Identity Management manages person data and the associated access rights for the IT infrastructure. It provides master data to the different target systems: it manages the individual persons, enriches them with data and makes them available to the IT environment. In addition, Identity Management offers user interfaces for personal configuration, such as applying for access rights, changing passwords or modifying specific data.
Verifying user rights requires unambiguous identities. But Identity Management offers more than security functions: it provides a uniform platform for integrating different applications and directories and for supplying cross-platform personal data on employees, customers, suppliers, etc.
Every company has to manage identities, authorizations and user accounts, whether this is done manually or highly automated; in reality it is usually somewhere in between.
Authorizations in the target systems, mostly groups or roles, are managed by the Identity Manager. It assigns access rights based on user requests, often in conjunction with approval workflows. Authorizations can also be assigned automatically based on an underlying role concept and rules. Whether individual accesses are assigned by request or by a set of rules depends on the specific case; a combination is possible, but increases complexity considerably.
Segregation of duties is a core task of IT governance: it protects the integrity of operational responsibilities. It can be applied in an enforcing mode, which blocks a conflicting assignment, or in an alerting mode, which permits the assignment but flags it for review; the latter is usually preferred for reasons of business continuity, provided that the flagged conflicts are actually reviewed. The most common use is separating the executing from the controlling instance, for example ensuring that the role of the purchaser and that of the corresponding controller are not assigned to the same person. In practice, however, even such cases cannot be completely ruled out, especially where substitution plans in smaller company units are concerned.
Role concepts bundle multiple authorizations, usually across different target systems, into job roles. Job roles make the authorization concept for a given position more manageable: they simplify handling and overview and abstract complex authorizations so that they become manageable for employees.
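As an added example (not code from the original page or from any product it describes), the following Python sketch shows how the three preceding ideas fit together: a job role bundles groups or roles in several target systems, rules derive roles from a person's attributes, and a segregation-of-duty check on the purchaser/controller pair either blocks the assignment (enforcing mode) or grants it and records the conflict for review (alerting mode). The role catalogue, the SoD rule, the attribute rules and the person data are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical role catalogue (constructed for this example): a job role bundles
# authorizations, i.e. groups or roles, in several target systems.
ROLE_CATALOGUE = {
    "base_employee":       {("AD", "All-Staff"), ("Mail", "Mailbox")},
    "purchaser":           {("ERP", "MM_PURCHASE"), ("AD", "Purchasing-Share")},
    "purchase_controller": {("ERP", "MM_RELEASE"), ("ERP", "FI_INVOICE_APPROVE")},
}

# Segregation-of-duty rules: pairs of roles the same person must not hold.
SOD_RULES = [
    ("purchaser", "purchase_controller", "executing vs. controlling instance in purchasing"),
]

# Rule-based assignment: predicate over person attributes -> role granted automatically.
AUTO_RULES = [
    (lambda a: True, "base_employee"),
    (lambda a: a.get("department") == "Purchasing" and a.get("title") == "Buyer", "purchaser"),
    (lambda a: a.get("department") == "Purchasing" and a.get("title") == "Controller", "purchase_controller"),
]


@dataclass
class Person:
    uid: str
    attrs: dict
    roles: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (event, role, reason, violations)


def sod_violations(roles):
    """Return the SoD rules that the given set of roles violates."""
    return [(a, b, why) for a, b, why in SOD_RULES if a in roles and b in roles]


def grant(person, role, mode="enforce", reason="request"):
    """Add a role. mode='enforce' blocks an SoD violation; mode='alert' grants but records it."""
    if role not in ROLE_CATALOGUE:
        raise KeyError(f"unknown role {role}")
    if mode not in ("enforce", "alert"):
        raise ValueError(f"unknown mode {mode}")
    violations = sod_violations(person.roles | {role})
    if violations and mode == "enforce":
        person.audit.append(("denied", role, reason, violations))
        return False, violations
    person.roles.add(role)
    person.audit.append(("granted", role, reason, violations))
    return True, violations


def apply_auto_rules(person, mode="enforce"):
    """Assign every role whose rule matches the person's attributes."""
    return [grant(person, role, mode, reason="rule")
            for cond, role in AUTO_RULES if cond(person.attrs)]


def effective_entitlements(person):
    """Flatten job roles into the concrete groups/roles to provision per target system."""
    out = set()
    for role in person.roles:
        out |= ROLE_CATALOGUE[role]
    return out


def demo():
    """Constructed scenario: a buyer asks for the controller role as a substitute."""
    alice = Person("alice", {"department": "Purchasing", "title": "Buyer"})
    apply_auto_rules(alice)                                       # base_employee + purchaser by rule
    enforce_ok, _ = grant(alice, "purchase_controller")           # enforcing mode: denied
    alert_ok, flagged = grant(alice, "purchase_controller", mode="alert", reason="substitution")
    return {
        "auto_roles": sorted(alice.roles - {"purchase_controller"}),
        "enforce_granted": enforce_ok,
        "alert_granted": alert_ok,
        "flagged_rules": [why for _, _, why in flagged],
        "erp_entitlements": sorted(g for s, g in effective_entitlements(alice) if s == "ERP"),
        "audit_events": [e for e, *_ in alice.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is the important part: in alerting mode the conflict is granted but leaves a record that a reviewer can act on, whereas in enforcing mode the denial itself is recorded so that a subsequent exception request can be traced.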
Privileged Identity and Access Management (Privileged IAM) is a concept for gaining temporary additional authorization rights. You authenticate to the Identity Manager with your personal user credentials and thereby gain access to an account with elevated rights. Privileged IAM can be built directly into the authentication mechanism to achieve a seamless login, or it can simply provide a user interface that hands out a temporary password for a specific account. The full range of benefits Privileged IAM offers is rarely recognized. The following use cases are worth mentioning:
- A central overview of exactly when which user has logged in to which kind of system.
- Rights that are used only sporadically are allocated for a clearly defined period of time. Practical examples are an external auditor who needs comprehensive ERP rights for three days, or an IT specialist who updates all server systems quarterly.
- Keeping privileged passwords stored centrally becomes obsolete: the user either never sees the actual password, or it is automatically changed again after use.
- Users work only with the rights they need, which protects them from accidentally manipulating uninvolved systems. Consider what a global administrator can do by accidentally launching malware.
- Sporadic users work with shared user accounts, which can be attractive from a licensing point of view and reduces the configuration effort of user administration. Despite the account sharing, you know exactly which person used the account and when.
Privileged Identity Management can be combined with proactive notification, e.g. an alert whenever a login to a critical system occurs. Monitoring is also often set up on the target systems so that the activities on the servers can be traced exactly. This is done by session recording (video), normally combined with full-text search of the recorded session. After initial suspicion, administrators often come to appreciate this feature, as they can follow their own steps and keep them for documentation purposes.
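The checkout model described in the Privileged IAM use cases above, as an added Python example that is not code from the original page or from any product it describes: a person authenticates with their own identity, checks out a shared privileged account for a fixed window, receives a freshly generated password, and the password is rotated again on check-in or expiry, so the shared secret never outlives the window. The audit trail maps the shared account back to the individual person at any point in time, and a checkout of an account marked critical produces a notification. The account names, the rotation stub (it only stores a hash instead of setting the password on a real target system) and the scenario data are constructed assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


def _digest(secret: str) -> str:
    # The vault model keeps only a digest; the clear text goes to the requester once.
    return hashlib.sha256(secret.encode()).hexdigest()


class PrivilegedAccessManager:
    """Time-boxed checkout of shared privileged accounts with a per-person audit trail."""

    def __init__(self, clock=None):
        self.accounts = {}       # account -> {"system", "critical", "secret_digest"}
        self.checkouts = {}      # account -> {"uid", "start", "expires"}
        self.audit = []          # (event, uid, account, timestamp)
        self.notifications = []  # proactive info for checkouts on critical systems
        self._now = clock or (lambda: datetime.now(timezone.utc))

    def register_account(self, name, system, critical=False):
        self.accounts[name] = {"system": system, "critical": critical,
                               "secret_digest": _digest(secrets.token_urlsafe(24))}

    def _rotate(self, name):
        # Stub (assumption): a real deployment sets the new password on the target system.
        new_secret = secrets.token_urlsafe(24)
        self.accounts[name]["secret_digest"] = _digest(new_secret)
        return new_secret

    def checkout(self, uid, name, duration: timedelta):
        """Return a temporary password for `name`, or None if it is currently in use."""
        self.release_expired()
        if name not in self.accounts:
            raise KeyError(f"unknown account {name}")
        now = self._now()
        if name in self.checkouts:
            self.audit.append(("denied", uid, name, now))
            return None
        self.checkouts[name] = {"uid": uid, "start": now, "expires": now + duration}
        self.audit.append(("checkout", uid, name, now))
        if self.accounts[name]["critical"]:
            system = self.accounts[name]["system"]
            self.notifications.append(f"{uid} checked out {name} on {system} at {now.isoformat()}")
        return self._rotate(name)

    def checkin(self, uid, name):
        """Release the account; only the person who holds it may return it."""
        held = self.checkouts.get(name)
        if held is None or held["uid"] != uid:
            return False
        del self.checkouts[name]
        self._rotate(name)  # password changed again after use: the handed-out secret is dead
        self.audit.append(("checkin", uid, name, self._now()))
        return True

    def release_expired(self):
        """Revoke every checkout whose window has elapsed and rotate its password."""
        now = self._now()
        for name in [n for n, c in self.checkouts.items() if c["expires"] <= now]:
            uid = self.checkouts.pop(name)["uid"]
            self._rotate(name)
            self.audit.append(("expired", uid, name, now))

    def who_used(self, name, at):
        """Which person held the shared account `name` at time `at`? Replays the audit trail."""
        holder = None
        for event, uid, account, ts in self.audit:
            if account != name or ts > at:
                continue
            if event == "checkout":
                holder = uid
            elif event in ("checkin", "expired"):
                holder = None
        return holder


def demo():
    """Constructed scenario: an external auditor needs ERP rights for three days."""
    t = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    pam = PrivilegedAccessManager(clock=lambda: t[0])
    pam.register_account("erp-audit", "ERP", critical=True)
    pw_alice = pam.checkout("alice", "erp-audit", timedelta(days=3))
    bob_early = pam.checkout("bob", "erp-audit", timedelta(hours=1))   # in use: denied
    t[0] += timedelta(days=3, hours=1)                                  # window has elapsed
    pw_bob = pam.checkout("bob", "erp-audit", timedelta(hours=1))       # expiry is applied here
    holder_day2 = pam.who_used("erp-audit", datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc))
    wrong_checkin = pam.checkin("alice", "erp-audit")
    owner_checkin = pam.checkin("bob", "erp-audit")
    return {
        "alice_got_password": pw_alice is not None,
        "bob_denied_while_in_use": bob_early is None,
        "bob_got_fresh_password": pw_bob is not None and pw_bob != pw_alice,
        "holder_on_day_2": holder_day2,
        "holder_at_end": pam.who_used("erp-audit", t[0]),
        "wrong_person_checkin": wrong_checkin,
        "owner_checkin": owner_checkin,
        "notifications": len(pam.notifications),
        "events": [e for e, *_ in pam.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The injectable clock is there so the expiry path can be exercised deterministically; in production the same class would be driven by wall-clock time and a scheduler calling `release_expired` periodically, because an expired window that is never revoked is just a standing shared password.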