Identity Managment



People have the highest value in each system. Identity management of individuals identified in the system and controls access to resources. Managing user rights optimize the use of the most important assets.







Common requirements for centralized identity management and centralized management of user rights:

  • Management of central database of certified licenses that are authentic, can be checked, auditable
  • Confirmation of compliance with regulations
  • Defined operating procedures for access requests and approvals
  • Support for performance management functions
  • Automated creation of user accounts and granting of rights
  • Automated user rights termination at the end of the employment relationship
  • Establishing a management interface for easy administration
  • Establishment of clearly defined and transparent process
  • Establishment of a unified identification system for all corporate applications
  • Establishment of a system that fully meets the requirements mentioned above includes a few technical requirements and challenges for the management.

Some of these requirements are specific in light of the users needs, while the others are general.

Generally, use the best methods and procedures known in the market provides users with a fast return on investment.

Implementation of the solution can be divided into two phases.

The first phase

In the first phase it is necessary to create a so-called Identity Vault. The Identity Vault must contain stored information about all users, permanent and temporary employees and the associates. In addition to the Identity Vault keeps the information and access rights for all IT systems. Identity Vault, created by the principle of access rights verifies users and user rights from the perspective of IT systems. Records kept by Identity Vault can be changed with respect to pre-set procedures, ie. workflows.Through the workflows the user information and access rights could be entered, modifyed or deleted. Workflow helps the processes, but does not automate them completely.

There are pre-set solution for implementing the first phase of the project ('of-the-shelf') with a predetermined process of allocation of user rights. Using this method, the implementation can be done in a short time with little risk.

If there is no clearly defined and documented management procedurer, it needs to be produced at the beginning of the project.

The second phase

The second phase relates to issues of integration and distribution of certified coupled systems. Integration with third-party applications is possible using existing software elements (connectors). For applications made 'in house' the creation of new connectors is needed. When producing the connectors for these applications it is desirable to use standard interfaces, if possible. Non-standard methods may require the engagement of development teams, and may have implications for the rights of use the intellectual property. It is very important to implement a module for the routine comparison and adjustment to the current access rights of data from the Identity vault. This process is required for regulatory compliance and to prevent conflicts of interest.

The second phase typically involves the development of custom components. During the development phase of the components are connected into a production environment is therefore necessary to develop precise and carefully testing new components. Customized components must be thoroughly documented as this will change in an integrated system, reflected in the custom modules.

Steps in the project

Precise determination of the scope of the project is the foundation of the project's success. The proposed project consists of the following steps:

  • Detection and documentation of existing control procedures
  • Collecting information on the structure of user licenses in the applications and hierarchical structures
  • Making the Identity Vault
  • Creating the administrator user interface
  • Development of management systems and operating procedures (granting of rights, deprivation of rights, a change of law)
  • Creating unique scripts for access (ESSO Enterprise Single Sign-On)
  • Establishment of infrastructure for auditing and reporting (with a connection to an existing Novell Sentinel)
  • automatic synchronization with third-party systems (Microsoft, IBM, Cisco, SAP, EMC Documentum ,...)
  • Automatic synchronization with specific applications (in house app.)
  • Automatic synchronization with OpenLDAP systems

These tasks are precisely defined and can be successfully implemented. Upon execution of these tasks, the user will achieve:

  • Tightly controlled and automated system for managing user rights
  • Transparent and flexible working procedures
  • Critical systems will have automated the administration of access rights
  • Reduces administrator workload of staff
  • Users will feel a significant difference in accessing the system using a unique password (Windows login), or using smart cards

The system will be built on the basis of these specifications will enable the foundation for further development:

  • Integration subsequently added subsystem
  • Integration of additional group identity (Federated Identity)
  • Making SIEM systems (Security Information and Event Management System)