Microsoft's Identity and Access Management Strategy
TRANSCRIPT (KuppingerCole)
Rüdiger Berndt, Chief Architect / CEO
Oxford Computer Group Deutschland
www.oxfordcomputergroup.de
Oxford Computer Group
Offices:
Munich
Oxford
Seattle
Toronto
Vienna
The leading Microsoft partner for IDA
Pure Microsoft-based IDA solutions
Build and buy approaches
We partner with Microsoft-focused ISVs
Currently involved with 40 projects worldwide
Focus: Execution of Planning, Design, Build and Test
through to final implementation
Enterprise IDA Management solutions
Enterprise SSO / Strong AuthN Solutions
Microsoft IDA Training Programmes
Identity Management Support (24x7)
Agenda
IDA Architectures
Components
Identity Store
Role Management
Workflow
Audit / Reporting
SAP Integration
SSO / PW Sync
Summary
Product Overview (diagram): Guidance; Developer; Systems Management; Active Directory Federation Services (ADFS); Identity Management Services; Information Protection; Client and Server OS; Server Applications; Edge. Identity Lifecycle Manager 2007 is built from the MIIS synchronization engine and Certificate Lifecycle Manager 2007.
Identity Lifecycle Manager 2007
Brings together metadirectory, certificate management, and user provisioning across Windows and enterprise systems into a single packaged offering.
Identity Synchronization (MIIS)
Provides a single view of a user across enterprise systems
Automatically keeps identity information consistent
User Provisioning
Automates the process of on-boarding and off-boarding users
Simplifies compliance through automated IDA enforcement
Enforces consistent credentials across systems
Certificate and Smart Card Management (CLM)
Reduces the cost of managing certificate-based credentials
Automates workflow-driven certificate issuance and revocation
Vastly simplifies deployment of smart cards
IDA Solution from MSFT/OCG
Single Point of Administration
Application integration with Corp Directory
Workflow / Rules for automatic admin processes
Password Synchronization over MIIS
Role-Based Application Provisioning
Compliance Reporting via SRS Plugins
Architecture (diagram): Microsoft Identity Integration Server 2003 sits in the centre and connects, through its Management Agents, the Identity Store (LDAP / Web Services), the infrastructure AD, SAP EP, Self Services, a Data Warehouse, the phone system, Novell/Notes, Unix/RACF and the SAP/HR systems. Around it sit centralized management and provisioning, an Audit & Reporting DB, the OCG Role Calc for role management, and the OCG Event Workflow (user request / approval process via InfoPath, mail, WebPart/website) implemented by the OCG WF Module.
MIIS Terms
Connected Data Source (CD): any source and/or destination containing identity data
Management Agent (MA): facilitates the communication between MIIS and the CD
Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
Metaverse (MV): central (SQL) store of identity information; matching CS entries to a single MV entry is called "join"
(diagram: CD <-> MA <-> CS <-> MV, with MA, CS and MV inside MIIS)
MV entries are linked to CS entries through: projection, provisioning a connector, joining
CS entries represent objects in Connected Data Sources
Synchronization is between MV and CS
Staging is from CD to CS
Export is from CS to CD
MIIS Concepts (diagram): Connected Data Sources (CD) such as User, Notes, Oracle, SQL and SAP are staged into the Connector Space (CS) and synchronized with the Metaverse (MV) inside MIIS.
Let's zoom in on what MIIS does
MIIS Sequence Of Events
1) SAP HR database staged and projected
2) Provision and export to SQL-based approval system
3) Manager approval app causes import and delta synchronization
4) Sun One and Notes connectors provisioned and exported
(diagram: the same CD / CS / MV picture as above, with User, Oracle, SQL, Notes and SAP as Connected Data Sources)
ILM as Provisioning System
(diagram) Connected Data Source types and their Management Agents in Microsoft Identity Integration Server 2003 (MIIS): E-Mail (Exchange, Notes, Groupwise, etc.) via an E-Mail MA; Database (SQL, DB2, Oracle, etc.) via a Database MA; Directory (Active Directory, LDAP, eDirectory, etc.) via a Directory MA. Each MA has its own logical area (object attributes) in the Connector Space, and all of them synchronize with the Metaverse.
Identity Lifecycle Manager 2007
Object creation (diagram: CD = HR, MV person object, CS person object with connector; the provision step runs in the MV rules extension)
1) HR MA imports new user object
2) Project new user
3) Create new connector
4) Set anchor value
5) Set other initial values
6) Export attribute flow
7) Normal MA export run (creates object in CD)
Object deletion (diagram: CD = HR, MV person object, CS person object; the deprovision step runs in the MA rules extension)
1) HR MA imports user object with status = "terminated"
2) Object deletion rule applies: the connector filter "status=terminated" is satisfied, the CS object becomes a disconnector and the MV object is deleted
3)(4) Deprovisioning of the remaining connectors, chosen in the MA rules extension: make normal disconnector, make explicit disconnector, delete object, or custom extension (followed by disconnector cleanup)
5) MA export deletes the CD object
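The creation and deletion sequences above, as an added example written for this page in Python (it is not MIIS code; real MIIS/ILM rules extensions are .NET assemblies). It models staging, join/projection on an assumed join attribute (employeeID), provisioning an AD connector with an assumed DN layout, and the object-deletion rule that turns the HR connector into a disconnector and deletes the AD object. The one check a practitioner wants on top of the slide is in _join_or_project: a second HR record carrying an employee number that is already connected must be refused rather than silently merged, because a merge would hand the existing account to the new record.

```python
from dataclasses import dataclass, field
from typing import Optional
import itertools


@dataclass
class CSObject:
    ma: str                        # management agent owning this connector space
    anchor: str                    # anchor value in the connected data source
    attrs: dict
    mv_id: Optional[str] = None    # connector when set, disconnector when None


@dataclass
class MVObject:
    mv_id: str
    attrs: dict
    connectors: dict = field(default_factory=dict)   # ma -> CS anchor


class JoinError(Exception):
    """A second HR record matched an MV entry that already has an HR connector."""


class SyncEngine:
    JOIN_KEY = "employeeID"        # assumed join attribute (HR employee number)

    def __init__(self):
        self.cs = {}               # (ma, anchor) -> CSObject
        self.mv = {}               # mv_id -> MVObject
        self.exports = []          # queued (ma, operation, anchor) for the export run
        self._ids = itertools.count(1)

    def stage(self, ma, anchor, attrs):
        """Import run: stage a CD record into the MA's connector space."""
        key = (ma, anchor)
        if key in self.cs:
            self.cs[key].attrs.update(attrs)
        else:
            self.cs[key] = CSObject(ma, anchor, dict(attrs))
        return self.cs[key]

    def sync_hr(self, anchor):
        """Synchronization run for one staged HR object; returns its MV id or None."""
        obj = self.cs[("HR", anchor)]
        if obj.mv_id is None:
            if obj.attrs.get("status") == "terminated":
                return None        # connector filter: terminated staff never project
            self._join_or_project(obj)
        mvobj = self.mv[obj.mv_id]
        for a in ("employeeID", "givenName", "sn", "status"):   # inbound flow
            if a in obj.attrs:
                mvobj.attrs[a] = obj.attrs[a]
        if mvobj.attrs.get("status") == "terminated":
            self._deprovision(mvobj)           # object deletion rule applies
        else:
            self._provision_ad(mvobj)          # MV rules extension: provision step
        return obj.mv_id

    def _join_or_project(self, obj):
        key = obj.attrs.get(self.JOIN_KEY)
        matches = [m for m in self.mv.values() if m.attrs.get(self.JOIN_KEY) == key]
        if len(matches) > 1 or (matches and "HR" in matches[0].connectors):
            raise JoinError(f"{key}: ambiguous or already connected, not merging")
        if matches:
            mvobj = matches[0]                                 # join
        else:
            mvobj = MVObject(f"mv{next(self._ids)}", {})       # project
            self.mv[mvobj.mv_id] = mvobj
        mvobj.connectors["HR"] = obj.anchor
        obj.mv_id = mvobj.mv_id

    def _provision_ad(self, mvobj):
        if "AD" not in mvobj.connectors:
            sam = (mvobj.attrs["givenName"][0] + mvobj.attrs["sn"]).lower()
            dn = f"CN={sam},OU=Staff,DC=example,DC=com"        # assumed DN layout
            self.cs[("AD", dn)] = CSObject("AD", dn, {"sAMAccountName": sam}, mvobj.mv_id)
            mvobj.connectors["AD"] = dn                        # new connector, anchor set
            self.exports.append(("AD", "add", dn))
        ad = self.cs[("AD", mvobj.connectors["AD"])]
        ad.attrs["employeeID"] = mvobj.attrs["employeeID"]     # export attribute flow

    def _deprovision(self, mvobj):
        for ma, anchor in list(mvobj.connectors.items()):
            self.cs[(ma, anchor)].mv_id = None                 # becomes a disconnector
            if ma == "AD":                                     # chosen option: delete object
                self.exports.append(("AD", "delete", anchor))
                del self.cs[(ma, anchor)]
        del self.mv[mvobj.mv_id]

    def run_export(self):
        """Export run: hand the queued operations to the connected data sources."""
        done, self.exports = self.exports, []
        return done


if __name__ == "__main__":
    eng = SyncEngine()
    eng.stage("HR", "1001", {"employeeID": "E1001", "givenName": "Alice",
                             "sn": "Smith", "status": "active"})
    print(eng.sync_hr("1001"), eng.run_export())
    eng.stage("HR", "1001", {"status": "terminated"})
    print(eng.sync_hr("1001"), eng.run_export())
```

Note that the deprovisioning choice (delete the AD object rather than leave an explicit disconnector) is the one that closes the account at the moment HR reports the leaver; the other options on the slide keep the account alive and depend on a later cleanup.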
MIIS Management Agents
Selection of the main system connections:
Active Directory® supporting Windows 2000/2003, Exchange 2000/2003/(12)
Active Directory Application Mode (ADAM) (R2)
Global Address List (GAL) Synch—supporting Exchange 2000 and Exchange 2003 / (12)
Netscape/iPlanet/Sun ONE Directory
IBM DB2 Universal Database (7 or 8.1 on Windows or Linux)
IBM Directory Server (4.x/5.x on Windows 2000/2003)
SQL Server™— (7/2000/2005)
Oracle Databases—supporting version 8i, 9i, 10, 10g
Directory Services Markup Language (DSML)—supporting DSML version 2.0
LDAP Interchange Format (LDIF) / De-Limited Text, Attribute-Value Pair Text
Open-LDAP
Windows NT® 4.0 Domains and Exchange Server 5.5, Exchange Server 5.5 Bridgehead
Lotus Notes—supporting versions 4.6, 5.0, 6.0, 7.x
Novell eDirectory—supporting versions > 8.6.x
Host RACF, TS, ACF systems
Microsoft SAP HR + SAP R3 > V4.6d
Management Agents
Additions to standard agents (selection)
Highly Scalable SAP MA for HR
CUA
UM
OM, PDORG
Workflow integration
Host RACF via LDAP
Unix systems (VMS, HPUX, SUN, Linux, SCO, other)
additional HR systems (e.g. Peoplesoft, Paisy,…)
Various telephone systems (Alcatel, HICOM, AVAYA, …)
Sharepoint, Biztalk
Live ID, Office Live
Vintela/Quest/Omada/bHold
RSA SecurID
Other LDAP Servers e.g. Siemens DirX, CP, Syntegra, …
CLM
IDA Solution from MSFT/OCG V2
Central role-based administration
Application integration into the Corporate Directory
Workflows for automatic admin processes
Password synchronization over ILM
Compliance reporting / audit via SRS plugins
(diagram: the architecture shown above, with Identity Lifecycle Manager 2007 in place of MIIS 2003 as the hub for the Management Agents)
Workflow + Role Management + Access Request
Omada Identity Manager + MIIS/ILM (diagram: user -> job profiles 1 and 2 -> roles A, B, C)
ADAM as Identity Store
Flexible & automatic user administration
Flexible Schema – simple extensibility without
changes to the NOS AD
Administration at Org structure level
Inheritance of attributes from OUs to users
Better performance than AD
Integration of Vendors / other companies / External
people possible
Single Point for Authentication for all applications
IDA Architecture (divider slide: the same architecture diagram as above)
Enterprise Roles
(diagram) A user is assigned, directly or via OU / O / group, to an Enterprise Role; each Enterprise Role maps to App Roles, and each App Role to the tasks (operations / actions) it permits in the application.
User Lifecycle Mgmt Role Design
(diagram, ADAM as identity data store with the OCG Role Calc) OU object 1 in ADAM (user 2 is assigned to OU 1); user object 1 in ADAM; role objects in ADAM (assigned to group objects); assignment labels in the diagram: EntRoleA, EntRoleB, EntRoleA, EntRoleC. Role mapping:
Enterprise Role A: Ora roles (ORA1-active, Ora2), SAP roles (SAP1, SAP4, SAP6)
Enterprise Role B: Ora roles (ORA5-active, Ora7), SAP roles (SAP1, SAP3, SAP9)
Enterprise Role C: Ora roles (ORA7-active, Ora2), SAP roles (SAP1, SAP8, SAP9)
Flexible Role Assignment
Roles can be assigned directly or rules-based to: users, groups, organizational structures, views
(diagram, ADAM objects) Organization object 1: ocgOrgMember (multi-valued): DN ref to OrganizationUnit 1, DN ref to User 1, DN ref to User ... Organization Unit object 1: ocgOrgMember (multi-valued): DN ref to User 1, DN ref to User ... User object: ocgOrgView (multi-valued, managed by the Admin Console): DN ref to Organization 1, DN ref to Organization / OU ... The membership attributes are automatically back-linked.
Multiple Views on Users
Flexible rights management through multiple views
A user can be assigned to multiple organizational structures (e.g. projects)
Views can be automatically imported (e.g. SAP-OM)
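The role design and the multi-view assignment above, as an added Python example written for this page (it is not OCG's Role Calc). Enterprise roles are attached to organization / OU objects and inherited by their members through the ocgOrgView references, the three enterprise roles are mapped to the Ora and SAP roles from the slide (the "-active" markers are dropped), and the result is the per-system add/remove delta a provisioning system would export. The DNs, the org tree and the vendor rule are constructed sample data. The point worth seeing in the second run is that a user leaving the project loses SAP8 but keeps ORA2 and ORA7, because other enterprise roles still grant them: target roles must be recomputed over the whole remaining set, never subtracted role by role.

```python
from collections import defaultdict

# Enterprise role -> application roles per target system (from the Role A/B/C slide)
ENTERPRISE_ROLES = {
    "EntRoleA": {"ORA": {"ORA1", "ORA2"}, "SAP": {"SAP1", "SAP4", "SAP6"}},
    "EntRoleB": {"ORA": {"ORA5", "ORA7"}, "SAP": {"SAP1", "SAP3", "SAP9"}},
    "EntRoleC": {"ORA": {"ORA7", "ORA2"}, "SAP": {"SAP1", "SAP8", "SAP9"}},
}

# Constructed directory objects standing in for the ADAM organization / OU tree:
# child DN -> parent DN (None at the top of the structure)
ORG_TREE = {
    "O=ACME": None,
    "OU=Sales,O=ACME": "O=ACME",
    "OU=Projects,O=ACME": "O=ACME",
    "OU=ProjectX,OU=Projects,O=ACME": "OU=Projects,O=ACME",
}
# Enterprise roles attached to organization objects; inherited by their members
ROLE_ASSIGNMENTS = {
    "O=ACME": {"EntRoleA"},
    "OU=Sales,O=ACME": {"EntRoleB"},
    "OU=ProjectX,OU=Projects,O=ACME": {"EntRoleC"},
}
# Rules-based assignment: (user attribute, value) -> enterprise roles (constructed)
RULES = {("employeeType", "Vendor"): {"EntRoleC"}}


def ancestors(dn):
    """Walk from an organization / OU object up to the top of its structure."""
    while dn is not None:
        yield dn
        dn = ORG_TREE[dn]


def effective_enterprise_roles(user):
    """Direct roles + roles inherited through every view the user belongs to + rules."""
    roles = set(user.get("directRoles", ()))
    for view in user.get("ocgOrgView", ()):    # a user may sit in several structures
        for dn in ancestors(view):
            roles |= ROLE_ASSIGNMENTS.get(dn, set())
    for (attr, value), extra in RULES.items():
        if user.get(attr) == value:
            roles |= extra
    return roles


def application_roles(enterprise_roles):
    """Flatten enterprise roles into the application roles each target system needs."""
    out = defaultdict(set)
    for role in enterprise_roles:
        for system, app_roles in ENTERPRISE_ROLES[role].items():
            out[system] |= app_roles
    return dict(out)


def provisioning_delta(current, target):
    """Per target system: (roles to add, roles to remove) for the next export run."""
    delta = {}
    for system in set(current) | set(target):
        have, want = current.get(system, set()), target.get(system, set())
        delta[system] = (sorted(want - have), sorted(have - want))
    return delta


def recalc(user, current):
    """Full role calculation for one user, as a provisioning system would run it."""
    target = application_roles(effective_enterprise_roles(user))
    return target, provisioning_delta(current, target)


if __name__ == "__main__":
    alice = {"ocgOrgView": ["OU=Sales,O=ACME", "OU=ProjectX,OU=Projects,O=ACME"]}
    print(recalc(alice, {"SAP": {"SAP1", "SAP2"}}))
    alice["ocgOrgView"].remove("OU=ProjectX,OU=Projects,O=ACME")   # leaves the project
    print(recalc(alice, {"SAP": {"SAP1", "SAP3", "SAP4", "SAP6", "SAP8", "SAP9"}}))
```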
IDA Architecture (divider slide: the same architecture diagram as above, highlighting the OCG WF Module)
OCG WF Module (diagram: Workflow Runtime (Microsoft Windows Workflow Foundation) with ADAM as persistence DB, connected to Microsoft Identity Integration Server 2003)
Based on WWF
State is stored in ADAM
Event based WF start
Compatible with the SharePoint 2007 WF Designer
No licence costs!
Complex and highly available WF
Workflow Integration
Technical Implementation
1) Joiner Process Example
A joiner process initiated via self service from Microsoft SharePoint: configuration by administrator -> request for a new employee -> role assignment -> approval -> user provisioning through MIIS
IDA Solution Architecture (divider slide: the same architecture diagram as above, highlighting the Audit & Reporting DB)
MIIS Reporting
The MIIS Reporting Module uses its own MIIS Reporting Database
Automatic configuration of the report interface on schema changes
Multiple pre-defined reports available for:
Changelog (who changed what when)
Management log (number of accounts, changes per system, newly created accounts, ...)
Who is in what kind of role (Enterprise / Application)
Reporting IDA Workflow Events (diagram): IdM events are logged in the Identity Management Store (ADAM, LDAP) and sent to MIIS (Identity Integration); MIIS feeds the Corporate Directory and the SQL Reporting Services database; older events go to event archiving.
ILM Reporting Examples
Reports of role membership
ILM Reporting / Changelog
IDA Solution Architecture (divider slide: the same architecture diagram as above, highlighting the SAP/HR systems)
SAP Identity Integration
MIIS/ADAM supported scenarios
User account creation (UM, CUA)
Password sync to SAP systems
Read/write employee data in the HR system
Read organizational structures
Read SAP roles
Assignment of roles to users
High scalability: the SAP concentrator supports > 100 SAP systems per MIIS MA
SAP Integration
ILM SAP MA (version 1.0) / OCG MA (version 2.3)
No changes on the target SAP systems necessary
Delta import where the SAP BAPI/RFC functions support it
Detailed error reporting on object and attribute level
OCG version only: can run on different servers (via optional SQL interface)
Can connect multiple (>100) SAP systems/clients with one ILM MA
IDA Architecture with SAP (diagram): the ILM server's sync engine drives a SAP MA (over BAPI to the SAP CUA and several SAP R/3 systems), a SAP MA for password sync, an Active Directory MA for the Active Directory forests and an ADAM MA for ADAM (the identity data store). ADAM is queried over LDAP by the web admin GUI, by SAP EP 6.0 and by the intranets of the member companies.
IDA Architecture (divider slide: the same architecture diagram as above, with CLM among the connected systems)
Certificate Lifecycle Manager (CLM)
Single administration point for digital certificates and
smart cards
Configurable policy-based workflows for common tasks
Enroll/renew/update
Recover/card replacement
Revoke
Retire/disable smart card
Issue temporary/duplicate smart card
Personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments
Windows Active Directory; Windows Certificate Services
CLM Components (diagram): CLM Server (web portal) used by partners, users and customers; Email Server; SQL Server; Certification Authority; AD; MIIS Server via the CLM interface.
CLM Middleware / Smart Cards
CLM supported smart card middleware
Microsoft Smart Card Base CSP
Axalto Client Software (ACS) v 5.2
AET SafeSign v2.2
Aladdin eToken RTE 3.65
Gemplus GemSafe v4.2 Sp 3
Siemens HiPath SIcurity Card API v3.1.026
Supported smart cards
Palmera, Cyberflex Access, e-gate lines of cards by Axalto
Java Card 2.1.1+ compliant smart cards by G&D, GemPlus, IBM,
MartSoft, Oberthur, ORGA and Axalto
eToken Pro, eToken NG-OTP, eToken Pro (Smart card) by Aladdin
GemXpresso Pro3.2 and GemSafe GPK lines of cards by Gemplus
CardOS and CardOS/M4 lines of cards by Siemens
Other smart cards and tokens that are supported through the AET
SafeSign v2.1 middleware
IDA Solution Architecture (divider slide: the same architecture diagram as above, highlighting password synchronization)
Password Management / SSO Module
(diagram) MIIS provisions / deprovisions users and synchronizes passwords from the employee data and password sources (SAP, Unix, RACF) into Active Directory Application Mode (ADAM), into the application server (authorization / role mapping) and from the source Active Directory infrastructure into the target Active Directory infrastructure.
• SSO
• Kerberos integration (native / VAS)
• Token translation (proxy) (SAP2KERB, RSA2SAP, ...)
• Client based SSO (Evidian, ...)
• Password synchronization
• PCNS
• OCG PCNS + OCG Password Policy
• MIIS Management Agents
• Password self services
• Password portal (Evidian, Quest, ...)
Password Sync via ILM
(diagram: the same picture as above with ILM in place of MIIS)
1. The user changes the password in AD (Ctrl+Alt+Del)
2. The password is checked against additional policies (SAP/Unix)
3. The password is encrypted and sent to the ILM server
4. The ILM server sets the password of this user in each target system
Password Sync scenarios
Function | Microsoft PCNS + OCG Add-On | OCG PCNS
Prerequisites for installation | An Active Directory trust is required | No AD trust is required
Consequences for the source AD | An extension of the AD schema is performed during installation | No AD schema extension is required
Ability to set additional password policies | Additional password policies are configurable (both variants): maximum/minimum password length; exclusion wordlists (like "SAP"); exclusion character lists to specify prohibited characters (e.g. *, @, #); include + exclude filter for sAMAccountName
Configuration of the target MIIS system | The user objects in MIIS must be directly joined with both the source AD and the target system | Various search criteria can be configured
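The additional-policy check from step 2 of the sync flow and the table above, as an added Python example written for this page (not OCG's PCNS add-on). It implements the four configurable rules (length limits, exclusion wordlist, prohibited characters, include/exclude filter on sAMAccountName) and returns the decision the DC-side filter would take before anything is forwarded: reject the change, synchronize it, or let it through without synchronizing. The policy values, the account names and the passwords are constructed; the length limits are illustrative, not any target system's real rules. The design point the slide leaves implicit: a violation must fail the AD password change itself, otherwise AD accepts a password the SAP or Unix side later refuses and the systems drift apart, and the audit record must never carry the plaintext password.

```python
import fnmatch

# Constructed sample policy in the spirit of the OCG add-on (illustrative limits)
POLICY = {
    "min_len": 8,
    "max_len": 40,
    "exclude_words": ["sap", "password", "company"],
    "exclude_chars": set("*@#"),
    "include_sam": ["*"],              # which accounts are forwarded at all
    "exclude_sam": ["svc-*", "adm-*", "krbtgt"],
}


def in_sync_scope(sam, policy=POLICY):
    """Include + exclude filter on sAMAccountName (case-insensitive glob patterns)."""
    name = sam.lower()
    included = any(fnmatch.fnmatchcase(name, p.lower()) for p in policy["include_sam"])
    excluded = any(fnmatch.fnmatchcase(name, p.lower()) for p in policy["exclude_sam"])
    return included and not excluded


def password_violations(password, policy=POLICY):
    """Return every additional-policy rule the new password breaks (empty = ok)."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    lowered = password.lower()
    for word in policy["exclude_words"]:
        if word.lower() in lowered:
            problems.append(f"contains excluded word {word!r}")
    bad = sorted(set(password) & policy["exclude_chars"])
    if bad:
        problems.append("contains prohibited characters " + " ".join(bad))
    return problems


def on_password_change(sam, password, policy=POLICY):
    """Decision taken in the DC-side filter before anything is forwarded to ILM.

    'reject' makes the AD password change itself fail, so AD and the targets
    cannot drift apart; 'skip' lets the AD change through without synchronizing.
    The plaintext password is never part of the returned audit record.
    """
    if not in_sync_scope(sam, policy):
        return {"account": sam, "action": "skip", "reasons": []}
    problems = password_violations(password, policy)
    if problems:
        return {"account": sam, "action": "reject", "reasons": problems}
    return {"account": sam, "action": "sync", "reasons": []}


if __name__ == "__main__":
    for sam, pw in [("asmith", "Tr0ub4dor&3"), ("asmith", "mySAP@2007"),
                    ("svc-backup", "Tr0ub4dor&3"), ("bjones", "short")]:
        print(on_password_change(sam, pw))
```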
EMS Ticket Translation (OCG EMTT) (diagram)
Components: F5 load balancers in front of two ISA Servers and two RSA ACE reverse proxies (IIS, 192.168.5.86 and 192.168.5.87), ADAM (LDAP) and the SAP EP servers.
Flows (steps 1 to 11 in the diagram): the client reaches the ISA servers over HTTPS; the reverse proxy authenticates the user with SecurID against RSA ACE and sets an RSA cookie; requests carrying the RSA cookie (and, once issued, the SAP cookie) are passed on over HTTP, the proxy resolves the user in ADAM over LDAP and forwards to SAP EP with the header REMOTE_USER2 set; subsequent requests carry the SAP cookie.
Demo
EMS Ticket Translation
SSO through a single logon with an RSA token (strong auth)
Ticket translation (RSA2Kerb, RSA2SAPLT) by OCG modules
ADAM integration for vendors / externals
Automatic creation of the RSA tokens
Via SAP2Kerb also forwarding from the SAP portal to OWA is possible
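The translation step at the reverse proxy (RSA cookie in, REMOTE_USER2 header out), as an added Python example written for this page; it is not OCG's EMTT module. The cookie format (base64 of user|expiry plus an HMAC-SHA256 tag under a proxy-only key), the key itself, and the dictionary standing in for the ADAM LDAP lookup are all assumptions; the SecurID exchange against RSA ACE is outside the example. The check that matters in a header-based SSO of this shape is the first line of translate: whatever REMOTE_USER2 the client sent is discarded before the proxy sets its own, and the backend must in turn only accept that header from the proxy addresses, otherwise anyone who can reach SAP EP picks their own identity.

```python
import base64
import hashlib
import hmac

# Assumed: a secret shared only by the reverse-proxy tier (constructed value)
PROXY_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed stand-in for the ADAM LDAP lookup in the diagram: RSA user -> SAP user
SAP_USER_BY_RSA = {"asmith": "ASMITH", "bjones": "BJONES"}


def issue_rsa_session(user, now, ttl=3600, key=PROXY_KEY):
    """Cookie set by the proxy after a successful SecurID logon (assumed format:
    base64(user|expiry) + '.' + HMAC-SHA256 tag)."""
    payload = f"{user}|{int(now) + ttl}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_rsa_session(cookie, now, key=PROXY_KEY):
    """Return the authenticated user, or None for a missing, forged or expired cookie."""
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:                       # covers malformed base64 as well
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    user, sep, expiry = payload.decode(errors="replace").rpartition("|")
    if not sep or not expiry.isdigit() or int(expiry) < now:
        return None
    return user


def translate(request, now):
    """Reverse-proxy step: RSA cookie -> REMOTE_USER2 header for SAP EP.

    request = {"headers": {...}, "cookies": {...}} as received from the client.
    The client-supplied REMOTE_USER2 is always dropped before the proxy adds its
    own; otherwise anyone who can reach the proxy could pick a SAP identity."""
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() != "remote_user2"}
    user = verify_rsa_session(request["cookies"].get("RSA_SESSION", ""), now)
    if user is None:
        return {"status": 401, "headers": {}, "upstream": None}   # back to SecurID logon
    sap_user = SAP_USER_BY_RSA.get(user)
    if sap_user is None:
        return {"status": 403, "headers": {}, "upstream": None}   # authenticated, unmapped
    headers["REMOTE_USER2"] = sap_user
    return {"status": 200, "headers": headers, "upstream": "SAP EP"}


if __name__ == "__main__":
    now = 1_700_000_000
    cookie = issue_rsa_session("asmith", now)
    forged = {"headers": {"Host": "portal", "REMOTE_USER2": "SAP*"}, "cookies": {}}
    print(translate(forged, now))                                        # 401
    print(translate({**forged, "cookies": {"RSA_SESSION": cookie}}, now))  # ASMITH, not SAP*
```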
EMS Logistic (diagram: ILM 2007 with ADAM, an RSA sync table, RSA ACE and the RSA token device management)
1) Import of the RSA tokens (XML file from the RSA token device management)
2) Export new tokens
3) Import of the token assignments (CSV): assigned token ID, cost centre of the token
4) Export token assignments
5) Export user + token assignment to RSA ACE
6) Import of the token status ("New PIN" mode or not)
7) Export of the token status
8) Export of all tokens that have been assigned and have a cost centre
ISA/RSA/SAP Portal Integration
Isolation of the RSA server by an ISA server in a separate segment
Flexible handling through the RSA ticket translator (simple WebSSO)
RSA authentication is the only authentication required
ILM/RSA/external shop (SAP EBP)
Universal interface for token management
* Outsourcing of token logistics to an external service provider
* Automatic import of the token assignments
Automatic user (de-)provisioning
* Role-based update of the RSA system without manual intervention
* No orphaned accounts (security)
* Immediately able to work after token delivery
Separation of RSA token supply channels possible (multi-tenancy)
e.g. for different tenants or for internal and external users
Fast mass import of users & token assignments
Batch interface: relief for administration / cost reduction
Summary technical OCG Assets
Flexible Role Management
Event Trigger for real-time sync scenarios
Graphical admin interface for ADAM (OUM)
PCNS Add Ons to support Password policies
from SAP, RACF, Unix, …
Kerberos Ticket Translations for RSA, SAP, …
Additional System Connections like Unix (ssh),
RSA ACE, SSO Systems, Telephone systems,
SAP Integration for enterprise environments
Made in Germany
IDA Project Release Phases
1. Build / (migrate) Identity Store
2. Connect primary user repositories (init load/join)
3. Integration of workflow systems
4. Reporting, logging
5. Connect additional user repositories
(diagram) Release 1: build the Identity Store, integrate the source systems, enterprise roles & permissions. Components: Web app (admin UI); central user directory (Identity Store) in AD/AM with the ADAM Management Agent; Active Directory (incl. MS Exchange) via the AD agent; query application, e.g. intranet, with users / admins authenticated in AD; MIIS with Web GUI; OCG SAP HR agent for SAP HR (4.6); OCG SAP R3 agent for SAP R/3 (4.6c); LDAP / file agent for SAP EP, web applications, the HiCom telephone system and RSA; Host / RACF agent for IBM iSeries; further MIIS Management Agents (DMS, Unsw...); workflow system (Workflow Foundation). Further expansion stages: connect further systems (SAP 4.6C, SAP BW, SAP ISU, SAP EBP, PSFT, portals, time recording).
Benefits Summary
Benefits from the 1st implementation phase
Create the Identity Store: consolidated view of all relevant user data
Single log on with password synchronization
Central reporting / auditing (who has what kind of rights/roles)
Increase the data quality in all connected systems
Lower number of help desk calls (regarding password sync + reset portal)
Automatic user provisioning: cost savings in user management!
Benefits from the 2nd implementation phase
Workflow integration: easy electronic processes in user management
Self registration scenarios
Role based rights management: easy administration through globally consolidated Enterprise Roles (Employee, Vendor, Student, ...)
No user to role assignment in the connected systems (cost savings)
Central reporting of roles
Questions and Answers
Rüdiger Berndt, Managing Director
Oxford Computer Group Deutschland
Winterlestraße 10b
85435 Erding
WWW.OXFORDCOMPUTERGROUP.DE
Identity Lifecycle Manager Roadmap (diagram; columns: User Management, Access Management, Credential Management, Policy Management)
Today: MIIS 2003 and CLM
Mid 2007: Microsoft Identity Lifecycle Manager 2007, a single product for identity synchronization, certificate & smart card management and user provisioning
2H 2008: ILM "2", builds on the '07 release; empowers information workers, provides IT control with less effort, improves operational efficiency
Omada Identity Manager
A solution for Identity Management, empowering MIIS and enabling clients to:
Manage access requests and approvals
Configure Role Based Access Control
Manage Segregation of Duties (SOD)
Maintain an audit trail on all events
(diagram: Role-Based Access Control and Identity Management Processes on top of MIIS; user -> job profiles 1 and 2 -> roles A, B, C)
Omada Key Differentiators
Elegant and highly flexible process solution
Customers can maintain and configure the Identity Management processes, roles and reporting without the need for programming
Integrated process management solution
Customers can design, document, execute and monitor the Identity Management processes in one solution
Low cost of maintenance
The solution can be deployed to support the current processes
Can grow with the customer as the business and organization change