IDM software provides centralized, simple, secure management and synchronization of identities for users, devices, and things.
ForgeRock Identity Governance
Is a centralized solution that allows you to:
- Perform a periodic view of access by users, managers or application or data owners.
- Set policies on access, risk, and Segregation of Duties(SoD) violations so that reviewers can make informed decisions about whether access is valid or not.
- Integrates into workflows within IDM so you can take immediate remediation actions.
Audit and report on this data so that you can address audit requirements
Components of identity governance
Consists of three components:
- Employees require additional access to resources to perform their job
- Employee applies membership to other company facilities.
- Managers request additional roles to be applied to some or all their direct reports.
- Managers need to periodically sign off access for their direct reports:
- All roles
- Sensitive or high-risk roles
- Provisioning roles in IDM that lead to role/group membership on remote systems
- Roles, access, and entitlements on remote systems
- Role owners need to periodically sign of:
- All roles they are responsible for
- Assignments that are given through the roles they maintain
- Process owners need sign off:
- New toxic role combinations of user
- The prolongation of accepted exceptions
- Run any queries against the repository to create reports and statistics for:
- Certification campaigns
- Certification status
- Access request
- chedule reports
- Automatically send reports to the relevant recipients.
- IDM provides a simple, customizable web interface and REST API that lets users register, view, and change their personal information
- Password resets and changes to user profile information can be synchronized across all target user account for consistent data in all relevant systems.
- The self-service feature uses multi-factor authentication to allow your employees to reset their passwords automatically.
- Self-registration lets user create their own accounts on your system with customizable criteria.
- Multiple user self-registration flows are supported if you need to set up different portals for customers and partners.
- IDM leverages standards-based integration with the social networks to register users seamlessly based on the OAuth 2.0 and OpenID Connect 1.0 standards
Synchronization across resources happens when managed resources change or when IDM discovers a change in the system. Within IDM there are two resources types:
1)Managed resources that are stored in the IDM repository.
2)External resources which can be any system that holds identity data
IDM connects to external sources through connectors like MySQL, REST API, CREST(The CREST API is intended for programmatic management of customer and subscription life cycle) API, etc
How IDM synchronizes data
IDM supports various synchronization mechanisms that ensure data consistency
- Set up a connection between the source and target resource.
Connector configurations reference a specific connector type and indicate the connection details of the external resource. Connector configurations are defined in conf/provisioner-*.json files. One provisioner file must be defined for each external resource to which you are connecting.
- Map source objects to target objects.
Mappings are defined in your project’s conf/sync.json file or in individual mapping files. Mappings are synchronized in the order in which they are specified in the sync.json file. If there are multiple mapping files, the sync after property dictates the order in which they are processed.
- Configure any scripts that are required to check the source and target objects, and to manipulate attributes
Enables to choose to map business role and system access required to fulfill the job responsibilities
1)Authorisation roles: Control access to IDM Specify authorization rights of managed objects within IDM
2)Provisioning roles: Define rules for how values are updated on an external system.These rules are configured through assignments that are attached to a provisioning
This tool makes it easier for you to visualize who has access to what, and the relationship between users and devices that they have access to.
If you do not have this information clear in mind, it is easy to assign inaccurate policies and create security gaps.
These tasks can be configured as IDM self-service workflows:
- New user Onboarding
- Account certification
Workflow driven provisioning activities can include:
- Requests for entitlement, roles, or processes
- Running approvals with escalations
- Performing maintenance tasks
Flowable process engine
IDM supports workflow-driven provisioning activities based on the embedded Flowable process engine:
- Compiles with the Business Process Model and Notation 2.0(BPMN 2.0) standard
- Default workflows provided with IDM use the Vue JS framework for display in the end-user.
For custom workflows:
- Use the standard Flowable from properties
- Create a custom form template for more complex functionality.
How to invoke workflows
Any trigger point within IDM can be used to invoke workflows and business processes including:
- Situations discovered during reconciliation
- Directly from the end-user UI
- REST API
- A script
This article covers basic features of Forgerock IDM, In case you want to explore more (Looking for implementation partner/Learning/work ) please feel free to reach out.