What's new in PS2? Many enhancements to Identity Governance
By Darin_Pendergraft_Oracle on Mar 19, 2014
As you might know, our official IDM 11gR2 PS2 webcast will be held on April 10, 2014 @ 10:00 am PST
#OracleIDMPS2 is our offical twitter handle for all things PS2!
In the run up to the webcast, I have asked the PM team to put together a series of blogs to help outline the big changes and new features that were introduced as a part of the PS2 webcast. This week, the Identity Governance team has put together a post all about Identity Governance
Oracle Identity Governance is a suite of highly flexible and scalable enterprise identity administration solutions that provides operational and business efficiency by providing centralized administration & complete automation of identity and user provisioning events across enterprise as well as extranet applications. It provides role lifecycle management and privileged account management, ensuring consistent enforcement of identity based controls thereby reducing ongoing operational and compliance costs. New features introduced in the Oracle Identity Governance 11gR2 PS2 release are focused on customer success and improving overall reliability and reducing TCO of existing deployments. Highlights include:
Dynamic Organization Membership
In a typical enterprise or extranet use case scenario, a user will be associated to their home organization but would require membership to other organization entities to perform related functions. For example, a global help desk user who belongs to the Support organization would require access to view and perform certain functions (like password reset) on other organizations like Finance, Sales etc. The solution has the capability to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and more applicable to permission grants.
Dynamic Organization Membership provides a way to specify a rule that would drive the membership of the user to one or more organizations based on their user attributes. The feature introduces the ability to specify a membership rule for organizations similar to how roles are handled. Once the user is dynamically associated to other organizations, they get implicit viewer privileges to view users, roles and privileges made available to those organizations as well. If certain users are needed to perform certain functions, like the help desk example above, they can still be associated to the corresponding admin role manually. Note that this is dynamic rule based organization membership (not virtual organization) that has to be associated with a physical organization in the solution.
Simplified Request Management
Oracle Identity Governance provides a centralized catalog of access rights, including enterprise and application roles, standard and privileged accounts and entitlements. The solution enables customers to create multiple views of the centralized catalog, like catalog by location, by department or a hierarchical catalog showing all applications along with associated entitlements etc., tailored to their needs. A list of beneficiaries can also be programmatically sent to the catalog enabling customers to integrate with other request initiating systems like a ticketing system.
Oracle Identity Governance provides a business user friendly catalog to request account entitlements. However it required the business user to know any entitlement related dependencies. For example, the user needed to know that they needed an e-Business account before they can request for an entitlement that grants them privileges to raise a purchase order in e-Business. OIG can now automatically request the account for a user when a related entitlement is requested, thereby reducing the burden of the business users to know the account-entitlement relationship.
Business users, requesters, approvers or access certifiers, often require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility would grant a user a set of menu/button privileges. OIG now supports such critical hierarchical entitlement metadata to be imported and made available during request, approval and certification processes. Users typically would have more than one account in a target system and OIG supported multiple accounts to be associated with a user.
The solution now supports specifying to which account a specific entitlement in a request needs to be associated with during the request checkout process. In many cases, requesters are required to provide additional information during access request for each item requested. For example, in a request that involves multiple entitlements, the requester might be required to specify the start date and end date for each of the entitlements requested. OIG enables requesters to provide such information during request that can be carried all the way to approval and provisioning processes. OIG also provides an out-of-the-box scheduled task for entitlement grant and revoke based on the start and end dates specified.
Oracle Identity Governance also enables requesters to save the request cart enabling them to validate and submit requests at a later time.
Collaborative Certification Processes with Identity Auditor
Oracle Identity Governance introduces the capability of specifying additional levels of reviews in the certification workflow process. For example, OIG can now launch a certification review process whereby the business manager reviews the users that report to him/her, but is then followed by the managers' manager also reviewing the same access rights, while viewing the decisions made by their subordinate. In addition, collaborative Certification workflows with involvement from representatives from both Business lines and IT can also be launched for improved accountability and remediation.
Oracle Identity Governance introduces a new operational console in Oracle Enterprise Manager that enables administrators a complete view of all the defined OIG operations, out-of-the-box and customer defined event handlers, child processes, workflow processes their state and error information without requiring to mine different server logs. This tool does not replace the larger IDM management pack in Enterprise Manager that provides a suite wide monitoring capability but serves as a useful diagnostic tool specifically for OIG.
Privileged Account Session Management
Recent front-page security breaches have emphasized the fact that access control and monitoring of privileged accounts is critical. In some cases, privileged account password management alone is not enough. The OPAM solution in the OIG suite additionally provides session management and auditing capabilities to address extreme use cases. By creating a single access point to the target resources, OPAM’s Oracle Privileged Session Manager (OPSM) helps administrators to control and monitor all the activities within a privileged session.
For more information on OPAM, read our blog here: New Session Management in OPAM