Chapter 1 Identity Manager Overview

The Sun Identity Manager system allows you to manage and audit access to accounts and resources. By giving you the capabilities and tools to quickly handle periodic and daily user-provisioning and auditing tasks, Identity Manager facilitates exceptional service to internal and external customers.

The Big Picture

Today’s businesses require increased flexibility and capabilities from its IT services. Historically, managing access to business information and systems required direct interaction with a limited number of accounts. Today, managing access means handling not only increased numbers of internal customers, but also partners and customers beyond your enterprise.

The overhead created by this increased need for access can be substantial. As an administrator, you must effectively and securely enable people – both inside and outside your enterprise – to do their jobs. And after you provide initial access, you face continuing detailed challenges, such as forgotten passwords, and changed roles and business relationships.

Additionally, businesses today face strict requirements governing the security and integrity of critical business information. In an environment dictated by compliance-related legislation – such as the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley (GLB) Act – the overhead created by monitoring and reporting activities is substantial and costly. You must be able to respond quickly to changes in access control, as well as satisfy the data-gathering and reporting requirements that help keep your business secure.

Identity Manager was developed specifically to help you manage these administrative challenges in a dynamic environment. By using Identity Manager to distribute access management overhead and address the burden of compliance, you facilitate a solution to your primary challenges: How do I define access? And once defined, how do I maintain flexibility and control?

A secure, yet flexible design lets you set up Identity Manager to accommodate the structure of your enterprise and answer these challenges. By mapping Identity Manager objects to the entities that you manage – users and resources – you significantly increase the efficiency of your operations.

In a service provider environment, Identity Manager extends these capabilities to managing extranet users as well.

Goals of the Identity Manager System

Manage account access to a large variety of systems and resources.

Securely manage dynamic account information for each user’s array of accounts.

Set up delegated rights to create and manage user account data.

Handle large numbers of enterprise resources, as well as an increasingly large number of extranet customers and partners.

Securely authorize user access to enterprise information systems. With Identity Manager, you have fully integrated functionality to grant, manage, and revoke access privileges across internal and external organizations.

Keep data synchronized by not keeping data. The Identity Manager solution supports two key principles that superior systems management tools should observe:

The product should have minimal impact on the system it is managing, and

The product should not introduce more complexity to your enterprise by adding another resource to manage.

Define audit policies to manage compliance with user access privileges and manage violations through automated remediation actions and email alerts.

Conduct periodic access reviews and define attestation review and approval procedures that automate the process of certifying user privileges.

Monitor key information and audit and review statistics through the dashboard.

Defining User Access to Resources

Users in your extended enterprise can be anyone with a relationship to your company, including employees, customers, partners, suppliers, or acquisitions. In the Identity Manager system, users are represented by user accounts.

Depending on their relationships with your business and other entities, users need access to different things, such as computer systems, data stored in databases, or specific computer applications. In Identity Manager terms, these things are resources.

Because users often have one or more identities on each of the resources they access, Identity Manager creates a single, virtual identity that maps to disparate resources. This allows you to manage users as a single entity. See Figure 1-1.

To effectively manage large numbers of users, you need logical ways to group them. In most companies, users are grouped into functional departments or geographical divisions. Each of these departments typically requires access to different resources. In Identity Manager terms, this type of group is called an organization.

Another way to group users is by similar characteristics, such as company relationships or job functions. Identity Manager recognizes these groupings as roles.

Within the Identity Manager system, you assign roles to user accounts to facilitate efficient enabling and disabling of access to resources. Assigning accounts to organizations enables efficient delegation of administrative responsibilities.

Identity Manager users are also directly or indirectly managed through the application of policies, which set up rules and password and user authentication options.

User Types

Identity Manager provides two user types: Identity Manager Users and Service Provider Users, if you configure your Identity Manager system for a service provider implementation. These types enable you to distinguish users that might have different provisioning requirements based on their relationship with your company, for example extranet users versus intranet users.

A typical scenario for a service provider implementation is a service provider company with internal users and external users (customers) that it wants to manage with Identity Manager. For information about configuring a service provider implementation, see Identity Manager Service Provider Deployment.

