omada identity suite -...


Upload: doduong

Post on 01-May-2018


Identity management is an essential discipline in today’s increasingly complex IT environments. Organizations must efficiently provide secure and compliant access to large numbers of users across more applications than ever - and at the same time be able to state accurately who had access to which systems and who granted that access. Omada Identity Suite helps organizations to meet the access demands of the business and ensure secure, efficient, and compliant identity management.

OMADA IDENTITY SUITE - for Microsoft Forefront Identity Manager 2010

[email protected] | www.omada.net

OMADA IDENTITY SUITE - Solution in Detail


IDENTITY MANAGEMENT CHALLENGES 3

APPROACHING IDENTITY MANAGEMENT 4

CONTROL OF IDENTITY DATA 5

IDENTITY AND ACCESS GOVERNANCE 6

IDENTITY AND ACCESS MANAGEMENT 7

OMADA’S UNIQUE STEP BY STEP APPROACH 8

Omada’s Step-by-Step Approach to Business-Driven Identity Management 8

OMADA’S IDENTITY AND ACCESS GOVERNANCE SOLUTION 11

Validation Against Policy 11

Dashboards and Reporting 11

Attestation of Access 11

Mitigate Findings 11

OMADA’S IDENTITY AND ACCESS MANAGEMENT SOLUTION 12

Automated HR Lifecycle Management 12

Self-Service 12

Delegated Admin 12

Reconciliation 12

Role-Based Access Control 13

Approval 13

Provisioning 13

Confirmation 13

Audit Trail 13

PRODUCT OVERVIEW 14

Omada Identity Suite Modules 14

Omada Identity and Access Data Warehouse 14

Recertification / Attestation 15

Compliance Reporting and Auditing 16

Policy / SoD Management 19

Role Lifecycle Management 20

Omada Business Process Engine 21

ABOUT OMADA 23


IDENTITY MANAGEMENT CHALLENGES

Many businesses today are operating in a climate of strict compliance and experience an increased need for enterprise effectiveness. However, managing access rights for the employees, consultants, and business partners across complex IT environments with multiple systems, applications, and platforms is a costly and resource intensive task for the IT administration without a comprehensive and scalable identity management solution.

Time Consuming Manual Processes

Handled manually, managing identities and access rights is a time-consuming and complex task that is often carried out with a high degree of randomization - making it difficult to maintain an overview of ‘who has access to what’, ‘who did what and when’, and to track and document activities.

Reduced Organizational Efficiency

Requesting and approving access to IT systems is a burden to the helpdesk, business users, and IT administrators. The consequences organizations face are reduced effectiveness, high administration costs, security and compliance deficiencies, and the risk of failing audits.

Complex Identity Data

Getting the big picture of who has access to what across the entire IT platform with hundreds of applications and thousands of users is a complicated task. For many organizations, identity and access information is fragmented in application silos. And, with high levels of employees and contractors onboarding, transferring, or off-boarding, it is difficult to keep up with changes to the identity related information.

Difficult to Ensure Compliance

Lack of control and visibility of identities and access rights makes it difficult to ensure consistent compliance with business policies and legislative regulations, and to keep control of users’ access rights to sensitive data and applications.


APPROACHING IDENTITY MANAGEMENT

The Value of Identity Management

Identity management solutions improve efficiency, security, and compliance. Automated processes reduce the need for manual tasks, and when access is assigned based on business policies, compliance is improved. With an identity management solution that also facilitates attestation and reporting, organizations gain full control and overview of access rights, ensuring that users have correct and valid access.

Solution Focus

Depending on the most pressing issue to solve in the organization, it is important to focus on selecting the right approach. If the organization wishes to improve efficiency, the most beneficial approach is to select an identity and access management solution to automate user provisioning and administration processes. If, on the other hand, compliance and risk mitigation is the driving factor, the most beneficial approach is to focus on identity governance. Whichever perspective, the first step is to gain control of identity and access data across the entire IT platform.

Organizational benefits:

• Ongoing sustainable compliance by applying governance and compliance controls and policies across all identity management processes; preventing issues instead of reacting to them

• Consistency and policy enforcement by applying automated provisioning as an integrated part of the identity management processes. Automation is ideally used when cost-effectiveness or enforcement is vital

Figure 1: Automation versus compliance

Depending on the business drivers, organizations can focus either on achieving automation benefits and enforcement of policies first or on achieving compliance and governance.

Identity management delivers a set of business processes that facilitates and provides user provisioning and administration, according to business policies. Governance and compliance processes apply across all identity management processes, ensuring that defined security and compliance policies are automatically adhered to.


CONTROL OF IDENTITY DATA

Compliant organizations want the ability to control identity and access across multiple domains, and create on-demand reporting on identity intelligence. Yet, comprehensive reporting and analysis is difficult to generate if identity data is scattered across cloud and on-premise systems with lack of overview or insight into authoritative data. When identity data is scattered across several systems it is difficult to define policies and isolate critical systems. Also, tracing access rights of individual employees across all systems becomes a very time consuming task. If reporting is handled differently in each system, the gathered data will be difficult to compare and analyze since it does not contain comparable information or dimensions.

Identity Data Warehouse

To gain control of identity and access data, the data must first be gathered in one place in a data warehouse, collecting the identity and access related information from systems, directories and databases like Active Directory, SharePoint, MS SQL Server, SAP, and RACF.

Cross system reporting and analysis is enabled by implementing a central data warehouse, that imports identity and access data from the systems and applications used across the enterprise - using specified extensible data collectors. Collecting the identity data in a data warehouse makes the data available for historical preservation, reports, attestation, and validation against policy.

Data Cleaning

The collection of data provides an opportunity to clean the data in the process. Collecting the data and analyzing it to discover duplicate accounts and accounts without owners improves the data quality.

Even without implementing any further identity management or governance processes on the data, simply getting the big picture of identities and access rights will increase security. The collected data can be mined to identify critical systems and uncover security risks. Based on the identity information it is possible to identify the areas to prioritize in the next phase of an identity management program.

Key benefits:

• Gain insight into current state of data

• Generate reports for data analysis

• Provide basis for development of compliance and management processes and policies

• Achieve savings to license and subscriptions fees when unused accounts are removed

Challenge Scenarios:

• Incomplete or incorrect identity and access data

• Accumulation of access rights over time

• Difficulties in providing analytics and reporting


IDENTITY AND ACCESS GOVERNANCE

In today’s increasingly complex IT environments organizations require solutions that ensure continuous compliance across audited IT systems and data. Compliant organizations must be able to demonstrate control and overview of identities and access across scattered cloud and on-premise systems.

CIOs and CISOs are accountable for compliance fulfillment although systems and data are increasingly outsourced. Such outsourcing is not only initiated by the IT organization, but also indirectly by the line of business as they increasingly use cloud applications outside the direct control of the IT organization.

Defined Policies and Automated Attestation

From the outset of developing an identity management strategy it is important to define the business policies. With an identity management solution the policies are strengthened by automated processes and reporting features. Organizations will gain the most benefit by initially defining which processes include the most business critical access policies in systems and applications, and proceed by including additional systems when the identity management solution is in place.

On-Demand Reporting

Identity and access governance increases security across the enterprise as each account and identity will have current and valid approval that is periodically reviewed and attested.

On-demand reporting on identity intelligence reduces security risks by immediately detecting policy violations and toxic combinations of access rights.

Key benefits:

• Comprehensive reporting is readily available to auditors and business users, to facilitate compliance and process improvements

• Efficient validation of accounts, users, and access rights – minimizing security risks

• Consistent compliance with business policies and legislative regulations

Challenge Scenarios:

• Preparing for security audits is time-consuming

• No transparency of enterprise-wide access rights

• Monitoring wrongfully accumulated access rights is difficult


IDENTITY AND ACCESS MANAGEMENT

Without a centralized system, handling of processes for on-boarding, transferring, and off-boarding employees, dealing with requests for access rights, and adapting access rights to organizational changes is time-consuming and error prone.

Lack of defined and enforced processes related to the identity lifecycle often results in employees not having access rights removed promptly when they leave the organization, and the ‘Least Privilege’ principle may not be applied consistently.

Improve Organizational Efficiency

Organizations can improve the efficiency of the user administration quickly by addressing the identity management challenges in three main areas:

• Implementing business processes driven by changes to HR data, for example triggering tasks for the manager when a new employee is entered in the HR system. Having automated approval processes in place lowers administrative efforts while maintaining a high security level.

• Implementing role lifecycle management, where access rights are granted based on an identity’s position in one or more hierarchies (such as organizational unit or project), removes the need for requests for every access, as most are granted automatically based on the job profile of the identity.

• For access that is not covered in the role model, a centralized access request process allows end users to request access in a single portal that also triggers workflows for approval and provisioning.

These three areas improve the efficiency of identity management, and at the same time provide an audit trail so it is possible to track each access request made, whether initiated by HR changes, self-service requests, or assigned by a role model.

With a solution that also supports automatic provisioning and de-provisioning to target systems, identity management is highly time- and cost-effective, and automatically enforces a high level of security.

Key benefits:

• Reduced work load and IT costs by implementing business processes and self-service access requests

• Automated and secure granting of birth rights with role lifecycle management

• On-demand audit trail of all access requests, facilitating process analysis and optimization

Challenge Scenarios:

• Managing identities is time-consuming and costly

• Access request management is inefficient for both end-users and IT personnel

• No audit trail of granted access


OMADA’S UNIQUE STEP BY STEP APPROACH

Omada’s approach to identity management is designed to improve both compliance and efficiency in the organization, regardless of where in the process the identity management project is initiated. With Omada’s step by step approach the identity management solution focuses on business needs. Organizations may choose to implement a governance solution for one system, but introduce self-management or role lifecycle management in another, letting the most pressing concern drive the project, one step at a time until you have identity management under control.

Figure 2: Omada’s approach includes multiple value adding process steps

Key benefits:

One of the key benefits of Omada’s approach is that all aspects of identity management are part of an iterative process where each element is repeated step by step, system by system, project by project to improve compliance and data quality.

Omada’s Step by Step Approach to Business-Driven Identity Management

Omada Identity Suite is a collaborative platform that unifies business and IT related identity needs towards greater compliance and more efficient identity management.

Improve identity data from day one

The solution supports a step by step approach which ensures that it is fast to get to a point where every access has current and valid approval. The solution enables easy import of data from relevant systems and processes changes to that data. During the process, system owners are automatically presented with relevant access information, so improvements to data can be dealt with appropriately and in a timely manner. The solution continuously monitors whether the changes have taken place in the actual systems. The result is a complete overview of the quality of data and how it is improved from day one.


Achieve control and compliance of users and access

Compliant organizations must be able to demonstrate control and overview of identities and access rights across scattered cloud and on-premise systems - either managed in-house or by hosting vendors. With Omada’s solution organizations will have the flexibility of outsourcing and taking in cloud applications without compromising compliance and security.

Gain easy adoption – regardless of provisioning method

The solution provides deep access intelligence across all connected or non-connected systems, regardless of which fulfillment solution is applied. For example, if a hosting partner uses one or several user provisioning tools to manage the hosted systems, Omada’s solution will tap into those systems, collect and store relevant data to provide a complete and continuous overview and control of the identity data.

Achieve organizational efficiency

The solution streamlines user administration processes with a self-service access request portal and automated user lifecycle processes for access requests and approvals. Access control is achieved by ensuring current and valid approval of all users, accounts, and access across any system – outsourced or self-managed, on-premise, hosted, or in the cloud.

Automated granting of birth rights and other privileges, when employees onboard the organization or change job roles, eliminates manual routine work.

Get on-demand actual and historical overview of access data

The solution provides on-demand actual and historical overview of access data for analysis, reporting, attestation, and data clean-up to ensure consistent fulfillment of regulatory compliance requirements.

Achieve easy technology adoption

The solution is built on the Microsoft platform which is well adopted in most IT organizations. Manual provisioning tasks can be created automatically as a ticket in the existing helpdesk system or as a workflow task in the Omada Identity Suite.

The unique architecture enables organizations to achieve true compliance. Not just delivered as a ‘rubber stamp’ but by providing real deep access intelligence required for complete insight and overview of ‘who has access to what and who approved it’.

The Steps in Detail

Control of identity data

Gathering of business intelligence is the first step in any identity management project. The gathered data provides the foundation to define policies and processes, and to be able to determine the next step, whether the focus is compliance or automation.

Figure 3: The steps to get control of your identity data

Data gathering

Data is collected using a standard connectivity platform detecting changes to all relevant data in a dynamic environment. The powerful extension model allows you to import custom data that can be used to improve processes, and perform attestations on it.

Powerful data collection is the key to generate accurate identity and access data. The capability of collecting data across a heterogeneous system landscape is the first step in providing exact and valuable information on access rights across all systems.


Store and normalize data

Data is processed and normalized to ensure that the actual access situation is visible regardless of nested groups, loosely coupled object models, and unconnected systems.

Data cleaning

The solution offers features to improve the initial quality of data. The data cleaning identifies incomplete or incorrect data, and alerts about invalid data. For example, it highlights objects or attributes that do not adhere to the naming convention or format.

Account ownership determination and approval

Managing account ownership in a dynamic environment ensures continuous accountability and transparency.

In addition to direct matching, the Omada Identity Suite provides rules and fuzzy logic algorithms to propose the right owner of accounts. Such proposals can be sent for approval in a collaborative attestation scenario.

Data enrichment

Enrich your data by structuring physical IT systems and access groups into logical business applications with well described roles, simplifying request and attestation processes for the end user.

Business descriptions of resources and other metadata in systems make it easier to attest to access. Classification functionality gives a more consistent and complete understanding of the identity data in order to effectively plan future enhancements.


OMADA’S IDENTITY AND ACCESS GOVERNANCE SOLUTION

Based on the gathered and enriched identity and access data, the next step is to move on to implementing a governance solution. Omada’s step by step approach for identity and access governance integrates seamlessly with both the data gathering and maintenance. Omada’s approach to identity governance has three main elements – validation against policy, a comprehensive reporting platform, and attestation of access.

Figure 4: Identity governance

Validation Against Policy

Policies such as separation of duties (SoD) can be defined and the system detects any violations of such policies – in one system or across many systems.

Constraint policies are used to detect toxic combinations of resources assigned to the same person. The solution continuously monitors the environment, proactively detects policy violations, and alerts appropriate managers or system owners.
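As an added example, not code from the original page or from Omada, the following Python flattens nested group memberships from several systems into effective per-identity holdings (the normalization described under "Store and normalize data") and then checks them against constraint policies for toxic combinations of resources, including combinations that span systems. All system, group, identity and policy names are constructed.

```python
"""Added example (not Omada's code): normalize nested group memberships
into effective per-identity holdings, then validate them against
separation-of-duties (SoD) constraint policies.
All systems, groups, identities and policies below are constructed."""
from collections import defaultdict

# Constructed sample: per-system group membership. A member written as
# "group:<name>" is a nested group; any other member is an account that
# has already been mapped to its owning identity.
SYSTEMS = {
    "ERP": {
        "AP_Clerks": {"alice", "bob"},
        "AP_Approvers": {"carol", "group:Finance_Managers"},
        "Finance_Managers": {"dave", "alice"},
    },
    "AD": {
        "Domain Admins": {"group:Tier0_Ops"},
        "Tier0_Ops": {"bob"},
    },
}

# Constructed SoD policies: a toxic combination is a set of (system, group)
# resources that no single identity may hold at the same time, possibly
# spanning several systems.
SOD_POLICIES = [
    {"name": "AP create vs approve",
     "resources": {("ERP", "AP_Clerks"), ("ERP", "AP_Approvers")}},
    {"name": "Domain admin with AP clerk",
     "resources": {("AD", "Domain Admins"), ("ERP", "AP_Clerks")}},
]


def expand_group(groups, group, visited=None):
    """Return the identities that effectively belong to `group`, following
    nested groups transitively and tolerating circular nesting."""
    visited = set() if visited is None else visited
    if group in visited:          # cycle, or already expanded on this path
        return set()
    visited.add(group)
    members = set()
    for member in groups.get(group, ()):
        if member.startswith("group:"):
            members |= expand_group(groups, member[len("group:"):], visited)
        else:
            members.add(member)
    return members


def effective_assignments(systems):
    """Flatten all systems into {identity: {(system, group), ...}} so that the
    actual access situation is visible regardless of nesting."""
    holdings = defaultdict(set)
    for system, groups in systems.items():
        for group in groups:
            for identity in expand_group(groups, group):
                holdings[identity].add((system, group))
    return dict(holdings)


def sod_violations(holdings, policies):
    """Return (identity, policy name) for every toxic combination found."""
    violations = []
    for identity in sorted(holdings):
        for policy in policies:
            if policy["resources"] <= holdings[identity]:
                violations.append((identity, policy["name"]))
    return violations


if __name__ == "__main__":
    for identity, policy in sod_violations(effective_assignments(SYSTEMS), SOD_POLICIES):
        print(f"SoD violation: {identity} breaks policy '{policy}'")
```

Note that alice only reaches AP_Approvers through the nested Finance_Managers group; a check on direct memberships alone would miss her violation.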

Dashboards and Reporting

Graphical dashboards provide the initial overview of data across systems, with details found in a comprehensive set of standard reports. Reports can be customized, and new reports created to further enhance auditing.

Point-in-time reports show data at a specific point in time, log reports show attribute changes for an object, and dashboard reports present the aggregated data.

Attestation of Access

Attestation of access ensures that approval is current. The Omada Identity Suite uses a survey format with tasks assigned to respondents, ensuring an audit trail and supporting escalation to the respondent’s manager in case the attestation is not completed within the set time frame.

Attestation surveys are presented in an easy to read format and respondents are only presented with the data that is relevant to them. Attestation surveys can be re-run periodically.

Mitigate Findings

Remediation of detected policy violations is administered seamlessly, using the built-in, out-of-the-box provisioning processes or any existing provisioning processes or systems the organization has in place.

The solution provides closed loop auditing which automatically presents system owners with information if any access needs to be de-provisioned. Based on this information the problematic access can be withdrawn. After this step the solution runs an import that monitors whether the de-provisioning has taken place. The solution supports automatic de-provisioning.


OMADA’S IDENTITY AND ACCESS MANAGEMENT SOLUTION

Omada’s identity and access management approach is based on the concept that every identity management action is driven by a request. The request can be an HR driven identity lifecycle management change, a manager or end-user that wishes to make changes to existing access or data, a new access request, or the result of a reconciliation that initiates the access request process.

Figure 5: Identity management steps

Automated HR Lifecycle Management

Automated HR change requests streamline onboarding, transfers, and off-boarding processes by ensuring a consistent and efficient management of access changes according to organizational changes.

The processes run either fully automated end-to-end from the access request to confirmation or with built-in approval steps. A job title change for an employee will result in an HR driven access request that assigns new business roles and the current access privileges will be revoked automatically in the process.

Self-Service

The Self-Service Access Request Portal allows managers and end users to request new access or modify existing access privileges, within the constraints of pre-defined identity policies and role models, for one or multiple systems - in one process with subsequent approval and either manual or automated provisioning.

The solution provides an efficient and accurate way to view existing access as well as the status of any self-service access requests.

Delegated Administration

The solution supports delegated admin, enabling access requests initiated on behalf of others; for example, providing a manager with the option to request access on behalf of a team member.

Reconciliation

When a difference between actual state and desired state is detected, a security incident is recorded and a request process is initiated.

The reconciliation capabilities available in the solution examine and compare actual state versus desired state. If a difference is detected the system automatically initiates a predefined process to address the issue. This action is performed for all systems, connected or unconnected to automated processes such as provisioning.


Role-Based Access Control

Automate provisioning according to enterprise role and rule calculations by implementing role-based administration of access rights to automate the management of changes to identities, systems, and permissions - fast and in compliance with business policies.

Defining and implementing a role model allows organizations to assign roles automatically to users based on identity parameters.
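As an added example that is not Omada's code, the following Python combines the role-based calculation of the desired state described here with the reconciliation of actual versus desired state described under Reconciliation and the closed-loop import check described under Mitigate Findings. The HR attributes, role rules, system and resource names are all constructed.

```python
"""Added example (not Omada's code): derive the desired access state from a
role model over HR attributes, reconcile it against the actual state
imported from a target system, emit one request task per difference, and
confirm on the next import whether each change really took place.
All identities, rules, systems and resources below are constructed."""

# Constructed authoritative HR data (identity parameters).
IDENTITIES = {
    "alice": {"department": "Finance", "title": "Clerk"},
    "carol": {"department": "Finance", "title": "Manager"},
    "erin": {"department": "Finance", "title": "Clerk"},
    "bob": {"department": "IT", "title": "Engineer"},
}

# Constructed role rules: when every attribute in "when" matches, the
# listed (system, resource) assignments are granted automatically.
ROLE_RULES = [
    {"when": {"department": "Finance", "title": "Clerk"},
     "grants": [("ERP", "AP_Clerks")]},
    {"when": {"department": "Finance", "title": "Manager"},
     "grants": [("ERP", "AP_Approvers")]},
]

# Constructed actual state as imported from the ERP system: bob holds
# access with no approval behind it, and erin's role access was never set up.
ACTUAL_IMPORT_1 = {
    ("alice", "ERP", "AP_Clerks"),
    ("carol", "ERP", "AP_Approvers"),
    ("bob", "ERP", "AP_Approvers"),
}


def desired_state(identities, rules):
    """Calculate the role-based desired state: {(identity, system, resource)}.
    Re-running this after an HR change (e.g. a new job title) yields the new
    desired state, so old role access surfaces as unapproved on reconciliation."""
    desired = set()
    for identity, attrs in identities.items():
        for rule in rules:
            if all(attrs.get(key) == value for key, value in rule["when"].items()):
                for system, resource in rule["grants"]:
                    desired.add((identity, system, resource))
    return desired


def reconcile(desired, actual):
    """Compare actual to desired and return the request tasks needed to close
    the gap: unapproved actual access -> 'revoke'; approved but missing
    access -> 'provision'. Every task starts 'open'."""
    tasks = []
    for assignment in sorted(actual - desired):
        tasks.append({"action": "revoke", "assignment": assignment, "status": "open"})
    for assignment in sorted(desired - actual):
        tasks.append({"action": "provision", "assignment": assignment, "status": "open"})
    return tasks


def confirm(tasks, actual_after):
    """Closed-loop check against the next import: a task is 'confirmed' only
    when the target system really reflects the change, otherwise it stays
    'open'. This works the same whether provisioning was automated or manual."""
    for task in tasks:
        present = task["assignment"] in actual_after
        done = present if task["action"] == "provision" else not present
        task["status"] = "confirmed" if done else "open"
    return tasks


def open_tasks(tasks):
    """Tasks still awaiting fulfilment after confirmation."""
    return [task for task in tasks if task["status"] == "open"]


if __name__ == "__main__":
    tasks = reconcile(desired_state(IDENTITIES, ROLE_RULES), ACTUAL_IMPORT_1)
    # Constructed second import: bob's access was removed, erin's is still missing.
    second_import = {("alice", "ERP", "AP_Clerks"), ("carol", "ERP", "AP_Approvers")}
    for task in confirm(tasks, second_import):
        print(task["action"], task["assignment"], task["status"])
```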

Approval

The Omada access request workflow assigns and directs approval tasks automatically to the approver as a result of the performed calculation. Managers can approve access granted to their direct reports.

Automatically detected SoD violations result in an approval task being assigned to a security officer or risk manager for evaluation and subsequent approval or rejection.

Where a role model has been implemented there are typically fewer approval tasks required, because many of the access privileges are typically auto approved.

Provisioning

Access can either be automatically provisioned or de-provisioned on target resources, such as systems/applications and databases, or manually provisioned without connectivity to the identity management solution, as it may not be cost-effective to automate all access changes.

Target resources with a high number of users or access changes are primary candidates for automated provisioning. Other candidates are critical target resources that will pose a risk to compliance or security if access is not revoked immediately, for example in the event of a termination of an employment or contract. The automated provisioning ensures policy enforcement and strengthens security.

The access request workflow directs and assigns manual provisioning tasks to target resource owners or helpdesk personnel to perform the changes on target resources. Alternatively, a ticket can be automatically created in a helpdesk system for processing of the manual provisioning.

Confirmation

The solution provides closed loop auditing which automatically presents system owners with information if access in their systems needs to be de-provisioned. When manual provisioning is configured for a target system, the system owner needs to manually remove problematic access. After this step the solution runs an import that monitors whether the de-provisioning has taken place - irrespective of provisioning method. The solution supports automatic de-provisioning.

Audit Trail

The solution provides an audit trail that makes it easy to review who submitted an access request and who approved it. On-demand actual and historical overview of access data is readily available for review.


PRODUCT OVERVIEW

Omada’s suite of products is used by organizations worldwide, in midsized businesses as well as large multinational enterprises, to provide business-centric identity management and governance across connected and non-connected systems on heterogeneous platforms.

The flexibility of the Omada Identity Suite allows a high degree of customization, enabling organizations to meet business specific requirements.

Omada Identity Suite Modules

• Recertification / Attestation

• Compliance Reporting and Auditing

• Self-Service Access Request Portal

• Policy/SoD Management

• Role Lifecycle Management

These modules are powered by the Role and Policy Engine, Business Process Engine and Recertification Engine on top of the Omada Identity and Access Data Warehouse.

Figure 6: Omada Identity Suite architecture

Omada Identity and Access Data Warehouse

The Omada Identity and Access Data Warehouse is at the core of the Omada Identity Suite - centrally storing identity and access data across all systems.

Omada Identity and Access Data Warehouse enables you to:

• Centralize visibility and control of identity information including historical data

• Improve strategic decision making by analyzing identity data from sources across the enterprise and the cloud

• Provide a single repository of identity data to support governance, compliance and provisioning activities

• Leverage consistent identity data across all identity management business processes


Data is easily gathered from all systems you wish to be in control of – on-premise, cloud-based, hosted, or outsourced – using predefined extensible data collectors for the collection and import of identity and access data from systems, directories, and databases like Active Directory, SharePoint, MS SQL Server, and SAP.

The data warehouse sources user and access data from systems and applications and matches it with authoritative identity data sourced from an HR system or any other authoritative source. The unique technical architecture behind the data warehouse provides high performance and scalability.

Key values

• Provides identity data for historical preservation, reports, attestation, and validation against policy

• Enables data gathering through extensible data model with custom attributes and information from all systems

Recertification / Attestation

The Omada Recertification Engine enables organizations to perform attestation for validation and approval of the current state of identities, account ownership, and resource assignments.

With the Omada Recertification Engine, you can:

• Ensure compliance and security by collecting current and valid confirmation of users, accounts, resources, and access

• Replace time consuming and costly manual attestation processes with intuitive and easy to use surveys

• Use the Recertification Engine to improve business descriptions to bridge the gap between business and IT

Figure 7: Attestation process

An automated attestation survey can cover an entire organization or be limited to specific department or a given period. Built-in workflow processes send out reminders to assist the survey owner getting the survey completed and closed within the designated time frame.

The solution features multiple and configurable survey types such as user access survey, accounts survey, resource assignments survey, resource survey, and business description survey.

The Omada Recertification Engine offers advanced scoping features and attestation on arbitrary data, not just accounts and resource assignments, and updates data immediately based on survey answers, for example revoking an access that has been rejected. The solution provides options for scheduling surveys as recurring as well as ad-hoc surveys. Survey administrators can view the progress of surveys and delegate questions when necessary.


Figure 8: Initiate survey screen

Key values

• Prepare for audits successfully by automating the entire attestation process across connected and non-connected systems - from the creation of attestation surveys to the generation of compliance reports

• Avoid manual attestation on printed lists or multiple spreadsheets. The automated recertification process reduces errors, costs, and time spent on manual attestation

Compliance Reporting and Auditing

Omada Compliance Reporting and Auditing provides extensive, high-performing reporting and management dashboards for identity management and governance scenarios.

The built-in analysis and reporting features deliver identity intelligence and efficiently answer the basic questions of "who has access to what" and "who approved that access".

Figure 9: Management dashboard example


With the Compliance Reporting and Auditing you can:

• Get an overview of identity and access data through management dashboards

• View detailed identity and access data across systems, contexts, identities, and resources

• Create custom reports delivering specific data required for auditing and planning purposes

• Perform ad-hoc analysis on the identity and access data using well known business intelligence tools

Compliance dashboards monitor the overall compliance across audited on-premise and cloud-based systems in a unified view. Predefined dashboards provide analytics and reporting for historical development in identities, accounts, access, and systems based on data collected in the data warehouse, and provide a complete overview with compliance relevant statistics.

Report content depends on the report viewer's role (manager, system owner, resource owner, auditor), ensuring that only relevant data is presented to the viewer.

Figure 10: Auditor report example

Compliance Reporting and Auditing supports subscriptions and forwarding to recipients for timely action on findings.

The Compliance Reporting and Auditing solution offers historical reporting functionality. A point-in-time (or snapshot) report shows current data or data for a specific date in the past. You can also specify "from" and "to" dates to view a slice of historical data. A log report shows when changes were last made to data within a specified time period.

Compliance Reporting and Auditing features reports in these categories:

• Account – account list and detailed reports on account data (an account is an identity’s access to a system or application)

• Identity – identity list and detailed reports on identity data (a person)

• System – system list and detailed reports on system data (system or application)

• Context - context list and detailed reports on context data (for example an organizational unit)

• Resource – resource list and detailed reports on resource data (access right, computer, group of access rights)

• Access – access list and detailed reports on access data (access is an account’s assignment to a resource)

• Attestation - reports on attestations (recertification surveys)

• Data Quality – view the quality of data

• Operation – explore import history and performance

Omada Compliance Reporting and Auditing uses Microsoft SQL Server Reporting Services (SSRS) for reporting purposes. SSRS is a server-based reporting platform that provides extensive reporting functionality and which runs on Microsoft’s business intelligence platform.


Ad-hoc analysis of identity and access data can be done using other parts of the Microsoft Business Intelligence platform, like SQL Server Analysis Services and Excel with Power Pivot.

Figure 11: Examples of analysis and reporting features

Key values

• Offers complete overview with details on all identity and access data

• Monitors compliance across the enterprise, and reduces audits and reviews efforts

• Provides foundation for role re-design

Self-Service Access Request Portal

The Self-Service Access Request Portal replaces labor-intensive and inefficient manual requests by unifying access request processes in a user-friendly portal.

With the Self-Service Access Request Portal you can:

• Centralize access requests in one place, simplifying the process for end-users, the business, and IT users

• Track all access requests made, to provide an audit trail of requests, approvals, and provisioning

• Empower users to be in control of their own master data, and track the progress of the submitted access requests

The Omada Access Request Portal is configurable so users can request services on behalf of others, such as a manager requesting for a managed employee.

Figure 12: Self-Service Access Request screen


In addition to requesting access, users maintain their own master data, and authorized users can maintain hierarchies, resources, and other master data from the portal. Processes are configured, for example, to allow users to request that a service is revoked or to maintain master data.

Figure 13: Web based UI that can be customized to match the look and feel of the organization’s intranet

Access requests can be submitted for specific resources, or submitted as a plain text request sent to a system expert for interpretation. This approach bridges the gap between end user and IT, removing the need to know the technical name of access rights.

The Access Request Portal also lets users view the progress of current and past requests, to see when (and whether) approval has been given and whether the request is pending provisioning. The look and feel of the portal can be adjusted using themes that adapt to company colors and fonts. Multilingual support for global implementations is built in, so the portal can be presented in the end user's native language.

Key values

• Provides highly customizable identity management portal gathering access requests in one place

• Logs all requests and approvals for an easily accessible audit trail

• Enables a collaborative space for IT and business to streamline access requests across the enterprise

Policy / SoD Management

The policy/SoD management module is used to define policies for toxic combinations of access rights assigned to the same person, detect any violations, and evaluate these to determine whether the combination of access rights should be allowed or blocked.

With policy/SoD management you can:

• Define enforceable policies for granting access

• Detect policy violations based on defined rules and policies to ensure that critical access combinations (SoD) are not granted without risk evaluation and approval

• Ensure that dispensations to violations are re-evaluated periodically

The policy/SoD management module allows for fine-grained definition of constraints, based on a mutually exclusive business process matrix or a mutually exclusive resource matrix. Constraints can be evaluated at resource or identity level.

The module supports a mitigation workflow, powered by the Business Process Engine, where a security officer or manager evaluates all violations for an identity with the possibility of overriding selected violations.
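The report data model listed under Compliance Reporting and Auditing (identity, account, system, resource, access) and the SoD constraint evaluation described here can be exercised together against a small relational model. The following is an added example written for this page in Python on SQLite; it is not Omada's code and does not reflect Omada's actual schema or queries. The table and column names, the approved_by column, the date-ranged access rows and the three sample identities are all assumptions constructed for illustration. It shows a point-in-time "who has access to what, and who approved it" report, an identity-level check of a mutually exclusive resource matrix that catches a toxic combination held through two different accounts on two systems, and a revoke that closes the assignment instead of deleting it, so a report for an earlier date still shows what was true then.

```python
import sqlite3

# Assumed schema (constructed for this example, not Omada's). Each access row is an
# account's assignment to a resource; valid_to IS NULL means the assignment is still active.
SCHEMA = """
CREATE TABLE identity (id TEXT PRIMARY KEY, name TEXT, context TEXT);
CREATE TABLE system   (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE account  (id TEXT PRIMARY KEY, identity_id TEXT REFERENCES identity(id),
                       system_id TEXT REFERENCES system(id));
CREATE TABLE resource (id TEXT PRIMARY KEY, system_id TEXT REFERENCES system(id), name TEXT);
CREATE TABLE access   (account_id TEXT REFERENCES account(id), resource_id TEXT REFERENCES resource(id),
                       approved_by TEXT, valid_from TEXT, valid_to TEXT);
-- Mutually exclusive resource matrix: two resources one person must never hold at the same time.
CREATE TABLE sod_rule (rule_id TEXT, resource_a TEXT, resource_b TEXT);
"""

# Constructed sample data. Alice holds CreateVendor in SAP and FinanceShare in AD through two
# different accounts from January, and additionally gets ApprovePayment in SAP from March.
SAMPLE = {
    "identity": [("I1", "Alice", "Finance"), ("I2", "Bob", "Finance"), ("I3", "Carol", "IT")],
    "system": [("S1", "SAP"), ("S2", "AD")],
    "account": [("A1", "I1", "S1"), ("A2", "I1", "S2"), ("A3", "I2", "S1"), ("A4", "I3", "S2")],
    "resource": [("R1", "S1", "CreateVendor"), ("R2", "S1", "ApprovePayment"),
                 ("R3", "S2", "DomainAdmins"), ("R4", "S2", "FinanceShare")],
    "access": [
        ("A1", "R1", "M1", "2013-01-01", None),
        ("A1", "R2", "M1", "2013-03-01", None),
        ("A2", "R4", "M1", "2013-01-01", None),
        ("A3", "R2", "M1", "2013-01-01", None),
        ("A4", "R3", "M2", "2013-01-01", None),
        ("A4", "R4", "M2", "2013-01-01", "2013-02-15"),   # revoked in February
    ],
    "sod_rule": [("SOD-1", "R1", "R2"), ("SOD-2", "R1", "R4")],
}

# ISO-8601 date strings compare correctly as text, so the validity window is a plain range test.
ACTIVE_AT = "a.valid_from <= :d AND (a.valid_to IS NULL OR a.valid_to > :d)"


def build_db():
    """Create an in-memory database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn


def access_as_of(conn, as_of):
    """Point-in-time report: identity, system, resource and approver for every assignment
    that was active on the given date (current data if as_of is today)."""
    sql = f"""
    SELECT i.name, s.name, r.name, a.approved_by
    FROM access a
    JOIN account ac ON ac.id = a.account_id
    JOIN identity i ON i.id = ac.identity_id
    JOIN system s   ON s.id = ac.system_id
    JOIN resource r ON r.id = a.resource_id
    WHERE {ACTIVE_AT}
    ORDER BY i.name, s.name, r.name"""
    return conn.execute(sql, {"d": as_of}).fetchall()


def sod_violations(conn, as_of):
    """Identity-level evaluation of the mutually exclusive resource matrix: both resources are
    looked up per person, so a combination split across accounts or systems is still caught."""
    sql = f"""
    WITH active AS (
        SELECT ac.identity_id, a.resource_id
        FROM access a JOIN account ac ON ac.id = a.account_id
        WHERE {ACTIVE_AT}
    )
    SELECT DISTINCT sr.rule_id, i.name, sr.resource_a, sr.resource_b
    FROM sod_rule sr
    JOIN active x ON x.resource_id = sr.resource_a
    JOIN active y ON y.resource_id = sr.resource_b AND y.identity_id = x.identity_id
    JOIN identity i ON i.id = x.identity_id
    ORDER BY sr.rule_id, i.name"""
    return conn.execute(sql, {"d": as_of}).fetchall()


def revoke_access(conn, account_id, resource_id, on):
    """Close the open assignment (e.g. after a rejected attestation answer) instead of deleting
    it, so historical reports and the audit trail keep the row. Returns rows closed."""
    cur = conn.execute(
        "UPDATE access SET valid_to = ? WHERE account_id = ? AND resource_id = ? AND valid_to IS NULL",
        (on, account_id, resource_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    for row in access_as_of(db, "2013-04-01"):
        print("access:", row)
    print("violations:", sod_violations(db, "2013-04-01"))
    revoke_access(db, "A1", "R2", "2013-05-01")
    print("after revoke:", sod_violations(db, "2013-06-01"))
    print("history kept:", sod_violations(db, "2013-04-01"))
```

The join on identity rather than on account is the point of the identity-level check: SOD-2 is violated from January even though Alice's two resources sit on different systems, and SOD-1 appears only once ApprovePayment becomes active in March. Because revoke_access sets valid_to rather than deleting, the April report continues to show the SOD-1 finding after the May revocation, which is what an auditor asking "who had what on that date" needs.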

Key values

• Constant evaluation to ensure that data matches corporate policies

• Collaborative workflow to evaluate violations and approve dispensations


Figure 14: Evaluate violation screen

Role Lifecycle Management

Role lifecycle management enables granting of access rights according to roles, rules, and policies. The solution enables the implementation of role-based access control, where access is granted based on an identity's position in one or more hierarchies (such as organizational unit or project).

With Omada Role and Policy Engine you can:

• Manage identities and access automatically across the datacenter and cloud applications

• Automate provisioning according to roles and rules by implementing role-based administration of access across large, heterogeneous environments, and automate changes to identities, systems, and access rights quickly and in compliance with policies

The role engine provides a scalable model for the set-up and maintenance of roles and rules. The module is powered by the Omada Business Process Engine to support automated provisioning and de-provisioning of users' access.

Existing roles can be imported, or rules and roles can be identified by role mining, to arrive at a role model that matches your organization and its specific requirements.

Figure 15: Examples of Role and Policy Engine hierarchies
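Role rules tied to a position in a hierarchy, and the provisioning and de-provisioning that follows when that position changes, can be illustrated with a small reconciliation routine. The following is an added example written for this page in Python; it is not Omada's code and the organizational units, the role rules, the resource names and the inherit flag are all assumptions constructed for illustration. It computes the access an identity should hold from its organizational unit, diffs that against what the identity currently holds, and separates automatic revocations from individually requested assignments that are instead queued for a manager's review, as happens on a transfer.

```python
from typing import Dict, List, Set

# Constructed hierarchy: organizational unit -> parent unit (None for the root).
ORG_UNITS: Dict[str, str] = {"Corp": None, "Finance": "Corp", "AccountsPayable": "Finance", "IT": "Corp"}

# Constructed role rules: (unit, resource, inherit). inherit=True grants the resource to every
# identity placed at or below the unit; inherit=False only to identities placed at that unit.
ROLE_RULES = [
    ("Corp", "Mail:Mailbox", True),
    ("Finance", "AD:FinanceShare", True),
    ("AccountsPayable", "SAP:CreateVendor", False),
    ("IT", "AD:DomainAdmins", False),
]


def ancestors(unit: str) -> List[str]:
    """The unit itself first, then each parent up to the root."""
    chain = []
    while unit is not None:
        chain.append(unit)
        unit = ORG_UNITS[unit]
    return chain


def desired_access(unit: str) -> Set[str]:
    """Resources an identity should hold purely by virtue of its position in the hierarchy."""
    chain = ancestors(unit)
    wanted = set()
    for rule_unit, resource, inherit in ROLE_RULES:
        if rule_unit == unit or (inherit and rule_unit in chain):
            wanted.add(resource)
    return wanted


def reconcile(unit: str, current: Set[str], direct: Set[str]) -> Dict[str, List[str]]:
    """Diff role-derived access against what the identity holds now.

    Resources the rules grant but the identity lacks are provisioned; stale role-derived
    resources are de-provisioned; stale resources that were requested and approved directly
    (not derived from a role) are not silently revoked but handed to the manager for review.
    """
    desired = desired_access(unit)
    stale = current - desired
    return {
        "grant": sorted(desired - current),
        "revoke": sorted(stale - direct),
        "review": sorted(stale & direct),
    }


if __name__ == "__main__":
    # New hire placed in Accounts Payable with only the baseline mailbox and share so far.
    print(reconcile("AccountsPayable", {"Mail:Mailbox", "AD:FinanceShare"}, set()))
    # The same person is later transferred to IT; one extra SAP right had been requested directly.
    print(reconcile("IT", {"Mail:Mailbox", "AD:FinanceShare", "SAP:CreateVendor", "SAP:DisplayReports"},
                    {"SAP:DisplayReports"}))
```

Keeping directly requested assignments out of the automatic revoke set is deliberate: the role model only knows what the hierarchy implies, and the transfer workflow described later gives the receiving manager the decision on everything else.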


Key values

• Advanced role-based access control that significantly reduces administration of users’ access

• Compliant access provisioning by automated enforcement of rules and policies

Omada Business Process Engine

The Omada Business Process Engine transforms business processes into workflows, allowing automation of processes such as onboarding and off-boarding of employees and contractors, with tasks automatically assigned to users. The Business Process Engine connects to any number of target systems to enable automatic provisioning.

With the Omada Business Process Engine you can:

• Enable automated identity lifecycle management based on changes in an authoritative HR system

• Use the built-in workflows to improve and streamline processes related to identity management or define custom workflows

• Configure automated provisioning for all or a selection of connected systems to speed up granting of access rights and minimize risk of human error

The Omada Business Process Engine enables easy integration with prebuilt workflows and orchestrates standardized workflows for access requests, onboarding of employees and contractors, identity changes (organizational, identity data), and off-boarding of employees or contractors.

Figure 16: Examples of Role and Policy Engine hierarchies

The graphical drag and drop workflow designer is a simple and intuitive tool to transform business processes to workflows supporting integration with the Omada Role and Policy Engine and Omada Access Request Portal.

Prebuilt workflows powered by the Business Process Engine

Onboard Employee

The onboard process is automatically initiated when a new employee is created in the HR system. The process assigns a task to the manager of the employee to let the manager determine the access for the employee.

Onboard Contractor

The onboard process for contractors is started manually by department managers when a new contractor is hired.

Transfer Identity

A transfer process is automatically initiated when an identity is assigned to a new department in the HR system. The manager of the new department reviews the current access and assigns new rights if needed.


Approve Resource Assignments (One- and Two-Step)

Access requests usually require approval before they are active. This can be done by the manager or the resource owner, or both (in the two-step approval process).

Delegate Access

The process of delegating access allows employees to delegate their access to someone else for a limited period of time, for instance during vacation and leaves of absence.

Manual Provisioning

The manual provisioning scenario handles the provisioning needs for systems that are configured to require manual provisioning.

Evaluate Violation

The Evaluate Violation process evaluates detected violations (based on constraints defined in the Omada Role and Policy Engine). A security officer or manager can evaluate all violations for an identity with the possibility of overriding selected violations. The process also allows selecting which resources should be kept active or blocked.

The pre-defined workflows can be used as is or modified and extended to suit specific requirements; additional workflows can also be built and added.

Figure 17: Examples of the graphical Business Process designer

Key values

• Prebuilt workflows for common business processes enabling easy integration

• Easy customization with the option to extend the prebuilt workflows to suit your organization or define additional workflows

Technology and Architecture

Omada Identity Suite is built on Microsoft technologies such as SQL Server and .NET. Omada's solution can use the Microsoft FIM 2010 Synchronization Engine for provisioning users to target applications. The solution provides an extensive range of advanced system integration scenarios, including SAP for HR process management, SAP GRC AC for efficient compliance of SAP access control, Microsoft SharePoint, Microsoft System Center Configuration Manager, and Microsoft AD.

The solution is fully web-based and runs on Microsoft SQL Server, Microsoft Windows Server, and integrates seamlessly with Microsoft SharePoint.


ABOUT OMADA

Omada is a market leading provider of solutions and services for identity and access management and identity and access governance. Omada enables organizations to achieve sustainable compliance, reduce risk exposure, and maximize efficiency. Omada’s solutions efficiently manage and control users’ access rights to applications and data - reducing IT costs and resource intensive administration processes.

Established in 2000, Omada has operations in Europe and North America, delivering solutions via a network of skilled partners and system integrators. Omada is recognized as a trusted advisor and has provided advanced identity solutions for organizations with some of the largest and most complex IT infrastructures in the world.

By providing end-to-end professional services, Omada assists organizations in defining identity management and governance strategies, designing roadmaps, and managing projects from initial scope of the project to solution design and successful go-live.

Awards and Recognitions

Omada has been named IT Company of the Year by IDG Computer World and identified as an "International Growth Comet" by the Massachusetts Institute of Technology (MIT).

Omada's extensive work with Microsoft and SAP has earned valuable trust and recognition from these two enterprises. Omada is a Microsoft Gold Certified Partner as well as a key partner in the identity and access management space. Furthermore, Omada is a certified SAP Service Partner. Omada is also the winner of the 2008, 2009, and 2011 Microsoft Identity and Security Partner of the Year award.

Omada Identity Suite

The award-winning Omada Identity Suite offers easy integration and provides complete control and visibility of users' access rights and entitlements across heterogeneous systems and applications - on-premise, hosted, or cloud-based.

Omada's solutions are built on the Microsoft platform and extend Microsoft technologies. The Omada Identity Suite is one of the most powerful and flexible identity management and governance solutions on the market. It is the preferred choice of leading organizations worldwide to:

• Provide continuous compliance, deep access intelligence, efficient user administration, and complete control over users, accounts, and access

• Reduce IT costs and support preventive compliance tasks by automating routine tasks through workflows and automation

More information about Omada and Omada Identity Suite:

http://[email protected]


[email protected] | www.omada.net Copyright © 2013 Omada Solutions. All rights reserved.

Copyright © 2001-2013 Omada Solutions. All rights reserved. The information and intellectual property contained herein is confidential between Omada Solutions and the client and remains the exclusive property of Omada Solutions. If you find any problems in the documentation, please report them to us in writing. Omada Solutions does not warrant that this document is error-free. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior written permission of Omada Solutions. Omada, Omada Identity Suite, Omada Enterprise and Omada Applications are trademarks of Omada Solutions. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, FrontPage, InfoPath, MSDN, Outlook, PowerPoint and SharePoint are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Omada® is a registered trademark ’Reg. U.S. Pat. & TM Off’ .

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Omada enables clients to achieve compliance, security, and organizational efficiency by providing business-centric solutions within Identity and Access Governance and Identity and Access Management. Omada has provided advanced identity solutions based on Microsoft technologies to organizations with some of the largest and most complex IT infrastructures in the world.

Established in 2000, Omada has operations in Europe and North America. Omada has won the worldwide Microsoft Partner of the Year award for Security Solutions, Identity, and Secure Access in 2008, 2009, and 2011.