What's New In IdM 7.1 (Cont'd) - Security - New End User Group

One of the new features that adds to the flexibility of setting up roles, organizations, and users is the addition of a new End User Group Object in Sun Java System Identity Manager 7.1.

The purpose of this new group, which is automatically assigned as a member of the TOP organization node, is to give the administrator more flexibility in ensuring that basic privileges are granted to all users, or at least that a common set of rules is tested against every user IdM handles.

Before 7.1, suppose all employees get access to an email account and a building security card, and there are two locations they can be assigned to (Campus East or Campus West). The administrator would create two organizations under TOP (Campus A and Campus B) and write policies to assign the email account and the security account, attaching the right one to the right organization. If anything changed, the administrator had to make sure both organizations' rules and policies were updated for the new change. And then there is the new "work from home" policy, where employees get a different security account at either of the two campuses. That makes for some creative rule writing.

Now the administrator can write just one set of rules and policies and assign them to the new End User Group. It is a catch-all group that, in principle, every employee account is tested against after it has been run through all the other organization-based tests and assignments. Once the employee is placed in the correct organization and that organization's rules and policies have been applied to the account, the account is then run through the End User Group for the final determination of end user privileges.

This is very similar to the "Default User" account in Windows. When a user logs in, they receive not only their own account privileges but also additional access derived from the "Default User" account. Now a policy (for example, one determining campus security access) can be written once and applied to the End User Organization. User accounts are first processed according to the traditional organization assignments (Campus A, Campus B, and WorkFromHome), and then the end user is run through the End User Group to determine final account privileges.
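The evaluation order described above, as an added illustration that is not IdM code or configuration: a small Python model in which each user's organization policy runs first and the single End User Group policy runs last. The organization names, account names and the "no campus card yet" rule in the catch-all policy are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    org: str                      # constructed: Campus A, Campus B or WorkFromHome
    accounts: set = field(default_factory=set)


# Organization-specific policies: evaluated first, one per organization (constructed).
# Before the End User Group existed, the email grant would have to be repeated here.
ORG_POLICIES = {
    "Campus A": lambda user: {"security-card:east"},
    "Campus B": lambda user: {"security-card:west"},
    "WorkFromHome": lambda user: set(),
}


def end_user_group_policy(user):
    """Catch-all policy written once and applied to every user after org policies.

    Grants the common email account, and (constructed rule) a cross-campus card
    to anyone the organization policies left without a campus card.
    """
    grants = {"email"}
    if not any(acct.startswith("security-card:") for acct in user.accounts):
        grants.add("security-card:both")
    return grants


def provision(user, org_policies=ORG_POLICIES, catch_all=end_user_group_policy):
    """Apply the user's organization policy, then the End User Group policy."""
    org_policy = org_policies.get(user.org, lambda u: set())
    user.accounts |= org_policy(user)      # traditional org-based assignment
    user.accounts |= catch_all(user)       # final pass through the End User Group
    return sorted(user.accounts)


def demo():
    """Provision three constructed users and return their final account sets."""
    users = [User("alice", "Campus A"), User("bob", "Campus B"),
             User("carol", "WorkFromHome")]
    return {user.name: provision(user) for user in users}
```

Because the catch-all policy sees the accounts the organization policies already granted, a change to the common baseline is made in one place rather than in every organization.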

Now, when an end user logs into the end user interface, they are automatically evaluated against the built-in End User Controlled Organizations rule, which can return one or more organizations the user can control. This centralizes some of the work of determining end user capabilities and should be considered a best practice going forward for assigning Roles, Resources, and Tasks.

To manage this new capability around end user assignments, a new End User Administrator capability has been added to the system and is initially assigned to Configurator. Note that this capability is assigned at user login, so changes to its assignment will not affect users currently logged into the system; they must log out and back in to gain the capability.


Sean ONeill