IDM vs IDHub

Identity Administration Functions

• Identity Life-Cycle Management
• Connectors for Data Collection and Fulfillment
• Access Request Workflows
• Automated Provisioning
• Application Entitlement Management
• Password Management

Identity Governance Functions

• Access Reviews (Certifications)
• Access Policies and Segregation of Duties
• Application Entitlement Discovery
• Role Discovery and Engineering
• Role Management
• Logging, Analytics and Reporting

Identity Life-Cycle Management: IDM Standard

Identity Governance Systems should house primary features such as:

• Create/fetch user identities

• Modify user identity information

• Retire someone on terminations

An IDM System manages user information and stores it from the time an employee or contractor enters an organization, and well past the time they exit.

Identity Life-Cycle Management: IDHub

IDHub has multiple Identity Life-Cycle features:

• Creation/Fetching - Here are two simple ways of on-boarding users into IDHub:

  • Direct registrations using a form - IDHub acts as a source of truth for user repository

  • Reconciliation based registrations - This function is used for organizations who wish to obtain user information from an existing application(s)

    • Note: continuous synchronizations can be used to auto-update user information

• Modifying and Retiring:

  • IDHub has a user-friendly Service Request feature, which is available to anyone in the organization, and used for managing users

• Proxy Delegations:

  • When a user is out of the office, our Proxy feature automatically redirects tasks to another chosen user

Connectors: IDM Standard

Connectors are integrations with other systems to fetch, view, and modify information. The information to be ascertained is very specific to Identity management, which are:

• Identity Information

• Attribute Information

• Access Information

The complexity of these connections can be very subjective and/or complicated.

Connectors: IDHub

IDHub's connector system is capable of connecting more than 95% of the industries applications. We use SCIM based connector bridges, allowing for connections to other systems.IDHub currently provides several included connectors, which establish the connection, and are included with a license.

• LDAP

• Database

• Text File

Upon establishing connection to the connectors, IDHub's advanced application synchronizations, fetch attributes and entitlements, within the application. Our IDHub team can build custom connectors for organizations who need them.

Access Request Workflows: IDM Standard

Workflows, also known as Target Systems, are customizable, which allow for a specific path a requester must take to gain access to an application. Organizations and applications may have different methods for requesting access, and the process they follow must be present within the IDM System. Workflows generally have:

• Beneficiary - the individual who requests access

• Approver(s) or Approver Group(s) - people or groups who approve a request to the beneficiary

• Fulfiller or Fulfiller Group - people or groups who provide access to the beneficiary

Efficient IDM Systems will integrate this flow with an email system, which will notify the beneficiary throughout the request life-cycle process.

Custom Workflows: IDHub

Custom Workflows are critical for fluctuating environments. It's important to offer organizations more than the simple 3 step process to provide access: Requesting → Approving → Fulfilling. Our Custom Workflows provide:

• Custom steps with parallel task approvals to fulfill requests

• Custom forms attached to workflows, which are completed to obtain applicable information

• Email Integrations with custom email templates, allowing for personalized automatic emails sent to beneficiaries

This IDHub feature aims to revolutionize the concept of using custom workflows in IDM Systems.

Automated Provisioning: IDM Standard

Automated Provisioning is directly linked to connectors. After a beneficiary is granted access to an application, there are two ways the request can be fulfilled:

• Manual Fulfillment - manually on-boarding the application to the beneficiaries profile
• Automated Fulfillment - automatically on-boarding the application to the beneficiaries profile

Once fulfillment is complete, the industry standard states the account is provisioned (or provided) to the user.

Automatic & Manual Provisioning: IDHub

IDHub allows both manual and automatic fulfillment, for both the application and entitlements within that application.

• Manual Fulfillment - completed by an individual or a group, typically a member(s) in the IT Department
• Automatic Fulfillment - performed instantly when the connection to the system has been established

IDHub provides a Role Management function, which can perform automatic and manual fulfillment in parallel with each other. This works well when the role contains both connected and disconnected applications. We discuss this in detail, later in this document.

Application Entitlement Management: IDM Standard

Entitlements are defined as a set of privileges within an application which govern user access. They are a set of permissions which determine what a user can or cannot do. Every IDM System should:

• Store and manage entitlements within applications
• Provide easy requesting for entitlements within applications
• Provide easy removals for entitlements within applications

Application Entitlement Management: IDHub

IDHub Entitlements are added either manually or automatically, both using our Application On-Boarding Wizard.

• Disconnected Applications - entitlements within applications would be manually on-boarded
• Connected Applications - entitlements within applications would be automatically on-boarded

IDHub also provides:

• Bulk on-boarding and off-boarding of applications, and entitlements within those applications
• Enable/disable feature for temporary discontinuing applications, and entitlements within those applications

Password Management: IDM Standard

Most IDM Systems cater to storing user passwords, to synchronize with all applications within the organization. This feature is mostly used for reducing the time it takes users to login to various applications.

