Oracle® Identity and Access Management Introduction
10g (10.1.4.0.1)
Part Number B31291-01

9 Oracle Identity Manager

The Oracle Identity Manager platform automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager instantly connects users to resources they need to be productive and revokes and restricts unauthorized access to protect sensitive corporate information.

The identity audit and compliance automation component of Oracle Identity Manager also provides automated attestation and reporting.

This chapter describes the architecture, benefits, and key features of Oracle Identity Manager. It contains the following topics:

9.1 Benefits of Oracle Identity Manager

Automating user identity provisioning can reduce IT administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Compliance initiatives focus on the enforcement of corporate policies as well as the demonstration of compliance with these standards. An enterprise identity management solution can provide a mechanism for implementing the user management aspects of a corporate policy, as well as a means to audit users and their access privileges. Oracle's enterprise user provisioning solution is Oracle Identity Manager.

Due to a number of recent government and industry initiatives, corporations must stringently enforce internal controls and regulatory compliance. All organizations with tradeable securities in US markets are required to authorize and validate user identity information for all internal and external users, including their entitlements, as well as the access policies and workflow processes defined by and in use within various divisions of the organization. The process of authorizing established internal controls, processes, policies, programs, and data is commonly referred to as attestation.

In most corporate entities, attestation is performed by using manual processes and spreadsheets, which can be very time consuming and costly. Such manual processes are subject to human error and must be repeated at every audit. By automating these routine tasks, organizations can realize significant time and cost savings. Oracle provides automated attestation using the identity audit and compliance automation component of Oracle Identity Manager.

Automated attestation capabilities allow organizations to quickly generate reports across the organization's business and IT environment. Automated attestation complements existing internal control mechanisms and provides a means of verifying the data, practices, and policies put in place for ensuring compliance. This is particularly critical when the user population is large and dynamic. The use of automated attestation features enables organizations to create and follow standard practices and policies across various departments within an organization, while ensuring that the organization is meeting diverse regulatory compliance requirements. This can be achieved without costly, time-consuming, and error-prone manual processes.

9.2 Features of Oracle Identity Manager Provisioning

Key features and functionalities of Oracle Identity Manager provisioning are:

Scalable Architecture—The J2EE application server model of Oracle Identity Manager provides scalability, failover, and load-balancing, and inherent Web deployment. Based on an open, standards-based technology, and featuring a three-tier architecture (the Client application, Oracle Identity Manager supported J2EE-compliant Application Server and ANSI SQL-compliant database), Oracle Identity Manager can provision both LDAP and non-LDAP enabled applications.

Extensive User Management—Oracle Identity Manager includes unlimited user organizational hierarchies and user groups with inheritance, customizable User ID policy management, password policy management, and user access policies that reflect customers' changing business needs. Oracle Identity Manager also provides a resource allocation history, and the ability to manage application parameters and entitlements. Delegated administration is also a key element of user management with comprehensive permission settings.

Web-based User Self-Service—Oracle Identity Manager contains a customizable Web-based user self-service portal with the ability to manage user information, change and synchronize passwords, reset forgotten passwords, request available applications, review and edit available entitlements, and effect or react to workflow tasks.

Powerful and Flexible Process Engine—With Oracle Identity Manager, you can create business and provisioning process models in easy-to-use applications, such as Microsoft Project and Microsoft Visio. Process models include support for approval workflows and escalations. You can track the progress of each provisioning event, including the current status of the event and error code support. Oracle Identity Manager provides support for complex, branching, self-healing processes, and nested processes with data interchange and dependencies. The process flow is fully customizable and does not require programming.

Integration Using the Adapter Factory™—Attempting to support all systems with hand-coded adapters is impractical. Thus, Oracle has developed an automated tool for adapter generation. This tool, the Adapter Factory, supports a wide range of interfaces and virtually any application or device. These adapters run on the Oracle Identity Manager server, and do not require agents to be installed or updated on target platforms. In situations where the target application resource does not have a network-enabled interface, you can create remote integration by using UDDI/SOAP-based support. With the Adapter Factory, integrations that take months to implement can now be accomplished in a few days. Numerous adapters can be generated instantly. With the Adapter Factory, not only can you keep existing integrations updated, you can also support new integration needs quickly. Oracle Identity Manager has the ability to run programs on external third-party systems using the remote managers.

Built-in Change Management—Oracle Identity Manager enables you to package new processes, import and export existing ones, and move packages from one system to another.

9.3 How Oracle Identity Manager Provisioning Works

The Oracle Identity Manager architecture consists of three tiers: the client, the application server, and the database.

The Oracle Identity Manager three-tier architecture is shown in Figure 9-1.

Figure 9-1 Oracle Identity Manager Three-Tier Architecture


9.3.1 Tier 1: Client

The first tier provides two distinct interfaces, the Java Administrative and User Console applications.


Note:

This guide contains information related solely to the behavior of the Design Console edition of the Oracle Identity Manager product. For information on the functions and usage of the Oracle Identity Manager Administrative and User Console, refer to the Oracle Identity Manager Administrative and User Console Guide.

The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client, which interacts with the Oracle Identity Manager server and provides it with the user's login credentials. The Oracle Identity Manager server then validates these credentials. In addition, through the Oracle Identity Manager client, you can submit requests to search for information in the database as well as save, edit, or delete that information.

9.3.2 Tier 2: Application Server

The second tier implements the business logic, which resides in the Java Data Objects that are managed by the supported J2EE application server (JBoss application server, BEA WebLogic, and IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application, but they do not expose any methods to the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.

The Oracle Identity Manager supported J2EE-compliant application server is the only component that interacts with the database and is responsible for:

  • Logging into Oracle Identity Manager: The Oracle Identity Manager supported J2EE-compliant application server connects the Oracle Identity Manager client to the database.

  • Handling Client Requests: The Oracle Identity Manager supported J2EE-compliant application server processes requests from the Oracle Identity Manager client. It then sends the appropriate information from these requests to the database. The Server also delivers responses from the database to the client.

  • Scalability (Connection Pooling/Sharing): The Oracle Identity Manager supported J2EE-compliant Application Server supports single- or multi-application usage in a manner that is transparent to Oracle Identity Manager clients. Connection pooling improves database connectivity performance and dynamically resizes the connection pool by optimizing resources for usage scalability.

  • Securing System-Level Data (Metadata): Oracle Identity Manager employs row-level security to prevent unauthorized access by users who might otherwise accidentally delete or modify system-level information (system metadata).


Note:

If an unauthorized user attempts to add, modify, or delete system-level information, the following message is displayed:

"The security level for this data item indicates that it cannot be deleted or updated."


9.3.3 Tier 3: Database

The third tier consists of the database. This is the layer that is responsible for managing the storage of data within Oracle Identity Manager.

9.4 Features of Oracle Identity Manager Attestation and Reporting

Attestation is the process of having people or system managers confirm people's access rights on a periodic basis. Existing Sarbanes-Oxley requirements require enterprises to perform attestation for all financially significant systems every 3 to 6 months. Identity Manager includes a highly flexible attestation solution to help enterprise customers meet these regulatory requirements in a cost-effective and timely manner. By setting up Attestation Processes in Identity Manager, enterprise customers can automate the process of generation, delivery, review, sign-off, delegation, tracking, and archiving of user access rights reports for reviewers on a scheduled or ad-hoc basis.

This section contains the following topics:

9.4.1 General Features

Key features of Oracle's current attestation offering include:

  • Step-by-step definition of attestation processes

  • On-demand or periodic scheduling of attestation tasks and processes

  • Attestation of users' fine-grained entitlements across multiple resources

  • Ability to tag resources as "financially significant" for participation in the attestation process

  • Ability to certify, reject, decline, or delegate each item in an attestation request

  • Fine-grained attestation actions for each entitlement for each user for each resource

  • Notifications to reviewers, users, and process owners regarding attestation actions

  • Reports on attestation requests processed, summarized by reviewer, by user, and by resource

  • Archiving of attestation data, for periodic auditing and reporting

  • Archiving of attestation actions taken, for periodic auditing and reporting

9.4.2 Types of Reports

Oracle Identity Manager currently provides two types of attestation reports:

  • Operational Reports—Present a snapshot of current status. They include:

    • User Entitlements (Who Has What)—This report provides administrators or auditors the ability to query entitlements for users that match the query parameters. This report can be used for operational and compliance purposes. This is an operational report, not a historical report.

    • Resource Access List—This report provides administrators or auditors the ability to query all existing users provisioned to a resource. This report can be used for operational and compliance purposes. This is an operational report, not a historical report.

    • Group Membership—This report provides administrators or auditors the ability to view lists of groups and their members, across all resources in the provisioning environment. This report can be used for operational and compliance purposes. This is a group membership snapshot report across all resources, not a historical report.

  • Historical Reports—Provide a view of historical data. They include:

    • User Access History (Who Had What)—This report provides administrators or auditors the ability to view a user's resource access history over the user's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a user access profile snapshot report; it is a lifetime report showing the entire history of the user's entitlements.

    • Resource Access List History—This report provides administrators or auditors the ability to query all users provisioned to a resource over its lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a resource access list snapshot report; it is a lifetime report showing the entire history of the resource's access list and entitlements.

    • User Profile History—This report provides administrators or auditors the ability to view a user's profile history over the user's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a user profile snapshot report; it is a lifetime report showing the entire history of the user's profile.

    • User Membership History—This report provides administrators or auditors the ability to view a user's membership history in user groups over the user's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a membership snapshot report; it is a lifetime report showing the entire history of the user's group memberships.

    • Group Membership History—This report provides administrators or auditors the ability to view a user group's historical membership over the group's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a group membership snapshot report; it is a lifetime report showing the entire history of the group's membership.

    • User Lifecycle—This report provides administrators or auditors the ability to obtain full information detailing all account-related data about a specific user (user identity lifecycle) within the corporate environment. This report can be used for compliance and forensic auditing purposes. This is not a user profile snapshot report; it is a lifetime report showing the entire history of the user's profile and the user's entitlements in various resources.
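The operational-versus-historical distinction above is easiest to see when both report kinds are derived from the same provisioning log. The following is an added Python illustration, not Oracle code or the product's reporting engine: it replays a constructed event log to produce an operational Resource Access List (optionally as of an earlier date) and the matching Resource Access List History. The event format and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One provisioning event recorded for a user's entitlement on a resource."""
    when: str  # ISO date, so string order is chronological order
    user: str
    resource: str
    entitlement: str
    action: str  # "grant" or "revoke"

# Constructed sample provisioning log (not real OIM data)
EVENTS = [
    Event("2006-01-10", "alice", "AD", "Domain Users", "grant"),
    Event("2006-01-10", "bob", "AD", "Domain Users", "grant"),
    Event("2006-02-01", "alice", "GL", "Poster", "grant"),
    Event("2006-03-15", "bob", "GL", "Approver", "grant"),
    Event("2006-04-02", "alice", "GL", "Poster", "revoke"),
    Event("2006-05-20", "carol", "GL", "Approver", "grant"),
]

def who_has_what(events, as_of: Optional[str] = None):
    """Operational 'User Entitlements' view: entitlements held at one moment.
    Replaying the log only up to as_of shows a snapshot is one point on the history."""
    held = set()
    for e in sorted(events, key=lambda e: e.when):
        if as_of is not None and e.when > as_of:
            break
        key = (e.user, e.resource, e.entitlement)
        if e.action == "grant":
            held.add(key)
        else:
            held.discard(key)  # a revoke with no matching grant is ignored
    return sorted(held)

def resource_access_list(events, resource, as_of=None):
    """Operational 'Resource Access List': users currently provisioned to a resource."""
    return sorted({u for (u, r, _) in who_has_what(events, as_of) if r == resource})

def resource_access_history(events, resource):
    """Historical 'Resource Access List History': every user ever provisioned to the
    resource, with the grant/revoke interval of each entitlement (None = still held)."""
    history = {}
    for e in sorted(events, key=lambda e: e.when):
        if e.resource != resource:
            continue
        intervals = history.setdefault((e.user, e.entitlement), [])
        if e.action == "grant":
            intervals.append((e.when, None))
        elif intervals and intervals[-1][1] is None:
            intervals[-1] = (intervals[-1][0], e.when)
    return history
```

Note that alice appears in the GL history but not in the current GL access list, which is exactly the gap a forensic audit relies on the historical report to close.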

9.5 How Oracle Identity Manager Attestation and Reporting Work

An attestation process, as defined in Oracle Identity Manager (OIM), includes the reviewers, the data to be attested to, and the schedule for attestation tasks.

Oracle's automated attestation capabilities involve presenting user identity and fine-grained entitlement data to authorized reviewers for sign-off on the accuracy of the data and providing reviewers with the means to document and correct any inaccuracies. Attestation processes can be run on demand or can be scheduled for periodic execution at regular intervals, whether it is once a year, once every six months, or once every quarter.

The data to be attested to can range from basic user profile data to access privileges or entitlements assigned to users and roles. Specific actions that can be undertaken by a reviewer for attestation include the ability to certify, reject, decline, or delegate each entry in the attestation request. Reviewers can enter specific comments for each entry in the request to justify the action taken, and they can enter generic comments that apply to all entries in the request.

Each attestation request may contain a number of entries, for instance, one for each entitlement assigned to each user. The reviewer has the ability to take one of four actions—certify, reject, decline, or delegate—for each of these entries. The reviewer can select responses for some of the entries in the request, save the selections, then review the request again at a later time to complete the actions for other entries, and finally submit the entire attestation request for processing. E-mail notifications are sent to the reviewer and the users affected, so they are aware of the actions taken on the data. Each of these attestation requests is archived for subsequent auditing and reporting.

Resources can be tagged as "financially significant", and the user entitlements for such resources are automatically selected to participate in attestation processes. Optionally, specific resources that are not tagged as financially significant can also be selected for attestation on demand.

All data and actions taken on attestation requests are also archived for subsequent auditing and reporting purposes.

The process flow is as follows. First, a scheduled or on-demand attestation request is generated and a snapshot of the data required for the attestation task is compiled. The reviewer is then notified of the attestation request. The reviewer logs into the system and views the attestation request displayed in his/her attestation inbox. The attestation request is typically composed of a number of entries, one for each item of user profile data or user entitlement data to be attested to for each user. The reviewer can make one of four selections for each entry: certify, reject, decline, or delegate.

The reviewer has the option of making the selections only for a subset of the entries in the request, saving the actions taken, and then returning at a later time to complete the attestation request. The reviewer can also enter individual comments for each entry or a generic comment for all entries in the request. Once the reviewer has completed taking an action for each entry, he/she can submit the entire attestation request for further processing. At this point, e-mail notifications are sent to the reviewers, the users, and the process owners associated with this attestation request.
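The request flow described in this section, modelled as an added Python example (not Oracle code and not the product's API): entries are selected from financially significant resources plus any named on demand, the reviewer records one of the four actions per entry with an optional comment, partial progress can be saved, submission is refused until every entry has an action, and the notification recipients (reviewer, affected users, delegates, process owner) are derived from the finished request. Class and function names, and the sample snapshot, are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    CERTIFY = "certify"
    REJECT = "reject"
    DECLINE = "decline"
    DELEGATE = "delegate"

@dataclass
class Entry:
    user: str
    resource: str
    entitlement: str
    action: Optional[Action] = None
    comment: str = ""
    delegate_to: Optional[str] = None  # set only when action is DELEGATE

def select_entries(snapshot, financially_significant, on_demand=()):
    """Build the request from a (user, resource, entitlement) snapshot: entitlements on
    tagged resources participate automatically, others only when named on demand."""
    wanted = set(financially_significant) | set(on_demand)
    return [Entry(u, r, e) for (u, r, e) in snapshot if r in wanted]

class AttestationRequest:
    def __init__(self, reviewer, process_owner, entries):
        self.reviewer, self.process_owner = reviewer, process_owner
        self.entries = entries
        self.submitted = False

    def act(self, index, action, comment="", delegate_to=None):
        """Record the reviewer's decision on one entry; saving partial progress is allowed."""
        if self.submitted:
            raise ValueError("request already submitted")
        if action is Action.DELEGATE and not delegate_to:
            raise ValueError("delegate requires the new reviewer's name")
        entry = self.entries[index]
        entry.action, entry.comment = action, comment
        entry.delegate_to = delegate_to if action is Action.DELEGATE else None

    def pending(self):
        """Indexes of entries that still have no action."""
        return [i for i, e in enumerate(self.entries) if e.action is None]

    def submit(self):
        """Accepted only when every entry has an action; returns who gets notified."""
        if self.pending():
            raise ValueError(f"entries without an action: {self.pending()}")
        self.submitted = True
        recipients = {self.reviewer, self.process_owner} | {e.user for e in self.entries}
        recipients |= {e.delegate_to for e in self.entries if e.delegate_to}
        return sorted(recipients)

# Constructed sample snapshot (not real OIM data); GL is the financially significant resource
SNAPSHOT = [("alice", "GL", "Poster"), ("bob", "GL", "Approver"), ("bob", "Wiki", "Editor")]
```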