Identity Manager enables automated, self-service and policy-driven management of users and entitlements with:
Identity Manager can monitor one or more systems of record (typically HR applications) and detect changes, such as new hires and terminations. It can make matching updates to other systems when it detects changes, such as creating login accounts for new employees and deactivating access for departed staff.
Identity Manager can combine identity information from different sources -- HR, corporate directory, e-mail system and more into a master profile that captures all of the key information about every user in an organization. It can then write updates back to integrated systems, to ensure that identity attributes are consistent. This feature is used to automatically propagate updates to data such as names, phone numbers and addresses from one system to another.
Users can sign into the Identity Manager web portal and make updates to their own profiles. This includes changes to their contact information and requests for new access to applications, shares, folders, etc.
Business stake-holders, such as managers, application owners and data owners can sign into the Identity Manager web portal and request changes to security entitlements. For example, a manager might ask for application access for an employee or schedule deactivation of a contractor's profile.
Business stake-holders may be periodically invited to review the users and security entitlements within their scope of authority. They must then either certify that each user or entitlement remains appropriate or flag it for removal. Access certification is an effective strategy for removing security entitlements that are no longer needed.
All change requests processed by Identity Manager, regardless of whether they originated with the auto-provisioning engine, the identity synchronization engine, with self-service profile updates or with the delegated administration module may be subject to an authorization process before being completed. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
Identity Manager can be used to enforce a variety of policies regarding the assignment of security entitlements to users, including:
Policies are often linked to identity attributes, which may be read from other systems (HR), user-entered or calculated (for example, risk scores).
Identity Manager includes a rich set of built-in reports, designed to answer a variety of questions, such as:
Identity Manager can be integrated with existing systems and applications using a rich set of over 120 included connectors. This allows it to automatically provision, update and deprovision access across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternately, the built-in "implementers" workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems.
Identity Manager includes an inventory tracking system, making it suitable for managing requests for physical assets as well as logical access. For example, types and inventories of building access badges, laptops, phones and other devices can be tracked, requested, authorized and delivered using Identity Manager.