Okay, our next talk is about Identity Governance and Data Protection with midPoint, and I'm turning to Radovan and Katarina. Thanks, welcome.

Thank you. So, today we would like to talk about midPoint, which is an identity management and governance product. My name is Katarina Valaliková. And my name is Radovan Semančík, and we are part of the midPoint core team.

So, it is quite difficult to explain identity management, governance and data protection in 30 minutes. We have figured out that the best way to do it is to show examples and demos; that is the fastest way to explain things. So, we have prepared an example of a new university environment, an academic environment, which is quite magical, obviously. But it is also a traditional environment, so it has traditional problems. There is an HR system, and data from the HR system are to be synchronized to a directory, but there is no direct path. There are applications that are based on a database and need to work on database records, and so on. There are legacy systems that we would not like to see anymore, but they are difficult to remove. So, it is a typical environment in universities, enterprises and actually almost any bigger organization.

The usual solution to this is to put an identity management system there. The identity management system can take the data from the HR system, student records, employee records, all the workers and volunteers and so on, and then synchronize the data to all the systems where the data are needed. And that is exactly what we would like to show you in the first demonstration. For the first demo we have chosen just two systems: one HR system as the source, midPoint in the middle, and then LDAP as the target system. So, let's see. The resources here: one of them is the HR system, representing our source system. We will pull the data from that system, transform the data, and then we will push the data to the target system, which is represented by OpenLDAP.
If you look into the details of the HR system, you can see that for this demo we use the CSV connector. And if you look into the data in our HR system, we store information about users, such as their login, first day and last day. Then we also have information about membership: for each organization we have its members, and we also have information on whether someone manages an organizational unit or is the leader of some team.

So, let's go back to midPoint. Here we can see the accounts from the HR system in midPoint, in a more structured way. Let's start with the import of the accounts and all the organizational units into midPoint. Going back to the import: now we can see that our import is running, and here we can see the progress, how many accounts have been processed and also whether there are some errors or anything else. If you look here, you can see that our organizational structure is growing, and we can also see that the users are being created as well. Here we can see our structure, which we pulled from the HR system; we can see the members of the organizational unit and also the manager of the organization. Here we can also see that there are some managers, which are also represented in the organizational structure, and we can see the members as well.

If you look into the profile of one of the users, we can see that the basic information about this user was also pulled from the HR system, and assignments were also created according to the HR records. So, we can see that this user is part of the Professors organizational unit and is also the manager of the Professors organizational unit. On the projections tab, you can see that this user has two accounts.
The first account is the HR account in the HR resource, where you can see the path to the file, and the second is the OpenLDAP account, which is the account that was created during this import in OpenLDAP. We can also see that the OpenLDAP account is a member of the Professors group in OpenLDAP, which was also created from the organizational unit.

So, what we have done here is that we have all the data from HR synchronized through midPoint to the LDAP directory. This was actually quite easy to do, wasn't it? It was very easy. There are a few things that you haven't seen so far. One of the things that you haven't seen is what is not there, and what is not there is programming. This is accomplished in a declarative way: we describe how to synchronize the data, except for maybe one line of script to transform something like a first name and last name into a full name, things like constructing a DN, and so on. So, there is no programming here, which means that adding new target systems like this one is quite easy. There are connectors to connect to these systems that do the protocol adaptation, and a configuration that sets up the way the attributes are created, managed or synchronized.

So, this is identity management. And when you think about it, if you have something like a very smart Python script, it can actually do almost the same thing as this. Maybe not as well as midPoint, but what you cannot do with a simple script is actually the management stuff: managing the identities. And that is what is called identity governance, and we will see that next.

The first thing that we need to know before we start with identity governance is the role. The role in midPoint is basically the implementation of role-based access control. So, you can specify in the role which privileges, accesses and groups the users will get after the role is assigned to them.
So, let's look at the definition of one role, which is the implementation of role-based access control in identity management. Here we can see that by assigning the role Transfiguration Teacher to some user, the user will get an account, and in the details of this configuration we can see that the user will also be a member of the Transfiguration group.

Now, what we are going to do is hire one new professor, which is, you know, quite hard; everyone is already settled. So, what we need to do to hire a new professor is obviously to have him in the HR system, and the organizational structure will be defined completely by the HR system. Gilderoy Lockhart will then ask for a professor role, and the policy that is configured in midPoint is that there need to be two approvals to get the professor role. First, it needs to be approved by the manager, which is Dumbledore in this case, and then it also needs to be approved by the Minister of Magic. So, let's see the process.

Okay, now I am logged in as Lockhart and I am going to apply for the role Defence Against the Dark Arts Teacher. Here I can just review my request, submit it, and then I am waiting for the approval of the role. I can see that there are two stages of approval, and if I look into the process details I can see that there are two approvers: one of them is my manager, Dumbledore, and the second one is the Minister of Magic, for my role.
Now I am logged in as Dumbledore, and I can see that there are two requests. Looking at them, I can see who asked for what, and also that there are two stages; I can look into the details, and there is the first approver and there is also the second approver. So, there are two different requests; one is not mine to decide, but we are going to decide on this one, so I will approve it. We can also see who asked for what, and in addition we can see the first approval. Of course, this is not everything. So now I switch users for this scenario, and the second stage is approved as well. So, the role has been assigned.

In the meantime, Professor Lockhart had an accident and lost all of his memory. But due to some legislation in the magical world, we cannot really remove him from the HR system, because he is there long-term, so he is probably gone for good, but on the other hand we do not want some kind of lunatic to have teaching privileges. So, now we are going to remove the privileges of the Dark Arts teacher. But now there is a feeling that we have forgotten something, haven't we? It is quite easy to request a role and approve it, but it is quite difficult to remember what to remove in the end. So, there is a special process to check that everything that should be removed was actually really removed, and the process is called access certification. How the process works is that it asks all the managers, typically once per year, whether these particular users still need to have these particular privileges. So, let's see. After looking into the details of the campaign, you can see that there are many reviewers for different users and roles. Let's look at one of the reviewers, which is Dumbledore, as he is the manager for the Professors unit, and see that there are 22 items for him to decide. After the decisions, we now need an administrator who will close the campaign; a remediation process will then apply and execute all the decisions. So, the remediation process: we can see that remediation has started, we can see that there were a lot of items in the process, and after looking into the roles we can see the result.

So, that was quite a light preview of what identity governance really is. What identity governance actually is, is something like a layer on top of identity management; it is much closer to the business. One could say that identity governance is putting management back into identity management. What you have seen in the demo so far is quite a bit of the functionality of identity governance, and there is much, much more that cannot be shown in a 30-minute time slot; for anyone interested, there is much more. But there is still one very exciting functionality that we would like to show you, and that is the data protection functionality.

So, what data protection actually is: simply speaking, data protection is the proper management of data. By proper I mean proper both from the point of view of the university or employer and proper from the point of view of students and consumers. This means things like: the controller should have a reason to process personal data, and if there is no reason, then the personal data need to be removed. That is one of the few principles of data protection. Data protection is not just the right thing to do; it is also a law, which may be a little bit scary. GDPR is a European Union regulation that comes into force this May, so there is not much time left. But again, this is quite a complex topic, so to let you understand what it really is, we have one more demonstration of at least the basics.

So, that was the data protection functionality, but to be completely honest, the data protection functionality is still quite experimental in midPoint. Whether it will get into the next release or the following release is all governed by midPoint subscribers, who are setting priorities for midPoint development, but we thought that it is a very, very interesting demonstration. So, what you have seen here is like three parts of a single product, midPoint: identity management in a classical way, identity governance, and then also the data protection functionality. As you can see, midPoint is really the only open source identity governance system available, so it is perhaps not too much to say that it is also the best one. And with that I would like to thank you for your attention. I believe we still have some room for questions.

Q: Is the product developed solely by one company behind it, or do you have a community of external contributors as well?

A: Most of the development is done by Evolveum, which is one company, but there are external contributors. To be completely honest, not in the product core; there are bug fixes coming in, some extensions and some examples. There is actually a community, maybe even a company or two, maybe even more, but the vast majority of development is done by Evolveum.

Q: More questions? Can I extend the functionality; is there an API that midPoint offers?

A: There are many ways to extend the functionality, from the very simple, like this one line of script to compose a full name, to the very complex hooks inside midPoint. It is open source, so you can just check it out and modify what you like. But yes, there is an API, most of it a Java API, and a REST API as well, for example. So, the short answer is yes.

Q: [Question about managing servers and network devices; not fully audible.]

A: First of all, we have a special type of object called a service, for servers, network devices and so on. But if you look two years back, at the presentation two years before this one, Katarina actually did a presentation on the integration of midPoint with machine management, so it was a very good hands-on presentation of how to do it.

Q: [Question about having more than one source system; not fully audible.]

A: Also here you can see that there is an organizational unit in your source. You can have any number of sources, actually. In midPoint there is no fundamental difference between source and target, just the direction of the data. So you can have any number of sources, and there is a way to, again declaratively, define whether two accounts are considered fully matching, so that they represent the same identity. It is quite easy to do, actually, but it is something that almost all identity management systems do, so it is not something special to us.

Q: I guess you can customize the approval code for complex setups; technically, how would you do it? Is it like a DSL? Is there a possibility to customize it?

A: Yeah, of course, there are several ways to do it. First of all, midPoint workflows, and the approvals as well, are based on the Activiti BPMN engine; that is actually the engine that does the approvals. So there is a way to modify the workflow process there. But we have found an easier way: recent versions of midPoint have something that is called policy-based configuration of approvals, so we can actually specify an approval policy for each individual role. Each role can have a different process, and it is completely declarative.

Q: And maybe a follow-up: is there some kind of store for common workflows? Have you thought about creating some sort of store for approval workflows?

A: There is probably not, because the workflow is just one: there is something to approve, and something is usually assigned, and so on. So for the workflow itself it is not something we can do. What is probably more interesting are the policy settings for different things, like approval by manager or approval by role owner. We have examples for that, but not really a store, because again there are not that many options.

Q: We were talking about data protection. Where and how do you define which data are sensitive, for instance PII or PHI, that kind of thing? Because we were talking about GDPR. So, where and how do we define which data are sensitive?

A: For now, again, the data protection is still an experiment, and it is also very simple. For now, what we can define is which data to remove when the user gets into a state where we no longer have a reason to process the information, and we define that we have a right to process the information by specially marking the roles that give us that right. So that is the current state of the functionality, but it can be extended of course, and we are actually looking forward to customers that are actually implementing GDPR, with practical experience and practical requirements, to let that guide the functionality ahead.

Q: Last question: how do you deal with secrets, with many targets? It is not the same secret everywhere, so how do you deal with secrets?

A: Well, there are no secrets for identity management. Identity management sees everything, because it is the hub in the wheel. But of course we are trying to protect at least the passwords and several other things. We cannot actually encrypt everything; we probably cannot use encrypted values for correlation, as the database search will not work on encrypted values. So we can actually pick passwords, for example, because we do not correlate on those, so we have special encryption for passwords. For the rest, we are just keeping everything in the clear; there may be some sensitive information besides the password, but you can use database encryption there, and of course you can use network encryption there. But identity management itself will see the data it has to process, so we need to see that. And I guess that's it. Thank you again.
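As an added illustration of the per-role, declarative approval policy discussed in the Q&A above (this is not configuration from the talk or from the midPoint project itself), the following role definition induces an OpenLDAP account plus group membership, and carries a policy rule that sends every request to assign the role through two approval stages, the requester's manager and then a named second approver. Element names follow the midPoint common-3 schema as I recall it (role, inducement/construction, assignment/policyRule, approvalSchema/stage, approverExpression); treat the OIDs, the resource and group names and the exact stage elements as assumptions to be checked against the midPoint documentation for your version.

```xml
<!-- Added example, not from the talk or the midPoint project.
     OIDs, resource and group names are made up; element names are assumed
     from the midPoint common-3 schema and should be verified for your version. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      oid="00000000-0000-0000-0000-0000000a0001">
    <name>Defence Against the Dark Arts Teacher</name>

    <!-- What the role grants once assigned: an account on the (assumed) OpenLDAP
         resource and membership in the "professors" group via an association. -->
    <inducement>
        <construction>
            <resourceRef oid="00000000-0000-0000-0000-0000000c0001" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:cn</q:path>
                                    <q:value>professors</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>

    <!-- Policy rule attached to the role itself: it fires on "assignment add",
         so the inducement above is not provisioned until both stages approve. -->
    <assignment>
        <policyRule>
            <name>two-stage-approval</name>
            <policyConstraints>
                <assignment>
                    <operation>add</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <approval>
                    <approvalSchema>
                        <!-- Stage 1: managers of the user who is receiving the role
                             (assumed helper from the midPoint expression library). -->
                        <stage>
                            <number>1</number>
                            <name>Manager approval</name>
                            <approverExpression>
                                <script>
                                    <code>midpoint.getManagersOidsExceptUser(object)</code>
                                </script>
                            </approverExpression>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                        <!-- Stage 2: a fixed second approver (assumed OID of the
                             "Minister of Magic" user). -->
                        <stage>
                            <number>2</number>
                            <name>Minister of Magic approval</name>
                            <approverRef oid="00000000-0000-0000-0000-0000000b0001" type="UserType"/>
                            <outcomeIfNoApprovers>reject</outcomeIfNoApprovers>
                        </stage>
                    </approvalSchema>
                </approval>
            </policyActions>
        </policyRule>
    </assignment>
</role>
```

The point worth noticing is that nothing here is imperative workflow code: the policy is data on the role, so the security-relevant questions (who must approve, in what order, what happens when an approver cannot be found) are reviewable in the same place as the access the role grants. Setting `outcomeIfNoApprovers` to reject rather than skip is the conservative choice; a user with no manager in HR should not silently bypass the first stage.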