To learn more about Directory Concepts and how we can help your organisation please contact a Directory Concepts relationship manager near you: Sydney Melbourne Brisbane Wellington National Support: or
Using an organisation’s identity information to enable TRIM
Agenda Introduction Identity Lifecycle Management Integrating TRIM
Who are Directory Concepts? Offices Brisbane, Sydney, Melbourne and Wellington 6o+ technical staff across these locations 10 years speciality in identity driven solutions Platinum partner status with Novell Technical staff are recognised in the industry as maintaining the deepest identity specialty skill set in the Asia Pacific region Consult and support to government on identity and access management across the region
DC Offerings Consulting Services Architecture Consultancy Business analysis Design Project management Professional Services Project build and deploy Post project support Specialty managed services 24 x 7 helpdesk services Contract onsite services
Introductions My background? ─ Software Development (corporate and startup) ─ Experience in Education, Financial and Government sectors ─ Head of Development Vertical at Directory Concepts
Information Management (IM) Documents Identities Identity Management (IDM)
Identity Lifecycle Management What does it promise? ─ Automation of the process to manage access rights from the day a user is hired until the day they leave the organisation ─ Consistent and accurate information and access rights across all connected systems So what is it?
Identity Lifecycle Management
Key Elements of Identity Management Identity Integration Roles management Integrated workflows and provisioning policies Self Service
Identity Integration Roles management Integrated workflows and provisioning policies Self Service Key Elements of Identity Management
Business Issue: Your Enterprise has many Identity Stores Human Resources Network/NOS Directory Enterprise Application PBX Identity Stores Many of your Enterprise’s applications own a piece of the User's Identity. This Identity data can be expensive to maintain. The Data may not be shared by everyone who needs it. This Data may not be accurate, consistent or kept up to date.
Novell's Solution: Create a Central Identity Vault Human Resources Network/NOS Directory Enterprise Application PBX Identity Stores Identity Isolation problems can be solved by creating an Identity Vault. A location for centralized identity management Many applications share the same identity data and authentication and authorization functionality Lays foundation for access control Provides basis for role-based personalization based on rights Identity Vault
The Solution: Advanced Identity Synchronization Human Resources Network/NOS Directory Enterprise Application PBX Identity Stores In order to aggregate this identity data into the Identity Vault we utilize Identity Synchronization technology. This allows you to utilize data owned by many systems to create a single rich identity It allows for distributed ownership of portions of an identity, while allowing a single, centralized identity that can be leveraged by a myriad of systems. Identity Vault
Distributed Ownership of Data a centralized view Help Desk System System File & Print PBX HR System Identity Vault Address First Name Last Name Employee ID Address Location Phone Number Network Address First Name Last Name Location Address First Name Last Name First Name Last Name Location First Name Last Name Employee ID Location User ID
Novell IDM Application Coverage
Key Elements of Identity Management Identity Integration Roles management Integrated workflows and provisioning policies Self Service
Roles Management Maps Business Roles to IT Entitlements Assign users to Roles based on business policies and an exception approval process
Novell Solution: Roles Based Provisioning Module Role represents business function/position Business and user centric (authorisation workflows) Assign resources to roles and then assign the roles to the users or groups or organisational units (Inheritance) Delegation Separation of duties
Novell Identity Manager Roles Based Provisioning Module 20 Integrated Roles Management & Workflow
Key Elements of Identity Management Identity Integration Roles management Integrated workflows and provisioning policies Self Service
Novell Solution: Automated Provisioning Human Resources Network/NOS Directory Enterprise Application Financial Application Identity Stores In order to give user's access to the resources they need we utilize dynamic provisioning capabilities. This allows Identity Manager to capture events that occur in an authoritative system such as an HR system The Identity Management system provisions user in realtime based on policies Identity Vault Policies HR Personnel
