
Oracle Xellerate Identity Provisioning

November 2005


Introduction

Oracle Xellerate Identity Provisioning is a powerful and flexible enterprise identity management system that automatically manages users’ access privileges within enterprise IT resources. Its flexible architecture easily handles the most uncompromising and rigorous IT and business requirements—without requiring changes to existing infrastructure, policies or procedures.

Today, enterprises need to deploy identity management solutions based on the latest identity management technology, which provides functionality to support strategic initiatives. Oracle Xellerate Identity Provisioning is designed from the ground up to manage user access privileges across all of a firm’s resources, throughout the entire identity management lifecycle—from initial creation of access privileges to dynamically adapting to changes in business requirements. Because of Xellerate’s innovative design, enterprises can elegantly incorporate necessary business changes at minimal cost, while avoiding enforced customization that might be necessary with other provisioning systems.

Oracle Xellerate Identity Provisioning is production-proven and is the most advanced enterprise identity management solution available. It manages the industry’s largest provisioning implementation, with more than 450 enterprise resources under management.

Key Benefits of Oracle Xellerate Identity Provisioning

  • Increased security: Enforce internal security policies and eliminate potential security threats from rogue, expired and unauthorized accounts and privileges
  • Enhanced regulatory compliance: Cost-effectively enforce and attest to regulatory requirements (e.g. Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley, HIPAA) associated with identifying who has access privileges to sensitive data
  • Streamlined operations: Reduce inefficiency and improve service levels by automating repeatable user administration tasks
  • Improved business responsiveness: Get users productive faster through immediate access to key applications and systems
  • Reduced costs: Reduce IT costs through efficient staff usage and common security infrastructure.

Overview of Oracle Xellerate Identity Provisioning Features and Functionality

  • Self-service Identity Management Drives User Productivity, Increases User Satisfaction and Optimizes IT Efficiency
  • Delegated Administration Enhances Security and Reduces Costs
  • Workflow & Policy Management Improves IT Efficiency, Enhances Security and Enables Compliance
  • Password Management Reduces IT HelpDesk Costs, and Improves Service Levels
  • Audit & Compliance Management Minimizes IT Risk and Reduces the Cost of Compliance
  • Adapter Factory® Yields Fastest Time-to-Provisioning, Lowest Total Cost of Ownership

Self-service Identity Management Drives User Productivity, Increases User Satisfaction and Optimizes IT Efficiency

Profile Management
Using Oracle Xellerate Identity Provisioning’s self-service interface, end users can view, manage and update their own profile data. This reduces administrative overhead and provides users with control over their identity profiles.

Request Management
The Oracle Xellerate Identity Provisioning self-service interface also allows end users to create provisioning requests for resources and fine-grained entitlements. Business approvers (e.g. team leaders, line managers, department heads, etc.) can use the same web-based interface to examine and approve incoming requests. By placing the request and approval process closer to the business, enterprises realize better service levels and reduced costs.

Delegated Administration Enhances Security and Reduces Costs

Delegated Administration
Oracle Xellerate Identity Provisioning provides a Workflow Visualizer that offers a graphical representation of even the most complex workflow processes. This allows business users and administrators to picture task sequence, dependencies, etc. to understand the process flow. It enables the delegation of select administrative functions to groups and users within and beyond the enterprise to provide tighter control, better security and increased productivity. Oracle Xellerate Identity Provisioning’s unique Deployment Manager supports the packaging and import/export of processes, policies and integration meta-data between Xellerate environments, ensuring maximum re-use of all intellectual property created within Xellerate. A delegated administration wizard is also provided to help administrators quickly define the delegation model they wish to implement.

Group, Organization and Resource Management
With Oracle Xellerate Identity Provisioning’s web-based interface, administrators can create and manage groups, organizations and resources. This enables fast and easy administration of the entire enterprise in an extremely convenient and cost-effective manner.

Workflow & Policy Management Improves IT Efficiency, Enhances Security and Enables Compliance

Policy Management
Oracle Xellerate Identity Provisioning enables policy-based automated provisioning of resources (e.g. mySAP R/3) and fine-grained entitlements within resources (e.g. mySAP R/3 Activity Groups); administrators may define specific access levels within a provisioned resource for a set of users. This is important, as different user groups typically need access to the same set of resources, but with varying privilege levels. An intuitive, web-based interface enables administrators to quickly define and manage these policies. In addition to the traditional approach of role-based determination of user access privileges, Xellerate supports the notion of rules, which can automatically determine user privileges from any attribute within the user’s identity. This enables enterprises to benefit from further refinement and additional flexibility.

Workflow Management
Oracle Xellerate Identity Provisioning provides an easy way to build provisioning workflows, the business processes that govern the steps by which provisioning transactions are executed. If applicable business processes already exist elsewhere within the enterprise, Xellerate can utilize them, saving time and reducing IT development and maintenance costs. The Xellerate interface allows business analysts and administrators to model and support even the most complex business processes in very little time, without programming. In addition, users may delegate approval tasks to a defined proxy for certain time periods, via an intuitive, web-based proxy management wizard.

Dynamic Error Handling
Oracle Xellerate Identity Provisioning’s error handling capability provides IT staff with the ability to handle any exceptions that occur during the provisioning process. Everyday problems such as unavailable or offline resources no longer stop the provisioning transaction or cause it to fail. Business logic defined within the provisioning workflow offers customized failsafe capabilities within an Xellerate implementation.

Guaranteed De-provisioning
When users leave the organization or their access is no longer required or valid, Oracle Xellerate Identity Provisioning revokes access through its one button de-provisioning process. This ensures that a particular user’s access is terminated across all managed resources —thus eliminating a major security risk.

Transaction Integrity
Provisioning automates a very important part of an enterprise’s daily business. Based on embedded state management capabilities, Oracle Xellerate Identity Provisioning provides the same level of transaction integrity required by other mission-critical enterprise systems. Xellerate's architecture includes a state engine, which allows the system to support full rollback and recovery. If a failure occurs during a provisioning transaction, the system is able to recover entirely from its last known state. If it becomes necessary to stop a provisioning transaction, Xellerate has the ability to rollback from that point, or take a different path—in accordance with pre-defined rules.

Real Time Request Tracking
In order to maintain better control over and provide improved visibility into all provisioning processes, end users and administrators can track request status in real time—at any point during a provisioning transaction.

Password Management Reduces IT HelpDesk Costs, and Improves Service Levels

Self-Service Password Management
Oracle Xellerate Identity Provisioning’s self-service capabilities also allow users to manage their own passwords across some or all managed resources. In addition, if the user has forgotten his/her password, Xellerate presents customizable challenge questions to enable identity verification. If the responses that the user provides match the information provided during user registration, the user is permitted to reset his/her password. This is a crucial benefit to large enterprises, as it allows users to self-manage all of their passwords, reducing significant workload from the perspective of the corporate help desk.

Advanced Password Policy Management
Oracle Xellerate Identity Provisioning provides some of the richest password policy management capabilities available in the market today. The password policy definition interface supports selective specification of elements and values by which to define a particular policy. Some supported capabilities include min/max length, special characters, numeric and uppercase characters. Other more sophisticated mechanisms, such as disallowing certain words like username, first name and last name are also supported. Furthermore, Xellerate uniquely allows the application of multiple policies to a specific resource. For instance, there may be several password policies that apply to user passwords for RSA ClearTrust. Lower level users may be subjected to a more relaxed policy whereas senior IT administrators (with more sensitive levels of access) may be subject to a much more stringent policy, applied to the same resource.
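The policy elements listed above (length bounds, character classes, identity words) and the idea of several policies on one resource can be sketched as follows. This is an added example, not Xellerate code or its API; the class names, the `level` attribute, the resource name and all thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    min_special: int = 0
    min_numeric: int = 0
    min_uppercase: int = 0
    forbid_identity_words: bool = True  # username, first name, last name


@dataclass(frozen=True)
class User:
    username: str
    first_name: str
    last_name: str
    level: str  # hypothetical attribute used to select a policy


def violations(policy, user, password):
    """Return the rules the candidate password breaks (empty list = accepted)."""
    found = []
    if len(password) < policy.min_length:
        found.append("too short")
    if len(password) > policy.max_length:
        found.append("too long")
    if sum(c in string.punctuation for c in password) < policy.min_special:
        found.append("too few special characters")
    if sum(c.isdigit() for c in password) < policy.min_numeric:
        found.append("too few numeric characters")
    if sum(c.isupper() for c in password) < policy.min_uppercase:
        found.append("too few uppercase characters")
    if policy.forbid_identity_words:
        lowered = password.lower()
        for word in (user.username, user.first_name, user.last_name):
            if word and word.lower() in lowered:
                found.append("contains a word from the user's identity")
                break
    return found


# Constructed policies: two policies attached to the same resource and
# selected by the user's level. Names and thresholds are illustrative.
RESOURCE_POLICIES = {
    "web-access-control": {
        "standard": PasswordPolicy("relaxed", 8, 64, min_numeric=1),
        "it-admin": PasswordPolicy("stringent", 14, 64, 1, 1, 1),
    }
}


def check(resource, user, password):
    """Pick the policy that applies to this user on this resource, then test."""
    policy = RESOURCE_POLICIES[resource][user.level]
    return policy.name, violations(policy, user, password)
```

The same candidate password can pass for a standard user and fail for an administrator on the same resource, which is the behaviour the paragraph describes.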

Password Synchronization with Microsoft Active Directory
Most corporate users consider Microsoft Windows desktop-based password reset as the most convenient mechanism for updating their passwords. In order to fit seamlessly with this popular deployment model, Oracle Xellerate Identity Provisioning provides a mechanism to perform bi-directional password synchronization with Microsoft Active Directory. Thus, if a user updates his/her password via the Windows desktop, Xellerate captures it prior to its saving to the Active Directory, internalizes the update and propagates it to other managed resources in accordance with prevalent policy.

Audit & Compliance Management Minimizes IT Risk and Reduces the Cost of Compliance

Identity Reconciliation
One of Oracle Xellerate Identity Provisioning’s most powerful capabilities is the strength of its Reconciliation Engine. Reconciliation refers to the process by which Xellerate “polices” the resources under its management. If it detects any accounts or changes to user access privileges effected outside of Xellerate’s control, it can immediately undo the change or notify an administrator, depending on how it is configured at deployment. The Reconciliation Engine also provides sophisticated features for scheduling intervals for reconciliation with target resources. More sensitive resources can be reconciled frequently whereas those that are lower-risk can be reconciled less frequently.

Rogue/Orphan Account Management
Rogue accounts (accounts created outside of the provisioning system’s control) and orphan accounts (operational accounts for invalid users) represent a very serious security risk to an enterprise. Once a managed resource has been brought under Oracle Xellerate Identity Provisioning’s control, rogue accounts and privileges are immediately detectable. In response, Xellerate executes the requisite corrective actions as defined by the enterprise. These actions could include sending an email alert to an administrator, accepting and linking the account or privilege to Xellerate and deleting the accounts or privileges. Xellerate also features a new capability for managing the lifecycle of service accounts, which are used by external applications to invoke functions within managed resources, thus eliminating another source of potential orphan accounts.
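The reconciliation and rogue/orphan handling described in the two sections above amounts to comparing a resource's live accounts with the provisioning records and mapping each discrepancy to a configured action. The following is an added example, not Xellerate code or its API; every name, the policy mapping and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Finding(Enum):
    ROGUE = "rogue"    # on the resource, never provisioned
    ORPHAN = "orphan"  # provisioned, but the owner is no longer a valid user
    DRIFT = "drift"    # entitlements changed outside the provisioning system


class Action(Enum):
    ALERT = "alert"    # notify an administrator
    LINK = "link"      # accept the account and bring it under management
    DELETE = "delete"  # remove the account
    REVERT = "revert"  # undo the out-of-band privilege change


@dataclass(frozen=True)
class Provisioned:
    owner: str
    entitlements: frozenset


@dataclass(frozen=True)
class Result:
    account: str
    finding: Finding
    action: Action
    detail: str


def reconcile(live_accounts, provisioned, valid_users, policy):
    """Compare a resource's live accounts with the provisioning records.

    live_accounts maps account -> entitlements read from the target,
    provisioned maps account -> Provisioned, valid_users is the set of
    current users, and policy maps each Finding to the configured Action.
    """
    results = []
    for account, live in sorted(live_accounts.items()):
        record = provisioned.get(account)
        if record is None:
            finding, detail = Finding.ROGUE, "no provisioning record"
        elif record.owner not in valid_users:
            finding, detail = Finding.ORPHAN, f"owner {record.owner} is not a valid user"
        else:
            added = sorted(set(live) - record.entitlements)
            removed = sorted(record.entitlements - set(live))
            if not (added or removed):
                continue  # account matches what was provisioned
            finding, detail = Finding.DRIFT, f"added={added} removed={removed}"
        results.append(Result(account, finding, policy[finding], detail))
    return results


# Constructed sample data (not taken from any real system).
POLICY = {Finding.ROGUE: Action.ALERT, Finding.ORPHAN: Action.DELETE,
          Finding.DRIFT: Action.REVERT}
PROVISIONED = {
    "asmith": Provisioned("asmith", frozenset({"read"})),
    "bjones": Provisioned("bjones", frozenset({"read", "write"})),
    "cdavis": Provisioned("cdavis", frozenset({"read"})),
}
VALID_USERS = {"asmith", "cdavis"}   # bjones has left the organization
LIVE = {
    "asmith": {"read", "admin"},     # privilege added out of band
    "bjones": {"read", "write"},     # still active for a departed user
    "cdavis": {"read"},              # consistent with the record
    "tmpadmin": {"admin"},           # created directly on the resource
}

if __name__ == "__main__":
    for r in reconcile(LIVE, PROVISIONED, VALID_USERS, POLICY):
        print(r.account, r.finding.value, r.action.value, r.detail)
```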

Comprehensive Reporting and Auditing
Oracle Xellerate Identity Provisioning provides reporting on both the history and the current state of the provisioning environment. No other provisioning system provides the level of auditing capabilities that Xellerate provides. Comprehensive information can be quickly gathered about users (including their current and historical access privileges) and resources (such as who has access to them now or in the past). In addition, details about any Xellerate provisioning transactions can be reported. Enterprises can now obtain information on all user access privilege information at any time, allowing them to quickly assess the security of their information assets. To meet increasingly stringent regulatory requirements, Xellerate's reporting and auditing capabilities more than satisfy compliance with regulations such as Sarbanes-Oxley, 21 CFR Part 11, Gramm-Leach-Bliley and HIPAA. To produce custom reports, Xellerate supports any standard SQL-based reporting tool.

Adapter Factory® Yields Fastest Time-to-Provisioning, Lowest Total Cost of Ownership

Thor’s Adapter Factory simplifies the lengthy, complex integration and workflow processes that companies typically undergo when deploying enterprise provisioning solutions. - Elizabeth Mann, Managing Director, Mycroft, Inc.

Integrating most provisioning systems with managed resources can be a daunting task. Connecting in advance to proprietary systems can often be near impossible. Oracle Xellerate Identity Provisioning solutions are specifically designed to make integration easy. Thor’s patent-pending technology, the Adapter Factory®, eliminates the complexity associated with creating and maintaining these connections.

The Adapter Factory provides rapid integration to commercial or custom systems – without programming. Once adapters have been created, their definitions are maintained within the Xellerate repository, creating self-documenting views. These views make extending, maintaining and upgrading connections a manageable and straightforward process. Oracle Xellerate Identity Provisioning also includes a library of pre-configured adapters that support many common resources, each of which can be reconfigured or extended via the Adapter Factory.

Oracle Xellerate Identity Provisioning Architecture

Oracle Xellerate Identity Provisioning’s underlying architecture provides a number of compelling technical benefits when deploying a provisioning solution as part of an identity and access management architecture.

Easily Deployed
Leveraging its maturity in the provisioning market, Oracle Xellerate Identity Provisioning provides a robust Deployment Utility to assist in the migration of changes from development to QA to production environments. As changes are made, the utility can be used to export those changes as XML-based metadata files. These files are then imported into the destination environment. When modifications are made, Xellerate’s Deployment Utility guarantees the entire provisioning process is placed into production. Enterprises can have complete confidence that the changes they are deploying into production are being rolled out in exactly the same manner that they were developed and tested.

Flexible and Resilient
Oracle Xellerate Identity Provisioning can be deployed in single and multiple server instances. Multiple server instances provide optimal configuration options, in support of geographically dispersed users and resources, for increased flexibility, performance and control. Xellerate's multi-server system implementations also provide fault tolerance, redundancy, fail-over and system load balancing. As deployments grow, moving from a single server to a multi-server implementation is a seamless operation.

Maximum Reuse of Incumbent Infrastructure
To lower cost, minimize complexity and leverage existing investments, Oracle Xellerate Identity Provisioning solutions are built on an open architecture. This allows Xellerate to integrate with and leverage existing software and middleware already implemented within an organization’s IT infrastructure. Xellerate can be easily plugged into such existing infrastructures. For example, if an implementation requires integrating with an existing customer portal, Xellerate’s advanced API offers programmatic access to a comprehensive set of system components. This allows IT staff to customize any part of its Xellerate provisioning implementation to meet the enterprise’s specific needs.

Modular Architecture
Oracle Xellerate Identity Provisioning makes it easy to keep up with the changing needs of a dynamic enterprise. Xellerate’s breakthrough technology separates what “needs” to be done from “how” it is actually done (called “abstraction”). This abstraction layer allows the execution logic to be changed and refined without affecting logic or definitions that still apply. This also provides an iterative provisioning “evolution without revolution” approach that allows IT to implement their provisioning system to fit today’s requirements, without worrying about possible future business needs. As user needs and business policies evolve, outdated execution logic can be “unplugged” from the provisioning instance for new execution logic. This provides the most cost-effective mechanism for handling change management and supporting the enterprise’s ongoing evolution of processes and systems.

Standards-based
Oracle Xellerate Identity Provisioning incorporates leading industry standards. For example, Xellerate components are fully based on J2EE architecture so customers may run them from within their standard application server environments. Complete J2EE support results in performance and scalability benefits while aligning with existing customer environments to leverage in-house expertise. In addition, all inter-component communications within Xellerate are secured using SSL.

Oracle develops all its Xellerate solutions on a foundation of current and emerging standards. For example, Oracle is a Management Board Member of The Liberty Alliance, and incorporates Liberty Alliance developments in its solutions. Oracle participates in the Provisioning Services Technical Committee (PSTC), which operates under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS).

Oracle Xellerate Identity Provisioning Functional Components

Oracle Xellerate Identity Provisioning is built on an enterprise-class, modular architecture that is both open and scalable. Each component plays a critical role in the overall functionality of the system.

Xellerate User Interfaces define and administer the provisioning environment. Oracle Xellerate Identity Provisioning offers three feature-rich user interfaces to satisfy both administrator and user requirements:

• Powerful design console
• Web-based delegated administration
• Web-based user self-service

Xellerate Studio is where the core components that determine the behavior of provisioning transactions are assembled and modified. The ProvisionManager determines the “who”, “what”, “how” and “why” of all provisioning transactions. For example, user profiles, access policies, resources, rules, workflow and resource adapters are all defined through the ProvisionManager.

Xellerate Run-Time is Oracle Xellerate Identity Provisioning’s run-time engine, which executes the provision transactions as defined within the ProvisionManager.

Adapter Factory builds and maintains Resource Adapters, the connections between Oracle Xellerate Identity Provisioning and managed resources. The patent-pending Adapter Factory is designed to eliminate the need for hard coding integration with these systems. The Adapter Factory allows administrators and subject matter experts to work at a higher level of abstraction by graphically mapping the Xellerate provisioning process directly to the target application’s configuration requirements. No programming is required. Once mapped, the Adapter Factory automatically generates the necessary integration code. Modifications and extensions to adapters are accomplished by working with the integration map, not with the code.

Reconciliation Engine™ guarantees consistency between Oracle Xellerate Identity Provisioning’s provisioning environment and managed resources within the enterprise. The Reconciliation Engine discovers and flags illegal accounts created outside of Xellerate. This component also synchronizes business rules located inside and outside the provisioning system to guarantee consistency.

Xellerate API enables application and managed systems to communicate with Oracle Xellerate Identity Provisioning, and Xellerate components to be utilized in custom applications. For example, Xellerate user interface components may be incorporated into customer portals. In addition, Xellerate screens and forms can be modified easily to include customer-specific information requirements.

Additional Xellerate Services provide important functionality that enables Oracle Xellerate Identity Provisioning users to perform certain tasks:

  • Reporting/Auditing allows real-time and historical information to be collected and presented to IT administrators.
  • Password Management supports the definition of password formation and validation rules, and can also synchronize passwords across all applications a user accesses.
  • Task Queues provide a personal list of all outstanding provisioning requests for each IT administrator.
  • Scheduler allows IT administrators to queue provisioning tasks (such as grant or revoke access) for execution at specified dates and times.
  • Security services place encryption on any part of the provisioning implementation that has been defined through ProvisionManager.
  • Permissions services grant functional capabilities such as “create user,” “define rules” and “create adapter” to specific individuals within the provisioning environment.
  • Views provide specific individuals such as user, approver or delegated administrator with information about the provisioning environment that is relevant only to them.

 

Supported Resources and Platforms

Supported Resources

  • Directory Servers: Microsoft Active Directory; Novell eDirectory; Oracle Internet Directory Server; Sun Java System Directory Server
  • Database Servers: IBM UDB; Microsoft SQL Server; MySQL; Oracle; Sybase Adaptive Server
  • Applications: PeopleSoft HRMS; SAP R/3 Enterprise; Siebel; Oracle E-Business Suite 11i
  • Help Desk: Remedy ARS (Help Desk)
  • Messaging / Collaboration Platforms: IBM Lotus Domino Server; Microsoft Exchange Server; Novell Groupwise
  • Operating Systems: Microsoft Windows NT; Microsoft Windows 2000, 2003; Novell Netware; Sun Solaris; Microsoft Active Directory Password Synchronization Agent; Hewlett-Packard UX; IBM AIX; Red Hat Linux
  • Security Managers: IBM RACF; Cisco Secure ACS; RSA Authentication Manager; Computer Associates ACF2; Computer Associates Top Secret; BEA Aqualogic Enterprise Security
  • Web Access Control Platforms: RSA ClearTrust
  • Presentation Servers: BEA Weblogic Portal Server
  • Generic Resource Types: Generic Data Bulk Import / Export; Java APIs (with auto-discovery); JDBC support; JMS; MQ Series; Web Services; LDAP 3

Supported Platforms

  • Client Server: Microsoft Windows Server 2003 (Standard Edition); Microsoft Windows Server 2003 (Enterprise Edition); Sun Microsystems Solaris 9; Red Hat Enterprise Linux AS
  • Databases: Oracle 9i; Microsoft SQL Server 2000
  • Application Servers: BEA Weblogic Server 8.1; JBoss 3.2; IBM WebSphere 5.1
  • Web Access Control: RSA ClearTrust 5.5; Netegrity SiteMinder 5.5
  • Browser: Internet Explorer 6
  • Design Console: Microsoft Windows 2000; Microsoft Windows XP

 


 

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065

Worldwide Inquiries:
+1.650.506.7000
Fax +1.650.506.7200
http://www.oracle.com/

Copyright © Oracle Corporation 2005
All Rights Reserved

This document is provided for informational purposes only,
and the information herein is subject to change
without notice.  Please report any errors herein to
Oracle Corporation.  Oracle Corporation does not provide
any warranties covering and specifically disclaims any
liability in connection with this document.

Oracle is a registered trademark of Oracle Corporation.

All other company and product names mentioned are used
for identification purposes only and may be trademarks of
their respective owners.