Delegating Administration

To successfully distribute responsibility for user identity management, you need the right balance of flexibility and control. By granting select Identity Manager users administrator privileges and delegating administrative tasks, you reduce your overhead and increase efficiency by placing responsibility for identity management with those who know user needs best, such as a hiring manager. Users with these extended privileges are called Identity Manager administrators.

Delegation only works, however, within a secure model. To maintain an appropriate level of control, Identity Manager lets you assign different levels of capabilities to administrators. Capabilities authorize varying levels of access and actions within the system.

The Identity Manager workflow model also includes a method to ensure that certain actions require approval. Using workflow, Identity Manager administrators retain control over tasks and can track their progress. For detailed information about workflow, see Identity Manager Workflows, Forms, and Views.

Identity Manager Objects

A clear picture of Identity Manager objects and how they interact is crucial to successful management and deployment of the system. These objects are:

User Accounts

A user is anyone who holds an Identity Manager system account. Identity Manager stores a range of data for each user. Collectively, this information forms a user’s Identity Manager identity.

The user account setup process is dynamic. Depending on the role selection you make during account setup, you may provide more or less resource-specific information to create the account. The number and type of resources associated with the assigned role determine how much information is required at account creation.

Administrators are users with additional privileges to manage user accounts, resources, and other Identity Manager system objects and tasks. Identity Manager administrators manage organizations, and are assigned a range of capabilities to apply to objects in each managed organization.

Roles

A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types:


Note	When naming Identity Manager objects, do not use the following characters: ' (apostrophe), . (period), \| (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), \ (backslash), or = (equals sign). The following characters should also be avoided: _ (underscore), % (percent-sign), ^ (caret), and * (asterisk).

Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Typically, Business Roles represent user job functions.

IT Roles, Applications, and Assets organize resource entitlements (or access rights) into groups. To provide users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs.

IT Roles, Applications, and Assets can be required, conditional, or optional. A required resource will always be assigned to the user. A conditional resource has conditions that must evaluate to true in order for the resource to be assigned. An optional resource can be requested separately, and, upon approval, assigned to the user.

Because resources can be conditional or optional, users with the same general job description can have the same Business Role, but still have different access rights. This approach allows a Business Role designer to define coarse-grained access to resources in order to achieve regulatory compliance, while still allowing flexibility for the user’s manager to fine-tune the user’s access rights. With this approach, there is no need to define a new Business Role for each permutation of access needs in the enterprise—a problem known as role explosion.

Resources and Resource Groups

Identity Manager stores information about how to connect to a resource or system. Resources to which Identity Manager provides access include:

There are two ways to assign resources to users. A resource can be assigned to a user directly (this is known as a individual or direct assignment), or a resource can be assigned to a role, which is then assigned to a user (this is a role-based or indirect assignment).

A related Identity Manager object, a resource group, can be assigned to user accounts in the same way resources are assigned. Resource groups correlate resources so that you can create accounts on resources in a specific order. Also, they simplify the process of assigning multiple resources to user accounts.

Organizations and Virtual Organizations

Organizations are Identity Manager containers used to enable administrative delegation. They define the scope of entities that an Identity Manager administrator controls or manages.

Organizations can also represent direct links into directory-based resources. These are called virtual organizations. Virtual organizations allow direct management of resource data without loading information into the Identity Manager repository. By mirroring an existing directory structure and membership through a virtual organization, Identity Manager eliminates duplicate and time-consuming setup tasks.

Organizations that contain other organizations are parent organizations. You can create organizations in a flat structure or arrange them in a hierarchy. The hierarchy can represent departments, geographical areas, or other logical divisions by which you manage user accounts.

Directory Junctions

A directory junction is a hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. A directory resource is one that employs a hierarchical namespace through the use of hierarchical containers. Examples of directory resources include LDAP servers and Windows Active Directory resources.

Each organization in a directory junction is a virtual organization. The top-most virtual organization in a directory junction is a mirror of the container representing the base context defined in the resource. The remaining virtual organizations in a directory junction are direct or indirect children of the top virtual organization, and also mirror one of the directory resource containers that are children of the defined resource’s base context container.

You can make Identity Manager users members of, and available to, a virtual organization in the same way as an organization.

