DirX Identity Overview

User management includes all the activities related to the creation, consolidation, maintenance and use of user accounts, user attributes, roles, entitlements and other data encompassing the different directories, user databases, and application-specific repositories that make up the fragmented, heterogeneous IT environment relevant for the lifecycle management of users.DirX Identity supports user management with three types of objects:

User management consists of two main tasks: maintaining an accurate and up-to-date directory of users to be provisioned and assigning users to roles.User directory consistency can be handled by request processes initiated from the users themselves and/or their managers (user self-service and delegated administration) and by data synchronization workflows (for example, with the enterprise HR system) provided by the metadirectory.These processes and workflows can automatically generate global unique identifiers (GUIDs) during user creation, which are essential for maintaining data consistency in large identity databases.

In DirX Identity, user management tasks include:

To reflect an enterprise’s Human Resource management process, DirX Identity allows for the maintenance of a user’s lifetime with:

To ensure consistency throughout the user update process, DirX Identity provides a mechanism called a “user LDAP lock” to prevent two or more applications, programs, or threads from updating the same user in parallel.The use case document DirX Identity Java Programming provides more information about this mechanism.

The user object’s lifetime comprises the lifetime of all its associated persona objects.A user facet or a persona object’s lifetime can be shorter than the user’s lifetime.For a user facet, this provides a way to model different positions within an organization, where each position may have a different lifetime.A user facet might be the right model to apply if the user works in different jobs for one organization and can login under the same accounts for these jobs.For a persona, this provides a way to model different contracts for a user who, for example, works in the same company but for several different organizational units.

A user facet or a persona object usually changes its status with the corresponding user object, and is not reassigned to another user.A functional user, however, can survive the user object and must be re-assigned to another sponsor (user) if the user is removed or is no longer responsible for the resource that the functional user represents.

In DirX Identity, user facet management tasks include:

Persona management tasks include:

Functional user management tasks include:

DirX Identity uses a standards-based role management model that supports parameterization for granting different types of access according to parameterized input, provides approval and re-approval workflows for role authorization and re-authorization, and enforces segregation of duties (SoD) policies for regulatory compliance.

The role model used in DirX Identity is based on American National Standards 359-2004, the information technology industry consensus standard for RBAC (ANSI/INCITS 359).The ANSI RBAC reference model organizes the elements of RBAC into four groups of incrementally increasing functionality: core RBAC, hierarchical RBAC, static separation of duty (SSD) relations and dynamic separation of duty DSD) relations.DirX Identity supports level 3 RBAC, which consists of RBAC with SSD.However, while ANSI RBAC includes system resources in its access control model, DirX Identity leaves the management of the individual resources to the local administration of the target systems.The following figure illustrates the relationship between DirX Identity’s role model and the access control systems of the IT systems.

As shown in the figure:

DirX Identity’s role model can manage access control for all IT systems that allow for group-based or attribute-based administration of access rights.DirX Identity can also manage roles that are not associated with a physical IT system.The corresponding groups, called virtual lists, are used to support different business processes, for example, lists for facility access.

DirX Identity’s role model supports parameterized RBAC, where the access rights modeled by a generic role or permission can be customized on assignment to a specific user based on the value of role or permission parameters.A role parameter is a variable whose value is provided at role assignment time.For example, one generic role "Project Member" can be assigned multiple times to the same user for several different projects.Each time the role is assigned to the user, a specific project name is given for the role parameter.Like roles, role parameter values can be organized into a hierarchical tree.

A permission parameter is an attribute in a user entry whose values influences the permission’s resolution into groups.For example, suppose a user in the Sales department of an organization is assigned the permission "Departmental File Server".If the permission is parameterized by the "Department" user attribute, DirX Identity can use the "Sales" value of the user’s "Department" attribute to resolve the permission into specific target systems and groups that are relevant for the Sales Department File Server.The permission "Departmental File Server" is the same for all employees of the organization, but its resolution to a specific target system depends on the employee’s actual department.Role and permission parameters greatly reduce the number of permissions and roles that need to be defined and make role management and assignment based on high-level business roles appealing and manageable in the enterprise.

A user-role assignment can require initial approval and can also require re-approval after a specified period of time (for example, every 6 months) or on a specified date and time (November 3, 2011 at 5PM). Approval and re-approval workflows can be defined for these roles to carry out the approval and/or re-approval process automatically.The approval process supports a variety of models for calculating participants in the approval process, including single individual approver, static and dynamic approver groups, policy-driven and even programmed approver calculation.

