
Page 1: Identity Management

Artur Kacała, Teta

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Page 2: Agenda

• HP OpenView functional areas
• Identity management: introduction
  − HP OV Select Access
  − HP OV Select Identity
  − HP OV Select Federation

Page 3: HP OpenView functional areas

Page 4: The HP OpenView approach to management

Three fundamental areas of IT management:

• Optimize: infrastructure optimization; keep IT running continuously
• Automate: IT process automation; adapt to change
• Align: alignment with the business; demonstrate the value of IT

Page 5: HP OpenView: enterprise IT management

To succeed in today's IT world, the IT team must address all three complementary directions of change, each with its own maturity scale: alignment with the business, infrastructure optimization and IT process automation.

Page 6: HP OpenView: a complete solution

• Align (alignment with the business): regulatory compliance, analysis and reporting; quality of business services
• Optimize (infrastructure optimization): end-to-end application management; consolidated event and performance management; network, server and storage management
• Automate (IT process automation): identity management; configuration management; asset management; consolidated Service Desk

Page 7: HP OpenView portfolio

[Figure: product map arranged by focus (IT operations, IT process, business/external) and by maturity (point tools, consolidated/integrated, service perspective). Products shown: Network Node Manager (with sub-modules), Service Desk (with sub-modules), Service Center (with sub-modules), Configuration Manager (with sub-modules), Performance Manager, Performance Insight, Operations, SOA Manager, Application Smart Plug-Ins, OS Smart Plug-Ins, Select Identity, Select Access, Select Federation, Select Audit, System Insight Manager/Essentials Suite, Service Navigator, Transaction Analyzer, Internet Services, Dashboard Business Process Insight, Compliance Manager, Service Level Manager, Reporter, Glance Plus, Service Desk Process Insight, Asset Center (with sub-modules), Dashboard Operations View, Decision Center, CMDB.]

Page 8: The HP OpenView Identity Management suite

Select Audit (audit and reporting, regulatory compliance)
• Standalone audit server
• Audit process modeling
• Attestation
• Tamper resistance
• Reports/alerts
• Segregation of duties

Select Identity (accounts and policies: registration, propagation, maintenance, termination)
• User life-cycle management
• Provisioning workflow
• Approvals tracking
• Password management
• Self service
• Delegated administration

Select Access (web and web services authorization, single sign-on)
• Policy-based access control
• Web single sign-on
• Authentication
• Web services security and access
• Privacy management
• Personalization

Select Federation (account linking, cross-domain SSO, trusted partnerships)
• Open-protocol federation with SAML and Liberty
• Cross-site single sign-on
• Automated account creation
• Opt-in privacy consent
• User activity auditing

Page 9: Where OpenView IdM fits in an Adaptive Enterprise

[Figure: Select Identity provisions IDs and accounts into the enterprise directory, desktop applications, operating systems (Windows, Unix, NonStop), email, databases and directories, HR and finance systems (PeopleSoft database, SAP database), the expenses system, physical access and other non-IT resources, and local stores. Select Access controls employee access to R&D apps, employee purchase, MSSQL, SharePoint collaboration, online eLearning, support bug tools and sales tools/CRM, via Citrix MPM, the employee portal and the consumer portal. Select Federation links partner IDs and accounts: partner providers, supplier sites, the partner repository, the partner portal and outsourced services such as retirement.co.uk.]

Page 10: Identity management

Page 11: Introduction

Page 12: Why manage identity?

• Security
  − At best only about 62% of a user's access is removed upon termination (Meta). Orphan accounts compound an organization's risk of a security breach by 23x.
  − 81% of security breaches come from disgruntled employees (Computer Security, Issues, & Trends).
  − Insider security lapses cost $250K per incident (FBI/CSI Computer Crime and Security Survey).
• Audit/regulatory compliance
  − Only 50% of companies attempt to audit rights on a regular basis.
  − Up to 60% of access profiles are no longer valid; in high-turnover industries this can be as high as 80% (IDC).
  − Regulatory issues are raising the stakes on audit.

Page 13: Legal regulations

Regulations (incomplete list …) and an example of a regulatory compliance process. [Figure content not reproduced in the transcript.]

Page 14: Why manage identity?

• Efficiency and productivity
  − 15-25% of access and provisioning activities need to be redone due to paper and manual processing errors across the identity lifecycle (Intl Security Forum Report).
  − 27% of companies take longer than 5 days to grant or remove access rights (Intl Security Forum Report).
• Cost reductions
  − 40-60% of helpdesk workload deals with password management (Meta and Intl Security Forum Report).
  − 45% of help desk calls are password related; deploying identity management reduces help desk call volumes by 33% and increases overall security by 32% (Meta).
  − A company with 12 applications can save 3.5MM in 3 years and see a 295% ROI (14,000 hours in user management and 6,600 hours at the help desk) (Gartner 2003).

Page 15: Business benefits

• Regulatory compliance
• Cost reduction and revenue enhancement
• User self-sufficiency
• IT efficiency
• Increased security
• User experience and productivity

Page 16: HP OpenView Identity Management

[Figure: the three products sit between the user populations (IT admin, employees, mobile employees, partners, customers, outsourced admin) and the managed resources: services (web services, client/server), directories (meta-directories, virtual directories), applications (messaging, databases, CRM, ERP, custom), web (web servers, portal, Java app, custom) and non-digital resources (facilities, equipment, entry control).]

• Select Access: access control (single sign-on, authorization); external user provisioning (self enrollment, self management, delegated admin)
• Select Federation: ID federation (account linking, attribute exchange, session management; Liberty, SAML, WS)
• Select Identity: provisioning and synchronization (password reset, workflow, user management)
• HP C&I: business process consulting, technical deployment

Page 17: HP OpenView Identity Management

Access management (authentication, authorization, single sign-on, delegation, secure audit, federation): Select Access
• Policy administration; N-tier delegation of approvals; Liberty and SAML federation; tamper-resistant event audit; web services security

Identity management (internal/external users, self service, workflow, robust provisioning, modifications/terminations, delegation, password management, secure segmented audit): Select Identity
• Contextual identity management; N-tier delegation of business process; secure segmented process auditing; 100% web based, 100% J2EE

Identity federation (cross-site SSO, privilege management): Select Federation
• Liberty Alliance 1.1 and 1.2; SAML 1.0 and 1.1

Page 18: Example: a new employee

[Figure: the same product-and-resource diagram as Page 16.]

1. New employee entered in the HR system.
2. Select Identity detects the change in the HR system, determines the context and triggers the workflow(s).
3. The first stage of the workflow may involve getting the manager's approval or having special entitlements added.
4. The next stage of the workflow may be the provisioning of various resource entitlements.
5. Select Access automatically picks up the access entitlements and enforces them.
6. Select Federation provides seamless access to the enterprise's outsourced services (e.g. travel, 401K).
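The six steps above, as an added example that is not HP's code or Select Identity's data model: an HR snapshot diff drives a hire/leaver workflow with a manager-approval stage gating sensitive entitlements and a termination path that removes every entitlement (the orphan-account problem from Page 12). Department names, entitlement identifiers, user IDs and the approval rule are constructed sample data.

```python
# Added example (not HP's code): the six-step new-hire flow as a small
# HR-driven provisioning workflow. Departments, entitlements, user IDs and
# the approval rule are constructed sample data, not Select Identity's model.
from dataclasses import dataclass, field

# Constructed sample: the entitlements each department's service grants a new hire.
SERVICE_ENTITLEMENTS = {
    "engineering": {"ad:account", "email:mailbox", "bugtools:developer"},
    "finance": {"ad:account", "email:mailbox", "sap:ap-clerk"},
}
# Constructed rule: these entitlements are only provisioned after manager approval.
NEEDS_APPROVAL = {"sap:ap-clerk", "bugtools:developer"}


@dataclass
class Request:
    user: str
    manager: str
    entitlements: set
    approved: bool = False
    log: list = field(default_factory=list)


def detect_changes(old_hr: dict, new_hr: dict):
    """Step 2: diff two HR snapshots and yield (event, uid, record)."""
    for uid, rec in new_hr.items():
        if uid not in old_hr:
            yield "hire", uid, rec
        elif rec["status"] == "terminated" and old_hr[uid]["status"] != "terminated":
            yield "terminate", uid, rec


def build_request(uid: str, rec: dict) -> Request:
    """Step 2 (context): the department selects the service, hence the entitlements."""
    return Request(user=uid, manager=rec["manager"],
                   entitlements=set(SERVICE_ENTITLEMENTS[rec["dept"]]))


def approval_stage(req: Request, approver: str, decision: bool) -> Request:
    """Step 3: only the manager of record in HR can approve; anyone else is ignored."""
    if approver != req.manager:
        req.log.append(f"approval by {approver} ignored: not manager of record")
        return req
    req.approved = decision
    req.log.append(f"{approver} {'approved' if decision else 'denied'} {req.user}")
    return req


def provisioning_stage(req: Request, accounts: dict) -> set:
    """Step 4: create the entitlements on the targets; gated ones wait for approval."""
    granted = set()
    for ent in sorted(req.entitlements):
        if ent in NEEDS_APPROVAL and not req.approved:
            req.log.append(f"{ent} held: approval pending")
            continue
        accounts.setdefault(req.user, set()).add(ent)
        granted.add(ent)
    return granted


def terminate(uid: str, accounts: dict) -> set:
    """Leaver handling: drop every entitlement so no orphan account remains."""
    return accounts.pop(uid, set())


def run(old_hr: dict, new_hr: dict, accounts: dict, approvals: dict) -> dict:
    """Process every HR change; returns the resulting user -> entitlements map.

    approvals maps a new uid to (approver, decision) as recorded by the workflow UI.
    """
    for event, uid, rec in detect_changes(old_hr, new_hr):
        if event == "hire":
            req = build_request(uid, rec)
            if uid in approvals:
                approval_stage(req, *approvals[uid])
            provisioning_stage(req, accounts)
        else:
            terminate(uid, accounts)
    return accounts


# Constructed sample snapshots: u100 leaves, u101 and u102 join.
OLD_HR = {"u100": {"dept": "finance", "manager": "m1", "status": "active"}}
NEW_HR = {
    "u100": {"dept": "finance", "manager": "m1", "status": "terminated"},
    "u101": {"dept": "engineering", "manager": "m2", "status": "active"},
    "u102": {"dept": "finance", "manager": "m1", "status": "active"},
}
# m9 is not u102's manager, so that approval must not count.
APPROVALS = {"u101": ("m2", True), "u102": ("m9", True)}

if __name__ == "__main__":
    accounts = {"u100": {"ad:account", "email:mailbox", "sap:ap-clerk"}}
    for user, ents in sorted(run(OLD_HR, NEW_HR, accounts, APPROVALS).items()):
        print(user, sorted(ents))
```

The point worth checking in any real deployment is the one u102 exercises: the approval stage takes the manager of record from the HR feed, not from the request, so an approval submitted by someone else is logged and ignored rather than provisioning the gated entitlement.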

Page 19: Select Identity

Page 20: Roles and users

Common role-based approach (identities, groups, roles, resources):
– Create roles
– Link resources and entitlements to roles
– Link identities (users) into groups
– Link groups into roles
– The solution may offer hierarchical roles, allowing for inherited entitlements
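The model just listed, as an added example (not HP's code): users are linked into groups, groups into roles, roles carry entitlements on resources, and a role inherits its parents' entitlements. It also shows two things the suite's audit side (Page 8) needs from such a model: a segregation-of-duties check and a reverse lookup of who holds an entitlement. All roles, groups, users, entitlements and the SoD rule are constructed sample data.

```python
# Added example (not HP's code): the identities -> groups -> roles -> resources
# model, with hierarchical roles inheriting their parents' entitlements.
# Every role, group, user and entitlement here is constructed sample data.
from collections import deque

# role -> entitlements (resource, privilege) granted directly to that role
ROLE_ENTITLEMENTS = {
    "employee": {("email", "mailbox"), ("intranet", "read")},
    "engineer": {("bugtools", "developer"), ("sharepoint", "rnd-site")},
    "eng-lead": {("bugtools", "triage")},
    "ap-clerk": {("sap", "ap-clerk")},
    "ap-approver": {("sap", "ap-approver")},
}
# child role -> parent roles whose entitlements it inherits
ROLE_PARENTS = {
    "engineer": {"employee"},
    "eng-lead": {"engineer"},
    "ap-clerk": {"employee"},
    "ap-approver": {"employee"},
}
GROUP_ROLES = {
    "rnd-staff": {"engineer"},
    "rnd-leads": {"eng-lead"},
    "acct": {"ap-clerk"},
    "acct-approvers": {"ap-approver"},
}
USER_GROUPS = {
    "alice": {"rnd-leads"},
    "bob": {"rnd-staff", "acct"},
    "carol": set(),
    "dave": {"acct", "acct-approvers"},
}
# Segregation-of-duties rule (constructed): nobody may both enter and approve payables.
SOD_RULES = [(("sap", "ap-clerk"), ("sap", "ap-approver"))]


def expand_roles(roles) -> set:
    """Return the roles plus every ancestor, breadth-first and cycle-safe."""
    seen, queue = set(), deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_PARENTS.get(role, ()))
    return seen


def direct_roles(user: str) -> set:
    """Roles a user holds through group membership only (no inheritance)."""
    roles = set()
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def effective_entitlements(user: str) -> set:
    """What the user can actually do once role inheritance is applied."""
    ents = set()
    for role in expand_roles(direct_roles(user)):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(user: str) -> list:
    """Rules for which the user holds both conflicting entitlements."""
    ents = effective_entitlements(user)
    return [rule for rule in SOD_RULES if rule[0] in ents and rule[1] in ents]


def holders(entitlement) -> set:
    """Reverse lookup for access reviews: who currently holds this entitlement."""
    return {u for u in USER_GROUPS if entitlement in effective_entitlements(u)}


if __name__ == "__main__":
    for user in sorted(USER_GROUPS):
        print(user, sorted(effective_entitlements(user)), sod_violations(user))
    print("sap/ap-clerk holders:", sorted(holders(("sap", "ap-clerk"))))
```

Reviews and SoD checks must run over the effective set, not the directly assigned roles: dave's conflict only appears once both groups are resolved, and alice's developer rights only appear through inheritance.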

Page 21: Each system configured separately

[Figure: an order-and-fulfillment process (order entry, warehouse, shipping, accounting) spanning order management, fulfillment, inventory, logistics, accounts receivable and general ledger systems, each administered on its own.]

• A resource-centric organization introduces inefficiencies
• Roles are tightly coupled to resources
• Auditing is difficult

Page 22: HP OpenView Select Identity

Select Identity's Contextual Identity Management (CIM) is a new paradigm for identity management that eliminates the complexity associated with managing IdM business processes.

Page 23: HP OpenView Select Identity

[Figure: the same order-and-fulfillment process, now fronted by a single "Order & Fulfillment" IdM service and its business relationships.]

At the O&F process level, integrate: provisioning, approval workflow, delegation, notifications, forms, policies.

Page 24: HP OpenView Select Identity

• Select Identity services are reusable objects that can be built quickly and combined into composite services
• Each service can be owned and managed independently
• Each service owner can define what other service owners are allowed to use in their composite services
• Services can thus be hierarchical as well

[Figure: Service A and Service B composed into a composite service over shared resources, offered to groups through a business relationship.]

Page 25: HP OpenView Select Identity

Identities are also handled differently:
− Each service can be offered to a unique hierarchy
− Remember that services incorporate all the options for workflows, forms, policies and notifications
− Delegation is implicit throughout the hierarchy, using business relationships

[Figure: a service offered down an organizational hierarchy: Corporate; Europe, Asia, USA, Americas; USA East, USA Central, USA West, Canada, Latin America.]

Page 26: HP OpenView Select Identity

[Figure: resources (Enterprise App A, Inventory, Enterprise App B, Billing, Documentation, Purchasing) wrapped by one IdM service and extended through business relationships (BR) to the IT manager, agency manager, HR manager, accounting, communications officer, compliance manager and project manager.]

• IdM service: defines the superset of all identity functions necessary to manage identity for a business process
• Business relationship: extends a subset of the service along business lines
• Identity service object: identity relationships are inherited rather than hard coded; no rule coding
• All identity management maintenance is done in one place: a large reduction in management overhead
• At each delegation level there is a subset of services but complete management of identities: full empowerment

Page 27: Comparison

Total cost of ownership comparison, Select Identity vs. RBAC solutions (relative man-hour effort/cost per activity, Select Identity = 1x):

Activity | RBAC approach | Select Identity
Change management events | 3.5x | 1x
Delegated administration | 3.5x | 1x
Delegated reporting | 3x | 1x
Resources/entitlements | 5x | 1x
Workflow (registration/provisioning/approval) | 4x | 1x

Page 28: HP OpenView Select Identity

• Centralized management of the identity lifecycle
• Registration: self, delegated and HR driven
• Robust, tightly integrated, multi-stage, multi-step workflow
• User self-service: profile, password management and synchronization
• Robust provisioning of accounts, resources and entitlements
• Account terminations and modifications
• Segmented auditing and reporting
• N-tier delegated authority
• 100% web based to meet the demands of security and contingency
• 100% J2EE for maximum scalability, reliability and performance; JCA agentless connectors

Page 29: Agenda: architecture

Pages 30-32: HP OpenView Select Identity: solution architecture [diagrams only; not reproduced in the transcript]

Pages 33-35: HP OpenView Select Identity: example: changing an email address [screenshots only]

Pages 36-39: HP OpenView Select Identity: example: changing a password [screenshots only]

Page 40: A case study: Depository Trust and Clearing Corporation

"HP OpenView's Contextual Identity Management approach went beyond the traditional roles and rules to provide a unique and flexible way to address DTCC's complex extended-enterprise requirements."

Stephen Cooper, Senior Manager, Accenture

Page 41: Depository Trust & Clearing Corporation

DTCC is the world's largest post-trade financial services infrastructure. Within the customer's clearance business:
• 9.59 million: average daily number of transactions
• $244 billion: average daily value of transactions
• 30+ customer-facing services
• Each service has 3+ resources
• 5,000+ customer organizations, each with up to 1,000 users
• Resources administered by 8 business units using 20 different admin tools
• Multiple tiers of business relationships (up to 5 deep)

Page 42: DTCC results

Area | Activity | Before Select Identity | After Select Identity
Customer satisfaction | User set-up | 7-10 days | Real-time to 24 hrs
Customer satisfaction | Password reset | 2 days | Immediate and self service
Operational issues | Account termination | 7-10 days | Real-time to 1-click
Operational issues | Scalability | Limited user management capacity | Capacity meets or exceeds requirements
Business efficiency | Audit timeframes | 2+ weeks | Real-time
Business efficiency | Introduction of new business services | Frequent delays | Reduced time to market

Page 43: Select Access

Page 44: No consistent solution

[Figure: corporate web sites and applications (pension plan, HR, asset management, sales forecast, competitive analysis), intranet (ask the expert, knowledge base), customer service (order accessories, product updates, schedule service), eCommerce (virtual storefront, product catalogs, auctions, configurators, pricing, negotiation, reverse auction, decision optimization, catalog management, contract management), supply chain (inventory, pricing, sales forecasting, pipeline reporting, quoting) and channel management, each guarded by its own server-based access control list. Partners, suppliers, customers, employees and end users sign on to each resource with a PIN/password; business managers send user-account add/delete/modify requests to IT, which administers the access control lists.]

Page 45: A consistent approach to identity management

[Figure: the same web sites and applications (corporate, intranet, customer service, eCommerce, supply chain and channel management apps) on web servers and application servers: the web-enabled business. Users (partners, suppliers, customers, employees) and business managers reach them through HP OpenView Select Access.]

Select Access governs and manages access, roles, privileges and access policy.

Page 46: Example #1: data access

Table T1 with PII data:

uid | Name | Condition | Diagnosis
1 | Alice | Alcoholism | Cirrhosis
2 | Rob | Drug addicted | HIV
3 | Julie | Contagious illness | Hepatitis

Enterprise privacy policies/guidelines:

If role == "empl." and intent == "Marketing" then allow access (T1.Condition, T1.Diagnosis)
Else if intent == "Research" then allow access (T1.Diagnosis)
Else deny access

Request: access the content of table T1 (SELECT * FROM T1) with intent = "Marketing". Privacy policy enforcement filters the data, so the requester sees:

uid | Name | Condition | Diagnosis
1 | - | Alcoholism | Cirrhosis
2 | - | Drug addicted | HIV
3 | - | Contagious illness | Hepatitis

Page 47: Example #2: data access

Table T1 with PII data and customers' consent: the same rows as Example #1, plus a consent column per purpose (Marketing, Research). Customers 1 and 3 have consented to Marketing use; customer 2 has not.

Enterprise privacy policies and customers' consent:

If role == "empl." and intent == "Marketing" then allow access (T1.Condition, T1.Diagnosis) and enforce (consent)
Else if intent == "Research" then allow access (T1.Diagnosis) and enforce (consent)
Else deny access

Request: access table T1 (SELECT * FROM T1) with intent = "Marketing". Enforcement filters the data by policy and by consent; a row whose owner has not consented to the stated intent is masked entirely:

uid | Name | Condition | Diagnosis
1 | - | Alcoholism | Cirrhosis
2 | - | - | -
3 | - | Contagious illness | Hepatitis
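Examples #1 and #2, as an added example that is not HP's code: the slide's policy becomes a function from (role, intent) to the visible columns, and the enforcement point rewrites the result of SELECT * FROM T1 cell by cell. T1 and the Marketing consent values follow the slides; the Research consent values are an assumption of this example.

```python
# Added example (not HP's code): the intent- and consent-based column filter of
# Examples #1 and #2 as a policy enforcement function. T1 and the Marketing consent
# follow the slides; the Research consent values are an assumption of this example.

T1 = [
    {"uid": 1, "Name": "Alice", "Condition": "Alcoholism", "Diagnosis": "Cirrhosis"},
    {"uid": 2, "Name": "Rob", "Condition": "Drug addicted", "Diagnosis": "HIV"},
    {"uid": 3, "Name": "Julie", "Condition": "Contagious illness", "Diagnosis": "Hepatitis"},
]
# intent -> uids whose owners consented to that use.
# Marketing = {1, 3} matches the slide; Research = {2, 3} is assumed.
CONSENT = {"Marketing": {1, 3}, "Research": {2, 3}}
MASK = "-"


def allowed_columns(role: str, intent: str) -> set:
    """The slide's privacy policy: which PII columns this (role, intent) may see."""
    if role == "empl." and intent == "Marketing":
        return {"Condition", "Diagnosis"}
    if intent == "Research":
        return {"Diagnosis"}
    return set()          # anything else: Deny Access


def query_t1(role: str, intent: str, enforce_consent: bool = True):
    """'SELECT * FROM T1' as seen through the enforcement point.

    Returns None when the policy denies access outright; otherwise the rows with
    every cell the policy or the owner's consent does not cover replaced by MASK.
    The uid column is kept as the row key, as on the slides.
    """
    cols = allowed_columns(role, intent)
    if not cols:
        return None
    consented = CONSENT.get(intent, set())
    rows = []
    for row in T1:
        visible = cols if (not enforce_consent or row["uid"] in consented) else set()
        rows.append({k: (v if k == "uid" or k in visible else MASK) for k, v in row.items()})
    return rows


def masked_count(rows) -> int:
    """How many non-uid cells the filter removed (useful for audit statistics)."""
    return sum(1 for r in rows for k, v in r.items() if k != "uid" and v == MASK)


if __name__ == "__main__":
    print("Example #1:", query_t1("empl.", "Marketing", enforce_consent=False))
    print("Example #2:", query_t1("empl.", "Marketing"))
    print("Partner/Marketing:", query_t1("partner", "Marketing"))
    print("Partner/Research:", query_t1("partner", "Research"))
```

Two details matter in practice: the intent is an input the caller asserts, so it must come from an authenticated, audited context (the Select Access session) rather than a query parameter the client can set, and consent is evaluated per row against the stated intent, which is why the Research query masks a different set of rows than the Marketing one.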

Page 48: Solution architecture: the individual components

Validator, SAML Server, Secure Audit Server, Enforcer Plug-In, Admin Server, Directory Server.

Page 49: Solution architecture: Policy Enforcer

Enforcer Plug-In
• Rich access control down to the URL, object or transaction level, with role-based authorization
• Integrated with web-based resources: web servers, Java EJB/J2EE application servers, portal servers, web-based and custom applications (web server, web services, portal, Java app server, application)
• Implemented as plug-ins to the servers: the Policy Enforcement Point (PEP)

Users make access or transaction requests, which are intercepted by the Enforcer plug-in.

Page 50: Solution architecture: Validator

The Enforcer plug-in queries the Validator via XML for access decisions.

Validator
• Policy servers evaluate all access decisions: the Policy Decision Point (PDP)

Page 51: Solution architecture: LDAP

Directory Server
• Policy data is stored in an LDAP v3 compliant directory: the policy repository

The Validator retrieves the relevant policy data from the Directory Server via LDAP and evaluates the access logic based on the information passed from the Enforcer.

Page 52: Solution architecture: LDAP integration

Supported directory servers: Microsoft Active Directory, SunONE/iPlanet/Netscape, Critical Path, Novell eDirectory, Oracle OID, Siemens DirX, CA eTrust, Syntegra.

• User, group and policy information is stored in LDAP v3 directory servers
  − No need to re-populate or relocate LDAP users or groups
  − The existing Directory Information Tree (DIT) remains intact
• Maximizes the benefit of LDAP directories
  − High performance and availability
  − Enhanced scalability
  − Centralized view of data for many applications

Page 53: Solution architecture: Audit Server

The Validator returns authorization decisions to the Enforcer, which implements them: Allow; Deny; Allow and Personalize; Request Authentication; Redirect; Logout.

All authorization actions are audited centrally to the Secure Audit Server and digitally signed.

Page 54: Solution architecture: Admin Server

Administrators access the Admin Server with a browser, which downloads an applet and launches the Policy Builder.

Administrators can delegate user, group and/or policy management to managers (delegated administrators, partners) both inside and outside the organization.

All policy and user administration actions are audited to the Secure Audit Server, for both full and delegated administrators.

Page 55: Solution architecture: Audit Server

• All Select Access components (Validator, SAML Server, Enforcer Plug-In, Admin Server, Directory Server) audit events to a centralized audit system
• Outputs to multiple data stores: Oracle, Microsoft SQL, Windows Event Log, UNIX syslog and/or file
• Includes user and policy administration changes
  − What was changed
  − Who made the change, and when
  − What the old data was
  − What the new data is
• Digital signing of audit entries provides proof of administrative changes and a secure audit trail
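The Enforcer/Validator/audit flow of Pages 49 to 53 and 55, as an added example that is not HP's code: a PEP intercepts a request, a PDP evaluates it against a URL-prefix policy and returns one of the slide's decision types (including Request Authentication when the session's authentication level is below what the resource demands), and every decision is written to a tamper-evident log. The policy rules, users, authentication levels and the audit key are constructed; Select Access exchanges XML between Enforcer and Validator (replaced by dicts here) and signs its entries with its own keys (replaced by an HMAC chain here).

```python
# Added example (not HP's code): an Enforcer (PEP) asking a Validator (PDP) for
# one of the decision types listed on the slides, and every decision landing in a
# tamper-evident audit log. The policy rules, users, authentication levels and the
# audit key are constructed; Select Access signs its entries with its own keys and
# the Enforcer/Validator exchange is XML, which this example replaces with dicts.
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed policy repository (what the Validator would fetch over LDAP).
# Authentication levels (constructed): 0 anonymous, 1 password, 2 certificate/token.
POLICY = [
    {"prefix": "/public/",   "role": None,       "min_auth": 0},
    {"prefix": "/hr/",       "role": "employee", "min_auth": 1},
    {"prefix": "/payments/", "role": "finance",  "min_auth": 2},
]
USERS = {"alice": {"employee", "finance"}, "bob": {"employee"}}


class AuditServer:
    """Append-only log. Each entry's tag is an HMAC over the entry and the previous
    tag, so editing or deleting an earlier record invalidates everything after it."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _tag(self, prev: str, event: dict) -> str:
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def record(self, event: dict) -> None:
        prev = self.entries[-1]["tag"] if self.entries else ""
        self.entries.append({"event": dict(event), "tag": self._tag(prev, event)})

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(self._tag(prev, entry["event"]), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def validator(request: dict) -> str:
    """PDP: evaluate the request against POLICY and return a decision."""
    rule = next((r for r in POLICY if request["url"].startswith(r["prefix"])), None)
    if rule is None:
        return "DENY"                      # no policy for this resource
    if rule["role"] is None:
        return "ALLOW"                     # public resource
    if request["user"] is None or request["auth_level"] < rule["min_auth"]:
        return "REQUEST_AUTHENTICATION"    # log in, or step up (e.g. certificate)
    if rule["role"] not in USERS.get(request["user"], set()):
        return "DENY"
    return "ALLOW"


def enforcer(request: dict, audit: AuditServer) -> str:
    """PEP: intercept the request, ask the PDP, audit the outcome, enforce it."""
    decision = validator(request)
    audit.record({"user": request["user"], "url": request["url"],
                  "auth_level": request["auth_level"], "decision": decision})
    return decision


if __name__ == "__main__":
    audit = AuditServer(AUDIT_KEY)
    for req in [{"user": "alice", "url": "/payments/wire", "auth_level": 1},
                {"user": "alice", "url": "/payments/wire", "auth_level": 2},
                {"user": "bob", "url": "/payments/wire", "auth_level": 2},
                {"user": None, "url": "/hr/profile", "auth_level": 0}]:
        print(req["url"], req["user"], "->", enforcer(req, audit))
    print("audit chain intact:", audit.verify())
    audit.entries[0]["event"]["decision"] = "ALLOW"   # simulate tampering
    print("audit chain intact after edit:", audit.verify())
```

Two caveats a practitioner would add. A chained HMAC detects edits and deletions in the middle of the log but not truncation of its tail, so a real audit server also anchors the latest tag externally (a periodic signed checkpoint or a monotonically increasing counter). And because every writer of an HMAC chain can also forge it, the slide's digital signature (a private key held only by the audit server, verifiable by anyone with the public key) is the right primitive for proof of administrative changes; the HMAC here only stands in for it.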

Page 56: Solution architecture: scalability and high availability

• Select Access is designed around a three-tier architecture: Enforcer plug-ins, Validators, Directory Servers
• All components can be replicated for scalability
  − Load sharing and failover are handled seamlessly and automatically across replicated components
• Aggressive and advanced caching minimize traffic and processing requirements; the cache pre-loads itself for resource access

Page 57: Solution architecture: SAML Server

• SSO and authorization across business boundaries, regardless of the authorization product (Select Access or other)
• The user is authenticated at one web site, then proceeds to a partner's site

Authentication, authorization and personalization data are passed to the partner using SAML.

Page 58

System architecture

(Diagram: Validator, SAML Server, Secure Audit Server, Enforcer Plug-In, Admin Server and Directory Server; protected targets: Web Server, Portal, Java App Server, Application, Web Services.)

Page 59

Authentication

• Supports all leading authentication mechanisms

− Allows multiple different types of authentication across all applications

− Allows extension of authentication mechanisms to other applications

− Improved ROI of existing authentication systems

• The adaptive policy can require different levels of authentication, using different techniques, for different levels of access to resources, independent of the application

− E.g. require a PKI certificate for transactions over $10,000

Supported mechanisms:

• Password

• X.509 certificates (CDPs, CRLs & OCSP)

• User self-registration

• RSA SecurID

• RADIUS

• Challenge/response tokens

• Smart cards

• Security Assertion Markup Language (SAML)

• Integrated Windows

• NTLM and Kerberos

• Custom methods (through APIs), e.g. biometrics

Page 60

Example #2: data access

Table T1 with PII data and customers' consent (consent columns reconstructed from the filtered result shown on the slide):

uid  Name   Condition           Diagnosis   Research  Marketing
1    Alice  Alcoholism          Cirrhosis   x         x
2    Rob    Drug Addicted       HIV
3    Julie  Contagious Illness  Hepatitis             x

Enterprise privacy policies & customers' consent:

If role == "empl." and intent == "Marketing" Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
Else If intent == "Research" Then Allow Access (T1.Diagnosis) & Enforce (Consent)
Else Deny Access

Flow:

1. The application accesses table T1 with Intent = "Marketing" (SELECT * FROM T1); the request passes through the SA Data Enforcer.

2. The SA Validator evaluates <T1, Marketing> against the policy and answers: Allow Access T1:<B,C> & consent (the Condition and Diagnosis columns, subject to the customer's consent).

3. Enforcement: the Data Enforcer filters the data. Actual retrieved data:

uid  Name  Condition           Diagnosis
1    -     Alcoholism          Cirrhosis
2    -     -                   -
3    -     Contagious Illness  Hepatitis
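The decision/enforcement split shown on this slide, as an added example that is not part of the presentation or of the Select Access product. The Validator side (`decide`) encodes the slide's policy text; the Data Enforcer side (`enforce`) runs the application's query against a constructed in-memory copy of T1 and a constructed consent table, then masks every PII column that is either not allowed for the stated intent or belongs to a customer who has not consented to that purpose. Table contents, column names and the `consent` table layout are assumptions modelled on the slide.

```python
import sqlite3

PII_COLUMNS = ("Name", "Condition", "Diagnosis")


def build_db():
    """Constructed in-memory copy of table T1 and of the customers' consent,
    using the rows shown on the slide."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT, "
                "Condition TEXT, Diagnosis TEXT)")
    con.execute("CREATE TABLE consent (uid INTEGER, purpose TEXT)")
    con.executemany("INSERT INTO T1 VALUES (?, ?, ?, ?)", [
        (1, "Alice", "Alcoholism", "Cirrhosis"),
        (2, "Rob", "Drug Addicted", "HIV"),
        (3, "Julie", "Contagious Illness", "Hepatitis"),
    ])
    con.executemany("INSERT INTO consent VALUES (?, ?)", [
        (1, "Research"), (1, "Marketing"), (3, "Marketing"),
    ])
    return con


def decide(role, intent):
    """Validator side: the slide's privacy policy. Returns the set of PII columns
    the caller may see for this purpose, or None for Deny Access."""
    if role == "empl." and intent == "Marketing":
        return {"Condition", "Diagnosis"}
    if intent == "Research":
        return {"Diagnosis"}
    return None


def enforce(con, role, intent):
    """Data Enforcer side: run the application's query, then mask every PII
    column that is either outside the allowed set or belongs to a data subject
    who has not consented to this purpose. uid is kept so rows stay joinable."""
    allowed = decide(role, intent)
    if allowed is None:
        raise PermissionError("Deny Access")
    consented = {uid for (uid,) in
                 con.execute("SELECT uid FROM consent WHERE purpose = ?", (intent,))}
    rows = con.execute("SELECT uid, Name, Condition, Diagnosis FROM T1 ORDER BY uid")
    filtered = []
    for uid, *pii in rows:
        values = dict(zip(PII_COLUMNS, pii))
        filtered.append({"uid": uid, **{
            col: values[col] if (col in allowed and uid in consented) else "-"
            for col in PII_COLUMNS}})
    return filtered


def marketing_view():
    """Step 3 of the slide: what an employee with intent Marketing actually gets."""
    return enforce(build_db(), "empl.", "Marketing")
```

Keeping the purpose decision (columns) separate from the per-row consent check is what makes the result auditable: the Validator's answer can be logged as a single decision, while the Enforcer applies it row by row without needing to understand the policy.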

Page 61

Example system architecture #1

(Diagram: intranet applications and Web infrastructure behind the corporate firewalls, with the Select Access components marked *: Validator*, SAML Server*, Secure Audit Server*, Enforcer Plug-In*, Admin Server* and a browser-based Policy Builder GUI*, backed by the Corporate Directory Server; central policy administration and central audit. External parties: a partner with supply chain (delegated administration down the supply chain), a direct B2B partner (policy-controlled access to information) and a federated partnership (SAML-enabled partner site).)

* Select Access components

Page 62

Example system architecture #2

Page 63

Example system architecture #3

Page 64

Single Sign On

• Reliable single sign-on across a heterogeneous mix of applications, servers and Internet domains

− HTTP is a stateless protocol; transient cookies are used to maintain state between HTTP requests

− Cookies are not persistent: they are not stored on the client disk and are only active during a browser session

− Configurable idle session timeout (default 10 min)

• Seamless SSO even across multiple domains

− Transparent to the user

− No changes to Web server configurations or content
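The session mechanics listed on this slide (state kept server-side for a stateless protocol, a transient cookie with no Expires/Max-Age, and an idle timeout defaulting to 10 minutes), as an added example that is not part of the presentation or of the Select Access product. The cookie name `SASSO`, the shared key and the HMAC tag on the identifier are assumptions; the tag is there so that an Enforcer can reject an altered identifier before touching the session store.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; the slide's default of 10 minutes
COOKIE_KEY = b"constructed-demo-key-do-not-use"  # assumption: shared by all SSO Enforcers


class SessionStore:
    """Server-side session state for a stateless protocol. Each request touches
    the session; a session not touched within idle_timeout is treated as gone."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # sid -> {"user": ..., "last_seen": ...}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Return the user for a live session and extend it, or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]      # idle too long: treat as logged out
            return None
        sess["last_seen"] = now
        return sess["user"]


def make_cookie(sid):
    """Set-Cookie value for a transient session cookie: no Expires/Max-Age, so the
    browser keeps it in memory only and drops it when the browser session ends."""
    tag = hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]
    return f"SASSO={sid}.{tag}; Path=/; Secure; HttpOnly"


def parse_cookie(header):
    """Inverse of make_cookie: return the session id if the tag verifies, else None."""
    value = header.split(";", 1)[0]
    if not value.startswith("SASSO="):
        return None
    sid, _, tag = value[len("SASSO="):].rpartition(".")
    expected = hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]
    return sid if hmac.compare_digest(expected, tag) else None


def simulate(idle_gap):
    """Log in, present the cookie again idle_gap seconds later and return the user
    the second request resolves to (None means re-authentication is required)."""
    store = SessionStore()
    t0 = 1_000_000.0
    cookie = make_cookie(store.login("alice", t0))
    sid = parse_cookie(cookie)
    return store.touch(sid, t0 + idle_gap)


if __name__ == "__main__":
    print(make_cookie("example-session-id"))
    print(simulate(30), simulate(601))
```

Note that the idle timer restarts on every touched request, so a session used continuously never expires on idleness alone; an absolute lifetime, which the slide does not mention, would be a separate check.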

Page 65

Delegation of privileges

• Customizable self-registration allows users to enrol themselves

− Increases speed and reduces deployment effort

• SelectAccess allows users to manage their own attributes

• Administrators can define which attributes the user can manage

− Password, mail address, personal preferences, etc.

Page 66

Automatic resource discovery

• Automatically populates the directory with network services and resource information

− Detects all running network services (HTTP, FTP, etc.)

− The HTTP discovery plug-in populates resources by following links and directories

− Resource data is discovered, enumerated and hierarchically added to the directory

− Less opportunity for administrative errors

• Discovery plug-ins can be added for new services

• Resource data can be imported from a text file
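What the HTTP discovery plug-in described above does, as an added example that is not part of the presentation or of the Select Access product: follow links from a start page, stay on the same host, and add every resource found to a hierarchy the way the slide says resources are added to the directory. The site is a constructed dictionary of URL to HTML standing in for live HTTP responses, and `fetch` is a hypothetical fetcher over it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed site: URL -> HTML body, standing in for live HTTP responses.
SITE = {
    "http://intranet.example/":
        '<a href="/hr/">HR</a> <a href="/docs/index.html">Docs</a> '
        '<a href="http://other.example/x">external</a>',
    "http://intranet.example/hr/":
        '<a href="payroll/">Payroll</a> <a href="/">Home</a>',
    "http://intranet.example/hr/payroll/":
        '<a href="2004.html">2004</a>',
    "http://intranet.example/hr/payroll/2004.html": "<p>no links</p>",
    "http://intranet.example/docs/index.html": '<a href="../hr/">HR again</a>',
}


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def fetch(url):
    """Hypothetical fetcher: serves the constructed SITE instead of using HTTP."""
    return SITE.get(url)


def discover(start):
    """Follow links breadth-first within the start host and return the set of
    resource paths found (directories end with '/'). Off-host links are recorded
    nowhere: discovery must not wander onto systems it is not meant to inventory."""
    host = urlsplit(start).netloc
    seen = set()
    queue = [start]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkCollector()
        parser.feed(body)
        for href in parser.hrefs:
            target = urljoin(url, href).split("#")[0]
            if urlsplit(target).netloc == host and target not in seen:
                queue.append(target)
    return {urlsplit(u).path for u in seen}


def to_tree(paths):
    """Add each discovered path hierarchically, one node per path component:
    {'hr': {'payroll': {'2004.html': {}}}, 'docs': {'index.html': {}}}."""
    root = {}
    for path in sorted(paths):
        node = root
        for part in [p for p in path.split("/") if p]:
            node = node.setdefault(part, {})
    return root
```

The `seen` set is what makes the crawl terminate on a site whose pages link back to each other; without it the HR page and the docs index would keep re-queuing one another.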

Page 67

Administrator interface

Page 68

Administrator interface

Page 69

Policy building blocks

• Source IP Address

• Time-of-Day

• Encryption Level

• Attribute Values

• Authentication − Personalization

• Port Limitation

• XML Attribute Values

• Included API to extend – adapt to your own IT needs

• Alerts

• SubRule

• Allow with additional information *

• Log off *

• URL Redirect *

• Self Profile Management *

• Allow *

• Deny *

* Termination points

Page 70

Example policy

(Flowchart with the following decision nodes and termination points:)

• Limit ports and source addresses

• Authenticate by certificate; no cert? Use password

• Check level of encryption

• Check user's LDAP profile

• Employee? Call the employee access sub-rule; else deny access

• Allow access; else log off user
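The example policy above, with the building blocks of the previous slide (decision criteria, a sub-rule, and the Allow, Deny and Log off termination points), as an added example that is not part of the presentation or of the Select Access product. The node order and the concrete tests are my reading of the flowchart and are assumptions; the `Request` fields are a constructed view of what an Enforcer would hand to a Validator. The evaluator also returns the path taken, which is what you would want in the audit record of a decision.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Union

# Termination points named on the slides.
ALLOW, DENY, LOGOFF = "Allow", "Deny", "Log off"


@dataclass
class Request:
    """Constructed view of one access request (assumption)."""
    source_ip: str
    port: int
    cert_subject: Optional[str]   # None when the client presented no certificate
    password_ok: bool
    cipher_bits: int
    ldap_profile: dict            # attributes read from the user's directory entry


@dataclass
class Node:
    """One decision box: evaluate test(), then follow on_true or on_false, each of
    which is another Node or a termination string."""
    name: str
    test: Callable[[Request], bool]
    on_true: Union["Node", str]
    on_false: Union["Node", str]


def evaluate(node, req):
    """Walk the tree until a termination point; return (decision, trace)."""
    trace = []
    while isinstance(node, Node):
        outcome = bool(node.test(req))
        trace.append((node.name, outcome))
        node = node.on_true if outcome else node.on_false
    return node, trace


def build_policy():
    """The slide's flowchart as a tree (node order and tests are assumptions)."""
    employee_sub_rule = Node(
        "Employee access sub-rule",
        lambda r: r.ldap_profile.get("accountDisabled") is not True,
        ALLOW, LOGOFF)
    ldap_check = Node(
        "Employee?",
        lambda r: r.ldap_profile.get("employeeType") == "employee",
        employee_sub_rule, DENY)
    encryption = Node(
        "Check level of encryption",
        lambda r: r.cipher_bits >= 128,
        ldap_check, LOGOFF)
    password = Node(
        "No cert? Use password",
        lambda r: r.password_ok,
        encryption, DENY)
    certificate = Node(
        "Authenticate by certificate",
        lambda r: r.cert_subject is not None,
        encryption, password)
    return Node(
        "Limit ports and source addresses",
        lambda r: r.port == 443 and r.source_ip.startswith("10."),
        certificate, DENY)


if __name__ == "__main__":
    req = Request("10.1.2.3", 443, "CN=alice", False, 256,
                  {"employeeType": "employee"})
    print(evaluate(build_policy(), req))
```

Because every branch ends in a named termination point, there is no implicit default: a request that matches nothing is denied by construction rather than by an accident of ordering.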

Page 71

Extensibility options

• XML provides a common data exchange format, encapsulating both meta-data and data

− Different applications and databases exchange information without having to know each other's format

• XML and open APIs

− The overall framework is fully extensible

− Developer API suite in C/C++ and Java

− Policy API for customizing users' view of resources

− Plug-ins for new services/applications, decision criteria, authentication types, discovery & GUI extensions

− Current features are implemented using the product's own APIs and plug-in ability

Page 72

Available APIs

(Diagram: Directory Server; Admin Server; Secure Audit Server with audit logs (file, JDBC, syslog, event log, email); Validator with cache; Enforcer Plug-In in front of Web Server, Portal, Java App Server and Application; SAML Server.)

Page 73

List of available APIs

Policy Validator Plugin API

Enforcer Plugin API

C++ XML Manipulation API

User Data Management API

The Logging API

Exception Handling API

String Manipulation API

The Java Enforcer API

The Policy Builder API

The Java XML Manipulation API

The COM API

Resource Discovery API (crude but it exists)

User Properties API (new in 6.0)

Customizing Audit Reports (loose API)

Forms based User Admin API (new in 6.0)

Page 74

Solution differentiators

• Unlike other identity management products, Select Access is an adaptive and accountable solution

− Fastest time to deployment

− Easiest to manage

− Built on standards, supporting the most heterogeneous environments, diverse users and Web services models

− One-of-a-kind secured audit and visual change management

Page 75

Product evaluation from 2002

Page 76

Product evaluation from 2004

Page 77

Select Federation

Page 78

Federation and Identity-enabled Web Services: HP OpenView Select Federation

Page 79

Select Federation: supported protocols

Page 80

Select Federation: key functionality

Page 81

Select Federation: ease of administration

Page 82

DEMO

Page 83

Thank you for your attention

Page 84