How to Govern and Maintain Compliance Using Open Source Identity Management Components
May 17, 2017
ApacheCon NA, Miami
Introductions
ApacheCon NA, Miami 2017
• Katarina Valalikova – @KValalikova
• Shawn McKinney – @shawnmckinney
Session Objective
Learn about identity governance and demo common use cases w/ open source infrastructure.
Session Agenda
• Terminology
• Benefits
• Scenarios
• Solution
• Demo
• Questions
Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA
Terminology
What can possibly go wrong here?
1. Too many accounts
2. Too few accounts
3. Don't know how many accounts
What can possibly go wrong here?
1. Improper account retention policies
2. Violation of the principle of least privilege
3. Sharing credentials instead of accounts
4. No account approval process
5. Non-deterministic assignments
6. Violation of privacy
In other words, we need
1. Access certification
2. Approvals
3. Notifications
4. Escalation
5. Deputy
6. …
What is Identity Governance?
Gartner says:
• Combines with IAM functions to meet audit and compliance obligations.
What is Identity Governance?
WhatIs calls it:
• Policy-based centralized orchestration of user identity management and access control.
• Helps support enterprise IT security and regulatory compliance.
• Margaret Rouse, WhatIs.com
What is Identity Governance?
Radovan says:
• High-level business processes, business rules, policies, organizational structures
• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols
• Radovan Semancik, wiki.evolveum.com
Role Based Access Control
RBAC and Policy Rules
• Constraints
• Actions
• Situations
Identity Management and Governance
Architectural Overview
Requires
• Java version 8
• Java servlet container
• Relational database
Uses
• Spring Framework – component wiring
• Apache Wicket – user interface
• ConnId – common connectors
(any)
Architecture diagram (component labels only; the image is not in the transcript):
• IdM services, security and user-account mappings
• Resource and account management
• Common data model, libs and low-level utils
• Data storage and task management
• User interface components
High-level components don't connect with low-level components.
Demo
Resource / Connectors at Play
1. Google Apps
2. Oracle HCM
3. LDAP
Demo Environment
• Google Apps connector
• HCM connector (PeopleSoft)
• Open
Use Cases
• UC1 – Onboarding new identity, account activation
• UC2 – Role assignment
• UC3 – Self service
• UC4 – Deputy
• UC5 – Account certification / recertification
UC 1 Onboarding new identity
1. User is imported from HCM
2. Activation link is sent to the user
3. User activates his account
4. Basic roles are assigned to the user after activation
UC 2 Role assignment
1. Manager assigns roles to the onboarded user
2. Manager selects conflicting roles
3. Roles are not assigned because of an SoD violation
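The SoD check behind UC 2, as an added example that is not from the slides or from the product they demonstrate: the role names, the two exclusivity rules and the user are constructed, and the request is evaluated all-or-nothing so a conflicting pair is rejected as a whole rather than partially applied.

```python
# Added example (not from the slides): separation-of-duties (SoD) enforcement
# on role assignment. Role names, rules and the user below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodRule:
    """Two roles that must never be held by the same identity."""
    role_a: str
    role_b: str
    reason: str

    def conflicts(self, roles: set[str]) -> bool:
        return self.role_a in roles and self.role_b in roles


@dataclass
class Identity:
    name: str
    roles: set[str] = field(default_factory=set)


# Constructed policy: a classic finance pair and an admin/auditor pair.
SOD_RULES = [
    SodRule("invoice-approver", "payment-releaser",
            "one person must not both approve and pay an invoice"),
    SodRule("ldap-admin", "ldap-auditor",
            "the auditor must be independent of the administrator"),
]


def assign_roles(user: Identity, requested: set[str],
                 rules: list[SodRule] = SOD_RULES) -> tuple[set[str], list[str]]:
    """Try to add `requested` to the user's roles.

    The check runs over the whole future state (current roles + requested),
    so a conflict between an already-held role and a new one is caught too.
    If any rule would be violated nothing is assigned and the violations are
    returned, matching slide 29: roles are not assigned because of SoD.
    """
    candidate = user.roles | requested
    violations = [f"{r.role_a} + {r.role_b}: {r.reason}"
                  for r in rules if r.conflicts(candidate)]
    if violations:
        return set(), violations      # all-or-nothing: reject the request
    user.roles |= requested
    return set(requested), []


if __name__ == "__main__":
    bob = Identity("bob")
    print(assign_roles(bob, {"invoice-approver"}))        # assigned, no violations
    print(assign_roles(bob, {"payment-releaser"}))        # rejected: conflicts with held role
```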
UC 3 Self service
1. User selects roles he needs to have assigned
2. Request is sent for approval
3. Approval starts
4. Approval from manager is needed
5. Approval from security officer is needed
6. Approval from application owner is needed
7. App owner is on vacation – escalation
UC 4 Deputy
1. Manager is going on vacation
2. Manager delegates his work
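The multi-level approval chain of UC 3 together with the deputy handover of UC 4, as an added example not taken from the slides or from the demonstrated product: the approver names, the escalation target used when no deputy was set, and the fail-closed treatment of a missing decision are all assumptions.

```python
# Added example (not from the slides): manager -> security officer ->
# application owner approval chain with deputy delegation and escalation.
# Names and the escalation rule are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Approver:
    name: str
    on_vacation: bool = False
    deputy: str | None = None        # UC 4: work delegated before leaving
    escalate_to: str | None = None   # fallback if no deputy was set (assumed rule)


def resolve_approver(stage: Approver) -> tuple[str, str]:
    """Return (who actually decides at this stage, how they were reached)."""
    if not stage.on_vacation:
        return stage.name, "direct"
    if stage.deputy:
        return stage.deputy, "deputy"          # delegation, UC 4
    if stage.escalate_to:
        return stage.escalate_to, "escalation"  # app owner away, UC 3 step 7
    raise RuntimeError(f"nobody can decide for {stage.name}; request stalls")


def run_approval(request: str, chain: list[Approver],
                 decisions: dict[str, bool]) -> tuple[bool, list[str]]:
    """Walk the chain in order; the first denial ends the process.

    `decisions` maps a decider's name to approve (True) / deny (False). A
    missing decision counts as a denial (fail closed). Every stage is
    recorded so the audit trail shows who decided and on whose behalf.
    """
    trail: list[str] = []
    for stage in chain:
        decider, how = resolve_approver(stage)
        verdict = decisions.get(decider, False)
        trail.append(f"{request}: {stage.name} stage decided by {decider} "
                     f"({how}) -> {'approved' if verdict else 'denied'}")
        if not verdict:
            return False, trail
    return True, trail


if __name__ == "__main__":
    chain = [Approver("alice-manager", on_vacation=True, deputy="dave"),
             Approver("sec-officer"),
             Approver("app-owner", on_vacation=True, escalate_to="app-owner-boss")]
    ok, trail = run_approval("REQ-1", chain,
                             {"dave": True, "sec-officer": True, "app-owner-boss": True})
    print(ok, *trail, sep="\n")
```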
UC 5 Access certification
1. New campaign for access certification starts
2. Manager decides which accounts are legitimate
Benefits of Governance Controls
• Advanced role lifecycle management
• Audit and reporting interfaces
• Enhanced regulatory compliance
• Improved business responsiveness
• Privileged account management
• Self-service interfaces
Governance simply
• Notifications
• Recertification
• (Multi-level) approvals
• Escalation
• Delegation
• Deputy
• Role lifecycle
• Audit trail
• ...
Questions
Contact
• Katarina Valalikova – @KValalikova
• Shawn McKinney – @shawnmckinney