In a role-based system, conflicts of interest can occur as the result of a user receiving access rights associated with conflicting roles.The ANSI RBAC SSD component prevents this type of conflict by enforcing constraints on the assignment of users to roles.DirX Identity implements this model of separation of duties - also called segregation of duties (SoD).Enterprise SoD policies defined in DirX Identity specify which user-role assignments constitute conflicts of interest or pose unacceptable security risks.DirX Identity enforces these policies during user-role assignment and will not make a user-role assignment that it determines is in violation unless special approval has been performed.

DirX Identity provides a comprehensive role model for controlling access rights to resources in connected target systems.Features such as access policies, SoD and approval workflows help to secure the assignment of access rights.However, compliance requirements can mandate certification or re-certification of assignments on a regular basis when they are made explicitly by managers or administrators instead of through business objects or rules.DirX Identity provides several mechanisms to support these compliance processes:

DirX Identity provides several types of request workflow that support user self-service and delegated administration activities:

Each of these workflows can contain optional approval steps that manage the authorization requirements for the request.

DirX Identity allows requesters and approvers to sign their requests and approvals digitally; the digital signature is stored with the request workflow audit trail in the central audit store, and this audit information, including the signed requests, can optionally be protected by system digital signature for compliance purposes.

DirX Identity provides template request workflows.Customers can make copies of these templates and then use DirX Identity’s graphical workflow editor to tailor them to their requirements.The following figure illustrates the "create user" request workflow template.

The management of request workflows is protected by access policies and comprises start, stop, suspend and resume operations as well as a "change participant" feature to react to real-life situations in which approvers are temporarily unavailable (or permanently unavailable because they have left the company) or are incorrectly assigned to the approval task at hand.Users can approve with DirX Identity’s Business User Interface or with DirX Identity’s Web Center interface.

DirX Identity makes a number of tasks available for self-service through its Web Center user interface.User-oriented self-service tasks include:

Access policies are used to make sure that a user has access at least to his own data. Access policies are discussed in more detail in the "Policy Management" section.

Delegated administration in DirX Identity is the process of assigning the access rights you have within DirX Identity, or a subset of your access rights, to someone else, optionally for a specified period of time. These access rights include the rights to manage users and roles, assign roles to users or approve requests for such assignments. For example, a project leader who is away for two weeks can delegate the access rights that allow him to assign project-related roles to the members of his team to another person in his group who will then be able to assign roles to these users during these two weeks. And, instead of allowing his substitute to assign all of the available project roles, the project leader can permit his substitute to assign only one or two basic roles; he specifies the roles that can be assigned when he makes the delegation.

Delegated administration tasks in Web Center include:

Delegated administration tasks in the Business User Interface include:

Access policies are used to control which of these administrative tasks a given administrator can perform and on what users and/or roles he is allowed to perform them.Access policies are described in more detail in the "Policy Management" section.

Business objects are collections of business-related data that can be used to automate user-role assignment and reduce the redundancy of user data in the identity store.DirX Identity provides a default set of business objects that can be used to build organizational business structures, project structures, and other kinds of structures.Customers can create their own business objects for complete flexibility.

In DirX Identity, business objects are commonly used to:

Business object management includes all the activities related to the creation, maintenance and use of business objects, business object attributes and relationships to other objects.Business objects include organizations, organizational units, locations, cost locations and projects.

In DirX Identity, business object management tasks include:

Provisioning is the dynamic process of establishing the target system-specific access rights to which a user-to-role assignment ultimately resolves.Provisioning makes use of all the processes of user, role and policy management discussed in earlier topics.Provisioning is a two-step process:

User-to-role assignments that require approval are not provisioned until every approval has been received.

Note that it is the administrator of the target system who assigns access rights to the resources on the system for a given group.This process is outside of DirX Identity and is accomplished using the target system’s administrative tools and enforced by the access control components of the target system.The enterprise needs to have an organizational process in place that controls both the set-up of policies and the role structure and the assignment of access rights to groups in target systems.

When there is a change in the user’s roles, permission parameters, or role parameters, or when there is a change in a user’s attribute that controls a provisioning policy, DirX Identity automatically and immediately performs a new role resolution and re-provisions (or de-provisions) the target systems.

DirX Identity’s provisioning services provide centralized, consistent, single-point and fully automated administration of users and their access rights within the enterprise IT infrastructure.However, integrating a target system completely with these provisioning services does not always make sense - for example, when the system’s user population is small or frequent user or role maintenance is not an issue.These types of systems can be loosely integrated via DirX Identity’s manual provisioning feature, allowing them to remain "offline" to its full set of provisioning processes but still benefit from DirX Identity processes that monitor provisioning events to the offline systems and dispatch them to the responsible administrators for manual implementation.

