With Novell Identity Manager 3.5, Novell expands on the capabilities of the award-winning Identity Management 3.0 and continues to set the standard by which identity infrastructures are defined. Organizations deploy an identity management solution for three primary reasons:
- maximize agility
- enforce security and compliance
- reduce complexity across heterogeneous systems and platforms
"Identity and access management projects are much more than technology implementations; they have real business value by reducing direct costs, improving operational efficiency and enabling regulatory compliance." (Five Business Drivers of Identity and Access Management, Robert Witty, Gartner Group.) Novell Identity Manager 3.5 delivers several new features that focus specifically on helping you achieve these three objectives. Let's explore some of the new features delivered in Identity Manager 3.5 and look at some scenarios to see how the improvements address business processes, enterprise integration, compliance and role management.
You can easily interact with the identity management system and administrators to adapt and apply policy that maps to the process of the organization. Now let's focus on two key areas of Identity Manager 3.5 and the new features in the User Application and the MetaDirectory engine.
Provisioning Services–User Application
The User Application of Identity Manager is the primary interface that allows users to manage personal information, search on and utilize identity information for others in the organization (phone numbers, e-mail addresses, managers, etc.), and request or approve access to resources. A few of the enhancements to the User Application include:
User Interface: The Organization Chart is probably the most-used feature of the User Application. With Identity Manager 3.5 you can now define and display complex relationships, such as Manager/Employee, User Groups or User Location. With this information easily accessible, you can better understand your organization's managerial hierarchy, geographical locations or matrix management/dotted-line reporting structures. If external resources need to view this data, they can with anonymous access. You can now provision users such as temporary workers or visitors who need access to applications in the enterprise, with self-service registration. (See Figure 1.)
Team Management: This provides a high degree of flexibility for requesting and approving access to resources, and it is no longer limited to the direct report relationship that is predefined in Identity Manager 3. Teams can be created that allow users to request resources through membership in the team, thus providing the flexibility to support the matrix management structure that is present in many organizations today.
Following the features of Identity Manager 3, team managers have the same ability to Manage Team Requests and Manage Team Tasks as with the traditional Direct Reports model. Additionally, the existing Delegation/Proxy/Availability in the Direct Reports model is carried over to Team Managers and Team Members.
Requests and Approvals: Several new features in the work-flow and approval-flow definitions have been added; however, probably the most sought-after feature is the Web Services enablement of the work-flow system. The new Integration Activity adds the capability to use Web Services externally to the work flow. There are several interesting uses of this capability. Suppose an employee requests a new cell phone. Part of the request includes the type of phone desired, such as a standard phone or PDA, and a coverage plan, such as number of minutes and data access.
Utilizing Web Services, the work flow can retrieve contracted phone and plan costs from the company's cell phone provider and incorporate this information in the approval process. Now when deciding whether or not to approve the request, the approver has more detail, including possible alternatives. Integration with other Web-based interfaces and portals is also available. Leveraging the Web Services interfaces of the User Application allows other portals such as SAP, WebSphere and many others to consume and pass information to the workflow and approval system within Identity Manager. For example, if a user is requesting access to a particular SAP module, the request not only can be viewed and approved through the portal, but other provisioned resources can also be incorporated providing the approver with relevant information, thus eliminating potential issues.
Enhanced flexibility for work-flow approvals: In addition to the approval options provided in Identity Manager 3.0x, new approval behavior options are also available.
- Single/Parallel—An approval request is assigned to only one approver (existing Identity Manager 3.0x behavior).
- Group—An approval request is assigned to one or more approvers (existing Identity Manager 3.0x behavior). The approvers behave as a group. All members can view the task in their work queue, but only one member acts on the task.
- Multiple—An approval request is assigned to one or more approvers. All approvers must approve the task before it is forwarded to the next step. As soon as all members approve, the request proceeds to the next step, or if one member denies, the request process ends.
- Quorum—An approval request is assigned to one or more approvers. All approvers can view and act on the task. As soon as a predetermined condition of the quorum is met, the work flow forwards to the appropriate next step. You can specify the quorum approval condition as a percentage (1–99) or as an absolute number.
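The four approval behaviours listed above, modelled as an added Python example that is not part of Novell's product or this article; the mode names, the "60%" quorum notation and the rule that a quorum step is denied once it can no longer be reached are assumptions made for the illustration.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Union


@dataclass
class ApprovalStep:
    """One approval activity; mode is single, group, multiple or quorum."""
    mode: str
    approvers: frozenset
    quorum: Optional[Union[int, str]] = None   # e.g. 2 or "60%" (quorum mode only)
    decisions: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self):
        if self.mode not in ("single", "group", "multiple", "quorum"):
            raise ValueError(f"unknown approval mode: {self.mode}")
        if self.mode == "single" and len(self.approvers) != 1:
            raise ValueError("single mode assigns the task to exactly one approver")
        if self.mode == "quorum":
            self.needed()   # validate the quorum condition up front

    def needed(self) -> int:
        """Number of approvals the quorum condition requires (1-99% or absolute)."""
        n = len(self.approvers)
        if isinstance(self.quorum, str) and self.quorum.endswith("%"):
            pct = int(self.quorum[:-1])
            if not 1 <= pct <= 99:
                raise ValueError("quorum percentage must be 1-99")
            return max(1, math.ceil(n * pct / 100))
        if isinstance(self.quorum, int) and 1 <= self.quorum <= n:
            return self.quorum
        raise ValueError("quorum must be 1-99% or an absolute count <= approvers")

    def record(self, approver: str, decision: str) -> str:
        """Record one approver's decision and return the resulting step status."""
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an approver for this task")
        if decision not in ("approve", "deny"):
            raise ValueError("decision must be 'approve' or 'deny'")
        if self.mode in ("single", "group") and self.decisions:
            # Single/group: every member sees the task, but only one member acts
            raise RuntimeError("task has already been acted on")
        self.decisions[approver] = decision
        return self.status()

    def status(self) -> str:
        """'approved', 'denied' or 'pending' according to the step's mode."""
        approvals = sum(1 for d in self.decisions.values() if d == "approve")
        denials = len(self.decisions) - approvals
        total = len(self.approvers)
        if self.mode in ("single", "group"):
            if not self.decisions:
                return "pending"
            return "approved" if approvals else "denied"
        if self.mode == "multiple":
            if denials:                      # one denial ends the request
                return "denied"
            return "approved" if approvals == total else "pending"
        # quorum: forward as soon as the condition is met. Treating the request
        # as denied once so many members have denied that the quorum can no
        # longer be reached is an assumption, not behaviour stated in the article.
        need = self.needed()
        if approvals >= need:
            return "approved"
        if denials > total - need:
            return "denied"
        return "pending"
```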
To support and comply with the Paperwork Elimination Act, digital signatures are now supported as part of the approval process.
Provisioning Metrics: Administrators can analyze and monitor process flow and team performance. Added as an administrative tool, Process Metrics allows for analysis of the work-flow system for items such as Request Decisions, Weekly Request Loads and Assignment statistics. (See Figure 2, Figure 3 and Figure 4.)
Themes and Branding: Additional customization options and themes with more branding features let you easily achieve your organization's "look and feel" Web standards. The User Application administration console now has selections to customize branding areas, including navigational display, headers, tabs and the login panel.
Provisioning Services—MetaDirectory Services
One of the most critical components of an identity management deployment is the connectivity to the disparate identity stores and a robust policy definition engine that can be easily configured to stringently maintain the integrity of identities and their attributes, yet is flexible enough to match the nuances of company policy. Since its inception, the Identity Manager MetaDirectory engine has been extremely flexible when it comes to electronically expressing business policy. With the release of Policy Builder in Identity Manager 2, defining business policies became much easier, and with Identity Manager 3.5, the following new features add to the arsenal of capabilities.
Jobs: Represented as objects in the Identity Vault, a Job allows an administrator to define just about any desired action on a scheduled basis. Jobs also have access to eDirectory data and can interact with another driver's subscriber channel. There are several built-in example Jobs, such as:
- Trigger a driver to do something periodically
- Search for passwords that will expire, and send an expiration e-mail
- Start or stop a driver on a schedule
- Generate random passwords for users in connected applications and populate the eDirectory SecretStore for use with Novell SecureLogin and/or Novell Access Manager
- Check for date-sensitive transactions such as provisioning access expiration.
As an example, the Job feature is especially useful when organizational changes occur, because there is typically a cross-training turnover period. Now, instead of automatically deprovisioning access to systems entitled by the old job based upon a change in the ERP system, an expiration date can be set for the transition period. As that expiration date approaches, the former manager, new manager and employee are notified of impending expiration in case the date needs to be extended. When the date arrives, the appropriate deprovisioning actions take place. Although similar functionality was available through utilities such as driver heartbeat, the Trigger Job makes it even easier to initiate an action in the Identity Vault.
Policy Libraries: Policies can always be shared amongst drivers, but now a more defined mechanism has been implemented. The policy library is a container in the Identity Vault used to store shared policies.
ECMAScript: This was introduced in the work-flow and approval process in Identity Manager 3.0. Now, ECMAScript is extended to the MetaDirectory engine. Administrators have the flexibility to use Policy Builder, XSLT, ECMAScript or a combination to define provisioning policies.
Policy Builder: Several new policies were added to Policy Builder, such as:
- Flow Control Actions: These actions allow advanced policy definition, such as nested if-then-else and while loops until some condition is met. Previous versions of Identity Manager's Policy Builder focused specifically on if-then scenarios. Now, an if-then-else statement or while loop can be used in lieu of several if-then policies.
- Start Work-flow Action: This allows a work-flow item to be initiated from a policy. A typical use of this new action could be demonstrated during a new-hire process. If a new hire is not a contractor, then policy states the employee is provisioned an e-mail account. If a new hire is classified as a contractor, then the responsible manager has to approve the provisioning of the contractor's e-mail account. With this new action, if employee status is equal to contractor then the Start Work-flow Action could be utilized to begin the approval process for the new contractor. Once the approval has occurred, then the provisioning of the e-mail account can be completed.
- Mapping Tables: Ever had the need to define a complex placement policy? Mapping tables greatly simplify expressing criteria. Based upon a table match, you can determine where an identity object is going to be placed in the target directory. Figure 5 shows the mapping table editor and how the table will be used to determine container placement based upon the department name. For example, if the department name is Marketing, the user's object will be placed in the Mktg\People container. (See Figure 5.)
Enforce Security and Compliance
Knowing who has access to what resources, when the access was granted, where the access came from (for example, inside or outside the firewall), and who (if applicable) approved the access are all needed components for effective security and to ensure compliance with internal/external audit and regulatory directives. With Sentinel 5.1.3, enforcing security and compliance is much less complex. Sentinel enables organizations to analyze provisioning events in real time, correlate events from multiple sources and automate the remediation and/or notification of activities that fall outside acceptable boundaries. Although historical reporting is an important aspect in the audit life cycle, relying solely on reporting can be costly in a number of ways, including the loss of confidential data and the financial implications of such a breach. The data provided in a report is only accurate up to the point when it is generated, and then only beneficial if an individual reviews the information and realizes an anomaly has occurred. Sentinel automates the entire process of data analysis, correlation and remediation/notification, eliminating the manual analysis of stale data from a report generated in the past. Let's now look at the different aspects of Sentinel integration and new audit actions made available in Identity Manager 3.5.
Sentinel 5.1.3 integrated Novell Audit event collection in the iSCALE Message Bus and logging to the historical repository. Figure 6 describes how Novell products instrumented for Novell Audit (such as eDirectory, Identity Manager, SecureLogin, Access Manager, BorderManager, Open Enterprise Server/NetWare) can collect and log events through the iSCALE Message Bus. (See Figure 6.)
- Integration of existing Identity and Access Management event framework expands the current Sentinel Collector set.
- Identity Manager enriches collected events with identity-specific business relevance.
- Bidirectional ties into the provisioning features of Identity Manager allow automatic account updates as part of remediation.
Sentinel Collectors gather information from multiple sources, as seen in the External Event Sources in Figure 6, including Identity Manager, Access Manager, eDirectory and others. The events are analyzed in the iSCALE message bus, where they can be correlated with events from other sources and displayed in an Active View real-time dashboard in the Sentinel Control Center. As activities occur and events are correlated, an iTRAC remediation can be initiated to automate the resolution or notification of the questionable actions. Of course, remediation can have both a positive and a negative aspect. For example, an employee can request access to generate Accounts Receivable invoices and, upon approval, is appropriately provisioned. This is a perfectly acceptable activity. If a rogue administrator tries to "go around" the system and grant the same employee access to pay invoices, this would be seen as a segregation of duties violation. Sentinel collects both Identity Manager events and application events, correlates the two separate activities and automates the remediation—removes the employee's access to both generate and pay invoices, immediately notifies the appropriate security individuals and, if desired, automatically disables or removes the rogue administrator's access. Relying only on historical reporting would most likely allow the violation to stay intact for a period of time, allowing inappropriate activities to occur. Once discovered, security administrators would have to expend a great deal of time on the arduous task of searching through several system logs to determine exactly what took place during the period of violation. As for positive remediation, if a user attempts to access a particular system that requires an approval before the approval process is completed, instead of displaying some form of error message to the user, the event can be analyzed in the iSCALE message bus.
The remediation activity will redirect the user to the work-flow system with a much friendlier message indicating that access requires approval and an option to initiate the process if desired.
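The segregation-of-duties correlation described above (approved grant of invoice creation, followed by an out-of-band grant of invoice payment) as an added Python example; this is illustrative code, not Sentinel's correlation engine or an iTRAC workflow, and the event fields, entitlement names, workflow ids and administrator name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed example: entitlement pairs that one person must never hold together.
TOXIC_PAIRS: Set[FrozenSet[str]] = {frozenset({"AR_INVOICE_CREATE", "AR_INVOICE_PAY"})}


@dataclass(frozen=True)
class Event:
    """One collected event, normalised to the fields the correlation needs."""
    source: str        # collector that saw it: "IdentityManager" or an application
    user: str          # identity that received the entitlement
    entitlement: str
    actor: str         # workflow id or the administrator who made the grant
    approved: bool     # True when an approval workflow authorised the grant


@dataclass
class Finding:
    user: str
    pair: FrozenSet[str]
    out_of_band: List[Event]   # grants made without an approval record


def correlate(events: List[Event]) -> List[Finding]:
    """Replay events in order; report the first time a user holds a toxic pair."""
    held: Dict[str, Dict[str, Event]] = {}
    seen: Set[Tuple[str, FrozenSet[str]]] = set()
    findings: List[Finding] = []
    for ev in events:
        held.setdefault(ev.user, {})[ev.entitlement] = ev
        for pair in TOXIC_PAIRS:
            if ev.entitlement not in pair or (ev.user, pair) in seen:
                continue
            if pair <= set(held[ev.user]):
                seen.add((ev.user, pair))
                grants = [held[ev.user][e] for e in sorted(pair)]
                findings.append(Finding(ev.user, pair, [g for g in grants if not g.approved]))
    return findings


def remediation(f: Finding) -> List[str]:
    """Actions a remediation workflow would carry out for one finding."""
    actions = [f"revoke {e} from {f.user}" for e in sorted(f.pair)]
    actions.append(f"notify security-team: SoD violation for {f.user}")
    for g in f.out_of_band:
        actions.append(f"disable administrator {g.actor} (unapproved grant via {g.source})")
    return actions


# Constructed sample events: an approved provisioning of invoice creation,
# followed by an administrator granting invoice payment directly in the ERP.
SAMPLE_EVENTS = [
    Event("IdentityManager", "jdoe", "AR_INVOICE_CREATE", "wf-1042", True),
    Event("IdentityManager", "asmith", "AR_INVOICE_PAY", "wf-1043", True),
    Event("ERP", "jdoe", "AR_INVOICE_PAY", "admin7", False),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print("\n".join(remediation(finding)))
```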
This is just a small subset of the vast benefits gained by integrating Sentinel with the Novell Identity and Access Management suite of products. The capabilities of the iSCALE Message Bus, Active View dashboards and Crystal-based reporting provide any auditor with a substantial amount of data validating that policies and regulations are being strictly followed.
Several new audit actions have been added, including SSO credential provisioning actions (See Password Management) and Attribute Reset. Attribute Reset, which enforces the integrity of identity attributes from the authoritative source, is also now captured as an audit action. Since identity attributes typically determine other provisioning activities and the inadvertent or malicious change of identity attributes can trigger an unwanted activity, Novell Identity Manager not only reverses the change with the Reset Attribute option in the Filter Policy, but now the activity can also be easily logged.
Identity Manager 3.5 not only simplifies the administration of the identity infrastructure with tools such as Designer for Identity Manager; significant focus has also been placed on one of the most cumbersome areas for the user—password management. In this section we will focus on Designer for Identity Manager, an industry-unique tool for designing, deploying and documenting Identity Manager, and on enterprise password management.
Designer for Identity Manager
Designer for Identity Manager is a significant identity management tool set. Novell alone provides an application specifically targeted to architect, deploy, document and maintain an identity management implementation. The primary focus for Designer in this release is to support the new features of Identity Manager 3.5. Previews of updates are available as release candidates on the Cool Solutions site (novell.com/coolsolutions/). Check often for updates or sign up on the Designer Cool Solutions page for automatic notification of new releases. The "What's New" link provides a detailed list of new features introduced in the latest release candidate. Updates to Designer that have been added to support new Identity Manager features include:
- Job definition and scheduling
- Mapping Tables
- Policy Libraries
Several enhancements were made to the documentation generation feature including User Application data and credential provisioning information. The ability to produce complete documentation for the identity management infrastructure is a crucial audit requirement for security and compliance. The documentation that can be automatically generated from Designer can be included as part of your organization's compliance strategy and provided to an auditor or government agency as a record of policy enforcement for identity management. The historical reporting generated from Sentinel can be supplied as evidence that provisioning policies defined in Identity Manager are being enforced. And, most important, both the Designer documentation and audit reports can be generated in a matter of minutes.
To prevent inadvertently mixing version features, you can use several checkpoints to protect yourself from applying new 3.5 features to a 3.0x installation.
Need help? Click the link on the help menu to launch the Identity Manager forums on novell.com.
Managing passwords has always been problematic at best. Each system has its own unique rules for password policy. It may or may not support secure password synchronization; you could use Web- and/or client-based applications; it may be internal to the organization or externally hosted by a service provider; and the list of issues goes on. Trying to apply a broad policy such as system-wide password synchronization has several negative implications, including reducing password strength to the least common denominator, or a single "key to the kingdom". Providing an interface to allow users to change passwords separately for each system is troublesome as well. It does not solve the issue that the end user still has to remember several different passwords. Additionally, how do you effectively handle the situation when the user cannot remember their password to the interface that lets them reset their password on each individual system? Identity Manager 3.5 addresses these and other issues by applying a holistic approach to managing passwords. It allows administrators to integrate different password management methodologies. The result is secure yet simple for the end user. The following are a few of the features that have been added:
- Credential Provisioning: Added in Identity Manager 3.0.1, this allows for a password to be created and set in the eDirectory SecretStore as part of the initial provisioning process or routine account maintenance. Both Novell SecureLogin (client-based single sign-on) and Novell Access Manager (one feature of Access Manager being Web-based SSO) can utilize passwords or "secrets" stored in the SecretStore to provide a single sign-on experience for the user. For example, when a user is provisioned to RACF, the password can be generated as part of the process and stored in the SecretStore. When the user accesses the mainframe from the terminal emulator on the desktop, SecureLogin can utilize the password stored in the SecretStore and automatically forward it to RACF. The user does not even have to know the password for RACF. Novell Access Manager can also utilize the SecretStore for Web-based applications. The user authenticates to the Directory via Access Manager, accesses the application (from the Web or via SSL VPN) and has the same single sign-on experience. Because the user has authenticated to the Directory, SecureLogin and Access Manager can access application passwords stored in the SecretStore and provide single sign-on to any application. Concerned about a single password "key to the kingdom"? Biometric, certificate, token or other types of authentication methods can be deployed with Novell Modular Authentication Services.
- Workstation client-based password reset: The challenge in implementing forgotten password support is how does a user get to a browser if they can't remember their Active Directory or eDirectory password? Workstation client-based password reset integrates with the Microsoft or Novell Client giving the user the option of launching a restricted browser directly from the login screen. The browser is automatically directed to the forgotten password Web page where the user can reset their password or be provided with a password hint after answering a series of challenge/response questions. After successful reset, the user is returned to the login screen and can then successfully authenticate.
- Visual Representation of password changes: The user can check the status of password changes, and if the change has been processed successfully. Figure 7 is an example of how a user, help desk personnel or administrator can easily verify the status of password synchronization. (See Figure 7.)
Identity Manager 3.5 delivers on the business drivers that face organizations as they respond to ever-changing market demands, government regulations and the complexities that result from constantly shifting organizational structures. Novell can certainly deliver a solid identity foundation with Identity Manager, Access Manager, SecureLogin and Sentinel. And, with identity as a cornerstone in the ZENworks Suite and Workgroup products such as Novell Storage Manager, you can easily extend the benefits to other aspects of your organization. The ability to provision a new user, manage passwords, update Web-based access, deliver a customized desktop, allocate personal network storage and grant access to appropriate file shares is just a small sampling of the overall capabilities of an identity foundation powered by Novell Identity Manager.