To learn more about Directory Concepts and how we can help your organisation please contact a...

To learn more about Directory Concepts and how we can help your organisation

please contact a Directory Concepts relationship manager near you:

Sydney +61 2 9904 3430Melbourne +61 3 9804 8500Brisbane +61 7 3369 3500Wellington +64 4 460 5273

National Support: 1300 366 946 or [email protected]

Using an organisation’s identity information to enable

TRIM

Agenda

• Introduction• Identity Lifecycle Management• Integrating TRIM

Who are Directory Concepts?

• Offices Brisbane, Sydney, Melbourne and Wellington

• 6o+ technical staff across these locations• 10 years speciality in identity driven

solutions• Platinum partner status with Novell• Technical staff are recognised in the

industry as maintaining the deepest identity specialty skill set in the Asia Pacific region

• Consult and support to government on identity and access management across the region

DC Offerings

Consulting Services

ArchitectureConsultancyBusiness analysisDesignProject management

Professional Services

Project build and deployPost project supportSpecialty managed services

24 x 7 helpdesk servicesContract onsite services

Introductions

• My background?─ Software Development (corporate and startup)

─ Experience in Education, Financial and Government sectors

─ Head of Development Vertical at Directory Concepts

Information Management (IM)

Documents IdentitiesIdentity

Management(IDM)

Identity Lifecycle Management

• What does it promise?─ Automation of the process to manage access rights from the day a user is hired until the day they leave the organisation

─ Consistent and accurate information and access rights across all connected systems

• So what is it?

Identity Lifecycle Management

Key Elements of Identity Management

• Identity Integration• Roles management • Integrated workflows and provisioning

policies • Self Service

Business Issue: Your Enterprise has many Identity Stores

Human Resources

Network/NOSDirectory

Email

Enterprise Application

PBX

Identity Stores

Many of your Enterprise’s applications own a piece of the User's Identity.• This Identity data can be expensive to

maintain.• The Data may not be shared by everyone

who needs it.• This Data may not be accurate, consistent

or kept up to date.

Novell's Solution:Create a Central Identity Vault

Human Resources


Email


PBX

Identity Stores

Identity Isolation problems can be solved by creating an Identity Vault.• A location for centralized

identity management• Many applications share the same

identity data and authentication and authorization functionality

• Lays foundation for access control

• Provides basis for role-based personalization based on rights

Identity Vault

The Solution:Advanced Identity Synchronization

Human Resources


Email


PBX

Identity Stores

In order to aggregate this identity data into the Identity Vault we utilize Identity Synchronization technology.• This allows you to utilize data

owned by many systems to create a single rich identity

• It allows for distributed ownership of portions of an identity, while allowing a single, centralized identity that can be leveraged by a myriad of systems.

Identity Vault

Distributed Ownership of Dataa centralized view

Help Desk System

E-Mail System

File & Print

PBX

HR System

Identity Vault

Email Address

First NameLast NameEmployee IDAddressLocation

Phone Number

Network Address

First NameLast NameLocation

Email AddressFirst NameLast Name

First NameLast NameLocation

First NameLast NameEmployee IDLocation

User ID

Novell IDM Application Coverage

Roles Management

• Maps Business Roles to IT Entitlements• Assign users to Roles based on business

policies and an exception approval process

Novell Solution:Roles Based Provisioning Module

• Role represents business function/position• Business and user centric (authorisation

workflows)• Assign resources to roles and then assign

the roles to the users or groups or organisational units (Inheritance)

• Delegation• Separation of duties

Novell Identity Manager Roles Based Provisioning Module

20

Integrated Roles Management & Workflow

Novell Solution:Automated Provisioning

Human Resources


Email


Financial Application

Identity Stores

In order to give user's access to the resources they need we utilize dynamic provisioning capabilities.• This allows Identity Manager

to capture events that occur in an authoritative system such as an HR system

• The Identity Management system provisions user in realtime based on policies

Identity Vault

Policies

HR Personnel

Novell Solution:Workflow Based Provisioning

Human Resources


Email



Identity Stores

In situations where access to resources should require approval, a user facing provisioning environment is created.• Users only see the

resources that they can request based on their Identity

• Policies determine who should approve access to the resource

Identity Vault

Policies

UserApplication

User

User'sManager

Novell Solution:Workflow Based Provisioning

Human Resources


Email



Identity Stores

• The Manager can access the Provisioning User Application. Here the manager can deny or approve the request

• Access is Granted immediately

Identity Vault

Policies

UserApplication

User

User'sManager

Workflows - simple

Workflow Features

• Highly flexible─ Can be as simple or complex as desired

• Time-outs and escalation• Third-party integration (SOAP/Web Services)

─ Generate service desk tickets• Can be user initiated or automatically

initiated• Customisable forms

Business Process Automation

End Users: typical issues

• Unfavourable user experience─ Required to call service desk─ “I have too many passwords”

• Service desk over-utilisation─ Password resets─ Simple requests (file access etc.)