DirX Identity supports a complete password management solution that allows users to maintain a single password that will be automatically synchronized to all relevant IT systems in the enterprise.Password management functions allow users to change and reset their password in one or more systems (for example, in an LDAP directory or in a Windows domain), notify users when they need to change their passwords to comply with password policies established for the enterprise (for example, expiration of a password’s lifetime), and synchronize in real time the password changes to all the relevant IT systems.Users can reset forgotten passwords themselves through a challenge-response procedure or request that an administrator reset them.

Through the Web Center interface, users can:

From the Web Center interface, administrators can:

Through the Business User Interface, users can:

Administrators can also:

With the Atos Password Reset Client (APRC), users can reset their Active Directory password from their Windows login dialog.They authenticate with their certificate, with a challenge-response procedure, or with a one-time password (OTP) that is sent via SMS.

DirX Identity provides an event-driven password synchronization service that ensures that password changes made from the Web Center interface in the identity store, or from the Windows system in the domain controller, are immediately synchronized to the users' accounts in the appropriate target systems.The service can audit password changes and output the audit information into XML format or provide the data directly to DirX Audit.

A policy is a high-level directive that helps to govern, automate and control identity management processes according to business practices, policies and processes.Policies are composed of one or more rules; each rule implements a part of the policy.

DirX Identity supports the creation of identity management policies for governing access to enterprise resources, for ensuring the integrity of DirX Identity user, role and target system data and for acquiring intelligence on DirX Identity data and operations for compliance and continuous process improvement initiatives.These policies include:

DirX Identity processes policies either dynamically or periodically, depending on the kind of policy.

DirX Identity metadirectory is the set of services that integrates the disparate directories, user databases, and application-specific information repositories in the enterprise IT network into a centralized data store and provides the connectivity, management and interoperability functions that unify the user data (“join”) and ensure the bidirectional attribute flow (synchronization) in this fragmented environment.The metadirectory provides:

Integration services that collect and integrate user data from multiple authoritative sources - human resources directories, enterprise resource planning (ERP) systems, customer relation management (CRM) and Supply Chain Management (SCM) databases - into a single, unique digital identity that represents the user to be provisioned in the IT systems.

Synchronization services that maintain an accurate and up-to-date identity store of these identities and synchronize identity data from the identity store back into the authoritative sources.

For both integration and synchronization services:

Multi-tenant support is provided through the concept of DirX Identity domains.A DirX Identity domain is a high-level separation of DirX Identity data that can be used to establish different policies and role models in a single DirX Identity system.Users and administrators from one domain cannot see and handle objects from another domain, and all roles, rules, policies and workflows are completely separated.You can use domain specific set-up parameters to define different behavior for different domains.

DirX Identity delivers several sample domains – for example, a sample domain for a company that provides software and hardware products and a sample domain for a healthcare organization - that illustrate the typical ways to work with DirX Identity in a customer environment and show most of the features that DirX Identity provides.These domains can be automatically installed on request during DirX Identity installation.

A target system is any system that DirX Identity is to control.Examples of target system types are Active Directory (AD), databases or applications that contain their own user management with integrated access control.You can define any number of target system instances for one type, for example, you can model the domains of an AD forest as different AD target systems.Administrators can set specific set-up parameters according to each target system type and instance.

Target systems typically contain accounts and groups that are kept synchronized between the connected system and the target system.Target systems usually have a small number of privileged accounts that allow users to perform high-risk, security-critical operations on the target systems and can be used by different users in parallel.DirX Identity allows privileged accounts to be modeled as roles so that they can be controlled and audited as identity management elements.Privileged accounts then become eligible for assignment to users and for the application of SoD, re-approval, and other role-related policies.DirX Identity also applies automatic controls to privileged account passwords, such as automatically enforcing a password change when a user assignment is removed from the role and automatically changing expired privileged account passwords.

Service-oriented architecture (SOA) is a methodology for structuring functional elements as modular, interoperable services.SOA can be an effective way for an enterprise to bring its internal assets online as re-usable, interoperable business services that can be quickly and easily integrated and re-integrated to respond to changing business processes and new market opportunities.Web Services is one way to implement an SOA, and it has become a popular technology for connecting the business services deployed in enterprise SOA environments

The Identity Web Services can be used to integrate DirX Identity’s provisioning features into SOA-compliant application environments.The Identity Web Services interface can handle users, roles, permissions, groups, accounts, target systems and business objects.The Identity Web Services implement the OASIS Service Provisioning Markup Language (SPML) standard and support the standard SPML operations add, modify, delete, lookup and search.Depending on the object type, additional capabilities may be offered; for example, assignment of roles to users or password changes.