Password Management: IDHub

Since passwords are becoming obsolete, IDHub does not store user passwords. We believe it's best to dedicate password management to the applications and identity providers such as Google, LDAP, etc. IDHub uses Keycloak, an open source platform, leading the market, for password management, used to assist with user login.

Access Reviews (Certifications): IDM Standard

Reviewing access for individuals and/or groups within an organization is critical. Well thought through IDM Systems should easily check applications and accesses within them. Below are a few ways traditional IDM systems do this:

• Basic spreadsheets and screenshots based access checks
• Archiving old access information
• Auto-provisioning for removing access

Many newer IDM Systems provide user interfaces to perform these operations.

Certification Process: IDHub

IDHub's Certification Process is more advanced than traditional access review. IDHub provides two types of certifications:

• User-Based Certifications
• Resource-Based Certifications - resources are defined as applications, entitlements, roles etc.

Other Certification features include:

• Query-based User and Resource Mapping - this can be configured during certification setup
  • Example: Applications are checked every 2 months by John's subordinates in the billing department, by means of a single query-based certification within IDHub.
• Trigger-based Certification Request Initiation - any update, either in an application, user identity, or within a specific attribute, like location, certifications can be triggered
• Custom Scheduler - certifications can run singly or on a timely repeated schedule 

Access Policies & Segregation of Duties: IDM Standard

The main purpose for adding "Segregation of Duties" within an IDM System, would be to prevent unwanted actions from a specific individual and/or a group. Examples would be:

• Restrict self-certifications for "High Risk" applications
• Restrict administrator permissions for all users within certain applications

Some IDM Systems may perform automated notifications, in the event an anomaly is found, based on access requests with certain conditions.

Authorization Engine: IDHub

IDHub's Authorization Engine caters to Segregation of Duties:

• IDHub is a SaaS solution and customer information is stored in a secure space with stringent security norms, that do not overlap with other customers.
• Our Authorization Engine supports basic and advanced predefined rules for access and task management.
• IDHub will offer a robust trigger function, available in an upcoming version, which will allow for triggers in custom workflows, based on user defined rules.

Application Entitlement Discovery: IDM Standard

Applications can house many entitlements. A complicated application may offer more than 10000+ entitlements. Thus, managing entitlements and assisting with searching for the correct entitlement is a challenge.

Many IDM Systems provide:

• Ease of use in discovering entitlements via groups, or roles
• Discovering entitlements from within the application itself

Search Engine: IDHub

IDHub's centralized Search Engine assists users with searching for needed applications, entitlements, or roles, in a timely manner.

• Tag-Based Search - tags can be attached to applications, entitlements, and roles, allowing for a swift search process during requests.
• User-Based Search - searching for users and requesting on their behalf becomes a breeze with out Search Engine capabilities.
• Save and Share - this feature allows users to save and/or share applications, entitlements, and roles, with themselves and/or other users within the organization, making for a quick and efficient requesting process.

Role Discovery and Engineering: IDM Standard

The concept of a "Role" is fairly easy when understood in layman's terms.

A Role is a set which has predefined mapping of application(s) and entitlement(s) within. It helps manage a large quantity of entitlements and applications, as well as a large quantity of access requests.

Many IDM Systems provide:

• Create Roles
• Adding entitlements and applications to Roles
• Role modelling & simulations - To assess affect of Role on overall access
  
  

Roles: IDHub

IDHub provides a Role creation feature as well. In IDHub you can:

• Create Single Role using Role wizard
• Create Bulk Roles using Bulk Upload feature (using xls, csv files)

Role creation has 3 major elements:

• Birthright provisioning - Adding Roles to users as soon as they enter IDHub
• Condition based Role - Custom query based on which Roles will get assigned to users if they satisfy the condition
• Application & Entitlement mapping - Easy mapping of Role with existing applications and entitlements

Role Management: IDM Standard

Managing Roles can be challenging and a well thought through IDM System should be capable of:

• Adding or removing users from Role access
  
• Adding and removing Roles from applications and entitlements
  
• Role modification

Role Management: IDHub

IDHub allows for easy Role management by means of:

• Automatic Role on-boarding to users based on specific conditions
• Automatic Role removal to existing users based on account changes
• Automatic Role mapping when changes are made within applications and connected entitlements

Logging, Analytics and Reporting: IDM Standard

IDM Systems should allow for efficient logging, analytics, and reporting, with the ability to:

• Log all user activity made within an application
  
• Perform analytics on existing data in system
• Provide actionable information on analytics performed

Logging, Analytics and Reporting: IDHub

IDHub records and stores all data in a repository. Organizations can perform actions like:

• Scheduled backups and restoration of data and configurations
• Easy transfer of data from one environment to another: for on-premise users
  
• Provide custom reports in IDHub via JS Scripts
• Customized dashboards for end-users and administrators