One Identity Manager supports the implementation of Identity and Access Governance demands in IT environments, which are often a mix of traditional, on-premise applications and modern cloud applications. Users and entitlements from cloud applications can be mapped in One Identity Manager.
Data protection policies, such as the General Data Protection Regulation, require agreement as to which employee data can be stored in cloud applications. If the system environment is configured appropriately, One Identity Manager guarantees that cloud applications and their administrators have no access to any employee main data or Identity and Access Governance processes respectively. For this reason, cloud applications are managed in two separate modules, which can be installed in separate databases if necessary.
The Universal Cloud Interface Module provides the interface through which users and permissions can be transferred from cloud applications to a One Identity Manager database. Synchronization with the cloud applications is configured and run at this stage. Each cloud application is mapped as its own base object in One Identity Manager. The user data is saved as user accounts, groups, system entitlements, and permissions controls and can be organized into containers. They cannot be edited in One Identity Manager. There is no connection to identities (employees).
The connection to the identities is established in the Cloud Systems Management Module; user accounts, groups, system entitlements, and permissions controls can be created and edited. Data is exchanged between the Universal Cloud Interface and Cloud System Management modules by synchronization. Provisioning processes ensure that object changes are transferred from the Cloud Systems Management Module to the Universal Cloud Interface Module.
Automated interfaces for provisioning changes from the Universal Cloud Interface Module to the cloud application can (on technical grounds) or should (due to too few changes) not be applied to certain cloud applications. In this case, changes can be manually provisioned.
Since only data that must be available in the cloud application is saved in the Universal Cloud Interface Module, the module can be installed in a separate database. This database may be outside the company's infrastructure.
The One Identity Starling Connect cloud solution provides a simple and comprehensive solution for integrating cloud applications and for meeting the requirements of hybrid solution scenarios.
One Identity Manager knows two methods for exchanging data with a cloud application.
- Automatic synchronization and provisioning
The synchronization of a cloud application with the One Identity Manager database and the provisioning of object changes from the One Identity Manager database to the cloud application is performed by the SCIM connector of One Identity Manager. This default method ensures that target system and database data is regularly compared and therefore remains consistent.
- Manual provisioning
For certain cloud applications, automated interfaces for provisioning changes should not be implemented. Changes can be manually provisioned for cloud application like this. To transfer data from the cloud application to the One Identity Manager database, synchronization can be configured with the SCIM connector. If One Identity Manager cannot obtain read access to the cloud application, you can set up data exchange through the CSV connector, for example.
With the method, you carry the risk of inconsistent data and loss of data if manual processes are not carried out. This method is therefore not recommended.
Figure 1: Architecture for synchronization
To access cloud applications, the SCIM connector is installed on a synchronization server. The SCIM connector can communicate with cloud applications that understand the System for Cross-Domain Identity Management (SCIM) specification. The synchronization server ensures data is compared between the One Identity Manager database and the cloud application.
Figure 2: Synchronization topology
Detailed information about this topic
The following users are used for setting up and administration of cloud applications.
Table 1: Users
Cloud administrators |
Cloud administrators must be assigned to the Universal Cloud Interface | Administrators application role or a child application role.
Users with this application role:
-
Manage application roles for the Universal Cloud Interface.
-
Set up other application roles as required.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing cloud applications and One Identity Manager.
-
Edit cloud application in the Manager.
-
Edit pending, manual provisioning processes in the Web Portal and obtain statistics.
-
Obtain information about the cloud objects in the Web Portal and the Manager. |
Cloud operators |
The cloud operators must be assigned to the Universal Cloud Interface | Operators application role or a child application role.
Users with this application role:
|
Cloud auditors |
The cloud auditors must be assigned to the Universal Cloud Interface | Auditors application role or a child application role.
Users with this application role:
|
One Identity Manager administrators |
administrator and administrative system users Administrative system users are not added to application roles.
administrators:
-
Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
-
Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
-
Enable or disable additional configuration parameters in the Designer as required.
-
Create custom processes in the Designer as required.
-
Create and configure schedules as required. |
One Identity Manager supports synchronization with cloud applications that understand the System for Cross-domain Identity Management (SCIM) in the version 2.0 specification. The requirements of RFC 7643 (System for Cross-domain Identity Management: Core Schema) and RFC 7644 (System for Cross-domain Identity Management: Protocol) must be guaranteed.
This sections explains how to:
- Set up synchronization to import initial data from cloud applications into the One Identity Manager database.
- Adapt a synchronization configuration to synchronize, for example, different cloud applications with the same synchronization project.
- Start and deactivate the synchronization.
- Evaluate the synchronization results.
TIP: Before you set up synchronization with a cloud application, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.
Detailed information about this topic