Identity and access management (IAM) systems, sometimes also called
user provisioning, access governance or identity governance and
administration systems, externalize the management of users, identity
attributes and security entitlements out of individual systems and
applications into a shared infrastructure.
IAM systems make the creation, management and deactivation of login
IDs, home directories, mail folders and security entitlements faster,
less costly and more reliable. They do this by automating business
processes such as onboarding, change requests and deactivation for
each user community, and by linking these processes to the systems and
applications that hold account repositories.
IAM systems generally implement one or more of the following processes:
- Detect adds, changes and deletions in a system of record
(SoR, such as HR) and make matching changes (create accounts,
grant/revoke access, etc.) on integrated systems and applications.
- Self-service requests:
Enable users to update their own profiles (e.g., new home phone
number) and to request new entitlements (e.g., access to an
application or folder).
- Delegated administration:
Enable managers, application owners and other stake-holders to
request changes to identities and entitlements within their scope.
- Access certification:
Periodically invite managers and application or data owners to review
users and security entitlements within their scope of
authority, flagging inappropriate entries for removal.
- Identity synchronization:
Detect changes to attributes, such as phone numbers or department
codes on one system and automatically copy to others.
- Authorization workflow:
Validate all proposed changes, regardless of their origin, and
invite business stake-holders to approve them before they are
IAM systems generate value by applying the identity and entitlement
changes produced by the above processes to account repositories, using
connectors that can:
- List existing accounts and groups.
- Create new and delete existing accounts.
- Read and write identity attributes associated with a user object.
- Read and set flags, such as "account enabled/disabled,"
"account locked," and "intruder lockout."
- Change the login ID of an existing account.
- Read a user's group memberships.
- Read a list of a group's member users.
- Add an account to or remove an account from a group.
- Create, delete and set the attributes of a group.
- Move a user between directory organizational units (OUs).
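The first process above (detect adds, changes and deletions in a system of record and push matching changes to a target system) and the connector operations just listed, as an added Python example that is not part of the original page. The HR feed, the department-to-group rule, the target system's starting accounts and the `InMemoryConnector` class are all constructed here for illustration; a real deployment would back the same connector methods (list, create, delete, read/write attributes, read/set flags, group membership) with LDAP, Active Directory, a database or a SaaS API.

```python
"""Reconcile a system of record (HR) against one target account repository.

Added example, not code from the original page. Everything below
(HR_FEED, DEPT_GROUPS, the target's starting accounts, InMemoryConnector)
is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed system-of-record snapshot (an HR extract), keyed by employee id.
HR_FEED = {
    "e100": {"login": "asmith", "dept": "finance", "phone": "555-0100", "active": True},
    "e101": {"login": "bjones", "dept": "eng", "phone": "555-0101", "active": True},
    "e102": {"login": "cdoe", "dept": "eng", "phone": "555-0102", "active": False},
}
# Constructed rule: the HR department code decides the target-system group.
DEPT_GROUPS = {"finance": "grp-finance", "eng": "grp-eng"}
SYNCED_ATTRS = ("dept", "phone")  # identity attributes copied SoR -> target


@dataclass
class Account:
    login: str
    attrs: dict = field(default_factory=dict)
    enabled: bool = True
    groups: set = field(default_factory=set)


class InMemoryConnector:
    """Stand-in connector exposing the operations listed on the page."""

    def __init__(self, accounts=()):
        self._acc = {a.login: a for a in accounts}

    def list_accounts(self):
        return sorted(self._acc)

    def create(self, login, attrs):
        self._acc[login] = Account(login, dict(attrs))

    def delete(self, login):
        del self._acc[login]

    def read_attrs(self, login):
        return dict(self._acc[login].attrs)

    def write_attrs(self, login, attrs):
        self._acc[login].attrs.update(attrs)

    def is_enabled(self, login):          # read the "account enabled" flag
        return self._acc[login].enabled

    def set_enabled(self, login, enabled):
        self._acc[login].enabled = enabled

    def read_groups(self, login):
        return set(self._acc[login].groups)

    def add_to_group(self, login, group):
        self._acc[login].groups.add(group)

    def remove_from_group(self, login, group):
        self._acc[login].groups.discard(group)

    def group_members(self, group):
        return sorted(l for l, a in self._acc.items() if group in a.groups)


def build_sample_connector():
    """Constructed target-system state: a stale phone number, a terminated
    employee still enabled, and an account that has no HR record at all."""
    return InMemoryConnector([
        Account("asmith", {"dept": "finance", "phone": "555-0199"}, True, {"grp-finance"}),
        Account("cdoe", {"dept": "eng", "phone": "555-0102"}, True, {"grp-eng"}),
        Account("zorphan", {}, True, set()),
    ])


def reconcile(hr_feed, connector):
    """Detect adds, changes and deletions in the SoR and apply matching
    changes through the connector. Returns the actions taken, for logging."""
    actions = []
    wanted = {rec["login"]: rec for rec in hr_feed.values()}
    existing = set(connector.list_accounts())

    for login, rec in wanted.items():
        if not rec["active"]:
            # Deactivation: disable rather than delete so audit history survives.
            if login in existing and connector.is_enabled(login):
                connector.set_enabled(login, False)
                actions.append(("disable", login))
            continue
        if login not in existing:
            connector.create(login, {k: rec[k] for k in SYNCED_ATTRS})
            actions.append(("create", login))
        elif not connector.is_enabled(login):
            connector.set_enabled(login, True)  # rehire: re-enable, don't recreate
            actions.append(("enable", login))
        # Identity synchronization: copy only the attributes that differ.
        current = connector.read_attrs(login)
        delta = {k: rec[k] for k in SYNCED_ATTRS if current.get(k) != rec[k]}
        if delta:
            connector.write_attrs(login, delta)
            actions.append(("update", login, delta))
        # Entitlements: group membership follows the department rule.
        want_groups = {DEPT_GROUPS[rec["dept"]]}
        have_groups = connector.read_groups(login)
        for g in sorted(have_groups - want_groups):
            connector.remove_from_group(login, g)
            actions.append(("remove_group", login, g))
        for g in sorted(want_groups - have_groups):
            connector.add_to_group(login, g)
            actions.append(("add_group", login, g))

    # Accounts with no SoR record are orphans: flag them for access
    # certification rather than deleting (service accounts look like this).
    for login in sorted(existing - set(wanted)):
        actions.append(("flag_orphan", login))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_FEED, build_sample_connector()):
        print(action)
```

Two design choices are worth noting. Terminated employees are disabled, not deleted, so the account and its history remain available for forensics and so a rehire re-enables the same identity. Accounts that exist on the target but have no system-of-record entry are only flagged; removing them is left to the access certification process rather than automated, because such orphans are frequently service or shared accounts whose owner must be found first. Running `reconcile` a second time produces no provisioning actions, only the orphan flag, which is the idempotence a scheduled synchronization job depends on.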