One Identity Manager supports the implementation of Identity and Access Governance demands in IT environments, which are often a mix of traditional, internally hosted applications and modern cloud applications. Users and entitlements from cloud applications can be mapped in One Identity Manager.
Data protection regulations such as the General Data Protection Regulation (GDPR) require agreement on which employee data may be stored in cloud applications. If the system environment is configured appropriately, One Identity Manager ensures that cloud applications and their administrators have access neither to employee master data nor to the Identity and Access Governance processes. For this reason, cloud applications are managed in two separate modules, which can be installed in separate databases if necessary.
The Universal Cloud Interface Module provides the interface through which users and permissions are transferred from cloud applications into a One Identity Manager database. Synchronization with the cloud applications is configured and run in this module. Each cloud application is mapped as its own base object in One Identity Manager. User data is stored as user accounts, groups, and permissions controls and can be organized into containers. These objects cannot be edited in One Identity Manager, and no connection is made to identities (employees).
Identities are connected in the Cloud Systems Management Module, where user accounts, groups, and permissions controls can be created and edited. Data is exchanged between the Universal Cloud Interface Module and the Cloud Systems Management Module by synchronization. Provisioning processes ensure that object changes made in the Cloud Systems Management Module are transferred to the Universal Cloud Interface Module.
For some cloud applications, automated provisioning of changes from the Universal Cloud Interface Module to the cloud application is either not possible (for technical reasons) or not worthwhile (because changes are rare). In these cases, changes can be provisioned manually.
Because the Universal Cloud Interface Module stores only the data that must be available in the cloud application anyway, the module can be installed in a separate database. This database may be located outside the company's infrastructure.
The One Identity Starling Connect cloud solution provides a simple and comprehensive solution for integrating cloud applications and for meeting the requirements of hybrid solution scenarios.
One Identity Manager supports two methods for exchanging data with a cloud application.
- Automatic synchronization and provisioning
Synchronization of a cloud application with the One Identity Manager database, and provisioning of object changes from the One Identity Manager database to the cloud application, are performed by the One Identity Manager SCIM connector. This is the default method; it ensures that target system and database are compared regularly and therefore remain consistent.
- Manual provisioning
For certain cloud applications, automated interfaces for provisioning changes should not be implemented. For these applications, changes can be provisioned manually. For data transfer from the cloud application to the One Identity Manager database, synchronization can still be configured with the SCIM connector. If One Identity Manager cannot obtain read access to the cloud application, you can set up the data exchange through the CSV connector, for example.
With this method you carry the risk of inconsistent data, and of data loss if the manual processes are not carried out. This method is therefore not recommended.
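The inconsistency risk of manual provisioning only becomes visible if someone regularly compares what the database expects the cloud application to contain with what the application actually holds. The following Python script is an added example for this page (it is not One Identity Manager code and does not use any of its APIs): it parses a CSV export of the cloud application, of the kind the CSV connector would read, compares it with the desired state, and lists the manual provisioning steps that are still pending. Both the desired state and the export are constructed sample data; orphaned accounts (present in the application, unknown to the database) are reported rather than deleted, because they need an owner decision.

```python
"""Drift check between the accounts One Identity Manager expects in a cloud
application (desired state) and what the application actually holds, for a
cloud application that is provisioned manually.

Added example for this page, not One Identity Manager code. The desired
state and the CSV export below are constructed sample data; a real check
would read the former from the database and the latter from the export."""
import csv
import io

# Constructed: what the database says the cloud application should contain.
DESIRED = [
    {"userName": "alice", "active": True, "groups": {"finance"}},
    {"userName": "bob", "active": True, "groups": {"finance"}},
    {"userName": "carol", "active": True, "groups": set()},
]

# Constructed: a CSV export pulled from the cloud application.
CLOUD_EXPORT = """userName,active,groups
alice,true,finance;audit
bob,false,
dave,true,admin
"""


def parse_export(text):
    """Parse the application's CSV export into {userName: {active, groups}}."""
    actual = {}
    for row in csv.DictReader(io.StringIO(text)):
        actual[row["userName"]] = {
            "active": row["active"].strip().lower() == "true",
            "groups": {g for g in row["groups"].split(";") if g},
        }
    return actual


def reconcile(desired, actual):
    """Return the manual provisioning steps still pending, in a stable order.

    Accounts in the application with no counterpart in the desired state are
    reported as orphans rather than deleted: they need an owner decision."""
    ops = []
    for want in desired:
        name = want["userName"]
        have = actual.get(name)
        if have is None:
            ops.append(("create", name,
                        {"active": want["active"], "groups": sorted(want["groups"])}))
            continue
        if want["active"] != have["active"]:
            ops.append(("set-active", name, want["active"]))
        for g in sorted(want["groups"] - have["groups"]):
            ops.append(("add-to-group", name, g))
        for g in sorted(have["groups"] - want["groups"]):
            ops.append(("remove-from-group", name, g))
    known = {u["userName"] for u in desired}
    for name in sorted(set(actual) - known):
        ops.append(("orphan", name, actual[name]))
    return ops


def pending_operations():
    """Run the check on the constructed sample data."""
    return reconcile(DESIRED, parse_export(CLOUD_EXPORT))


if __name__ == "__main__":
    for op in pending_operations():
        print(*op)
```

Run on the sample data, the check reports a surplus group membership for alice, a deactivated account for bob that should be active and is missing a group, a missing account for carol, and an orphaned account dave. An empty result is the only acceptable outcome after a manual provisioning round has been completed.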
Figure 1: Architecture for synchronization
To access cloud applications, the SCIM connector is installed on a synchronization server. The SCIM connector can communicate with cloud applications that implement the System for Cross-domain Identity Management (SCIM) specification. The synchronization server ensures that data is compared between the One Identity Manager database and the cloud application.
Figure 2: Synchronization topology
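What "understands SCIM" means in practice is that the cloud application answers the standard SCIM 2.0 messages (RFC 7643 and RFC 7644): a paged ListResponse for reads during synchronization, and a PatchOp for writes during provisioning. The following Python script is an added example for this page showing that exchange end to end; it is not One Identity Manager code and not the SCIM connector. The service provider class is an in-memory stand-in for a cloud application's /Users endpoint with constructed sample users, so the exchange runs offline; the client-side functions show the two operations a synchronization and a provisioning run need, including the quoting that stops a userName from altering a SCIM filter.

```python
"""A minimal SCIM 2.0 exchange between a synchronization client and a cloud
application, using the message shapes from RFC 7643/7644.

Added example for this page: not One Identity Manager code and not the SCIM
connector. ScimProvider is an in-memory stand-in for the cloud application's
/Users endpoint, populated with constructed sample users."""
import json
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Only the 'attr eq "<json string>"' form of a SCIM filter is supported here;
# RFC 7644 defines string comparison values with JSON string syntax.
_EQ_FILTER = re.compile(r'^(\w+) eq ("(?:[^"\\]|\\.)*")$')


def _error(status, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimProvider:
    """Stand-in for the cloud application's /Users endpoint (constructed data)."""

    def __init__(self, users):
        self.users = {u["id"]: dict(u, schemas=[USER_SCHEMA]) for u in users}

    def get_users(self, filter_expr=None, start_index=1, count=100):
        """GET /Users?filter=...&startIndex=...&count=... -> (status, ListResponse)."""
        matches = list(self.users.values())
        if filter_expr is not None:
            m = _EQ_FILTER.match(filter_expr)
            if not m:
                return _error(400, "invalidFilter")
            attr, value = m.group(1), json.loads(m.group(2))
            matches = [u for u in matches if u.get(attr) == value]
        page = matches[start_index - 1:start_index - 1 + count]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": start_index, "itemsPerPage": len(page),
                     "Resources": page}

    def patch_user(self, user_id, body):
        """PATCH /Users/{id} with a PatchOp body -> (status, updated user)."""
        if user_id not in self.users:
            return _error(404)
        if body.get("schemas") != [PATCH_SCHEMA]:
            return _error(400, "invalidSyntax")
        user = self.users[user_id]
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if kind in ("add", "replace") and path:
                user[path] = op["value"]
            elif kind == "remove" and path:
                user.pop(path, None)
            else:
                return _error(400, "invalidValue")
        return 200, user


def read_all_users(provider, page_size=2):
    """Full read of the application, paged as a synchronization run must be.

    A provider may cap 'count', so advance by itemsPerPage, not by the request."""
    start, users = 1, []
    while True:
        status, resp = provider.get_users(start_index=start, count=page_size)
        if status != 200:
            raise RuntimeError(f"SCIM list failed: {resp}")
        users.extend(resp["Resources"])
        start += resp["itemsPerPage"]
        if resp["itemsPerPage"] == 0 or start > resp["totalResults"]:
            break
    return users


def provision_deactivation(provider, user_name):
    """Provision one change: resolve the account by userName, PATCH active=false.

    json.dumps() yields the JSON string literal SCIM filters require, so a
    userName containing quotes cannot widen the filter (filter injection)."""
    status, resp = provider.get_users(filter_expr=f"userName eq {json.dumps(user_name)}")
    if status != 200 or resp["totalResults"] != 1:
        raise LookupError(f"expected exactly one account for {user_name!r}: {resp}")
    uid = resp["Resources"][0]["id"]
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return provider.patch_user(uid, patch)


def sample_provider():
    """Constructed sample users; the third has a filter-breaking userName."""
    return ScimProvider([
        {"id": "2819c223", "userName": "alice", "active": True},
        {"id": "c75ad752", "userName": "bob", "active": True},
        {"id": "5d8d29d3", "userName": 'eve" or userName ne "', "active": True},
    ])


if __name__ == "__main__":
    p = sample_provider()
    print(len(read_all_users(p)), "users read in pages of 2")
    print(provision_deactivation(p, "alice"))
```

The third sample user exists to show why the filter value is quoted with `json.dumps()`: concatenating it raw would produce `userName eq "eve" or userName ne ""`, which a provider with a full filter grammar would match against every account, and a deactivation meant for one user would then hit all of them.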
The following users are involved in setting up and administering cloud applications.
Table 1: Users
Administrators

Administrators must be assigned to the Universal Cloud Interface | Administrators application role or a child application role.

Users with this application role:

- Manage application roles for the Universal Cloud Interface.
- Set up other application roles as required.
- Configure synchronization in the Synchronization Editor and define the mapping for comparing cloud applications and One Identity Manager.
- Edit cloud applications in the Manager.
- Edit pending manual provisioning processes in the Web Portal and obtain statistics.
- Obtain information about the cloud objects in the Web Portal and the Manager.

Operators

Operators must be assigned to the Universal Cloud Interface | Operators application role or a child application role.

Users with this application role:

- Edit pending manual provisioning processes in the Web Portal and obtain statistics.

Auditors

Auditors must be assigned to the Universal Cloud Interface | Auditors application role or a child application role.

Users with this application role:

- View manual provisioning processes in the Web Portal and obtain statistics.

One Identity Manager administrators

- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
- Create and configure password policies as required.
One Identity Manager supports synchronization with cloud applications that implement version 2.0 of the System for Cross-domain Identity Management (SCIM) specification. One Identity Manager provides a project template that you can use to set up synchronization for these cloud applications.
To load cloud application objects into the One Identity Manager database for the first time:
- Provide a user with sufficient permissions for accessing the cloud application.
- Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
- Create a synchronization project with the Synchronization Editor.