
  • 7/30/2019 Im Capabilities and Architecture


TECHNOLOGY BRIEF: CA IDENTITY MANAGER

CA Identity Manager: Capabilities and Architecture

Ehud Amiri, CA Security Management


Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Table of Contents

Executive Summary

SECTION 1: Managing Complexity Created by Volume and Diversity

Accommodating Changing Compliance and Regulation Requirements

The Identity Management Payoff

SECTION 2: CA Identity Manager Architecture Overview

Application Layers

Data Repositories

Software Development Kit

SECTION 3: Designed for Enterprise-Class Scalability and Security

SECTION 4: CA Identity Manager Capabilities

Provisioning/De-Provisioning

User Self-Service

Delegated Administration

Integrated Workflow

Role-Based Access Control

Interface Customization

Password Management

Integration

Reconciliation Services

Auditing and Reporting

SECTION 5: The Strength of a Broad Identity Management Solution

SECTION 6: CA Identity Manager Improves Speed, Efficiency and Security

Improved Operational Execution

Improved Administrative Control

Increased User Satisfaction

Assistance in Compliance Efforts

SECTION 7: Conclusions


Executive Summary

Challenge

As the distinction between employee, business partner and customer identities blurs, organizations must ensure that users get access to the RIGHT applications at the RIGHT time. Unfortunately, traditional approaches to granting and removing this access, heavily based on manual processes, are costly and prone to errors. At the same time, external regulatory oversight and internal governance practices mandate that these interactions be managed in compliance with corporate access policies, such as ensuring proper segregation of duties, approval workflow and audit. The challenge is in balancing the expectation of today's users for immediate access against the organizational need to secure their applications, data and other resources.

Opportunity

Optimizing and standardizing the processes involved in managing user identities can result in a variety of business and security benefits. CA Identity Manager provides a comprehensive identity administration and user provisioning solution that manages all types of identities and covers a comprehensive set of target systems across the full identity lifecycle, from creation to modification to removal. In addition, CA Identity Manager improves security by providing an authoritative point of identity administration, enforcing consistent identity policies and auditing identity-related actions.

Benefits

By automating processes, identity management solutions provide a higher level of efficiency that improves operational execution, consistent control and user satisfaction while assisting in compliance efforts. For example, enforcing approval workflows ensures the proper sign-off before access is granted, and auditing each action helps improve security, decrease risk and address regulatory compliance objectives. CA Identity Manager is an enterprise-class solution that provides provisioning, user self-service, identity administration and more. With superior scalability, CA Identity Manager supports the needs of all your users across all applications, from the Web to the mainframe. With the flexibility to support virtually any workflow process, implement delegated administration for a range of management models, enact a variety of policy-based controls and embed identity management functions into your existing applications, CA Identity Manager supports the unique needs of your business.


SECTION 1

Managing Complexity Created by Volume and Diversity

The typical enterprise supports IT operations on a massive scale. Multiple decades of deploying technology have resulted in literally hundreds of applications needed by an exponentially larger set of users. Application access must be provisioned not only for employees, but increasingly for others including business partners, contractors and customers. As a result, a large enterprise may have millions of separate entitlements to manage.

Compounding this issue, many businesses have followed the path of cutting-edge technology, migrating from mainframes, through client-server systems, to early groupware, Internet-based computing, and now to network-based services that operate in the cloud. Yet, with every major technology transition, old applications and infrastructures stay in place, requiring ongoing maintenance and investment. Thus, the resulting enterprise IT landscape is more heterogeneous and more complex.

In light of this complexity, managing user accounts, entitlements, credentials and access can no longer be done in an ad hoc, decentralized or manual fashion. These management models introduce the potential for human error and improperly configured systems and applications. Furthermore, this approach presents costly overhead and creates inconsistencies in how corporate policies are enforced, if at all. Ultimately all of these issues increase risk, both to your data and to your customer relationships.

Accommodating Changing Compliance and Regulation Requirements

In addition to this operational complexity, virtually every organization is directly or indirectly impacted by regulatory and industry initiatives such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the European Union Privacy Directive or the Payment Card Industry Data Security Standard (PCI DSS).

Each of these regulations addresses aspects of business risk which have a profound impact on data security and IT controls. For example, SOX is focused on ensuring the security, integrity and reliability of corporate financial reports. As such, it established direct involvement and accountability for a company's principal officers to validate the security and accuracy of financial statements. Similarly, the HIPAA Privacy Rule regulates the use and disclosure of protected health information, while PCI DSS focuses on enhancing the protection of credit card holder information; both have wide-ranging security implications regarding how persons gain access to this information.

Many organizations look to frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and related Technology (COBIT) for best-practice guidance on which security aspects they need to account for. The benefit of these frameworks is that they provide a standard mapping of regulatory requirements into specific IT security controls, including how organizations should manage their identities, entitlements and the relationships between them. The key is leveraging cost-effective solutions with the ability to enforce these IT security controls across the entire enterprise.


The Identity Management Payoff

Identity Management solutions provide consistency by automating the management of relationships between people (e.g. employees, partners and customers), their credentials (e.g. Active Directory, mailbox and ERP accounts) and their access rights on each system. In doing so, Identity Management solutions enable enterprises to address the previously stated challenges by:

REDUCING ADMINISTRATIVE COSTS Offloading labor from IT teams by automating many day-to-day administrative tasks such as creating accounts on target systems for new employees. Identity Management also enables IT to decentralize certain responsibilities using robust, controlled delegation and self-service capabilities including password resets.

SUPPORTING COMPLIANCE INITIATIVES Enforcing security controls mandated by regulations, compliance frameworks and internal/external auditors. For example, implementing sign-off processes for granting sensitive resource access, limiting excessive rights, eliminating orphan accounts and enforcing password management policies.

INCREASING ACCOUNTABILITY Implementing centralized identity administration processes across systems with consistent approval workflow and detailed audit trails gives enterprises the ability to answer fundamental questions such as "Who has access to what?", "Why was that granted?" and "Who approved it?"

MANAGING THE ENTERPRISE SCALE Realizing each of these benefits is predicated on the ability to support enterprise scalability and distribution requirements, which can involve millions of resources over thousands of applications. Identity Management solutions that are architected to address these scalability requirements will enable a successful implementation of their product capabilities.

The rest of this document provides deeper insight into CA's approach to Identity Management by describing CA Identity Manager's architecture and key capabilities.

SECTION 2

CA Identity Manager Architecture Overview

CA Identity Manager is architected in a layered fashion to logically separate front-end components from the back-end provisioning engine. This enables tremendous scalability, capable of supporting the requirements of even the largest enterprises. This distributed computing approach enables you to implement high availability and disaster recovery at each layer as requirements dictate. It also provides deployment flexibility, allowing you to start with a basic implementation and add capacity and functionality over time.



Application Layers

Each application layer represents a logically independent function within CA Identity Manager which interfaces with the other application layers. Layers are sometimes deployed separately to meet customers' security or scalability requirements. CA Identity Manager's application layers include:

IDENTITY MANAGER APPLICATION This standards-based J2EE application serves as the user interface and business logic layer. It includes the web user interface, the delegated administration framework and workflow, policy evaluation, audit and reporting services.

PROVISIONING SERVER Provides IT logic services, including translation between business and IT terminology and mapping users to their target system credentials. It also provides synchronization and reconciliation services to push necessary changes to endpoint systems and to identify changes made outside of CA Identity Manager.

CONNECTOR SERVER Interfaces with target systems and applications via connectors to support provisioning tasks. Depending on the load, network topology and network security requirements of your environment, one or more Connector Servers may be deployed. These can be co-located with the Provisioning Server or distributed on remote machines; because a Connector Server authenticates to the endpoints it manages, its placement relative to the network zones of those endpoints is usually what decides the distributed layout. CA Identity Manager includes a large set of out-of-the-box connectors for commonly used business applications and IT systems. In addition, custom connectors can be developed to support provisioning to home-grown applications.

FIGURE A: CA Identity Manager architecture. CA Identity Manager's layered architecture is optimal for supporting the flexibility and scalability required by today's enterprises.


Data Repositories

Each data repository represents a logical, permanent store for certain types of data elements required by CA Identity Manager, such as user records, audit records and configuration data. CA Identity Manager's data repositories include:

CORPORATE IDENTITY STORE This serves as a centralized, authoritative repository for users, groups and organizational units. For enterprises which already have a centralized repository serving this purpose, CA Identity Manager can leverage this data source without replicating any existing data. Commonly used commercial LDAP and RDBMS servers are supported.

PROVISIONING STORE This is an internal repository which maintains the mapping between users in the Corporate Identity Store and their associated accounts on managed systems and applications. Endpoint metadata is also stored in this repository.

RUNTIME DATABASE This internal repository maintains runtime information, such as audit trails, detailed transaction history, transient workflow status and configuration data about roles, policies and workflow definitions.

Software Development Kit

The CA Identity Manager Software Development Kit (SDK) includes a set of documented application programming interfaces (APIs) that let you integrate and extend CA Identity Manager capabilities for your specific environment.

TASK EXECUTION WEB SERVICES (TEWS) A Web Services API that enables third-party applications to remotely submit CA Identity Manager tasks for execution. Organizations use this capability to embed Identity Management services into the existing applications that their users already know and are comfortable with.

BUSINESS LOGIC SDK A set of Java-based APIs that can be used for embedding custom business logic inside Identity Management policies. This includes both customization of presentation logic (e.g. Logical Attribute Handlers and Business Logic Task Handlers) and backend logic (e.g. Event Handlers and Workflow APIs).

JAVA CONNECTOR SERVER SDK Used to develop custom connectors which support provisioning to home-grown applications. These custom connectors may include provisioning of accounts and groups, association of group memberships and validation logic.

SECTION 3

Designed for Enterprise-Class Scalability and Security

CA Identity Manager is deployed by some of the largest enterprises in the world, including those which require the highest degrees of scalability and around-the-clock availability. This same level of service benefits not only large enterprises, but customers of various sizes across various industries. CA Identity Manager's flexible, layered architecture has been designed to support enterprise needs, including:

LAYERED CLUSTERING Clustering is supported at every CA Identity Manager infrastructure layer, including the Identity Manager Application, Provisioning Server, Connector Server and repositories. Clustering support addresses high availability as well as load balancing requirements.


COMPONENT DISTRIBUTION Depending on a customer's specific load requirements, CA Identity Manager can be extended horizontally by adding machines in a mirrored fashion. Alternatively, the deployment can be extended vertically, by dedicating machines to the specific functions which carry the highest loads. For example, customers expecting a massive propagation of endpoint changes can deploy additional temporary provisioning servers to be used as batch servers.

SCALABILITY USING CA DIRECTORY Optionally, CA Identity Manager can leverage CA Directory as the corporate identity store. CA Directory supports both LDAP and X.500, and meets the toughest scalability and performance requirements and hardware constraints, as demonstrated in a recent 100 million user scalability test conducted by an external testing laboratory.

Recognizing that CA Identity Manager often maintains highly sensitive information, CA makes continuous investments to ensure the highest levels of internal product security. This enables the management of users and their access rights across the entire enterprise, while maintaining the highest product security disciplines in accordance with industry best practices.

CRYPTOGRAPHY CA Identity Manager uses the Advanced Encryption Standard (AES) to protect sensitive data, implemented with the proven RSA BSAFE cryptographic libraries Crypto-J v3.5 and Crypto-C ME v2.0. The product's cryptographic requirements cover the encryption algorithms, key sizes and implementation rules used for handling sensitive data.

FIPS 140-2 SUPPORT Federal Information Processing Standard (FIPS) 140-2 is the U.S. government standard for validating cryptographic modules, covering the approved algorithms, key management and implementation of the cryptographic libraries. CA Identity Manager supports operation in accordance with FIPS 140-2.

DATA SECURITY CA Identity Manager secures data in transit by using secured protocols over all communication channels between components and endpoints. In the majority of cases this means standard protocols over SSL (in current deployments, TLS), such as HTTP over SSL (HTTPS) and LDAP over SSL (LDAPS); data at rest is protected with the AES encryption described above. When configuring an endpoint, verify that the connector is pointed at the secured port rather than the plaintext one, since most target systems accept both.

SECTION 4

CA Identity Manager Capabilities

CA Identity Manager provides a comprehensive set of functions which enable you to automate the various identity management processes in your organization. These capabilities provide added value when used in conjunction with one another, but can often be implemented in a standalone fashion, enabling phased deployments. This section discusses the various capabilities of CA Identity Manager.

Provisioning/De-Provisioning

Provisioning involves automating the process of adding, modifying and deleting users and their attributes. This includes managing users' profile attributes, including their role memberships and their associated access rights. CA Identity Manager supports these operations and goes beyond the traditional boundaries of organizations to automate these processes across the extended enterprise.


ALL IDENTITY TYPES IT organizations are increasingly asked to manage identities across the enterprise, whether that includes internal users (e.g. employees), external users (e.g. customers or partners) or identities not directly owned by a single person (e.g. root accounts). CA Identity Manager provides a single solution with the ability to manage all types of identities, providing greater consistency across the entire enterprise.

FINER-GRAINED ENTITLEMENT MANAGEMENT CA Identity Manager can manage entitlements at a range of depths, from coarse- to finer-grained entitlements. For example, customers who have invested in developing detailed SAP role models can automate provisioning down to the SAP role level. Unlike traditional identity management systems, CA Identity Manager reads these roles directly out of the target systems instead of requiring a redundant definition of each SAP role in CA Identity Manager. These application roles can be augmented by CA Identity Manager business roles in defining workflows and business processes. This flexibility is important in leveraging existing investments, reducing replication of data and driving down the cost of maintaining the deployment over time.

POLICY MODELING Policy Xpress lets you configure policies that execute your unique, complex business processes. Traditional approaches generally achieve this through custom code development, but this wizard-based tool lets you build policies in-house within hours, rather than requiring weeks of programming. This helps reduce the costs of internal development and ongoing maintenance, and you will no longer be locked into unsupported, aging software. With Policy Xpress, you can quickly and easily respond to organizational change without having to manage an entire software development effort.

MASS UPDATES Organizations often need to support massive entitlement changes as a result of enterprise structure changes, such as the merging of business units or the acquisition of new companies. CA Identity Manager supports these types of mass changes using a bulk loader service. Changes can be initiated by feeding in an information file where each text line represents a requested change. CA Identity Manager can also apply a common change to many users which match certain criteria, such as applying the same change to all current employees at a certain site.

TASK SCHEDULING Provides the ability to set transactions for future execution based on date/time criteria. For example, an administrator can instruct CA Identity Manager to create a new employee profile upon their hire at the beginning of next month, or set up a temporary identity for contractors who have known start and end dates.

User Self-Service

CA Identity Manager enables organizations to reduce IT and help desk workloads by empowering users to resolve identity-related issues on their own. Through an easy-to-use web interface, users can manage many aspects of their identity through various functions, including:

SELF-REGISTRATION Enables users to register for web applications through a publicly available web page. The user interface can be easily configured to request the specific information required by the organization depending on the type of user. This capability is frequently used for managing external users of consumer-based applications.

FORGOTTEN PASSWORD AND PASSWORD RESETS Instead of calling the help desk to reset a forgotten password, users can identify themselves via alternative means of authentication, such as a series of custom questions. Upon proper authentication, they can set a new password for their global account or for any of their application accounts.

ACCESS REQUESTS Allows users to request additional access via the CA Identity Manager web interface or your existing web portal. This greatly decreases costs by reducing the requirement for administrators to process and manually manage the workflow associated with providing additional access.

SELF-ADMINISTRATION Enables users to maintain certain elements of their identity profiles while administrators retain granular control over which attributes can be changed. This enhances the user experience by providing an alternative to relying on the help desk for simple identity changes such as their home address or phone number.

Delegated Administration

CA Identity Manager includes a comprehensive set of capabilities that enable you to define what business operations each user can perform, and under which business restrictions. This enables you to regulate who can do what, to whom. Delegation models are based on combinations of roles and rules and can include custom logic for modeling unique delegation logic as needed.

WORKFLOW-BASED DELEGATION CA Identity Manager provides the ability to easily create and apply approval processes, so users can feel confident their actions will be appropriately delegated. Each approval can, in turn, be subject to delegation, allowing approvers to further delegate or transfer approval authority if it was improperly assigned.

GRANULARITY OF DELEGATION Delegation of capabilities (e.g. create user, approve access request, view system report) can be defined based on user or organizational attributes or a combination of both, including:

User attributes such as job title or location.

Organizational structure, including explicitly identified organizations or dynamic groups such as "users in organizations that match a filter criteria".

Groups containing the user, including explicitly identified groups or sets of groups that match filter requirements.

Participation in roles, including membership, administration or ownership of admin, access or provisioning roles.

SCOPING Defining the scope, i.e. on which subjects one can take action, follows the same model as above, but also includes the ability to define dynamic, instance-specific rules. For example, a user can have scope over "all users in Sales" or "all users at my location".

TEMPORARY DELEGATION Users (the delegator) can specify that another user or combination of users has the authority to approve tasks or work items during periods when the delegator is "out of the office."

Integrated Workflow

CA Identity Manager's embedded workflow engine allows organizations to implement business processes which provide control over delegated administration capabilities. This workflow is highly flexible and capable of supporting varying business requirements through template definition, escalation, parallel approvals, serial approvals and multi-step approvals. Workflow integration includes:


WORKFLOW TEMPLATES These allow you to define workflow processes generically, once, using a drag and drop user interface, and reuse them across specific processes. Separating the definition of the process flow from the process data enables you to reuse logic and minimizes the cost associated with repeatedly changing processes. CA Identity Manager provides a set of out-of-the-box workflow templates and supports creation of custom workflow templates.

APPROVALS Workflow can be established to require a person to approve an event, such as a modification to a user profile, before CA Identity Manager updates a user store. Approvers are administrators who have been assigned rights within the approver role for a particular task.

NOTIFICATIONS The workflow engine can notify users of an event's status at different stages of a process, for example when a user initiates an event or when an event is approved.

WORK LIST GENERATION Work lists specify the tasks that a particular user must perform. The workflow engine updates administrators' work lists automatically.

Role-Based Access Control

Roles simplify identity management by aggregating similar users and their common privilege assignments into abstracted, business-relevant groupings. In doing so, roles reduce the number of relationships that must be managed, provide a better business representation of these relationships and enable more efficient identity management. For example, an organization with 20,000 users and 100 applications may need to manage several million individual privileges. Building a role model of several hundred roles to represent most of these individual privileges greatly simplifies and reduces the cost of ensuring appropriate access is granted to those users. CA Identity Manager supports the following types of roles:

FIGURE B: Workflow Designer. Customization of workflow processes can be accomplished using an intuitive drag and drop user interface.

PROVISIONING ROLES These roles are used to grant users access to target system accounts (e.g. SAP, Active Directory, email) and the appropriate level of privileges within these accounts (e.g. membership in SAP Roles). Provisioning Roles consist of a collection of Account Templates, each of which describes the rules for creating a new target system account with its associated permissions. These rules can leverage user profile data, other account attributes or constant values. Provisioning Roles are fundamental to CA Identity Manager's robust automation of administrative activities such as the creation and modification of user accounts.
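The Provisioning Role and Account Template model above, together with the reconciliation service described under the Provisioning Server and the user-to-account mapping kept in the Provisioning Store, as an added worked example. This is a hypothetical Python model written for this page, not CA Identity Manager code and not its template syntax: the %attr%/$attr$ rule notation, the membership lambdas, the users and the endpoint export are all constructed for illustration.

```python
"""Added example (hypothetical model, not CA Identity Manager code): Provisioning Roles made of
Account Templates are expanded into the accounts each user should hold per endpoint, then
reconciled against a constructed endpoint export to find orphan, missing and drifted accounts,
i.e. changes made outside the identity manager."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed corporate identity store: user id -> profile attributes.
USERS = {
    "u100": {"givenName": "Ada", "sn": "Lovelace", "dept": "Engineering"},
    "u200": {"givenName": "Alan", "sn": "Turing", "dept": "Engineering"},
    "u300": {"givenName": "Grace", "sn": "Hopper", "dept": "Finance"},
}

@dataclass(frozen=True)
class AccountTemplate:
    endpoint: str
    rules: Tuple[Tuple[str, str], ...]  # ordered (attribute, rule); the first attribute names the account

def render(template: AccountTemplate, user: Dict[str, str]) -> Dict[str, str]:
    """Evaluate rules in order: %attr% comes from the user profile, $attr$ from an account attribute
    rendered earlier in the same template, anything else is a constant. An unresolved reference
    raises instead of provisioning a half-rendered account."""
    account: Dict[str, str] = {}
    for attr, rule in template.rules:
        value = rule
        for key, val in user.items():
            value = value.replace(f"%{key}%", val)
        for key, val in account.items():
            value = value.replace(f"${key}$", val)
        if "%" in value or "$" in value:
            raise ValueError(f"unresolved reference in {template.endpoint}.{attr}: {rule!r}")
        account[attr] = value
    return account

@dataclass(frozen=True)
class ProvisioningRole:
    name: str
    member_rule: Callable[[Dict[str, str]], bool]  # rule-based membership evaluated on the profile
    templates: Tuple[AccountTemplate, ...]

AD_TEMPLATE = AccountTemplate("AD", (
    ("sAMAccountName", "%givenName%.%sn%"),                   # from user profile data
    ("memberOf", "Staff"),                                    # constant value
    ("homeDirectory", "\\\\files\\home\\$sAMAccountName$"),   # from another account attribute
))
ROLES = (
    ProvisioningRole("Engineer", lambda u: u["dept"] == "Engineering", (AD_TEMPLATE,
        AccountTemplate("GitLab", (("username", "%givenName%.%sn%"), ("access", "developer"))))),
    ProvisioningRole("Finance", lambda u: u["dept"] == "Finance", (AD_TEMPLATE,
        AccountTemplate("SAP", (("user", "%sn%"), ("sapRole", "Z_FI_CLERK"))))),
)

def expected_accounts(users=USERS, roles=ROLES):
    """Provisioning-store view: (endpoint, account) -> (owner user id, attributes the templates
    prescribe). Names are lower-cased: AD, SAP and most directories match them case-insensitively."""
    expected = {}
    for uid, profile in users.items():
        for role in roles:
            if role.member_rule(profile):
                for tmpl in role.templates:
                    attrs = render(tmpl, profile)
                    key = (tmpl.endpoint, attrs[tmpl.rules[0][0]].lower())
                    expected.setdefault(key, (uid, attrs))  # same template via two roles is one account
    return expected

def reconcile(expected, endpoint_dump):
    """endpoint_dump: {endpoint: {account name: attributes}} as exported from the target systems.
    Reports accounts no role entitles (orphan), entitled accounts that do not exist (missing) and
    accounts whose attributes differ from the templates (drift), each sorted for stable output."""
    report = {"orphan": [], "missing": [], "drift": []}
    seen = set()
    for endpoint, accounts in endpoint_dump.items():
        for name, actual in accounts.items():
            key = (endpoint, name.lower())
            seen.add(key)
            if key not in expected:
                report["orphan"].append(key)
                continue
            wanted = expected[key][1]
            diffs = {a: (wanted[a], actual.get(a)) for a in wanted if actual.get(a) != wanted[a]}
            if diffs:
                report["drift"].append((endpoint, name.lower(), diffs))
    report["missing"] = sorted(k for k in expected if k not in seen)
    report["orphan"].sort()
    report["drift"].sort(key=lambda d: d[:2])
    return report

# Constructed endpoint export: a stale service account, an AD group and a GitLab role changed by
# hand, a Finance user whose AD account was never created, and an SAP account nobody is entitled to.
ENDPOINT_DUMP = {
    "AD": {
        "Ada.Lovelace": {"sAMAccountName": "Ada.Lovelace", "memberOf": "Staff",
                         "homeDirectory": "\\\\files\\home\\Ada.Lovelace"},
        "Alan.Turing": {"sAMAccountName": "Alan.Turing", "memberOf": "Domain Admins",
                        "homeDirectory": "\\\\files\\home\\Alan.Turing"},
        "svc_legacy": {"sAMAccountName": "svc_legacy", "memberOf": "Domain Admins"},
    },
    "GitLab": {"ada.lovelace": {"username": "Ada.Lovelace", "access": "developer"},
               "alan.turing": {"username": "Alan.Turing", "access": "maintainer"}},
    "SAP": {"HOPPER": {"user": "Hopper", "sapRole": "Z_FI_CLERK"},
            "TURING": {"user": "Turing", "sapRole": "Z_FI_CLERK"}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(expected_accounts(), ENDPOINT_DUMP), indent=2))
```

The report is the input to the de-provisioning and review steps: orphans and drift on a privileged group such as "Domain Admins" are the excessive-rights findings an auditor asks about, and a missing account is a provisioning failure to retry. Name normalization is per endpoint in practice; the example lower-cases everything because the constructed endpoints all match case-insensitively.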

ADMIN ROLES Admin Roles grant privileges within the CA Identity Manager web user interface. Admin Roles support fine-grained control over the actions a user can perform (What can a user do?) and over the scope within which these actions can be performed (On which subjects can these actions be performed?). Similar to Provisioning Roles, Admin Roles support rule-based membership policies that provide the flexible foundation for the delegation of duties within CA Identity Manager.
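The Admin Role model above (what can a user do, on which subjects), together with the rule-based delegation, scoping and temporary out-of-office delegation described under Delegated Administration, as an added example. This is a hypothetical Python model written for this page, not CA Identity Manager code: the role definitions, task names, user profiles and the authorized() function are assumptions made for illustration.

```python
"""Added example (hypothetical model, not CA Identity Manager code): an Admin Role is a task set
("what can a user do"), a rule-based membership policy and a scope rule ("on which subjects"),
plus time-boxed out-of-office delegation of approval authority. authorized() returns the reason
for a grant so the decision can be audited, or None when the action is refused."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Profile = Dict[str, object]

# Constructed corporate identity store.
USERS: Dict[str, Profile] = {
    "alice": {"uid": "alice", "title": "Sales Manager", "org": "Sales/EMEA", "site": "LON", "groups": {"managers"}},
    "bob":   {"uid": "bob",   "title": "Sales Rep",     "org": "Sales/EMEA", "site": "LON", "groups": set()},
    "carol": {"uid": "carol", "title": "Sales Rep",     "org": "Sales/APAC", "site": "SYD", "groups": set()},
    "dave":  {"uid": "dave",  "title": "Help Desk",     "org": "IT/Support", "site": "LON", "groups": {"helpdesk"}},
}

@dataclass(frozen=True)
class AdminRole:
    name: str
    tasks: FrozenSet[str]                           # what a member may do
    member_rule: Callable[[Profile], bool]           # who holds the role, evaluated on profile attributes
    scope_rule: Callable[[Profile, Profile], bool]   # (admin, subject): may this admin act on this subject?

ROLES: Tuple[AdminRole, ...] = (
    # Sales managers approve access and edit profiles for users in their own organization subtree.
    AdminRole("Sales Manager", frozenset({"approve_access", "modify_user"}),
              member_rule=lambda a: "managers" in a["groups"] and a["org"].startswith("Sales/"),
              scope_rule=lambda a, s: s["org"].startswith(a["org"])),
    # Help desk resets passwords for "all users at my location".
    AdminRole("Site Help Desk", frozenset({"reset_password"}),
              member_rule=lambda a: "helpdesk" in a["groups"],
              scope_rule=lambda a, s: s["site"] == a["site"]),
    # Self-administration: everyone may change their own phone number, and nothing about anyone else.
    AdminRole("Self", frozenset({"modify_own_phone"}),
              member_rule=lambda a: True,
              scope_rule=lambda a, s: a["uid"] == s["uid"]),
)

@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    start: date
    end: date   # inclusive; the delegator's out-of-office window

DELEGABLE = frozenset({"approve_access"})  # only approval authority can be handed over temporarily

def _grant(admin: Profile, task: str, subject: Profile, roles) -> Optional[str]:
    """Name of the first role that lets `admin` perform `task` on `subject`, or None."""
    for role in roles:
        if task in role.tasks and role.member_rule(admin) and role.scope_rule(admin, subject):
            return role.name
    return None

def authorized(admin_id: str, task: str, subject_id: str, *, roles=ROLES,
               delegations: Tuple[Delegation, ...] = (), today: Optional[date] = None) -> Optional[str]:
    """Return why the action is allowed ("direct:<role>" or "delegated:<role>:from=<uid>"), else None."""
    today = today or date.today()
    admin, subject = USERS[admin_id], USERS[subject_id]
    # Segregation of duties: nobody approves their own access request, whatever roles they hold.
    if task == "approve_access" and admin_id == subject_id:
        return None
    role = _grant(admin, task, subject, roles)
    if role:
        return f"direct:{role}"
    # Temporary delegation is evaluated with the delegator's membership and scope, not the
    # delegate's, so an out-of-office delegation can never widen what the delegator could do.
    if task in DELEGABLE:
        for d in delegations:
            if d.delegate == admin_id and d.start <= today <= d.end:
                role = _grant(USERS[d.delegator], task, subject, roles)
                if role:
                    return f"delegated:{role}:from={d.delegator}"
    return None

if __name__ == "__main__":
    ooo = Delegation("alice", "dave", date(2024, 7, 1), date(2024, 7, 14))
    for args in (("alice", "approve_access", "bob"), ("alice", "approve_access", "carol"),
                 ("dave", "reset_password", "carol"), ("dave", "approve_access", "bob")):
        print(args, "->", authorized(*args, delegations=(ooo,), today=date(2024, 7, 5)))
```

Returning the grant reason rather than a bare boolean is what makes "Why was that granted?" and "Who approved it?" answerable from the audit trail later; the two checks a reviewer should look for are the self-approval refusal and the delegation being scoped by the delegator, not the delegate.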

Interface Customization

The effectiveness of Identity Management systems is often predicated on the rate of adoption by users and administrators. CA Identity Manager's web user interface is highly configurable, allowing you to provide the right user experience and level of detail for each user in the organization. The user interface can be customized in the following ways:

APPEARANCE The look and feel of the CA Identity Manager web user interface can be configured to match the organizational standard in terms of logos, color palettes, font types and other visual characteristics. In addition, the terminology used within the interface can be customized to improve the user experience.

FORMS AND ATTRIBUTES Each screen in the web interface is composed of visual forms through which users input information or make appropriate selections. These forms can be configured down to the level of the user schema or can include custom attributes. CA Identity Manager includes a point-and-click form designer which allows you to designate field layout and configuration.

CUSTOM LOGIC The user experience and flow of activities can be further customized by leveraging CA Identity Manager's Java SDK to develop custom logic snippets. Hooks are available for calling plug-ins before and after a task screen is displayed (Business Logic Task Handlers), before and after an attribute is displayed (Logical Attribute Handlers) and on specific task processing events (Event Handlers).

WEB SERVICE INTEGRATION In addition to allowing you to customize components within the web user interface, you can completely remove identity management capabilities from the CA Identity Manager interface and embed them into your own custom interfaces. This is possible because CA Identity Manager exposes all user interface tasks as web services, including self-service, delegated administration and system administration tasks.



Password Management

CA Identity Manager includes a comprehensive set of password management services which increase security by enforcing consistent password policies across the organization. These also combine with self-service password reset capabilities to reduce the cost of password-related help desk calls.

PASSWORD POLICIES Enforce different password strength requirements for different users, ensuring that sufficiently strong passwords are used to protect critical applications and accounts. Password restrictions include: minimum password length, maximum repeating characters, upper-/lower-case letter requirements, combination requirements (of letters, digits, punctuation, non-printable and non-alphanumeric character sets), custom dictionary tests and comparison against user profile attributes.

PASSWORD SYNCHRONIZATION CA Identity Manager can propagate passwords across target systems, including synchronizing operating system-level password changes back to CA Identity Manager across Windows, Unix and mainframe environments.

NATIVE WINDOWS LOGON CA Identity Manager has the ability to enhance the native Windows Vista Credential Provider and Windows Graphical Identification and Authentication (GINA) interfaces to add forgotten password functionality within the standard Windows logon dialog.
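The password restrictions listed under PASSWORD POLICIES map naturally onto a small policy evaluator. The following Python block is an added example written for this page; it is not CA Identity Manager code or part of its SDK. The policy names ("standard", "privileged"), the sample user profiles and the dictionary words are constructed for illustration. It shows a policy selected per user population, as the brief describes, and returns the list of violated rules rather than a simple pass/fail so that an administrator can see which requirement a password misses.

```python
"""Per-population password policy evaluation (added example, not CA Identity
Manager code). Policy names, sample profiles and dictionary words are
constructed for illustration."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 8
    max_repeating: int = 2        # longest run of the same character allowed
    require_upper: bool = True
    require_lower: bool = True
    min_classes: int = 3          # of: letters, digits, punctuation, other non-alphanumeric
    dictionary: frozenset = frozenset()
    profile_attrs: tuple = ("uid", "first_name", "last_name")
    min_attr_len: int = 3         # ignore very short profile values when matching


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def char_classes(pw: str) -> int:
    """Number of distinct character classes present, out of four."""
    checks = [
        any(c.isalpha() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
        # everything else non-alphanumeric: whitespace, control and non-ASCII symbols
        any(not c.isalnum() and c not in string.punctuation for c in pw),
    ]
    return sum(checks)


def evaluate(pw: str, profile: dict, policy: PasswordPolicy) -> list:
    """Return the names of violated rules; an empty list means the password is accepted."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if longest_run(pw) > policy.max_repeating:
        violations.append("max_repeating")
    if policy.require_upper and not any(c.isupper() for c in pw):
        violations.append("upper_case")
    if policy.require_lower and not any(c.islower() for c in pw):
        violations.append("lower_case")
    if char_classes(pw) < policy.min_classes:
        violations.append("char_classes")
    lowered = pw.lower()
    if any(word in lowered for word in policy.dictionary):
        violations.append("dictionary")
    # Comparison against user profile attributes: reject passwords built from
    # the user's own login name or real name.
    for attr in policy.profile_attrs:
        value = str(profile.get(attr, "")).lower()
        if len(value) >= policy.min_attr_len and value in lowered:
            violations.append("profile_attribute")
            break
    return violations


# Two constructed policies: one for the general population and a stricter one
# for accounts that belong to an administrative group.
COMMON_WORDS = frozenset({"password", "welcome", "qwerty"})
STANDARD = PasswordPolicy(name="standard", dictionary=COMMON_WORDS)
PRIVILEGED = PasswordPolicy(name="privileged", min_length=14, max_repeating=1,
                            min_classes=4, dictionary=COMMON_WORDS)

# Constructed sample profiles.
SAMPLE_STAFF = {"uid": "jsmith", "first_name": "Jane", "last_name": "Smith", "groups": ("staff",)}
SAMPLE_ADMIN = {"uid": "ops.admin", "first_name": "Ola", "last_name": "Berg", "groups": ("admin",)}


def policy_for(profile: dict) -> PasswordPolicy:
    """Select the policy by user population (here: membership in an 'admin' group)."""
    return PRIVILEGED if "admin" in profile.get("groups", ()) else STANDARD


def check(pw: str, profile: dict) -> list:
    """Evaluate a password under the policy that applies to this user."""
    return evaluate(pw, profile, policy_for(profile))


if __name__ == "__main__":
    for pw, profile in [("Smith2009!", SAMPLE_STAFF), ("Tr0ub4dor&3", SAMPLE_STAFF),
                        ("Tr0ub4dor&3", SAMPLE_ADMIN)]:
        print(profile["uid"], policy_for(profile).name, check(pw, profile) or "accepted")
```

The same password that passes the standard policy fails the privileged one on length and character-class count, which is the per-population behaviour the brief describes; the profile-attribute rule catches a password containing the user's own surname even when every other rule passes.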

FIGURE C The CA Identity Manager web interface look and feel can be customized to accommodate the organization's requirements.

Integration

Identity Management benefits often depend on the ability to integrate with the existing IT infrastructure and applications in a fast, scalable and non-intrusive fashion. CA Identity Manager addresses these needs by providing a combination of rich, out-of-the-box connectors and tools that facilitate integration with custom infrastructure and applications.

OUT-OF-THE-BOX CONNECTORS CA Identity Manager includes a broad set of pre-built connectors that provide provisioning integration with many popular web, client-server and mainframe applications. These include major computing platforms, enterprise applications, databases, collaboration environments and industry-standard interfaces.

CONNECTOR XPRESS This wizard-driven utility allows you to generate custom connectors via a graphical user interface without coding. Connector Xpress greatly reduces the level of technical expertise generally required for creating connectors with other identity management solutions, enabling the creation of custom connectors within hours rather than days or weeks.

CONNECTOR SDK CA Identity Manager provides an SDK for developing Java-based custom connectors. This is the same SDK used by CA in developing our out-of-the-box provisioning connectors.

CA IDENTITY MANAGER CONNECTORS

Mainframe Systems: IBM RACF, CA ACF2, CA Top Secret, DB2 for z/OS

ERP Systems: Oracle Applications, PeopleSoft, SAP, Siebel CRM

Groupware: Exchange 2000/2003, Exchange 2007, Lotus Notes Domino Server

Authentication Servers: RSA SecurID, ActivIdentity CMS, Entrust PKI

Host/Servers: Windows NT, Windows 2000, Windows 2003, Windows 2008, Active Directory, Sun Solaris, HP-UX, IBM AIX, HP Tru64, Red Hat Linux, SuSE Linux, AS/400, OpenVMS, Novell NDS/Binderies, HP NSK Safeguard, NCR MP-RAS, SGI IRIX

General Interfaces: JDBC/JNDI, LDAP, ODBC, SPML, SDK, Web Service/WSDL, Connector Xpress

CA Solutions: CA Single Sign-On, CA Access Control, CA Embedded Entitlements Manager, CA SiteMinder Web Access Manager*

Databases: IBM DB/2, Oracle, MS SQL Server

*Native connection

FIGURE D CA Identity Manager delivers out-of-the-box connectors for many commonly used business applications and IT platforms.


Reconciliation Services

Synchronizing identities and access rights across the enterprise requires bi-directional connectivity with managed systems. In previous sections, we focused on the propagation of changes from CA Identity Manager to endpoint systems. Reconciliation services, called Reverse Synchronization in CA Identity Manager, recognize changes made directly on endpoint systems, determine if they are within policy and synchronize them across other systems as appropriate.

SYSTEM ACQUISITION Once a new managed system is defined, the reconciliation service discovers the list of existing accounts and automatically maps these accounts to users based on correlation rules. Accounts that do not satisfy correlation rules are flagged as orphan accounts for manual review. The system owner can either associate accounts to users, mark them as System Accounts, disable accounts or delete accounts.

AUTHORITATIVE SYSTEM SUPPORT Authoritative systems are business applications or IT platforms designated as the source of certain user or account attributes. For example, in many enterprises a human resources application is the authoritative source for employee information such as full name, job title and organizational hierarchy. CA Identity Manager supports the option to have multiple authoritative systems, each with authority over part of the user population or a subset of attributes. The ability for changes made at authoritative sources to override existing information in CA Identity Manager can be set at multiple levels:

USER Authoritative System records can be mapped to CA Identity Manager user entities. Changes to these objects trigger tasks, such as Create User, Modify User and Delete User.

ACCOUNT Authoritative System records are mapped to CA Identity Manager individual accounts. An individual user may have multiple associated accounts with different synchronization policies for different user profile and account attributes.

ATTRIBUTE Authoritative Systems can be authorized to update certain attributes but not others.

CHANGE RECOGNITION By comparing the known status of accounts in CA Identity Manager with the actual assignment of these accounts in the target systems, Reverse Synchronization discovers when unauthorized changes have taken place. Based on this, it can initiate automated alerts or remediation processes, such as triggering a manual review by an administrator or initiating revert actions for these changes.
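To make the SYSTEM ACQUISITION and CHANGE RECOGNITION steps concrete, here is an added Python example; it is not CA Identity Manager code, and the correlation rule names, user records, endpoint account listing and known-state table are all constructed for the example. Accounts are mapped to users by an ordered list of correlation rules, accounts matching no rule (or matching more than one user under every rule, which is treated the same way here) are flagged as orphans for manual review, and the group assignments the identity store believes are in place are compared with what the endpoint actually reports.

```python
"""Account correlation and change recognition (added example, not CA Identity
Manager code). Users, endpoint accounts, correlation rules and the known
state are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: str
    email: str
    employee_id: str


@dataclass(frozen=True)
class Account:
    name: str                           # login name on the endpoint
    email: str = ""
    employee_id: str = ""
    groups: frozenset = frozenset()     # group memberships reported by the endpoint


# Correlation rules, tried in order; the first rule that matches exactly one user wins.
CORRELATION_RULES = [
    ("employee_id", lambda a, u: bool(a.employee_id) and a.employee_id == u.employee_id),
    ("email",       lambda a, u: bool(a.email) and a.email.lower() == u.email.lower()),
    ("login=uid",   lambda a, u: a.name.lower() == u.uid.lower()),
]


def correlate(accounts, users):
    """Map endpoint accounts to users. Returns ({account: (uid, rule)}, [orphans]).

    An account that matches no user, or matches more than one user under every
    rule, is an orphan and goes to manual review (associate, mark as system
    account, disable or delete).
    """
    mapped, orphans = {}, []
    for acct in accounts:
        for rule_name, matches in CORRELATION_RULES:
            hits = [u for u in users if matches(acct, u)]
            if len(hits) == 1:
                mapped[acct.name] = (hits[0].uid, rule_name)
                break
        else:
            orphans.append(acct.name)
    return mapped, orphans


def recognize_changes(known, actual):
    """Compare the known state with the endpoint's actual state.

    known/actual: {account_name: frozenset(groups)}. Each finding is
    (account, kind, group_or_None, suggested_action).
    """
    findings = []
    for name in sorted(set(known) | set(actual)):
        if name not in actual:
            findings.append((name, "account_missing", None, "review"))
        elif name not in known:
            findings.append((name, "account_unknown", None, "review"))
        else:
            for g in sorted(actual[name] - known[name]):
                findings.append((name, "group_added", g, "revert"))
            for g in sorted(known[name] - actual[name]):
                findings.append((name, "group_removed", g, "revert"))
    return findings


# Constructed sample data: two identity-store users, an endpoint listing with
# three accounts, and the group assignments the identity store believes exist.
USERS = [
    User("jsmith", "jane.smith@example.com", "E1001"),
    User("abrown", "al.brown@example.com", "E1002"),
]
ENDPOINT_ACCOUNTS = [
    Account("jsmith", email="jane.smith@example.com", employee_id="E1001",
            groups=frozenset({"staff"})),
    Account("albrown", email="Al.Brown@example.com",
            groups=frozenset({"staff", "finance-admin"})),
    Account("svc_backup", groups=frozenset({"backup-operators"})),
]
KNOWN_STATE = {"jsmith": frozenset({"staff"}), "albrown": frozenset({"staff"})}


def reconcile(accounts=ENDPOINT_ACCOUNTS, users=USERS, known=KNOWN_STATE):
    """Run both steps and return the mapping, the orphans and the change findings."""
    mapped, orphans = correlate(accounts, users)
    actual = {a.name: a.groups for a in accounts}
    return {"mapped": mapped, "orphans": orphans,
            "findings": recognize_changes(known, actual)}


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(key, value)
```

On the constructed data the employee-id rule maps `jsmith`, the case-insensitive e-mail rule maps `albrown` to user `abrown`, and `svc_backup` is left for review; change recognition then reports the `finance-admin` membership that the identity store never granted.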

Auditing and Reporting

CA Identity Manager's audit service captures a complete trail of business changes, provides ad-hoc query capabilities and optionally integrates with CA Security Information and Event Management (SIEM) solutions for cross-domain forensic and reporting analysis. In addition, CA Identity Manager's reporting services offer the following capabilities:

ENTERPRISE-CLASS REPORTING CA Identity Manager includes an embedded version of Business Objects Crystal Reports XI. This scalable approach enables organizations to build customized reports which support enterprise requirements.


SNAPSHOT WAREHOUSE Organizations can periodically schedule capturing of current organizational access policy and actual entitlement assignments. The recorded information is stored in a relational database as an individual snapshot, representing the status at a particular date. Viewing the progression of snapshots stored in the warehouse provides a historical view of access assignments. This information can be used in a forensic scenario to produce reports of assignments at a particular date, or for trending to show the evolution over time and provide visibility into gradual changes happening in the organization.

OUT-OF-THE-BOX REPORTS CA Identity Manager includes a set of pre-built reports which provide valuable visibility into the identity management operation and efficiency through entitlements, policies and workflow insight.

IDENTITY AND ENTITLEMENT REPORTS
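The snapshot warehouse described under SNAPSHOT WAREHOUSE is essentially a series of dated entitlement listings in a relational table. The example below is added here and is not CA Identity Manager code; it models the warehouse with an in-memory SQLite database, and the schema, snapshot dates, user ids and entitlement names are constructed for the example. It shows the two uses the brief names: reproducing assignments as of a given date (the forensic case) and counting holders of an entitlement across snapshots (the trending case), plus a diff between two dates to surface gradual change.

```python
"""Entitlement snapshot warehouse (added example, not CA Identity Manager
code). Schema, snapshot dates, user ids and entitlement names are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE snapshot (
    id       INTEGER PRIMARY KEY,
    taken_on TEXT NOT NULL UNIQUE          -- ISO date, so text order is date order
);
CREATE TABLE assignment (
    snapshot_id INTEGER NOT NULL REFERENCES snapshot(id),
    uid         TEXT NOT NULL,
    entitlement TEXT NOT NULL
);
"""


def open_warehouse():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def take_snapshot(conn, taken_on, assignments):
    """Record one dated snapshot of (uid, entitlement) pairs; returns its id."""
    cur = conn.execute("INSERT INTO snapshot (taken_on) VALUES (?)", (taken_on,))
    snapshot_id = cur.lastrowid
    conn.executemany(
        "INSERT INTO assignment (snapshot_id, uid, entitlement) VALUES (?, ?, ?)",
        [(snapshot_id, uid, ent) for uid, ent in assignments],
    )
    conn.commit()
    return snapshot_id


def assignments_at(conn, on_date):
    """Forensic view: assignments as of the latest snapshot taken on or before a date."""
    row = conn.execute(
        "SELECT id FROM snapshot WHERE taken_on <= ? ORDER BY taken_on DESC LIMIT 1",
        (on_date,),
    ).fetchone()
    if row is None:
        return frozenset()          # no snapshot that early
    rows = conn.execute(
        "SELECT uid, entitlement FROM assignment WHERE snapshot_id = ?", (row[0],)
    )
    return frozenset(rows)


def diff_between(conn, earlier, later):
    """Gradual change: (added, removed) assignments between two dates."""
    before, after = assignments_at(conn, earlier), assignments_at(conn, later)
    return sorted(after - before), sorted(before - after)


def trend(conn, entitlement):
    """Trending view: number of holders of one entitlement in each snapshot."""
    return conn.execute(
        """SELECT s.taken_on, COUNT(*)
             FROM snapshot s JOIN assignment a ON a.snapshot_id = s.id
            WHERE a.entitlement = ?
            GROUP BY s.taken_on ORDER BY s.taken_on""",
        (entitlement,),
    ).fetchall()


def build_sample_warehouse():
    """Three constructed month-end snapshots in which a privileged role spreads."""
    conn = open_warehouse()
    base = [("jsmith", "erp_user"), ("abrown", "erp_user"), ("abrown", "db_admin")]
    take_snapshot(conn, "2009-01-31", base)
    take_snapshot(conn, "2009-02-28", base + [("cjones", "db_admin")])
    take_snapshot(conn, "2009-03-31", base + [("cjones", "db_admin"), ("dlee", "db_admin")])
    return conn


if __name__ == "__main__":
    wh = build_sample_warehouse()
    print("db_admin holders per snapshot:", trend(wh, "db_admin"))
    print("assignments as of 2009-02-15:", sorted(assignments_at(wh, "2009-02-15")))
    print("added/removed Jan->Mar:", diff_between(wh, "2009-01-31", "2009-03-31"))
```

Storing ISO dates as text keeps the "latest snapshot on or before" query a plain string comparison; the trend query is the kind of quarter-over-quarter count an auditor asks for when a privileged role such as `db_admin` is growing.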

SECTION 5

The Strength of a Broad Identity Management Solution

Organizations are increasingly facing a variety of identity-related challenges, whether that involves on-boarding new employees in a timely manner, providing users with self-service password reset capabilities or ensuring the appropriate approval processes are tracked in a consistent manner. Identity Management solutions address these challenges while promising significant efficiencies in operational costs, risk mitigation and regulatory compliance.

CA Identity Manager helps organizations maximize this potential value by covering all types of users, over the broad range of applications used by your organization and throughout the lifecycle of identity-related business processes. This is delivered on an architectural foundation optimized to address the scalability and agility requirements of your organization in today's ever demanding business environment.

FIGURE E CA Identity Manager provides a robust enterprise-grade reporting framework using Business Objects Crystal Reports XI infrastructure.

CA Identity Manager provides native integration with CA Role & Compliance Manager to enable your organization to manage user identities, roles and policies throughout their lifecycles. Information about user identities and their privileges from CA Identity Manager can be cleaned up and used as the basis for an accurate role model and identity compliance policies in CA Role & Compliance Manager. This information can then be fed back into CA Identity Manager for use in role-based provisioning decisions and enforcement of appropriate security policies.

CA Identity Manager is also part of the complete and proven Identity and Access Management (IAM) solution from CA that helps you manage users and protect IT assets across all platforms and environments. As such, it contributes to your ability to optimize the performance, reliability and efficiency of your overall IT environment. CA Identity Manager provides integration which enables you to provision to and manage users for many of CA's other leading IAM solutions, including CA SiteMinder Web Access Manager, CA Access Control and CA Single Sign-On.

The next step is to tightly integrate the control and management of distinct functions such as operations, storage, lifecycle and service management, along with IT security. This higher level of management control is EITM, CA's vision for a dynamic and secure approach that integrates and automates the management of applications, databases, networks, security, storage and systems across departments and disciplines to maximize the full potential of each. CA's comprehensive portfolio of modular IT management solutions helps you unify and simplify IT management across the enterprise for greater business results.

SECTION 6

CA Identity Manager Improves Speed, Efficiency and Security

Identity management can take many forms depending on the needs of your organization. Each element of identity management provides its own benefits, including the following:

Improved Operational Execution

Manually managing users or building user management into individual applications is an expensive and time-consuming proposition. Between the labor and inevitable mistakes involved in adding, modifying and removing users, ensuring each user has access that is consistent with his/her relationship with the firm is typically tremendously expensive. Automating many of these functions dramatically streamlines an organization's ability to manage users, regardless of whether they are employees, authorized partners or customers.

CA Identity Manager can greatly reduce the hours of security administration time and help desk hours spent by an organization. In addition, errors are minimized as automation ensures that consistent and accurate accounts are created, modified and revoked on each target system without human intervention. CA Identity Manager delivers what organizations need: timely and error-free provisioning of accounts, credentials and entitlements.


Improved Administrative Control

Doing things cost-effectively is not enough anymore. Organizations also need to show they are in control of who can access corporate data and their business processes. This task is difficult enough for static resources, but becomes exponentially more challenging with the proliferation of additional applications, trading communities and collaborative business processes.

All told, this creates significant security exposure as poorly configured roles or access rights can provide unauthorized users with access to sensitive information. Control is not just a watchword; it is a corporate mantra. CA Identity Manager provides the broad platform and application support to implement administrative consistency across target systems and ensure the corporate policies are enforced with detailed and tamper-proof audit records.

Increased User Satisfaction

Requiring users to deal with multiple identities for multiple applications stymies their ability to get things done. There is also a lot to be said for providing positive early impressions for new users by having everything (key applications, voice mail, email, facilities access) ready when they need access.

CA Identity Manager provides advanced self-service capabilities and a sophisticated workflow environment to map to your business processes, not vice-versa. Users that access the right resources with consistent credentials can focus on their work and be more productive, without worrying about their access or privileges.

Assistance in Compliance Efforts

There is no way around it; both internal and external auditors are a factor in all IT operations. Understanding who has accessed what and why, being able to document this, and knowing how someone received data is a critical aspect of proving compliance with various regulations around the world. The key requirement of virtually all IT/security-related regulations involves the creation of strong internal controls. This means that all users must be uniquely identified, their access to protected resources must be tightly controlled based on a defined security policy, and security events must be easily auditable.

CA Identity Manager provides the ability to enforce clear segregation of duties, while providing both system and compliance-specific reports to substantiate the controls during an audit.

SECTION 7: CONCLUSIONS

Identity management is a function that every organization needs to provide. Employees need access to applications when they join or change roles within your company. Business partners need data to perform their upstream processing functions. Customers need assistance when they forget an account password or need to update their user profile. Your organization still needs to track when these changes occur if they impact sensitive resources. These processes are being performed on a daily basis; the question is, what does it cost your organization to support them in terms of user satisfaction, productivity and security?

By automating these processes, CA Identity Manager provides a higher level of consistency and efficiency that benefits both your organization and your users. On-boarding and off-boarding employees can be conducted in a timely manner according to user roles and corporate policies, both increasing security and improving user experience. Approval workflows are enacted as needed to ensure the proper sign-off before a user is provisioned with access to accounts or physical assets. And each of these actions can be audited to help your organization address regulatory compliance, privacy or governance objectives.

CA Identity Manager is an enterprise-class solution that provides all of these functions and more. With superior scalability proven in some of the largest enterprises in the world, CA Identity Manager has the ability to support the needs of all your users, of any type, across all applications from the Web to the mainframe. While providing the flexibility to support virtually any workflow process, enact a variety of policy-based controls and embed function into any interface, CA Identity Manager supports the unique needs of your business and delivers a seamless user experience.

To learn more about CA Identity Manager and its ability to help you to unify and simplify IT management for better business results, visit www.ca.com/us/identity-management.aspx.

CA (NASDAQ: CA), one of the world's leading independent, enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

MP343820

Learn more about how CA can help you