Identity Management

Many different roles and information systems in your organisation?

A modern ICT environment consists of various systems that are, or should be, connected to each other. Different systems are often managed by different people, which may lead to data inconsistencies. Furthermore, there are many roles within the organisation, each defining what kind of information a user should be able to access.

Diversity doesn’t have to equal chaos

The Identity Management (IDM) solution brings you centralised management of user accounts. Combined with various automation tasks, it helps to rationalise your business processes. Access to resources can be granted and revoked based on different roles, customised rules and approval workflows.

Ready to tune up your business processes?

Many different kinds of users benefit from an IDM system. Employees, business management and the CISO (Chief Information Security Officer), as well as partners, save time and effort on administration that can be used for productive work instead.

Several access methods are supported to ensure that the services are also available to mobile employees. A simple, compact user interface is provided for mobile terminals and a full-featured view for the CISO.

Here are some examples of functionalities IDM is capable of:

  • Password management. Employees can use IDM's self-service functionalities, such as managing their passwords in different systems.
  • Resource requests. Employees can initiate requests for resources needed in their job, e.g. mobile phones.
  • Approval workflows. Business management can automate administrative processes, such as invoice approval.
  • Role-based user management. Employees are associated with roles according to their job functions. The roles define general user rights according to the company security policy.
  • Reporting and indicators. The CISO can evaluate security policy compliance and provide reports for auditing purposes.
  • Combining roles and rules. Rules can facilitate the application of security policies. Segregation-of-duties rules alert if a user is about to be assigned two roles that in combination violate the security policy.

Virtually any information system can be connected to the IDM solution. It can be used to manage user accounts in business applications, SaaS and operating systems as well as to control directory and physical access rights.

 

A new hire

In many organisations, user management is a resource-hungry and fault-prone task. This example illustrates how Identity Management can help these organisations.

Adding a user

John Doe has just been recruited by Company X. When the new user is added to the HR application database, an event is sent to the Identity Management System with the data of John Doe. This triggers data synchronisation with other systems, such as Active Directory, e-mail and Linux servers. The data synchronised to each system can be restricted to only the attributes that system requires. The role of Identity Management and its relation to other existing information systems is illustrated below.

Changing roles and user rights

When John Doe was hired, he entered the company as a salesperson. Later on, John moved to a position in the financial department. This meant that he needed updated access rights to various systems. By assigning John a new role in the financial department and removing his role at the sales unit, he now has only the resources needed for his new position. Because resources are bound to the relevant roles, this takes only a few clicks.

Combining roles and rules

There are some specific roles within the financial department that are not normally assigned to the same person, e.g. the role that accepts payments and the role that commits payments. Separation-of-duties rules normally prevent these assignments. However, John Doe’s position in the financial department requires him to have both of these roles. His supervisor requests an exception to grant him both roles. A workflow function routes this request to the security officer, who accepts it. The whole process is automated and fully traceable.
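The scenario above can be sketched as a separation-of-duties check with an approved-exception path and an audit trail. This is an added example, not the product's own code; the role names, account names and the rule that the approver must be a security officer other than the requester are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: role and account names are hypothetical.
SOD_RULES = [frozenset({"payment_acceptor", "payment_committer"})]
SECURITY_OFFICERS = {"ciso"}

@dataclass
class RoleStore:
    roles: dict = field(default_factory=dict)      # user -> set of role names
    exceptions: set = field(default_factory=set)   # approved (user, rule) pairs
    audit: list = field(default_factory=list)      # append-only trail

    def _log(self, event, **details):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append({"ts": stamp, "event": event, **details})

    def violated_rules(self, user, new_role):
        """Rules the assignment would break and that have no approved exception."""
        held = self.roles.get(user, set()) | {new_role}
        return [rule for rule in SOD_RULES
                if new_role in rule and rule <= held
                and (user, rule) not in self.exceptions]

    def assign(self, user, role, actor):
        broken = self.violated_rules(user, role)
        if broken:
            self._log("assign_denied", user=user, role=role, actor=actor,
                      rules=[sorted(r) for r in broken])
            return False
        self.roles.setdefault(user, set()).add(role)
        self._log("assign_ok", user=user, role=role, actor=actor)
        return True

    def approve_exception(self, user, rule, requester, approver):
        # Assumption: only a security officer other than the requester may approve.
        if approver not in SECURITY_OFFICERS or approver == requester:
            self._log("exception_rejected", user=user, requester=requester,
                      approver=approver)
            raise PermissionError("approval must come from the security officer")
        self.exceptions.add((user, frozenset(rule)))
        self._log("exception_approved", user=user, rule=sorted(rule),
                  requester=requester, approver=approver)

def run_john_doe_scenario():
    store = RoleStore()
    first = store.assign("jdoe", "payment_acceptor", actor="supervisor")
    denied = store.assign("jdoe", "payment_committer", actor="supervisor")
    store.approve_exception("jdoe", SOD_RULES[0], "supervisor", "ciso")
    granted = store.assign("jdoe", "payment_committer", actor="supervisor")
    return first, denied, granted, [e["event"] for e in store.audit]
```

The exception is scoped to one user and one rule, so it does not weaken the rule for anyone else, and both the denied attempt and the approval remain in the audit trail.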

Removing the user

After long service in the financial department, John is nominated as the financial director of a new subsidiary. This means that he should no longer have access to the resources in the Company X systems. A user removal process is initiated in the HR system and then propagated throughout all systems. His directory access rights and domain user accounts are removed entirely. However, the accounts in the email and financial systems should not be removed. The automated process propagates the removal to these systems with an account-preserving option. Convenience at every step.