• Security─ Users creating their own credential store

• Lost productivity

Case Study

• Organisation with 2000 users─ 3592 password resets (forgotten/expired)─ 1162 requests for additional access

• 3592 password resets pa─ Gartner: ~25AUD (22USD) for each password reset

─ 3592 x 25 = $89,800* pa• 1162 file access requests pa

─ ~15 minutes to complete each request─ 1162 x 15 = 17430 minutes = 290 hrs = 36 days

* Does not account for lost productivity

User Application

• Web-based interface to display and allow users to view and manage identity data in the identity vault.

– Organization Charts

– White Pages

– Profile management

– Password management

Novell® Identity Manager

Novell Identity Manager delivers:• User Provisioning• Roles Based Access Control• Identity Integration• Password Management• Delegated Administration/Self Service• Automated workflows (both data driven and approval driven)

Databases

GroupWise

PeopleSoft

LDAP Directories

Mainframes

Windows Server

BMC Remedy

Notes

Avaya PBX

Administermy resourcesor workgroup

Search / browseusers or resources

Requestaccess toresources

Recover forgottenpassword

Self-administration

Approved

Identity and provisioningenvironment

Identity Vault

Identity Manager

•Reach global customers

•Tighter supplier relationships

•More productive partnerships

•Consistent security policy

•Immediate system-wide access updates

•Consistent identity data

•Automated risk mitigation

•Enterprise SoD

•Eliminate redundant administration tasks

•Reduce helpdesk burden

•Fast employee ramp-up

•User self service

•Focused, personalized content

•Delegated Administration

•Comprehensive profile view

•Password management

Identity Management

•SOD requirements

•Role-based access

•Least privilege access

•Real-time visibility and disclosure

•Basic compliance reporting

Business Facilitation

Governance &

Security

Increased Productivity &

Cost Reduction

Regulatory Complianc

e

Increase Service Level

Allow the enterprise to address Pain Points and business initiatives from the IT Manager to the CxO

Integration with HP TRIM

• Connecting• Translating• Access Control

Connecting• User Lifecycle Integration

─ Indirect• Database Staging Table

─ Direct• Web Services via SOAP Connector

– Stateless• Custom IDM Connector

– “Stateful”– Bi-directional

Translating• Mapping LDAP Classes to TRIM Locations

Class LocationUser Person

Group Group/Project Team/Workgroup

Organizational Unit Organization

Managing Locations

• Create, Update and Delete─ Persons─ Workgroups─ Organisational Units

Access Control

• Some Options─ Minimal rights initially, manually adjusted by TRIM administrator

─ Based on Org Unit, Group membership, other identity attribute

─ Configurable via On-Boarding application

Case Study

• Government Department in Victoria• Involves multiple systems• Simple workflow via email• ‘Best guess’ for access based on Org Unit

then modified/approved by TRIM administrator

OBA

Meta

1

1. Create new user request2. User created, basic services activated3. For eligible users, email sent to requestor, link to TRIM form4. Form completed by requestor, TRIM location(s) confirmed, submitted to Web App5. Web App queries DMC re TRIM client installation, emails ARS Remedy if required6. Enquiry User account created in TRIM7. User added to TRIM mailing lists in Notes

3

Web App

Requestor

4

2

DMC

6

7

5a

5b

Conclusion

• IDM integrated with TRIM can

─ Reduce the cost of managing user and access management

─ Provide timely and secure access to services like TRIM

─ Increase business leaders trust in IT, in regard to compliance

─ Reduce the risk of human error

─ Strengthen security without raising costs or diminishing productivity

Questions?

Directory Concepts

• Come and visit us if you have any further questions or would like more information on Identity Management

To learn more about Directory Concepts and how we can help your organisation please contact a...

Documents

Transcript of To learn more about Directory Concepts and how we can help your organisation please contact a...