While User Provisioning forms the basis of an Identity Management (IDM) system, the concept of Role Governance and Compliance is becoming increasingly important to ensure that business rules are being followed during the identity provisioning process.
Lighthouse Gateway’s IDM services will help your business take control over organizational roles, providing effective governance that enforces your company policies. Powerful role governance capabilities within the Gateway’s IDM services include the following:
Dynamic Role Provisioning
At the heart of your Gateway IDM services lives a powerful engine that constantly evaluates the state of your user identities. This engine is continually inspecting your identities and determining whether an action is required to bring them into compliance with your role membership policies. By specifying business rules to govern your organization’s roles, the Gateway will monitor identities for changes that require user provisioning or de-provisioning from associated roles.
Because Gateway’s role provisioning can be automated based on your business rules, only users with the appropriate entitlements and characteristics are granted specific role memberships. Likewise, when user characteristics change and no longer fit the governing business rule for an organizational role, the Gateway will de-provision that membership. This ensures that rogue users and stray memberships never become a problem, and users with appropriate entitlements are immediately provisioned and kept current.
Role Modeling and Simulation
Crafting a role provisioning policy may take a few attempts. You may want to enforce a business rule that manages membership to a critical role, but you’re unsure what the results will be; Gateway’s Role Modeling and Simulation capabilities will allow you to test out hypothetical business rules without altering any identity data in your production environment.
Think you’ve got a new business rule that will govern membership to your ERP application? The rule can be written and taken for a test drive within the Gateway – all without risking unintentional results. Gateway’s simulation capabilities can allow you to dry-run a policy against a single user, a community of users, or your entire organization. Results of your simulations may even be exported for further analysis in 3rd party tools.
Separation of Duties
Preventing employees from gathering conflicting entitlements is a common challenge. For instance, users who have the ability to both place and approve purchase orders may be seen as having conflicting entitlements. Gateway’s dynamic provisioning engine can write separation of duties rules, ensuring that employees do not obtain conflicting entitlements that put your company’s compliance at-risk.
Reconciliation and Recertification
Although Identity Management systems are designed to prevent issues with provisioned applications, defects can sometimes arise. Take for example the Active Directory administrator who decides to give his buddies super administrator rights.
With Lighthouse Gateway’s reconciliation capabilities, you can schedule full “sweeps” of managed applications, cleaning up differences that may have occurred along the way. The reconciliation process will also recertify role memberships and existence of accounts on provisioned systems by comparing the current state of these systems to your intended business rules. Automated reconciliation allows your organization to streamline the recertification process and keep your provisioned applications from straying!
