Quest One Identity Manager 6.0 What’s new


Quest One Identity Manager 6.0

What’s new


© 2012 Quest Software, Inc.

ALL RIGHTS RESERVED.


Updated August 2012


Table of Contents

1 New standalone offerings

1.1 Identity Manager Specific Features

1.1.1 Oracle E-Business Suite 12

1.1.2 Account to Identity Mapping Wizard

1.1.3 Quest One Quick Connect Integration

1.1.4 Automated creation of service items for Active Directory groups

1.1.5 Automated creation of service items for SharePoint Groups

1.1.6 New corporate user interface style guide

1.1.7 Enhanced risk assessment function

1.1.8 Copy attestation policy

1.1.9 Extend attestation cases due date

1.1.10 Maintenance of business owners

1.1.11 Challenge loss of role membership

1.1.12 Out-of-the-box attestation policies

1.1.13 New Dashboards

1.1.14 Enhancements to Analyzer

2 Active Directory Edition Specific Features

2.1.1 ActiveRoles virtual attributes

2.1.2 Default approval workflow for group memberships

2.1.3 Default approval workflow for group management

3 Data Governance Edition Features

3.1.1 Data Governance functions

3.1.2 Integration of data governance user interface into Identity Manager

3.1.3 Workflows

3.1.4 Dashboards

3.1.5 Reports

3.1.6 Out of the box subscription reports

3.1.7 Web User Interface Views


1 New standalone offerings

With this release we now ship with three separate offerings:

1. Active Directory Edition: Empowers end users and managers to carry out Active Directory group management and attestation through a simple, customizable request process in a simple deployment, integrating natively with ActiveRoles Server or Active Directory.

2. Data Governance Edition: Protects the business by giving the people who actually know who should access sensitive data the power to analyze, approve, and fulfill unstructured data access requests.

3. Identity Manager Bundle: Streamlines and automates the management of user identities, access privileges, and security enterprise-wide.

These offerings differ from each other and use specific features of the Quest One Identity Manager framework, selectable during installation. They are sold together or standalone; please consult your sales representative for more information.

1.1 Identity Manager Specific Features

1.1.1 Oracle E-Business Suite 12

New native Oracle E-Business Suite 12 connector provides user account management of employee data.

Functional Overview:

A) User account management functions (new Q1IM namespace tables for Oracle EBS)

- User accounts (target table APPLSYS.FND_USER):

o CRUD (Create, Read, Update, Delete) operations; as Oracle EBS requires, delete is implemented by deactivating (and reactivating) the account

o CRUD operations on account preferences (target table APPLSYS.FND_USER_PREFERENCES)

o set and modify the password

o assign and remove responsibilities

o read responsibility memberships and assignments of attributes and attribute values

o read references to HR and TCA objects (contacts, suppliers, vendors, employees, managers, locations)

- Responsibilities (target table APPLSYS.FND_RESPONSIBILITY):

o direct and indirect memberships

o read explicitly excluded menus and attributes

o read assignments of attributes and their values

B) HR import functions (target table Person)

- HR persons (target table HR.PER_ALL_PEOPLE_F):

o read attributes of persons

o read assignments to locations

o read assignments to job groups (target table HR.PER_ROLES)

o read manager relations

Figure 1: Overview of an Oracle E-Business Suite system


Figure 2: Overview of an Oracle E-Business Suite application within a system

Figure 3: An Oracle E-Business Suite responsibility representation


Figure 4: An Oracle E-Business Suite user account

Unlike the SAP R/3 connector, the Oracle connector also implements the HR import into Q1IM, consuming the information held in the HR module of the Oracle E-Business Suite. In addition, each person record carries information about its source. If the source is the HR system, the record cannot be deleted in Quest One Identity Manager.

1.1.2 Account to Identity Mapping Wizard

Using the administrative console, administrators can define rules for mapping user accounts to employees. A mapping is defined per target system. It can be run manually (immediately) or automatically: the rules are stored in the database and are evaluated after new objects have been read from a target system into Quest One Identity Manager. The wizard is available in the UI for all target systems.
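The mapping wizard is, in effect, a rule engine: for each target system an ordered set of rules, each comparing an account attribute with an employee attribute. The Python below is an added illustration of how such rules are evaluated and is not Quest code; the rule set (employeeID against personnel number, then mail, then display name), the attribute names and the sample employees and accounts are all constructed. The point a practitioner should take from it is that an ambiguous match must stop the evaluation rather than fall through to a weaker rule, because linking an account to the wrong identity attaches that person's entitlements, risk and attestations to it.

```python
"""Added illustration of rule-based account-to-identity mapping.
Not Quest code: rules, attribute names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Employee:
    uid: str
    personnel_number: str
    mail: str
    first_name: str
    last_name: str

@dataclass
class Account:
    target_system: str
    name: str                            # e.g. sAMAccountName for Active Directory
    employee_id: str = ""
    mail: str = ""
    display_name: str = ""
    employee_uid: Optional[str] = None   # set once the account is mapped
    mapping_rule: Optional[str] = None   # the rule that produced the mapping

@dataclass(frozen=True)
class MappingRule:
    """Account and employee match when both key functions return the same non-empty value."""
    name: str
    account_key: Callable[[Account], str]
    employee_key: Callable[[Employee], str]

def _norm(value: str) -> str:
    return value.strip().casefold()

# Assumed rule set for an AD domain, in decreasing order of trust.
AD_RULES: List[MappingRule] = [
    MappingRule("employeeID = personnel number",
                lambda a: _norm(a.employee_id), lambda e: _norm(e.personnel_number)),
    MappingRule("mail = mail",
                lambda a: _norm(a.mail), lambda e: _norm(e.mail)),
    MappingRule("displayName = 'Last, First'",
                lambda a: _norm(a.display_name),
                lambda e: _norm(f"{e.last_name}, {e.first_name}")),
]

def map_accounts(accounts, employees, rules):
    """Map each unmapped account to at most one employee.

    Returns (mapped, ambiguous, unmatched). An ambiguous hit (several employees
    share the key) stops evaluation for that account: a weaker rule must not
    decide what a stronger rule could not."""
    index = {}                                   # rule name -> key -> [employees]
    for rule in rules:
        by_key = {}
        for emp in employees:
            key = rule.employee_key(emp)
            if key:
                by_key.setdefault(key, []).append(emp)
        index[rule.name] = by_key
    mapped, ambiguous, unmatched = [], [], []
    for acct in accounts:
        if acct.employee_uid:                    # already linked: never re-map silently
            continue
        outcome = None
        for rule in rules:
            key = rule.account_key(acct)
            if not key:
                continue                         # attribute not populated: rule not applicable
            hits = index[rule.name].get(key, [])
            if len(hits) == 1:
                acct.employee_uid, acct.mapping_rule = hits[0].uid, rule.name
                mapped.append(acct)
                outcome = "mapped"
                break
            if len(hits) > 1:
                ambiguous.append((acct, rule.name, sorted(h.uid for h in hits)))
                outcome = "ambiguous"
                break
        if outcome is None:
            unmatched.append(acct)               # e.g. service accounts: manual handling
    return mapped, ambiguous, unmatched

# Constructed sample data: two employees share the display name "Jones, Robert".
SAMPLE_EMPLOYEES = [
    Employee("E-1", "1001", "alice.smith@example.com", "Alice", "Smith"),
    Employee("E-2", "1002", "r.jones@example.com", "Robert", "Jones"),
    Employee("E-3", "1003", "robert.jones@example.com", "Robert", "Jones"),
]

def sample_accounts() -> List[Account]:
    return [
        Account("AD", "asmith", employee_id="1001"),
        Account("AD", "rjones", mail="Robert.Jones@Example.com"),
        Account("AD", "rjones2", display_name="Jones, Robert"),   # ambiguous on purpose
        Account("AD", "svc_backup"),                              # service account
    ]

def run_demo():
    return map_accounts(sample_accounts(), SAMPLE_EMPLOYEES, AD_RULES)

if __name__ == "__main__":
    mapped, ambiguous, unmatched = run_demo()
    print([(a.name, a.employee_uid, a.mapping_rule) for a in mapped])
    print([(a.name, rule, uids) for a, rule, uids in ambiguous])
    print([a.name for a in unmatched])
```

Running the demo maps asmith and rjones, reports rjones2 as ambiguous under the display-name rule, and leaves svc_backup unmatched for manual review. Accounts that are already linked are skipped, so a later automatic run after a synchronization cannot silently re-point an account at a different person.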


Figure 5: The mapping wizard for an Active Directory domain

1.1.3 Quest One Quick Connect Integration

Provides the ability to synchronize and (de)provision target systems using the Quest One Quick Connect

Universal connector API.

Highlights:

- Read lists of connectors, connections, and workflows from Quick Connect in a consolidated UI.

- Automated creation of synchronization and provisioning processes in Quest One Identity Manager

administrative console for custom target systems based on information read from Quick Connect.

- Available as part of a licensing bundle or on a per connector basis.


Figure 6: Overview of a registered Quick Connect service

Figure 7: Representation of a Quick Connect workflow


Figure 8: A “QCAOperation” to link processes to Quick Connect workflow steps

1.1.4 Automated creation of service items for Active Directory groups

Synchronized Active Directory groups will automatically be assigned to a default IT Shop and the group owners

will be calculated from the primary manager attribute set in Active Directory. The assignment of a service

category is defined by the group type (security group, distribution list).

1.1.5 Automated creation of service items for SharePoint Groups

Synchronized SharePoint groups will automatically be assigned to a default IT Shop and the group owners will be

calculated from the primary manager attribute set in Active Directory. The assignment of a service category is

automatically defined by the site collection.

1.1.6 New corporate user interface style guide

The web interface now fully adopts Quest’s style guide for user interfaces.


Figure 9: The new GUI style

1.1.7 Enhanced risk assessment function

Within the web interface, users can now see the details of the assigned risks and their composition, as well as a "high risk employees" dashboard.

- Completely redesigned

- User friendly, with selectable and sortable fields

- Tabular layout of the returned data allows quick sorting, so the items that drive the risk stand out immediately

Figure 10: Overview of the risk origin of an object


Figure 11: High risk overview

1.1.8 Copy attestation policy

Within the web user interface, an existing attestation policy can be copied for ease of use. This functionality was

created to support a high volume use case from the field.

1.1.9 Extend attestation cases due date

Within the web user interface, the due date for all attestation cases of an attestation policy creation run can be

extended.

Figure 12: Extending the due dates of attestations


1.1.10 Maintenance of business owners

Within the web interface, administrators of target systems or of functional areas such as role management can now assign business owners to roles, entitlements, and resources that have no assigned owner.

For example, a role administrator can assign business owners to roles that have no assigned owner. The same function is available for all other objects that can have a business owner (for example, business roles, system roles and entitlements).

This functionality supports the cleanup and ongoing management of these objects and is an important part of the identity lifecycle.

Figure 13: Assigning business owners

1.1.11 Challenge loss of role membership

When a primary assignment of an organizational or business role membership is deleted by an import (or by any process that sets a defined runtime variable), the following process is triggered:

- create a request for a secondary assignment of this membership

- auto-approve this request with a given due date (the number of days is a configuration parameter)

- create the assignment

- remove or change the primary assignment
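The four steps above amount to a grace period: a membership that an import takes away is not dropped outright, which would silently revoke everything inherited through it, but converted into a time-limited secondary assignment that expires unless someone renews it. The following Python is an added illustration of that conversion and is not Quest code; the Person and Request structures, the department example and GRACE_DAYS (standing in for the configurable number of days) are assumptions.

```python
"""Added illustration of the 'challenge loss of role membership' process.
Not Quest code; GRACE_DAYS stands in for the configuration parameter."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

GRACE_DAYS = 30   # assumed value of the configurable number of days


@dataclass
class Person:
    uid: str
    primary_department: Optional[str]
    # secondary department -> valid-until date of the time-limited assignment
    secondary_departments: Dict[str, date] = field(default_factory=dict)


@dataclass
class Request:
    person_uid: str
    department: str
    valid_until: date
    state: str
    reason: str


def apply_import(person: Person, imported_primary: Optional[str], today: date,
                 challenge: bool = True, grace_days: int = GRACE_DAYS) -> List[Request]:
    """Write the primary department delivered by an HR import.

    If the import removes or changes the primary department and the process is
    triggered (challenge=True stands in for the runtime variable), the old
    membership survives as an auto-approved secondary assignment with a due date,
    so access inherited through the department is not lost before it is reviewed."""
    old = person.primary_department
    requests: List[Request] = []
    if challenge and old is not None and old != imported_primary:
        req = Request(person.uid, old, today + timedelta(days=grace_days),
                      state="approved", reason="primary assignment removed by import")
        requests.append(req)                                   # steps 1 and 2: request, auto-approved
        person.secondary_departments[old] = req.valid_until    # step 3: secondary assignment created
    person.primary_department = imported_primary               # step 4: primary removed or changed
    return requests


def expire_secondary(person: Person, today: date) -> List[str]:
    """Scheduled job: drop secondary assignments whose due date has passed."""
    expired = sorted(d for d, until in person.secondary_departments.items() if until < today)
    for dept in expired:
        del person.secondary_departments[dept]
    return expired


def effective_departments(person: Person) -> set:
    """Departments the person currently inherits from, primary and secondary."""
    result = set(person.secondary_departments)
    if person.primary_department:
        result.add(person.primary_department)
    return result


if __name__ == "__main__":
    p = Person("E-1", "Sales")
    print(apply_import(p, "Marketing", date(2012, 8, 1)))
    print(effective_departments(p))
    print(expire_secondary(p, date(2012, 9, 1)))
```

With the sample dates, the import on 1 August moves the employee to Marketing while Sales stays effective as a secondary assignment until 31 August; the expiry job removes it the first day after the due date. An import that leaves the primary unchanged produces no request.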

1.1.12 Out-of-the-box attestation policies

A complete set of predefined attestation policies, including schedules and workflows, is provided out of the box:

- Group membership attestation: Attests user account memberships in system entitlements. Attestors can be system entitlement product owners, managers, or approvers assigned to the attestation policy.

- System entitlement attestation: Attests all entitlements of a group, based on a report. Attestors can be group product owners or approvers assigned to the attestation policy.

- Primary cost center attestation: Attests the primary cost center assignment of an employee.

- Primary department attestation: Attests the primary department assignment of an employee.

- Primary location attestation: Attests the primary location assignment of an employee.

- Secondary cost center attestation: Attests the secondary cost center assignments of an employee.

- Secondary department attestation: Attests the secondary department assignments of an employee.

- Secondary location attestation: Attests the secondary location assignments of an employee.

- Application role membership attestation: Attests application role memberships. Attestors can be approvers assigned to the attestation policy.

- Business role membership attestation: Attests memberships in business roles. Attestors can be business role managers or approvers assigned to the attestation policy.

- System role membership attestation: Attests system role assignments to employees. Attestors can be system role supervisors or approvers assigned to the attestation policy.

- Application role attestation: Attests application role properties. Attestors can be approvers assigned to the attestation policy.

- Business role attestation: Attests business role properties. Attestors can be business role managers or approvers assigned to the attestation policy.

- New business role certification: A new business role is added as the result of data analysis in the Analyzer. The manager attests that the business role is correct (including the manager assignment). If attestation approval is granted, the option "Employees do not inherit" is removed from the business role and inheritance is enabled. This attestation policy is predefined by Quest.

- Cost center attestation: Attests cost center properties. Attestors can be cost center managers or approvers assigned to the attestation policy.

- Department attestation: Attests department properties. Attestors can be department managers or approvers assigned to the attestation policy.

- Location attestation: Attests location properties. Attestors can be location managers or approvers assigned to the attestation policy.

- System role attestation: Attests system role properties. Attestors can be system role supervisors or approvers assigned to the attestation policy.

Only available when using Data Governance Edition:

- Data Governance: Resource Ownership Attestation: Attests the ownership of selected resources.

- Data Governance: Resource Security Attestation: Attests the security configuration of selected resources and of those child resources whose security has materially deviated from that of the parent.

- Data Governance: Accounts with Direct Access Attestation: The employee marked as responsible for an account (as its manager, or as the person responsible for a particular privileged account) attests the entitlements of these "managed" accounts.

- Data Governance: Groups with Direct Access Attestation: Attests single group entitlements. Attestors can be group product owners or approvers assigned to the attestation policy.

1.1.13 New Dashboards

- Last approvals granted (policy violations): Finds the number of policy violation approvals granted with a

processing time of 1, 2, 5, 10 and > 10 days.

- New policy violations in the last month: Finds new policy violations from the previous month grouped by

importance.

- Policy violation approval rates: Finds the number of approved and denied policy violations on a weekly basis.

- Overdue policy violations: Policy violations not processed for more than 2 days.

- Pending policy violations: Finds the number of all pending policy violations on a daily basis.

- Last approvals (policy violations): Finds the number of policy violations decided with a processing time of 1,

2, 5, 10 and > 10 days.

- New policy violations: Finds the number of policy violations from the previous day.

1.1.14 Enhancements to Analyzer

The Analyzer role mining capabilities have been enhanced as follows:

- On start-up, Analyzer checks the role mining configuration parameters; if they are inactive, Analyzer stops loading because role mining is not licensed.

- Save run configuration: After using the wizard and performing an analysis, the analysis configuration can be stored for later use.

Figure 14: Saving a role mining run configuration


Figure 15: Loading a saved run configuration

- As a role is mined, a business owner for it can be assigned when you are saving it to the Quest One Identity

Manager database.

Figure 16: Assigning an owner on saving a mined role to Q1IM


2 Active Directory Edition Specific Features

2.1.1 ActiveRoles virtual attributes

Attributes available in ActiveRoles Server are now able to be reflected in the Quest One Identity Manager Active

Directory Edition (ADE) system on a synchronized basis. This means that existing investments in managing

primary/secondary owners of groups and their published state using ActiveRoles Server can seamlessly be used

in ADE.

This is made possible by extending the synchronization of attributes from ActiveRoles Server to Quest One

Identity Manager:

- edsvaAppByPrimaryOwnerReq: Approval by the primary owner (manager) of the group is required.

- edsvaAppBySecondaryOwnerReq: Approval by a secondary owner of the group is required.

- edsvaPublished: Group is published to Self-Service Manager. When a group is published, users can request

self-membership in that group through ActiveRoles Server Self-Service Manager.

- edsvaSecondaryOwners: A list of secondary owners (distinguished names or SIDs); these can be Active Directory groups or user accounts.

2.1.2 Default approval workflow for group memberships

The default approval workflow for group memberships in ADE was extended to reflect settings of the additionally

synchronized ActiveRoles virtual attributes for Primary and Secondary owners.
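Taken together, sections 2.1.1 and 2.1.2 say that the approval route for a group membership request is read off the synchronized ActiveRoles attributes. The Python below is an added illustration of that derivation and is not the product's workflow definition; the AdGroup structure, the use of the AD managedBy attribute as the primary owner, the fallback_approvers escalation role and the sample DNs and SID are assumptions. Secondary owners may be groups, which a real workflow would expand to their members; here they are kept as opaque approver identifiers. The case worth checking in any such workflow is an owner attribute that demands approval but is empty: the request must escalate, not pass with zero approvers.

```python
"""Added illustration: approval steps for an AD group membership request derived
from the ActiveRoles virtual attributes. Not the product's workflow definition."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AdGroup:
    dn: str
    managed_by: Optional[str]                 # assumed: AD managedBy = primary owner (manager)
    edsvaAppByPrimaryOwnerReq: bool = False
    edsvaAppBySecondaryOwnerReq: bool = False
    edsvaPublished: bool = False
    edsvaSecondaryOwners: List[str] = field(default_factory=list)  # DNs or SIDs


@dataclass
class Plan:
    requestable: bool
    steps: List[List[str]]   # each step lists the approvers who may decide that step
    note: str


def approval_plan(group: AdGroup, fallback_approvers: List[str]) -> Plan:
    """Build the approval steps for a self-service membership request.

    fallback_approvers is an assumed escalation role (for example the target
    system owners) used when an owner attribute demands approval but is empty,
    so that a misconfigured group cannot yield a step with no approver. The
    steps list is empty only when neither flag is set; whether that means
    auto-approval is the workflow's policy decision, not this function's."""
    if not group.edsvaPublished:
        # Following the attribute description: only published groups can be requested.
        return Plan(False, [], "group is not published for self-service requests")
    steps: List[List[str]] = []
    if group.edsvaAppByPrimaryOwnerReq:
        steps.append([group.managed_by] if group.managed_by else list(fallback_approvers))
    if group.edsvaAppBySecondaryOwnerReq:
        steps.append(list(group.edsvaSecondaryOwners) or list(fallback_approvers))
    note = "owner approval required" if steps else "no owner approval configured on the group"
    return Plan(True, steps, note)


if __name__ == "__main__":
    # Constructed sample: both owner approvals required, one secondary owner given as a SID.
    g = AdGroup("CN=Finance-RW,OU=Groups,DC=example,DC=com",
                "CN=Alice,OU=Users,DC=example,DC=com",
                edsvaAppByPrimaryOwnerReq=True, edsvaAppBySecondaryOwnerReq=True,
                edsvaPublished=True,
                edsvaSecondaryOwners=["CN=Bob,OU=Users,DC=example,DC=com",
                                      "S-1-5-21-1-2-3-1105"])
    print(approval_plan(g, ["CN=TargetSystemOwners,OU=Roles,DC=example,DC=com"]))
```

For the sample group the plan has two steps, the primary owner first and then either secondary owner. A published group that requires primary-owner approval but has no managedBy value gets the escalation role as its approver instead of an empty step, and an unpublished group is reported as not requestable.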

2.1.3 Default approval workflow for group management

The following request and approval workflows are available out of the box (Previously this required specific

configuration):

- New Active Directory distribution list

- New Active Directory security group

- Delete Active Directory group

- Modify Active Directory group

o Modification of group scope (global, local, universal) and type (security, distribution).

- Remove group membership


3 Data Governance Edition Features

3.1.1 Data Governance functions

Data Governance provides content owners with tools and workflows to manage and govern their unstructured data.

Through the Identity Manager "Manager" tool, IT administrators can:

- Identify who can access, and who is accessing, NTFS-based systems (Windows Server, NAS devices) and SharePoint 2010 resources through a detailed security view.

- Perform "what if" access modeling.

- Manage access and edit data security settings.

- Identify and assign business owners for data.

- Secure unstructured data by placing it under governance and publishing it to the IT Shop.

Through the Web Portal, users have access to:

- Self-service access requests for the data they need.

- Attestation reviews to ensure proper allocation and use of data.

- Views, dashboards, and reports that let business owners, compliance officers and auditors see data access and activity.

3.1.2 Integration of data governance user interface into Identity Manager

You can browse through the resources on the hosts in your managed domains to:

- Examine a file system or SharePoint farm to see what users and groups have access to it, and modify

the access if required.

- Compare account access and simulate group membership changes.

- Calculate perceived owners for data.

- Place data under governance and publish it to the IT Shop.

Figure 17: Sample of Data Governance integration into the Manager user interface


3.1.3 Workflows

The following request and approval workflows are now available:

- Default approval workflow for resource access.

Requests follow a defined approval process that determines whether access to the data can be assigned. Authorized persons, in this case the business owner and the group owner, can approve or deny IT Shop requests. Once the business owner approves a request, it is forwarded to the "best fit" group owner to complete the workflow. (The group is retrieved from the Data Governance Service through the WCF web service.)

Escalations for resources without an assigned business owner (to the CISO role) or without a group owner (to the target system owner role) are integrated in the process.

Note: There are separate definitions for file system resources and SharePoint resources.

Figure 18: Sample request access to a file system object

- Change resource security.

A business owner of a resource can request a change of the ACL of the resource. The request will be sent to the

IT Administrator to execute.

- Reject resource ownership.

An assigned business owner for a resource can reject this ownership if it is not appropriate. The rejection is

forwarded to the IT Manager who can assign a new business owner.

3.1.4 Dashboards

The following dashboards are provided out of box:

- Top 10 active users of my owned resource: Displays most active users for owned resources sorted by

descending number of activities.

- Top 10 active resources across all governed resources: Displays most active resources across all governed

resources by descending number of activities.

- Policy violations by owner (current).

- Top 10 active resources that I own: Displays most active resources that I own sorted by descending number

of activities.


- Compliance rule violations by owner (current).

- Resource publishing and ownership statistics: Displays key numbers for resources, such as the total number

of resources, resources published in IT shop, and those with ownership assigned.

- Resources with and without policies: Displays the total number of resources with and without policies

defined against them.

- Resource publishing and ownership activity (7 days): Displays changes on key numbers for resources, such

as the total number of resources, resources published in IT shop, and those with ownership assigned.

- Policy violations by owner (12 months).

- Compliance rule violations by owner (12 months).

3.1.5 Reports

New report providers have been added to the Quest One Identity Manager reporting engine. Reports can use

data from the Identity Manager database and also retrieve real-time data from the Data Governance server.

New reports include the following:

- Resource Activity: Displays all activity on a specified File System or SharePoint resource (by one or more

users over a specified period of time).

- Account Activity: Identifies a user’s activity for the specified period on a specified list of resources to locate

unauthorized activity.

- Interesting Resources: Highlights data that has a high level of activity but does not have an owner. The

report includes the perceived owner for resources.

- Local Rights and Service Identities: Helps you understand who has local rights on a managed host and what

identities are being used to run Windows services.

- Resource Access: Displays a comprehensive list of all users and groups that have direct or indirect access

to the specified resource.

- Account Access: Details a user’s direct and indirect access (through group memberships) to file system

and/or SharePoint resources on the managed hosts.

- Data Ownership Over Time: Identifies how data ownership has changed over time for better control over

data access.

- Perceived Owners for Data Under Governance: Displays the perceived owner for data marked for

governance.

- Data Owners vs. Perceived Owners: Identifies whether the perceived owners should be the designated

business owners based on responsibilities.

- Unused Groups: Identifies groups that are not used in any ACLs on file system or SharePoint resources.

- Empty Groups: Identifies groups without any members to help in security group cleanup efforts.

- Group Members Comparison: Highlights where group membership differs between two or more groups.

- Member Of Comparison: Identifies access differences between two or more accounts due to memberships in

different security groups.

- Member Of: Provides a complete picture of a user’s membership in a group including those acquired

because of any nested group membership.


- Group Members: Lists the members in a security group.
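Several of these reports are variations on one computation: expanding nested group membership (Member Of), projecting it through the ACLs (Resource Access, Account Access), and looking for groups that no ACL references or that have no members (Unused Groups, Empty Groups). The Python below is an added illustration of that computation and is not Data Governance Edition code; the directory and the ACLs are constructed. The sample deliberately nests two groups in a circle, which a naive recursive expansion would loop on and which, as the Resource Access result shows, quietly gives every member of the read-only group Modify rights.

```python
"""Added illustration of nested group resolution and effective access.
Not Data Governance Edition code; directory and ACL data are constructed."""
from collections import deque
from typing import Dict, List, Set

# Constructed directory: group -> direct members (user names or group names).
GROUPS: Dict[str, Set[str]] = {
    "Domain Users": {"alice", "bob", "carol"},
    "Finance": {"alice", "Finance-Admins"},
    "Finance-Admins": {"bob", "Finance"},   # circular nesting, on purpose
    "Legacy-Project": set(),                # no members
    "Printer-Ops": {"carol"},               # referenced by no ACL
}

# Constructed ACLs: resource -> {trustee: rights}.
ACLS: Dict[str, Dict[str, str]] = {
    r"\\fs01\finance": {"Finance": "Read", "Finance-Admins": "Modify"},
    r"\\fs01\public": {"Domain Users": "Read"},
    r"\\fs01\archive": {"Legacy-Project": "Read"},
}


def member_of(principal: str, groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """Every group the principal belongs to, directly or through nesting.
    Breadth-first with a visited set, so circular nesting terminates."""
    result: Set[str] = set()
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for group, members in groups.items():
            if current in members and group not in result:
                result.add(group)
                queue.append(group)
    return result


def users(groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """Members that are not themselves groups."""
    return {m for members in groups.values() for m in members if m not in groups}


def resource_access(resource: str, acls=ACLS, groups=GROUPS) -> Dict[str, Set[str]]:
    """User -> rights on the resource, granted directly or through any nested group."""
    acl = acls[resource]
    out: Dict[str, Set[str]] = {}
    for user in users(groups):
        principals = {user} | member_of(user, groups)
        rights = {acl[t] for t in principals if t in acl}
        if rights:
            out[user] = rights
    return out


def account_access(user: str, acls=ACLS, groups=GROUPS) -> Dict[str, Dict[str, str]]:
    """Resource -> {trustee that grants the access: rights} for one account."""
    principals = {user} | member_of(user, groups)
    out: Dict[str, Dict[str, str]] = {}
    for resource, acl in acls.items():
        granted = {t: r for t, r in acl.items() if t in principals}
        if granted:
            out[resource] = granted
    return out


def unused_groups(acls=ACLS, groups=GROUPS) -> List[str]:
    """Groups that appear in no ACL."""
    referenced = {t for acl in acls.values() for t in acl}
    return sorted(g for g in groups if g not in referenced)


def empty_groups(groups=GROUPS) -> List[str]:
    """Groups without any members."""
    return sorted(g for g, members in groups.items() if not members)


if __name__ == "__main__":
    print(sorted(member_of("alice")))
    print(resource_access(r"\\fs01\finance"))
    print(account_access("carol"))
    print(unused_groups(), empty_groups())
```

On the sample data, alice resolves to Domain Users, Finance and Finance-Admins, so both alice and bob hold Read and Modify on the finance share even though only Finance-Admins was meant to modify; Printer-Ops is reported as unused and Legacy-Project as empty. The same resolution is what an Account Access or Member Of report has to perform before it can claim to be complete.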


3.1.6 Out of the box subscription reports

The following report subscriptions are available:

- Interesting Resources without Owner: Highlights data that has a high level of activity but does not have an

owner. The report includes the perceived owner for resources.

- Local Rights and Service Identities: Helps you understand who has local rights on a managed host and what

identities are being used to run Windows services.

- Data Ownership Over Time: Displays how ownership of resources has changed over time for better control

over access to data.

- Resource Access: Provides a comprehensive view of all users and groups that have direct or indirect access

to the specified resources.

- Unused Groups: Identifies groups that are not used in any ACLs on file system or SharePoint resources.

- Account Activity: Identifies a user’s activity for the specified period on a specified list of resources to identify

any unauthorized activity.

- Account Access: Details a user’s direct and indirect access (through group memberships) to file system

and/or SharePoint resources on the managed hosts.

- Resource Activity: Identifies all activity that is occurring on a specific file system or SharePoint resource (by

one or more users in a specific period of interest).

- Member Of Comparison: Identifies access differences between two or more accounts due to memberships in

different security groups.

- Member Of: Provides a complete picture of a user’s membership in a group including those acquired

because of any nested group membership.

- Group Members Comparison: Highlights where group membership differs between two or more groups.

- Perceived Owners for Data Under Governance: Identifies the probable business owners for the data that is

marked for governance.

- Data Owners vs. Perceived Owners: Shows whether the probable business owners should become the designated business owners after a change of responsibilities.

- Group Members: Lists the members in a security group.

- Empty Groups: Identifies groups without any members to help in security group cleanup efforts.

- My Empty Groups: Displays any groups that do not have members. This helps determine groups that are

candidates for removal.

3.1.7 Web User Interface Views

3.1.7.1 Business Owners

- File system and SharePoint: The Web Portal provides information on owned governed resources. This

includes activity, associated policies, resource details (including associated reports), and requests and

attestations they are involved with.


Figure 19: File system resource overview for a business owner

- Security settings and activity: The business owner can drill into resources for detailed information and

reports.

Figure 20: File system resource detail overview

3.1.7.2 Compliance & Security Officer

- Attestation policies: The Compliance/Security Officer can define “resource ownership” and “resource

security” attestation policies to ensure compliance rules for unstructured data are being met.


Figure 21: Data Governance related attestation policies

- Audit the system: Views that provide detailed information on governed resources, overdue attestations, and

policy violations.

Figure 22: Resource access overview