Identity Administration

Accelerate your IAM projects with a proven process framework

An ongoing component of any Identity Security program is ensuring that, as business requirements change (new applications are introduced and new identities are created), those applications and identities are continuously secured. As new applications are introduced, it is critical to integrate them into Omada so that identity access and provisioning can be automated and managed centrally.

Administration processes provide workflows to allow organizations to effectively onboard new business systems and applications. They also provide the ability to tag applications with meaningful descriptions. This enables end users to find the resources they need when making self-service requests and administrators to know what they are granting access to. The Administration processes allow for the efficient onboarding of new business applications into Omada, ensuring that new applications are governed by global policies and making password reset management and password policies easier to enforce.

As part of Omada IdentityPROCESS+, an identity governance framework focusing on best practice processes, Administration has several key components that are critical for ensuring that business efficiency is optimized, security is tight, and compliance is met.

 

Managing Administration

When a new business application – referred to as the target system – is deployed by an organization, it is integrated into the IGA system using the administration processes.

Before managers and end users can start to request access to resources via self-service processes or approve access requests, the resources are given a meaningful name to make it easier for users to find relevant business systems and for managers to know what they are granting access to. Once the setup is complete, administrators use the password management administration processes to set up password reset enrollment and authentication as well as overall password policies.

 

Why Identity Administration is important


Administration processes provide administrators with workflows to modify the target system resource or even terminate a resource no longer used by the organization.

The Administration process area includes the following process groups and sub-processes:

  1. Managing target systems
    • Create, modify, or terminate target system resources
    • Onboard applications
  2. Password management
    • Password policy
    • Unauthenticated password reset
    • Password reset enrollment
    • Authenticated password reset

The two process groups are further explained below.

Process Group: Managing Target Systems

Manages the connection of the IGA system to the target business systems so that the IGA system can centrally manage user access provisioning, changes, and deprovisioning.

Create, Modify, or Terminate Target System Resources

Information about the business systems, also referred to as ‘target systems’, needs to be imported into and managed in the IGA system so it can manage user access.

Process description. The target system resource processes allow administrators to connect the IGA system to the business systems, so they can read information such as user access rights from them and write new access rights to target systems.

This initial information is enriched so that the IGA system can function more effectively when implementing processes and rules. Once target system resources are retired from operation, they can be removed from the IGA system.

Best practice IGA system functionality. The target system resources are read into the IGA identity and access data system from the connected systems via data collector interfaces. All resources are then created in the IGA server.

Each of the target resources requires enrichment to include data related to ownership, show/hide request access, status and validity, attributes, approval levels, delegation, exclusive management, and post validity. Once this enrichment has been completed, the target system resource can be managed by the IGA system.

Technical process flow:

1.  Target system resources are read from connected systems into the IGA system
2.  Resources are loaded into the data repository
3.  Resources are created in the server or the onboard application process is used to create target system resources in the server
4.  The administrator or system and resource owners enrich the data in the IGA system

 

Onboard Application

Enables business applications to be defined in terms of multiple target systems to hide complexity from users requesting access and managers approving or refusing requests.

Business applications often need access to multiple resources which will be unknown to end users. The definition of an end user application needs to be simplified so that all the background complexity is hidden. This allows the user to quickly and simply select a single application they need without any understanding of the technical details, which not only reduces the time it takes to request access but also reduces the likelihood of errors in approvals by managers.

Process description. Each application may consist of multiple target systems. For example, an application that uses Active Directory for access control would consist of the application itself and Active Directory.

The systems that make up an application are defined, and the application is given a meaningful name and description. These names and descriptions are intended to make it easier for end users to find the applications they want to request access to, and for their managers to understand what they are approving.

Best practice IGA system functionality. The administrator defines the applications in the IGA system based on the multiple target systems it requires.

Once defined, the application roles are enriched with meaningful business descriptions and other attributes that enable end users to find them during self-service access requests.

The application’s description and data are verified and approved by an onboarding administrator and are then made available to the access request process by the IGA system.

Technical process flow:

1.  IT owner of the application starts the process and chooses the system
2.  IT owner defines the related physical systems
3.  IT owner can define other owners if necessary
4.  IT owner selects the business systems from the IGA server or data warehouse to be used in the application
5.  The business owner models application roles
6.  The business owner can define other business owners if necessary
7.  An application onboarding admin approves the modification to the application and related roles


Process Group: Password Management

Enables organizations to manage password policies for each business system as well as enabling users to securely reset their own passwords.

Password Policy

Password policies need to be enforced for each target business system being managed, based on that system’s required password strength. Password policies must be created so that minimum strength requirements are enforced and security is maintained across all systems.

Process description. This process ensures that password generation within the IGA system creates passwords that are equal to or stronger than the requirements for the business systems.

Best practice IGA system functionality. The password policy for each business system is described in terms that end users understand so they know, for example, which characters need to be included and how long the password should be. The data administrators create password policies in the IGA system to enforce the minimum strength policies. If necessary, a system owner can make changes to the password policy for the target systems they are responsible for, in order to maintain system security.

Technical process flow:

1.  Examine the existing password policies for systems where passwords will be generated
2.  For each system, define a password policy that matches or exceeds that of the target system
3.  Create password policy descriptions to help users when they are creating passwords
4.  Data administrators can create and maintain password policies in the IGA system
5.  System owners can assign the correct password policy to their target systems

 

Unauthenticated Password Reset

Users need a quick, efficient, and secure way to reset forgotten passwords without having to contact the helpdesk.

Process description. Users that have forgotten their passwords can reset them using a self-service process without having to contact the company helpdesk. This process relies on having the user answer pre-defined questions that they have set up in advance. If they answer the questions correctly then they are allowed to create a new password.

Best practice IGA system functionality. Once the user has entered a username into the self-service password portal, the IGA system checks to ensure that it is an active identity. The user is then presented with several challenge questions, which they must answer correctly. If these steps are completed successfully, the user enters a password.

The IGA system checks that the new password satisfies the password policies of all the systems that are enabled for password reset and then creates sync provisioning requests to perform the resets.

Technical process flow:

1.  A user who is unable to log in because he/she has forgotten the password logs in to the self-service password portal and enters a username. This username must be an active identity
2.  The user answers a predefined number of challenge questions selected during the enrollment process
3.  The user enters a new password, which must match or exceed the strength of the password policy
4.  The password is reset in the target systems which have been enabled for reset
5.  The owner of the technical identity is informed whether the process was successful or generated an error
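The two checks described above (that the IGA password policy matches or exceeds each target system's policy, and that a new password satisfies every system enabled for reset) can be sketched as follows. This is an added example, not Omada code; the PasswordPolicy fields, the system names and the sample policies are assumptions constructed for illustration.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical policy model; a real target system may expose other rules.
    min_length: int
    max_length: int = 128
    upper: bool = False
    lower: bool = False
    digit: bool = False
    special: bool = False


CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def violations(password, policy):
    """Return the rules of `policy` that `password` breaks (empty = compliant)."""
    found = []
    if len(password) < policy.min_length:
        found.append("min_length")
    if len(password) > policy.max_length:
        found.append("max_length")
    for name, chars in CLASSES.items():
        if getattr(policy, name) and not any(c in chars for c in password):
            found.append(name)
    return found


def policy_gaps(iga, target):
    """Rules where the IGA policy is weaker than, or incompatible with, the target's."""
    gaps = []
    if iga.min_length < target.min_length:
        gaps.append("min_length")
    # A longer IGA maximum would let users pick passwords the target rejects.
    if iga.max_length > target.max_length:
        gaps.append("max_length")
    gaps += [n for n in CLASSES if getattr(target, n) and not getattr(iga, n)]
    return gaps


def check_reset(password, targets):
    """Map each reset-enabled system to the rules the new password breaks there.

    Provisioning requests should only be created when the result is empty.
    """
    results = {name: violations(password, pol) for name, pol in targets.items()}
    return {name: broken for name, broken in results.items() if broken}


# Constructed sample data: two reset-enabled target systems and one IGA policy.
TARGETS = {
    "directory": PasswordPolicy(12, 128, upper=True, lower=True, digit=True, special=True),
    "mainframe": PasswordPolicy(8, 16, upper=True, digit=True),
}
IGA_POLICY = PasswordPolicy(12, 16, upper=True, lower=True, digit=True, special=True)
```

The maximum-length rule is the case that is easy to miss: a password that is stronger than every minimum can still be rejected by a system with a short upper limit, so the reset has to be checked per system before any provisioning request is created.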

 

Password Reset Enrollment

Challenge questions are used to ensure that self-service password resets are secure by verifying that the user is who they claim to be.

Process description. The password reset enrollment process allows the administrator to edit the challenge questions available to the user when they want to reset their password. These could include questions like “What is your mother’s maiden name?” or “What was the color of your first car?”

The IGA system uses these predefined challenge questions during an unauthenticated password reset to verify that the user is genuine.

Best practice IGA system functionality. The administrator selects the challenge questions within the IGA interface and then can edit those available to end users. The administrator can also set up other parameters, such as the number of questions to be shown, the number of reset failures before the identity is locked, and notification parameters.

If the end user has enrolled for self-service password reset, he/she will be presented with a set number of challenge questions, which are used to authenticate the user during an unauthenticated password reset.

Technical process flow:

1.  The administrator selects which challenge questions they want users to answer
2.  The administrator creates new challenge questions if required
3.  The administrator defines parameters, such as the number of questions that need to be answered and the number of reset failures that will cause the identity to be locked

 

Authenticated Password Reset

As it is good practice to use different passwords on a regular basis, users need a quick, efficient and secure way to change an existing password without having to contact the helpdesk. Managers or administrators may also determine that users should change their passwords if, for example, they suspect a password has been compromised.

Process description. This process allows users to perform self-service password resets without contacting the helpdesk.

Best practice IGA system functionality. Managers or operation administrators select whose password should be reset in the IGA system and the user is presented with the list of identities grouped by password policy where the underlying system is enabled for password reset.

The IGA system asks the user to enter their current and new password. The IGA system checks that the new password satisfies the password policy and creates a provisioning request to perform a synchronization.

Technical process flow:

1.  Manager or operation administrators start the password reset process
2.  The user selects the accounts that they want to reset
3.  The new password, which must m

 

Process Stakeholders

Within IGA processes, it is critical that multiple stakeholders are aligned and working together. For Identity Administration, the following teams must be involved:


  1. IGA Team
    • Manage target system resources in Omada and ensure connections are working properly
    • Create the challenge questions
  2. Business and Application System Owners
    • Ensure that enrichment data is added to target systems
    • Define which target system resources define end user applications
  3. Business Users
    • Interact with Omada to reset passwords

 

Key Best Practice Recommendations

Below is a set of key best practice recommendations that should be taken into consideration when implementing the administration processes in IdentityPROCESS+.

Enrich target system resources

Although the IGA system pulls in information from the target system, system and resource owners should add additional information, so that processes can run effectively. This information includes ownership of the target system, whether access requests should be shown or hidden, the status and validity of the target system, the approval levels required when granting access to the resource, and whether user access can be delegated to others.

Perform regular recertification of definitions of application roles

Applications and their underlying resource requirements change over time as systems are changed and upgraded. To ensure that the application role definitions are accurate, organizations should regularly recertify them to give resource owners the opportunity to update information about the target systems.

Password policies

When creating password policies, complex passwords should be used. As a minimum, the password policy should enforce the use of upper and lowercase letters as well as numbers. If the target systems support special characters, then the password policy should enforce their use as this will increase security by increasing the password strength.


Summary

The administration processes ensure the smooth onboarding of business systems, so they can be brought under the management of the IGA system. They also allow administrators to simplify self-service access requests by allowing them to group target systems into a single application that can be understood by end users requesting access rights to them and by managers approving them.

In addition, managing password policies and reset procedures means that organizations can keep control of their security while providing quick and efficient processes for users to reset their passwords.


Frequently Asked Questions

Which approval levels are needed to grant user access to each target identity governance and administration (IGA) system?

The approval levels required to grant user access to each target system depend on the organization’s policies and the sensitivity of the systems. Generally, a tiered approach is followed, where lower-level access requests may only require manager approval, while higher-level access requests may need additional approvals from department heads, data owners, or compliance officers. It is important to define and document the specific approval levels for each target system to ensure proper access controls.

Can access rights to each target system be delegated?

Access rights to target systems can be delegated in certain cases based on the organization’s requirements and the nature of the system. Delegation allows authorized individuals, such as managers or team leads, to grant and manage access rights on behalf of the system owner. However, it is crucial to establish clear guidelines and controls for access delegation to prevent unauthorized access or misuse. Delegation should be limited to trusted personnel and regularly audited to maintain accountability and security.

What are the minimum password strength requirements for each target system?

The minimum password strength requirements for each target system should be defined based on industry best practices and the sensitivity of the system’s data. Common password strength requirements include a minimum length, a combination of uppercase and lowercase letters, numbers, and special characters. It is recommended to enforce strong and unique passwords to minimize the risk of unauthorized access. Additionally, organizations can consider implementing password expiration policies and multi-factor authentication for added security. The specific password strength requirements may vary for different target systems based on their risk profiles and compliance requirements.

How does identity administration contribute to compliance efforts?

Identity administration ensures that access controls and policies are in line with regulatory requirements, thus supporting compliance efforts. By centralizing identity and access management, organizations can enforce global policies, manage user access privileges, and track user activity effectively. This aids in demonstrating compliance, generating audit reports, and mitigating the risk of unauthorized access or data breaches.

Can you explain building next-generation identity governance and administration infrastructure with cloud IGA?

Building a next-generation identity governance and administration (IGA) infrastructure with Cloud IGA involves leveraging cloud-based technologies and services to enhance the capabilities, scalability, and flexibility of identity management processes. It includes adopting a cloud-based identity governance and administration platform that offers features for user provisioning, access control, role-based access, identity lifecycle management, and compliance reporting while also enabling seamless integration with both cloud and on-premises applications.
