FuseLogic ReadyToUse IDM: OIM implemented quickly
FuseLogic 2016
OGH, 16 February 2015
Starting points
- Best of both worlds: the very extensive IAM functionality of Oracle, and fast results
- Best practices
- Emphasis on ease of use and business value
- Low-risk go-live
- Fast results
- Future-proof through standard use of Oracle IAM
- Think big, start small
Solution basis: basic elements
- Pre-configured Oracle IDM
- Support for multiple employment relationships
- Joiner, mover and leaver processes, efficiently linked to the HR processes through integration based on best practices
- Support for grace periods and start and end dates
- Provisioning of identities to connected applications
- Self-service functionality for employees to request authorizations themselves
- Easy authorization requests through self service, based on department, job function or a comparable colleague
- Two-step approval process for self-service authorization requests: by the manager and by a freely administered third party
What was the goal
- Support the basic functions in a way that, as far as possible, requires only configuration in the Self Service part of OIM
- Pre-configure the remaining OIM components. That is: within the possibilities OIM offers for this, add or configure technical components
- So that the basic identity life-cycle processes (joiner, mover, leaver) are supported with automatic granting, revoking or making available of rights
- With an understanding of the reality of the business processes this is needed for (multiple identities, activities and organizational relationships)
Oracle IDM: overview of the IDM system (diagram)
- Identity sources (HR process) -> identity integration
- Data objects: user, role, organization
- Identity life-cycle & access automation: event handling, revalidation
- Request processes: catalog configuration, validation workflows, grace period, fulfilment process, rules
- Access objects: access policies
- Provisioning -> on-premise apps
- Intelligence & governance: reports, attestation process
- IDM system configuration: directory, request roles, notification, authentication configuration, system configuration, organization structure
Legend: some elements require advanced system configuration or coding by someone with in-depth system knowledge; others can be configured by a system administrator and require only basic system knowledge.
Ready to Use Oracle IDM: the same overview with the Ready to Use layer (diagram)
- Identity sources (HR process) -> identity integration
- Data objects: user, role, organization
- Identity life-cycle & access automation: event handling, revalidation
- Request processes: catalog configuration, validation workflows, grace period, fulfilment process, rules, workflow configuration, directory
- Access objects: access policy, request roles
- Provisioning -> on-premise apps and cloud apps
- Intelligence & governance: reports, attestation process
- IDM system configuration (system admin): notification, authentication configuration, system configuration, reporting configuration, organization structure
Legend: elements that require advanced system configuration or coding by someone with in-depth system knowledge; elements configured by a system administrator with only basic system knowledge; elements pre-configured as part of the Ready to Use IDM.
How this was realized
- Worked from a generic use case
- The right balance between standard identity life-cycle support (IDU: joiner, mover, leaver) and the ability to adapt it, through (frontend) configuration, to customer-specific wishes
- Technical add-ons to the OIM product
- A plan to implement it
The generic IAM use case (diagram)
Function domains: an HR process, or another process that follows a life cycle for the identity's relation with the organization -> Identity & Access Management -> applications & directories
IAM functions: access automation, access request workflows, access validation workflows, attestation workflows, user credentials management, reporting, etcetera
Life-cycle events (join, move, leave) as the reason for access:
- Joins department ABC, starts working in a job role (multiple departments and job roles supported), from (date): provide access to the applications used by department ABC, automatically or by request
- Automatic grant: access on; requestable access: validation workflow; then account and entitlement provisioning
- To (date): revoke access on; grace period; de-provisioning
The OIM pre-configuration mapped onto the generic use case (diagram)
Function domains: an HR process, or another process that follows a life cycle for the identity's relation with the organization -> Identity & Access Management -> applications & directories
IAM functions: access automation, access request workflows, access validation workflows, attestation workflows, user credentials management, reporting, etcetera
Life-cycle events (join, move, leave) as the reason for access:
- Joins department ABC, starts working in a job role (multiple departments and job roles supported), from (date): provide access to the applications used by department ABC, automatically or by request
- Automatic grant: access on; requestable access: approval workflow; then account and entitlement provisioning
- To (date): revoke access on; grace period; de-provisioning
What is pre-configured:
- Standard interface to the user profile and resource objects to store multiple relations of the identity to the organization
- Added logic to handle future-dated events
- Configurable rules for role and dynamic organization memberships
- Standard approval workflow for approval by the manager, by members of an approver group, or both; configurable on the role (not as a workflow)
- Configurable delayed revocation of the role membership; configurable on the role (not as a workflow)
- Future: standard provisioning to cloud applications
DEMO
The implementation of the FuseLogic ReadyToUse IDM follows a step-by-step implementation guide that derives the required technical configuration from a view of the business process. The demo shows an example of this: the banking use case.
Pre-configured functions (diagram): identity source systems -> integration -> grant/revoke access automation and access approval workflows -> integration -> provisioned target applications & directories. Each of these functions has its own implementation-specific configuration.
DEMO: example of an implementation step (join, move, leave)
1. Why? What is the reason to grant a person access?
   - Because of the department he/she is in
   - Because of the function he/she has
   - A reason that is not related to the process of the source system
2. Define the base role for that reason
3. How is this reason represented in the process of the source system?
4. Configure the organization structure (departments: Dept. x, Dept. y, Dept. z; functions: Func. A, Func. B, Func. C)
5. Configure the source system interface
DEMO: example configuration
For the demo use case there are two reasons to grant rights to an employee:
- Job role: cashier, mortgage adviser
- Department: Private Banking, Corporate Banking
The organization structure is set up accordingly.
DEMO: example role composition
Determine which role configuration is really needed:
- Why? The reason for access is having Job-Role A
- What? (policies) Which access rights are required or allowed for Job-Role A?
- How? How are the access rights granted to the person? Is approval required? Delayed revocation (grace period)?

Role configuration (the base role covers the rights every person in Job-Role A gets automatically):

| Access right                    | How granted          | Approval required                   | Delayed revocation | Role                                 |
|---------------------------------|----------------------|-------------------------------------|--------------------|--------------------------------------|
| Application X read access       | Automatically        | -                                   | -                  | Base role for people in Job-Role A   |
| Application X write access      | Self-service request | By manager                          | -                  | Role for Appl-X access               |
| Application Y standard access   | Automatically        | -                                   | -                  | Base role for people in Job-Role A   |
| Application Y privileged access | Self-service request | By manager and by approver group Y  | -                  | Role for Appl-Y privileged access    |
| Application Z access type 1     | Automatically        | By manager                          | -                  | Role for Appl-Z (suggest & approve)  |
| Application Z access type 2     | Self-service request | No approval required                | -                  | Role for Appl-Z                      |
| Application Z read-only access  | Automatically        | -                                   | 30 days            | Role for Appl-Z (delayed revocation) |
DEMO: example role composition for the banking use case

| Role                             | Available for           | Auto | Grace   | Manager approval | Extra approval           |
|----------------------------------|-------------------------|------|---------|------------------|--------------------------|
| Cashier Authorization            | Job role: Cashier       | yes  | -       | -                | -                        |
| Private Banking Authorization    | Dept: Private Banking   | yes  | 10 days | -                | -                        |
| Private Banking additional Auth. | Dept: Private Banking   | no   | 10 days | no               | no                       |
| Mortgage Base Auth.              | Job role: Mortgage Adv. | yes  | 10 days | -                | -                        |
| Mortgage Approver                | Job role: Mortgage Adv. | no   | -       | yes              | High-risk approver group |
| Corporate Banking Auth.          | Dept: Corp. Banking     | yes  | -       | -                | -                        |
DEMO use case: Brodie Harlow (diagram)
Legend: auto-assigned authorization; self-service authorization available on request.
The HR process starts the identity life cycle:
- New employee: identity created with function = Cashier and department = Private Banking. ROLE 1 Cashier Authorization is auto-assigned; ROLE 2 Private Banking Authorization is auto-assigned (grace 10 days); ROLE 3 Private Banking additional Auth. becomes available through self service (grace 10 days). Sheila Mercer (Private Banking account manager, retail) is the manager.
- Additional job role: function = Mortgage Adv. ROLE 4 Mortgage Base Auth. is auto-assigned (grace 10 days). ROLE 5 Mortgage Approver is requestable through self service and carries a high-risk validation process: approver 1 = manager, approver 2 = high-risk approver group. Brodie requests the role, Sheila approves, a member of the high-risk approver group claims the task and rejects.
- Department change: leaves Private Banking, joins Corporate Banking. ROLE 6 Corporate Banking Auth. is auto-assigned; the Private Banking roles fall under their 10-day grace period.
- Leaves company: exit on 1-1-17.
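The three mechanisms the deck combines on this slide (automatic grant when a department or job-role rule matches, delayed revocation with a grace period once the rule stops matching, and an ordered approval chain for self-service requests) are easier to check against a concrete trace. The following Python model is an added illustration, not OIM's API and not FuseLogic's add-on code: the role table is transcribed from the previous slide, but the `Identity`, `reconcile` and `request` logic, the event dates other than the 1-1-17 exit, and the assumption that a rule matching again within the grace period cancels the pending revocation are all constructed here.

```python
# Added illustration, not OIM's API or FuseLogic's add-on code: a constructed
# model of "auto grant on rule match, delayed revocation with a grace period,
# ordered approval chain on self-service request". Role table is from the slide.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Role:
    name: str
    rule: tuple            # membership rule: ("dept", "...") or ("job", "...")
    auto: bool             # True: granted automatically when the rule matches
    grace_days: int = 0    # delayed revocation after the rule stops matching
    approvers: tuple = ()  # ordered approval chain for self-service requests


ROLES = {r.name: r for r in (
    Role("Cashier Authorization", ("job", "Cashier"), auto=True),
    Role("Private Banking Authorization", ("dept", "Private Banking"), auto=True, grace_days=10),
    Role("Private Banking additional Auth.", ("dept", "Private Banking"), auto=False, grace_days=10),
    Role("Mortgage Base Auth.", ("job", "Mortgage Adv."), auto=True, grace_days=10),
    Role("Mortgage Approver", ("job", "Mortgage Adv."), auto=False,
         approvers=("manager", "high-risk approver group")),
    Role("Corporate Banking Auth.", ("dept", "Corp. Banking"), auto=True),
)}


@dataclass
class Identity:
    name: str
    depts: set = field(default_factory=set)  # several relations at once are allowed
    jobs: set = field(default_factory=set)
    memberships: dict = field(default_factory=dict)  # role -> None (active) or revoke date

    def matches(self, role):
        kind, value = role.rule
        return value in (self.depts if kind == "dept" else self.jobs)


def reconcile(ident, today):
    """Apply the membership rules as of `today`; returns (granted, scheduled, revoked)."""
    granted, scheduled, revoked = [], [], []
    for role in ROLES.values():
        held = role.name in ident.memberships
        if ident.matches(role):
            if held and ident.memberships[role.name] is not None:
                ident.memberships[role.name] = None  # assumption: back within grace cancels revocation
            elif not held and role.auto:
                ident.memberships[role.name] = None
                granted.append(role.name)
        elif held:
            due = ident.memberships[role.name]
            if due is None:  # the rule just stopped matching: start the grace period
                due = today + timedelta(days=role.grace_days)
                ident.memberships[role.name] = due
                if role.grace_days:
                    scheduled.append((role.name, due))
            if due <= today:  # no grace period, or it has elapsed
                del ident.memberships[role.name]
                revoked.append(role.name)
    return granted, scheduled, revoked


def request(ident, role_name, decisions):
    """Self-service request; `decisions` maps approver -> bool, first missing or negative decision rejects."""
    role = ROLES[role_name]
    if role.auto or not ident.matches(role):
        return "not requestable"
    for approver in role.approvers:
        if not decisions.get(approver, False):
            return f"rejected by {approver}"
    ident.memberships[role_name] = None
    return "granted"


def demo():
    """Brodie Harlow's life cycle from the slide; returns the event trace."""
    brodie = Identity("Brodie Harlow", depts={"Private Banking"}, jobs={"Cashier"})
    day = date(2016, 9, 1)  # constructed; only the 1-1-17 exit date is on the slide
    trace = [("join", reconcile(brodie, day))]
    brodie.jobs.add("Mortgage Adv.")
    trace.append(("extra job role", reconcile(brodie, day)))
    # Sheila (manager) approves, a member of the high-risk approver group rejects.
    trace.append(("request Mortgage Approver", request(
        brodie, "Mortgage Approver", {"manager": True, "high-risk approver group": False})))
    trace.append(("request PB additional", request(brodie, "Private Banking additional Auth.", {})))
    brodie.depts = {"Corp. Banking"}
    day = date(2016, 10, 1)
    trace.append(("move", reconcile(brodie, day)))
    trace.append(("move + 10 days", reconcile(brodie, day + timedelta(days=10))))
    brodie.depts, brodie.jobs = set(), set()
    day = date(2017, 1, 1)
    trace.append(("exit", reconcile(brodie, day)))
    trace.append(("exit + 10 days", reconcile(brodie, day + timedelta(days=10))))
    return trace


if __name__ == "__main__":
    for event, result in demo():
        print(f"{event:>26}: {result}")
```

Running `demo()` shows the points that matter for a review: the Private Banking roles are not removed on the day of the department change but ten days later, the rejection by the second approver blocks the Mortgage Approver role even though the manager approved, and on exit the roles without a grace period go immediately while Mortgage Base Auth. lingers for ten days. That last line is the one to check against the customer's leaver policy before taking a per-role grace period into production.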
Thank you for participating