7/30/2019 Im Capabilities and Architecture
TECHNOLOGY BRIEF: CA IDENTITY MANAGER
CA Identity Manager: Capabilities and Architecture
Ehud Amiri, CA Security Management
Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document As Is without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
Table of Contents
Executive Summary
SECTION 1
Managing Complexity Created by Volume and Diversity
Accommodating Changing Compliance and Regulation Requirements
The Identity Management Payoff
SECTION 2
CA Identity Manager Architecture Overview
Application Layers
Data Repositories
Software Development Kit
SECTION 3
Designed for Enterprise-Class Scalability and Security
SECTION 4
CA Identity Manager Capabilities
Provisioning/De-Provisioning
User Self-Service
Delegated Administration
Integrated Workflow
Role-Based Access Control
Interface Customization
Password Management
Integration
Reconciliation Services
Auditing and Reporting
SECTION 5
The Strength of a Broad Identity Management Solution
SECTION 6
CA Identity Manager Improves Speed, Efficiency and Security
Improved Operational Execution
Improved Administrative Control
Increased User Satisfaction
Assistance in Compliance Efforts
SECTION 7: CONCLUSIONS
Executive Summary
Challenge
As the distinction between employees, business partners, and customer identities blurs,
organizations must ensure that users get access to the RIGHT applications at the RIGHT
time. Unfortunately, traditional approaches to granting and removing this access, heavily
based on manual processes, are costly and prone to errors. At the same time, external
regulatory oversight and internal governance practices mandate that these interactions be
managed in compliance with corporate access policies, such as ensuring proper
segregation of duties, approval workflow and audit. The challenge is in balancing the
expectation of today's users for immediate access against the organizational need to
secure their applications, data and other resources.
Opportunity
Optimizing and standardizing the processes involved in managing user identities can
result in a variety of business and security benefits. CA Identity Manager provides a
comprehensive identity administration and user provisioning solution that manages all
types of identities and covers a comprehensive set of target systems across the full identity
lifecycle from creation to modification to removal. In addition, CA Identity Manager
improves security by providing an authoritative point of identity administration, enforcing
consistent identity policies and auditing identity-related actions.
Benefits
By automating processes, identity management solutions provide a higher level of
efficiency that improves operational execution, consistent control and user satisfaction
while assisting in compliance efforts. For example, enforcing approval workflows ensures
the proper sign-off before access is granted and auditing each action helps improve
security, decrease risk and address regulatory compliance objectives. CA Identity Manager
is an enterprise-class solution that provides provisioning, user self-service, identity
administration and more. With superior scalability, CA Identity Manager supports the
needs of all your users across all applications from the Web to the mainframe. With the
flexibility to support virtually any workflow process, implement delegated administration for a range of management models, enact a variety of policy-based controls and embed
identity management functions into your existing applications, CA Identity Manager
supports the unique needs of your business.
Managing Complexity Created by Volume and Diversity
The typical enterprise supports IT operations on a massive scale. Multiple decades of deploying
technology have resulted in literally hundreds of applications needed by an exponentially large set of users. Application access must be provisioned not only for employees, but increasingly
for others including business partners, contractors and customers. As a result, a large
enterprise may have millions of separate entitlements to manage.
Compounding this issue, many businesses have followed the path of cutting-edge technology,
migrating from mainframes, through client-server systems, to early groupware, Internet-based
computing, and now to network-based services that operate in the cloud. Yet, with every
major technology transition, old applications and infrastructures stay in place, requiring
ongoing maintenance and investment. Thus, the resulting enterprise IT landscape is more
heterogeneous and more complex.
In light of this complexity, processes for managing user accounts, entitlements, credentials and access can no longer be done in an ad hoc, decentralized or manual fashion. These types of
management models introduce the potential for human error and improperly configured
systems and applications. Furthermore, this approach presents costly overhead and creates
inconsistencies in how corporate policies are enforced, if at all. Ultimately all of these issues
increase risk, both to your data and customer relationships.
Accommodating Changing Compliance and Regulation Requirements
In addition to this operational complexity, virtually every organization is directly or indirectly
impacted by regulatory and industry initiatives such as Sarbanes-Oxley Act (SOX), Health
Insurance Portability and Accountability Act (HIPAA), European Union Privacy Directive or
Payment Card Industry Data Security Standard (PCI DSS).
Each of these regulations addresses various aspects of business risk which have a profound
impact on data security and IT controls. For example, SOX is focused on ensuring the security,
integrity and reliability of corporate financial reports. As such it established direct involvement
and accountability for a company's principal officers to validate the security and accuracy of
financial statements. Similarly, the HIPAA Privacy Rule regulates the use and disclosure of
protected health information, while PCI DSS focuses on enhancing the protection of credit card
holder information; both of which have wide-ranging security implications regarding how persons
gain access to this information.
Many organizations look to frameworks such as Committee of Sponsoring Organizations
of the Treadway Commission (COSO) and Control Objectives for Information and related
Technology (COBIT) for best practice guidance on which security aspects they need to account for. The benefit of these frameworks is that they provide a standard mapping of regulatory
requirements into specific IT security controls including how organizations should manage
their identities, entitlements and the relationships between them. The key is leveraging
cost-effective solutions with the ability to enforce these IT security controls across the
entire enterprise.
The Identity Management Payoff
Identity Management solutions provide consistency by automating the management of
relationships between people (e.g. employees, partners and customers), their credentials
(e.g. Active Directory, mailbox and ERP accounts) and their access rights on each system. In doing so, Identity Management solutions enable enterprises to address previously stated
challenges by:
REDUCING ADMINISTRATIVE COSTS Offloading labor from IT teams by automating many
day-to-day administrative tasks such as creating accounts on target systems for new
employees. Identity Management also enables IT to decentralize certain responsibilities
using robust, controlled delegation and self-service capabilities including password resets.
SUPPORTING COMPLIANCE INITIATIVES Enforcing security controls mandated by regulation
compliance frameworks and internal/external auditors. For example, implementing sign-off
processes for granting sensitive resource access, limiting excessive rights, eliminating orphan
accounts and enforcing password management policies.
INCREASING ACCOUNTABILITY Implementing centralized identity administration processes
across systems with consistent approval workflow and detailed audit trails gives enterprises
the ability to answer fundamental questions such as "Who has access to what?", "Why was
that granted?" and "Who approved it?"
MANAGING THE ENTERPRISE SCALE Realizing each of these benefits is predicated on the
ability to support enterprise scalability and distribution requirements which can involve
millions of resources over thousands of applications. Identity Management solutions that are
architected to address these scalability requirements will enable a successful implementation
of their product capabilities.
The rest of this document provides deeper insight into CA's approach to Identity Management
by describing CA Identity Manager's architecture and key capabilities.
CA Identity Manager Architecture Overview
CA Identity Manager is architected in a layered fashion to logically separate front-end
components from the back-end provisioning engine. This enables tremendous scalability
capable of supporting the requirements of even the largest enterprises. This distributed
computing approach enables you to implement high availability and disaster recovery at each
layer as requirements dictate. It also provides deployment flexibility, allowing you to start with
a basic implementation and add capacity and functionality over time.
Application Layers
Each application layer represents a logically independent function within CA Identity Manager
which interfaces with other application layers. Layers are sometimes deployed separately
to meet customers' security or scalability requirements. CA Identity Manager's application
layers include:
IDENTITY MANAGER APPLICATION This standards-based J2EE application serves as the
user interface and business logic layer. It includes the web user interface, delegated
administration framework and workflow, policy evaluation, audit and reporting services.
PROVISIONING SERVER Provides IT logic services including translation between business
and IT terminology and mapping users with their target system credentials. It also provides
synchronization and reconciliation services to push necessary changes to endpoint systems
and identify changes made outside of CA Identity Manager.
CONNECTOR SERVER Interfaces with target systems and applications via connectors to
support provisioning tasks. Depending on the load, network topology and network security
requirements of your environment, one or more Connector Servers may be deployed. These
can be co-located with the Provisioning Server or distributed on remote machines. CA
Identity Manager includes a large set of out-of-the-box connectors for commonly used
business applications and IT systems. In addition, custom connectors can be developed to
support provisioning to home-grown applications.
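The Provisioning Server's reconciliation role (identify changes made outside CA Identity Manager) and the "eliminating orphan accounts" point earlier are easier to picture with a concrete comparison. The following Python sketch is an added example written for this brief, not CA Identity Manager code: it compares a constructed endpoint export against a constructed provisioning-store mapping and classifies each account as owned, orphaned, missing, drifted, or out of policy. The data layout, the policy and the `reconcile` function are all assumptions made for illustration.

```python
"""Reverse-synchronization sketch: compare the accounts the provisioning
store says an endpoint should hold against what the endpoint reports.
Added example, not CA Identity Manager code; all data below is constructed."""
from dataclasses import dataclass, field

# Constructed provisioning-store mapping: global user id -> {endpoint: account name}
PROVISIONING_STORE = {
    "u1001": {"ad": "jdoe", "sap": "JDOE"},
    "u1002": {"ad": "asmith"},
    "u1003": {"ad": "blee"},           # expected on 'ad' but absent from the export
}

# Constructed snapshot read back from the 'ad' endpoint
ENDPOINT_EXPORT = {
    "ad": {
        "jdoe":    {"groups": {"Staff", "Finance"}},
        "asmith":  {"groups": {"Staff", "Domain Admins"}},  # group added outside IM
        "svc_old": {"groups": {"Staff"}},                   # no owner in the store: orphan
    }
}

# Constructed: group sets IM last pushed to each account, and groups IM policy allows
LAST_KNOWN = {"ad": {"jdoe": {"Staff", "Finance"}, "asmith": {"Staff"}, "blee": {"Staff"}}}
ALLOWED_GROUPS = {"ad": {"Staff", "Finance", "Sales"}}

@dataclass
class ReconcileReport:
    orphans: list = field(default_factory=list)        # endpoint accounts with no known owner
    missing: list = field(default_factory=list)        # owned accounts absent from the endpoint
    drift: dict = field(default_factory=dict)          # account -> groups added/removed outside IM
    out_of_policy: dict = field(default_factory=dict)  # account -> groups policy does not allow

def reconcile(endpoint, export=ENDPOINT_EXPORT, store=PROVISIONING_STORE,
              last_known=LAST_KNOWN, allowed=ALLOWED_GROUPS):
    """Classify every account on one endpoint so an operator (or a workflow) can act on it."""
    report = ReconcileReport()
    # Invert the store for this endpoint: account name -> owning global user
    owners = {accts[endpoint]: uid for uid, accts in store.items() if endpoint in accts}
    actual = export.get(endpoint, {})
    report.missing = sorted(a for a in owners if a not in actual)
    for account, attrs in actual.items():
        if account not in owners:
            report.orphans.append(account)
            continue
        expected = last_known.get(endpoint, {}).get(account, set())
        added, removed = attrs["groups"] - expected, expected - attrs["groups"]
        if added or removed:
            report.drift[account] = {"added": sorted(added), "removed": sorted(removed)}
        disallowed = attrs["groups"] - allowed.get(endpoint, set())
        if disallowed:
            report.out_of_policy[account] = sorted(disallowed)
    return report

if __name__ == "__main__":
    r = reconcile("ad")
    print("orphans:", r.orphans, "missing:", r.missing)
    print("drift:", r.drift, "out of policy:", r.out_of_policy)
```

The split between `drift` (anything changed behind IM's back) and `out_of_policy` (changes that violate the allowed set) matters operationally: the first is a candidate for an approval workflow or a re-push, the second is a finding to revert and audit.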
FIGURE A: CA Identity Manager Architecture. CA Identity Manager's layered architecture is optimal for supporting the flexibility and scalability required by today's enterprises.
Data Repositories
Each data repository represents a logical, permanent store for certain types of data elements
required by CA Identity Manager such as user records, audit records and configuration data.
CA Identity Manager's data repositories include:
CORPORATE IDENTITY STORE This serves as a centralized, authoritative repository for users,
groups and organizational units. For enterprises which already have a centralized repository
serving this purpose, CA Identity Manager can leverage this data source without replicating
any existing data. Commonly used commercial LDAP and RDBMS servers are supported.
PROVISIONING STORE This is an internal repository which maintains a mapping between
users in the Corporate Identity Store and their associated accounts on managed systems
and applications. Endpoint metadata is also stored in this repository.
RUNTIME DATABASE This internal repository maintains runtime information, such as audit
trails, detailed transaction history, transient workflow status and configuration data about
roles, policies and workflow definitions.
Software Development Kit
The CA Identity Manager Software Development Kit (SDK) includes a set of documented
application programming interfaces (APIs) that let you integrate and extend CA Identity
Manager capabilities for your specific environment.
TASK EXECUTION WEB SERVICES (TEWS) Web Services API that enables third-party
applications to remotely submit CA Identity Manager tasks for execution. This capability
is used by organizations to embed Identity Management services into their existing
applications that their users are already using and comfortable with.
BUSINESS LOGIC SDK Set of Java-based APIs that can be used for embedding custom
business logic inside Identity Management policies. This includes both customization of
presentation logic (e.g. Logical Attribute Handlers and Business Logic Task Handlers) as
well as backend logic (e.g. Event Handlers and Workflow APIs).
JAVA CONNECTOR SERVER SDK Used to develop custom connectors which support
provisioning to home-grown applications. These custom connectors may include
provisioning of accounts and groups, association of group memberships and validation logic.
Designed for Enterprise-Class Scalability and Security
CA Identity Manager is deployed by some of the largest enterprises in the world, including
those which require the highest degrees of scalability and around-the-clock availability. This
same level of service benefits not only large enterprises, but customers of various sizes, across
various industries. CA Identity Manager's flexible, layered architecture has been designed to
support enterprise needs, including:
LAYERED CLUSTERING Clustering is supported at every CA Identity Manager infrastructure
layer, including the Identity Manager Application, Provisioning Server, Connector Server
and repositories. Clustering support addresses high availability as well as load balancing
requirements.
COMPONENT DISTRIBUTION Depending on customers' specific load requirements,
CA Identity Manager can be extended horizontally by adding additional machines in a
mirrored fashion. Alternatively, the deployment can be extended vertically, by dedicating
machines to handling specific functions which carry the highest loads. For example,
customers expecting a massive propagation of endpoint changes can deploy additional
temporary provisioning servers to be used as batch servers.
SCALABILITY USING CA DIRECTORY Optionally, CA Identity Manager can leverage
CA Directory as the corporate identity store. CA Directory supports both LDAP and X.500,
and meets the toughest scalability and performance requirements and hardware constraints,
as demonstrated in a recent 100 million user scalability test conducted by an external
testing laboratory.
Recognizing that CA Identity Manager often maintains highly sensitive information, CA makes
continuous investments to ensure the highest levels of internal product security. This enables
the management of users and their access rights across the entire enterprise, while
maintaining the highest product security disciplines in accordance with industry best practices.
CRYPTOGRAPHY CA Identity Manager uses the Advanced Encryption Standard (AES),
incorporating proven cryptographic libraries Crypto-J v3.5 and Crypto-C ME v2.0. These
cryptographic requirements include encryption algorithms, key sizes and implementation
for handling sensitive data.
FIPS 140-2 SUPPORT Federal Information Processing Standards (FIPS) 140-2 is a security
standard for the cryptographic libraries and encryption algorithms which ensure high
standards of data security.
DATA SECURITY CA Identity Manager secures data at rest and in transit by using secured
protocols over all communication channels between components and endpoints. In the
majority of cases, this includes usage of standard protocols over SSL, such as HTTP over
SSL (HTTPS) and LDAP over SSL (LDAPS).
CA Identity Manager Capabilities
CA Identity Manager provides a comprehensive set of functionalities which enable you to
automate the various identity management processes in your organization. These capabilities
provide added value when used in conjunction with one another, but can often be implemented
in a standalone fashion, enabling phased deployments. This section discusses the various
capabilities of CA Identity Manager.
Provisioning/De-Provisioning
Provisioning involves automating the process of adding, modifying and deleting users and their
attributes. This includes managing users' profile attributes, including their role memberships
and their associated access rights. CA Identity Manager supports these operations and goes
beyond the traditional boundaries of organizations to automate these processes across the
extended enterprise.
ALL IDENTITY TYPES IT organizations are being increasingly asked to manage identities
across the enterprise, whether that includes internal users (e.g. employees), external users
(e.g. customers or partners) or identities not directly owned by a single person (e.g. root
accounts). CA Identity Manager provides a single solution with the ability to manage all
types of identities, providing greater consistency across the entire enterprise.
FINER-GRAINED ENTITLEMENT MANAGEMENT CA Identity Manager can manage entitlements
at a range of depths, from coarse- to finer-grained entitlements. For example, customers who
invested in developing detailed SAP role models can automate provisioning down to the SAP
role level. Unlike traditional identity management systems, CA Identity Manager leverages
these roles directly out of target systems instead of requiring redundant definition of each
SAP role in CA Identity Manager. These application roles can be augmented by CA Identity
Manager business roles in defining workflows and business processes. This flexibility is
important in leveraging existing investments, reducing replication of data and driving down
the cost of maintaining the deployment over time.
POLICY MODELING Policy Xpress lets you configure policies that execute your unique, complex
business processes. Traditional approaches generally achieve this through custom code
development, but this wizard-based tool lets you build policies in-house within hours, rather
than requiring weeks of programming. This helps reduce the costs of internal development
and ongoing maintenance, and you will no longer be locked into unsupported, aging
software. With Policy Xpress, you can quickly and easily respond to organizational changes
without having to manage an entire software development effort.
MASS UPDATES Organizations often need to support massive entitlement changes as a
result of enterprise structure changes, such as the merging of business units or acquisition of
new companies. CA Identity Manager supports these types of mass changes using a bulk
loader service. Changes can be initiated by feeding in an information file where each text line
represents a requested change. CA Identity Manager can also apply a common change to
many users which match certain criteria, such as applying the same change to all current
employees at a certain site.
TASK SCHEDULING Provides the ability to set transactions for future execution based on
date/time criteria. For example, an administrator can instruct CA Identity Manager to create
a new employee profile upon their hire at the beginning of next month or set up a temporary
identity for contractors who have known start and end dates.
User Self-Service
CA Identity Manager enables organizations to reduce IT and help desk workloads by
empowering users to resolve identity-related issues on their own. Through an easy-to-use web
interface, users can manage many aspects of their identity through various functions including:
SELF-REGISTRATION Enables users to register for web applications through a publicly
available web page. The user interface can be easily configured to request the specific
information required by the organization depending on the type of user. This capability is
frequently used for the purpose of managing external users of consumer-based applications.
FORGOTTEN PASSWORD AND PASSWORD RESETS Instead of calling the help desk to reset a
forgotten password, users can identify themselves via alternative means of authentication,
such as a series of custom questions. Upon proper authentication, they can set a new
password for their global account or for any of their application accounts.
ACCESS REQUESTS Allows users to request additional access via the CA Identity Manager
web interface or your existing web portal. This greatly decreases costs by reducing the
requirement for administrators to process and manually manage the workflow associated
with providing additional access.
SELF-ADMINISTRATION Enables users to maintain certain elements of their identity profiles
while administrators retain granular control over what attributes can be changed or not. This
enhances the user experience by providing an alternative to relying on the help desk for
simple identity changes such as their home address or phone number.
Delegated Administration
CA Identity Manager includes a comprehensive set of capabilities that enable you to define
what business operations each user can perform, and under which business restrictions. This
enables you to regulate who can do what, to whom. Delegation models are based on
combinations of roles and rules and can include custom logic for modeling unique delegation
logic as needed.
WORKFLOW-BASED DELEGATION CA Identity Manager provides the ability to easily create
and apply approval processes so users can feel confident their actions will be appropriately
delegated. Each approval can, in turn, be subject to delegation, allowing approvers to further
delegate or transfer approval authority if it was improperly assigned.
GRANULARITY OF DELEGATION Delegation of capabilities (e.g. create user, approve access
request, view system report) can be defined based on user or organizational attributes or a
combination of both, including:
User attributes such as job title or location.
Organizational structure, including explicitly identified organizations or dynamic groups
such as "users in organizations that match a filter criteria."
Groups containing the user, including explicitly identified groups or sets of groups that
match filter requirements.
Participation in roles including membership, administration or ownership of admin, access
or provisioning roles.
SCOPING Defining the scope on which subjects one can take action follows the same
model as above, but also includes the ability to define dynamic, instance-specific rules. For
example, a user can have scope over "all users in Sales" or "all users at my location."
TEMPORARY DELEGATION Users (the delegator) can specify that another user or
combination of users have the authority to approve tasks or work items during periods
when the delegator is "out of the office."
Integrated Workflow
CA Identity Manager's embedded workflow engine allows organizations to implement business
processes which provide control over delegated administration capabilities. This workflow is
highly flexible and capable of supporting varying business requirements through template
definition, escalation, parallel approvals, serial approvals and multi-step approvals. Workflow
integration includes:
WORKFLOW TEMPLATES These allow you to generically define workflow processes once
using a drag and drop user interface and reuse them across specific processes. Separating
the definition of the process flow from the process data enables you to reuse logic and
minimizes the cost associated with repeatedly changing processes. CA Identity Manager
provides a set of out-of-the-box workflow templates and supports creation of custom
workflow templates.
APPROVALS Workflow can be established to require a person to approve an event, such
as modification to a user profile, before CA Identity Manager updates a user store.
Approvers are administrators who have been assigned rights within the approver role
for a particular task.
NOTIFICATIONS The workflow engine can notify users of an event's status at different stages
of a process, for example when a user initiates an event or when an event is approved.
WORK LIST GENERATION Work lists specify the tasks that a particular user must perform.
The workflow engine updates administrators' work lists automatically.
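To make the pieces above concrete (a reusable serial-approval template, approvals, notifications, work lists, and the temporary "out of the office" delegation from the Delegated Administration section), here is an added Python sketch of a minimal approval engine. It is example code written for this brief, not CA's workflow engine; the template, the role holders, the delegation table and all function names are constructed assumptions.

```python
"""Approval workflow sketch: a change event walks a serial approval template,
each step creates a work item on an approver's work list, and an active
out-of-office delegation redirects that item to the delegate. Added example,
not CA's workflow engine; template, role holders and delegations are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed serial approval template: (step name, approver role), reused by every event
TEMPLATE = [("manager-approval", "manager"), ("app-owner-approval", "app-owner")]
# Constructed approver role holders
ROLE_HOLDERS = {"manager": "mgr1", "app-owner": "owner1"}
# Constructed temporary delegations: delegator -> (delegate, currently active)
DELEGATIONS = {"mgr1": ("mgr2", True)}

@dataclass
class WorkItem:
    step: str
    assignee: str
    delegated_from: Optional[str] = None   # kept for the audit trail
    decision: Optional[str] = None

@dataclass
class Request:
    event: str
    items: list = field(default_factory=list)
    status: str = "pending"
    notifications: list = field(default_factory=list)

def resolve_assignee(user, delegations=DELEGATIONS):
    """Follow active delegations to the final approver; a cycle stops at the last new user."""
    origin, seen = user, {user}
    while user in delegations and delegations[user][1]:
        nxt = delegations[user][0]
        if nxt in seen:
            break
        seen.add(nxt)
        user = nxt
    return user, (origin if user != origin else None)

def _open_step(req, index, template):
    if index >= len(template):                      # every step approved: commit the event
        req.status = "approved"
        req.notifications.append(f"{req.event}: approved")
        return
    step, role = template[index]
    assignee, delegated_from = resolve_assignee(ROLE_HOLDERS[role])
    req.items.append(WorkItem(step, assignee, delegated_from))
    req.notifications.append(f"{req.event}: awaiting {step} by {assignee}")

def start(event, template=TEMPLATE):
    """Submit an event for approval and open its first work item."""
    req = Request(event)
    req.notifications.append(f"{event}: submitted")
    _open_step(req, 0, template)
    return req

def decide(req, approver, approve, template=TEMPLATE):
    """Record a decision on the current work item; only its assignee may decide."""
    item = req.items[-1]
    if item.decision is not None or approver != item.assignee:
        raise PermissionError(f"{approver} is not the current approver")
    item.decision = "approved" if approve else "rejected"
    if approve:
        _open_step(req, len(req.items), template)   # next serial step, or finish
    else:
        req.status = "rejected"
        req.notifications.append(f"{req.event}: rejected at {item.step}")
    return req.status

def work_list(user, requests):
    """Open work items assigned to a user, in the shape a work-list screen would show."""
    return [(r.event, i.step) for r in requests
            for i in r.items if i.assignee == user and i.decision is None]
```

Note that the work item records both the delegate who acted and the delegator it was routed away from; without that second field the audit trail would show an approval by someone who never held the approver role directly.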
Role-Based Access Control
Roles simplify identity management by aggregating similar users and their common privilege
assignments into abstracted, business-relevant groupings. In doing so, roles reduce the number
of relationships that must be managed, provide better business representation of these
relationships and enable more efficient identity management. For example, an organization
with 20,000 users and 100 applications may need to manage several millions of individual
privileges. Building a role model of several hundred roles to represent most of these individual
privileges greatly simplifies and reduces the cost of ensuring appropriate access is granted to
those users. CA Identity Manager supports the following types of roles:
FIGURE B: Workflow Designer. Customization of workflow processes can be accomplished using an intuitive drag and drop user interface.
PROVISIONING ROLES These roles are used to grant users access to target system
accounts (e.g. SAP, Active Directory, email) and the appropriate level of privileges within
these accounts (e.g. membership in SAP Roles). Provisioning Roles include a collection of
Account Templates, which are a description of the rules required for creating new target system
accounts with associated permissions. These rules can leverage user profile data, other
account attributes or constant values. Provisioning Roles are fundamental to CA Identity
Manager's robust automation of administrative activities such as creation and modification
of user accounts.
ADMIN ROLES Admin Roles grant privileges within the CA Identity Manager web user
interface. Admin Roles support fine-grained controls over the actions a user can
perform (What can a user do?) and the scope across which these actions can be performed
(On which subjects can these actions be performed?). Similar to Provisioning Roles, Admin
Roles support rule-based membership policies that provide the flexible foundation for the
delegation of duties within CA Identity Manager.
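The two role types above, together with the scoping rules from the Delegated Administration section ("all users at my location"), can be shown in one small model. The Python below is an added example written for this brief, not CA code: provisioning roles resolve to account templates whose attribute rules use profile data, other account attributes or constants, and admin roles carry a rule-based membership test plus a scope test. The users, the roles, the `%attr%` placeholder syntax and every function name are constructed assumptions.

```python
"""Role-model sketch: provisioning roles -> account templates -> rendered
accounts, and admin roles with membership and scope rules. Added example,
not CA code; users, roles and the %attr% placeholder syntax are constructed."""

# Constructed corporate identity store
USERS = {
    "u1": {"first": "Jane", "last": "Doe",   "dept": "Sales", "site": "Boston", "title": "Manager"},
    "u2": {"first": "Ann",  "last": "Smith", "dept": "Sales", "site": "Boston", "title": "Rep"},
    "u3": {"first": "Bob",  "last": "Lee",   "dept": "Eng",   "site": "Austin", "title": "Engineer"},
}

# Constructed account templates: each rule is a constant or a string with %name% placeholders
# that resolve against the user's profile and attributes rendered earlier in the same template.
ACCOUNT_TEMPLATES = {
    "ad-sales": {"endpoint": "ad", "attrs": {
        "sAMAccountName": "%first%.%last%",           # rule built from profile data
        "mail": "%sAMAccountName%@example.test",      # rule built from another account attribute
        "ou": "Sales",                                # constant value
        "groups": ["Staff", "SalesShare"]}},
    "sap-sales": {"endpoint": "sap", "attrs": {"login": "%last%", "sap_role": "Z_SALES_DISPLAY"}},
}

# Constructed provisioning roles: rule-based membership plus the templates they carry
PROVISIONING_ROLES = {
    "Sales Staff": {"rule": lambda u: u["dept"] == "Sales", "templates": ["ad-sales", "sap-sales"]},
}

# Constructed admin roles: who holds it, which tasks it grants, and its scope ("all users at my location")
ADMIN_ROLES = {
    "Site Manager": {
        "member": lambda u: u["title"] == "Manager",
        "scope": lambda admin, target: target["site"] == admin["site"],
        "tasks": {"modify user", "reset password"},
    },
}

def render(rule, context):
    """Substitute %name% placeholders from the context; unknown names are left untouched."""
    for name, value in context.items():
        rule = rule.replace(f"%{name}%", str(value))
    return rule

def provision(uid, users=USERS, roles=PROVISIONING_ROLES, templates=ACCOUNT_TEMPLATES):
    """Accounts a user should hold: endpoint -> rendered account attributes."""
    profile = users[uid]
    accounts = {}
    for role in roles.values():
        if not role["rule"](profile):
            continue
        for tname in role["templates"]:
            t = templates[tname]
            context, rendered = dict(profile), {}
            for attr, rule in t["attrs"].items():
                value = render(rule, context) if isinstance(rule, str) else list(rule)
                rendered[attr] = value
                if isinstance(value, str):
                    context[attr] = value          # later rules may reference this attribute
            accounts[t["endpoint"]] = rendered
    return accounts

def can_perform(admin_uid, task, target_uid, users=USERS, roles=ADMIN_ROLES):
    """Admin-role check: some role grants the task to the admin AND the target is in its scope."""
    admin, target = users[admin_uid], users[target_uid]
    return any(task in r["tasks"] and r["member"](admin) and r["scope"](admin, target)
               for r in roles.values())
```

The check in `can_perform` deliberately tests the task and the scope together: an admin who holds the right task but whose target falls outside the scope rule gets no access, which is the "who can do what, to whom" question the Delegated Administration section raises.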
Interface Customization
The effectiveness of Identity Management systems is often predicated on the rate of adoption
by users and administrators. CA Identity Manager's web user interface is highly configurable,
allowing you to provide the right user experience and level of detail for each user in the
organization. The user interface can be customized in the following ways:
APPEARANCE The look and feel of the CA Identity Manager web user interface can be
configured to match the organizational standard in terms of logos, color palettes, font type
and other visual characteristics. In addition, terminology used within the interface can be
customized to improve the user experience.
FORMS AND ATTRIBUTES Each screen in the web interface is composed of visual forms
through which users can input information or make appropriate selections. These forms can
be configured down to the level of the user schema or can include custom attributes. CA
Identity Manager includes a point-and-click form designer which allows you to designate
field layout and configuration.
CUSTOM LOGIC The user experience and flow of activities can be further customized by
leveraging CA Identity Manager's Java SDK to develop custom logic snippets. Hooks are
available for calling plug-ins before and after a task screen is displayed (called
Business Logic Task Execution), before and after an attribute is displayed (called Logical
Attribute Handler) and based on specific task processing events (called Event Handler).
WEB SERVICE INTEGRATION In addition to allowing you to customize components within the
web user interface, you can completely remove identity management capabilities from CA
Identity Manager and embed them into your own custom interfaces. This is possible because
CA Identity Manager exposes all user interface tasks as web services, including self-service,
delegated administration and system administration tasks.
Password Management
CA Identity Manager includes a comprehensive set of password management services which
increase security by enforcing consistent password policies across the organization. These also
combine with self-service password reset capabilities to reduce the cost of password-related
help desk calls.
PASSWORD POLICIES Enforce different password strength requirements for different users,
ensuring that sufficiently strong passwords are used to protect critical applications and
accounts. Password restrictions include: minimum password length, maximum repeating
characters, upper-/lower-case letter requirements, combination requirements (of letters,
digits, punctuation, non-printable and non-alphanumeric character sets), custom dictionary
tests and comparison against user profile attributes.
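The restriction types just listed map directly onto a small policy evaluator. The Python below is an added example written for this brief, not CA's password policy engine: it applies a constructed policy (minimum length, maximum repeating run, case requirements, character-class combination count, a custom dictionary and a comparison against profile attributes) and returns every rule a candidate password violates, so a self-service reset screen can report all problems at once instead of one per attempt. Policy field names, the dictionary and the profile are assumptions.

```python
"""Password policy evaluator for the restriction types listed above.
Added example, not CA's policy engine; policy fields, the dictionary and
the profile are constructed for illustration."""
import string

# Constructed policy for a population that protects critical applications
POLICY = {
    "min_length": 12,
    "max_repeating": 2,           # no run of the same character longer than this
    "require_upper": True,
    "require_lower": True,
    "min_char_classes": 3,        # of: letters, digits, punctuation, non-alphanumeric, non-printable
    "dictionary": {"password", "welcome", "summer"},
    "profile_attrs": ["first", "last", "login"],   # the password may not contain these values
}

def char_classes(pw):
    """Set of character classes present in the password."""
    classes = set()
    for c in pw:
        if not c.isprintable():
            classes.add("non-printable")
        elif c.isalpha():
            classes.add("letters")
        elif c.isdigit():
            classes.add("digits")
        elif c in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("non-alphanumeric")
    return classes

def longest_run(pw):
    """Length of the longest run of one repeated character (e.g. 'aaa' -> 3)."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best

def check_password(pw, profile, policy=POLICY):
    """Return the list of violated rule names; an empty list means the password is acceptable."""
    failures = []
    if len(pw) < policy["min_length"]:
        failures.append("min_length")
    if longest_run(pw) > policy["max_repeating"]:
        failures.append("max_repeating")
    if policy["require_upper"] and not any(c.isupper() for c in pw):
        failures.append("require_upper")
    if policy["require_lower"] and not any(c.islower() for c in pw):
        failures.append("require_lower")
    if len(char_classes(pw)) < policy["min_char_classes"]:
        failures.append("min_char_classes")
    low = pw.lower()
    if any(word in low for word in policy["dictionary"]):
        failures.append("dictionary")
    # Profile comparison: substring match, case-insensitive, ignoring very short values
    for attr in policy["profile_attrs"]:
        value = str(profile.get(attr, "")).lower()
        if len(value) >= 3 and value in low:
            failures.append(f"profile:{attr}")
    return failures

if __name__ == "__main__":
    who = {"first": "Jane", "last": "Doe", "login": "jdoe"}
    for candidate in ["Welcome2024!!", "jdoe-Rocks-2019", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", check_password(candidate, who) or "ok")
```

Returning the full failure list rather than stopping at the first rule is the design choice worth copying: it keeps the policy auditable (every rule is evaluated every time) and gives the user one round-trip instead of several.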
PASSWORD SYNCHRONIZATION CA Identity Manager can propagate passwords across
target systems, including synchronizing operating system-level password changes back to
CA Identity Manager across Windows, Unix and mainframe environments.
NATIVE WINDOWS LOGON CA Identity Manager has the ability to enhance the native
Windows Vista Credential Provider and Windows Graphical Identification and
Authentication (GINA) interfaces to add forgotten password functionality within the
standard Windows logon dialog.
FIGURE C: Customized versions of the web user interface. The CA Identity Manager web interface look and feel can be customized to accommodate the organization's requirements.
Integration
Identity Management benefits often depend on the ability to integrate with the existing IT
infrastructure and applications in a fast, scalable and non-intrusive fashion. CA Identity
Manager addresses these needs by providing a combination of rich, out-of-the-box connectors
and tools that easily facilitate integration with custom infrastructure and applications.
OUT-OF-THE-BOX CONNECTORS CA Identity Manager includes a broad set of pre-built
connectors that provide provisioning integration with many popular web, client-server and
mainframe applications. These include major computing platforms, enterprise applications,
databases, collaboration environments and industry-standard interfaces.
CONNECTOR XPRESS This wizard-driven utility allows you to generate custom connectors
via a graphical user interface without coding. Connector Xpress greatly reduces the level of
technical expertise which is generally required for creating connectors with other identity
management solutions. This enables the creation of custom connectors within hours rather
than days or weeks.
CONNECTOR SDK CA Identity Manager provides an SDK for developing Java-based custom
connectors. This is the same SDK used by CA in developing our out-of-the-box provisioning
connectors.
CA IDENTITY MANAGER CONNECTORS (* = native connection)
Mainframe Systems: IBM RACF, CA ACF2, CA Top Secret, DB2 for z/OS
ERP Systems: Oracle Applications, PeopleSoft, SAP, Siebel CRM
Groupware: Exchange 2000/2003, Exchange 2007, Lotus Notes Domino Server
Authentication Servers: RSA SecurID, ActivIdentity CMS, Entrust PKI
Host/Servers: Windows NT, Windows 2000, Windows 2003, Windows 2008, Active Directory, Sun Solaris, HP-UX, IBM AIX, HP Tru64, Red Hat Linux, SuSE Linux, AS/400, OpenVMS, Novell NDS/Binderies, HP NSK Safeguard, NCR MP-RAS, SGI IRIX
General Interfaces: JDBC/JNDI, LDAP, ODBC, SPML, SDK, Web Service/WSDL, Connector Xpress
CA Solutions: CA Single Sign-On, CA Access Control, CA Embedded Entitlements Manager, CA SiteMinder Web Access Manager*
Databases: IBM DB/2, Oracle, MS SQL Server
FIGURE D
CA Identity Manager delivers
out-of-the-box connectors for many
commonly used business applications
and IT platforms.
Reconciliation Services
Synchronizing identities and access rights across the enterprise requires bi-directional
connectivity with managed systems. In previous sections, we focused on the propagation
of changes from CA Identity Manager to endpoint systems. Reconciliation services, called Reverse Synchronization in CA Identity Manager, recognize changes made directly on endpoint
systems, determine if they are within policy and synchronize them across other systems
as appropriate.
SYSTEM ACQUISITION Once a new managed system is defined, the reconciliation service
discovers the list of existing accounts and automatically maps these accounts to users based
on correlation rules. Accounts that do not satisfy correlation rules are flagged as orphan
accounts for manual review. The system owner can either associate accounts to users, mark
them as System Accounts, disable accounts or delete accounts.
AUTHORITATIVE SYSTEM SUPPORT Authoritative systems are business applications or IT
platforms designated as the source of certain user or account attributes. For example, in
many enterprises a human resources application is the authoritative source for employee information such as full name, job title and organizational hierarchy. CA Identity Manager
supports the option to have multiple authoritative systems, each with authority over part of
the user population or a subset of attributes. The ability for changes made at authoritative
sources to override existing information in CA Identity Manager can be set at multiple levels:
USER Authoritative System records can be mapped to CA Identity Manager user
entities. Changes to these objects trigger tasks, such as Create User, Modify User
and Delete User.
ACCOUNT Authoritative System records are mapped to individual CA Identity Manager
accounts. An individual user may have multiple associated accounts with different
synchronization policies for different user profile and account attributes.
ATTRIBUTE An Authoritative System can be authorized to update certain
attributes but not others.
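How the user and attribute levels of authority fit together, as an added example in Python that is not CA Identity Manager code: an HR extract is allowed to create, modify and delete users and to write the attributes it is authoritative for, a badge system may only write its own attributes, and every write outside a source's authority is refused rather than silently applied. The source names, the authority map, the two feeds and the empty-feed guard are assumptions.

```python
"""Authoritative-source synchronization with authority set per attribute.

Added example, not CA Identity Manager code. The two sources ("hr" and
"badge"), the authority map and the feed records are constructed."""

# Which attributes each source is authoritative for (assumed policy).
AUTHORITY = {
    "hr": {"full_name", "title", "manager", "status"},
    "badge": {"building", "badge_id"},
}
# Only the HR feed drives the user lifecycle, i.e. may create and delete users.
LIFECYCLE_SOURCE = "hr"


def apply_feed(source, feed, users):
    """Reconcile one source's full extract against the user store (mutated in place).

    feed  : {user_id: {attribute: value}}  what the source currently holds
    users : {user_id: {attribute: value}}  the identity store
    Returns (tasks, refused): the Create/Modify/Delete tasks triggered, in order,
    and the (user_id, attribute-or-"create") writes refused for lack of authority."""
    if not feed:
        # A truncated or empty extract must never be read as "everyone left".
        raise ValueError(f"refusing empty feed from {source!r}")
    allowed = AUTHORITY.get(source, set())
    tasks, refused = [], []
    for uid, record in feed.items():
        if uid not in users:
            if source != LIFECYCLE_SOURCE:
                refused.append((uid, "create"))
                continue
            users[uid] = {k: v for k, v in record.items() if k in allowed}
            refused.extend((uid, k) for k in record if k not in allowed)
            tasks.append(("CreateUser", uid))
            continue
        changed = False
        for attr, value in record.items():
            if users[uid].get(attr) == value:
                continue                      # nothing to do, authority irrelevant
            if attr not in allowed:
                refused.append((uid, attr))   # source is not authoritative here
                continue
            users[uid][attr] = value
            changed = True
        if changed:
            tasks.append(("ModifyUser", uid))
    if source == LIFECYCLE_SOURCE:
        # Users absent from the lifecycle source's extract are treated as leavers.
        for uid in [u for u in users if u not in feed]:
            del users[uid]
            tasks.append(("DeleteUser", uid))
    return tasks, refused


def sample_store():
    """Constructed identity store used by the demonstration below."""
    return {
        "u100": {"full_name": "Jane Doe", "title": "Analyst", "status": "active", "building": "B1"},
        "u200": {"full_name": "John Roe", "title": "Engineer", "status": "active"},
    }


HR_FEED = {
    "u100": {"full_name": "Jane Doe", "title": "Senior Analyst", "status": "active", "building": "B7"},
    "u300": {"full_name": "New Hire", "title": "Intern", "status": "active"},
}
BADGE_FEED = {
    "u100": {"building": "B7", "status": "terminated"},   # badge system may not change status
    "u999": {"building": "B2"},                           # unknown user: badge may not create
}

if __name__ == "__main__":
    store = sample_store()
    print(apply_feed("hr", HR_FEED, store))
    print(apply_feed("badge", BADGE_FEED, store))
    print(store)
```

The empty-feed guard is the check a practitioner insists on: an upstream extract that fails and comes back empty must not be interpreted as every employee having left. In production the leaver path would normally disable accounts and hold them for review rather than delete outright.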
CHANGE RECOGNITION By comparing the known status of accounts in CA Identity Manager
with the actual assignment of these accounts in the target systems, Reverse Synchronization
discovers when unauthorized changes have taken place. Based on this, it can initiate
automated alerts or remediation processes such as triggering a manual review by an
administrator or initiating revert actions for these changes.
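The two reverse-synchronization steps above, SYSTEM ACQUISITION and CHANGE RECOGNITION, worked through in Python as one added example that is not CA Identity Manager code. Acquisition runs a list of correlation rules in order of confidence over an endpoint account dump and sorts the result into mapped, system and orphan accounts; change recognition then diffs the entitlements the identity store believes each account has against what the endpoint reports, and marks additions to sensitive groups for revert rather than review. The user records, rules, endpoint dump and sensitive-group list are constructed for illustration.

```python
"""Reverse synchronization: account correlation on acquisition of a managed
system, then change recognition (drift) against the recorded state.

Added example, not CA Identity Manager code. Users, correlation rules, the
endpoint dump and the sensitive-group list are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # managed system the account lives on
    name: str            # account name on that system
    attrs: dict          # attributes read from the endpoint
    groups: frozenset    # group / role memberships read from the endpoint


# Identity-store users (constructed).
USERS = {
    "u100": {"email": "jane.doe@example.com", "employee_id": "E100", "username": "jdoe"},
    "u200": {"email": "john.roe@example.com", "employee_id": "E200", "username": "jroe"},
}

# Correlation rules, tried in order of confidence; each returns a user id or None.
CORRELATION_RULES = [
    lambda a, users: next((u for u, p in users.items()
                           if a.attrs.get("employeeNumber") == p["employee_id"]), None),
    lambda a, users: next((u for u, p in users.items()
                           if a.attrs.get("mail", "").lower() == p["email"]), None),
    lambda a, users: next((u for u, p in users.items() if a.name == p["username"]), None),
]

SYSTEM_ACCOUNTS = {"svc-backup"}               # known service accounts (assumed)
SENSITIVE_GROUPS = {"Domain Admins", "wheel"}  # additions here are reverted, not reviewed


def correlate(accounts, users=USERS):
    """Map endpoint accounts to users; return (mapped, system_accounts, orphans)."""
    mapped, system, orphans = {}, [], []
    for acct in accounts:
        owner = None
        for rule in CORRELATION_RULES:
            owner = rule(acct, users)
            if owner:
                break
        if owner:
            mapped.setdefault(owner, []).append(acct)
        elif acct.name in SYSTEM_ACCOUNTS:
            system.append(acct)
        else:
            orphans.append(acct)       # left for manual review
    return mapped, system, orphans


def detect_drift(expected, observed):
    """Compare recorded entitlements with what the endpoint reports.

    expected: {(system, account_name): frozenset(groups)}
    observed: iterable of Account
    Returns (system, account, finding, detail, action) tuples."""
    findings, seen = [], set()
    for acct in observed:
        key = (acct.system, acct.name)
        seen.add(key)
        if key not in expected:
            findings.append((*key, "unexpected_account", "", "review"))
            continue
        for g in sorted(acct.groups - expected[key]):
            findings.append((*key, "group_added", g,
                             "revert" if g in SENSITIVE_GROUPS else "review"))
        for g in sorted(expected[key] - acct.groups):
            findings.append((*key, "group_removed", g, "review"))
    for key in sorted(expected.keys() - seen):
        findings.append((*key, "account_missing", "", "review"))
    return findings


# Constructed dump of an Active Directory endpoint called "ad".
OBSERVED = [
    Account("ad", "jdoe", {"employeeNumber": "E100", "mail": "Jane.Doe@example.com"},
            frozenset({"Staff"})),
    Account("ad", "j.roe", {"mail": "john.roe@example.com"},
            frozenset({"Staff", "Domain Admins"})),
    Account("ad", "svc-backup", {}, frozenset({"Backup Operators"})),
    Account("ad", "tmpadmin", {"mail": "x@example.com"}, frozenset({"Domain Admins"})),
]

# What the identity store last recorded for "ad" (constructed).
EXPECTED = {
    ("ad", "jdoe"): frozenset({"Staff"}),
    ("ad", "j.roe"): frozenset({"Staff"}),
    ("ad", "svc-backup"): frozenset({"Backup Operators"}),
    ("ad", "jroe-old"): frozenset({"Staff"}),
}

if __name__ == "__main__":
    mapped, system, orphans = correlate(OBSERVED)
    print("mapped:", {u: [a.name for a in accts] for u, accts in mapped.items()})
    print("system:", [a.name for a in system], "orphans:", [a.name for a in orphans])
    for finding in detect_drift(EXPECTED, OBSERVED):
        print("drift:", finding)
```

Rule order matters: an employee number is a stronger correlator than an e-mail address, which is stronger than a bare username, so the first rule that fires wins. The orphan "tmpadmin" sitting in Domain Admins is exactly the case manual review exists for; the drift report surfaces it on every run until someone claims, disables or deletes it.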
Auditing and Reporting
CA Identity Managers audit service captures a complete trail of business changes, provides
ad-hoc query capabilities and optionally integrates with CA Security Information and Event
Management (SIEM) solutions for cross-domain forensic and reporting analysis. In addition,
CA Identity Managers reporting services offer the following capabilities:
ENTERPRISE-CLASS REPORTING CA Identity Manager includes an embedded version of
Business Objects Crystal Reports XI. This scalable approach enables organizations to build
customized reports which support enterprise requirements.
SNAPSHOT WAREHOUSE Organizations can periodically schedule capturing of current
organizational access policy and actual entitlement assignments. The recorded information
is stored in a relational database as an individual snapshot, representing the status at a
particular date. Viewing the progression of snapshots stored in the warehouse provides a historical view of access assignments. This information can be used in a forensic scenario to
produce reports of assignments at a particular date, or for trending to show the evolution
over time and provide visibility into gradual changes happening in the organization.
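A minimal snapshot warehouse of the kind just described, as an added example in Python that is not CA Identity Manager code: each capture is stored as dated rows in a relational table, a point-in-time query returns the assignments in force on any date (the latest capture on or before it), a diff between two dates gives what was added and removed, and a grouped query gives the trend for one entitlement. The schema, the three monthly captures and the use of an in-memory SQLite database in place of the reporting database are all constructed for illustration.

```python
"""Entitlement snapshot warehouse: point-in-time ("as of") queries, diffs
between captures and trending over a relational store.

Added example, not CA Identity Manager code. The schema, the three captures
and the in-memory SQLite database standing in for the reporting database are
constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS snapshot (
    taken_on    TEXT NOT NULL,   -- ISO-8601 date of the capture; sorts correctly as text
    user_id     TEXT NOT NULL,
    system      TEXT NOT NULL,
    entitlement TEXT NOT NULL,
    PRIMARY KEY (taken_on, user_id, system, entitlement)
);
"""


def open_warehouse(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_snapshot(conn, taken_on, assignments):
    """Store one capture. assignments: iterable of (user_id, system, entitlement)."""
    with conn:
        conn.executemany("INSERT OR IGNORE INTO snapshot VALUES (?, ?, ?, ?)",
                         [(taken_on, u, s, e) for u, s, e in assignments])


def assignments_as_of(conn, date):
    """Entitlements per the most recent capture taken on or before `date`."""
    (latest,) = conn.execute(
        "SELECT MAX(taken_on) FROM snapshot WHERE taken_on <= ?", (date,)).fetchone()
    if latest is None:
        return set()
    rows = conn.execute(
        "SELECT user_id, system, entitlement FROM snapshot WHERE taken_on = ?", (latest,))
    return {tuple(r) for r in rows}


def diff_snapshots(conn, earlier, later):
    """(added, removed) assignments between the captures in force on the two dates."""
    before, after = assignments_as_of(conn, earlier), assignments_as_of(conn, later)
    return sorted(after - before), sorted(before - after)


def trend(conn, entitlement):
    """Distinct holders of one entitlement in every capture, oldest first."""
    return conn.execute(
        "SELECT taken_on, COUNT(DISTINCT user_id) FROM snapshot "
        "WHERE entitlement = ? GROUP BY taken_on ORDER BY taken_on",
        (entitlement,)).fetchall()


def build_sample_warehouse():
    """Three constructed monthly captures."""
    conn = open_warehouse()
    record_snapshot(conn, "2009-01-31", [
        ("u100", "ad", "Staff"), ("u200", "ad", "Staff"), ("u300", "sap", "FI_CLERK")])
    record_snapshot(conn, "2009-02-28", [
        ("u100", "ad", "Staff"), ("u200", "ad", "Staff"), ("u200", "ad", "Domain Admins"),
        ("u300", "sap", "FI_CLERK"), ("u400", "sap", "FI_CLERK")])
    record_snapshot(conn, "2009-03-31", [
        ("u100", "ad", "Staff"), ("u200", "ad", "Domain Admins"),
        ("u300", "sap", "FI_CLERK"), ("u400", "sap", "FI_CLERK"), ("u500", "sap", "FI_CLERK")])
    return conn


if __name__ == "__main__":
    conn = build_sample_warehouse()
    print("as of 2009-02-15:", sorted(assignments_as_of(conn, "2009-02-15")))
    added, removed = diff_snapshots(conn, "2009-01-31", "2009-03-31")
    print("added:", added, "\nremoved:", removed)
    print("FI_CLERK holders per capture:", trend(conn, "FI_CLERK"))
```

The as-of query is what answers an auditor's "who held FI_CLERK on 15 February"; note that it returns the January capture, because a snapshot only ever proves the state on the day it was taken, and the gap between captures is the window in which a short-lived assignment can go unrecorded. The diff between two captures is the natural starting point for an access-review campaign.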
OUT-OF-THE-BOX REPORTS CA Identity Manager includes a set of pre-built reports which
provide valuable visibility into the identity management operation and efficiency through
entitlements, policies and workflow insight.
IDENTITY AND ENTITLEMENT REPORTS
SECTION 5
The Strength of a Broad Identity Management Solution
Organizations are increasingly facing a variety of identity-related challenges, whether that
involves on-boarding new employees in a timely manner, providing users with self-service
password reset capabilities or ensuring the appropriate approval processes are tracked in a consistent manner. Identity Management solutions address these challenges while promising
significant efficiencies in operational costs, risk mitigation and regulatory compliance.
CA Identity Manager helps organizations maximize this potential value by covering all types
of users, over the broad range of applications used by your organization and throughout a
lifecycle of identity-related business processes. This is delivered on an architectural foundation
optimized to address the scalability and agility requirements of your organization in today's
ever demanding business environment.
FIGURE E
CA Identity Manager provides a robust enterprise-grade reporting framework using Business Objects Crystal Reports XI infrastructure.
CA Identity Manager provides native integration with CA Role & Compliance Manager to
enable your organization to manage user identities, roles and policies throughout their
lifecycles. Information about user identities and their privileges from CA Identity Manager
can be cleaned up and used as the basis for an accurate role model and identity compliance policies in CA Role & Compliance Manager. This information can then be fed back into
CA Identity Manager for use in role-based provisioning decisions and enforcement of
appropriate security policies.
CA Identity Manager is also part of the complete and proven Identity and Access Management
(IAM) solution from CA that helps you manage users and protect IT assets across all platforms
and environments. As such, it contributes to your ability to optimize the performance, reliability
and efficiency of your overall IT environment. CA Identity Manager provides integration which
enables you to provision to and manage users for many of CA's other leading IAM solutions,
including CA SiteMinder Web Access Manager, CA Access Control and CA Single Sign-On.
The next step is to tightly integrate the control and management of distinct functions such as
operations, storage and lifecycle and service management, along with IT security.
This higher level of management control is EITM, CA's vision for a dynamic and secure
approach that integrates and automates the management of applications, databases, networks,
security, storage and systems across departments and disciplines to maximize the full potential
of each. CA's comprehensive portfolio of modular IT management solutions helps you unify
and simplify IT management across the enterprise for greater business results.
SECTION 6
CA Identity Manager Improves Speed, Efficiency and Security
Identity management can take many forms depending on the needs of your organization. Each
element of identity management provides its own benefits, including the following:
Improved Operational Execution
Manually managing users or building user management into individual applications is an
expensive and time-consuming proposition. Between the labor and inevitable mistakes
involved in adding, modifying and removing users, ensuring each user has access that is
consistent with his/her relationship with the firm is typically tremendously expensive.
Automating many of these functions dramatically streamlines an organization's ability to
manage users (regardless of whether they are employees, authorized partners or customers).
CA Identity Manager can greatly reduce the security administration and help desk hours
spent by an organization. In addition, errors are minimized as automation ensures
that consistent and accurate accounts are created, modified and revoked on each target
system without human intervention. CA Identity Manager delivers what organizations need:
timely and error-free provisioning of accounts, credentials and entitlements.
Improved Administrative Control
Doing things cost-effectively is not enough anymore. Organizations also need to show they are
in control of who can access corporate data and their business processes. This task is difficult
enough for static resources, but becomes exponentially more challenging with the proliferation of additional applications, trading communities and collaborative business processes.
All told, this creates significant security exposure as poorly configured roles or access rights
can provide unauthorized users with access to sensitive information. Control is not just a
watchword; it is a corporate mantra. CA Identity Manager provides the broad platform and
application support to implement administrative consistency across target systems and ensure
that corporate policies are enforced, with detailed and tamper-proof audit records.
Increased User Satisfaction
Requiring users to deal with multiple identities for multiple applications stymies their ability
to get things done. There is also a lot to be said about providing positive early impressions for
new users by having everything (key applications, voice mail, email, facilities access) ready
when they need access.
CA Identity Manager provides advanced self-service capabilities and a sophisticated workflow
environment to map to your business processes, not vice-versa. Users that access the right
resources with consistent credentials can focus on their work and be more productive, without
worrying about their access or privileges.
Assistance in Compliance Efforts
There is no way around it: both internal and external auditors are a factor in all IT operations.
Understanding who has accessed what and why, and being able to document this and how someone
received data, is a critical aspect of proving compliance with various regulations around the world. The key requirement of virtually all IT/security-related regulations involves the creation
of strong internal controls. This means that all users must be uniquely identified, their access to
protected resources must be tightly controlled based on a defined security policy, and security
events must be easily auditable.
CA Identity Manager provides the ability to enforce clear segregation of duties, while providing
both system and compliance-specific reports to substantiate the controls during an audit.
SECTION 7: CONCLUSIONS
Identity management is a function that every organization needs to provide. Employees need
access to applications when they join or change roles within your company. Business partners
need data to perform their upstream processing functions. Customers need assistance when
they forget an account password or need to update their user profile. Your organization still
needs to track when these changes occur if they impact sensitive resources. These processes
are being performed on a daily basis; the question is, what does it cost your organization to
support them in terms of user satisfaction, productivity and security?
By automating these processes, CA Identity Manager provides a higher level of consistency
and efficiency that benefits both your organization and your users. On-boarding and off-
boarding employees can be conducted in a timely manner according to user roles and
corporate policies, both increasing security and improving user experience. Approval workflows are enacted as needed to ensure the proper sign-off before a user is provisioned with access to
accounts or physical assets. And each of these actions can be audited to help your
organization address regulatory compliance, privacy or governance objectives.
CA Identity Manager is an enterprise-class solution that provides all of these functions and
more. With superior scalability proven in some of the largest enterprises in the world, CA
Identity Manager has the ability to support the needs of all your users, of any type, across all
applications from the Web to the mainframe. While providing the flexibility to support virtually
any workflow process, enact a variety of policy-based controls and embed function into any
interface, CA Identity Manager supports the unique needs of your business and delivers a
seamless user experience.
To learn more about CA Identity Manager and its ability to help you to unify and simplify IT
management for better business results, visit www.ca.com/us/identity-management.aspx .
CA (NASDAQ: CA), one of the world's leading independent,
enterprise management software companies, unifies and
simplifies complex information technology (IT) management across the enterprise for greater business results. With our
Enterprise IT Management vision, solutions and expertise,
we help customers effectively govern, manage and secure IT.
MP343820
Learn more about how CA can help you