For all object types, a user hook - an extension made by the customer to DirX Identity common code that is protected from product updates - can intercept requests and responses and perform custom operations such as moving entries and creating or checking unique identifiers.

In the area of access management, the Identity Web Services provide Web single sign-on integration with SAP NetWeaver and leading Web access management products such as DirX Access and Entrust GetAccess.

With the Representational State Transfer (REST) paradigm becoming more and more popular, DirX Identity provides a REST service which is used to integrate DirX Identity into application environments that want to use the standard HTTP protocol and the performance and scalability advantages of RESTful services.In particular, they can be used by modern, HTML5-based Single-Page applications; one example is the new DirX Identity Business User Interface.

The REST services adhere to SCIM 2, the System for Cross-domain Identity Management.They provide the following features with JavaScript Object Notation (JSON) as the data format:

DirX Identity provides configurable, customizable, and comprehensive audit trail, status reporting and query mechanisms to help ensure and document regulatory compliance.

The audit trail mechanism can track all relevant identity management events, recording information such as the date/time the event occurred, the identity that initiated it, the users who approved it, and whether it was carried out by hand or automatically by a policy.DirX Identity supplies a set of pre-configured audit policies and permits customers to define their own audit policies to satisfy individual corporate requirements.Audit logs are archived in XML format to a central audit store for centralized visibility and traceability and can be optionally secured with a system-specific digital signature to make them tamper-proof.

The status reporting mechanism can generate regulation-specific and custom status reports in XML, HTML, or pure text format on all DirX Identity objects on demand or at scheduled intervals.Customers can use DirX Identity reporting to create reports on specific objects or object collections and their attributes, user-role, permission, and group assignments, delegated users and administrators, unused privileges, the entire role catalog, the complete role hierarchy, and provisioning workflow hierarchies.DirX Identity provides pre-configured reports for common regulations and allows customers to use Extensible Stylesheet Language Transformations (XSLT) to customize them or create their own reports to meet specific requirements.Access policies can be applied to reports to safeguard their security.

While a status report typically comprises the content of many related DirX Identity objects and shows them as a whole, a query typically runs on a specific type of object - for example, a user or a role - with a specific search filter and returns a set of objects to examine.A query can be used, for example, to return a list of objects in an error state.An administrator can examine each object, fix the error, then run the query again to make sure the object is no longer returned in the list.

DirX Identity auditing, status reporting and query work in concert with other DirX Identity services to permit fast, cost-effective deployment of regulatory compliance controls:

DirX Identity also offers seamless integration with DirX Audit, the DirX Identity product that provides for centralized, secure storage, analysis, correlation and review of identity-related audit logs in a single user interface.DirX Audit gives auditors, security compliance officers, and audit administrators the answers to the "what, when, where, who and why" of user access and entitlements.

DirX Identity provides risk assessment for identities based on an extensible set of risk factors.

When risk assessment is enabled at the domain and a risk policy is defined, a risk calculation workflow regularly calculates the risk factors for every user in the domain and then aggregates them into a compound risk according to a customizable configuration, thus classifying users into risk categories from low to high.DirX Identity Web Center displays a user’s risk category, while DirX Identity Manager displays a user’s individual risk factors as well.Risk factors include SoD violations, imported accounts and group memberships and total number of group memberships or privileged accounts.

For any requested change in a user’s privilege assignments, a customizable assignment request workflow can compare the compound risk before and after privilege assignment.If the risk category increases as the result of the requested privilege assignment, additional approval steps can be required before the privilege can be assigned.Compliance officers, line managers and administrators can use DirX Identity’s risk assessment feature to monitor the risk values in the domain and plan actions to reduce the number of high risk users; for example, by running appropriate certification campaigns or by enforcing additional approval steps.

Running complex provisioning and request workflows can result in a heavy load on DirX Identity’s servers.You can use DirX Identity’s specially tailored user interfaces to check the state of the system and to observe running processes and threads.You can use this information to optimize the system; for example, you can add or remove threads for specific tasks, or you can change relevant parameters that affect system performance.

