governance, a flexible and simplified customization framework, easy attestation to regulatory requirements, common connectors, standards-based technology.

This overall unified solution is depicted in Figure 1.

Figure 1: Oracle Identity Governance Suite Core Solution Components

This white paper focuses on the key features of Oracle Identity Manager, providing insight into its flexible, secure and scalable architecture for enterprise identity management. Oracle Identity Manager (OIM) automates the administration of user access privileges across a company's resources throughout the entire identity management life cycle, from initial on-boarding to final de-provisioning of an identity. OIM helps answer critical compliance questions: who has access to what resources, and since when? How did users get access to those resources, and why?

Figure 2: Oracle Identity Manager 11g Overview

Figure 2 depicts the overall functions of Oracle Identity Manager. Its flexible architecture can orchestrate complex IT and business processes without requiring invasive changes to application infrastructure, policies or procedures.
This flexibility derives from the product's architecture, which separates core identity administration and provisioning functions into discrete layers. Changes to workflow, policy, data flow, or integration technology are isolated within the respective functional layer, minimizing the impact on applications. In addition, all configuration is done through the web interface, and a powerful extensibility framework allows the interface and its behavior to be tailored to the needs of the business. A wide range of business-user-friendly self-service functions, including a shopping-cart-like experience, lets business users manage their profiles and access through a personalizable and extensible user interface.

Oracle Identity Manager can be used both in enterprise-centric (intranet) environments and in customer/partner-centric (extranet) environments. In extranet environments, OIM's scalability allows enterprises to manage millions of the company's customers and partners that need access: OIM provides centralized onboarding and a combined self-registration interface to multiple enterprise applications, improving operational efficiency and the ability to address growing compliance and privacy regulations through centralized management of external users and partners. These are some of the many reasons why OIM is considered the most advanced enterprise identity management solution available. For more details on Oracle Identity Manager, please visit

Key Features

Simplified Self Service
OIM offers a wide range of self-service functions that enable business users to register for an account and manage their own profiles and credentials. These self-service capabilities pay for themselves many times over through reduced help desk calls and administrative costs.
Self Registration
OIM provides a configurable interface where end users (typically in an extranet environment) can submit a request for an account for themselves in the enterprise. A configurable workflow allows such requests to be approved before the account is created and its details are sent to the user.

Profile Management
Using OIM's self-service interface, users can manage their own mutable profile data: changing their ID, postal address, telephone number, emergency contact information, or password-recovery questions and answers, or setting up a proxy/delegate user to act on their behalf for a specified period of time.

Password Management
OIM's self-service interface enables users to manage the enterprise password used for single sign-on (SSO). OIM then synchronizes this password to all target resources provisioned to the user. OIM enforces compliance of this password with enterprise password policies, which may be authored in OIM itself. For recovery of forgotten passwords, OIM uses the security challenge questions set during the user's first login or captured during self-registration. OIM also provides random password generation, which may be invoked during registration or during an administrator-based password reset; the generated password is compliant with the applicable password policy and may be sent to the user by e-mail, text message, or other notification mechanisms. Additionally, OIM's password management features are integrated with all login- and password-related flows in Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM). The OAAM integration adds password recovery using knowledge-based authentication (KBA) or one-time password (OTP) challenges, and serves as a platform for stronger user and administrator authentication in scenarios that require it.
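The two password-management mechanics described above, policy enforcement and policy-compliant random generation, as an added Python example; this is not code from the white paper or from Oracle Identity Manager, and the rule set, rule names and the username rule are assumptions constructed for the example. It shows the part a practitioner usually gets wrong: the generator must use a CSPRNG, must satisfy the character-class minimums by construction rather than by luck, and must still re-validate the candidate against the rules construction cannot guarantee.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical enterprise password policy (values constructed for this example)."""
    min_length: int = 12
    max_length: int = 64
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*()-_=+[]{};:,.?"
    max_repeat: int = 2          # longest permitted run of one repeated character
    forbid_username: bool = True  # reject passwords containing the login name


def violations(password: str, policy: PasswordPolicy, username: str = "") -> List[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    problems: List[str] = []
    n = len(password)
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length}")

    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in policy.special_chars for c in password),
    }
    minimums = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                "digit": policy.min_digits, "special": policy.min_special}
    for cls, needed in minimums.items():
        if counts[cls] < needed:
            problems.append(f"needs at least {needed} {cls}")

    # Whitespace, control characters and anything outside the policy alphabet.
    allowed = set(string.ascii_letters + string.digits + policy.special_chars)
    if any(c not in allowed for c in password):
        problems.append("contains disallowed characters")

    # Longest run of a single repeated character ("aaaa" style patterns).
    run = longest = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > policy.max_repeat:
        problems.append(f"repeats one character more than {policy.max_repeat} times in a row")

    if policy.forbid_username and len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_password(policy: PasswordPolicy, username: str = "",
                      length: Optional[int] = None) -> str:
    """Generate a random password that satisfies `policy`, using the OS CSPRNG."""
    classes = [
        (string.ascii_uppercase, policy.min_upper),
        (string.ascii_lowercase, policy.min_lower),
        (string.digits, policy.min_digits),
        (policy.special_chars, policy.min_special),
    ]
    length = length or max(policy.min_length, 16)
    if length < sum(need for _, need in classes) or length > policy.max_length:
        raise ValueError("requested length cannot satisfy the policy")
    alphabet = "".join(alpha for alpha, _ in classes)
    rng = secrets.SystemRandom()   # CSPRNG-backed shuffle; never random.random()

    for _ in range(1000):
        # Guarantee every class minimum by construction, fill the remainder
        # uniformly from the whole alphabet, then shuffle so the positions of
        # the guaranteed characters are not predictable.
        chars = [secrets.choice(alpha) for alpha, need in classes for _ in range(need)]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        # Rejection-sample the rules construction cannot guarantee
        # (repeat runs, username substring).
        if not violations(candidate, policy, username):
            return candidate
    raise RuntimeError("could not generate a compliant password; policy may be unsatisfiable")
```

Because the white paper's design synchronizes one enterprise password to every provisioned target, the enterprise policy enforced by `violations` is the floor for all of those targets at once, so it must be at least as strict as the strictest target's own policy.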
Request Catalog
OIM provides a centralized catalog of access rights, including enterprise and application roles, application accounts, and entitlements.

Figure 3: Oracle Identity Manager - Request Catalog

As shown in Figure 3, OIM automatically harvests privileges into the request catalog when new entitlement definitions are detected in a target application or when roles are defined or modified using the product's role administration features. Catalog administrators then enrich the harvested data to make it friendly for business users. In particular, for each role and entitlement in the catalog, administrators can author business-friendly descriptions, list the audit objectives, and set a risk level. The catalog management system automatically populates a set of search tags from the names and descriptions of catalog entities, and catalog administrators can also seed keyword tags by which business users can find roles and entitlements in search results. Administrators can further attach metadata to catalog items, for example the users or roles involved in approval, certification, or manual provisioning fulfillment for the corresponding roles, accounts, or entitlements. Once configured, catalog information is available across the identity governance processes, including request creation, request tracking, approval, request history, manual provisioning, and certification.

Self-Service Access Request
OIM provides a browser-based tool for requesting access. The access request experience follows the shopping cart metaphor used on commercial websites, so users can request access without training on the tool and with only a basic understanding of the organization's roles and entitlements. End users simply search for the roles and entitlements they require by entering keywords.
They can further refine and filter search results using the tool's automated suggestions. Once users find the entitlements they need, they place them in a cart and submit the request.

OIM also supports delegated access requests, meaning a user may request access on behalf of another person. A request can be as simple as a self-service request for access to a single application, or as complex as multiple requested entities (roles, accounts and entitlements) for multiple beneficiaries. OIM enables users to bundle frequently requested privileges and model them as a saved shopping cart. In OIM, a saved shopping cart is called a request profile, and it can be shared with other users. For example, managers who regularly submit similar requests for their direct reports can save the cart from the first request and use the saved request profile to submit subsequent requests for other employees who require the same access (e.g., a bank branch manager creates a teller cart).

Tracking a Request
Users and helpdesk administrators can track the progress of their requests online through OIM's tracking tool. The tracking tool graphically displays the current state of the request approval in the provisioning workflow: an image shows which steps are complete and which remain to fulfill the request. Using this tool, users can help ensure their requests are handled in a timely fashion.

Handling Requests: Complex Workflows
OIM allows approvers to take various actions on an access request without significant difficulty. In addition to approving or denying the request, the approver may delegate the approval step to another person or role. Because approvals can become critical to overall user productivity, the system also supports configurable approval reminders and escalations. The approver may change the requested access information before approval.
The approver may also upload documents as attachments as part of the approval step. Approvers can also approve or reject directly from their e-mail without logging in to the self-service interface. Once the request is approved, OIM initiates the provisioning actions. Some provisioning actions may be automated, if a provisioning connector is deployed for the specific target system, and others may be completed manually. In the case of manual fulfillment, an administrator is assigned a provisioning task, makes the appropriate changes in the target system, and then marks the task completed in OIM. Because approval needs change over time, policy owners can change the approval routing logic through a web interface.

Extensible User Interface
While OIM includes out of the box a complete, business-user-friendly self-service access request capability, organizations may want to customize the tool to match their own user interface standards and principles.

Global Customizations
OIM supports customizations ranging from simple branding, logo, and style-sheet changes to changing the layout of a page or the labels of its widgets. More advanced customizations may extend the out-of-the-box definitions of entities such as users, roles, organizations, and catalog entities by defining additional attributes on them and choosing the UI pages on which the new attributes appear. New attributes may be added to search criteria, search results, forms, and other UI screens. The system also provides a sandbox environment in which to make, test, commit, or roll back such customizations without impacting other users. Once the customizations are final, they can be moved easily from one environment to another.

Personalization
OIM provides a powerful personalization framework as part of its business user interface.
Each user sees a home page with multiple regions for the most commonly used features and information, and business users can personalize the layout of the home page by rearranging or hiding regions. Non-technical users such as helpdesk administrators or delegated administrators often run the same query repeatedly against various entities; rather than re-entering the criteria each time, users can save their searches and reuse them across sessions. Business users can also personalize how UI widgets are rendered: they can decide which columns to show in tables, set sort preferences, and choose how much space each column receives. The system stores any changes a user makes to the view and applies these preferences at the user's next login.

Durability of UI Customizations
UI customizations in OIM can be performed by drag-and-drop editing in a web browser, without complex programming or proprietary scripting. The customizations are stored in a specialized, reserved namespace in OIM's metadata repository so that they are durable and survive patching and upgrades. After patching and upgrades, customers are not required to reapply their customizations, which eliminates merge and testing cycles and makes it easier to keep deployments current.

Advanced Identity and Role Administration
Users' access rights are managed in OIM throughout the identity lifecycle. When new users are onboarded, they receive a set of accounts and entitlements based on the applicable birthright provisioning policies. Account and entitlement assignments may change as users' identity attributes change in the enterprise as a result of promotions, transfers, or other organizational changes; OIM automatically provisions these changes to the target systems.
Users may also obtain additional access by requesting roles, accounts, or entitlements through OIM's self-service capabilities. When a user's employment is terminated, OIM ensures that all of their accounts are disabled or de-provisioned according to the enterprise policies configured in OIM. Automatic assignment and provisioning of accounts and entitlements increases employee productivity by eliminating the long manual cycles typically required to provision accounts by hand. Similarly, automatic de-provisioning of accounts and entitlements supports compliance with key regulatory requirements by ensuring that terminated employees cannot access key corporate applications after termination.

OIM Data Warehouse
The core of OIM is its centralized identity warehouse. The identity warehouse contains three key types of data:

Identities: Users' identities may be created from authoritative systems or directly in OIM using self-service or delegated administration features. OIM can create user accounts and reconcile attributes and access based on data from any number of authoritative systems, such as Oracle E-Business HRMS or PeopleSoft HRMS. OIM ships with a default set of user profile attributes, but customers can change the composition of user profiles by adding, modifying, or removing attributes. User identities are stored in OIM's database, but OIM can synchronize the database with any number of LDAP directories. Many customers synchronize the identities created in OIM into an LDAP directory to establish an enterprise LDAP that is wired to the authentication and authorization systems needing access to users' identity attributes.

Accounts: OIM reconciles users' account attributes and provisioned entitlements from the various target systems and stores the associated account information with users' profiles.
Access Catalog: Catalog data includes all entitlement and role definitions, with their associated keywords and metadata, to support catalog searches and access requests.

Advanced Delegated Administration
OIM employs a delegated administration system that uses logical organizations to control the visibility of data to delegated administrators. Logical organizations control the scope of a user's delegated administration functions within an organizational hierarchy and ensure that users can view and manage only those users and entities they are authorized to view and manage. All managed entities, including roles, entitlements, and application or target instances, are published to a set of logical organizations and are available for request only to the users of those organizations. Such delineation of entities is mandatory if an enterprise wants to limit what each user can see and request. In a typical extranet deployment, an enterprise can define delegated administrators for, say, Supplier, Partner and Customer organizations, each able to perform a different set of operations. In OIM, each of these can be modeled as a logical organization, and each one can have a set of de
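The reconciliation that the identity warehouse section describes (correlating target-system accounts to identities) is what makes the guarantees in the Advanced Identity and Role Administration section checkable: terminated users with still-enabled accounts, orphaned accounts with no owning identity (the "detect and manage orphaned accounts" benefit from the Introduction), and active users missing a birthright account. The following is an added Python example, not code from the white paper or from Oracle Identity Manager; the HR feed, the target-system exports, the birthright set and the remediation strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Identity:
    user_id: str
    status: str            # "active" or "terminated" (constructed HR feed values)


@dataclass(frozen=True)
class Account:
    system: str            # target application the account lives in
    account_name: str
    owner_id: str          # identity the account is correlated to; "" if uncorrelated
    enabled: bool


@dataclass(frozen=True)
class Finding:
    kind: str              # "orphan" | "terminated_active" | "missing_birthright"
    system: str
    account_name: str
    action: str            # remediation the reconciliation run would raise


# Constructed sample data: an authoritative HR feed and exports from two targets.
HR_FEED = [
    Identity("u1001", "active"),
    Identity("u1002", "terminated"),
    Identity("u1003", "active"),
]
TARGET_EXPORTS = [
    Account("ad", "alice", "u1001", True),
    Account("ad", "bob", "u1002", True),        # terminated owner, still enabled
    Account("ad", "svc_backup", "", True),      # never correlated to any identity
    Account("sap", "ALICE", "u1001", True),
    Account("sap", "BOB", "u1002", False),      # already disabled: nothing to do
    Account("sap", "CAROL", "u1003", True),
    Account("sap", "GHOST42", "u9999", True),   # owner no longer in the HR feed
]
BIRTHRIGHT: Set[str] = {"ad"}   # every active identity must hold an account here


def reconcile(identities: List[Identity], accounts: List[Account],
              birthright: Set[str] = BIRTHRIGHT) -> List[Finding]:
    """Correlate target accounts to identities and report policy violations."""
    by_id: Dict[str, Identity] = {i.user_id: i for i in identities}
    held: Dict[str, Set[str]] = {}      # user_id -> systems where an account exists
    findings: List[Finding] = []

    for acct in accounts:
        owner = by_id.get(acct.owner_id)
        if owner is None:
            # No authoritative identity owns this account: orphan. Disabling
            # rather than deleting preserves evidence for the review.
            findings.append(Finding("orphan", acct.system, acct.account_name,
                                    "disable and route to application owner for review"))
            continue
        held.setdefault(owner.user_id, set()).add(acct.system)
        if owner.status == "terminated" and acct.enabled:
            findings.append(Finding("terminated_active", acct.system, acct.account_name,
                                    "disable immediately (access revocation policy)"))

    # Birthright gap: an active identity with no account in a mandatory system.
    for ident in identities:
        if ident.status != "active":
            continue
        for system in sorted(birthright - held.get(ident.user_id, set())):
            findings.append(Finding("missing_birthright", system, f"<{ident.user_id}>",
                                    "provision per birthright policy"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure an audit report would lead with."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_FEED, TARGET_EXPORTS):
        print(f"{f.kind:20} {f.system:4} {f.account_name:12} -> {f.action}")
    print(summarize(reconcile(HR_FEED, TARGET_EXPORTS)))
```

Note that the uncorrelated service account and the account whose owner vanished from the feed are both reported as orphans: correlation failure and a stale owner reference look identical from the target's side, which is why the example disables and routes for review rather than deleting.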