Automated user life cycle management is a critical part of the OpenIAM identity management solution. This section describes the overall solution and then you through the process of implementing your own automated user life cycle management in your environment.
What is automated user life cycle management
Automated user life cycle management provides organizations with the ability to automatically:
- Create users and grant the right level of access when they join the firm
- Adjust access rights when a person's position in the firm changes
- Terminate / revoke access when a user leaves the firm.
Each of these operations is supported by audit logs to provide visibility into when and why changes have occurred.
Life cycle management overview in OpenIAM
The diagram below provides a high level overview of how automated provisioning works in OpenIAM. The diagram also takes into account that a deployment may have more than one authoritative source. Authoritative source can be segregate based on a variety of factors including: User type, attributes, etc.
Most Human resources (HR) systems can be integrated with OpenIAM using one of the following approaches:
- API / SDK / Database view - OpenIAM can use either the API, SDK or View provided by the HR system to extract user and organizational information at regularly scheduled intervals; every 1 hr, 4hrs, 24 hrs,etc. This approach will require the use of an OpenIAM Connector.
- CSV file - CSV file that is generated from the HR system which can be processed by OpenIAM by picking up the files from a network location at regular intervals.
Under the scenario, OpenIAM will do the follow to implement automated provisioning:
- Query the source system for new information about employees through the connectors
- For each new or modified user that is found, the OpenIAM synchronization service will:
- Map the incoming data to OpenIAM objects
- Determine the level of access that a user should have across applications by determine appropriate birthright access as well other entitlement membership
- Pass the object to the provisioning services
- The provisioning service will perform the following steps:
- From the authorization service, obtain a full list of entitlements based on a person's group or role membership
- For each application that a person should be provisioned to, the service will:
- Determine the value of each attribute by using a policy map associated with a "Managed System"
- Send a message to each connector with the results of the policy map
- Connectors will:
- Communicate with the target system
- Apply the changes to target system based on the message received from the provisioning service
- Send a response back to OpenIAM via the message bus. OpenIAM will update the identity status and save the actions in the audit logs.
Configuring automated life cycle management
As described above, to implement automated provisioning, please follow the details described in each of the following sections
- Install and register the connector
- Connect to your application
- Configure configure your connector
- Integrate with your source system
- Synchronization for the initial data-load
- Import existing entitlements from the target application
- Import existing users and their entitlements
- Role based provisioning
- Birthright access using business rules
- Joiners, movers, and leavers
- Orphan management