Consolidated and Delegated User Administration
Consolidated User Administration
ID-Synch® includes a consolidated user administration console, allowing global security administrators to look up the enterprise-wide access profile of any existing user and make cross-system updates, such as:
- Create new and delete existing accounts for a user.
- Check enabled/disabled status of existing accounts.
- Set enabled/disabled status of existing accounts.
- Change the login ID of an existing account (rename user).
- Read and set attributes of existing user accounts.
- Modify the membership of existing accounts in security groups -- for example, attach to / detach from group.
- Change the context of a user in a structured directory -- for example, move in LDAP or NDS.
The ID-Synch user interface is purely web-based. It draws "current state" information about each user from the built-in identity cache, which in turn may either contain data from the previous night's auto-discovery process or may be configured to pull this information from an existing, external directory (typically LDAP or a database) in real time.
All change requests are entered into this interface via HTML forms. Use of standards-compliant HTML means that the UI is accessible by users without client software, using any web browser (including PDAs, cell phone browsers, browsers for visually impaired users, etc.).
ID-Synch administrators may get limited access to the security administration console. First, their ID-Synch application profiles contain access control lists, which determine the operations they are allowed to run. Using this facility, it is easy to define different types of administrators, with different job functions, such as routine user management, urgent terminations and reporting.
Next, ID-Synch uses a plug-in architecture to allow organizations to define business rules that map users and their accounts to specific administrators. These plug-ins limit the user profiles, specific accounts, templates, and account groups that any given security administrator can bring up in the ID-Synch console.
These plug-ins make it possible to create delegated user administration structures, where decisions about who is, in fact, a delegated security administrator, what users that administrator can manage, and which of their accounts can be updated, are made dynamically. These access-control decisions are normally made by applying business logic (for example, does this person belong to the security administrators group? is the user in question in the same department as the administrator?) with an existing data source such as LDAP, AD or an HR system.
The advantage of making delegation decisions in this way is that only the basic decision-making logic need be specified. Detailed information supporting delegation decisions does not have to be managed explicitly in ID-Synch, but is instead drawn from an existing data source.
Delegated User Administration
Local managers and IT resources can be assigned limited administrative privileges and will subsequently be able to directly manage some users, on some systems, with some types of updates. Delegated administration is implemented by allowing local administrators to sign into the global, consolidated user administration web interface, but limiting their access to user objects, target systems and operations using both ACLs and plug-in programs that act as data filters.
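The two-layer access model described above (an ACL of permitted operations in the administrator's profile, plus a plug-in that filters which users, accounts and target systems the administrator can even see) can be modelled in a few lines. The following is an added example, not ID-Synch product code: the operation names, the "security-admins" group, the "same department" rule, the set of delegable systems and the directory snapshot are all constructed for illustration, standing in for what a real deployment would read from LDAP, AD or an HR system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # target system the account lives on, e.g. "ldap" or "windows"
    login_id: str
    enabled: bool = True


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    department: str      # attribute drawn from the external directory / HR source
    groups: frozenset    # group memberships drawn from the directory
    accounts: tuple      # accounts discovered on target systems


# Layer 1: ACL stored in each administrator's application profile.
# Operation names are hypothetical; they stand for the operations the page lists.
ACLS = {
    "alice": frozenset({"read_attributes", "set_enabled", "modify_groups"}),  # routine user management
    "bob": frozenset({"set_enabled"}),                                        # urgent terminations only
    "carol": frozenset({"read_attributes"}),                                  # reporting only
}

# Constructed rule: accounts on other systems stay with central administration
# and are never shown to a delegated administrator.
DELEGABLE_SYSTEMS = frozenset({"ldap", "windows"})


def delegation_plugin(admin: UserProfile, target: UserProfile, account: Account) -> bool:
    """Layer 2 business rule (constructed): the administrator must belong to the
    security-admins group, share the target user's department, and the account
    must be on a system that delegation covers at all."""
    return (
        "security-admins" in admin.groups
        and admin.department == target.department
        and account.system in DELEGABLE_SYSTEMS
    )


def visible_accounts(admin: UserProfile, target: UserProfile, plugin=delegation_plugin) -> list:
    """Accounts of `target` that the console would display to `admin`."""
    return [a for a in target.accounts if plugin(admin, target, a)]


def authorize(directory: dict, admin_id: str, operation: str, target_id: str, system: str,
              plugin=delegation_plugin) -> tuple:
    """Combine both layers, denying by default; returns (allowed, reason) so the
    reason can be written to an audit trail."""
    admin = directory.get(admin_id)
    target = directory.get(target_id)
    if admin is None or target is None:
        return False, "unknown administrator or user"
    if operation not in ACLS.get(admin_id, frozenset()):
        return False, f"operation {operation!r} not in ACL for {admin_id}"
    account = next((a for a in target.accounts if a.system == system), None)
    if account is None:
        return False, f"{target_id} has no account on {system}"
    if not plugin(admin, target, account):
        return False, f"delegation plug-in denies {admin_id} on {target_id}@{system}"
    return True, "allowed"


# Constructed directory snapshot standing in for the identity cache or LDAP.
DIRECTORY = {
    "alice": UserProfile("alice", "finance", frozenset({"security-admins"}), ()),
    "bob": UserProfile("bob", "finance", frozenset({"security-admins"}), ()),
    "carol": UserProfile("carol", "hr", frozenset({"security-admins"}), ()),
    "dave": UserProfile("dave", "finance", frozenset(), (
        Account("ldap", "dave"),
        Account("windows", "FIN\\dave"),
        Account("hr_system", "d.smith"),
    )),
    "erin": UserProfile("erin", "hr", frozenset(), (Account("ldap", "erin"),)),
}


if __name__ == "__main__":
    for args in [("alice", "set_enabled", "dave", "ldap"),
                 ("alice", "set_enabled", "erin", "ldap"),
                 ("bob", "read_attributes", "dave", "ldap"),
                 ("alice", "set_enabled", "dave", "hr_system")]:
        print(args, authorize(DIRECTORY, *args))
```

The point of separating the two layers is the one the text makes: the ACL is static and lives in ID-Synch, while the plug-in needs no per-user delegation table because department and group membership are read from the directory at decision time. Because `authorize` denies on any missing profile, account or ACL entry, a gap in the directory data fails closed rather than open.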
Users and managers can also submit change requests to the ID-Synch workflow system, which are subsequently authorized by appropriate business users and applied to target systems.