Before deciding whether IDHub is a good fit for you and your organization, read through this document to understand what Identity Governance & Administration is and the basic concepts behind it. Identity Governance & Administration is also referred to as an Identity Management System, or IDM for short. This document will deepen your understanding of IDM systems and help you decide whether to use IDHub in your organization.
Identity Administration Functions
- Identity Life-Cycle Management
- Connectors for Data Collection and Fulfillment
- Access Request Workflows
- Automated Provisioning
- Application Entitlement Management
- Password Management
Identity Governance Functions
- Access Reviews (Certifications)
- Access Policies and Segregation of Duties
- Application Entitlement Discovery
- Role Discovery and Engineering
- Role Management
- Logging, Analytics and Reporting
The functions listed above are the Identity Governance and Identity Administration functions. Together they make up a comprehensive Identity Governance & Administration system, also known as an IDM system.
In the next section we discuss these IDM terms in detail, and how IDHub implements each function to enhance the user experience.
IDM vs IDHub: Identity Administration System
Identity Life-Cycle Management: IDM Standard
An Identity Governance System should provide these primary features:
- Create or fetch user identities
- Modify user identity information
- Retire identities on termination
An IDM System manages and stores user information from the time an employee or contractor enters an organization until well past the time they exit.
Identity Life-Cycle Management: IDHub
IDHub has multiple Identity Life-Cycle features:
- Creation/Fetching - there are two simple ways of on-boarding users into IDHub:
  - Direct registrations using a form - IDHub acts as the source of truth for the user repository
  - Reconciliation-based registrations - used by organizations that wish to obtain user information from one or more existing applications
  - Note: continuous synchronizations can be used to auto-update user information
- Modifying and Retiring:
  - IDHub has a user-friendly Service Request feature, available to anyone in the organization, which is used for managing users
  - When a user is out of the office, the Proxy feature automatically redirects their tasks to another chosen user
Connectors: IDM Standard
Connectors are integrations with other systems to fetch, view, and modify information. The information to be ascertained is very specific to identity management, namely:
The complexity of these connections varies widely from system to system and can be considerable.
Connectors: IDHub
IDHub's connector system is capable of connecting to more than 95% of the industry's applications. We use SCIM-based connector bridges, allowing for connections to other systems. IDHub currently provides several connectors that establish these connections, and they are included with a license.
Once a connection is established, IDHub's advanced application synchronizations fetch the attributes and entitlements within the application. The IDHub team can build custom connectors for organizations that need them.
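As an added illustration of the reconciliation-based registration and continuous synchronization described under Identity Life-Cycle Management, and of what a connector-driven synchronization has to decide once attributes have been fetched, here is a small Python example. It is not IDHub's own code: it assumes a connector has already fetched a connected application's users as SCIM 2.0 core-schema resources (userName, active, name, emails) plus an assumed custom department attribute, and that the local identity store is a dict keyed by userName. All sample records are constructed for the example.

```python
"""Reconciliation of application users into a local identity store.

Added example, not IDHub's own code: it assumes a connector has already fetched
the application's users as SCIM 2.0 core-schema resources (userName, active,
name, emails) plus a custom "department" attribute, and that the local store is
a dict keyed by userName. Sample data below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Constructed sample of what a SCIM /Users listing from a connected system could return.
SCIM_USERS = [
    {"userName": "alice", "active": True,
     "name": {"givenName": "Alice", "familyName": "Adams"},
     "emails": [{"value": "alice@example.com", "primary": True}], "department": "billing"},
    {"userName": "bob", "active": True,
     "name": {"givenName": "Bob", "familyName": "Baker"},
     "emails": [{"value": "bob@example.com", "primary": True}], "department": "billing"},
    {"userName": "dave", "active": True,
     "name": {"givenName": "Dave", "familyName": "Dunn"},
     "emails": [{"value": "dave@example.com", "primary": True}], "department": "sales"},
    {"userName": "erin", "active": False,
     "name": {"givenName": "Erin", "familyName": "Evans"},
     "emails": [{"value": "erin@example.com", "primary": True}], "department": "sales"},
]

# Constructed local identity store as it looked before this synchronization run.
LOCAL_STORE = {
    "alice": {"first_name": "Alice", "last_name": "Adams", "email": "alice@example.com",
              "department": "billing", "active": True},
    "bob":   {"first_name": "Bob", "last_name": "Baker", "email": "bob@example.com",
              "department": "sales", "active": True},          # moved to billing
    "carol": {"first_name": "Carol", "last_name": "Cole", "email": "carol@example.com",
              "department": "billing", "active": True},        # gone from the source
    "erin":  {"first_name": "Erin", "last_name": "Evans", "email": "erin@example.com",
              "department": "sales", "active": True},          # deactivated at the source
}


@dataclass
class ReconResult:
    create: List[str] = field(default_factory=list)
    update: Dict[str, Dict[str, Any]] = field(default_factory=dict)
    retire: List[str] = field(default_factory=list)


def flatten(scim_user: Dict[str, Any]) -> Dict[str, Any]:
    """Map a SCIM resource onto the local store's flat attribute set."""
    primary = next((e["value"] for e in scim_user.get("emails", []) if e.get("primary")), None)
    return {
        "first_name": scim_user["name"]["givenName"],
        "last_name": scim_user["name"]["familyName"],
        "email": primary,
        "department": scim_user.get("department"),
        "active": scim_user.get("active", True),
    }


def reconcile(scim_users: List[Dict[str, Any]], store: Dict[str, Dict[str, Any]]) -> ReconResult:
    """Classify every identity as create / update / retire without touching the store."""
    result = ReconResult()
    seen = set()
    for resource in scim_users:
        uid = resource["userName"]
        seen.add(uid)
        incoming = flatten(resource)
        current = store.get(uid)
        if current is None:
            if incoming["active"]:            # never on-board an already-disabled account
                result.create.append(uid)
            continue
        if not incoming["active"] and current["active"]:
            result.retire.append(uid)         # source disabled the account: leaver
            continue
        diff = {k: v for k, v in incoming.items() if current.get(k) != v}
        if diff:
            result.update[uid] = diff         # mover / attribute change
    for uid, record in store.items():
        if uid not in seen and record["active"]:
            result.retire.append(uid)         # present locally, vanished at the source
    return result


def apply_changes(result: ReconResult, scim_users: List[Dict[str, Any]],
                  store: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Return a new store with the reconciliation applied; retirement disables, never deletes."""
    by_name = {u["userName"]: u for u in scim_users}
    new_store = {uid: dict(rec) for uid, rec in store.items()}
    for uid in result.create:
        new_store[uid] = flatten(by_name[uid])
    for uid, diff in result.update.items():
        new_store[uid].update(diff)
    for uid in result.retire:
        new_store[uid]["active"] = False     # keep the record for audit and a later rehire
    return new_store
```

Retirement disables the local record instead of deleting it, so the audit trail and a later rehire still work, and an account that is already inactive at the source is never on-boarded in the first place; a continuous synchronization would simply run `reconcile` followed by `apply_changes` on every fetch.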
Access Request Workflows: IDM Standard
Workflows, also known as Target Systems, are customizable and define the specific path a requester must take to gain access to an application. Organizations and applications may have different methods for requesting access, and the process they follow must be represented within the IDM System. Workflows generally have:
- Beneficiary - the individual who requests access
- Approver(s) or Approver Group(s) - people or groups who approve a request for the beneficiary
- Fulfiller or Fulfiller Group - people or groups who provide access to the beneficiary
Efficient IDM Systems will integrate this flow with an email system, which will notify the beneficiary throughout the request life-cycle process.
Custom Workflows: IDHub
Custom Workflows are critical for fluctuating environments. It is important to offer organizations more than the simple 3-step process for providing access: Requesting → Approving → Fulfilling. Our Custom Workflows provide:
- Custom steps with parallel task approvals to fulfill requests
- Custom forms attached to workflows, completed to collect the applicable information
- Email integrations with custom email templates, allowing personalized automatic emails to be sent to beneficiaries
This IDHub feature aims to revolutionize the concept of using custom workflows in IDM Systems.
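Here is an added Python example of the request life-cycle described above (beneficiary, approver steps, fulfiller group), showing parallel approvals within a step, an attached custom form, and the notifications a workflow emits at each transition. It is example code written for this page, not IDHub's workflow engine: the two-step layout, the required form fields and the message texts are assumptions, and email sending is replaced by appending to an in-memory list.

```python
"""Access-request workflow: beneficiary -> approval steps -> fulfiller group,
with parallel approvals inside a step, an attached custom form, and the
notifications a workflow emits at each transition.

Added example, not IDHub's workflow engine. The two-step layout, the required
form fields and the message texts are assumptions; email sending is replaced
by appending to an in-memory list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ApprovalStep:
    name: str
    approvers: Set[str]                        # all listed approvers decide in parallel
    decisions: Dict[str, bool] = field(default_factory=dict)

    def complete(self) -> bool:
        return set(self.decisions) == self.approvers

    def approved(self) -> bool:
        return self.complete() and all(self.decisions.values())


@dataclass
class AccessRequest:
    beneficiary: str
    resource: str
    form: Dict[str, str]
    steps: List[ApprovalStep]
    fulfiller_group: str
    state: str = "DRAFT"
    step_index: int = 0
    notifications: List[str] = field(default_factory=list)

    def notify(self, recipient: str, message: str) -> None:
        # Stands in for the templated email the workflow would send.
        self.notifications.append(f"to={recipient}: {message}")


REQUIRED_FIELDS = {"business_justification", "cost_center"}   # assumed custom form


def submit(req: AccessRequest) -> str:
    """Validate the form and the step layout, then open the first approval step."""
    missing = REQUIRED_FIELDS - {k for k, v in req.form.items() if v}
    if missing:
        raise ValueError(f"form incomplete: {sorted(missing)}")
    if any(req.beneficiary in step.approvers for step in req.steps):
        raise ValueError("a beneficiary may not be an approver of their own request")
    req.state = "PENDING_APPROVAL"
    req.notify(req.beneficiary, f"request for {req.resource} submitted")
    _open_step(req)
    return req.state


def _open_step(req: AccessRequest) -> None:
    step = req.steps[req.step_index]
    for approver in sorted(step.approvers):
        req.notify(approver, f"approval needed ({step.name}) for {req.beneficiary}/{req.resource}")


def decide(req: AccessRequest, approver: str, approve: bool) -> str:
    """Record one approver's decision; a single rejection ends the request."""
    if req.state != "PENDING_APPROVAL":
        raise ValueError(f"no decision allowed in state {req.state}")
    step = req.steps[req.step_index]
    if approver not in step.approvers:
        raise PermissionError(f"{approver} is not an approver in step {step.name}")
    step.decisions[approver] = approve
    if not approve:
        req.state = "REJECTED"
        req.notify(req.beneficiary, f"request for {req.resource} rejected by {approver}")
    elif step.approved():                      # every parallel approver has said yes
        req.step_index += 1
        if req.step_index == len(req.steps):
            req.state = "PENDING_FULFILLMENT"
            req.notify(req.fulfiller_group, f"fulfill {req.resource} for {req.beneficiary}")
        else:
            _open_step(req)
    return req.state


def fulfill(req: AccessRequest, fulfiller: str) -> str:
    """Fulfiller confirms provisioning (a person, or an automated connector calling this)."""
    if req.state != "PENDING_FULFILLMENT":
        raise ValueError(f"cannot fulfill in state {req.state}")
    req.state = "PROVISIONED"
    req.notify(req.beneficiary, f"{req.resource} provisioned by {fulfiller}")
    return req.state


def sample_request() -> AccessRequest:
    """Constructed request: manager approval, then two application owners in parallel."""
    return AccessRequest(
        beneficiary="bob", resource="erp:ar_view",
        form={"business_justification": "month-end close", "cost_center": "CC-100"},
        steps=[ApprovalStep("manager", {"john"}),
               ApprovalStep("app-owners", {"owner1", "owner2"})],
        fulfiller_group="it-fulfillers")
```

The step only advances once every approver listed in it has approved, which is what "parallel task approvals" means in practice; a single rejection anywhere closes the request, and the state check in `decide` and `fulfill` prevents decisions arriving out of order.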
Automated Provisioning: IDM Standard
Automated Provisioning is directly linked to connectors. After a beneficiary is granted access to an application, there are two ways the request can be fulfilled:
- Manual Fulfillment - manually on-boarding the application to the beneficiary's profile
- Automated Fulfillment - automatically on-boarding the application to the beneficiary's profile
Once fulfillment is complete, in industry terminology the account is said to be provisioned (or provided) to the user.
Automatic & Manual Provisioning: IDHub
IDHub allows both manual and automatic fulfillment, for both the application and the entitlements within that application.
- Manual Fulfillment - completed by an individual or a group, typically one or more members of the IT department
- Automatic Fulfillment - performed instantly once the connection to the system has been established
IDHub provides a Role Management function, which can perform automatic and manual fulfillment in parallel with each other. This works well when the role contains both connected and disconnected applications. We discuss this in detail, later in this document.
Application Entitlement Management: IDM Standard
Entitlements are defined as the set of privileges within an application that govern user access: a set of permissions that determine what a user can or cannot do. Every IDM System should:
- Store and manage entitlements within applications
- Provide easy requesting for entitlements within applications
- Provide easy removals for entitlements within applications
Application Entitlement Management: IDHub
IDHub Entitlements are added either manually or automatically, both using our Application On-Boarding Wizard.
- Disconnected Applications - entitlements within the application are on-boarded manually
- Connected Applications - entitlements within the application are on-boarded automatically
IDHub also provides:
- Bulk on-boarding and off-boarding of applications, and of the entitlements within those applications
- An enable/disable feature for temporarily discontinuing applications, and the entitlements within those applications
Password Management: IDM Standard
Most IDM Systems store user passwords in order to synchronize them with all applications within the organization. This feature is mostly used to reduce the time it takes users to log in to various applications.
Password Management: IDHub
Since passwords are becoming obsolete, IDHub does not store user passwords. We believe it is best to leave password management to the applications and to identity providers such as Google, LDAP, etc. For user login, IDHub uses Keycloak, a market-leading open source platform, for password management.
Based on the above analysis, IDHub can be regarded as an "Advanced Futuristic Identity Administration Solution" that provides ease of use for current day-to-day needs.
IDM vs IDHub: Identity Governance System
The features below determine whether a system is eligible to be called an "Identity Governance System". Continue reading to see how IDHub compares with traditional IDM Systems.
Access Reviews (Certifications): IDM Standard
Reviewing the access held by individuals and/or groups within an organization is critical. A well-designed IDM System should make it easy to check applications and the access granted within them. Below are a few ways traditional IDM systems do this:
- Access checks based on spreadsheets and screenshots
- Archiving old access information
- Auto-provisioning for removing access
Many newer IDM Systems provide user interfaces to perform these operations.
Certification Process: IDHub
IDHub's Certification Process is more advanced than a traditional access review. IDHub provides two types of certifications:
- User-Based Certifications
- Resource-Based Certifications - resources are defined as applications, entitlements, roles, etc.
Other Certification features include:
- Query-based User and Resource Mapping - configured during certification setup
  - Example: applications are checked every 2 months by John's subordinates in the billing department, by means of a single query-based certification within IDHub.
- Trigger-based Certification Request Initiation - a certification can be triggered by any update to an application, to a user identity, or to a specific attribute such as location
- Custom Scheduler - certifications can run once or on a recurring schedule
Access Policies & Segregation of Duties: IDM Standard
The main purpose of adding "Segregation of Duties" to an IDM System is to prevent unwanted actions by a specific individual and/or group. Examples would be:
- Restrict self-certifications for "High Risk" applications
- Restrict administrator permissions for all users within certain applications
Some IDM Systems can send automated notifications when an access request matching certain conditions is found to be anomalous.
Authorization Engine: IDHub
IDHub's Authorization Engine caters to Segregation of Duties:
- IDHub is a SaaS solution; each customer's information is stored in a secured space, under stringent security norms, that does not overlap with other customers' data.
- Our Authorization Engine supports basic and advanced predefined rules for access and task management.
- IDHub will offer a robust trigger function in an upcoming version, allowing triggers in custom workflows based on user-defined rules.
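The following added Python example ties together the Certification and Segregation of Duties sections above. It builds a query-based certification campaign in the style of the John's-subordinates-in-billing example (population selected by an attribute query, reviewer assigned per resource, a trigger that re-certifies a user when a watched attribute changes) and enforces the two Segregation of Duties examples: a self-certification of a "High Risk" application is escalated to a separate reviewer, and an administrator entitlement held by an ordinary user on a restricted application is flagged. It is not IDHub's Authorization Engine; the users, grants, application owners, policy sets and query format are constructed assumptions.

```python
"""Query-based certification campaign with segregation-of-duties (SoD) checks.

Added example, not IDHub's own code. The users, grants, application owners,
the query format (attribute -> required value, all must match) and the two SoD
policies are constructed assumptions modelled on the text above.
"""
from typing import Any, Dict, List

# Constructed identity data: manager chain, department, location and a "privileged" flag.
USERS: Dict[str, Dict[str, Any]] = {
    "john":  {"manager": "ceo",  "department": "billing", "location": "NYC", "privileged": True},
    "alice": {"manager": "john", "department": "billing", "location": "NYC", "privileged": False},
    "bob":   {"manager": "john", "department": "billing", "location": "LON", "privileged": False},
    "dave":  {"manager": "sue",  "department": "sales",   "location": "NYC", "privileged": False},
}
# Constructed grants: (user, application, entitlement).
GRANTS = [
    ("john",  "payroll", "approver"),
    ("alice", "payroll", "viewer"),
    ("alice", "erp",     "ar_view"),
    ("bob",   "erp",     "admin"),
    ("dave",  "crm",     "editor"),
]
APP_OWNERS = {"payroll": "john", "erp": "alice", "crm": "dave"}   # resource-based reviewer
HIGH_RISK_APPS = {"payroll"}             # SoD rule 1: no self-certification here
ADMIN_RESTRICTED_APPS = {"erp"}          # SoD rule 2: "admin" only for privileged users
TRIGGER_ATTRIBUTES = {"location", "department"}
ESCALATION_REVIEWER = "security-admin"   # assumed stand-in reviewer for escalations


def select_users(query: Dict[str, Any]) -> List[str]:
    """Users whose attributes equal every key in the query, e.g. John's subordinates in billing."""
    return sorted(u for u, attrs in USERS.items()
                  if all(attrs.get(k) == v for k, v in query.items()))


def review_items(users: List[str]) -> List[Dict[str, Any]]:
    """One review item per grant held by the selected users, with reviewer and SoD flags."""
    items = []
    for user, app, ent in GRANTS:
        if user not in users:
            continue
        reviewer = APP_OWNERS[app]
        flags: List[str] = []
        if reviewer == user and app in HIGH_RISK_APPS:
            reviewer = ESCALATION_REVIEWER           # rule 1: escalate instead of self-certifying
            flags.append("self_certification_escalated")
        if ent == "admin" and app in ADMIN_RESTRICTED_APPS and not USERS[user]["privileged"]:
            flags.append("admin_on_restricted_app")  # rule 2: surface for the reviewer to revoke
        items.append({"user": user, "app": app, "entitlement": ent,
                      "reviewer": reviewer, "flags": flags})
    return items


def build_campaign(query: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Query-based certification: the population is whoever matches the query at run time."""
    return review_items(select_users(query))


def on_attribute_change(user: str, attribute: str, new_value: Any) -> List[Dict[str, Any]]:
    """Trigger-based certification: a change to a watched attribute re-certifies that user."""
    USERS[user][attribute] = new_value
    if attribute not in TRIGGER_ATTRIBUTES:
        return []
    return review_items([user])


def anomalies(items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Items an IDM system would notify on rather than silently queue for review."""
    return [item for item in items if item["flags"]]


if __name__ == "__main__":
    for item in build_campaign({"manager": "john", "department": "billing"}):
        print(item)
    print("anomalies:", anomalies(build_campaign({"department": "billing"})))
```

Because the population is evaluated from the query each time the campaign runs, a recurring schedule automatically picks up new subordinates and drops people who have moved, and the flagged items are the natural feed for the automated notifications mentioned above.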
Application Entitlement Discovery: IDM Standard
Applications can house many entitlements; a complex application may offer more than 10,000. Managing entitlements, and helping users find the correct one, is therefore a challenge.
Many IDM Systems provide:
- Ease of use in discovering entitlements via groups, or roles
- Discovering entitlements from within the application itself
Search Engine: IDHub
IDHub's centralized Search Engine helps users find the applications, entitlements, or roles they need in a timely manner.
- Tag-Based Search - tags can be attached to applications, entitlements, and roles, allowing for a swift search process during requests.
- User-Based Search - searching for users and requesting on their behalf becomes a breeze with our Search Engine capabilities.
- Save and Share - allows users to save and/or share applications, entitlements, and roles with themselves and/or other users within the organization, making for a quick and efficient requesting process.
Role Discovery and Engineering: IDM Standard
The concept of a "Role" is fairly easy to grasp in layman's terms.
A Role is a predefined mapping of applications and the entitlements within them. It helps manage a large quantity of entitlements and applications, as well as a large quantity of access requests.
Many IDM Systems provide:
- Role creation
- Adding entitlements and applications to Roles
- Role modelling & simulations - to assess the effect of a Role on overall access
Role Discovery and Engineering: IDHub
IDHub provides a Role creation feature as well. In IDHub you can:
- Create a single Role using the Role wizard
- Create Roles in bulk using the Bulk Upload feature (from xls or csv files)
Role creation has 3 major elements:
- Birthright provisioning - Roles are added to users as soon as they enter IDHub
- Condition-based Roles - a custom query determines which Roles are assigned to users who satisfy the condition
- Application & Entitlement mapping - easy mapping of a Role to existing applications and entitlements
Role Management: IDM Standard
Managing Roles can be challenging, and a well-designed IDM System should be capable of:
- Adding or removing users from Role access
- Adding and removing Roles from applications and entitlements
- Role modification
Role Management: IDHub
IDHub allows for easy Role management by means of:
- Automatic Role on-boarding to users based on specific conditions
- Automatic Role removal from existing users based on account changes
- Automatic Role mapping when changes are made within applications and connected entitlements
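As an added example of the Role mechanics described in the Role Discovery and Role Management sections (birthright provisioning, condition-based Roles, and automatic removal when a user's attributes change), here is a small Python role engine written for this page; it is not IDHub's implementation. The role catalogue, the condition format (every listed attribute must equal the required value) and the sample user are assumptions.

```python
"""Condition-based Roles: birthright assignment, attribute-driven membership,
and automatic removal when a user's attributes change.

Added example, not IDHub's own code. The role definitions, the condition format
(attribute -> required value, all of which must match) and the sample users are
assumptions constructed for this illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

Grant = Tuple[str, str]          # (application, entitlement)
User = Dict[str, str]            # identity attributes

ROLES: Dict[str, Dict] = {
    # Birthright role: every identity receives it on entry, no condition needed.
    "employee-base":   {"birthright": True,  "condition": {},
                        "grants": {("email", "user"), ("intranet", "reader")}},
    "billing-analyst": {"birthright": False, "condition": {"department": "billing"},
                        "grants": {("erp", "ar_view"), ("erp", "reports"), ("payroll", "viewer")}},
    "sales-rep":       {"birthright": False, "condition": {"department": "sales"},
                        "grants": {("crm", "editor"), ("erp", "reports")}},
    "london-office":   {"birthright": False, "condition": {"location": "LON"},
                        "grants": {("badge-system", "lon-entry")}},
}


def matching_roles(user: User) -> Set[str]:
    """Birthright roles plus every role whose condition the user's attributes satisfy."""
    roles = set()
    for name, role in ROLES.items():
        if role["birthright"] or all(user.get(k) == v for k, v in role["condition"].items()):
            roles.add(name)
    return roles


def effective_grants(roles: Set[str]) -> Set[Grant]:
    """Union of the application/entitlement pairs mapped to the given roles."""
    grants: Set[Grant] = set()
    for name in roles:
        grants |= ROLES[name]["grants"]
    return grants


def reconcile_roles(before: Optional[User], after: Optional[User]) -> Dict[str, List]:
    """Role and entitlement delta for a joiner (before=None), a mover, or a leaver (after=None).

    A grant is only revoked when no remaining role still maps it, so a mover keeps
    access that both the old and the new role provide.
    """
    old_roles = matching_roles(before) if before is not None else set()
    new_roles = matching_roles(after) if after is not None else set()
    old_grants = effective_grants(old_roles)
    new_grants = effective_grants(new_roles)
    return {
        "roles_added":    sorted(new_roles - old_roles),
        "roles_removed":  sorted(old_roles - new_roles),
        "grants_added":   sorted(new_grants - old_grants),
        "grants_removed": sorted(old_grants - new_grants),
    }


if __name__ == "__main__":
    bob_before = {"department": "billing", "location": "LON"}   # constructed sample user
    bob_after = {"department": "sales", "location": "LON"}
    print(reconcile_roles(None, bob_before))        # joiner: birthright + condition roles
    print(reconcile_roles(bob_before, bob_after))   # mover: billing -> sales
    print(reconcile_roles(bob_after, None))         # leaver: everything revoked
```

The delta is computed on effective grants rather than on roles alone, which is the difference between removing a Role and removing access: when a mover's old and new Roles both map the same entitlement, nothing is revoked and nothing is re-provisioned for it.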
Logging, Analytics and Reporting: IDM Standard
IDM Systems should allow for efficient logging, analytics, and reporting, with the ability to:
- Log all user activity within an application
- Perform analytics on existing data in system
- Provide actionable information on analytics performed
Logging, Analytics and Reporting: IDHub
IDHub records and stores all data in a repository. Organizations can perform actions such as:
- Scheduled backups and restoration of data and configurations
- Easy transfer of data from one environment to another (for on-premise deployments)
- Custom reports in IDHub via JS scripts
- Customized dashboards for end users and administrators
Future releases of IDHub will feature:
- Single Pane of Glass: use IDHub with multiple IDM Systems at the same time
  - IDHub is capable of layering on top of existing IDM Systems
  - IDHub can be used while migrating from one IDM System to the next
- Custom IDM System Triggers within Workflows:
  - IDHub is smart, and can create a custom set of rules with triggers
- Security Hub:
  - Easier compliance adherence: HIPAA, NERC CIP, SOX, etc.