
Converged Access Management to Service Management



1. Converged Access Management to Service Management
Amol R Bhandarkar │ Technology Specialist – Identity & Access

2. Agenda
• What is Identity Management
• Introduction to FIM 2010
• Overview of FIM 2010
• Physical Access Management using FIM 2010
• Convergence of Physical & Logical Access Management
• Service Management
• FIM role in Service Management
• Various scenarios in which FIM 2010 can be used in Service Management

  3. What is identity management?

4. What is Identity Management
Identity Management is an integration of people, processes and technology that enables organizations to:
• manage the user's life cycle in the organization based on roles
• maintain users' passwords
• facilitate the creation and population of attributes that are critical from a business perspective

5. What is Identity Management
Identity Management should provide the capabilities to manage:
• creation, deletion and management of users
• access rights, i.e. authorization
• access restrictions, i.e. when the user may access a resource (time of day, date, etc.)
• account profiles, i.e. the user's home address, mobile number, telephone, etc.
• passwords; and
• any other attribute the business applications may need

6. Business Needs and IT Challenges
Business needs (agility and flexibility)                IT challenges (control)
Provide secure access to applications from anywhere     Multiple locations and devices
Simplify user experience for collaboration              Difficulty in extending business resources
Provide seamless movement between applications          Disparate systems to manage
Reduce cost of account management                       Complex account lifecycle management

7. Introduction to FIM 2010

8. Simplify Identity Management
Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications
Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access
Pillars: Governed self-service and automation; Group management; Identity management; Credential management
"If you wanted to access a file share in your network, previously you might have had to call your service desk and get approval. Now it is all workflow based. You go to a portal. There is no manual labor." - Brian Desmond, Microsoft MVP
Source: Windows identity management tools move closer to completion. TechTarget, November 2008. http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci1337386,00.html

9. Identity Management: User provisioning
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronizes all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Diagram: the HR System feeds FIM; a workflow handles user enrollment and manager approval; the user is then provisioned on all allowed systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.]

10. Identity Management: User de-provisioning
Simplify security, manage compliance
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
[Diagram: the HR System feeds FIM; a workflow de-provisions the user; the user is de-provisioned or disabled on all systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.]

11. Strong Authentication—Certificate Authority
Simplify security, manage compliance
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and smart card management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
[Diagram: certificate issuance flow]
• User enrollment and authentication request sent by the HR System
• FIM policy triggers a request for FIM CM to issue a certificate or smart card
• FIM Certificate Management (CM) requests certificate creation from Active Directory Certificate Services (AD CS)
• Certificate is issued to the user and written to either the machine or the smart card
• User is validated using multi-factor authentication (user ID and password plus the smart card)

12. Identity Synchronization and Consistency: Identity synchronization across multiple directories
Simplify security, manage compliance
Identity data aggregation: each connected directory owns only some attributes (HR System: FirstName, LastName, EmployeeID; SQL Server DB: Title; Active Directory/Exchange: E-Mail; LDAP: Telephone). FIM assembles the record from the owning systems.

Attribute    HR System   SQL Server DB   Active Directory/Exchange   LDAP       FIM (aggregated)
givenName    Samantha    Samara          Sam                         Sammy      Samantha
sn           Dearing     Darling         Dearing                     Dearling   Dearing
title        (none)      Coordinator     Intern                      (none)     Coordinator
mail         (none)      (none)          someone@example.com         (none)     someone@example.com
employeeID   007         007             007                         008        007
telephone    (none)      (none)          (none)                      555-0129   555-0129

13. Identity Synchronization and Consistency: Identity consistency across multiple directories
Simplify security, manage compliance
Identity data brokering (convergence): the aggregated record is exported back to every connected directory, replacing incorrect or missing information with the owning system's value.

Attribute    Before (HR System / SQL Server DB / Active Directory-Exchange / LDAP)   After brokering (all four systems)
givenName    Samantha / Samara / Sam / Sammy                                          Samantha
sn           Dearing / Darling / Dearing / Dearling                                   Dearing
title        (none) / Coordinator / Intern / (none)                                   Coordinator
mail         (none) / (none) / someone@example.com / (none)                           someone@example.com
employeeID   007 / 007 / 007 / 007                                                    007
telephone    (none) / (none) / (none) / 555-0129                                      555-0129
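The aggregation and brokering that slides 12 and 13 illustrate, written out as an added Python example (not the deck's or FIM's own code): each connected directory is authoritative only for the attributes it owns, the converged record is assembled from the owners, then pushed back to every system, and the drift that was corrected is reported. The records and the ownership table are the values shown on the slides; the decision to refuse, rather than silently fill, a missing value at the owning system is an assumption about sensible behaviour.

```python
"""Attribute-ownership aggregation and brokering, modelled on slides 12 and 13.

Added illustration, not FIM code.  Each connected directory is authoritative
for only the attributes it owns; the converged record is built from the
owners, exported to every system, and the corrected drift is reported."""

from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample data: one record per connected directory (slide 12 values).
CONNECTED: Dict[str, Record] = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing", "title": "",
                  "mail": "", "employeeID": "007", "telephone": ""},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                      "mail": "", "employeeID": "007", "telephone": ""},
    "Active Directory/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                                  "mail": "someone@example.com", "employeeID": "007",
                                  "telephone": ""},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "title": "",
             "mail": "", "employeeID": "008", "telephone": "555-0129"},
}

# Attribute ownership from the slide labels: the one system allowed to set
# each attribute.  No other system may overwrite it.
OWNER: Dict[str, str] = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}


def aggregate(records: Dict[str, Record], owner: Dict[str, str]) -> Record:
    """Build the converged record, taking each attribute only from its owner.

    A missing value at the owner is an error rather than something to fill
    from a non-authoritative system (assumption): quietly accepting LDAP's
    employeeID 008 is exactly the inconsistency the slides warn about."""
    converged: Record = {}
    for attr, system in owner.items():
        value = records[system].get(attr, "")
        if not value:
            raise ValueError(f"authoritative system {system!r} has no value for {attr!r}")
        converged[attr] = value
    return converged


def find_drift(records: Dict[str, Record], converged: Record) -> List[Tuple[str, str, str]]:
    """List every (system, attribute, current_value) that disagrees with the converged record."""
    drift = []
    for system, rec in records.items():
        for attr, good in converged.items():
            current = rec.get(attr, "")
            if current != good:
                drift.append((system, attr, current))
    return drift


def broker(records: Dict[str, Record], owner: Dict[str, str]):
    """Slide 13's 'identity data brokering': aggregate, then push the converged
    record to every connected system.  Returns (updated_records, corrected_drift)."""
    converged = aggregate(records, owner)
    drift = find_drift(records, converged)
    updated = {system: dict(converged) for system in records}
    return updated, drift


if __name__ == "__main__":
    updated, fixed = broker(CONNECTED, OWNER)
    print("converged:", aggregate(CONNECTED, OWNER))
    for system, attr, bad in fixed:
        print(f"corrected {system}.{attr}: {bad!r} -> {updated[system][attr]!r}")
```

Run as a script it prints the converged record and the fifteen corrections (three in HR, four in SQL Server, three in Active Directory/Exchange, five in LDAP) that brokering applies; a second `find_drift` over the updated records returns nothing, which is the consistency slide 13 shows.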

14. Group Management
Simplify security, manage compliance
• Self-service group and distribution list management with the FIM 2010 web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity
• Enables users to use Outlook to manage approvals while they are offline
• Automatically adds users to the appropriate group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user attributes
[Screenshots: FIM Add-in for Outlook; SharePoint-based management console]

15. Advanced Group Management
Simplify security, manage compliance
• Integrates with Exchange and Outlook
• Manages distribution and security groups
• Self-service group management
• Criteria-based group membership
• Integrated approval

16. Workflow Management
Simplify security, manage compliance
• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections

17. Self-Service Password Management
Simplify security, manage compliance
• Enables users to reset their own passwords through both the Windows logon and the FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
• Improves security and compliance with minimal errors while managing multiple identities and passwords
[Diagram: the end user requests a password reset from the Windows logon, where FIM capabilities are integrated; FIM randomly selects a number of questions for the user to answer; the FIM Server then updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.]

18. FIM 2010 In Action: Self-service smart card provisioning
[Diagram: provisioning flow through the Sync DB, Service DB, management agents, action and approval workflows, FIM CM and the identity stores]
• New user added in the HR app; Sync receives the request through the management agents
• Delegation and permissions check (AuthN & AuthZ): does the requester have permission to add a user to FIM?
• FIM manages manager and department head approvals through approval workflows
• Once approved, changes are committed to the ILM app store and FIM syncs them to the external identity stores
• FIM sends welcome and confirmation e-mails
• Certificates are requested; the card is created and printed
• Self-service notification and a one-time password are sent to the end user
• The end user downloads the certificates onto the smart card

  19. Physical Access Management using FIM 2010

20. What is Physical Access Management
• A physical access system controls access to physical facilities: it determines
  • who is allowed to enter or exit,
  • where they are allowed to enter or exit, and
  • when they are allowed to enter or exit
• Access to:
  • Data center
  • Floor
  • Lobbies
• Based on proximity card / smart card, biometrics, PIN codes, etc.
• Physical access control has a centralized server where the facility administrators provision access to people
• These servers can be geographically centralized or distributed

21. Convergence of Physical & Logical Access (slide 22 repeats this slide)
• FIM 2010 acts as the centralized provisioning server for physical access
  • based on the HR information about location, floor, department, etc.
  • based on the manager's inputs
  • based on the project, etc.
• When the user is transferred to a different location, access is changed in the central server
• When the user leaves the organization, FIM 2010 de-provisions access to the physical locations

23. How Physical & Logical Access Convergence looks
• Based on HR information, FIM picks up the user information
• Triggers logical ID/account creation on various applications
• Triggers physical access provisioning in the physical access control server
• Various workflows can be integrated, e.g. approvals by various approvers
• De-provisioning works in a similar manner
[Diagram: the HR System feeds FIM; a workflow handles user enrollment and approval by the facilities admin; the user is provisioned on all allowed systems: Active Directory, Lotus Domino, Oracle and Physical Access Location A.]
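The joiner/mover/leaver behaviour described on slides 21 to 23 (HR attributes drive both logical accounts and physical zones, a transfer changes access, a leaver is de-provisioned everywhere, approvals can be inserted), as an added Python example that is not the deck's or FIM's own code. The entitlement rules, the application and zone names, and the rule that data-center zones wait for a facilities-admin approval are assumptions chosen to illustrate the policy shape.

```python
"""Joiner/mover/leaver policy for converged physical and logical access,
modelled on slides 21-23.  Added illustration, not FIM code.  Rules, names
and the approval-gated zone are assumptions."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class HrRecord:
    """The HR attributes the slides say drive provisioning."""
    employee_id: str
    location: str
    floor: int
    department: str
    status: str          # "active" or "terminated"
    project: str = ""


# Assumed: zones whose grant must wait for the facilities-admin approval workflow.
ZONES_NEEDING_APPROVAL = frozenset({"datacenter"})


def entitlements(rec: HrRecord) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Policy: derive (logical accounts, physical zones) from HR data.
    A non-active record is entitled to nothing, so a leaver is fully revoked."""
    if rec.status != "active":
        return frozenset(), frozenset()
    logical = {"ActiveDirectory", "Exchange"}
    physical = {f"{rec.location}:lobby", f"{rec.location}:floor-{rec.floor}"}
    if rec.department == "Engineering":          # assumed department rule
        logical.add("SourceControl")
    if rec.project == "DC-Ops":                  # assumed project rule
        physical.add(f"{rec.location}:datacenter")
    return frozenset(logical), frozenset(physical)


def needs_approval(zone: str) -> bool:
    """Zone names are 'location:zone'; only the zone part decides approval."""
    return zone.split(":", 1)[1] in ZONES_NEEDING_APPROVAL


def reconcile(current_logical: FrozenSet[str], current_physical: FrozenSet[str],
              rec: HrRecord) -> Dict[str, FrozenSet[str]]:
    """Diff what the user has against what policy says they should have.

    Grants of approval-gated zones are parked in 'pending_approval';
    revocations are never gated, so a move or a leave takes effect at once."""
    want_logical, want_physical = entitlements(rec)
    new_physical = want_physical - current_physical
    pending = frozenset(z for z in new_physical if needs_approval(z))
    return {
        "grant_logical": want_logical - current_logical,
        "revoke_logical": current_logical - want_logical,
        "grant_physical": new_physical - pending,
        "pending_approval": pending,
        "revoke_physical": current_physical - want_physical,
    }


def apply_policy(current_logical: FrozenSet[str], current_physical: FrozenSet[str],
                 rec: HrRecord) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Apply a reconcile result and return the new (logical, physical) state.
    Pending zones are not added until the approval workflow completes."""
    d = reconcile(current_logical, current_physical, rec)
    logical = (current_logical | d["grant_logical"]) - d["revoke_logical"]
    physical = (current_physical | d["grant_physical"]) - d["revoke_physical"]
    return frozenset(logical), frozenset(physical)


if __name__ == "__main__":
    joiner = HrRecord("007", "Pune", 3, "Engineering", "active")      # constructed
    logical, physical = apply_policy(frozenset(), frozenset(), joiner)
    print("joiner:", sorted(logical), sorted(physical))
    mover = HrRecord("007", "Mumbai", 5, "Engineering", "active", project="DC-Ops")
    print("mover:", reconcile(logical, physical, mover))
    logical, physical = apply_policy(logical, physical, mover)
    leaver = HrRecord("007", "Mumbai", 5, "Engineering", "terminated")
    print("leaver:", apply_policy(logical, physical, leaver))
```

The point worth noticing is the asymmetry: a grant may sit in `pending_approval` until the facilities admin acts, but every revocation is applied immediately, which is what makes the transfer and leaver cases on slide 21 close the access gap rather than open one.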

  24. Service Management

25. What is Service Management?
• A user cannot log in because she forgot her password. The Service Desk/Service Manager creates an incident ticket and resolves it on the first call. Splendid.
• A user has a problem with his PC. The Service Desk/Service Manager assigns a technician to that incident. The technician visits the customer, resolves the incident, and the Service Desk closes it.
These are scenarios of Service Management where incidents are logged as trouble tickets.
• Tickets are updated as activities happen, e.g. resolution attempts.
• Tickets are closed once the resolution is applied.
• The ticketing solution provides a dashboard on SLAs, reports on services provided, etc.

26. How FIM plays a role here
[Diagram: a seven-step flow linking HR personnel, the HR system, Service Manager, approvers, Exchange, App 1 and App 2]

27. How about Application Virtualization?
[Diagram: (1) HR personnel enter the user in the HR system; (2) the user is provisioned in the appropriate OU, and the group policies assigned to that OU get enforced; (3) Service Manager drives the App-V Server configuration; the new user logs on to AD and the application gets streamed to the user.]

28. How about Desktop Virtualization?
[Diagram: (1) HR personnel enter the user in the HR system; (2) the user is provisioned in the appropriate OU; (3) Service Manager and Opalis drive the configuration; (4) the desktop image gets streamed to the user.]

29. Summary
• FIM 2010 is a light-weight Identity Management solution that allows:
  • User life cycle management
  • Password management
  • Group and DL management
  • Workflows
  • User profile management
  • Certificate lifecycle management
• FIM 2010 can provide convergence of physical and logical access by integrating technologies like smart cards and proximity cards
• FIM 2010 can act as the provisioning engine in ITIL Service Management scenarios such as:
  • Integrating with Service Managers for ticket opening, update and closure
  • Integrating with App-V and VDI for application and desktop virtualization respectively

30. Additional Resources
• www.microsoft.com/fim

  31. THANK YOU!
