Oracle Identity and Access Management
Objective:

In this article we will try to understand why there is a need for OIM.

Identity Management:
An Identity Management system is required in a company for:
1) Managing users, organizations, roles and resources: OIM is a web-based, centralised application used as a provisioning solution. In an organization you may have many resources such as Linux machines, Active Directory, web applications, Siebel, etc. OIM is used to create accounts on them and also to manage those accounts on the various resources through centralized control. Roles are groups of users who perform similar job functions within the enterprise. For example, for managers, I will make all the managers members of the same role. So roles typically represent a group of users with common access.

2) Manage authentication and authorization: Authentication provides a way of identifying a user, typically by having the user enter a valid user name and a valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity. If an employee leaves an organization and still has access to the resources and is treated as an authorized person, it will be the biggest security breach, and it cannot be handled manually in an organization that has 10000 or 100000 employees. OIM takes care of all these things.

3) Enforce security policies for user accounts:
Password Security:
If user authentication is managed by the database, then security administrators should develop a password security policy to maintain database access security. For example, database users should be required to change their passwords at regular intervals and, of course, when their passwords are revealed to others. By forcing a user to modify passwords in such situations, unauthorized database access can be reduced.
Privilege Management:
Security administrators should consider issues related to privilege management for all types of users. For example, in a database with many user names, it may be beneficial to use roles (named groups of related privileges that you grant to users or other roles) to manage the privileges available to users. Alternatively, in a database with a handful of user names, it may be easier to grant privileges explicitly to users and avoid the use of roles.

End-User Security:
Security administrators must define a policy for end-user security. If a database has many users, then the security administrator can decide which groups of users can be categorized into user groups, and then create user roles for these groups. The security administrator can grant the necessary privileges or application roles to each user role, and assign the user roles to the users. To account for exceptions, the security administrator must also decide what privileges must be explicitly granted to individual users. OIM is the best implementation for an enterprise to enforce security policies.
4) Providing auditing, logging and attestation processes.
Attestation is a mandatory process which has to be performed periodically.
5) Information flow between various resources to keep them in sync.

From the above screen shot we can see that AD is one of the target resources. OIM can interact with it and provision and de-provision users in AD. Internally, AD can be used as the user store for many applications; it could be a banking application, accounts payable, general ledger, etc. All these applications use AD as the user store.

OIM is capable of managing the access on resources and managing the identity life cycle across all the resources. There will be one user in OIM, which will be mapped to various resources. A user means OIM access, and an account is access to a target resource. The ROI is that, suppose I forget the password for any of my accounts, I can log in to OIM and reset the password for all my accounts. The conflicting business drivers, improved quality of service and reduced costs, make you implement OIM within the enterprise.

Business Drivers:

OIM also allows open access to business partners and even minimizes security risk, by allowing the business partners to view only the required information instead of accessing the complete details of the enterprise. The Sarbanes-Oxley act is meant for protecting investors against accounting fraud. An organization should be compliant with this Sarbanes-Oxley regulatory act.
For example, in public sector companies there could be many investors, and the company CEO should not see the investors. A public sector organization will be audited periodically to check whether the organization is compliant with these regulatory acts or not. To get some of the ISO standards this act is mandatory, and it is strictly followed in many countries like the UK, Australia, etc. For example, if you consider a loan department, there should be three different users: the person who accepts the loan application, the person who approves the loan, and the person who verifies the loan. These three users must be different, i.e. only one of them should have access to accept the loan application when he logs in, and not to approve the loan. Similarly, the next user should only be able to verify the loan application, and so on. If a single person is doing all three tasks he can introduce some fake applications, then accept, approve and verify them, which can incur a huge loss to the bank. Similarly, the same person should not have access to both accounts payable and accounts receivable. If the person has access to accounts payable and the same person tries requesting accounts receivable, OIM rejects the request, saying that it is a segregation of duties conflict. So you can define these rules and implement them using OIM. The auditor will come and check whether your organization is compliant with this regulatory act, and not only this act but other acts too, like the Gramm-Leach-Bliley Act, the Health Information Portability Accountability Act and the European Data Protection Directive. So to make your organization compliant with all these acts you need to implement OIM. When auditors visit they will ask for certain reports like the user access report, compliance reports, role reports, etc., and keeping track of all these reports manually is not possible. So with the help of OIM you can extract all the required reports from the repository and present them to the auditors.

Now we will take another scenario. Suppose we have an organization of 1000 users accessing the enterprise applications. We can use a database in this case to store the user credentials. But if the business grows and the users number 10 million, in this case we cannot use a database; it fails. For example, Gmail may have millions or billions of users, and if we used a database to authenticate users it would have to scan millions of records, which would take 5 to 10 minutes to authenticate a user, which is not feasible. A database is meant for CRUD operations (create, retrieve, update, delete). When the users are in the millions we cannot use a database to store the user identity. In the IT world they have come up with something called Directory Servers to store the user identity; these are well tuned for high-speed retrieval, whereas CRUD operations on them are slower. Directory servers are used when the number of users is large. There may be 10 applications in your enterprise, and all 10 applications will use the Directory Server to store the credentials and other information too. In Oracle, for Directory Servers we have Oracle Internet Directory (OID), Oracle Unified Directory (OUD) and Oracle Directory Server Enterprise Edition (ODSEE). OID has some performance issues and the infrastructure required for OID was huge, whereas OUD (which was the OPEN LDAP product from Sun Microsystems and was later picked up by Oracle) is very lightweight, its infrastructure requirement is very minimal and its performance is high. So OUD is the strategic product from Oracle for Directory Server applications.
Similarly, IBM has Tivoli Directory Server and Microsoft has Active Directory. All these servers use LDAP as the standard protocol to access the directory service. For accessing the banking application, the credentials are stored in AD.
Business partners may have access to various resources; they may request Call Centre, Help Desk, etc., as shown below.
This is the scenario when there is no Identity Management solution: it is very difficult to manage the resource access. But if you have an Identity Management solution such as OIM, no admin will create an account on a resource directly; all account creation will have to go through OIM, i.e. the standard practice that has to be followed once OIM is implemented. So business partners can log in to OIM, or they can send an email and then administrators will create a request for the resource on their behalf. After this there will be one approving manager who will approve the request, and only then will the access be granted. So the whole account creation process happens through Identity Manager. Former employees will not have access to anything, because the administrator will log in to OIM and delete the user, and if you delete the user all of the resource access is also deleted.
With the help of auto-provisioning, 100s of user requests at a time can be handled smoothly with OIM. Mandatory resources are provisioned automatically. Later the user himself has the option to request any other ad hoc resources.
Since Microsoft applications are not directly compatible with Java, you require a Connector Server for ADS; only then can OIM provision accounts for Active Directory Services (ADS). If it is any other Directory Server it is agentless. For mainframes the connector uses the 3720 protocol, if it is a web application it uses the SOAP/XML-RPC protocol, if it is Unix/Linux it uses the SSH protocol, and so on. Java knowledge is required to develop the connectors. There are adapter/generator utilities that generate Java classes. Skeleton code will be generated and you need to write the logic within it.
In the above screen shot the OIM user is Joe Smith and he has access to three resources. You can see that all the account IDs (Jsmith, j145183, smitty) are different. OIM links all the accounts with the user Joe Smith. When you provision this user to one of the accounts it asks for a user name; if you give one it will take that, otherwise it will keep it as Joe Smith itself.
The OIM repository keeps all those records.
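The segregation-of-duties rule from the Business Drivers section (accounts payable versus accounts receivable, the three loan roles) and the account linking described for Joe Smith above, worked through as an added example; this is illustrative code written for this article, not OIM's API, and the identity, resource names and rule table are constructed assumptions.

```python
from dataclasses import dataclass, field

# Segregation-of-duties rules: pairs of resources one identity may not hold
# at the same time. Resource names are constructed for this example.
SOD_CONFLICTS = {
    frozenset({"AccountsPayable", "AccountsReceivable"}),
    frozenset({"LoanAccept", "LoanApprove"}),
    frozenset({"LoanAccept", "LoanVerify"}),
    frozenset({"LoanApprove", "LoanVerify"}),
}


@dataclass
class Identity:
    """One OIM-style user, linked to accounts that carry their own IDs."""
    name: str
    accounts: dict = field(default_factory=dict)  # resource -> account id


def sod_violation(identity, resource):
    """Return the already-held resource that conflicts with `resource`, or None."""
    for held in identity.accounts:
        if frozenset({held, resource}) in SOD_CONFLICTS:
            return held
    return None


def request_access(identity, resource, account_id=None):
    """Provision an account unless an SoD rule rejects the request.
    Returns (granted, reason). With no explicit account id the target
    account is named after the user, as the article describes."""
    conflict = sod_violation(identity, resource)
    if conflict:
        return False, f"SoD conflict: {resource} conflicts with {conflict}"
    identity.accounts[resource] = account_id or identity.name
    return True, f"provisioned {resource} as {identity.accounts[resource]}"


def delete_user(identity):
    """Deleting the user deprovisions every linked account; returns what was removed."""
    removed = sorted(identity.accounts.items())
    identity.accounts.clear()
    return removed


if __name__ == "__main__":
    joe = Identity("Joe Smith")
    joe.accounts = {"AD": "Jsmith", "Mainframe": "j145183", "Unix": "smitty"}
    print(request_access(joe, "AccountsPayable", "jsmith_ap"))
    print(request_access(joe, "AccountsReceivable"))  # rejected by the SoD rule
    print(delete_user(joe))
```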
Kashif Baksh
