Identity Administration and User Provisioning Are The Backbone of Identity Management
Provisioning implements an identity lifecycle for users, and with more and more users granted access to systems and applications, from full-time employees to short-term help, it is crucial for an organization to have a process in place to manage those identities.
Identity Administration and User Provisioning Service Capabilities
Identity administration and user provisioning provide a set of processes and an infrastructure to support the creation and maintenance of identity. This includes attributes, credentials, and entitlements and the secure facilitation of access to IT assets for various user populations from different channels, including intranet, extranet, Internet, mobile devices, and more.
It is critical to the health of the overall IAM infrastructure that the identity and entitlement information held in authoritative identity repositories be accurate and of high quality.
Identity and policy administration services include centralized, delegated, and self-service administration, as well as workflow approval. These services also include the ability to programmatically update identity information from existing authoritative sources of data or to make arrangements to obtain just-in-time identity assertions from a third party.
Provides a mechanism for administrators to push privileged activities to managers and end users securely through tailored interfaces and workflows.
Self-Registration and Self-Service
Provides an interface for users to manage credentials and profile information and to request access to IT assets. Anonymous users may also register through this interface.
User & Group Management
Provides administrative tools and services that information security professionals utilize to administer user identity and group entries throughout the enterprise, including privileged and application or service accounts.
Identity Registration & Proofing
Provides on-boarding and verification of new users. Identity proofing may prescribe call-outs to external services such as credit agencies, utilities, and government agencies to provide a level of assurance that the subject matches a valid person.
Identity Storage & Publication
Provides repositories for identity and/or account data. This typically includes services that routinely scan IT systems for discrepancies between expected and discovered accounts and fire configurable processes that can notify application and business owners, disable or delete unknown accounts, create missing accounts, and revert or reapply authorizations.
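The discrepancy scan described above can be illustrated with a short Python example. It is added here and is not code from this page or from any product; the system names, accounts, entitlements, and policy action names are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: expected state from the authoritative identity repository.
EXPECTED = {
    "crm": {"alice": {"sales"}, "bob": {"sales", "admin"}},
    "wiki": {"alice": {"editors"}},
}
# Constructed sample: accounts and entitlements discovered by scanning each system.
DISCOVERED = {
    "crm": {"alice": {"sales", "admin"}, "mallory": {"admin"}},
    "wiki": {"alice": {"editors"}},
}
# Hypothetical configurable policy: which process fires for each discrepancy kind.
POLICY = {
    "unknown_account": "disable_and_notify_owner",
    "missing_account": "create_account",
    "entitlement_drift": "reapply_authorizations",
}

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    kind: str
    action: str
    detail: str = ""

def reconcile(expected, discovered, policy=POLICY):
    """Compare expected and discovered accounts and return ordered findings."""
    findings = []
    for system in sorted(set(expected) | set(discovered)):
        exp, disc = expected.get(system, {}), discovered.get(system, {})
        for account in sorted(set(exp) | set(disc)):
            detail = ""
            if account not in exp:        # exists on the system, nobody owns it
                kind = "unknown_account"
            elif account not in disc:     # should exist but was never created
                kind = "missing_account"
            elif exp[account] != disc[account]:
                kind = "entitlement_drift"
                extra = sorted(disc[account] - exp[account])
                missing = sorted(exp[account] - disc[account])
                detail = f"extra={extra} missing={missing}"
            else:
                continue                  # account matches the expected state
            findings.append(Finding(system, account, kind, policy[kind], detail))
    return findings

if __name__ == "__main__":
    for f in reconcile(EXPECTED, DISCOVERED):
        print(f.system, f.account, f.kind, "->", f.action, f.detail)
```

Entitlement drift is reported separately from unknown accounts because an account that is legitimately present can still carry authorizations that were never approved.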
Rules & Access Policies
Provides for the application of business logic and policy in how and which assets are provisioned and how data is processed and transformed as it flows through the identity system.
An extensible package of adapters that leverage standard and vendor proprietary APIs to manage various account repositories and provide a generic interface to a provisioning system for managing account identifiers, profile attributes, credentials, and authorization information, such as group memberships. Some connectors provide the capability to directly manage generic data objects such as physical assets in LDAP stores.
Provides multi-step approval flows to automate request processes that require review and sign-off from authorized parties, such as managers, data owners, system owners, information security, etc., facilitating delegation to end users while still enforcing security policy controls.
Identity Attribute Mapping
Provides meta-directory capability of mapping account attribute names to the same identity attribute, e.g. mapping last name to “sn” and “surname.”
Provides multi-step account provisioning to accommodate dependencies between accounts and to increase reliability, e.g. supporting creation of accounts in a specific order, performing retries or rollback in case of failure, sending notification of down systems, and more.
De-provisioning a user’s access rights is required every time an employee leaves a company. But without the proper process in place, many companies do not follow through with de-provisioning.