KFC CAB Conference
June 10th – 11th
Objective: Provide an overview of Identity Management and User Provisioning through ITIM
Agenda
– Identity and Access Management at FMS
– How FMS Manages Identities
– On-Boarding and Off-Boarding Employees, Contractors and External Users
– Self Registration
– Key Features of ITIM
– What FMS Managers Need to Know
– ESAAS Migration
– Upcoming ITIM Training
What is Identity and Access Management?
At FMS, Identity and Access Management (IAM) is a framework through which
identities and the related user access are managed with a user provisioning
tool. Once an identity is created and access is granted to a specific IT
resource, users accessing that resource can be authenticated through a variety
of authentication methods (PKI, SecurID, Mainframe, etc.).
The ultimate goal of FMS’ IAM Framework is to provide the right people
with the right access across internal and external application systems at
the right time.
At FMS, IAM components are classified into 4 major categories:
authorization, user management, authentication, and central user
repository.
Our discussion today will focus on authorization and user management.
IAM at FMS
Access Management (SiteMinder)
Authentication (SiteMinder)
• Single Sign-On
• Session Management
• Password Service
• Strong Authentication
Authorization (Application or ITIM)
• Role-based
• Rule-based
• Attribute-based
• Remote Authorization
Identity Management (ITIM)
User Management (ITIM)
• Delegated Administration
• User and Role Management
• Provisioning
• Password Management
• Self Service
Central User Repository (FSLDAP)
• Directory
• Data Synchronization
• Meta-directory
• Virtual directory
What is ITIM?
• IBM Tivoli Identity Manager (ITIM) is FMS’ enterprise provisioning tool for user account and identity management
• ITIM uses adapters to provision to endpoints (systems)
• Web-friendly interface for easy access to ITIM
• Self-service feature that allows users to reset passwords, change personal information, and request additional access to IT resources
• Integrated workflow engine
• Life Cycle Rules and Policy enforcement
• Recertification... and much more!
A Few Out-of-the-box ITIM End-point (systems) Agents
Applications and Messaging:
• Amdocs ClarifyCRM 12.0 on AIX using DB2*
• Documentum eServer*
• Lotus Notes/Domino
• Windows AD/Exchange
• Novell e-Directory (NDS)
• Novell GroupWise
• Oracle E-Business Suite
• PeopleSoft (People Tools)
• SAP UME 6*
• SAP R/3
• Siebel
• Peregrine Service Center
• Remedy
• Quickplace
• LDAP-based Applications (IBM TDS, Sun One)
• Command Line-based Applications
• Universal Provisioning
• JDEdwards
• IBM Rational Clearcase
• RDBMS Based Apps
Operating Systems:
• HP/Compaq Tru64 Unix
• HP-UX
• HP-UX NIS
• IBM AIX
• IBM i5/OS
• OpenVMM
• RedHat Enterprise Linux
• Sun Solaris
• Sun Solaris NIS
• SuSE Linux Enterprise Server
• Tandem
• Windows Local 2000, 2003, XP
Authentication & Security:
• IBM RACF zOS*
• IBM Tivoli Access Manager
• CA ACF2
• CA Top Secret
• Entrust PKI
• RSA ACE/Server
• CA SiteMinder
• Cisco ACS
Relational Database:
• IBM DB2/UDB
• Informix Dynamic Server
• Oracle
• Microsoft SQL Server
• Sybase
On-Boarding Internal FMS Employees and Contractors
On-Boarding User Account Administration with ITIM
HR Sponsors, COTRs, and other defined Enrollment Officials (i.e., security personnel)
now interface with ITIM in conjunction with their existing business functions. ITIM now
facilitates the FMS “On-Boarding” process of establishing identities (commonly referred
to as Enterprise IDs) for new FMS Employees and Contractors who require access to
FMS IT resources.
The high-level business process for on-boarding a new staff member (employee) or
contractor is as follows:
– HR Sponsor or COTR sends security package to candidate
– Candidate returns paper work to security office
– Enrollment Official initiates background check
– Offer of employment is extended
– Candidate comes on site and accepts position
There are 3 primary roles in ITIM pertaining to on-boarding and new account creation:
– HR Sponsor – Human Resources Division
– COTR – Contracting Officers Technical Representatives
– Enrollment Official – Security Division
On-Boarding External FMS Users
Self Enrollment
Self-Registration is a process whereby an external end-user accesses
ITIM to create an identity by entering the required information about themselves.
Once an identity is created, the user can use the ITIM Self-Service
interface to request access to one or more applications.
FMS has not yet implemented self-registration in ITIM 4.6; however, the
requirements-gathering process has begun.
Benefits of Self-Registration:
• Automation of manual paper processes
• Allows end-users to create application requests at their convenience
• Information is provided directly by the end-user, which improves the identity
information gathering process
• Alleviates helpdesk calls
Exit Clearance Process
Exit Clearance and De-provisioning - User Account Administration
The Exit Clearance process is still initiated through HRD.
Through the exit clearance process, DACD receives notification of the
user’s transfer within or departure from FMS and takes appropriate
steps to de-provision access (often referred to as “Off-boarding”).
ITIM 4.6 provides DACD with a graphical user interface (GUI) that
streamlines de-provisioning processes and provides a workflow that
reduces manual processes and the time it takes to terminate logical
access.
Contractors are de-provisioned in the same fashion as employees,
except that the COTR initiates the process.
Enhanced automation of off-boarding processes is planned for future
implementation.
Application Workflows
ITIM Workflows
Workflows automate the submission and approval of user access. You can
create, approve, modify, and delete access. Workflows also send email notifications
and work orders. Currently there are 2 types of Workflows in ITIM.
There are 3 primary roles for Application Workflows:
1. Data Entry Operators
2. Approvers
3. Application System Administrators
Process Integration requires a DACD staff member to complete provisioning.
Application Workflow Lifecycle
ITIM Workflows
Workflows in ITIM
ITIM currently has ten (10) application Technical Integrated Workflows (LDAP):
– JFAuthWeb
– JFIC
– TRS (Issuance of EUID Only)
– TCIS – For internal users only
– DCC TOP
– PAM
– FedDebt
– Debt Check
– Portal
– SID
ITIM currently has three (3) Enterprise Technical Integrated Workflows (Notes, AD, Unix, Solaris):
– On-boarding
– Unix – Human and Custodian/System Accounts
– TWAI Solaris – Human and Custodian/System Accounts
ITIM currently has two (2) Process Integrated Workflows:
– Facts II
– Pacer
Challenge Response and Forgotten Password
Challenge Response is the application used to assist in
retrieving a forgotten password, assist if your account
gets locked (due to inactivity or expiration) and/or in the
event of exceeding maximum login attempts.
You access this feature by selecting “Forgot Password”
on the SSO page of FMS web applications supported by
ITIM.
Self-Service
Function – What the End User can do
– Change Password – Changes passwords of one’s own accounts
– Manage Accounts – Requests new accounts, modifies existing accounts, and deletes existing accounts
– Manage Profile – Manages certain attributes of one’s own user profile
– View Requests – Views the status of requests submitted to the ITIM system
– Approve/Review Requests – Reviews and approves/rejects requests of which the end user is a participant
– Respond to Actions Needed – Responds to recertification requests and participates in workflow activities
Self-Service Homepage Screenshot
Life Cycle Rules & Policies
ITIM Manages FMS Policies and Life Cycle Rules
Policies and life cycle rules allow ITIM to enforce defined business logic.
ITIM
- Monitors who has what access against privileged rules and policies
- Knows when access rights are violated
- Takes action:
• Flag
• Notify
• Correct non-compliance
• Suspend accounts
Provisioning Policy Examples:
• Flag unused accounts for deletion
• Trigger recertification
• Expire contractor identities
Password Policy Examples:
• Force password change
• Number of characters
• Require special characters
• Enforce password repeat rules
Recertification
Recertification with ITIM
ITIM recertification simplifies and automates the process of periodically re-validating user accounts.
The recertification process validates that each user account is still required for a valid business
purpose. The process sends recertification notification and approval events to the participants.
ITIM uses FMS’ defined policies to determine how frequently users must certify their need for
account access. Additionally, the policy defines the operation that occurs if the recipient declines or
does not respond to the recertification request. During the recertification process, email notifications
are sent out to participants, and recertification workflow activities are initiated.
A Recertification workflow must be scheduled and configured for each application. The recertification
process is triggered by the ITIM System with enough time to allow accounts to be recertified before
the end of the period.
Currently ITIM will only recertify applications with Technical Integrated Workflows (LDAP).
Recertification is also available on an ad-hoc basis.
Recertification is verifiable and auditable and supports many types of reports.
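The provisioning-policy examples and the recertification behaviour described above (flag unused accounts, expire contractor identities, trigger recertification with enough lead time before the period ends, and apply a defined operation when the recipient declines or does not respond) modelled as a small policy evaluator. This is an added illustration, not ITIM’s own logic or FMS configuration; the account records, day thresholds, application names and the “suspend” operation are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Account:
    euid: str
    app: str
    user_type: str                          # "employee" or "contractor"
    last_login: date
    last_certified: date                    # date the last recertification completed
    contract_end: Optional[date] = None     # contractors only
    recert_response: Optional[str] = None   # None = no response, "approved" or "declined"

@dataclass
class Policy:
    unused_days: int = 90          # flag accounts idle longer than this for deletion
    recert_period_days: int = 180  # how often access must be re-validated
    recert_lead_days: int = 30     # notify this long before the period ends
    on_decline: str = "suspend"    # operation when recipient declines or does not respond

def evaluate(acct: Account, policy: Policy, today: date) -> List[str]:
    """Return the policy actions that enforcement would raise for one account."""
    actions: List[str] = []
    if (today - acct.last_login).days > policy.unused_days:
        actions.append("flag_unused")
    if acct.user_type == "contractor" and acct.contract_end and today > acct.contract_end:
        actions.append("expire_identity")
    due = acct.last_certified + timedelta(days=policy.recert_period_days)
    lead = due - timedelta(days=policy.recert_lead_days)
    if lead <= today < due and acct.recert_response is None:
        actions.append("notify_recert")       # triggered with time left in the period
    elif today >= due and acct.recert_response != "approved":
        actions.append(policy.on_decline)     # declined, or period ended with no answer
    return actions

def evaluate_all(accounts: List[Account], policy: Policy, today: date) -> dict:
    return {a.euid: evaluate(a, policy, today) for a in accounts}

# Constructed sample records (not real FMS data); dates chosen around the conference.
TODAY = date(2009, 6, 10)
SAMPLE_ACCOUNTS = [
    Account("E1001", "PAM", "employee", date(2009, 6, 1), date(2009, 5, 1)),
    Account("C2001", "FedDebt", "contractor", date(2009, 1, 15), date(2008, 11, 1),
            contract_end=date(2009, 5, 31)),
    Account("E1002", "TCIS", "employee", date(2009, 6, 9), date(2008, 12, 20)),
    Account("E1003", "Portal", "employee", date(2009, 6, 8), date(2008, 11, 15),
            recert_response="declined"),
]

if __name__ == "__main__":
    for euid, acts in evaluate_all(SAMPLE_ACCOUNTS, Policy(), TODAY).items():
        print(euid, acts or ["compliant"])
```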
What Managers Need to Know
ITIM will send emails to Managers for action:
– When access to an FMS Unix machine is requested
– When access to a privileged group is requested
– When a new employee is on-boarded by HR, Managers will be
required to provide the EUID and password to the new employee
– When access recertification is required
– Managers will be required to log into ITIM and give approval
– Managers have the ability to delegate this responsibility when out of the
office for extended periods of time
ESAAS Migration Schedule (Completion Date – Applications)
– June 30 – SPS, Security Admin, Service Desk, CM, Windows 2003, Web Admin LDAP, CAG, FIWA, COMBO, Websphere Portal Project
– August 3 – GOALS II, FACTS I, GWA CAFÉ IDM, IFCS, Parking, TCIS, GFRS
– October 5 – STAR, TOP, TRACS, Connect Direct, Connect Mailbox, FCAS, PAM Mainframe, DBMS, CTS, UNIX System Services, TCS, HROC Computer
– November 30 – FEDDEBT, FASDAS, PM Security
– December 31 – DBMS, Cash Track, Check Issue Audit, Bundle, Judge Fund, OATS, CSIRC, EFT
ITIM Training Schedule
Training classes are held at PGMC and are available by video and audio for
remote locations.
“Getting to Know ITIM”
– 6/17 9am-12pm
“On-Boarding New Employees & Contractors”
– 6/17 1pm-4pm
– 7/14 1pm-4pm
– 8/13 9am-12pm
The courses below will be available on CBT starting July 2009:
– Getting Started with ITIM
– TWAI Solaris
Schedule and registration details are posted on the ITIM Application Web Page.
Questions & Answers