Provisioning features

IBM Security Identity Manager provides support for provisioning, the process of providing, deploying, and tracking a service or component in your enterprise. In a suite of security products, Security Identity Manager plays a key role in ensuring that resources are accessible only to authorized persons. Security Identity Manager safeguards the accuracy and completeness of information processing methods and grants authorized users access to information and associated assets.


Overview

Security Identity Manager provides an integrated software solution for managing the provisioning of services, applications, and controls to employees, business partners, suppliers, and others associated with your organization across platforms, organizations, and geographies. You can use its provisioning features to control the setup and maintenance of user access to systems and account creation on a managed resource. The two main types of information are person data and account data. Person data represents the people whose accounts are being managed. Account data represents the credentials of the persons and the managed resources to which the persons were granted access.

At its highest level, an identity management solution automates and centralizes the process of provisioning resources. Resources range from operating systems and applications to people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures. However, the organization tree used for provisioning resources does not necessarily reflect the managerial structure of an organization.

Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations. For example, a domain administrator can serve only the people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized to do configuration tasks, such as creating workflows.

Security Identity Manager supports distributed administration capabilities, which include the secure distribution of provisioning tasks, whether manual or automatic, among various organizations. Distributing administrative tasks in your organization improves the accuracy and effectiveness of administration and improves the balance of the work load of an organization.

Security Identity Manager addresses provisioning of enterprise services and components in the following areas:


Account access management and the provisioning system

With an effective account access management solution, your organization can track precisely who has access to what information across the organization. Access control is a critical function of a centralized, single-point provisioning system. Besides protecting sensitive information, access controls expose existing accounts that have unapproved authorizations or are no longer necessary. Orphan accounts are active accounts that cannot be associated with valid users. For orphan accounts on a managed resource, the account owner cannot be automatically determined by the provisioning system. To control orphan accounts, the provisioning system links together account information with authoritative information about the users who own the accounts. Authoritative user identity information is typically maintained in the databases and directories of human resources.

Improperly configured accounts are active accounts that are associated with valid users but were granted improper authorization because the organization allowed local administrators to add or modify users outside of Security Identity Manager. Controlling improperly configured accounts is much more difficult, because it requires a comparison of “what should be” with “what is” at the account authority level. The existence of an account does not necessarily expose its capabilities. Accounts in sophisticated IT systems include hundreds of parameters that define the authorities, and these details can be controlled by your provisioning system.

New users can be readily identified with the data feed that you establish from the human resources directory. The access request approval capability initiates the processes that approve (or reject) resource provisioning for them.


Workflow and lifecycle automation

When a user becomes affiliated or employed with an organization, the lifecycle of the user begins. Your business policies and processes, whether manual or semi-automated, provision the user with access to certain resources based on role and responsibilities. Over time, when the role and functions of a user change, your business policies and processes can provision the resources that are available to the user. Eventually, the user becomes unaffiliated with the organization, associated accounts are suspended and later deleted, and the lifecycle of the user in the organization is finished. You can use workflows to customize how accounts are provisioned. You can customize the lifecycle management of users and accounts, such as adding, removing, and modifying users and accounts. A complete provisioning workflow system automatically routes requests to the appropriate approvers and preemptively escalates to other approvers if actions are not taken on the requests.

You can define two types of workflows in Security Identity Manager: entitlement workflows that apply to provisioning activities, and operational workflows that apply to entity types. An entitlement workflow defines the business logic that is tied specifically to the provisioning actions of provisioning policies. A provisioning policy entitlement ties the provisioning actions to entitlement workflows. For example, an entitlement workflow is used to define approvals for managing accounts. An operational workflow defines the business logic for the lifecycle processes for entity types and entities. You can use workflow programming tools to automate key aspects of the provisioning lifecycle, specifically the approval processes that your organization uses. A workflow object in the organization tree can contain one or more participants and escalation participants. A participant is a signature authority that approves or rejects a provisioning request.
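The routing and escalation behaviour described above, as an added example that is not IBM's code: a minimal model in which a request is offered to each participant in turn, and moves on to the escalation participants when a participant does not act within the allotted time. The workflow shape, the participant names, the hour-based clock and the "unanswered" outcome are constructed for this illustration and are not ISIM's own workflow objects.

```javascript
// Added example (not IBM's code): approval routing with escalation.
// workflow: { participants, escalationParticipants, escalationHours }
// decisions: list of { approver, decision: "approve" | "reject", at } where
//            "at" is hours since the request was created (constructed clock)
// nowHours:  the current time on that same clock
function routeRequest(workflow, decisions, nowHours) {
  // Approvers are tried in order: the participants first, then the
  // escalation participants. Each stage lasts escalationHours.
  const chain = [...workflow.participants, ...workflow.escalationParticipants];
  let stageStart = 0;
  for (let i = 0; i < chain.length; i++) {
    const approver = chain[i];
    const escalated = i >= workflow.participants.length;
    const stageEnd = stageStart + workflow.escalationHours;
    // A decision counts only if the approver was the current participant
    // when it was made, and only if it is not in the future.
    const acted = decisions.find(
      (d) =>
        d.approver === approver &&
        d.at >= stageStart &&
        d.at <= stageEnd &&
        d.at <= nowHours
    );
    if (acted) {
      const state = acted.decision === "approve" ? "approved" : "rejected";
      return { state, approver, escalated };
    }
    if (nowHours < stageEnd) {
      // Still inside this stage with no decision yet.
      return { state: "pending", approver, escalated };
    }
    // Stage timed out without action: escalate to the next approver.
    stageStart = stageEnd;
  }
  // Every participant and escalation participant let their stage lapse.
  return { state: "unanswered", approver: null, escalated: true };
}

// Constructed sample workflow: one signature authority and one escalation
// participant, each given 48 hours to act.
const accessRequestWorkflow = {
  participants: ["line-manager"],
  escalationParticipants: ["security-officer"],
  escalationHours: 48,
};

console.log(routeRequest(accessRequestWorkflow, [], 10));
console.log(routeRequest(accessRequestWorkflow, [], 60));
console.log(
  routeRequest(
    accessRequestWorkflow,
    [{ approver: "security-officer", decision: "approve", at: 70 }],
    80
  )
);
```

The first call shows the request pending with the line manager, the second shows it escalated to the security officer after the 48-hour stage lapsed, and the third shows the escalation participant's approval closing the request.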


Provisioning policies and auditing

An organizational role entity is assigned to one or more identities when you implement role-based access control for the resources that are managed by Security Identity Manager. An organizational role is controlled by a provisioning policy. The policy represents a set of organizational rules and the logic that the ISIM Server uses to manage resources such as applications or operating systems.

If a role is a member of another organizational role in a provisioning policy, then that role member also inherits the permissions of the provisioning policy.

A provisioning policy maps the people in organizational roles to services that represent corresponding resources in Security Identity Manager. The policy sets the entitlements that people have when accessing the services. The provisioning policies you implement must reflect the organizational identity management policies in your security plan. To implement effective provisioning policies, you must analyze and document the existing business approval processes in your organization. You must determine what adjustments to make to those processes to implement an automated identity management solution. A provisioning policy provides a key part of the framework for the automation of identity lifecycle management.

Security Identity Manager provides APIs that interface to information about provisioning policies defined in Security Identity Manager, and interface to the access granted to an individual task. These APIs can be used effectively to generate audit data. When a provisioning policy is defined, the reconciliation function enables the enforcement of the policy rules. The reconciliation function keeps the participating systems (both the ISIM Server and the repositories of the managed resources) from potentially becoming a single point of failure.

When two or more provisioning policies are applied, a join directive defines how to handle attributes. Two or more policies might have overlapping scope, and the join directive specifies what actions to take when this overlap occurs.
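As an added example that is not IBM's code, the following shows how a join directive resolves a single account attribute when two policies with overlapping scope both apply, and then performs the "what should be" versus "what is" comparison that reconciliation makes against the managed resource. The directive names and semantics used here (union, intersection, precedence), the policy priority field, and the sample policies and group names are assumptions constructed for this illustration; the directives your ISIM version actually offers are defined in its documentation.

```javascript
// Added example (not IBM's code): join directives over one attribute.

// Constructed sample: both policies entitle the same person to the same
// service and each sets the account's "groups" attribute. A lower priority
// number is assumed to mean the policy takes precedence.
const applicablePolicies = [
  { name: "All employees", priority: 10, groups: ["staff", "vpn"] },
  { name: "Finance staff", priority: 1, groups: ["staff", "finance-ro"] },
];

// Each directive receives the value sets in priority order (highest first).
const joinDirectives = {
  // Keep every value that any applicable policy grants.
  union: (valueSets) => [...new Set(valueSets.flat())],
  // Keep only values that every applicable policy grants.
  intersection: (valueSets) =>
    valueSets.reduce((acc, vals) => acc.filter((v) => vals.includes(v))),
  // The highest-priority policy's values win outright.
  precedence: (valueSets) => [...valueSets[0]],
};

function joinAttribute(policies, attribute, directive) {
  const join = joinDirectives[directive];
  if (!join) throw new Error(`unknown join directive: ${directive}`);
  const ordered = [...policies].sort((a, b) => a.priority - b.priority);
  return join(ordered.map((p) => p[attribute] || []));
}

// Reconciliation-style check: compare the joined ("should be") values with
// what the managed resource actually reports ("is"). Values present on the
// resource but granted by no policy are the unapproved authorizations that
// the text warns about; values granted but absent are provisioning gaps.
function compareWithResource(expected, actual) {
  return {
    missing: expected.filter((v) => !actual.includes(v)),
    unapproved: actual.filter((v) => !expected.includes(v)),
  };
}

// Constructed: the account as read back from the managed resource, where a
// local administrator added "domain-admins" outside Security Identity Manager.
const resourceGroups = ["staff", "finance-ro", "domain-admins"];

const shouldBe = joinAttribute(applicablePolicies, "groups", "union");
console.log("joined (union):", shouldBe);
console.log("joined (intersection):", joinAttribute(applicablePolicies, "groups", "intersection"));
console.log("joined (precedence):", joinAttribute(applicablePolicies, "groups", "precedence"));
console.log("drift against resource:", compareWithResource(shouldBe, resourceGroups));
```

The same input yields three different entitlement sets depending on the directive, which is why the directive chosen for an attribute is itself a security decision: a union grants the most, an intersection the least, and precedence makes the result depend on policy ordering.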

Provisioning policies can be mapped to a distinct portion or level of the organizational hierarchy. For example, policies can be defined at a specific organization unit that affects organization roles for that unit only. Service selection policies extend the function of a provisioning policy by enabling the provisioning of accounts based on person attributes. A service selection policy is enforced when it is defined as a target of a provisioning policy. Using a JavaScript script to determine which service to use, the service selection policy defines provisioning based on the instructions in the script. The logic in the JavaScript typically uses person object attributes to determine which service to use. The attribute is often the location of the person in the organization tree.
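A service selection script of the kind described above, as an added example that is not from the IBM documentation. The script is run here against a stand-in person object so that it executes outside ISIM. The `getProperty(name)` method returning an array of values, the attribute names `l` and `employeeType`, and the service names are assumptions made for this illustration; the objects and attributes actually available to a service selection script are defined by ISIM and by your directory schema.

```javascript
// Added example (not IBM's code): service selection by person attributes.

// Stand-in for the person object that ISIM supplies to the script. The
// array-valued getProperty(name) shape is an assumption for this example.
function makePerson(attributes) {
  return {
    getProperty(name) {
      const values = attributes[name];
      return values === undefined ? [] : [].concat(values);
    },
  };
}

// Location in the organization tree decides which regional service gets the
// account. Unknown or missing locations fall through to a global service so
// that a provisioning request never ends up without a target.
const SERVICE_BY_LOCATION = {
  Austin: "Austin Windows Domain",
  Raleigh: "Raleigh Windows Domain",
  Bangalore: "Bangalore Windows Domain",
};
const DEFAULT_SERVICE = "Global Directory Service";
const CONTRACTOR_SERVICE = "Contractor Portal";

// This is the logic a service selection script would contain: read person
// attributes and return the name of the service to provision on.
function selectService(person) {
  const employeeType = (person.getProperty("employeeType")[0] || "").toLowerCase();
  // Contractors are routed to a restricted service regardless of location,
  // so a location-based rule cannot grant them a regular employee account.
  if (employeeType === "contractor") {
    return CONTRACTOR_SERVICE;
  }
  const location = person.getProperty("l")[0];
  return SERVICE_BY_LOCATION[location] || DEFAULT_SERVICE;
}

// Constructed sample people, including one with no location recorded.
const samplePeople = [
  makePerson({ cn: "Ada", l: "Austin", employeeType: "employee" }),
  makePerson({ cn: "Raj", l: "Bangalore" }),
  makePerson({ cn: "Kim", l: "Austin", employeeType: "Contractor" }),
  makePerson({ cn: "Lee" }),
];
for (const p of samplePeople) {
  console.log(p.getProperty("cn")[0], "->", selectService(p));
}
```

Two points worth keeping when writing the real script: decide explicitly what happens when the deciding attribute is missing (here a global default), and check attributes that restrict access before attributes that broaden it, so that a missing or unexpected location never upgrades a restricted user.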


Role-based access control

Role-based access control (RBAC) uses roles and provisioning policies to evaluate, test, and enforce your business processes and rules for granting access to users. Key administrators create provisioning policies and assign users to roles that define sets of entitlements to resources for those roles. RBAC tasks establish role-based access control to resources. RBAC extends the identity management solution to use software-based processes and reduce manual user interaction in the provisioning process.

Role-based access control evaluates changes to user information to determine whether the changes alter the role membership for the user. If a change is needed, policies are reviewed and changes to entitlements are put in place immediately. Similarly, a change in the definition of the set of resources in a policy can also trigger a change to associated entitlements. Role-based access control includes the following features:


Self-regulating user administration

When your organization starts to provision resources across all internal organizations, you implement the self-regulating user administration capability. You can realize the advantages and benefits of provisioning users across organizational boundaries. In this environment, a change in a user's status is automatically reflected in access rights across organization boundaries and geographies. You can reduce provisioning costs and streamline the access and approval processes. The implementation realizes the full potential of implementing role-based access control for end-to-end access management in your organization. You can reduce administrative costs through automated procedures for governing user provisioning. You can improve security by automating security policy enforcement, and streamline and centralize user lifecycle management and resource provisioning for large user populations.


Incremental provisioning and other customization options

Your team can use business plans and requirements to decide how much to customize Security Identity Manager. For example, a large enterprise might require a phased roll-out plan for workflows and custom adapters that is based on a time line for incrementally provisioning applications that are widely used across geographies. Another customization plan might provide for two or more applications to be provisioned across an entire organization, after successful testing. User-application interaction can be customized, and procedures for provisioning resources might be changed to accommodate automated provisioning.

You can deprovision to remove a service or component. For example, deprovisioning an account means that the account is deleted from a resource.

Parent topic: Features overview