Oracle Identity Manager

April 2007

Introduction

Today’s enterprises are under ever greater pressure to shore up security, and meet regulatory and governance requirements, resulting in greater urgency to deploy identity management solutions based on the latest identity management technologies.  Oracle Identity Manager, formerly named Oracle Xellerate Identity Provisioning, is a highly flexible and scalable enterprise identity management system that manages users’ access privileges within enterprise IT resources.  It helps to answer the critical compliance questions of "Who has access to What, When, How, and Why?"  Its flexible architecture can handle the most complex IT and business requirements without requiring changes to existing infrastructure, policies or procedures.  This hallmark flexibility also enables Oracle Identity Manager to excel at handling the constant flow of business changes that impact real-world identity management deployments.  This flexibility is derived from the product’s architecture, which elegantly abstracts core provisioning functions into discrete layers.  Changes to workflow, policy, data flow, or integration technology are isolated within the respective functional layers, thus minimizing application-wide impact.  In addition, Oracle Identity Manager is flexible because all configurations are done via its powerful user interface.  The product does not rely on any scripting language for setup, configuration, or process modeling.  These are some of the many reasons why Oracle Identity Manager is considered the most advanced enterprise identity management solution available.

Oracle Identity Manager’s market-leading flexibility and scalability have been well documented in competitive shootouts such as the one featured in InfoWorld’s October 10, 2005 issue. Oracle Identity Manager is managing one of the industry’s largest provisioning implementations today, an implementation with more than 650 enterprise resources under management. This award-winning deployment has received recognition from ComputerWorld, Digital ID World, Gartner, InfoWorld, NetworkWorld, and SC Magazine.

Key Benefits of Oracle Identity Manager

  • Increased security: Enforce internal security policies and eliminate potential security threats from rogue, expired and unauthorized accounts and privileges
  • Enhanced regulatory compliance: Cost-effectively enforce and attest to regulatory requirements (e.g. Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA) associated with identifying who has access privileges to sensitive data
  • Streamlined operations: Reduce inefficiency and improve service levels by automating repeatable user administration tasks
  • Improved business responsiveness: Get users productive faster through immediate access to key applications and systems
  • Reduced costs: Reduce IT costs through efficient staff usage and utilization of a common security infrastructure

Overview of Oracle Identity Manager Features and Functionality

  • Self-service identity management drives user productivity, increases user satisfaction and optimizes IT efficiency
  • Delegated administration enhances security and reduces costs
  • Workflow & policy management improves IT efficiency, enhances security and enables compliance
  • Password management reduces IT help desk costs, and improves service levels
  • Audit & compliance management minimizes IT risk and reduces the cost of compliance
  • Integration solutions featuring Adapter Factory and pre-configured connectors enable quick and low cost system integration


Oracle Identity Manager Architecture 

Oracle Identity Manager’s architecture provides a number of compelling technical benefits when deploying a provisioning solution as part of an identity and access management architecture.

  • Ease of Deployment: Deployment Manager assists in the migration of integration and configuration between environments. 
  • Flexible and Resilient: Oracle Identity Manager can be deployed in single or multiple server instances.  Multiple server instances provide optimal configuration options, fault tolerance, redundancy, fail-over and system load balancing. 
  • Maximum Reuse of Incumbent Infrastructure: Oracle Identity Manager is built on an open architecture to integrate with and leverage existing software and middleware already implemented within an organization’s IT infrastructure. 
  • Modular Architecture: Oracle Identity Manager is made up of abstraction layers, which allows the execution logic to be changed and refined without affecting logic or definitions that still apply. 
  • Standards-based: Oracle Identity Manager incorporates leading industry standards, such as J2EE and Organization for the Advancement of Structured Information Standards (OASIS).
  • Built-in Audit and Compliance: Oracle Identity Manager is a fully integrated platform for identity provisioning and identity audit and compliance. 

Identity and Role Administration
Oracle Identity Manager offers a comprehensive range of user identity and role lifecycle administration features. User identities can be managed centrally, by delegated administrators, or through user self-administration.

Delegated Administration
Oracle Identity Manager features a highly flexible security framework that supports delegation of most administrative functions to any group and/or user.  By moving administration points as close to the user as possible, an enterprise can achieve tighter control and better security, all the while increasing productivity.  Delegated administration plays an increasingly important role as the already extended enterprise becomes more virtual and the service provider delivery model becomes more prevalent.

User Configurable Proxy
In addition to administrator-defined delegation, Oracle Identity Manager also provides each user the ability to temporarily delegate approval tasks to a defined proxy.  This user-defined proxy capability reduces the need for system reconfiguration and ensures continuity of business processes, uninterrupted by a user’s time away from the office.

Self-Service Password Management
Oracle Identity Manager’s self-service capabilities allow users to manage their own passwords across managed resources.  In case a user forgets his password, Oracle Identity Manager can present customizable challenge questions to enable self-service identity verification and password retrieval.  Research shows the bulk of help desk calls are related to password reset and lockout.  This self-service capability easily pays for itself many times over through reduced help desk calls.

Advanced Password Policy Management and Password Synchronization
Oracle Identity Manager features very rich password policy management capabilities.  Most best-practice password policies are supported out-of-the-box and are configurable via an intuitive user interface.  Supported password complexity requirements include: password length, alphanumeric and special characters usage, upper and lower case usage, full or partial exclusion of username and historical passwords.  Furthermore, Oracle Identity Manager allows the application of multiple policies per resource. For instance, less-privileged users may be subjected to a more relaxed password policy, whereas privileged administrators may be subject to a more stringent policy. In addition, Oracle Identity Manager can synchronize or map passwords across managed resources and enforce differences in password policies among these resources.  Bi-directional password synchronization capability is offered in most Oracle Identity Manager Connectors for directory servers and mainframes.
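The rules listed above (length, character classes, exclusion of the username and of historical passwords, and a stricter policy for privileged users) are the kind a practitioner ends up encoding in any provisioning system. The following is an added example written for this page, not Oracle Identity Manager’s own implementation or API; the policy names, rule fields, the role name "admin" and the sample passwords are constructed assumptions.

```python
"""Added example for this page: a password-policy checker of the kind the
passage describes (length, character classes, username exclusion, password
history, and a stricter policy for privileged users). Illustrative code, not
Oracle Identity Manager's own implementation or API; policy names, rule
fields and sample values are constructed assumptions."""
from dataclasses import dataclass
import hashlib


@dataclass
class PasswordPolicy:
    name: str
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username: bool = True   # reject passwords containing the login name
    history_depth: int = 0         # how many previous passwords may not be reused


def fingerprint(password: str) -> str:
    """History is kept as digests so no plaintext password is ever stored.
    A production system would use a salted, slow password hash; SHA-256 is
    used here only to keep the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, password: str, username: str,
                   history=()) -> list:
    """Return the names of the violated rules; an empty list means accepted.
    `history` holds fingerprints of the user's previous passwords, oldest first."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("min_length")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("upper")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("lower")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("digit")
    if policy.require_special and not any(not c.isalnum() for c in password):
        violations.append("special")
    if policy.forbid_username and username.lower() in password.lower():
        violations.append("contains_username")
    # Only the most recent `history_depth` fingerprints count as "historical".
    recent = list(history)[-policy.history_depth:] if policy.history_depth else []
    if fingerprint(password) in recent:
        violations.append("reused")
    return violations


# Two policies attached to the same resource; the stricter one applies to
# privileged roles, as the passage describes.
STANDARD = PasswordPolicy("standard", min_length=8, require_special=False, history_depth=3)
PRIVILEGED = PasswordPolicy("privileged", min_length=14, history_depth=12)


def policy_for(roles) -> PasswordPolicy:
    """Pick the policy by the user's roles (constructed role name 'admin')."""
    return PRIVILEGED if "admin" in roles else STANDARD


if __name__ == "__main__":
    # Constructed sample: the same password judged under both policies.
    for roles in (["staff"], ["admin"]):
        pol = policy_for(roles)
        print(pol.name, check_password(pol, "Winter2007", "jdoe"))
```

Returning the full list of violated rules, rather than stopping at the first one, lets the user interface report every problem at once; the history check works on digests so the policy store never holds old passwords in clear.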


Approval and Request Management
With Oracle Identity Manager, account request and approval processes can be automated to meet every organization’s needs. Companies start by modeling their existing or best-practice business processes for resource request and approval. In deployment, administrators, peers, or users themselves can initiate requests for access to resources, and track the status of their requests through web applications and email notifications. The approval workflows are highly configurable to allow for variations in a company’s approval processes based on organization, user, application and other entity attributes, and support features such as approver proxies and request escalations out-of-the-box.

Profile Management
Using Oracle Identity Manager’s self-service interface, end users can view, manage and update their own profile data. This reduces administrative overhead and provides users with control over their identity profiles.

Request Management
Oracle Identity Manager’s self-service interface allows end users to create provisioning requests for resources with fine-grained entitlements. Business approvers (e.g. team leaders, line managers, department heads, etc.) can use the same web-based interface to examine and approve incoming requests. By placing the request and approval process closer to the business, enterprises realize better service levels and reduced costs.


Policy-Based Entitlement Management
Oracle Identity Manager’s policy engine manages the fine-grained entitlements across managed applications, automating IT processes and enforcing security and compliance requirements such as segregation of duties. Policy-based management of entitlements allows multiple request and approval processes to be implemented and refined over time in parallel, reducing the total cost of implementation.

Policy Management
Oracle Identity Manager enables policy-based automated provisioning of resources with fine-grained entitlements.  For any set of users, administrators may specify access levels for each resource to be provisioned, granting each user only the exact level of access required to perform his job, no more and no less.  These policies can be driven by user roles or attributes, enabling implementation of role based access control (RBAC), as well as attribute based access control.  Effective blending of role and attribute based policies is key to a scalable and manageable enterprise provisioning solution.  In addition to an automated provisioning policy, Oracle Identity Manager also supports a denial policy.  Denial policy is used to explicitly deny user access to specific resources, thereby enforcing security or governance policies such as segregation of duties.
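To make the interplay of role-based policies, attribute-based policies and denial policies concrete, here is an added example written for this page; it is not Oracle Identity Manager’s own policy engine or data model. The resource names, entitlements, roles, user attributes and the segregation-of-duties rule are all constructed; the one design rule it demonstrates is that a matching denial policy always wins over any grant.

```python
"""Added example for this page: a small policy engine in the style the
passage describes. Access policies grant fine-grained entitlements when a
user holds a role or carries matching attributes; denial policies explicitly
remove entitlements (used here for a segregation-of-duties rule). Illustrative
code, not Oracle Identity Manager's engine; all names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    roles: set
    attributes: dict


@dataclass
class AccessPolicy:
    name: str
    grants: dict                                    # resource -> set of entitlements
    roles: set = field(default_factory=set)         # matches if the user holds ANY of these
    attributes: dict = field(default_factory=dict)  # matches only if ALL of these are equal
    deny: bool = False                              # denial policy: removes instead of grants


def matches(policy: AccessPolicy, user: User) -> bool:
    role_ok = not policy.roles or bool(policy.roles & user.roles)
    attr_ok = all(user.attributes.get(k) == v for k, v in policy.attributes.items())
    return role_ok and attr_ok


def evaluate(user: User, policies: list) -> tuple:
    """Return (effective, denied), both resource -> set of entitlements.
    Grants from every matching access policy are unioned; then every matching
    denial policy subtracts its entitlements, so a denial always wins."""
    effective = {}
    for p in policies:
        if not p.deny and matches(p, user):
            for resource, ents in p.grants.items():
                effective.setdefault(resource, set()).update(ents)
    denied = {}
    for p in policies:
        if p.deny and matches(p, user):
            for resource, ents in p.grants.items():
                removed = effective.get(resource, set()) & ents
                if removed:
                    denied.setdefault(resource, set()).update(removed)
                    effective[resource] -= removed
    effective = {r: e for r, e in effective.items() if e}   # drop emptied resources
    return effective, denied


# Constructed policy set
POLICIES = [
    AccessPolicy("all-active-staff", grants={"Email": {"mailbox"}},
                 attributes={"status": "active"}),
    AccessPolicy("finance-ledger", grants={"ERP": {"view_ledger"}},
                 attributes={"department": "finance", "status": "active"}),
    AccessPolicy("ap-clerks", grants={"ERP": {"create_vendor"}}, roles={"ap_clerk"}),
    AccessPolicy("ap-approvers", grants={"ERP": {"approve_payment"}}, roles={"ap_manager"}),
    # Segregation of duties: whoever can create vendors must not approve payments.
    AccessPolicy("sod-vendor-vs-payment", grants={"ERP": {"approve_payment"}},
                 roles={"ap_clerk"}, deny=True),
]

if __name__ == "__main__":
    alice = User("alice", {"ap_clerk", "ap_manager"},
                 {"department": "finance", "status": "active"})
    effective, denied = evaluate(alice, POLICIES)
    print("effective:", effective)
    print("denied:", denied)
```

Keeping the denied set as a separate return value is deliberate: the entitlements a denial policy stripped are exactly what an auditor wants listed next to the segregation-of-duties rule that caused it.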

Workflow Management
Oracle Identity Manager supports separation of approval and provisioning workflows.  Approval workflow enables an enterprise to model its preferred or best-practice approval processes for managing resource access requests.  Provisioning workflow enables an enterprise to orchestrate and automate IT tasks for provisioning resources with even the most complex provisioning procedures.  Separation of the two types of workflow empowers business and IT process owners to manage most efficiently with minimum cross-process interferences.  It also enables an enterprise to leverage existing workflows already deployed in systems such as help desk and HRMS.  Oracle Identity Manager provides a workflow visualizer that offers a graphical representation of even the most complex workflow processes. This allows business users, administrators, and auditors to visualize task sequences, dependencies, etc. to understand the process flow.

Dynamic Error Handling
Oracle Identity Manager’s error-handling capability provides IT staff with the ability to handle any exceptions that occur during the provisioning process.  Everyday problems such as unavailable or offline resources no longer stop the provisioning transaction or cause it to fail.  Business logic defined within the provisioning workflow offers customized failsafe capabilities within an Oracle Identity Manager implementation.

Guaranteed De-provisioning
When a user leaves the organization or her access is no longer required or valid due to a job change, Oracle Identity Manager revokes access on demand or automatically, as dictated by role or attribute based access policies. This ensures that a user’s access is promptly terminated across all no-longer-required resources to minimize security risks, as well as to prevent paying for access to costly resources, such as data services.

Transaction Integrity
Provisioning automates a very important part of an enterprise’s daily business.  Based on embedded state management capabilities, Oracle Identity Manager provides the same level of transaction integrity required by other mission-critical enterprise systems. Oracle Identity Manager features a state engine with rollback and recovery capabilities. When a provisioning transaction fails or is stopped, the system is able to recover and rollback to the last successful state or reroute to a different path, in accordance with pre-defined rules.

Real Time Request Tracking
In order to maintain better control over and provide improved visibility into all provisioning processes, end users and administrators can track request status in real time, at any point during a provisioning transaction.


Technology Integration and Adapter Factory
Oracle Identity Manager integrates with any application or resource through a highly configurable, agentless interface technology. Oracle provides a growing library of pre-configured connectors to popular applications, user repositories, and technologies. Identity Manager’s integration architecture reduces the overall costs of deployment and maintenance of a provisioning solution.

Adapter Factory
Integrating most provisioning systems with managed resources can be a daunting task.  Connecting to proprietary systems can often be near impossible.  Oracle Identity Manager’s Adapter Factory technology eliminates the complexity associated with creating and maintaining these connections.  Adapter Factory provides rapid integration to commercial or custom systems.  Users can create new, or modify existing integrations using Adapter Factory’s graphical user interface, without programming, or scripting. Once connectors have been created, their definitions are maintained within the Oracle Identity Manager repository, creating self-documenting views.  These views make extending, maintaining and upgrading connectors a manageable and straightforward process.

Pre-configured Connectors
For the most popular commercial applications and interface technologies, Oracle Identity Manager offers an extensive and rapidly expanding library of pre-configured connectors.  With these connectors, an enterprise can get a head start on application integration.  Each connector supports a wide range of identity management functions and uses the most appropriate integration technology recommended for the target resource, whether it’s proprietary or based on open standards.  These connectors enable out-of-the-box integration, but can be further modified using the Adapter Factory to work with each enterprise’s unique integration requirements.

Generic Technology Connector
The Generic Technology Connector framework provides an alternative connector development environment that focuses on data flow instead of process flow. It is a framework with basic building blocks that allows system administrators to design custom connectors quickly and easily. It also allows administrators to create more building blocks and use them independently or in conjunction with the building blocks provided. With its focus on data migration, Generic Technology Connector communicates with any target resource by using standard protocols such as HTTP, SMTP, FTP and Web Services combined with generic message formats such as CSV, SPML and LDIF.


Audit and Compliance
Identity management is a key part of any audit and compliance solution.  Oracle Identity Manager is a fully integrated platform for identity provisioning and audit and compliance. 

Identity Reconciliation
One of Oracle Identity Manager’s most powerful capabilities is the reconciliation engine.  Reconciliation refers to the process by which Oracle Identity Manager “polices” the resources under its management.  If it detects any accounts or changes to user access privileges made outside of Oracle Identity Manager’s control, it can immediately take corrective action, such as undoing the change or notifying an administrator.  The reconciliation engine also helps to detect and map existing accounts in target resources, enabling the creation of an enterprise-wide identity and access profile for each employee, partner or customer user.

Rogue/Orphan Account Management
A rogue account is an account created “out of process” or outside of the provisioning system’s control.  An orphan account is an operational account without a valid user.  These accounts represent serious security risks to an enterprise.  Oracle Identity Manager can provide continuous monitoring of rogue and orphan accounts.  By combining denial access policies, workflows and reconciliation, an enterprise can execute the requisite corrective actions when such accounts are discovered, in accordance with security and governance policies.  Oracle Identity Manager can also manage the lifecycle of special service accounts, also known as administrator accounts, which have special life cycle requirements that extend beyond the lifecycle of an assigned user and across the lifecycles of multiple assigned users.  Proper management of service accounts can help to eliminate another source of potential orphan accounts.
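The Identity Reconciliation and Rogue/Orphan Account Management passages describe one detection loop: read the accounts actually present on a managed resource, compare them with what the provisioning system recorded, and classify every discrepancy. The following added example, written for this page and not Oracle Identity Manager’s engine, implements that loop over constructed sample data. The data model, the service-account exemption (a team-owned account is skipped here rather than flagged as an orphan) and the corrective-action strings are assumptions; it also reports a fourth case, a provisioned account that has disappeared from the target, which is one more kind of out-of-band change.

```python
"""Added example for this page, serving both the Identity Reconciliation and
the Rogue/Orphan Account Management passages: a reconciliation pass that
compares a snapshot of accounts read from a managed resource with the
provisioning system's own records and classifies every discrepancy, attaching
the corrective action a workflow would take. Illustrative code, not Oracle
Identity Manager's engine; data model, exemption and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str       # rogue | orphan | drift | missing
    resource: str
    account: str
    detail: str
    action: str     # corrective action to hand to a workflow


def reconcile(target_snapshot: dict, provisioned: dict, users: dict,
              service_accounts: frozenset = frozenset()) -> list:
    """target_snapshot:  {resource: {account: set(entitlements)}} read from the target.
    provisioned:      {resource: {account: (owner_login, set(entitlements))}}
                      as recorded when the provisioning system created the account.
    users:            {login: 'active' | 'disabled'} from the identity store.
    service_accounts: {(resource, account)} whose lifecycle is not tied to one user."""
    findings = []
    for resource, accounts in target_snapshot.items():
        records = provisioned.get(resource, {})
        for account, actual in accounts.items():
            if (resource, account) in service_accounts:
                continue  # team-owned; reviewed under its own lifecycle
            if account not in records:
                findings.append(Finding("rogue", resource, account,
                                        "created outside the provisioning system",
                                        "disable account and notify administrator"))
                continue
            owner, expected = records[account]
            status = users.get(owner, "unknown")
            if status != "active":
                findings.append(Finding("orphan", resource, account,
                                        f"owner {owner} is {status}", "revoke account"))
                continue
            extra, missing = actual - expected, expected - actual
            if extra or missing:
                findings.append(Finding("drift", resource, account,
                                        f"extra={sorted(extra)} missing={sorted(missing)}",
                                        "reset entitlements to provisioned state"))
    # Records with no matching target account: deleted out of band.
    for resource, records in provisioned.items():
        for account in records:
            if account not in target_snapshot.get(resource, {}):
                findings.append(Finding("missing", resource, account,
                                        "absent on target", "re-provision or close record"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. for a dashboard or audit report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data
TARGET = {"ERP": {
    "alice": {"view_ledger"},
    "bob": {"view_ledger", "approve_payment"},   # approve_payment granted out of band
    "svc_backup": {"run_backup"},                # team-owned service account
    "mallory": {"view_ledger"},                  # no provisioning record at all
    "carol": {"view_ledger"},                    # owner has been disabled
}}
PROVISIONED = {"ERP": {
    "alice": ("alice", {"view_ledger"}),
    "bob": ("bob", {"view_ledger"}),
    "carol": ("carol", {"view_ledger"}),
    "dave": ("dave", {"view_ledger"}),           # account deleted on the target
}}
USERS = {"alice": "active", "bob": "active", "carol": "disabled", "dave": "active"}
SERVICE_ACCOUNTS = frozenset({("ERP", "svc_backup")})

if __name__ == "__main__":
    results = reconcile(TARGET, PROVISIONED, USERS, SERVICE_ACCOUNTS)
    for f in results:
        print(f"{f.kind:7} {f.resource}/{f.account}: {f.detail} -> {f.action}")
    print(summarize(results))
```

Each finding carries its proposed corrective action as data rather than acting immediately, which is what lets the same detection feed either an automatic undo or a notify-and-wait workflow, as the passage describes.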

Comprehensive Reporting and Auditing
Oracle Identity Manager reports on both the history and the current state of the provisioning environment.  The system captures all necessary data to answer the question “Who has access to What, When, How, and Why?”  Some of the identity data captured includes user identity profile history, user group membership history, user resource access and fine-grained entitlement history.  When combined with the transaction data generated and captured by Oracle Identity Manager’s workflow, policy, and reconciliation engines, an enterprise has all the required data to address any identity and access related audit inquiry.  Oracle Identity Manager's reporting and auditing capabilities enable an enterprise to cost-effectively cope with ever more stringent regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA, and HSPD-12.

Attestation / Recertification Automation
Attestation, also referred to as recertification, is a key part of Sarbanes-Oxley compliance and a highly recommended security best-practice.  Enterprises are meeting these attestation requirements today largely with manual processes based on spreadsheet reports and emails.  These manual processes tend to be fragmented, are difficult and expensive to manage, and have little data integrity and auditability.  Oracle Identity Manager offers a best-in-class attestation feature that can be deployed quickly to enable an enterprise-wide attestation process that features automated report generation, delivery and notification.  Attestation reviewers can review fine-grained access reports within an interactive user interface that supports fine-grained certify, reject, decline, and delegate actions.  All report data and reviewers’ actions are captured for future auditing needs.  Reviewer actions can optionally trigger corrective action by configuring Oracle Identity Manager’s workflow engine.
