Use cases for automated user administration
This section provides use cases to illustrate how automated user administration can be implemented with Bravura Identity.
HR Database
Existing process
Case-1 Company currently uses a manual procedure for login ID additions and changes. When a new employee is hired, Human Resource personnel enter data into a PeopleSoft database. The employee’s manager must then ask individual security administrators to set up access on the following systems:
Windows 2008 Active Directory
Lotus Notes ID files
Lotus Notes Domino/HTTP
Siebel CRM
Oracle database application
Requirements
Case-1 Company needs to continue to use the existing hiring and data input processes, and enhance them by propagating user information and automating the creation of login IDs on target systems.
Solution design
Bravura Identity polls the existing HR system (PeopleSoft) for changes and automates standard administration tasks such as the creation of login IDs.
Case-1 will use its existing process for input, routing and approval. New access request data will be entered into the PeopleSoft application, including:
The systems to which users should have access
Details on the attributes required by other systems to create the new accounts
A process is implemented to extract data from PeopleSoft and propagate it to target systems.
The new process is as follows:
Human Resource personnel enter data for a new access request into PeopleSoft.
Bravura Identity periodically checks the database for new access requests, and automatically creates accounts on systems managed by Bravura Identity.
This process is illustrated below:

Account synchronization
Existing process
Case-2 Company currently has manual processes for creating accounts on Active Directory and Solaris 8 systems. The two systems use two different conventions for creating login IDs.
Requirements
Case-2 Company wants to synchronize user login IDs and passwords in Case-2’s Active Directory and Solaris 8 environments. To ease the synchronization for existing users and new users, Case-2 requires a tool that can:
Do a bulk synchronization for users that currently exist in Active Directory, but not Solaris 8.
Monitor new account creation in Active Directory on an ongoing basis and create an account with a synchronized ID in the Solaris 8 environment.
Synchronize the users’ passwords after the accounts have been provisioned.
Case-2 wants to combine the Active Directory display name and phone number to create users’ full names on Solaris 8.
Solution design
To meet the requirements described above, the company will:
Manually rename existing login IDs on Active Directory to be consistent with the login ID naming standard on Solaris.
Configure Bravura Identity to target:
Windows 2008 Active Directory - 1 domain; specific OUs only.
Solaris 8 - using standard PAM module “pam_unix_so.1”; in a non-NIS/NIS+ environment.
Configure Bravura Identity to do a one-time bulk creation of accounts that exist on Active Directory, but not on Solaris.
Configure Bravura Identity to monitor Active Directory for new accounts on a configurable schedule:
If a new login ID is detected, then the user’s information is propagated, and a new account is created in the Solaris environment.
The account created on Solaris is initially assigned a random password.
The Solaris user’s full name is formed from the Active Directory display name and phone number (for example: John Doe 555-555-1212).
Inform users who have a new account on Solaris that they must change their password in Active Directory before using their new Solaris account.
Synchronize passwords on Active Directory and Solaris using Bravura Pass’s transparent password synchronization technology.
Users now have a synchronized login ID and password on Active Directory and Solaris. The process is illustrated below.
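The monitoring step of the solution design above can be sketched in code. This is an added example, not Bravura Identity's own code or configuration: the account data is constructed, and the function names and the 8-character login rule are assumptions. It finds Active Directory accounts missing on Solaris, builds the full-name field from display name and phone number, strips characters that would corrupt a passwd entry, and assigns a random initial password.

```python
import re
import secrets
import string

# Constructed sample data standing in for the AD OU listing and Solaris /etc/passwd.
AD_ACCOUNTS = [
    {"login": "jdoe", "display_name": "John Doe", "phone": "555-555-1212"},
    {"login": "asmith", "display_name": "Ann Smith", "phone": "555-555-3434"},
    {"login": "mroe", "display_name": "Mal:0:0 Roe\n", "phone": "555-555-5656"},
    {"login": "Bad Login", "display_name": "Bad Login", "phone": "555-555-7878"},
]
SOLARIS_LOGINS = {"root", "asmith"}

# Assumed Solaris login naming standard: lowercase start, at most 8 characters.
LOGIN_RE = re.compile(r"[a-z][a-z0-9_-]{0,7}")
PW_ALPHABET = string.ascii_letters + string.digits


def gecos(display_name, phone):
    """Full name as 'display name + phone', safe to store in a passwd field."""
    raw = f"{display_name} {phone}"
    # ':' separates passwd fields and a newline starts a new entry, so drop both.
    cleaned = re.sub(r"[:\x00-\x1f\x7f]", "", raw)
    return " ".join(cleaned.split())


def random_password(length=20):
    """Initial password from the OS CSPRNG; the user never learns it."""
    return "".join(secrets.choice(PW_ALPHABET) for _ in range(length))


def plan_new_accounts(ad_accounts, solaris_logins):
    """Return (to_create, rejected) for AD accounts with no Solaris account."""
    to_create, rejected = [], []
    for acct in ad_accounts:
        login = acct["login"]
        if login in solaris_logins:
            continue  # already synchronized
        if not LOGIN_RE.fullmatch(login):
            rejected.append(login)  # needs a manual rename in AD first
            continue
        to_create.append({
            "login": login,
            "gecos": gecos(acct["display_name"], acct["phone"]),
            "password": random_password(),
        })
    return to_create, rejected


if __name__ == "__main__":
    created, skipped = plan_new_accounts(AD_ACCOUNTS, SOLARIS_LOGINS)
    for entry in created:
        print(entry["login"], "->", entry["gecos"])
    print("rejected:", skipped)
```

Because the initial password is random and never disclosed, the new Solaris account stays unusable until the user's Active Directory password change is synchronized to it.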
