Scope of automation

Identity Express: Workforce Edition automates best-practice processes for managing identities, security entitlements and credentials in a corporation or similar organization. It is suitable for any organization that fits the following profile:

  1. Its workforce largely consists of employees.
  2. Employees are tracked in one or more human resources (HR) systems.
  3. The workforce also includes other categories of people -- contractors, vendors, etc.
  4. These other types are usually not tracked in HR.
  5. Employees and some contractors are assigned corporate, centrally managed PCs, which are members of an Active Directory domain.
  6. Most users also have a home directory on a file server and an e-mail account / mail folder, typically on Office 365 or Exchange.
  7. Basic access rights (AD, Exchange, home directory) assigned to all users are uniform and predictable based on user type, location, etc.
  8. Additional access rights depend on the user's department, job code, location or projects and may be more difficult to predict.

Identities and security entitlements in these organizations can be managed using the following processes:

  1. Employee access is automatically granted and revoked based on changes detected in one or more systems of record (SoR), typically HR.
  2. Non-employee access is granted and revoked in response to requests entered on the IAM portal.
  3. Access can be deactivated urgently if needed (terminations).
  4. Users may be transferred across locations, departments and between managers, as a result of either requests or changes in an SoR.
  5. User types may change, for example between employee and contractor.
  6. User names may change (marital status, etc.).
  7. Users may take leaves of absence, for example due to maternity.
  8. The system accepts, authorizes and manages fulfillment of requests for access, for example to add login accounts or to add users to security groups.
  9. User access is reviewed and, where it was inappropriate, revoked both on a periodic basis and in response to events such as transfers.
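The first, fourth, fifth, sixth and seventh processes above all reduce to one operation: compare a snapshot of the system of record (HR) against the identity store and derive the changes to apply. The block below is an added illustration written for this page, not code from Identity Express or from Hitachi ID. Its record layout, status values ("active", "leave", "terminated") and the sample HR and directory data are all constructed assumptions. It also adds the one guard a practitioner wants on an automated leaver process: if a single run would disable more than a set fraction of accounts (the classic symptom of an empty or truncated HR extract), it refuses to act rather than terminate the workforce.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed record shapes; a real SoR feed and directory schema will differ.
@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    given_name: str
    surname: str
    department: str
    manager_id: str
    status: str  # assumed vocabulary: "active", "leave", "terminated"

@dataclass(frozen=True)
class Account:
    employee_id: str
    given_name: str
    surname: str
    department: str
    manager_id: str
    enabled: bool

Action = Tuple[str, str, str]  # (verb, employee_id, detail)

def reconcile(hr: Dict[str, HrRecord], directory: Dict[str, Account],
              max_disable_fraction: float = 0.5) -> List[Action]:
    """Derive joiner/mover/leaver actions from an HR snapshot and the
    current directory state. Raises instead of acting if the run would
    disable an implausible share of accounts (bad or empty HR feed)."""
    actions: List[Action] = []
    for emp_id, rec in sorted(hr.items()):
        acct = directory.get(emp_id)
        if acct is None:
            # Joiner: present in HR, no account yet. Only active people get one.
            if rec.status == "active":
                actions.append(("create", emp_id, f"department={rec.department}"))
            continue
        if rec.status == "terminated":
            # Leaver: HR says gone; disable (archive/retention handled separately).
            if acct.enabled:
                actions.append(("disable", emp_id, "terminated in HR"))
            continue
        if rec.status == "leave" and acct.enabled:
            actions.append(("suspend", emp_id, "leave of absence"))
        elif rec.status == "active" and not acct.enabled:
            actions.append(("reactivate", emp_id, "active in HR"))
        if (rec.given_name, rec.surname) != (acct.given_name, acct.surname):
            actions.append(("rename", emp_id, f"{acct.surname}->{rec.surname}"))
        if rec.department != acct.department or rec.manager_id != acct.manager_id:
            # Mover: department or manager changed; downstream entitlement
            # review is triggered from this event.
            actions.append(("transfer", emp_id, f"{acct.department}->{rec.department}"))
    # Orphans: HR-sourced accounts that vanished from the feed are treated as leavers.
    for emp_id, acct in sorted(directory.items()):
        if emp_id not in hr and acct.enabled:
            actions.append(("disable", emp_id, "not present in HR feed"))
    disables = sum(1 for verb, _, _ in actions if verb == "disable")
    if directory and disables / len(directory) > max_disable_fraction:
        raise RuntimeError(
            f"refusing run: {disables}/{len(directory)} accounts would be disabled; "
            "check the HR extract before proceeding")
    return actions

# Constructed sample data: one person per scenario in the list above.
SAMPLE_HR = {r.employee_id: r for r in [
    HrRecord("E100", "Alice", "Smith", "Finance", "E001", "active"),     # unchanged
    HrRecord("E101", "Bob", "Jones", "Marketing", "E002", "active"),     # transferred
    HrRecord("E102", "Carol", "White", "Finance", "E001", "active"),     # name change
    HrRecord("E103", "Dan", "Lee", "Engineering", "E003", "terminated"), # leaver
    HrRecord("E104", "Eve", "Park", "Sales", "E002", "active"),          # joiner
    HrRecord("E105", "Frank", "Wu", "Engineering", "E003", "leave"),     # on leave
]}
SAMPLE_DIRECTORY = {a.employee_id: a for a in [
    Account("E100", "Alice", "Smith", "Finance", "E001", True),
    Account("E101", "Bob", "Jones", "Sales", "E002", True),
    Account("E102", "Carol", "Brown", "Finance", "E001", True),
    Account("E103", "Dan", "Lee", "Engineering", "E003", True),
    Account("E105", "Frank", "Wu", "Engineering", "E003", True),
    Account("E106", "Grace", "Kim", "Engineering", "E003", True),  # orphan: not in HR
]}

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_DIRECTORY):
        print(action)
```

The actions are returned rather than executed so that they can be logged, approved or dry-run before any connector touches Active Directory or Exchange; the disable threshold is the piece most often missing from home-grown scripts, and its value is an assumption to tune per organization.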

Change management processes are subject to a variety of policies relating to access changes and identity information:

| Policy | Description |
| --- | --- |
| Privacy protection | Who can see what information, about whom? |
| Data retention | Archive of e-mail folders and home directory contents, post-termination. |
| Segregation of duties | What rights should not be combined? |
| Authorization | Who should approve what access? |
| Identifier management | How to construct unique, persistent login IDs, e-mail addresses, etc. |
| Resource placement | In what directory OU to create accounts, on what filesystem to create home directories, in what mail database to create a mail folder? |
| Rehire control | Whether people who have left the organization may return and if so whether to re-activate their old profile or create a new one. |
| Password complexity | How to compose adequately secure passwords. |
| Authentication options | How users sign into the IAM system, both under normal circumstances and in the event that they forgot their password. |
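Two of these policies are easy to state and easy to get subtly wrong in code: identifier management (login IDs must be unique and, crucially, persistent, so a name change must not produce a new ID) and segregation of duties (a request must be evaluated against the union of what the user already holds and what is being asked for, not against the request alone). The block below is an added example written for this page, not Identity Express code; the ID format (initial plus surname, ASCII-folded, at most 8 characters, numeric suffix on collision) and the toxic entitlement pairs are constructed assumptions standing in for an organization's own rules.

```python
import itertools
import unicodedata
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

def _ascii_fold(text: str) -> str:
    """Strip accents, drop non-letters, lowercase (e.g. 'Ñúñez-Ortega' -> 'nunezortega')."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if ch.isascii() and ch.isalpha()).lower()

def propose_login_id(given: str, surname: str, taken: Set[str], max_len: int = 8) -> str:
    """Assumed ID rule: first initial + surname, truncated to max_len; on
    collision append 2, 3, ... while keeping the total length within max_len."""
    base = (_ascii_fold(given)[:1] + _ascii_fold(surname))[:max_len] or "user"
    if base not in taken:
        return base
    for n in itertools.count(2):
        suffix = str(n)
        candidate = base[:max_len - len(suffix)] + suffix
        if candidate not in taken:
            return candidate

class IdentifierRegistry:
    """Maps a stable person key (employee ID) to a login ID exactly once.
    Renames never change the ID: persistence is enforced by looking up the
    person key before proposing anything."""
    def __init__(self) -> None:
        self._by_employee: Dict[str, str] = {}
        self._taken: Set[str] = set()

    def login_id_for(self, employee_id: str, given: str, surname: str) -> str:
        existing = self._by_employee.get(employee_id)
        if existing is not None:
            return existing
        login = propose_login_id(given, surname, self._taken)
        self._by_employee[employee_id] = login
        self._taken.add(login)
        return login

# Constructed SoD rules: each set is a combination that must not be held together.
SOD_RULES: FrozenSet[FrozenSet[str]] = frozenset({
    frozenset({"AP-Create-Vendor", "AP-Approve-Payment"}),
    frozenset({"AD-Domain-Admins", "Audit-Log-Readers"}),
})

def sod_violations(current: Iterable[str], requested: Iterable[str],
                   rules: FrozenSet[FrozenSet[str]] = SOD_RULES) -> List[Tuple[str, ...]]:
    """Return every rule that would be fully satisfied once the requested
    entitlements are added to the ones the user already holds."""
    combined = set(current) | set(requested)
    return sorted(tuple(sorted(rule)) for rule in rules if rule <= combined)

if __name__ == "__main__":
    reg = IdentifierRegistry()
    print(reg.login_id_for("E102", "Carol", "Brown"))   # cbrown
    print(reg.login_id_for("E107", "Chris", "Brown"))   # cbrown2 (collision)
    print(reg.login_id_for("E102", "Carol", "White"))   # cbrown (persistent after rename)
    print(sod_violations({"AP-Create-Vendor"}, {"AP-Approve-Payment"}))
```

Evaluating the request against current plus requested rights is what stops the common bypass where two individually harmless requests add up to a toxic combination; the same function can be run during periodic review by passing the user's full entitlement set as `current` and nothing as `requested`.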