Novell Solution: Workflow Based Provisioning Human Resources Network/NOS Directory Enterprise Application Financial Application Identity Stores In situations where access to resources should require approval, a user facing provisioning environment is created. Users only see the resources that they can request based on their Identity Policies determine who should approve access to the resource Identity Vault Policies User Application User User's Manager
Novell Solution: Workflow Based Provisioning Human Resources Network/NOS Directory Enterprise Application Financial Application Identity Stores The Manager can access the Provisioning User Application. Here the manager can deny or approve the request Access is Granted immediately Identity Vault Policies User Application User User's Manager
Workflows - simple
Workflow Features Highly flexible ─ Can be as simple or complex as desired Time-outs and escalation Third-party integration (SOAP/Web Services) ─ Generate service desk tickets Can be user initiated or automatically initiated Customisable forms
Business Process Automation
Key Elements of Identity Management Identity Integration Roles management Integrated workflows and provisioning policies Self Service
End Users: typical issues Unfavourable user experience ─ Required to call service desk ─ “I have too many passwords” Service desk over-utilisation ─ Password resets ─ Simple requests (file access etc.) Security ─ Users creating their own credential store Lost productivity
Case Study Organisation with 2000 users ─ 3592 password resets (forgotten/expired) ─ 1162 requests for additional access 3592 password resets pa ─ Gartner: ~25AUD (22USD) for each password reset ─ 3592 x 25 = $89,800* pa 1162 file access requests pa ─ ~15 minutes to complete each request ─ 1162 x 15 = minutes = 290 hrs = 36 days * Does not account for lost productivity
User Application Web-based interface to display and allow users to view and manage identity data in the identity vault. – Organization Charts – White Pages – Profile management – Password management
Novell ® Identity Manager Novell Identity Manager delivers: User Provisioning Roles Based Access Control Identity Integration Password Management Delegated Administration/Self Service Automated workflows (both data driven and approval driven) Databases GroupWise PeopleSoft LDAP Directories Mainframes Windows Server BMC Remedy Notes Avaya PBX Administer my resources or workgroup Search / browse users or resources Request access to resources Recover forgotten password Self-administration Approved Identity and provisioning environment Identity Vault
Identity Manager Reach global customers Tighter supplier relationships More productive partnerships Consistent security policy Immediate system-wide access updates Consistent identity data Automated risk mitigation Enterprise SoD Eliminate redundant administration tasks Reduce helpdesk burden Fast employee ramp-up User self service Focused, personalized content Delegated Administration Comprehensive profile view Password management Identity Management SOD requirements Role-based access Least privilege access Real-time visibility and disclosure Basic compliance reporting Business Facilitation Governance & Security Increased Productivity & Cost Reduction Regulatory Compliance Increase Service Level Allow the enterprise to address Pain Points and business initiatives from the IT Manager to the CxO
Integration with HP TRIM Connecting Translating Access Control
Connecting User Lifecycle Integration ─ Indirect Database Staging Table ─ Direct Web Services via SOAP Connector –Stateless Custom IDM Connector –“Stateful” –Bi-directional
Translating Mapping LDAP Classes to TRIM Locations ClassLocation UserPerson GroupGroup/Project Team/Workgroup Organizational UnitOrganization
Managing Locations Create, Update and Delete ─ Persons ─ Workgroups ─ Organisational Units
Access Control Some Options ─ Minimal rights initially, manually adjusted by TRIM administrator ─ Based on Org Unit, Group membership, other identity attribute ─ Configurable via On-Boarding application
Case Study Government Department in Victoria Involves multiple systems Simple workflow via ‘Best guess’ for access based on Org Unit then modified/approved by TRIM administrator
Conclusion IDM integrated with TRIM can ─ Reduce the cost of managing user and access management ─ Provide timely and secure access to services like TRIM ─ Increase business leaders trust in IT, in regard to compliance ─ Reduce the risk of human error ─ Strengthen security without raising costs or diminishing productivity
Questions?
Directory Concepts Come and visit us if you have any further questions or would like more information on Identity Management