Oracle role management business level
DESCRIPTION
Why role management can be a benefit to existing IDM installations. Presented by Carl Terrantroy
TRANSCRIPT
Oracle Role Manager
Carl Terrantroy, Director Market Initiatives ANZ
Roles In The Real World
Org=Corporate
Org=Finance
Org=APAC
Org=Sales
Org=Marketing
Org=EMEA
Org=Americas
Part Of, Reports Into, Matrix Into, Job Sharing, Head Of, Pays For
Ps=John
Ps=AR Clerk
Ps=Jane
Ps=Ian
Ps=Raj
Ps=Clark
Ps=Wang
Ps=Irene
Ps=Kelly
Ps=Amit
Ps=Vladimir
Challenges With HR & LDAP
• Functional roles usually do not match org. hierarchy
• Contractor management is complex
• Limited out-of-the-box integration
Agenda
• Why Role Manager
• IDM Integration
• Role Concepts
The Evolution of Identity Management
Then We Added Provisioning Tool …..
Applications
User
The IT Dude
The Helpdesk Guy
The Cat Who Makes The Rules
The Boss
Resolving policies into WHO is not trivial
Rules and policies are constantly changing
But Provisioning Tools Are Not “Business Smart” …..
Provisioning helps with self service & administration
Provisioning helps with automation & audit
The Evolution of Identity Management
Enterprise Role Management Completes The Puzzle
Applications
Provisioning helps with self service & administration
Provisioning helps with automation & audit
Role Management helps define who has to do what
Role Management helps define who should have access to what
User
The IT Dude
The Helpdesk Guy
The Cat Who Makes The Rules
The Boss
Required Bolt-On Components
Provisioning Platform
Open Architecture
Sun, IBM, CA, Novell
User & Policy Repository
LDAP
Workflow & Other Meta Data
Database & File
Transaction & Audit Logs
DB & File
HR-LDAP Synchronization
Workflow
Role Management
Reporting & Attestation
SEM Log Correlation
Messaging Bus
Store key only
No provisioning history
No reconciliation history
Custom Integration
No history or User Profile History Log
No rogue entitlement detection
Reporting DB
Real-time scan reporting
Manually configured event logging
Role Lifecycle Manager
Polyarchy Manager
Logical Architecture
Services
User Interfaces
Role Admin
Mining
Reporting
Auditing
Data Loading
Role Provider
Temporal Engine
Security
Permissions
Views
• Organization Hierarchies
• Cross Hierarchy Relationships
• Life Cycle Management
• Business And IT roles
• Approver Roles
• Privileges
• Role Mappings
• Dynamic Membership Rules
• Membership Rule Simulation
• Sphere of Influence
• Event Driven Role Recalculation
Mining Engine
• Role And Rule Mining
• Role And Rule Export
• Role Clean Up
• Rogue Access Detection
• Role Cleansing For Seg. of Duties
API
Role & Rule Mining
• Role mining
• Rule mining
• Exports roles and members for ongoing role management
Applications
Mining Engine
Role Management
Accounts, Attributes, Entitlements
Recommended Roles & Rules
Polyarchy With Relationship Resolution
Ps=John, VP Sales
Ps=Vladimir, GM, EMEA
Ps=Amit, GM, APAC
Ps=Kelly, GM, Americas
Ps=Jane, Account Manager
Ps=Ian, Account Manager
Ps=Raj, Account Manager
ORM Polyarchy Engine
Show sales team grouped by geographical business unit hierarchy
Approver Role
• Relationship based roles that capture approval policies
• Role membership resolved in real time for any service
Role Administration
• Centralized enterprise role management
• Support for complex rules
• Ease of use for business users
• Real-time integration
System Privileges
IT Roles
Biz Roles
Business Rules ERM Can Cope With
• Compliance manager is the financial analyst assigned to the division
• Level-up manager is manager’s manager and at least one grade higher
• Risk manager cannot approve his own transactions
• When approver position is empty find the level-up manager within cost center
• In catastrophic events, approver changes from regional general manager to line-of-business manager
• Branch manager delegates must have series 9 – 10 certifications
Role Consolidation through Role Mining
Summary
• Missing link between binary IT systems and adaptable organisation structures
• Copes with loose structures like dotted line reporting
• Extend the capability of your existing IDM investment