Identity Management is an integrated mixture of business processes, policies and technologies that enable organizations to manage the life-cycle of identities in their organization. Identities could be employees, contractors, partners, vendors, customers or recipients of a service.
The life-cycle of identities is divided into three high-level processes: provisioning, change propagation and de-provisioning.
Provisioning refers to the creation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.
Change propagation is the process of propagating changes to identity data. Change propagation could be as simple as synchronizing a telephone number change from a user object in one system to another, or it could be changing a user's access control across a multitude of systems due to a change of the user's role within the Human Resource system.
De-provisioning refers to the removal of the user objects created in the provisioning process. De-provisioning could be initiated from an employee leaving the company or a recipient of an online service de-registering from a web site.
Identity Management facilitates the control of users' access to critical applications and resources, while protecting confidential personal and business information from unauthorized users.
The Identity Management products CosmosKey deploys can all perform the following tasks:
- Account provisioning and de-provisioning
- Directory synchronization/Change propagation
- Identity integration and management
- Password synchronization
How Account Provisioning/De-provisioning Works
Provisioning and de-provisioning refer to automatically creating and removing user accounts. For example, when a new employee is hired, information on the person is entered into the personnel department's database. With an Identity Management solution, this information can be used to automatically create accounts in other connected databases for the person. Similarly, if the personnel department marks an employee as terminated, his logon account, e-mail account and other accounts on databases throughout the organization can be automatically disabled or deleted.
Directory Synchronization
Directory synchronization involves ensuring that particular information about an individual (for example, his e-mail address or his social security number) is the same across the different databases in which that piece of information is entered. This is accomplished by ensuring that the information in the meta-directory is accurate and flowing that information to the other directories.
Identity Integration and Management
A key aspect of managing identity information that resides in many disparate databases involves determining which source is authoritative. That is, if there is conflicting information in two or more of the databases, which one is presumed to be accurate?
Different databases might be best designated as authoritative for different pieces of information. Thus identity information is divided into separate attributes; for example, two of the attributes associated with a user might include the user's e-mail address and job title. The LDAP database used by the personnel department might be considered authoritative as to job title, since that department is likely to have the most up-to-date information as employees are promoted or make lateral moves within the company. On the other hand, the e-mail address information in the personnel database might well be out of date, since it was probably entered when the employee first joined the organization. The company's mail server would be the most logical authoritative source for that piece of information.
Identity Management solutions allow selected attributes to be extracted from the connected databases, with conflicts resolved according to which source is considered authoritative for that attribute; those attributes are then consolidated in the meta-directory. The Identity Management solution can then recognize when changes are made to one of its connected databases and (based on rules you define) propagate the change to other databases. These rules determine whether, when and how the changes will be propagated throughout the organization's databases.
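The attribute-level authority, consolidation and rule-driven propagation described here, together with the provisioning and de-provisioning flow from the earlier section, as an added example (not CosmosKey's or any product's code); the system names "hr", "mailserver" and "ad", the attribute names and all records are constructed for illustration:

```python
from copy import deepcopy

# Per-attribute authoritative source, as the page describes: HR owns job title and status,
# the mail server owns e-mail. System, attribute and record values are constructed here.
AUTHORITY = {"title": "hr", "status": "hr", "mail": "mailserver"}
# Propagation rules: the connected systems that receive a changed attribute.
RULES = {"title": ["ad", "mailserver"], "mail": ["hr", "ad"]}

def consolidate(systems, authority=AUTHORITY):
    """Build the meta-directory: one object per user, each attribute taken from its
    authoritative system, falling back to any other system that holds it."""
    meta = {}
    for name, records in systems.items():
        for uid, attrs in records.items():
            obj = meta.setdefault(uid, {})
            for attr, value in attrs.items():
                if authority.get(attr) == name or attr not in obj:
                    obj[attr] = value
    return meta

def propagate(old_meta, new_meta, systems, rules=RULES, authority=AUTHORITY):
    """Diff two meta-directory snapshots into connector actions: create
    (provisioning), update (change propagation), disable (de-provisioning)."""
    actions = []
    for uid, obj in new_meta.items():
        before = old_meta.get(uid)
        if before is None:  # first sighting of this identity: provision it everywhere
            actions += [("create", s, uid, dict(obj)) for s in systems if uid not in systems[s]]
        elif obj.get("status") == "terminated" and before.get("status") != "terminated":
            # leaver flagged by the status authority: disable every other account
            actions += [("disable", s, uid) for s in systems
                        if uid in systems[s] and s != authority["status"]]
        else:
            for attr, value in obj.items():
                if before.get(attr) != value:
                    actions += [("update", s, uid, attr, value) for s in rules.get(attr, [])]
    return actions

# Constructed snapshots: HR holds a stale e-mail address (the mail server's wins);
# later HR records a promotion and a new hire, then marks the first user terminated.
SYSTEMS_T0 = {
    "hr": {"u1001": {"title": "Analyst", "mail": "j.doe@old.example.com", "status": "active"}},
    "mailserver": {"u1001": {"mail": "jane.doe@example.com"}},
    "ad": {"u1001": {"title": "Analyst"}},
}
SYSTEMS_T1 = deepcopy(SYSTEMS_T0)
SYSTEMS_T1["hr"]["u1001"]["title"] = "Senior Analyst"
SYSTEMS_T1["hr"]["u1002"] = {"title": "Engineer", "mail": "s.roe@example.com", "status": "active"}
SYSTEMS_T2 = deepcopy(SYSTEMS_T1)
SYSTEMS_T2["hr"]["u1001"]["status"] = "terminated"
```

Calling `propagate(consolidate(SYSTEMS_T0), consolidate(SYSTEMS_T1), SYSTEMS_T1)` yields the title updates for the promotion and the create actions for the new hire, while the T1 to T2 step yields only disable actions for the leaver's accounts outside HR.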
Password synchronization
Password Synchronization is a major benefit of an Identity Management solution. The Identity Management solution is notified of any password change on a user object in a connected system. The password is then synchronized to the corresponding user object in all the other connected systems.