by Rex Thexton, Nishidhdha Shah, and Harish Gaur
Published January 2011
Part of the Oracle Fusion Middleware Patterns article series
Customers, partners, and employees all need access to enterprise data. But as IT enterprises grow more complex with new systems, interfaces, and applications, it becomes increasingly challenging to control and monitor who can access what IT resources.
The risks of ineffective permissions are substantial. Unauthorized users could gain access to IT resources and wreak havoc on applications and data. Companies could risk not meeting rigorous security and privacy compliance requirements. And the IT help desk could spend countless hours mitigating these risks.
There are typically two areas in which an IT department feels the most heat. First is in the process of how a user is provisioned (or de-provisioned) when the user joins (or leaves) the organization. If the provisioning process is not automated, new-hires could spend numerous unproductive hours or days waiting to get access to key applications and resources. On the other hand, if users are not de-provisioned accurately, they could gain unauthorized access to applications and data after they leave the company, posing a serious security risk.
And that's not all. Unauthorized end users also could gain access to the company's intranet (or extranet) portal, exposing sensitive data. It is imperative that the intranet/extranet portal be able to leverage user identities to authenticate and authorize users, eliminate unauthorized access, and personalize the look and feel of the portal.
So, how does one go about automating a provisioning platform and building a secure portal? Directory technologies such as LDAP lack the architectural flexibility to capture and maintain detailed information about people and complex organizational relationships. An LDAP directory could capture that Jean is a manager, for instance, but it cannot know details such as her business role, whom she manages, or which applications she should have access to according to her business role. This is why the business context of a user is critical when automating provisioning or building a portal.
In this article we will demonstrate how an organization can take a role-based approach to automate provisioning and personalize a portal. We will review how a reference architecture is built using portal, role manager, and provisioning tools. We will then explore how Schneider National, a multinational trucking company, successfully automated employee on-boarding and personalized its intranet portal using Oracle Identity Management Suite (Oracle Identity Manager, Oracle Role Manager, and Oracle Access Manager) and the Oracle WebCenter Suite Spaces feature.
Any organization that implements a role-based platform for automated provisioning and a personalized portal must first implement an integrated identity-management platform to manage risk, protect sensitive information assets, and improve business performance. An identity management suite also can be used to integrate information portals, providing a sophisticated solution for access management, provisioning, and role management.
The solution should include four key components:
Figure 1: Four Key Technology Components for Role-Based Provisioning and Portal Access
The provisioning platform pulls identities from a trusted source (often an HR system) and facilitates provisioning by automatically creating accounts on a target system. It is responsible for synchronizing user data between the HR system and target systems when user data changes, such as on new hires, job role changes, or employee termination. When a user is removed from a role and no longer requires access, the provisioning platform automatically deletes the user's privileges from the target system.
The provisioning platform extracts user attributes, such as role and relationship data, from Oracle Role Manager through application programming interfaces (APIs). The provisioning platform maintains a comprehensive, time-stamped audit trail of all user-provisioning activities.
Role-based management is a relatively new component of Identity and Access Management (IAM) that is quickly gaining acceptance. Based on 2009 field research, for instance, the Burton Group highlighted the importance of role management, stating that role-based initiatives benefit a business by improving compliance and reducing risk and the expenses associated with excessive privileges.
Many organizations are adopting role-management technology to speed the provisioning process. Role management organizes user-access rights based on similar responsibilities across the enterprise. For instance, a company might formalize job codes or responsibilities into particular roles that carry their own specific system-access rights and security levels. As a user's role changes, so do the user's access permissions. Oracle Identity Manager pushes these changes to the role manager, which derives user role membership and access information based on the user profile sent from the trusted source. The provisioning platform and role manager should work in tandem to ensure that provisioning events are based on roles.
An access management platform allows users of applications or IT systems to log in once and gain access to IT resources across the enterprise. This allows the organization to create a centralized and automated single sign-on (SSO) solution for managing who has access to what information across the IT infrastructure.
Portals provide unified access to enterprise information in a personalized fashion. Portals can leverage the access-management platform to authenticate and authorize users. Once the user is authenticated and authorized, the portal presents an interface that can be personalized for each user to display only the data and applications that user has access to.
To understand how these different components work together, let's review the architecture shown in Figure 2. (Also see the June 2009 white paper Oracle Role Manager.)
Figure 2: Reference Architecture for Role-Based Provisioning and Portal Access
Now that we have seen how a reference solution works, we can examine how Schneider National, a trucking company, automated employee on-boarding and personalized portal access to employees based on their roles.
Schneider National, based in Green Bay, Wisconsin, is a multinational provider of transportation services and logistics solutions that recently updated its IAM solution. The 75-year-old company and its wholly owned subsidiaries employ a complex IT infrastructure that supports a range of user types, including employees, associates, customers, and vendors. Although Schneider is not a publicly traded company, internal directives require that it adhere to compliance standards, such as Sarbanes-Oxley.
In recent years, Schneider's homegrown provisioning solution proved unable to handle the growing compliance requirements and increasing complexity of the business environment. The existing solution could centrally manage accounts on multiple target systems, but it required considerable IT resources to manage connectivity with the target systems.
The company's on-boarding process relied on manual requests and manual provisioning. The solution employed a "model after" approach to request access for new employees. Over time, the security team discovered the system was granting more access than the user required, which put the company in danger of compliance violations.
In an effort to correct the access rights, access requests were adjusted multiple times, which complicated accurate tracking of users' access rights. The confusion led to delays in assigning access rights to new-hires and internal transfers, which resulted in a loss of productivity.
Similarly, suspending access of terminated employees was a manual process that required managers to request termination. Suspended accounts were not automatically registered in the system, however, which impeded the security team's efforts to provide accurate internal audits of active accounts.
Schneider's existing solution also lacked a central authorized source for user profile attributes, and the company's target systems did not automatically sync user profile attributes. Accordingly, Schneider's security team often did not know which user had access to what applications.
Lastly, Schneider struggled with inconsistent interfaces and applications for customers, truckers, and employees. The company's applications not only were dissimilar in interface, but also required a separate Web browser session to run.
Schneider, with the guidance of PricewaterhouseCoopers, decided to address these deficiencies by replacing all legacy and home-grown solutions with packaged applications, part of a strategy to help reduce costs and standardize the IT infrastructure.
The company selected Oracle Identity Management Suite (Oracle Identity Manager, Oracle Role Manager, and Oracle Access Manager) and Oracle WebCenter Suite Spaces for its new infrastructure. Schneider chose Oracle Identity Manager, in particular, for its off-the-shelf connectors and ability to automatically manage accounts on various target systems.
Note: Oracle Role Manager has since been replaced with Oracle Identity Analytics 11g, which is now the strategic product for role administration and role lifecycle management. Oracle Identity Analytics 11g contains a superset of the features in Oracle Role Manager 10g, but adds comprehensive support for access certification and identity audit. The combination of Oracle Identity Analytics and Oracle Identity Manager delivers a powerful, flexible solution for enterprise identity administration and governance.
Figure 3: Schneider's Reference Architecture Using Oracle Identity Manager, Oracle Role Manager, Oracle Access Manager, and Oracle WebCenter Suite Spaces
Because the Oracle identity management components are integrated out of the box, Schneider didn't have to build its own modules and interfaces, which saved in development costs and implementation time.
To understand how these pieces fit together, let's review how the technology fully automates Schneider's on-boarding process for new-hires.
Schneider employs the Oracle iRecruitment application for finding, recruiting, and hiring new employees. Using a self-service Web interface, a job applicant creates an account and enters personal information to apply for the position. When a candidate is hired, the personal data from the application flows into the Oracle E-Business Suite system and becomes the new-hire's personnel data.
Figure 4: The New Employee Record Is Created in Oracle E-Business Suite
Once the employee account is created, Oracle Identity Manager pulls user information from Oracle E-Business Suite at regular intervals to manage the user on other target systems as well as in its own repository. This task is achieved with Oracle E-Business Suite Employee Reconciliation Connector.
Figure 5: Integration of Oracle Identity Manager with Oracle E-Business Suite HRMS Using Employee Reconciliation Connector
Oracle E-Business Suite Employee Reconciliation Connector retrieves employee records from the Oracle E-Business Suite HR store and creates identities based on them in Oracle Identity Manager, using a process known as trusted source reconciliation. (It uses the Oracle E-Business Suite User Management Connector when Oracle E-Business Suite is a target resource for Oracle Identity Manager.) For more details, see About the Connector.
Figure 6: The User Is Created in Oracle Identity Manager
Oracle Identity Manager also uses the Oracle E-Business Suite User Management Connector to create users on Oracle E-Business Suite and assign responsibilities based on their roles. Using the Oracle E-Business Suite integration with Oracle Identity Manager, Schneider electronically enrolled 100% of its employees during the annual benefit enrollment, which saved significant costs because employees did not have to print, distribute, and process paper-based forms.
In the event of employee termination, Oracle Identity Manager uses data from the HR system to determine the employee's last day of employment. On the last working day, the Oracle Identity Manager system automatically removes the user's access from all target systems. For forced terminations, Schneider has established an emergency team that can remove the user account directly from Oracle Identity Manager. When user accounts are removed from Oracle Identity Manager, Oracle Identity Manager then automatically removes all target system accounts attached to the deleted user.
Schneider also configured Oracle Identity Manager to recertify all accounts from target applications on a regular interval. This enabled the company to detect all orphaned accounts on all target systems and override any changes made directly on the target systems. Schneider also leveraged Oracle Identity Manager to manage and synchronize passwords on all target systems, and Schneider employed the self-service password-reset functionality in Oracle Identity Manager to provide self-service capability to end users.
Oracle Role Manager acts as a supplier of role and role-grant information to Oracle Identity Manager, which in turn uses this information to provision various applications. When Oracle Role Manager is deployed with Oracle Identity Manager, the integration between components is bundled and preconfigured.
Dynamic business roles in Oracle Role Manager automate role membership based on job codes (such as Executive Sales account in Figure 6) or other business relationships. Previously, role definitions were manually tracked in far-flung spreadsheets. The new system enables Schneider to manage employees across the role lifecycle in a centralized, automated repository.
Figure 7: Business Role Definition for Non-Driver Employees in Oracle Role Manager
Oracle Role Manager derives a user's access based on role membership, for example, US Employee Self Service (non-driver) in Figure 7, and automatically generates accounts on target applications, which can dramatically speed on-boarding of new employees.
For personnel changes, such as promotions or reassignments, the HR system modifies the user profile to reflect the new job and, based on role definition, Oracle Role Manager instructs Oracle Identity Manager to automatically update the user's access rights and remove unneeded access privileges.
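The provisioning behaviour described above (role membership derived from the HR job code, automatic removal of all access on the HR last day, and a recertification pass that detects orphaned accounts and overrides changes made directly on target systems) as an added Python model; this is not Oracle Identity Manager or Oracle Role Manager code, and the job codes, roles, target systems and user records are constructed for the illustration.

```python
from datetime import date

# Constructed role model (not Schneider's real definitions): HR job code ->
# business roles, and business role -> (target system, entitlement).
JOB_CODE_ROLES = {
    "NONDRV-US": {"US Employee Self Service (non-driver)"},
    "EXEC-SALES": {"US Employee Self Service (non-driver)", "Sales Manager"},
}
ROLE_ENTITLEMENTS = {
    "US Employee Self Service (non-driver)": {("OID", "cn=employees"), ("EBS", "Self Service")},
    "Sales Manager": {("Siebel", "SALES_MGR")},
}

def roles_for(record, today):
    """Dynamic role membership from the HR job code; on or after the HR
    last day the user holds no roles, so every entitlement is revoked."""
    last_day = record.get("last_day")
    if last_day is not None and today >= last_day:
        return set()
    return JOB_CODE_ROLES.get(record["job_code"], set())

def desired_access(hr_records, today):
    """user id -> set of (system, entitlement) implied by the user's roles."""
    return {rec["id"]: set().union(*(ROLE_ENTITLEMENTS[r] for r in roles_for(rec, today)))
            for rec in hr_records}

def reconcile(hr_records, target_accounts, today):
    """Recertification pass: compare role-derived access with accounts found on
    the targets. Returns sorted (grants, revokes, orphans) of (user, system, entitlement)."""
    desired = desired_access(hr_records, today)
    actual = {}
    for user, system, ent in target_accounts:
        actual.setdefault(user, set()).add((system, ent))
    grants, revokes, orphans = [], [], []
    for user in set(desired) | set(actual):
        have = actual.get(user, set())
        if user not in desired:           # account with no trusted-source identity
            orphans += [(user, s, e) for s, e in have]
            continue
        grants += [(user, s, e) for s, e in desired[user] - have]
        revokes += [(user, s, e) for s, e in have - desired[user]]  # incl. direct grants
    return sorted(grants), sorted(revokes), sorted(orphans)

# Constructed sample: an active non-driver, a sales executive whose last day
# has passed, and a Siebel account with no HR record behind it.
HR = [
    {"id": "jdoe", "job_code": "NONDRV-US", "last_day": None},
    {"id": "asmith", "job_code": "EXEC-SALES", "last_day": date(2011, 1, 14)},
]
TARGETS = [
    ("jdoe", "OID", "cn=employees"),
    ("jdoe", "Siebel", "SALES_MGR"),   # granted directly on the target, not via a role
    ("asmith", "OID", "cn=employees"),
    ("asmith", "Siebel", "SALES_MGR"),
    ("ghost", "Siebel", "SALES_MGR"),  # orphan: no trusted-source identity
]

if __name__ == "__main__":
    for label, items in zip(("grant", "revoke", "orphan"), reconcile(HR, TARGETS, date(2011, 1, 15))):
        print(label, items)
```

Running the pass the day after asmith's last day grants jdoe the missing self-service entitlement, revokes jdoe's directly granted Siebel access and all of asmith's access, and flags the ghost account as an orphan.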
Figure 8: Oracle Role Manager Generates Accounts on Target Applications
The Oracle Resource Profile within Oracle Identity Manager creates a user profile that defines the applications that each employee can access. Using out-of-the-box connection tools, Schneider's IT team configured Oracle Identity Manager to manage automatic provisioning on Oracle E-Business Suite, Siebel, Oracle Internet Directory, Microsoft Active Directory, Microsoft Exchange 2007, and Oracle Database. The company also configured Oracle Identity Manager to manage users on other target systems by leveraging the Oracle Identity Manager adapter factory to enable Java-based integration with other target systems.
Oracle Virtual Directory acts as a proxy between Oracle Access Manager and Oracle Internet Directory and provides real-time, virtual views of identity data from any data store, including directories, databases, and the Web.
Schneider used the Oracle WebCenter Suite Spaces module to build flexible, robust individual and group work environments. The company employed the functionality and flexibility of Oracle WebCenter Suite Spaces to create portals for its employees, and it plans to implement portals for customers and all truck drivers next year. Oracle WebCenter Suite Spaces has enabled Schneider to build a portal that combines various applications into one interface with a common look and feel.
With its previous solution, the company's applications not only were dissimilar in interface, but they also required a separate Web browser session to run. The new employee portals require only one browser session and enable users to more quickly and efficiently complete tasks.
Each Schneider employee has access to an individual, role-based portal that provides access to the appropriate applications and data.
Based on the job responsibility assigned by HR in Oracle E-Business Suite, Oracle Role Manager assigns the proper business role to the user. Using this business role, Oracle Identity Manager automatically creates a user account on Oracle Internet Directory and assigns proper group membership.
Schneider adopted Oracle Internet Directory for its ability to seamlessly integrate with other Oracle products, including Oracle Access Manager, Oracle Collaborative Suite, Oracle E-Business Suite, and Oracle Enterprise Manager. Schneider uses Oracle Internet Directory as a scalable directory to store identity and meta-data information for Oracle Access Manager and Oracle WebCenter Suite Spaces.
At Schneider, Oracle Access Manager authenticates users and enforces the organization's access policy through Web Agents (Oracle WebGates) installed on the Oracle WebLogic server that hosts Oracle WebCenter Suite Spaces.
The first time a user accesses Oracle WebCenter Suite Spaces without authentication, Oracle Access Manager requires the user to log in using single sign-on credentials. After login, Oracle Access Manager pulls user credentials from Oracle Internet Directory and, based on the access policy, allows or rejects access to Oracle WebCenter Suite Spaces.
Figure 9: Oracle WebCenter Suite Spaces Configuration to Authorize Access Information Based on Oracle Internet Directory Group Membership
After authentication, Oracle WebCenter Suite Spaces presents a portal to the user based on the user's role in the Schneider organization, for example:
The new suite of identity-management solutions enabled Schneider to achieve notable gains in efficiencies, which have had a positive impact on operating costs. Using this solution, the company reduced the total time of on-boarding from several days to 24 hours. This resulted in significant cost savings and efficiencies because new-hires are able to start work on day one.
The ability of Oracle Identity Manager to automatically remove terminated employees significantly improved Schneider's overall security posture, because the company no longer worries about being out of compliance due to orphaned accounts.
Oracle Access Manager lets the company run multiple instances for redundancy and efficiency, giving higher availability. Since implementing the new system, Schneider has experienced less downtime due to system outages, which has boosted productivity.
The new system also has enabled Schneider to minimize manual processing of certain items. For instance, the company streamlined payroll because it can now handle checks electronically. Similarly, 100 percent of its employees now fill out benefits enrollment online, obviating the need to mail and process paper forms.
Finally, the implementation enables Schneider to quickly generate audit reports to determine user access rights for regulatory compliance reports.
Schneider Transportation's out-of-date infrastructure couldn't keep pace with increasing demands for efficient on-boarding, identity management, certification, role management, and data sharing with business partners. The company implemented a scalable system based on the Oracle Identity Management Suite to standardize its technology and incorporate effective identity and access management with role-based access control. Oracle WebCenter Suite Spaces enabled Schneider to easily create portals for employees (and soon, for all truckers and business partners) for streamlined and secure access to its system, resulting in a solution set that can easily mature and grow with the business.
Rex Thexton is Managing Director at PricewaterhouseCoopers
Nishidhdha Shah is Sr. Associate at PricewaterhouseCoopers Consulting
Harish Gaur is Director, Product Management, Oracle Fusion Middleware