DirX Identity provides a set of specialized Nagios plugins and commands for the Java-based Nagios Remote Plugin Executor (JNRPE) add-on that can be used in an existing Nagios® Core™ Open Source monitoring environment to monitor the status of DirX Identity service resources and operations and to collect statistics about these items for later analysis.

The DirX Identity Nagios plugins allow for monitoring:

The DirX Identity Nagios plugins provide input parameters for specifying warning and critical thresholds to be monitored for DirX Identity service operations, offering DirX Identity administrators the opportunity to respond to problems detected by the plugins and displayed by the Nagios server before they become severe, and to track their resolution.

DirX Identity provides commands for the JNRPE add-on to check:

The DirX Identity servers attempt to handle each event properly.Nevertheless, errors in messages and events can occur as the result of incorrectly configured server processes.These messages and events are stored in a dead letter queue which DirX Identity’s monitoring interface allows you to examine.You can then correct the configuration and process the event again.You can also delete saved messages or events that you no longer need to track.

You can also use the LDAP session tracking information generated by DirX Identity components in conjunction with DirX Directory’s audit record decoding tools to pinpoint DirX Identity component operation and correlate activities across LDAP servers and clients.

By default, DirX Identity processes updates to its identity management data immediately.For example, when an administrator changes a user’s department attribute, the change is applied right away (or when approval is obtained).In some cases, however, administrators may want to delay the application of a change and schedule it for a future date.For example, suppose a company employee is transferring from Sales to Marketing, but not until the end of the month, which is a few weeks away.The employee’s department information should not change until his transfer is complete, but it should be scheduled to change on the date that coincides with his transfer.

DirX Identity provides a ticketing feature that allows administrators to specify due dates for changes to any DirX Identity object - user, role, policy, and so on - and thus schedule the change to occur on the right date.A ticket process runs on a daily basis to check these due date "tickets", and then automatically initiates the change when a ticket’s due date arrives.In this way, the administrator can schedule the employee’s department attribute change from "Sales" to "Marketing" now, and know that it will be carried out automatically at the end of the month.Administrators can view pending and processed ticket orders made on DirX Identity objects to track the order status and results.

The main components of DirX Identity include:

The following figure illustrates these components and the relationships between them.

Many companies have IT service management systems in place to help manage the company’s assets - for example, hand-held devices, software licenses, computer and printer supplies - and dispatch requests for access to these assets to the appropriate IT service technicians and administrators.Some of these requests involve identity management-related actions, like requesting access to a file share or to a specialized function in a software system like Active Directory or SAP.While these systems can be tightly integrated into DirX Identity’s automatic provisioning process, it is often easier and more cost-effective to integrate these external systems loosely as source or target systems for identity management actions.

In the source configuration, the service management system is connected to DirX Identity - for example, through a Web Services interface - and issues identity management-related requests - for example, to create or change a user, or assign a role to a user - to DirX Identity, which then processes these requests.The service management system can issue status update requests to track the request processing.

In the target configuration, the service management system is connected to DirX Identity through a customer-written connector, and DirX Identity issues identity management requests to the system - specifically, provisioning requests.Administrators for the target service management system process the DirX Identity requests and then confirm the completion of their tasks to DirX Identity.

Sometimes there is no external service management system in place for target system provisioning, but connecting the system tightly to DirX Identity’s automated provisioning feature isn’t a good option.Perhaps the target system has a very small number of users, or requires very little ongoing maintenance.DirX Identity’s manual provisioning process allows these systems to remain "offline" to its automated provisioning process but monitors provisioning events to these systems - add, modify or delete requests - and dispatches them to the responsible system administrators via email notifications sent by request workflows.The administrators perform the indicated synchronizations at the target system by hand and then confirm the completion of their tasks to DirX Identity.

DirX Identity components support several standards for connectivity, storage and data formatting:

DirX Identity delivers a powerful set of default applications that hold ready-to-use examples for typical identity creation, maintenance and synchronization workflows.These applications can easily be tailored to customer solutions.The default applications:

DirX Identity has three deployment phases: the planning phase, the initial phase and the production phase.

In the planning phase, you define your approach to DirX Identity deployment given your IT environment: In this phase, the steps are to:

In the initial phase, you install and configure DirX Identity according to your target deployment architecture.Decentralized security administration is in place: the target systems already have accounts and groups, but security administration is not role-based.In this phase, the steps are to:

In the production phase: (the target system integration section in the DirX Identity Tutorial shows how to get to this phase)

You can add additional target systems step by step using the last two steps for each target system that needs to be connected.