What's New in the Oracle Identity Governance Suite
Dr. Stephan Hausmann
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
- Oracle Identity Governance
- Access Reviews
- Privileged Account Management
- Q & A
Overview: Oracle Identity Governance
Complete Identity Governance
- Collaborative access certification
- Automated provisioning
- Common governance infrastructure
- Secure privileged account management
- Enhanced performance
- Approvals workflow
- Role management
- WebSphere certification
- Intuitive access request
Oracle Identity Governance platform
- Manage access: access request, privileged account request, role lifecycle management, check-in/check-out
- Monitor access: identity certifications, IT audit monitoring, rogue detection and reconciliation, reporting and privileged access monitoring
- Access catalog: roles, entitlements, accounts; ownership, risk and audit objectives; catalog management; glossaries
Oracle Identity Governance 11gR2 PS1: overall goals, themes and features
- Single catalog: enable access request, access review and provisioning on a common data model and eliminate the need to synchronize common identity data.
- Converged identity certification, called Identity Auditor: enable identity certification on the common data model while harnessing Oracle technologies such as ADF, OES and SOA to make it consistent with OIM.
- Business-friendly customization: enable non-technical end users to perform business-friendly, patch-safe UI customizations with ADF tools.
- Business-IT collaboration in certifications: introduce workflow-based sign-off and delegation for both business and technical reviewers, leveraging SOA.
Business user friendliness: Identity Auditor in 11gR2 PS1
Usability enhancements
- Universal SOA inbox for organizing governance-related tasks
- Customization/personalization of the certification UI
- Inline certification analytics: certification history, action history and risk analytics using ADF charts
Further assistance with massive data
- MS Excel export/import
- Filter/search/sort on a consolidated table of all users and their access data
Workflow enhancements
- Workflow support so that business and IT collaborate on the same certification campaign
- Delegation support at all levels: the full certification, a subset of users or a subset of access
- Escalations, notifications and proxies using SOA
Oracle Identity Governance Platform Suite
- Products: Oracle Identity Manager, Oracle Identity Analytics, Oracle Privileged Account Manager
- Capabilities shown: identity administration, access request, provisioning, reconciliation, access certification, policy management, role lifecycle, monitoring dashboards, segregation of duties, password check-in/check-out
- Connected targets: ERP, DB and mainframes; Fusion Applications; cloud applications
Access Reviews
Oracle Identity Governance: risk-based certification
- Identity data sources: applications, DB, mainframe, roles, entitlements, resources
- Identity warehouse with risk factors: certification history, provisioning events, policy violations
- Risk aggregation classifies each user as low risk or high risk
- Low-risk users: bulk certify
- High-risk users: Cert360 view, focused sign-off (approve / reject)
Oracle Identity Manager 11g R2 Identity Auditor: certification configuration
- Familiar OIM interface for configuring certification campaigns
- Additional controls: optional two-phase review (business, then IT / data owners), final challenge stage and final sign-off
- Fine-grained control over entitlement certifications, e.g. for privileged accounts
Certification configuration
1. Define a name for the certification.
2. Define the type of certification: user, application instance, role or entitlement.
3. Select the base selection and the constraints that dictate which entities are included in the certification.
4. Choose whether to include users with no accounts; this helps identify orphan accounts. Select the roles, application instances and entitlements to cover.
5. The global definition is displayed first and can be modified as needed. Note the "Prevent self certification" option; multi-phase review can be enabled here.
6. Select the phase 1 reviewer (business certification). Optionally enable phase 2 (IT certification) and a final review (business certification); the final reviewer sees both phase 1 and phase 2 and can override the phase 2 decision.
7. Optionally enable incremental certification, which certifies only items changed within a date range. Enabling "Show previous values" displays all current values that existed in previous certifications together with the last decisions taken for that access.
Certification: multi-phased review
Business and IT collaborative access review for user certification:
- combines, within a single certification, the perspectives of business-oriented and technical reviewers;
- lets a certifier retain overall responsibility while delegating decisions to others;
- phases are optional.
Business review
- Required first phase of review.
- Typically the manager of each user.
Technical review
- Optional second phase of review.
- Typically the owner or an authorizer of each privilege.
Final review
- Optional final phase of review.
- Performed by the primary reviewer from the first phase.
- Can override decisions made in the technical review.
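The phase ordering, self-certification check, incremental scope and override precedence described in the configuration and multi-phased review slides above, as an added example. This is a hypothetical model written for this page, not Oracle Identity Manager / Identity Auditor code; the class and method names (AccessItem, Campaign, decide, outcome) are assumptions and not OIM APIs.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PHASES = ("business", "technical", "final")  # order in which phases run


@dataclass
class AccessItem:
    """One line item of a user certification: a user's entitlement (hypothetical model)."""
    user: str
    manager: str            # business (phase 1) reviewer, typically the user's manager
    entitlement: str
    owner: str              # technical (phase 2) reviewer: owner/authorizer of the privilege
    last_changed: date      # when the assignment last changed, used for incremental scope
    decisions: dict = field(default_factory=dict)  # phase -> "certify" | "revoke"


@dataclass
class Campaign:
    """Campaign definition mirroring the options on the configuration slides."""
    name: str
    items: list
    technical_phase: bool = False        # optional phase 2 (IT / data owners)
    final_review: bool = False           # optional final review by the phase-1 reviewer
    prevent_self_certification: bool = True
    incremental_since: Optional[date] = None  # certify only items changed on/after this date

    def enabled_phases(self):
        phases = ["business"]
        if self.technical_phase:
            phases.append("technical")
        if self.final_review:
            phases.append("final")
        return phases

    def in_scope(self):
        """Items the campaign covers; an incremental campaign drops unchanged items."""
        if self.incremental_since is None:
            return list(self.items)
        return [i for i in self.items if i.last_changed >= self.incremental_since]

    def reviewer_for(self, item, phase):
        """Who decides in a phase; the final review goes back to the phase-1 reviewer."""
        reviewer = item.owner if phase == "technical" else item.manager
        if self.prevent_self_certification and reviewer == item.user:
            raise PermissionError(
                f"{reviewer} cannot certify their own access to {item.entitlement}")
        return reviewer

    def conflicts(self):
        """Items whose assigned reviewer is the user being reviewed (needs reassignment)."""
        return [i for i in self.in_scope()
                if i.manager == i.user or (self.technical_phase and i.owner == i.user)]

    def decide(self, item, phase, actor, decision):
        if phase not in self.enabled_phases():
            raise ValueError(f"phase {phase!r} is not enabled in campaign {self.name}")
        if decision not in ("certify", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        if actor != self.reviewer_for(item, phase):
            raise PermissionError(f"{actor} is not the {phase} reviewer for {item.user}")
        # earlier enabled phases must have decided before a later phase may act
        for earlier in self.enabled_phases():
            if PHASES.index(earlier) < PHASES.index(phase) and earlier not in item.decisions:
                raise ValueError(f"{earlier} phase has not yet decided on {item.user}")
        item.decisions[phase] = decision

    def outcome(self, item):
        """Effective decision: the final review overrides the technical review, which
        overrides the business decision; items missing any enabled phase are pending."""
        if any(p not in item.decisions for p in self.enabled_phases()):
            return "pending"
        return item.decisions[self.enabled_phases()[-1]]
```

The `conflicts()` check is the part worth running before a campaign is launched: a user who is their own manager (or owns the entitlement being reviewed) would otherwise be handed their own access for sign-off, which is exactly what the "Prevent self certification" option exists to stop.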
Screenshots: certification phase 1 (manager review), phase 2 (technical review), final review, and offline mode.
Privileged Account Management
With great power come great risks
Privileged access: root access, databases, directory servers, Unix servers.
- Privileged accounts are a key entry point for fraud.
- Shared accounts used by multiple administrators are difficult to monitor.
- Excessive access privileges are the number one attack vector against databases.
Two big management problems: identifying privileged accounts, and tracking privileged accounts.
Introducing Oracle Privileged Account Manager
- Secure vault to centrally manage passwords for privileged (exclusive or shared) accounts
- Targets include databases, operating systems, LDAP directories and Oracle FMW applications
- Multiple access points for OPAM users and administrators
- Automatic password change using the Identity Connector Framework
- Policy-based password check-out and check-in
- Flexible usage policies
- Customizable audit reports through BI Publisher, and real-time status
- Extension to Identity Governance: OIM and OIA integration for complete governance
A typical use case (actors: user, Oracle Privileged Account Manager, LDAP server, HR application database, Unix server)
1. The user requests the DBA password for the HR application database. OPAM verifies against the LDAP server that the user is in the HR DBA role and returns the DBA password.
2. The user logs in as DBA and adds a table to the database; the system runs out of space.
3. The user requests the UNIX password; OPAM returns it.
4. The user logs in as superuser on the Unix server and adds disk space.
5. The user checks the passwords back in; OPAM sets a new DBA password for the HR application database based on the password policy for that database.
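The check-out / check-in cycle from the use case above, with the role check, the exclusive-versus-shared distinction and the policy-driven password reset on check-in, as an added example. It is a hypothetical model written for this page, not OPAM code: the Vault, PrivilegedAccount and PasswordPolicy names are assumptions, the role lookup is a plain dictionary standing in for the LDAP query, and the rotation only updates the vault record (real OPAM would push the new password to the target through an ICF connector).

```python
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Per-target password policy (hypothetical; e.g. the 'HR App Database' policy)."""
    length: int = 20
    classes: tuple = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")

    def satisfied_by(self, pw):
        return len(pw) >= self.length and all(any(ch in cls for ch in pw) for cls in self.classes)

    def generate(self):
        alphabet = "".join(self.classes)
        while True:  # rejection sampling: uniform over compliant strings, CSPRNG-backed
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.satisfied_by(pw):
                return pw


@dataclass
class PrivilegedAccount:
    target: str                  # e.g. "hr-app-db", "unix-01" (constructed names)
    name: str                    # e.g. "DBA", "root"
    policy: PasswordPolicy
    shared: bool = False         # shared accounts may be held by several users at once
    allowed_roles: frozenset = frozenset()
    password: str = field(default="", repr=False)
    checked_out_by: set = field(default_factory=set)

    def __post_init__(self):
        if not self.password:
            self.password = self.policy.generate()


class Vault:
    """Minimal check-out / check-in vault with an audit trail (hypothetical model)."""

    def __init__(self, role_members):
        self.role_members = role_members  # role -> set of users; stands in for the LDAP lookup
        self.accounts = {}
        self.audit = []                   # (event, actor, target, account)

    def add(self, account):
        self.accounts[(account.target, account.name)] = account

    def _authorized(self, user, account):
        return any(user in self.role_members.get(r, set()) for r in account.allowed_roles)

    def check_out(self, user, target, name):
        acct = self.accounts[(target, name)]
        if not self._authorized(user, acct):
            self.audit.append(("DENIED", user, target, name))
            raise PermissionError(f"{user} is not in a role allowed to use {name}@{target}")
        if not acct.shared and acct.checked_out_by and user not in acct.checked_out_by:
            raise RuntimeError(f"{name}@{target} is exclusive and held by {acct.checked_out_by}")
        acct.checked_out_by.add(user)
        self.audit.append(("CHECKOUT", user, target, name))
        return acct.password

    def check_in(self, user, target, name):
        """Release the account; rotate its password once no one holds it any more.
        Returns True when a rotation happened."""
        acct = self.accounts[(target, name)]
        if user not in acct.checked_out_by:
            raise RuntimeError(f"{user} has no active check-out of {name}@{target}")
        acct.checked_out_by.discard(user)
        self.audit.append(("CHECKIN", user, target, name))
        if acct.checked_out_by:
            return False            # another holder of a shared account still uses it
        acct.password = acct.policy.generate()   # the value the user saw is now dead
        self.audit.append(("ROTATE", "vault", target, name))
        return True
```

The design point is the rotation on check-in: the value handed out at check-out must not remain valid after the session, otherwise the vault only logs who asked, not who can still log in. For shared accounts the rotation waits for the last holder, which is also why shared privileged accounts are harder to attribute than exclusive ones.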
Screenshot: user check-out password screen.
OPAM benefits
- Enforce internal security policies and eliminate potential security threats from privileged users
- Cost-effectively enforce, and attest to, regulatory requirements
- Reduce IT costs through efficient self-service and a common security infrastructure
- Real-time usage reports
- Customizable audit reports with BI Publisher
www.oracle.com/identity
www.facebook.com/oracleidm
www.twitter.com/oracleidm
blogs.oracle.com/oracleidm