Capabilities

Each user can be assigned capabilities, or groups of rights, to enable him to perform administrative actions through Identity Manager. Capabilities allow the administrative user to perform certain tasks in the system and act on Identity Manager objects.

Typically, you assign capabilities according to specific job responsibilities, such as password resets or account approvals. By assigning capabilities and rights to individual users, you create a hierarchical administrative structure that provides targeted access and privileges without compromising data protection.

Identity Manager provides a set of default capabilities for common administrative functions. Capabilities meeting your specific needs can also be created and assigned.

Admin Roles

Identity Manager admin roles enable you to define a unique set of capabilities for each set of organizations that are managed by an administrative user. An admin role is assigned capabilities and controlled organizations, which can then be assigned to an administrative user.

Capabilities and controlled organizations can be assigned directly to an admin role. They also can be assigned indirectly (dynamically) each time the administrative user logs in to Identity Manager. Identity Manager rules control dynamic assignment.

Policies

Policies set limitations for Identity Manager users by establishing constraints for account ID, login, and password characteristics. Identity system account policies establish user, password, and authentication policy options and constraints. Resource password and account ID policies set length rules, character type rules, and allowed words and attribute values. A dictionary policy enables Identity Auditor to check passwords against a word database to ensure protection from simple dictionary attacks.

Audit Policies

Distinct from other system policies, an audit policy defines a policy violation for a group of users of a specific resource. Audit policies establish one or more rules by which users are evaluated for compliance violations. These rules depend on conditions based on one or more attributes defined by a resource. When the system scans a user, it uses the criteria defined in the audit policies assigned to that user to determine whether compliance violations have occurred.

Object Relationships

Table 1-1 provides a quick glance at Identity Manager objects and their relationships.

Table 1-1 Identity Manager Object Relationships (Page 1 of 3)
Identity Manager Object	What is it?	Where does it fit?
User account	An account on Identity Manager and on one or more resources. User data may be loaded into Identity Manager from resources. A special class of users, Identity Manager administrators, have extended privileges	Role Generally, each user account is assigned one or more roles. Organization User accounts are arranged in a hierarchy as part of an organization. Identity Manager administrators additionally manage organizations. Resource Individual resources can be assigned to user accounts. Capability Administrators are assigned capabilities for the organizations they manage.
Role	Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Application, and IT Roles group resources into groups so that resources can be assigned to users by way of Business Roles. Role-based resource assignments simplify resource management in large organizations.	Resource and resource group Resources and resource groups are assigned to Asset, Application, and IT Roles. User account User accounts with similar characteristics are assigned to Business Roles. Asset, Application, and IT Roles Asset, Application, and IT Roles are assigned to Business Roles.
Resource	Stores information about a system, application, or other resource on which accounts are managed.	Role Resources are assigned to Application and IT Roles, which are in turn assigned to Business Roles. A user account loosely “inherits” resource access from its Business Role assignments. User account Resources can be individually assigned to user accounts.
Resource Group	Ordered group of resources.	Role Resource groups are assigned to roles; a user account “inherits” resource access from its Business Role assignments. User account Resource groups can be directly assigned to user accounts.
Organization	Defines the scope of entities managed by an administrator; hierarchical.	Resource Administrators in a given organization may have access to some or all resources. Administrator Organizations are managed (controlled) by users with administrative privileges. Administrators may manage one or more organizations. Administrative privileges in a given organization cascade to its child organizations. User account Each user account can be assigned to an Identity Manager organization and one or more directory organizations.
Directory junction	Hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers.	Organization Each organization in a directory junction is a virtual organization.
Admin role	Defines a unique set of capabilities for each set of organizations assigned to an administrator.	Administrator Admin roles are assigned to administrators. Capabilities and organizations Capabilities and organizations are assigned, directly or indirectly (dynamically) to admin roles.
Capability	Defines a group of system rights.	Administrator Capabilities are assigned to administrators.
Policy	Sets password and authentication limits.	User account Policies are assigned to user accounts. Organization Policies are assigned to or inherited by organizations.
Audit policy	Sets rules by which users are evaluated for compliance violations.	User account Audit policies are assigned to user accounts. Organization Audit policies are assigned to organizations.

Previous Contents Index Next
Sun[TM] Identity Manager 8.0 Administration