The OpenIAM Identity Manager provides a flexible provisioning and de-provisioning solution that enables the following functionality:
- Provisioning and de-provisioning of accounts based on rules or job roles
- Maintaining detailed audit information
- Incrementally provisioning account entitlements after an account has been created
- Updating the account with new policies based on changes in the business, job codes, and other requirements
The provisioning module consists of the following components:
- Process engine with a graphical designer
- Provisioning services
- Audit Logging
OpenIAM is continually expanding its list of supported connectors. Currently the following connectors are available:
- Active Directory
- Google Apps
- Databases (Oracle, MySQL, SQL Server)
- Script Connector
- Application Tables
- PowerShell Connectors
Request - Approval
While provisioning processes may be triggered through a variety of applications, such as an HR system, the OpenIAM Identity Manager provides a number of customizable forms in the self-service application to address common tasks. These include:
- New Hire
- Requests for Access
- Changes in Department, Supervisor, etc.
These forms are usually used within an approval process. Upon approval, the identities and relevant entitlement information will be provisioned into the target system.
While OpenIAM allows you to quickly configure common approval workflows, the process engine also lets you define processes that are unique to your organization. These processes are designed using the graphical process designer, which runs as a plug-in to the Eclipse IDE. Unlike some solutions, which provide a proprietary, home-grown "identity workflow" designer, OpenIAM supports a full-featured workflow engine. This gives OpenIAM greater flexibility in the types of processes that can be created and the systems it can be integrated with. To simplify the integration effort, OpenIAM includes several processes that can be used as templates for rapid customization. These processes include:
- New Hire
- Self Registration
- Request access with single approval workflow
- Request access with multi-step approval
- Approval with escalation
- Correction workflows for attestation
The synchronization functionality allows you to synchronize data from one or more authoritative sources to a set of managed systems. OpenIAM supports synchronization based on:
- Events: Event-based synchronization allows real-time synchronization, since the source system places a message on the Identity Manager Bus to trigger synchronization.
- Scheduled Intervals: The time interval at which synchronization should occur can be configured. The interval may be as short as 1 minute, enabling near-real-time synchronization, or longer.
When a new employee is added to the HR system, synchronization is triggered, detects the new record, and begins processing it. During processing, it can be configured to look at a number of factors, such as job code, to determine which applications the employee should have access to.
Where synchronization is used to detect changes in the source system, reconciliation is used to detect changes in the managed systems. For example, if Active Directory is one of the managed systems, then changes made directly on Active Directory can be detected and then synchronized back into OpenIAM and the systems that it manages, based on the rules that are in place.
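The reconciliation idea described above, sketched as an added example (not OpenIAM code or its API): identities from the authoritative source are compared with a snapshot of a managed system, and job-code rules decide which entitlements are expected. The rule table, field names, finding names and sample records are all constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical rule table (constructed): job code -> groups expected in the managed system.
JOB_CODE_RULES = {"ENG1": {"vpn-users", "git-dev"}, "FIN2": {"vpn-users", "erp-finance"}}

@dataclass(frozen=True)
class Finding:
    kind: str
    login: str
    detail: str = ""

def reconcile(identities, accounts):
    """Compare authoritative identities with a managed-system snapshot and list the drift."""
    by_login = {i["login"].lower(): i for i in identities}  # match logins case-insensitively
    findings, seen = [], set()
    for acct in accounts:
        login = acct["login"].lower()
        seen.add(login)
        ident = by_login.get(login)
        if ident is None:
            # Account exists on the managed system with no matching identity.
            findings.append(Finding("ORPHAN_ACCOUNT", login))
        elif ident["status"] != "ACTIVE":
            # De-provisioning gap: the person has left but the account still works.
            if acct["enabled"]:
                findings.append(Finding("ACTIVE_AFTER_TERMINATION", login))
        else:
            want = JOB_CODE_RULES.get(ident["job_code"], set())
            have = set(acct["groups"])
            findings += [Finding("EXTRA_ENTITLEMENT", login, g) for g in sorted(have - want)]
            findings += [Finding("MISSING_ENTITLEMENT", login, g) for g in sorted(want - have)]
    for login, ident in by_login.items():
        if login not in seen and ident["status"] == "ACTIVE":
            findings.append(Finding("MISSING_ACCOUNT", login))
    return findings

# Constructed sample data: HR-derived identities and a directory snapshot.
IDENTITIES = [
    {"login": "alice", "job_code": "ENG1", "status": "ACTIVE"},
    {"login": "bob", "job_code": "FIN2", "status": "TERMINATED"},
    {"login": "carol", "job_code": "FIN2", "status": "ACTIVE"},
]
ACCOUNTS = [
    {"login": "Alice", "enabled": True, "groups": ["vpn-users", "git-dev", "domain-admins"]},
    {"login": "bob", "enabled": True, "groups": ["vpn-users"]},
    {"login": "svc-backup", "enabled": True, "groups": []},
]

if __name__ == "__main__":
    for f in reconcile(IDENTITIES, ACCOUNTS):
        print(f.kind, f.login, f.detail)
```

Each finding maps to a rule-driven action: remove the group that was granted outside the workflow, disable the account that outlived its owner, or route the orphan account for review.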