Identity Manager Overview and Futures
IO163: Novell Identity Manager Overview and Futures
Key concept is that there is a main Identity Vault for Identity Manager. It doesn’t have to be authoritative for everything, but it contains the whole identity for individuals, aggregated from whatever sources throughout your systems that are authoritative for each piece.
An example is if you have your HR system be authoritative for most user attributes, but other places are authoritative for filesystem access, and maybe the email system is authoritative for email addresses. This is an example of “Role Based User Provisioning”, where an initial resource creation in one system kicks off an automated provisioning process that creates accounts on servers, desktops, mail systems and enterprise applications.
The corollary of this is “Role Based De-Provisioning”, which means a single event should be able to kick off a workflow that ensures that access is quickly and completely revoked for departing staff members. We need work in this area, as we have been managing it with paper workflow, and it could be faster if we automated some of it.
IDM 3 was released in 12/2005, and in addition to having much improved configuration tools and tasks and an expanded list of datastore connector drivers, they have included some very amazing workflow tools that incorporate dynamic provisioning workflows for all kinds of identity requirements. It also incorporates a lot of features that enable identity regulatory compliance for organizations that have strong regulatory requirements.
Auditing is a key functionality. People who are responsible for resources are able to see exactly who has been given access to what.
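To make the vault/authoritative-source model, the event-driven provisioning and de-provisioning, and the "who has access to what" audit concrete, here is a small added illustration in Python. It is not Novell code and models no IDM API; the attribute-to-source map, the connected system names, and the `Vault` class are constructed for the example.

```python
from dataclasses import dataclass, field

# Which source system is authoritative for each vault attribute (constructed,
# mirroring the HR / mail system / file server split described in the notes).
AUTHORITY = {
    "name": "hr", "department": "hr", "status": "hr",
    "mail": "mailsystem",
    "fs_groups": "fileserver",
}

# Connected systems that receive an account when a person is provisioned (constructed).
CONNECTED_SYSTEMS = ("linux", "desktop", "mail", "erp")


@dataclass
class Vault:
    identities: dict = field(default_factory=dict)  # uid -> merged attributes
    accounts: dict = field(default_factory=dict)    # uid -> set of systems with an account
    audit: list = field(default_factory=list)       # (uid, action, detail) records

    def sync(self, source, uid, attrs):
        """Merge an update from one source, keeping only attributes that source owns."""
        ident = self.identities.setdefault(uid, {})
        accepted = {k: v for k, v in attrs.items() if AUTHORITY.get(k) == source}
        rejected = sorted(set(attrs) - set(accepted))  # non-authoritative writes are dropped
        ident.update(accepted)
        self.audit.append((uid, f"sync:{source}", f"accepted={sorted(accepted)} rejected={rejected}"))
        # A status change from the HR feed is the single event that drives (de)provisioning.
        if source == "hr" and "status" in accepted:
            if accepted["status"] == "active":
                self.provision(uid)
            else:
                self.deprovision(uid)
        return rejected

    def provision(self, uid):
        """Create accounts on every connected system the user does not yet have."""
        created = [s for s in CONNECTED_SYSTEMS if s not in self.accounts.setdefault(uid, set())]
        self.accounts[uid].update(created)
        self.audit.append((uid, "provision", f"created={created}"))
        return created

    def deprovision(self, uid):
        """One de-provisioning event revokes every account the vault knows about."""
        revoked = sorted(self.accounts.pop(uid, set()))
        self.audit.append((uid, "deprovision", f"revoked={revoked}"))
        return revoked

    def access_report(self):
        """Who currently has access to what, for resource owners reviewing entitlements."""
        return {uid: sorted(systems) for uid, systems in self.accounts.items() if systems}
```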
We should look at IDM3 to auto-deploy Linux accounts on our gazillion Linux servers. Alternatively, get LDAP LUM integration working.
A new security feature is the ability to have encrypted attributes end-to-end. That includes encrypted data stored right inside the identity vault. Passwords, secrets etc. can be stored inside eDirectory in encrypted form for the use of IDM.
The presenter went through the workflow features again. This is pretty cool technology that we could really leverage. It occurs to me that you need strongly documented policies for corporate work processes if you want to implement this kind of workflow stuff. Detailed documentation would need to be developed and approved with all the stakeholders prior to implementation. Once the documentation is produced, in general there is no actual programming required for most basic workflow operations.
The system also includes the functionality of eGuide, but integrated with the workflow engine, plus email, instant messaging integration, and other advanced features.
Oops, out of laptop power. Switching to dead-tree blogging. Should be updated later.