Quest One Identity Manager 6
© 2012 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. No part of this document may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose without the written permission of Quest Software, Inc. (“Quest”).
The information in this document is provided in connection with Quest products. No license, express or implied,
by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the
sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN
THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND
DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY
DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or
warranties with respect to the accuracy or completeness of the contents of this document and reserves the right
to make changes to specifications and product descriptions at any time without notice. Quest does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com
Refer to our Web site for regional and international office information.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure,
Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight,
ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer,
DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda,
IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg,
LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo,
PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin,
RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm,
Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad,
T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA,
VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator,
Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of
Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered
trademarks used in this guide are property of their respective owners.
Updated August 2012
Table of Contents
1 New standalone offerings (p. 4)
1.1 Identity Manager Specific Features (p. 4)
1.1.1 Oracle E-Business Suite 12 (p. 4)
1.1.2 Account to Identity Mapping Wizard (p. 7)
1.1.3 Quest One Quick Connect Integration (p. 8)
1.1.4 Automated creation of service items for Active Directory groups (p. 10)
1.1.5 Automated creation of service items for SharePoint Groups (p. 10)
1.1.6 New corporate user interface style guide (p. 10)
1.1.7 Enhanced risk assessment function (p. 11)
1.1.8 Copy attestation policy (p. 12)
1.1.9 Extend attestation cases due date (p. 12)
1.1.10 Maintenance of business owners (p. 13)
1.1.11 Challenge loss of role membership (p. 13)
1.1.12 Out-of-the-box attestation policies (p. 13)
1.1.13 New Dashboards (p. 15)
1.1.14 Enhancements to Analyzer (p. 15)
2 Active Directory Edition Specific Features (p. 17)
2.1.1 ActiveRoles virtual attributes (p. 17)
2.1.2 Default approval workflow for group memberships (p. 17)
2.1.3 Default approval workflow for group management (p. 17)
3 Data Governance Edition Features (p. 18)
3.1.1 Data Governance functions (p. 18)
3.1.2 Integration of data governance user interface into Identity Manager (p. 18)
3.1.3 Workflows (p. 19)
3.1.4 Dashboards (p. 19)
3.1.5 Reports (p. 20)
3.1.6 Out of the box subscription reports (p. 22)
3.1.7 Web User Interface Views (p. 22)
1 New standalone offerings
With this release we now ship three separate offerings:
1. Active Directory Edition - Empowers end users and managers to fulfill Active Directory group management and attestation through a simple, customizable request in a simple deployment, integrating natively with ActiveRoles Server or Active Directory.
2. Data Governance Edition - Protects the business by giving the people who actually know who should access sensitive data the power to analyze, approve, and fulfill unstructured data access requests.
3. Identity Manager Bundle - Streamlines and automates the management of user identities, access privileges, and security enterprise-wide.
These offerings differ from each other and use specific features of the Quest One Identity Manager framework that are selectable during installation. They are sold together or standalone; please consult your sales representative for more information.
1.1 Identity Manager Specific Features
1.1.1 Oracle E-Business Suite 12
A new native Oracle E-Business Suite 12 connector provides user account management based on employee data.
Functional Overview:
A) User account management functions (new Q1IM namespace tables for Oracle EBS)
- User accounts (target table APPLSYS.FND_USER):
  o CRUD (Create, Read, Update, Delete) operations; Delete is implemented by activation and deactivation, as Oracle EBS requires
  o CRUD operations on account preferences (target table APPLSYS.FND_USER_PREFERENCES)
  o set and modify password
  o assign and remove responsibilities
  o read responsibility memberships and assignments of attributes and attribute values
  o read references to HR and TCA objects (contacts, suppliers, vendors, employees, managers, locations)
- Responsibilities (target table APPLSYS.FND_RESPONSIBILITY):
  o direct and indirect memberships
  o read explicitly excluded menus and attributes
  o read assignments of attributes and their values
B) HR import functions (target table Person)
- HR persons (target table HR.PER_ALL_PEOPLE_F):
  o read attributes of persons
  o read assignments to locations
  o read assignments to job groups (target table HR.PER_ROLES)
  o read manager relations
Figure 1: Overview of an Oracle E-Business Suite system
Figure 2: Overview of an Oracle E-Business Suite application within a system
Figure 3: An Oracle E-Business Suite responsibility representation
Figure 4: An Oracle E-Business Suite user account
Unlike the SAP R/3 connector, the Oracle connector also implements an HR import into Q1IM, consuming the information held in the HR module of the Oracle E-Business Suite. Each imported person additionally carries information about the source of the record; a record whose source is the HR system cannot be deleted in Quest One Identity Manager.
1.1.2 Account to Identity Mapping Wizard
Using the administrative console, administrators can define rules for mapping user accounts to employees. A mapping is defined per target system. It can be executed manually (immediately) or automatically: the mapping rules are stored in the database and evaluated after new objects have been read from a target system into Quest One Identity Manager. The wizard is available in the UI for all target systems.
Figure 5: The mapping wizard for an Active Directory domain
1.1.3 Quest One Quick Connect Integration
Provides the ability to synchronize and (de)provision target systems using the Quest One Quick Connect
Universal connector API.
Highlights:
- Read lists of connectors, connections, and workflows from Quick Connect in a consolidated UI.
- Automated creation of synchronization and provisioning processes in Quest One Identity Manager
administrative console for custom target systems based on information read from Quick Connect.
- Available as part of a licensing bundle or on a per connector basis.
Figure 6: Overview of a registered Quick Connect service
Figure 7: Representation of a Quick Connect workflow
Figure 8: A “QCAOperation” to link processes to Quick Connect workflow steps
1.1.4 Automated creation of service items for Active Directory groups
Synchronized Active Directory groups will automatically be assigned to a default IT Shop and the group owners
will be calculated from the primary manager attribute set in Active Directory. The assignment of a service
category is defined by the group type (security group, distribution list).
1.1.5 Automated creation of service items for SharePoint Groups
Synchronized SharePoint groups will automatically be assigned to a default IT Shop and the group owners will be
calculated from the primary manager attribute set in Active Directory. The assignment of a service category is
automatically defined by the site collection.
1.1.6 New corporate user interface style guide
The web interface now fully adopts Quest’s style guide for user interfaces.
Figure 9: The new GUI style
1.1.7 Enhanced risk assessment function
Within the web interface, users can now see the details of the assigned risks and their composition, as well as a “high risk employees” dashboard.
- Completely redesigned
- User friendly, with selectable and sortable fields
- Tabular layout and returned data allow quick and easy sorting, highlighting risk requirements quickly
Figure 10: Overview of the risk origin of an object
Figure 11: High risk overview
1.1.8 Copy attestation policy
Within the web user interface, an existing attestation policy can be copied for ease of use. This functionality was
created to support a high volume use case from the field.
1.1.9 Extend attestation cases due date
Within the web user interface, the due date for all attestation cases of an attestation policy creation run can be
extended.
Figure 12: Extending the due dates of attestations
1.1.10 Maintenance of business owners
Within the web interface, administrators of target systems or of functional areas such as role management can now assign business owners to roles, entitlements, and resources that have no assigned owner.
For example, a role administrator can assign business owners to roles that have no assigned owner. The same function is available for all other objects that can have a business owner (for example business roles, system roles and entitlements).
This functionality is well suited to the cleanup and management of these roles and functions as an important part of the identity lifecycle.
Figure 13: Assigning business owners
1.1.11 Challenge loss of role membership
When a primary assignment of an organizational membership or a business role membership is deleted by an import (or by any process that provides a defined runtime variable), the following process is triggered:
- create a request for a secondary assignment of this membership
- auto-approve this request with a given due date (the number of days can be defined as a configuration parameter)
- create the assignment
- remove or change the primary ownership
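An added model (not Quest code) of the four-step process above, so the time-boxed secondary assignment and its due date can be traced; the trigger variable name, the configuration key and the overdue check are assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed configuration parameter: days until the auto-approved secondary assignment is due
CONFIG = {"ChallengeDueDays": 14}
# Assumed name of the runtime variable that an import sets to trigger the process
TRIGGER_VARIABLE = "ChallengeLossOfMembership"


@dataclass
class Assignment:
    person: str
    role: str
    kind: str                      # "primary" or "secondary"
    due_date: Optional[date] = None


@dataclass
class Ledger:
    assignments: List[Assignment] = field(default_factory=list)
    requests: List[dict] = field(default_factory=list)


def on_primary_deleted(ledger: Ledger, person: str, role: str, deleted_on: date,
                       runtime_vars: Dict[str, object]) -> Optional[dict]:
    """Run the four steps when a primary assignment is deleted by a process that
    set the defined runtime variable. A deletion without the variable (e.g. a
    deliberate manual removal) is left untouched and returns None."""
    if not runtime_vars.get(TRIGGER_VARIABLE):
        return None
    due = deleted_on + timedelta(days=CONFIG["ChallengeDueDays"])
    # 1. request a secondary assignment of the same membership
    request = {"person": person, "role": role, "kind": "secondary",
               "status": "pending", "due_date": due}
    # 2. auto-approve it with the configured due date
    request["status"] = "approved"
    ledger.requests.append(request)
    # 3. create the secondary assignment
    ledger.assignments.append(Assignment(person, role, "secondary", due))
    # 4. remove the primary ownership
    ledger.assignments[:] = [a for a in ledger.assignments
                             if not (a.person == person and a.role == role and a.kind == "primary")]
    return request


def overdue_challenges(ledger: Ledger, today: date) -> List[Assignment]:
    """Reviewer's view (an assumption beyond the page's steps): secondary
    assignments past their due date that were never re-requested or revoked."""
    return [a for a in ledger.assignments
            if a.kind == "secondary" and a.due_date is not None and a.due_date < today]


if __name__ == "__main__":
    # Constructed sample: one primary department membership removed by an import
    book = Ledger([Assignment("p1", "Dept-Finance", "primary")])
    print(on_primary_deleted(book, "p1", "Dept-Finance", date(2012, 8, 1), {TRIGGER_VARIABLE: True}))
    print(overdue_challenges(book, date(2012, 8, 16)))
```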
1.1.12 Out-of-the-box attestation policies
A complete set of predefined attestation policies, including schedules and workflows, is provided out of the box:
- Group membership attestation: Attests user account memberships in system entitlements. Attestors can be system entitlement product owners, managers or approvers assigned to the attestation policy.
- System entitlement attestation: Attests all entitlements of a group based on a report. Attestors can be group product owners or approvers assigned to the attestation policy.
- Primary cost center attestation: Allows someone to attest to the primary cost center assignment of a given employee.
- Primary department attestation: Allows someone to attest to the primary department assignment of a given employee.
- Primary location attestation: Allows someone to attest to the primary location assignment of a given employee.
- Secondary cost center attestation: Allows someone to attest to the secondary cost center assignments of a given employee.
- Secondary department attestation: Allows someone to attest to the secondary department assignments of a given employee.
- Secondary location attestation: Allows someone to attest to the secondary location assignments of a given employee.
- Application role membership attestation: Attests application role memberships. Attestors can be approvers assigned to the attestation policy.
- Business role membership attestation: Attests memberships in business roles. Attestors can be business role managers or approvers assigned to the attestation policy.
- System role membership attestation: Attests system role assignments to employees. Attestors can be system role supervisors or approvers assigned to the attestation policy.
- Application role attestation: Attests application role properties. Attestors can be approvers assigned to the attestation policy.
- Business role attestation: Attests business role properties. Attestors can be business role managers or approvers assigned to the attestation policy.
- New business role certification: A new business role is added as the result of data analysis in the Analyzer. The manager attests that the business role is correct (including the manager assignment). If attestation approval is granted, the option "Employees do not inherit" is removed from the business role and inheritance is enabled. This attestation policy is predefined by Quest.
- Cost center attestation: Attests cost center properties. Attestors can be cost center managers or approvers assigned to the attestation policy.
- Department attestation: Attests department properties. Attestors can be department managers or approvers assigned to the attestation policy.
- Location attestation: Attests location properties. Attestors can be location managers or approvers assigned to the attestation policy.
- System role attestation: Attests system role properties. Attestors can be system role supervisors or approvers assigned to the attestation policy.
Only available when using Data Governance Edition:
- Data Governance: Resource Ownership Attestation: Allows someone to attest to the ownership of selected resources.
- Data Governance: Resource Security Attestation: Allows someone to attest to the security configuration of selected resources and their children, where it has materially deviated from that of the parent.
- Data Governance: Accounts with Direct Access Attestation: The employee marked as "responsible" for an account in some way (either as a manager, or as the person responsible for a particular privileged account) is called on to attest to the entitlements of these "managed" accounts.
- Data Governance: Groups with Direct Access Attestation: Attests single group entitlements. Attestors can be group product owners or approvers assigned to the attestation policy.
1.1.13 New Dashboards
- Last approvals granted (policy violations): Finds the number of policy violation approvals granted with a
processing time of 1, 2, 5, 10 and > 10 days.
- New policy violations in the last month: Finds new policy violations from the previous month grouped by
importance.
- Policy violation approval rates: Finds the number of approved and denied policy violations on a weekly basis.
- Overdue policy violations: Policy violations not processed for more than 2 days.
- Pending policy violations: Finds the number of all pending policy violations on a daily basis.
- Last approvals (policy violations): Finds the number of policy violations decided with a processing time of 1,
2, 5, 10 and > 10 days.
- New policy violations: Finds the number of policy violations from the previous day.
1.1.14 Enhancements to Analyzer
The Analyzer role mining capabilities have been enhanced as follows:
- Upon loading, Analyzer checks a new configuration parameter; if the configuration parameters are inactive, Analyzer stops loading because role mining is not licensed.
- Save run configuration: after using the wizard and performing an analysis, the analysis configuration can be stored for later use.
Figure 14: Saving a role mining run configuration
Figure 15: Loading a saved run configuration
- When a mined role is saved to the Quest One Identity Manager database, a business owner can be assigned to it.
Figure 16: Assigning an owner on saving a mined role to Q1IM
2 Active Directory Edition Specific Features
2.1.1 ActiveRoles virtual attributes
Attributes available in ActiveRoles Server can now be reflected in the Quest One Identity Manager Active Directory Edition (ADE) system on a synchronized basis. This means that existing investments in managing primary and secondary owners of groups, and their published state, using ActiveRoles Server can seamlessly be used in ADE.
This is made possible by extending the synchronization of attributes from ActiveRoles Server to Quest One Identity Manager:
- edsvaAppByPrimaryOwnerReq: Approval by the primary owner (manager) of the group is required.
- edsvaAppBySecondaryOwnerReq: Approval by a secondary owner of the group is required.
- edsvaPublished: Group is published to Self-Service Manager. When a group is published, users can request self-membership in that group through ActiveRoles Server Self-Service Manager.
- edsvaSecondaryOwners: Contains a list of secondary owners (distinguished name or SID); these may be Active Directory groups or user accounts.
2.1.2 Default approval workflow for group memberships
The default approval workflow for group memberships in ADE was extended to reflect the settings of the additionally synchronized ActiveRoles virtual attributes for primary and secondary owners.
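As an added illustration (not Quest code) of how a membership approval workflow like the one in 2.1.2 can derive its steps from the four virtual attributes listed in 2.1.1; the routing rules, the escalation when a required owner is missing, the helper names and the sample group are assumptions:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows security identifier, e.g. S-1-5-21-...-1105
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# LDAP distinguished name, e.g. CN=Fin Admins,OU=Groups,DC=example,DC=com
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*$")


@dataclass
class AdGroup:
    name: str
    managed_by: Optional[str]                                  # primary owner (AD managedBy DN); may be empty
    virtual: Dict[str, object] = field(default_factory=dict)   # synchronized edsva* attributes


def classify_owner(entry: str) -> str:
    """edsvaSecondaryOwners holds DNs or SIDs; tell them apart so each entry can be
    resolved to the right account or group before it is used as an approver."""
    e = entry.strip()
    if SID_RE.match(e):
        return "sid"
    if DN_RE.match(e):
        return "dn"
    raise ValueError(f"unrecognised owner reference: {entry!r}")


def approval_steps(group: AdGroup, self_service: bool) -> List[dict]:
    """Ordered approval steps for a membership request on `group`.
    Assumed semantics (not stated by the page): a self-service request is only
    possible when edsvaPublished is set; each *Req attribute adds one approval
    step; a required owner step whose owner is missing escalates rather than
    being silently skipped, so an ownerless group cannot be joined unapproved."""
    if self_service and not group.virtual.get("edsvaPublished", False):
        raise PermissionError(f"{group.name} is not published for self-service requests")
    steps: List[dict] = []
    if group.virtual.get("edsvaAppByPrimaryOwnerReq"):
        if group.managed_by:
            steps.append({"step": "primary_owner", "approvers": [group.managed_by]})
        else:
            steps.append({"step": "escalate",
                          "reason": "edsvaAppByPrimaryOwnerReq set but managedBy is empty"})
    if group.virtual.get("edsvaAppBySecondaryOwnerReq"):
        owners = [o.strip() for o in (group.virtual.get("edsvaSecondaryOwners") or [])]
        for o in owners:
            classify_owner(o)  # reject malformed references early
        if owners:
            steps.append({"step": "secondary_owner", "approvers": owners})
        else:
            steps.append({"step": "escalate",
                          "reason": "edsvaAppBySecondaryOwnerReq set but edsvaSecondaryOwners is empty"})
    if not steps:
        steps.append({"step": "auto_approve"})
    return steps


# Constructed sample group with its synchronized virtual attributes (not from the page)
SAMPLE_GROUP = AdGroup(
    name="Finance-Share-RW",
    managed_by="CN=Jane Doe,OU=Users,DC=example,DC=com",
    virtual={
        "edsvaAppByPrimaryOwnerReq": True,
        "edsvaAppBySecondaryOwnerReq": True,
        "edsvaPublished": True,
        "edsvaSecondaryOwners": [
            "CN=Fin Admins,OU=Groups,DC=example,DC=com",
            "S-1-5-21-1004336348-1177238915-682003330-1105",
        ],
    },
)

if __name__ == "__main__":
    for step in approval_steps(SAMPLE_GROUP, self_service=True):
        print(step)
```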
2.1.3 Default approval workflow for group management
The following request and approval workflows are available out of the box (previously this required specific configuration):
- New Active Directory distribution list
- New Active Directory security group
- Delete Active Directory group
- Modify Active Directory group
o Modification of group scope (global, local, universal) and type (security, distribution).
- Remove group membership
3 Data Governance Edition Features
3.1.1 Data Governance functions
Data Governance provides content owners with tools and workflows to manage and govern their unstructured data.
Through the Manager/Identity Manager, IT administrators can:
- Identify who can access, and who is accessing, NTFS-based systems (Windows Server, NAS devices) and SharePoint 2010 resources through a detailed security view.
- Perform “what if” access modeling.
- Manage access and edit data security settings.
- Identify and assign business owners for data.
- Secure unstructured data by placing it under governance and publishing it to the IT Shop.
Through the Web Portal, users have access to:
- Self-service access requests for the data they need.
- Attestation reviews to ensure proper allocation and use of data.
- Views, dashboards, and reports that enable business owners, compliance officers and auditors to see data access and activity.
3.1.2 Integration of data governance user interface into Identity Manager
You can browse through the resources on the hosts in your managed domains to:
- Examine a file system or SharePoint farm to see what users and groups have access to it, and modify
the access if required.
- Compare account access and simulate group membership changes.
- Calculate perceived owners for data.
- Place data under governance and publish it to the IT Shop.
Figure 17: Sample of Data Governance integration into the Manager user interface
3.1.3 Workflows
The following request and approval workflows are now available:
- Default approval workflow for resource access.
Requests follow a defined approval process that determines whether access to the data can be assigned or not. Authorized persons, in this case the business owner and the group owner, can approve or deny IT Shop requests. Once the business owner approves a request, it is forwarded to the “best fit” group owner to complete the workflow. (The group is retrieved from the Data Governance Service through the WCF Web Service.)
Escalations for resources that have no assigned business owner (to the CISO role) or no group owner (to the target system owner role) are integrated into the process.
Note: There are separate definitions for file system resources and SharePoint resources.
Figure 18: Sample request for access to a file system object
- Change resource security.
A business owner of a resource can request a change of the ACL of the resource. The request is sent to the IT Administrator to execute.
- Reject resource ownership.
An assigned business owner of a resource can reject this ownership if it is not appropriate. The rejection is forwarded to the IT Manager, who can assign a new business owner.
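An added model (not Quest code) of the default resource access workflow above, including both escalation paths; the “best fit” rule (the group granting the requested rights with the least extra privilege), the sample resource and all names are assumptions:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Group:
    name: str
    owner: Optional[str]          # group owner; None when nobody is assigned
    rights: FrozenSet[str]        # rights this group's ACE grants on the resource
    member_count: int


@dataclass
class Resource:
    path: str
    kind: str                     # "filesystem" or "sharepoint" (separate workflow definitions)
    business_owner: Optional[str]
    groups: List[Group]           # groups with access, as the Data Governance Service would return them


def best_fit_group(resource: Resource, requested: FrozenSet[str]) -> Optional[Group]:
    """Assumed 'best fit' rule: among the groups that grant at least the requested
    rights, pick the one with the fewest extra rights, then the fewest members,
    so fulfilling the request grants the least privilege that satisfies it."""
    candidates = [g for g in resource.groups if requested <= g.rights]
    if not candidates:
        return None
    return min(candidates, key=lambda g: (len(g.rights - requested), g.member_count))


def approval_chain(resource: Resource, requested: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Ordered approvers for an IT Shop access request, with the two escalations the
    page names: CISO role when the resource has no business owner, target system
    owner role when the best-fit group has no owner."""
    chain: List[Tuple[str, str]] = []
    if resource.business_owner:
        chain.append(("business_owner", resource.business_owner))
    else:
        chain.append(("escalation", "CISO role"))
    group = best_fit_group(resource, requested)
    if group is None:
        # No existing group grants these rights, so membership cannot satisfy the
        # request; it would have to go through a "change resource security" request.
        chain.append(("needs_security_change", resource.path))
        return chain
    if group.owner:
        chain.append(("group_owner", f"{group.owner} ({group.name})"))
    else:
        chain.append(("escalation", f"target system owner role ({group.name})"))
    return chain


# Constructed sample resource (not from the page)
SAMPLE = Resource(
    path=r"\\fs01\finance\budgets",
    kind="filesystem",
    business_owner="alice",
    groups=[
        Group("FIN-Budgets-R", "bob", frozenset({"read"}), 50),
        Group("FIN-Budgets-RW", None, frozenset({"read", "write"}), 5),
        Group("FIN-Admins", "carol", frozenset({"read", "write", "full"}), 2),
    ],
)

if __name__ == "__main__":
    for step in approval_chain(SAMPLE, frozenset({"read", "write"})):
        print(step)
```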
3.1.4 Dashboards
The following dashboards are provided out of the box:
- Top 10 active users of my owned resource: Displays most active users for owned resources sorted by
descending number of activities.
- Top 10 active resources across all governed resources: Displays most active resources across all governed
resources by descending number of activities.
- Policy violations by owner (current).
- Top 10 active resources that I own: Displays most active resources that I own sorted by descending number
of activities.
- Compliance rule violations by owner (current).
- Resource publishing and ownership statistics: Displays key numbers for resources, such as the total number
of resources, resources published in IT shop, and those with ownership assigned.
- Resources with and without policies: Displays the total number of resources with and without policies
defined against them.
- Resource publishing and ownership activity (7 days): Displays changes on key numbers for resources, such
as the total number of resources, resources published in IT shop, and those with ownership assigned.
- Policy violations by owner (12 months).
- Compliance rule violations by owner (12 months).
3.1.5 Reports
New report providers have been added to the Quest One Identity Manager reporting engine. Reports can use
data from the Identity Manager database and also retrieve real-time data from the Data Governance server.
New reports include the following:
- Resource Activity: Displays all activity on a specified File System or SharePoint resource (by one or more
users over a specified period of time).
- Account Activity: Identifies a user’s activity for the specified period on a specified list of resources to locate
unauthorized activity.
- Interesting Resources: Highlights data that has a high level of activity but does not have an owner. The
report includes the perceived owner for resources.
- Local Rights and Service Identities: Helps you understand who has local rights on a managed host and what
identities are being used to run Windows services.
- Resource Access: Displays a comprehensive list of all users and groups that have direct or indirect access
to the specified resource.
- Account Access: Details a user’s direct and indirect access (through group memberships) to file system
and/or SharePoint resources on the managed hosts.
- Data Ownership Over Time: Identifies how data ownership has changed over time for better control over
data access.
- Perceived Owners for Data Under Governance: Displays the perceived owner for data marked for
governance.
- Data Owners vs. Perceived Owners: Identifies whether the perceived owners should be the designated
business owners based on responsibilities.
- Unused Groups: Identifies groups that are not used in any ACLs on file system or SharePoint resources.
- Empty Groups: Identifies groups without any members to help in security group cleanup efforts.
- Group Members Comparison: Highlights where group membership differs between two or more groups.
- Member Of Comparison: Identifies access differences between two or more accounts due to memberships in
different security groups.
- Member Of: Provides a complete picture of a user’s membership in a group including those acquired
because of any nested group membership.
3.1.6 Out of the box subscription reports
The following report subscriptions are available:
- Interesting Resources without Owner: Highlights data that has a high level of activity but does not have an
owner. The report includes the perceived owner for resources.
- Local Rights and Service Identities: Helps you understand who has local rights on a managed host and what
identities are being used to run Windows services.
- Data Ownership Over Time: Displays how ownership of resources has changed over time for better control
over access to data.
- Resource Access: Provides a comprehensive view of all users and groups that have direct or indirect access
to the specified resources.
- Unused Groups: Identifies groups that are not used in any ACLs on file system or SharePoint resources.
- Account Activity: Identifies a user’s activity for the specified period on a specified list of resources to identify
any unauthorized activity.
- Account Access: Details a user’s direct and indirect access (through group memberships) to file system
and/or SharePoint resources on the managed hosts.
- Resource Activity: Identifies all activity that is occurring on a specific file system or SharePoint resource (by
one or more users in a specific period of interest).
- Member Of Comparison: Identifies access differences between two or more accounts due to memberships in
different security groups.
- Member Of: Provides a complete picture of a user’s membership in a group including those acquired
because of any nested group membership.
- Group Members Comparison: Highlights where group membership differs between two or more groups.
- Perceived Owners for Data Under Governance: Identifies the probable business owners for the data that is
marked for governance.
- Data Owners vs. Perceived Owners: Displays if the probable business owners should be the designated
business owners due to change of responsibilities.
- Group Members: Lists the members in a security group.
- Empty Groups: Identifies groups without any members to help in security group cleanup efforts.
- My Empty Groups: Displays any groups that do not have members. This helps determine groups that are
candidates for removal.
3.1.7 Web User Interface Views
3.1.7.1 Business Owners
- File system and SharePoint: The Web Portal provides information on owned governed resources. This
includes activity, associated policies, resource details (including associated reports), and requests and
attestations they are involved with.
Figure 19: File system resource overview for a business owner
- Security settings and activity: The business owner can drill into resources for detailed information and
reports.
Figure 20: File system resource detail overview
3.1.7.2 Compliance & Security Officer
- Attestation policies: The Compliance/Security Officer can define “resource ownership” and “resource
security” attestation policies to ensure compliance rules for unstructured data are being met.