workflow
A Bull Evidian White Paper
Version 1.0
May 2006
Summary
2006 Evidian
The information contained in this document represents the view of Evidian on the issues discussed at the date of
publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a
commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after
the date of publication.
This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED,
IN THIS DOCUMENT.
We acknowledge the rights of the proprietors of trademarks mentioned in this book.
Contents
ACME uses workflow to manage identities and authorizations ..... 4
A single, centralized identity-management directory ..... 5
Administration fully based on a web interface ..... 5
The 3 major events in an employee's "lifecycle" ..... 6
Scenario 1: Recruiting a new employee ..... 7
Scenario 2: A change in an employee's function ..... 9
Scenario 3: Departure of an employee ..... 10
39 A2 60LT Rev00
Employee identities and the associated attributes are now managed from a single
point and trigger all the associated provisioning operations.
His function entitles him to an Active Directory account (Active Directory resources) and
to an Oracle account (accounting applications).
Previously, the request to create the accounts and their associated rights had to be
submitted on paper to the Active Directory resources administrator and to the
professional applications administrator.
[Figure: workflow steps: registration validation by the ISSM; creation of the Oracle account]
The new solution implemented by the IT Department is first used to create a valid user
identity then, in a second phase, to create user accounts on the target systems and
applications, while respecting the control procedures for the most sensitive
applications.
After validation, George Martin's accounts are automatically created in the Active
Directory resources directory and in the professional application used to manage
customer accounts.
The user's identity and all his authorizations were managed via a web interface. The
process followed an approval and notification workflow that ensured compliance with
security standards and request follow-up.
Thus, George Martin can access his applications and become operational very
quickly.
[Figure: workflow steps: modification of the job profile; validation of the new profile by management; application of the policy; deletion of the Oracle account associated with the old profile; notification of the ISSM; validation of the registration by the ISSM; creation of the Oracle account]
The resources associated with the Active Directory account are modified. On the other
hand, the modifications in Oracle correspond to a change of job: the initial Oracle
account is deleted, and a new one created and then validated by the ISSM.
George Martin can access his work environment for his new assignment. Furthermore,
all the accesses to the resources of the previous assignment are automatically
deleted.
The process associated with an employee's departure is used to delete his or her
access rights to resources.
Figure 5. George Martin leaves the company (workflow: report from the HRM about the user's departure)
When an employee leaves, his/her accounts are first disabled. They are then
present in the system but are unusable. Then, after a configurable period, they are
deleted. This mechanism allows traces of user accounts to be kept for a legally
specified period of time, for example.
AccessMaster offers a workflow environment in order to automate the access-authorization approval circuit.
Figure 6. Architecture (AccessMaster server with Provisioning and Web Interface modules; administrators via web interface; administration console; user directory; HTTP; target systems: Windows systems, Unix systems, mainframes)
This solution can handle the 3 scenarios associated with the major events in a user's
lifecycle. It also enables you, among other things, to:
The AccessMaster administrator has a view of all user authorizations, especially those
of George Martin.
Creating or modifying accounts on the target applications
At the end of the process, the Provisioning Manager module will create, modify,
disable or delete the users' accounts on the target systems. This provisioning module
provides status reports that, in case of success, can be used to close an
authorization-management process and, in case of failure, can be used to notify the
different players (administrator, ISSM, users, etc.).
Through secure SSO, which enables the user to use these logins and
passwords without knowing them, thanks to the enterprise SSO ("WiseGuard"
and "SAM SE"), web SSO ("SAM Web") or SAML management ("SAM J2EE")
modules.
The use of these solutions depends on the company's security policy and the level of
security required for the target applications.
Departure of an employee
The departure of an employee is a particularly sensitive issue that MUST be handled
within the framework of authorization management. When a user leaves the company,
all his/her application-access rights must be suspended on all the target systems.
The AccessMaster "Provisioning Manager" module automatically deactivates all the
user's rights for the target applications once it detects the deletion of his/her reference
in the company directory.
Figure 15. Departure of a user
For example, once the user George Martin no longer exists in the LDAP directory, his
accounts on the different systems are suspended. There are no longer any risks of the
use of dormant accounts, and the procedure has only taken a few minutes.
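The disable-then-delete mechanism described earlier (accounts first made unusable, then deleted after a configurable period) and the deprovisioning triggered by the user's disappearance from the directory, as an added example that is not AccessMaster code; the in-memory directory, target systems, 90-day retention period and day-numbered clock are assumptions:

```python
"""Added example (not Evidian/AccessMaster code): a minimal leaver workflow.
When a user's reference disappears from the directory, every account on the
target systems is first disabled (still present but unusable), then deleted
after a configurable retention period. Directory, target systems, retention
period and the day-numbered clock are assumptions of this model."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

RETENTION_DAYS = 90  # assumed value; the paper only says "configurable"

@dataclass
class Account:
    system: str                        # e.g. "ActiveDirectory" or "Oracle"
    enabled: bool = True
    disabled_on: Optional[int] = None  # day number; None while still enabled

@dataclass
class ProvisioningManager:
    directory: set[str]                 # user ids still present in the directory
    accounts: dict[str, list[Account]]  # user id -> accounts on target systems
    audit: list[str] = field(default_factory=list)

    def reconcile(self, today: int) -> dict[str, list[str]]:
        """One pass over all users; returns a status report per affected user,
        which the workflow can use to close the process or notify the ISSM."""
        report: dict[str, list[str]] = {}
        for user, accts in self.accounts.items():
            if user in self.directory:
                continue                      # still employed: nothing to do
            for acct in accts:
                if acct.enabled:              # step 1: disable, keep a trace
                    acct.enabled, acct.disabled_on = False, today
                    self.audit.append(f"day {today}: disabled {user}@{acct.system}")
                    report.setdefault(user, []).append(f"disabled:{acct.system}")
                elif today - acct.disabled_on >= RETENTION_DAYS:  # step 2: delete
                    self.audit.append(f"day {today}: deleted {user}@{acct.system}")
                    report.setdefault(user, []).append(f"deleted:{acct.system}")
            # physically remove accounts whose retention period has expired
            self.accounts[user] = [a for a in accts
                                   if a.enabled or today - a.disabled_on < RETENTION_DAYS]
        return report

def can_log_in(pm: ProvisioningManager, user: str, system: str) -> bool:
    """What a target system checks: the account must exist *and* be enabled."""
    return any(a.system == system and a.enabled for a in pm.accounts.get(user, []))
```

Running `reconcile` daily reproduces the paper's behaviour: the day the directory entry is gone, logins fail everywhere, while the audit trail and the disabled accounts survive until the retention period expires.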
[Figure: potential annual savings per category; the figures shown are 80,000, 172,500, 63,300 and 160,000, and the categories include the help desk and system administrators]
The total potential annual savings were estimated at 475,800. This return on
investment calculation was validated by the company's finance department and was a
key factor in the decision to launch the project.
The efficiency of the company's employees has been improved thanks to the
decrease in the time spent waiting to obtain user rights or user right modifications.
The time has dropped from several days to just a few minutes.