Identity and Access Management
IDAM is IDentity and Access Management.
IDAM helps in providing the right people with the right access at the right time.
Identity
In general terms, an identity is nothing but an object or person identified by a unique ID. For example, each employee in an organization is an identity. Each employee has an Employee ID which is unique, so the Employee ID is the unique ID that differentiates the identity "employee".
Each identity (employee) has multiple attributes, some of which may be unique.
Identity Management:
Identity Management is the process of managing each identity. This area comprises user management, password management, role/group management and user/group provisioning.
Some of the user management functions should be centralized while others should be delegated to end-users. Delegated administration allows an enterprise to distribute workload directly to user departmental units.
Self-service is another key concept within user management. Through a self-profile management service an enterprise benefits from timely updates and accurate maintenance of identity data.
User management requires an integrated workflow capability to approve some user actions, such as user account provisioning and de-provisioning.
Access Management:
Access management deals with the access rights of each identity. It verifies the user's validity and also the access right of the identity on a resource.
- Authentication:
Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource.
- Authorization:
Authorization is the module that determines whether a user is permitted to access a particular resource.
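The two modules above are separate decisions: authentication establishes who the user is, authorization decides what that identity may do on a resource. The following Python example (added here; not code from the original post) keeps them apart. The user store, the password hashing scheme (salted PBKDF2) and the role-to-resource policy are constructed for the example; the policy fails closed, so any (resource, action) pair not listed is denied.

```python
import hashlib
import hmac
import os

# Constructed sample data: credentials are kept as salted PBKDF2 hashes, never in clear text.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username, password, roles):
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": _hash_password(password, salt), "roles": set(roles)}

USERS = {u["username"]: u for u in [
    make_user("asha", "correct horse", ["hr_reader"]),
    make_user("ben", "battery staple", ["employee"]),
]}

# Constructed access policy: (resource, action) -> roles that are allowed.
# Anything not listed here is denied (fail closed).
POLICY = {
    ("hr_db", "read"): {"hr_reader", "hr_admin"},
    ("hr_db", "write"): {"hr_admin"},
}

def authenticate(username, password):
    """Authentication: validate the presented credentials; return the identity or None."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so the response time does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
        return user["username"]
    return None

def authorize(username, resource, action):
    """Authorization: decide whether an (already authenticated) identity may act on a resource."""
    user = USERS.get(username)
    if user is None:
        return False
    allowed = POLICY.get((resource, action), set())
    return bool(user["roles"] & allowed)

if __name__ == "__main__":
    who = authenticate("asha", "correct horse")
    print("authenticated as:", who)
    print("read hr_db:", authorize(who, "hr_db", "read"))
    print("write hr_db:", authorize(who, "hr_db", "write"))
```

Note that a successful `authenticate` does not by itself grant anything; every resource access still goes through `authorize`, which is what lets the access rights of an identity be changed without touching its credentials.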
Terminologies:
Provisioning:
Provisioning is the process of creating a user account in the target system. In provisioning the data flow is from the IDM system to the target system (pushing of data from IDM).
Example: Whenever a user is created in the IDM system, we create the same user in Active Directory (i.e. the user is provisioned in Active Directory).
Reconciliation:
Reconciliation is the process of creating user accounts in the IDM system from another system. In reconciliation the data flow is from some other resource or system to the IDM system (pulling of data towards the IDM system).
Example: Whenever a user is onboarded into an organization, his/her data is initially loaded into the HR database. The IDM system pulls the user records from the HR database and updates its own repository (i.e. the user is reconciled into the IDM system from the HR system).
Types of reconciliation:
There are two types of reconciliation:
- Trusted Reconciliation
In trusted reconciliation a user is created/updated in the IDM system. During reconciliation, if the user is not present it creates the user in the IDM system; if the user is already present it updates the attributes of the user.
Example: If we run a trusted reconciliation from the HR system, a user present in the HR system is created in the IDM system. If the user is already present, attributes such as e-mail, phone, address etc. get updated if there are any changes.
Also called Authoritative reconciliation.
- Target Reconciliation
In target reconciliation the user account is created in the IDM system, not the user itself.
Example: If we run a target reconciliation against Active Directory, the user's resource profile gets updated in the IDM system. So after reconciliation the resource profile gets updated with the Active Directory resource.
If an account is present in the target system and not present in the IDM system, we call those accounts Orphan Accounts.
Also called Non-Authoritative reconciliation.
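The provisioning, trusted reconciliation and target reconciliation flows described above, as one added Python example (not code from the original post). The IDM repository, the HR feed (authoritative source) and the Active Directory export (target) are all constructed in-memory stand-ins; data flows in the directions the text gives: provisioning pushes from IDM to the target, trusted reconciliation pulls identities from HR, and target reconciliation pulls accounts from the target, links them to resource profiles and reports orphan accounts.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the post).
HR_FEED = [  # authoritative source of identities
    {"emp_id": "E100", "name": "Asha Rao", "email": "asha@example.com", "phone": "555-0100"},
    {"emp_id": "E101", "name": "Ben Cole", "email": "ben@example.com", "phone": "555-0101"},
]
AD_EXPORT = {  # accounts as seen in the target system
    "asha.rao": {"emp_id": "E100", "enabled": True},
    "old.contractor": {"emp_id": None, "enabled": True},  # no matching identity in IDM
}

@dataclass
class Identity:
    emp_id: str
    attributes: dict
    resources: dict = field(default_factory=dict)  # resource profile per target, e.g. {"AD": {...}}

class IdmRepository:
    def __init__(self):
        self.identities = {}  # emp_id -> Identity

    def provision(self, emp_id, target, target_store):
        """Provisioning: push an account for an existing identity into the target (IDM -> target)."""
        ident = self.identities[emp_id]
        login = ident.attributes["name"].lower().replace(" ", ".")
        target_store[login] = {"emp_id": emp_id, "enabled": True}
        ident.resources[target] = {"login": login, "enabled": True}
        return login

    def trusted_reconcile(self, hr_records):
        """Trusted (authoritative) reconciliation: pull from HR, create missing identities,
        update attributes of existing ones (HR -> IDM)."""
        created, updated = [], []
        for rec in hr_records:
            attrs = {k: v for k, v in rec.items() if k != "emp_id"}
            ident = self.identities.get(rec["emp_id"])
            if ident is None:
                self.identities[rec["emp_id"]] = Identity(rec["emp_id"], attrs)
                created.append(rec["emp_id"])
            elif ident.attributes != attrs:
                ident.attributes = attrs
                updated.append(rec["emp_id"])
        return created, updated

    def target_reconcile(self, target, target_store):
        """Target (non-authoritative) reconciliation: pull accounts from the target, update the
        resource profile of the matching identity, and report accounts with no identity (orphans)."""
        linked, orphans = [], []
        for login, acct in target_store.items():
            ident = self.identities.get(acct.get("emp_id"))
            if ident is None:
                orphans.append(login)  # never create an identity from a target; flag it instead
            else:
                ident.resources[target] = {"login": login, "enabled": acct["enabled"]}
                linked.append(login)
        return linked, orphans

def run_demo():
    idm = IdmRepository()
    ad = dict(AD_EXPORT)  # working copy of the constructed target export
    created, updated = idm.trusted_reconcile(HR_FEED)       # first run: both identities created
    login = idm.provision("E101", "AD", ad)                  # Ben gets an AD account pushed out
    linked, orphans = idm.target_reconcile("AD", ad)         # Asha's existing AD account is linked
    changed_feed = [dict(HR_FEED[0], phone="555-0199"), HR_FEED[1]]
    created2, updated2 = idm.trusted_reconcile(changed_feed)  # second run: only Asha's phone changed
    return {"created": created, "updated": updated, "login": login, "linked": sorted(linked),
            "orphans": orphans, "created2": created2, "updated2": updated2,
            "asha_ad": idm.identities["E100"].resources["AD"]}

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The orphan list is the security-relevant output of target reconciliation: an account that exists in Active Directory with no identity behind it in IDM is exactly what a de-provisioning workflow should review, so the example reports it rather than silently creating an identity for it.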