The OpenIAM Identity Governance platform provides a flexible user lifecycle management solution with the following functionality:
- Integration with one or more source systems to automatically initiate provisioning/de-provisioning activities related to joiner, mover and leaver processes.
- Customizable, workflow-driven self-service UI to create and manage users
- REST API for user management
- Orphan Management
All life cycle events such as user creation, terminations, or position changes (a person changes their job), can be used in conjunction with Role Based Access Control (RBAC) and approval workflows to improve security, lower operational costs, and improve end user efficiency. Integration with both the authoritative source and target systems for provisioning is performed through the connectors.
The synchronization functionality allows you to:
- Integrate with the authoritative source, like your Human Resources (HR) system, to enable provisioning/de-provisioning
- Import existing data from a system and migrate it into the OpenIAM repository. These types of operations are often necessary when a system is first being deployed and we need to create a consolidated view of the user’s profile.
Regardless of the approach, once the data has been received, the provisioning services will evaluate the information based on the rules and determine:
- Which systems a person should be provisioned to/de-provisioned from
- Which permissions should be set or revoked for the applications that a person is entitled to
- Whether or not provisioning should be automatic or if a workflow should be triggered for additional processing
Based on the outcome of this process, the connectors will carry out the last steps and automatically provision/de-provision the user and their entitlements. Each step of this process is captured in the audit logs. Organizations deploying OpenIAM also have options in how the integration with the source system should work. These include:
- Polling the source – In this case OpenIAM will query your source system, database, file system, directory (anything for which a connector exists) at regular intervals to get the list of users and their entitlements. Once this data has been obtained, the downstream provisioning process will start.
- Events – In an event-based model, the source system sends a message or file to OpenIAM via the provisioning API to trigger provisioning/de-provisioning activities in near real time.
Whereas synchronization is used to detect changes in the source system, reconciliation is used to detect changes in the target system and compare them with the data in OpenIAM. The objective is to ensure that both systems are in sync and, if changes were made in the target system outside of OpenIAM, to detect those as well. The reconciliation functionality also allows you to configure what should be done when anomalies are uncovered. As an example, assume that your IAM instance is connected to Active Directory (AD) and reconciliation detects that a user was created directly in AD. To address this condition, reconciliation can be configured to either:
- Add the user to OpenIAM
- Remove the user from Active Directory
- Do nothing
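The two decision points described above, rule evaluation when a lifecycle event arrives and reconciliation of a target system against the IAM repository, are modelled in the following added Python example. It is not OpenIAM's code and uses no OpenIAM API: the rule table, the user and account data, the ACTIVE/TERMINATED status values and the three reconciliation actions are all constructed for this illustration, and a plain dictionary stands in for the Active Directory snapshot a connector would return. Each finding is recorded as an audit entry, mirroring the audit trail the text describes.

```python
"""Constructed example of rule-driven provisioning decisions followed by a
reconciliation pass. Nothing here is OpenIAM's own code or API; all data,
rules and status values are made up for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Configured response to an account found in the target but unknown to IAM."""
    ADD_TO_IAM = "add_to_iam"                   # adopt the account into the repository
    REMOVE_FROM_TARGET = "remove_from_target"   # delete the unmanaged account
    DO_NOTHING = "do_nothing"                   # report only


@dataclass
class User:
    user_id: str
    department: str
    status: str = "ACTIVE"                      # hypothetical values: ACTIVE / TERMINATED
    accounts: set = field(default_factory=set)  # target systems IAM believes are provisioned


# Hypothetical rule set: target systems an active user should hold, by department.
RULES = {
    "*": {"ad"},                 # every active user gets an AD account
    "finance": {"ad", "erp"},
    "engineering": {"ad", "git"},
}


def desired_systems(user: User) -> set:
    """Evaluate the rules: terminated users get nothing, everyone else gets
    the union of the global rule and their department rule."""
    if user.status == "TERMINATED":
        return set()
    return RULES["*"] | RULES.get(user.department, set())


def provisioning_plan(user: User):
    """Return (to_provision, to_deprovision) for a joiner/mover/leaver event."""
    wanted = desired_systems(user)
    return wanted - user.accounts, user.accounts - wanted


def reconcile(target: str, target_accounts: dict, iam_users: dict, on_unmanaged: Action):
    """Compare a target system's account list with the IAM repository.

    target_accounts: {account_name: owner_user_id or None}, as read from the target.
    iam_users: {user_id: User}, as held by the IAM repository (mutated on ADD_TO_IAM).
    Returns audit records; the target dict is mutated on REMOVE_FROM_TARGET.
    """
    audit, removals = [], []
    linked = {uid for uid, u in iam_users.items() if target in u.accounts}
    for account, owner in target_accounts.items():
        if owner in linked:
            continue  # consistent on both sides
        if owner in iam_users:
            finding = "account created outside IAM for known user"
        else:
            finding = "orphaned account with no matching IAM user"
        action = on_unmanaged
        if action is Action.ADD_TO_IAM and owner in iam_users:
            iam_users[owner].accounts.add(target)     # link the account to its user
        elif action is Action.ADD_TO_IAM:
            action = Action.DO_NOTHING                # no user to link; left for orphan management
        elif action is Action.REMOVE_FROM_TARGET:
            removals.append(account)                  # defer deletion until after iteration
        audit.append({"account": account, "finding": finding, "action": action.value})
    for account in removals:
        del target_accounts[account]
    # Accounts IAM believes exist but the target no longer has: reported only (assumption).
    for uid in linked - set(target_accounts.values()):
        audit.append({"account": uid, "finding": "account missing in target",
                      "action": Action.DO_NOTHING.value})
    return audit


def sample_repository() -> dict:
    """Constructed IAM repository state; fresh copy on every call."""
    return {
        "alice": User("alice", "finance", accounts={"ad", "erp"}),
        "bob": User("bob", "engineering", accounts={"ad"}),
        "carol": User("carol", "finance", status="TERMINATED", accounts={"ad"}),
        "dave": User("dave", "engineering"),          # IAM has not provisioned dave anywhere
    }


def sample_ad_snapshot() -> dict:
    """Constructed AD snapshot: account name -> owner user id (None if unknown)."""
    return {"alice": "alice", "bob": "bob", "carol": "carol",
            "dave": "dave", "svc-backup": None}


if __name__ == "__main__":
    iam = sample_repository()
    for u in iam.values():
        print(u.user_id, "provision:", *provisioning_plan(u))
    for rec in reconcile("ad", sample_ad_snapshot(), iam, Action.ADD_TO_IAM):
        print(rec)
```

Running the block shows bob gaining `git`, carol losing `ad` as a leaver, dave's AD account being adopted into the repository, and `svc-backup` flagged as an orphan that the ADD_TO_IAM policy cannot link, so it falls through to reporting only.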
Organizations which are not actively using an IAM platform often have orphaned user records in their business applications which are the result of users being given access and not having that access revoked when a person leaves the position or company. The orphan management functionality consolidates all the orphaned records and provides administrators with tools to either clean up these records or link them to the correct user.
OpenIAM provides user administration tools so that Helpdesk users and Admins can centrally manage all users. These features include:
- Unlock accounts and reset passwords
- Change the user status
- Session management – visibility of active users and the ability to terminate their sessions
- Workflow – monitor all workflows and terminate them if necessary
- Review audit logs
- Manage user profile attributes
- Manage user access rights
Access to these administrative functions is governed by the person's own access privileges.