1 Oracle Identity Analytics Overview

This chapter contains the following sections:

  • Section 1.1, "Introducing the Role-Based Access Control Model"

  • Section 1.2, "Understanding Oracle Identity Analytics Benefits"

  • Section 1.3, "Understanding the Oracle Identity Analytics Model"

  • Section 1.4, "Understanding Oracle Identity Analytics Components and Terminology"

1.1 Introducing the Role-Based Access Control Model

With the enactment of strict compliance-related legislation, like the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley (GLB) Act, it has become imperative for companies to secure their information and exercise control over access to mission-critical applications within the organization. Oracle understands that organizations today need a strong governance environment around access control. To establish strong governance, a robust framework around access control is necessary. This can be attained using the Role-Based Access Control (RBAC) framework and an enterprise-wide role definition effort.

Role-based access control (RBAC) limits access to system applications to only authorized users within an organization. The model simplifies identity and access control compliance by managing access based on a user's roles within a company, not on an individual, user-by-user basis. Roles are created based on usage and enterprise policies. For example, new employees need access to certain system applications in order to perform their job responsibilities. Using the RBAC model, the new employees can be assigned to existing roles, which automatically give them access to the necessary set of system applications. Business managers are required to check and certify or revoke access to system applications on a regular basis.

1.2 Understanding Oracle Identity Analytics Benefits

Oracle Identity Analytics software addresses all aspects of role-based access control. The software allows organizations to streamline the access-control process, simplify attestation, and enhance audit effectiveness, thereby resulting in secure and robust role management.

Oracle Identity Analytics enables you to accomplish the following tasks:

  • Simplify the assignment and management of user access

  • Create and manage roles rather than users

  • Achieve compliance by way of access certifications and segregation of duties (SoD)

  • Align business and IT processes with a common terminology for IT access permissions

  • Ensure an ongoing understanding of access: who has it, who approved it, and what access violations exist

  • Reduce the risk of security violations and access control-related deficiencies

  • Manage the role lifecycle through the use of workflows, versioning, consolidation, history, and ownership

  • Provide complete rule lifecycle management to effectively manage the rapid on-boarding and off-boarding of users

1.3 Understanding the Oracle Identity Analytics Model

Oracle Identity Analytics is organized into the following modules: Identity Warehouse, Identity Certification, Role Engineering and Management, and Identity Auditing.

1.3.1 Identity Warehouse

The Identity Warehouse is a central repository that contains data on user entitlements. This data is imported from one or more databases within your organization on a scheduled basis. The Oracle Identity Analytics import engine supports complex entitlement feeds saved as either text or XML files. Extract, Transform, and Load (ETL) processing capabilities are also available. Imported data is then correlated or mapped to various roles during the certification phase. A glossary description of each entitlement is also captured during the import process.

1.3.2 Identity Certification

Managing and auditing enterprise-wide attestations is a major challenge for companies with a large number of employees. Because individual users may have access to a multitude of platforms, systems, and applications, organizations need an easy-to-use tool that managers can use to review user entitlements on a regular basis. Moreover, federal regulations require time-based certifications, granular entitlements, and so on.

The Oracle Identity Analytics identity certification module allows managers to collect, manage, monitor, and distribute user entitlements. Managers can easily communicate with IT administrators to monitor, authorize, add, or revoke application access as job functions and requirements change. In addition, certifications can be scheduled according to the compliance requirements that apply to the entitlements being certified.

The identity certification module can perform four types of certifications:

  • User Entitlement Certification. Allows managers to certify employee access to roles and other related entitlements.

  • Role Entitlement Certification. Allows role owners to certify roles and role content.

  • Resource Entitlement Certification. Allows resource owners to certify user access to resources.

  • Data Owner Certification. Allows data owners to certify users.

Each certification addresses different audience types and ensures stringency at every step of the access management process.

1.3.3 Role Engineering and Management

Role-based access control is one of the most complex and challenging efforts carried out in security administration. RBAC restricts access to systems to authorized users by using predefined and approved roles. Within an organization, roles are seldom stationary. In a dynamic business environment, role management is also in a constant state of flux. New roles need to be created, while old ones need to be upgraded or managed on a regular basis.

Oracle Identity Analytics offers an end-to-end solution to define roles based on existing user entitlements. Roles can also be generated using the software's role mining module. The Oracle Identity Analytics role mining interface uses sophisticated algorithms to create new roles based on user entitlements, and cuts the role definition time by about fifty percent. Multiple rules and a combination of attributes (such as job codes, department, and location) can be used to assign role-based access to new and existing users.

The Oracle Identity Analytics software is a good alternative to manual access control methodologies because its framework facilitates easy management of users and their access to roles in a controlled and effective manner. Oracle Identity Analytics provides a complete set of security, workflow, and auditing features to manage the lifecycle of roles. The built-in workflow engine provides the ability to configure the workflow processes best suited to the business requirements and allows stakeholders to call external functions from the workflows. This functionality enables greater efficiencies from a role-based access control model.

1.3.4 Identity Auditing

Today, organizations need to manage continuous exception monitoring, segregation of duties (SoD) violations, detective scanning, inter- and intra-application SoD enforcement, actual versus assigned access exceptions, exception lifecycle management, and so on. Organizations also tend to have numerous exceptions related to the access users have to target systems.

Close monitoring is an integral part of Oracle Identity Analytics. The identity auditing module has a detective mechanism that monitors users' actual access to resources and captures any violations on a continuous basis. The software can also be programmed to conform to audit policies and to report exceptions. It provides a summary of all exceptions, which helps security analysts, executives, or auditors accept or mitigate the exceptions.

Figure 1-1 Oracle Identity Auditing Dashboard


1.4 Understanding Oracle Identity Analytics Components and Terminology

This section introduces Oracle Identity Analytics components and defines terminology that you need to know in order to be successful with the software.

1.4.1 Understanding Users

A user is defined as a discrete, identifiable entity that has a business need to access or modify enterprise information assets. Typically a user is an individual, but a user can also be a program, a process, or a piece of computer hardware.

Users are associated with business structures in various ways. A user can be assigned to several business structures based on access level and other details within an organization. A business user has a manager or an application approver who is tasked with carrying out various user- and role-management functions on the user.

1.4.2 Understanding Resources and Resource Types

Resources are the applications and enterprise information assets that users need to do their jobs. In Oracle Identity Analytics, a resource is an instance of a resource type, which is a grouping of like resources. A resource type defines metadata common to all resources of that type. For example, a resource type of "Oracle DBMS" might define entitlements (that is, attribute values of Oracle database accounts) that are common to all database instances. Each resource of that type represents a specific database instance to which a user might have access.

Common resource types include platforms (Windows 2000, UNIX®, Mainframe) or business applications (such as billing and accounts payable applications). Each resource has an owner who handles the various operations on the resource, such as reviewing user entitlements. The user entitlements are collected from the different resources and stored in a central repository.

Note:

In older releases, the term endpoint was used to denote a resource, while the term namespace was used to denote a resource type.

1.4.3 Understanding Business Structures

A business structure in Oracle Identity Analytics is defined as a department or sub-department within an organization. An organization can be segregated into as many business structures, with as many levels of hierarchy, as are required to represent the teams and sub-teams within the organization. There is no limit to the number of users that can be assigned to a business structure. All operations in Oracle Identity Analytics, such as identity auditing and identity certification, are performed on the basis of a business structure.

1.4.4 Understanding the User Store

The user store is the central platform, database, or directory where user records are stored. Commonly used user stores include Active Directory, Exchange, ORACLE, SAP, UNIX, and RDBMS tables.

Initially, an organization in Oracle Identity Analytics is populated with users using a feed from an HR system. The HR system is used to create all the global identities in Oracle Identity Analytics. Alternatively, the global identities can be created from a provisioning system such as Oracle Waveset (Sun Identity Manager).

The entitlements from the various applications are stored in a centralized user store in Oracle Identity Analytics. The user store can be a relational database that handles the various user entitlements. Once the entitlements are in the user store, the role engineering and management, identity certification, and identity auditing pieces can be carried out on them.

A user is a global identity to which various accounts are associated. A user can have multiple accounts, but all of the accounts are associated with a single global identity in Oracle Identity Analytics. This global identity is defined under the Users View, which shows the entire list of users that belong to the organization.

A naming convention for all users needs to be established. A common naming convention is a combination of a user's name in lowercase letters and a set of numbers. For example, John Smith's user name might be josmit01. User names must be unique.

1.4.5 Understanding Roles

A role represents a job function. Roles contain policies that describe the access that individuals have on a directory. Roles represent unique job functions performed by users in the domain. For example, a person can function as a manager, a developer, and a trainer. In this case, there are three roles that represent each job function because each requires different privileges and access to different resources.

Roles give you the flexibility and power to enforce enterprise standards, so that you can do the following:

  • Manage users who perform the same tasks the same way no matter where they are located in the enterprise.

  • Perform less work when managing users because you do not have to manually specify privileges every time a change is made to a person's job function.

A role can be embedded inside another role as a nested role. The role hierarchy can be defined to any level required in an organization.

1.4.6 Understanding Policies

Policies define the account attributes and privileges that users have on different platforms or applications. In Oracle Identity Analytics (OIA), a policy represents a specific privilege on a specific data resource. Policies are assigned to roles, and roles are assigned to users. Policies provide consistent directory permissions and user rights across and within the organization for all of the users in a role.

1.4.7 Understanding Orphan Accounts

An orphan account is an account that is no longer associated with any user entry. (The user may have left the organization or shifted departments, but the account was not deactivated when the user left or moved.)
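The terminology of Sections 1.4.5 through 1.4.7 (roles, nested roles, policies, global identities with several accounts, orphan accounts) and the actual-versus-assigned exception scan described in Section 1.3.4, as an added Python example; this is not Oracle Identity Analytics code, and every role name, resource name, account ID and privilege in it is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:                # a specific privilege on a specific resource
    resource: str
    privilege: str

@dataclass
class Role:                  # a job function; may nest other roles
    name: str
    policies: frozenset = frozenset()
    nested: tuple = ()

@dataclass
class Account:               # an account on a resource, correlated to a user or not
    account_id: str
    resource: str
    privileges: frozenset    # entitlements actually held on the resource
    user: Optional[str] = None   # global identity; None means the account is orphaned

def effective_policies(role, seen=None):
    """Flatten a nested role hierarchy into the full set of policies it grants."""
    seen = set() if seen is None else seen
    if role.name in seen:    # tolerate an accidental cycle in the hierarchy
        return set()
    seen.add(role.name)
    out = set(role.policies)
    for child in role.nested:
        out |= effective_policies(child, seen)
    return out

def audit(accounts, user_roles):
    """Detective scan: actual access not granted by any assigned role, plus orphan accounts."""
    assigned = {u: set().union(*(effective_policies(r) for r in roles))
                for u, roles in user_roles.items()}
    orphans = sorted(a.account_id for a in accounts if a.user is None)
    exceptions = [(a.user, a.account_id, a.resource, p)
                  for a in accounts if a.user is not None
                  for p in sorted(a.privileges)
                  if Policy(a.resource, p) not in assigned.get(a.user, set())]
    return orphans, exceptions

# Constructed sample data, not taken from any real deployment.
DB_READER = Role("DB Reader", frozenset({Policy("FIN-DB01", "SELECT")}))
DEVELOPER = Role("Developer", frozenset({Policy("GIT", "push")}), nested=(DB_READER,))
USER_ROLES = {"josmit01": [DEVELOPER]}
ACCOUNTS = [
    Account("jsmith", "FIN-DB01", frozenset({"SELECT", "DROP"}), user="josmit01"),
    Account("josmith", "GIT", frozenset({"push"}), user="josmit01"),
    Account("tmpadmin", "FIN-DB01", frozenset({"DBA"})),   # never correlated to a user
]
```

Running `audit(ACCOUNTS, USER_ROLES)` reports `tmpadmin` as an orphan account and flags the `DROP` privilege on `FIN-DB01` as actual access that no assigned role explains, while `SELECT`, inherited through the nested DB Reader role, is accepted.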