
    A Bull Evidian White Paper

    Authorization management workflow

    By Jean-Louis Glas

    Version 1.0

    May 2006

    Summary: ACME uses workflow to manage identities and authorizations. The solution implemented at ACME. Speeding up and making identity management more reliable.

    Workflow-based identity and access management

    © 2006 Evidian

    The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication.

    This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

    We acknowledge the rights of the proprietors of trademarks mentioned in this book.

  • 39 A2 60LT Rev00 3

    Authorization management workflow

    Contents

    ACME uses workflow to manage identities and authorizations ..... 4
      A single, centralized identity-management directory ..... 5
      Administration fully based on a web interface ..... 5
      The 3 major events in an employee's "lifecycle" ..... 6
      Scenario 1: Recruiting a new employee ..... 7
      Scenario 2: A change in an employee's function ..... 9
      Scenario 3: Departure of an employee ..... 10
    The solution implemented at ACME ..... 12
      The main functions of a workflow ..... 13
      Providing connection information (login and password) ..... 19
      Departure of an employee ..... 20
      Measuring the return on investment ..... 22
    Speeding up and making identity management more reliable ..... 23


    ACME uses workflow to manage identities and authorizations

    ACME has set up a corporate directory for the management of its human resources. This computer tool is used by the Human Resources Department to manage the organization's employees.

    However, as of last year, certain tasks were still being performed manually on paper.

    For example, paper forms were still being used to update the application-access rights of newly recruited employees, promoted employees, or employees leaving the company.

    In fact, this led to the creation or modification of user access rights for various computer resources, such as accounting or messaging applications. These rights were generally based on function (accountant, computer technician, etc.) or hierarchical position (director, system manager, etc.).

    These rights were updated manually, upon reception of the paper forms, for all the systems to which the user needed access. It could take several days to enter the information into the corporate directory and to update user rights. Furthermore, the paper process was not controlled, and the departure of some employees was not recorded.

    Therefore, because of the costs of this poor quality of service and the security risks inherent in information-system access, the company's management asked the IT Department to reduce implementation time and make these operations more reliable.


    A single, centralized identity-management directory

    The IT Department has thus implemented a solution that updates user accounts from the information contained in the corporate directory. This solution manages an employee's application-access rights:

    - based on his/her job attributes,
    - automatically, without increasing the IT teams' workload,
    - according to an access-security policy fully negotiated and formalized between the IT Department and the user departments.

    Employee identities and the associated attributes are now managed from a single point and trigger all the associated provisioning (1) operations.

    Administration fully based on a web interface

    All the administrative, identity and authorization management functions in the corporate directory are performed from a user-friendly web interface.

    This interface is accessible not only to administrators but also to the end-user, who can view his/her existing authorizations and, if necessary and depending on the security rules, request new ones. This request follows an approval cycle, configurable according to the level of validation (line manager, application manager, IS security manager, etc.), with (permanent or temporary) delegation of administration rights. The parties concerned are notified by e-mail about the processing of their request.

    Thanks to this flexibility, unplanned situations are easy to handle within the standard process and the system can respond immediately to any identified threat.

    (1) A provisioning operation is an operation that creates, modifies or deletes user accounts on the target applications and systems.


    The 3 major events in an employee's "lifecycle" (2)

    There are 3 main reasons for updating an employee's application accounts:

    1. Recruitment

    2. Change of function, promotion, or change of organization

    3. Departure from the company.

    If you also take the IT user's point of view into account, you have to add all the helpdesk operations and requests related to lost passwords.

    These events constituted a heavy workload for the IT teams. In fact, they concerned just one employee each time but generated a lot of specific account management tasks and occurred randomly and unexpectedly.

    Automating them was, therefore, a big challenge for the IT Department.

    (2) A user's lifecycle: within the context of an identity and access management project, the expression "lifecycle" corresponds to the different stages in the management of a user's identity and rights within the Information System.


    We will now look at the scenarios associated with each of the events in an employee's "lifecycle"...

    Scenario 1: Recruiting a new employee

    George Martin has now joined the company.

    When a new employee is recruited, one of the first things to do is to register him/her in the corporate directory.

    After validating the various screens used to enter the new recruit's details, the HRM creates the record in the corporate directory.

    Figure 1. Registering a new recruit, George Martin

    His function entitles him to an account in the Active Directory resources directory and an Oracle (accounting applications) account.

    Previously, the accounts and associated rights creation request had to be submitted in paper form to the Active Directory resources administrator and to the professional applications administrator.


    Today, thanks to the authorization management validation workflow, the following process is used:

    Figure 2. Workflow associated with the recruitment of George Martin (flowchart; step labels as they appear in the figure: Registration in the company's directory; Assignment of a job profile; Validation of the profile by management; Application of the Policy; Creating the account in the Active Directory resources directory; Creating the Oracle account; Initializing the Active Directory provisioning procedure; Initializing the Oracle provisioning procedure; Registration validation by the ISSM; Creating the identity; Creating the associated accounts. The validation and notification stages are marked "WORKFLOW".)

    The new solution implemented by the IT Department is first used to create a valid user identity then, in a second phase, to create user accounts on the target systems and applications, while respecting the control procedures for the most sensitive applications.

    After validation, George Martin's accounts are automatically created in the Active Directory resources directory and in the professional application used to manage customer accounts.

    The user's identity and all his authorizations were managed via a web interface. The process followed an approval and notification workflow that ensured compliance with security standards and request follow-up.

    Thus, George Martin can access his applications and become operational very quickly.


    Scenario 2: A change in an employee's function

    Following a general reorganization, George Martin's function in the company has changed.

    His new assignment entitles him to new Windows resources, a new role in the accounting application and to access a new application. Previously, in order to create new rights and delete the old ones, the different application administrators had to be notified on paper about the new function. These administrators then had to connect to each application system via a different administration interface. The security manager did not have a centralized view of all the user authorizations.

    Thanks to the new solution, accesses to old resources can be modified or deleted, and access rights for new resources created from a single web interface. Furthermore, this interface gives a centralized view of all the authorizations.

    The authorization management process is as follows:

    Figure 3. Workflow for George Martin's new function (flowchart; step labels as they appear in the figure: Function modification request by the user; Modification of job profile; Validation of the new profile by management; Application of the Policy; Modifying the account in the resources AD; Creating the Oracle account; Initializing the Active Directory modification procedure; Initializing the Oracle provisioning procedure; Validation of the registration by the ISSM; Modification of the identity; Modification of the associated accounts; Deleting the Oracle account associated with the old profile; Notifying the ISSM. The validation and notification stages are marked "WORKFLOW".)

    The resources associated with the Active Directory account are modified. On the other hand, the modifications in Oracle correspond to a change of job: the initial Oracle account is deleted, and a new one created and then validated by the ISSM.

    George Martin can access his work environment for his new assignment. Furthermore, all the accesses to the resources of the previous assignment are automatically deleted.


    Scenario 3: Departure of an employee

    When George Martin leaves the company, all his Information System access rights must be deleted.

    After the different screens concerning his departure have been validated, the record is deleted from the corporate directory.

    Figure 4. George Martin leaves the company

    The process associated with an employee's departure is used to delete his or her resource-access rights.

    Figure 5. George Martin leaves the company (flowchart; step labels as they appear in the figure: Report from the HRM about the user's departure; Deleting the user from the directory; Applying the Policy; Deleting the identity data; Deleting the associated accounts; Deleting the accounts associated with the old profile; Notifying the ISSM. The validation and notification stages are marked "WORKFLOW".)


    George Martin's rights must be deleted when he leaves the company. Previously, the administrators of the different systems had to be notified so they could delete his accesses manually. Unfortunately, the procedure was not applied, and user accounts remained valid until an annual account cleaning operation was performed.

    The new solution automatically suspends George Martin's application access rights, almost in real time.

    Henceforth, once an employee leaves the company, all his or her application accounts are immediately disabled (3). After a configurable period, these same accounts are deleted. Therefore, there are no so-called dormant (4) accounts any more in the systems and applications.

    (3) When an employee leaves, his/her accounts are first disabled. They are then still present in the system but are unusable. Then, after a configurable period, they are deleted. This mechanism allows traces of user accounts to be kept for a legally specified period of time, for example.

    (4) A system or application account is said to be dormant when it is not used but still present, generally because the account owner has left the company.
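The three scenarios above (recruitment, change of function, departure) reduce to one reconciliation between the corporate directory and the accounts present on the target systems. The following is an added example, not Evidian's or AccessMaster's code; the job profiles, target names ("ad", "oracle", "crm") and roles are constructed. It reproduces the behaviour the scenarios describe: an AD account is modified in place, an Oracle role change is a delete followed by a create, and a leaver's accounts are disabled at once and deleted only after a configurable retention period.

```python
"""Reconciliation engine for the joiner / mover / leaver events (added example,
not AccessMaster code). POLICY maps a job profile to the roles a user must hold
on each target system; reconcile() diffs the directory against the accounts
found on the targets and returns the provisioning actions to run."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: job profile -> {target: role}.
POLICY = {
    "accountant": {"ad": "staff", "oracle": "acct_clerk"},
    "accounting_manager": {"ad": "staff", "oracle": "acct_manager", "crm": "user"},
}
MODIFY_IN_PLACE = {"ad"}  # other targets need delete + create for a role change

@dataclass
class Account:
    target: str
    role: str
    disabled: bool = False
    delete_after: "date | None" = None  # set when the owner has left

def reconcile(directory, accounts, today, retention_days=90):
    """directory: {uid: job profile}; accounts: {uid: [Account]} as found on the
    targets. Returns (verb, uid, target, detail) tuples in execution order."""
    actions = []
    # Joiners and movers: each identity gets exactly what its profile entitles.
    for uid, profile in directory.items():
        wanted = POLICY[profile]
        have = {a.target: a for a in accounts.get(uid, [])}
        for target, role in wanted.items():
            cur = have.get(target)
            if cur is None:
                actions.append(("create", uid, target, role))
            elif cur.role != role and target in MODIFY_IN_PLACE:
                actions.append(("modify", uid, target, f"{cur.role}->{role}"))
            elif cur.role != role:
                actions.append(("delete", uid, target, cur.role))
                actions.append(("create", uid, target, role))
        for target in have.keys() - wanted.keys():
            actions.append(("delete", uid, target, "no longer entitled"))
    # Leavers: an account whose owner is gone from the directory is suspended
    # immediately (so it cannot stay dormant) and purged once retention elapses.
    for uid, accs in accounts.items():
        if uid in directory:
            continue
        for a in accs:
            if not a.disabled:
                purge = today + timedelta(days=retention_days)
                actions.append(("disable", uid, a.target, f"delete after {purge}"))
            elif a.delete_after is not None and a.delete_after <= today:
                actions.append(("delete", uid, a.target, "retention period elapsed"))
            else:
                actions.append(("retain", uid, a.target, "disabled, awaiting deletion"))
    return actions

def demo():
    """Constructed sample: George Martin promoted, one leaver not yet disabled,
    one disabled account whose retention period has elapsed."""
    directory = {"gmartin": "accounting_manager"}
    accounts = {
        "gmartin": [Account("ad", "staff"), Account("oracle", "acct_clerk")],
        "jdoe": [Account("ad", "staff")],
        "old": [Account("oracle", "acct_clerk", True, date(2006, 5, 1))],
    }
    return reconcile(directory, accounts, date(2006, 6, 1))
```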


    The solution implemented at ACME

    The solution is based on the AccessMaster software, which natively integrates (without duplication or synchronization) the users defined in an LDAP directory, in particular that of a corporate directory.

    AccessMaster automatically provisions the different application systems and includes a secure SSO.

    AccessMaster offers a workflow environment in order to automate the access-authorization approval circuit.

    Figure 6. Architecture (diagram; labels as they appear in the figure: AccessMaster server, with Identity management (Workflow), Provisioning, User directory and Web Interface; Administrators via web interface; Administration console; HTTP; target systems: Windows Systems, Unix Systems, Mainframes.)

    This solution can handle the 3 scenarios associated with the major events in a user's lifecycle. It also enables you, among other things, to:

    - take into account a user created in the directory,
    - have the administrator assign or modify a user profile,
    - report validation requests,
    - report a change of request status,
    - display the statuses to the administrator or user,
    - create or modify accounts on the target applications,
    - supply connection information (login and password),
    - delete all the accounts of a user removed from the directory.


    The main functions of a workflow

    Taking into account a user created in the directory

    When George Martin's record is created in the corporate directory, it is immediately taken into account by the AccessMaster software.

    The organization displayed on the AccessMaster console corresponds to that of the corporate directory.

    Figure 7. Declaring a user in the corporate directory

    Figure 8. Taking a user into account in AccessMaster


    User profile assignment or modification by the administrator

    From the web administration interface, the administrator requests a "Standard Profile" type authorization for the user. For George Martin, this Standard Profile corresponds to Windows resources access rights and an Oracle application role.

    Figure 9. Requesting for George Martin's authorizations


    Sending validation requests

    User-profile-validation and application-account-creation requests are sent by e-mail. These e-mails contain a URL that points to the request-processing screens.

    Figure 10. Request-processing by the application manager

    Reporting a change of request status

    Users are informed by e-mail about the status of their authorization requests.

    Figure 11. Notifying George Martin

    The administrator's view of the statuses via the user management console

    The administrator can display user rights by simply clicking on the person object.

    Figure 12. AccessMaster Console: displaying George Martin's authorizations


    The administrator or user's view of the statuses via the workflow interface

    The user in question (or an authorized administrator) can view his/her authorizations via a web interface.

    Figure 13. Web interface: displaying George Martin's authorizations


    Viewing the request-processing phases

    The person making the authorization request can also display the request-processing phases.

    Figure 14. Monitoring the processing of George Martin's authorizations

    The AccessMaster administrator has a view of all user authorizations, including those of George Martin.

    Creating or modifying accounts on the target applications

    At the end of the process, the Provisioning Manager module creates, modifies, disables or deletes the user's accounts on the target systems. This provisioning module provides status reports that, in the case of success, can be used to close an authorization-management process and, in the case of failure, can be used to notify the different players (administrator, ISSM, users, etc.).
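The workflow functions listed in this chapter (profile request, validation requests sent to each approver, status notifications, and the provisioning status report that closes the process or notifies the players on failure) can be modelled as one small state machine. The following is an added example and is not AccessMaster's code; the validator chain per target (line manager only for "ad", line manager then ISSM for "oracle"), the status names and the recipients are constructed.

```python
"""Approval workflow for one authorization request (added example, not
AccessMaster code). Each status change is recorded as an e-mail-style
notification (recipient, status at that moment, text)."""
from dataclasses import dataclass, field

# Constructed configuration: validators required per target, in order.
APPROVAL_CHAIN = {"ad": ["line_manager"], "oracle": ["line_manager", "issm"]}

@dataclass
class Request:
    requester: str
    target: str
    role: str
    status: str = "submitted"
    pending: list = field(default_factory=list)        # validators still to act
    notifications: list = field(default_factory=list)  # (recipient, status, text)

    def __post_init__(self):
        self.pending = list(APPROVAL_CHAIN[self.target])
        self._ask_next()

    def _notify(self, to, text):
        self.notifications.append((to, self.status, text))

    def _ask_next(self):
        # The validation request e-mail of the page points the approver at the
        # request-processing screen; here it is just the message text.
        self._notify(self.pending[0],
                     f"please validate {self.role} on {self.target} for {self.requester}")

    def decide(self, validator, approved):
        """One validation step; only the next validator in the chain may act."""
        if self.status != "submitted" or self.pending[:1] != [validator]:
            raise ValueError(f"{validator} cannot act on a request in status {self.status}")
        self.pending.pop(0)
        if not approved:
            self.status = "rejected"
            self._notify(self.requester, f"rejected by {validator}")
        elif self.pending:
            self._ask_next()          # next level of validation
        else:
            self.status = "approved"  # hand over to the provisioning module
            self._notify("provisioning", f"create {self.role} on {self.target}")
        return self.status

    def provisioning_report(self, success, detail=""):
        """Status report from provisioning: close the process or notify players."""
        if self.status != "approved":
            raise ValueError("no provisioning was ordered for this request")
        if success:
            self.status = "closed"
            self._notify(self.requester, f"{self.target} account ready ({self.role})")
        else:
            self.status = "failed"
            for who in ("administrator", "issm", self.requester):
                self._notify(who, f"provisioning failed: {detail}")
        return self.status
```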

    Providing connection information (login and password)

    When an account is created for an application, the associated user must be able to retrieve his or her connection information.

    AccessMaster makes this information available to the user in 2 ways:

    - through the "password management" interface, which can be used to know and synchronize logins and passwords;
    - through secure SSO, which enables the user to use these logins and passwords without knowing them, thanks to the enterprise SSO "WiseGuard" and "SAM SE", web SSO "SAM Web", or SAML management "SAM J2EE" modules.

    The use of these solutions depends on the company's security policy and the level of security required for the target applications.

    Departure of an employee

    The departure of an employee is a particularly sensitive issue that MUST be handled within the framework of authorization management. When a user leaves the company, all his/her application-access rights must be suspended on all the target systems.

    The AccessMaster "Provisioning Manager" module automatically deactivates all the user's rights for the target applications once it detects the deletion of his/her reference in the company directory.

    Figure 15. Departure of a user

    Figure 16. Declaring a user's departure in AccessMaster

    For example, once the user George Martin no longer exists in the LDAP directory, his accounts on the different systems are suspended. There are no longer any risks of the use of dormant accounts, and the procedure has only taken a few minutes.

    Measuring the return on investment

    The project was launched after calculating the return on investment.

    Here are some examples of the potential savings calculated for 1,000 users, each using an average of 5 applications:

    Users
    - A new user or a user changing his or her function is granted access rights immediately. He or she no longer has to wait several days for these rights to be granted. Potential annual savings: 80,000
    - Time is saved by no longer having to enter multiple passwords. Potential annual savings: 172,500

    Help desk
    - Lost passwords typically represent 30% of calls to the help desk. Installing an Identity and Access Management solution, such as AccessMaster, can considerably reduce these costs. Potential annual savings: 63,300

    System administrators
    - The procedures for declaring a new user are automatic. It takes just a few seconds to delete all the accounts of a user leaving the company. Potential annual savings: 160,000

    The total potential annual savings (5) were estimated at 475,800. This return on investment calculation was validated by the company's finance department and was a key factor in the decision to launch the project.

    (5) For details of a Return on Investment calculation, please contact Evidian at: [email protected]

    Speeding up and making identity management more reliable

    The introduction of an authorization management process has sped up the user-account-management processes and made them more reliable.

    These optimizations have resulted in cost savings, which in turn have been used to finance the project:

    - The efficiency of the company's employees has been improved thanks to the decrease in the time spent waiting to obtain user rights or user-right modifications. The time has dropped from several days to just a few minutes.
    - Access-right-management functions have been centralized, and the associated workload reduced thanks to the use of a single console.
    - The access security policy is now applied, audited and optimized.

    For more information go to www.evidian.com/

    Email: [email protected]
