“Nazdar Karle, Jarda, prosím tě, zejtra mi nastoupí ten brigádník. Potřebuju, aby měl všude přístup, dík“. Karel pak jde, do Active Directory založí nový účet. Přidělí mu emailovou schránku v MS Exchage. Vygeneruje heslo a pošle ho mailem Jardovi. Atributy účtu, případně AD skupiny nastaví dle svého nejlepšího vědomí a svědomí. I takhle může vypadat správa účtů (Identity Management) a do určité míry je i funkční, ale:
- Přijde audit a bude chtít vědět, na základě čeho dostal uživatel účet v AD? Kdo o to požádal a kde je o tom záznam? Existuje nějaká standardní matice práv pro zaměstnance?
- Proč má Karlův účet atributy, takové, jaké má?
- Kdo schválil jeho práva v AD?
- Jarda odchází, musíte řešit předání “know how” rutinních operací v IT systémech – založ účet, smaž, archivuj, blokuj schránku, obnov…
- Jak se předává heslo, kdo všechno ho měl v ruce?
Jde to i jinak.
We proudly introduce our new version of identity manager CzechIdM called Hematite. The new version comes with a huge improvement of the event processing, so we decided to raise the major version of our software even though the API of modules and thus the compatibility has not changed.
Of course, event processing is not the only feature we improved. We also added a new workflow that takes care of the automatic roles definition approvement. Moreover, we did a great job in localization. From now on, all task names can be localized into other languages than English, as the rest of the CzechIdM.
Since MS AD is the major directory service spread across the enterprise environment, connecting it to our identity manager CzechIdM is one of the most frequent task we come across. This text is a short tutorial of how to manage accounts of users in AD via an identity manager CzechIdM. It will guide you through all the steps from the connector setup to the system provisioning configuration.
This tutorial will show you how to connect AD as target system for users (their accounts) from CzechIdM. We will use AD bundle connector from connId framework.
Before you start
First of all, you need to download the connector from Connid (e.g. Connid AD bundle 1.3.4 jar file). Then import the jar file into your application server library classpath. In case you installed CzechIdM into tomcat, then it can be placed there. If your CzechIdM is running, refresh web browser window (e.g. ctrl+F5).
Workflow is a magic word almost like MAC, both has several meanings. Which meaning is the right one in case of workflow? What does it represent in the identity management context, you will find out in the article.
Three weeks after the Diamond was released, here comes a new stable version of CzechIdM called Emerald. It provides many interesting new features as well as some bugfixes. Check out the post to see what brings the latest version of our identity manager.
If you have a system connected to CzechIdM, e.g. MS Active Directory, on which you want to control provisioning operations (create, update, delete) the provisioning brake is the right choice. With provisioning brake you have control over how many operations for a specified system is done over a defined period of time. It is also possible to set a warning or disable limit for each operation. After exceeding the each limit administrators are notified by email.
Identity manager helps on the field of privileges management. It can solve tasks like roles evidence and distribution or role assignment to users. Another benefit of identity manager is that role assignment can usually be driven by workflow and user tasks. How does it work in CzechIdM, you will find out in the article.
Everyone knows that an identity manager automatically handles access rights of users in connected systems. But how does it do that? CzechIdM 7 comes with a set of default processes that do the job. What are they about you will find out in the article.
You installed CzechIdM and then connected systems to it. You prepared provisioning and synchronization definitions with attributes mapping. Well done, now you can automatically distribute information about identities, roles and other object between connected systems. But what to do, if there is some attribute value transformation required? You will find you in the following text.
Reg module servers as a registration point for new users to access CzechIdM. To be a registered user, one has to go through several validation steps before he can log in to CzechIdM. In the article we will describe, how the reg module can save administrator’s time. Continue reading
New version of CzechIdM brings new approach to the application configuration. We can use easy static configuration or define configuration properties in the application itself and do some advanced magic. In the article we will go through the application configuration and show the reader how easily activate installed modules. Continue reading