So, hello everybody and welcome to our presentation about how to govern and maintain compliance using open source identity management components. My name is Katarína Valaliková, and today's session objective is to learn the rationale for identity governance and demo some common use cases using an open source identity management system called midPoint. Through the session we will go through the terminology and benefits, we will explain what the governance is, then we will explain our architecture and demo use cases. If you have any question, also during the presentation, don't hesitate to ask.

First of all, what is identity management? Everybody works for some company. Every company has employees which we need to manage. We need to manage the access rights and permissions for them, so we need to create an identity for them. These users or employees are usually organized in some organizational structure: they belong to some department, so we need to manage also this organizational structure. We need to do it in a secure way using some security policies. As companies usually have many systems, we need to do the provisioning of access rights for the users to different systems, and we need to keep the records of the users synchronized between all the systems.

First of all, when a new employee is hired, there is the HR department and there is some HR system. The first record about the new employee is usually created in this HR system. Following the data from the HR system, we can then create and assign the appropriate access rights for the new employee so he can then perform his work. For this it's always good to have some centralized point, or it's good to have some identity management system which will do it for you. The identity management system will automate all the processes related to the onboarding of new users.
It will ensure that the users have only the rights they have to have, and it will ensure that only those accounts which should exist do exist. It's common that many times there are situations when you don't know much about the accounts. For example, you don't know who is the owner of the account, or who created the account, who approved this account, and so on. This is what identity management is for.

Yeah, and I didn't mention: it's great, we got one and it does some things for us, but there are some problems with it, right? And so some of those problems are listed here on the screen; they are sort of common problems that we have in our enterprise. For example, there are some roles that are more important than others. They're highly sensitive, and so they deserve special handling, and so how do you do that in a way that's compliant and that keeps you from having bad things happen from the wrong people having those sensitive roles? Or we'll have situations where maybe too many people have assignment to that role, or too few people have assignment to that role.
Perhaps there are situations where there's a violation of the principle of least privilege, where we've given too many people this powerful role. Or we have problems where, say, the manager goes on leave that's responsible for setting those roles up with their direct reports, and then while they're on leave that creates sort of a gap in the process, and then people are waiting around for things to happen while that manager's on leave, and how does that happen? Or maybe there are situations where perhaps some adjudication has to happen, which is to say maybe it's not just one person who has to approve a role, one person has to sign it; maybe there's two, three, four people, and they have to get together and decide whether this person should have access to this system. Or there could be situations where people are accessing the system directly, bypassing the identity management system and adding groups and users directly to that system, which then falls outside of areas of compliance. So I mean, that's just a sampling of things that can go wrong. I'm sure that you guys know plenty of other reasons, or you wouldn't be sitting in this room right now.

Yes Shawn, you're right, this happens very often, and probably what you need is to have access certification, approvals, notifications, then escalation or deputies and other features, which all build the identity governance, which, as Gartner says, combines with identity management functions to meet audit and compliance obligations.

Wait a minute, wait a minute. Gartner, Katka, seriously? Gartner, the lapdog for the vendors? You're going to pull out a buzzword for me, identity governance? I mean, does that really mean anything, or is that just something that the vendors use to sell software to me, that, you know, doesn't really do anything at all?
Yes Shawn, also Gartner, but there are also other definitions like this one: that identity governance is the mix of high-level business processes with low-level identity management processes. As you can also see on this picture, there are two parts, governance and identity management, but there is no exact line where the governance ends and where the identity management starts; they blend into each other, and there is a very thin line between them. But what you can see on this picture is that the governance is more business oriented and identity management is more technology, and it's all achieved by role-based access control. Do you know what role-based access control is?

Do I know what role-based access control is, Katka? Do I know? So I've spent 20 years of my career down in role-based access control, so I mean, that's a well-known standard in the access management circles, been in use for decades. I mean, I've got enough gray hair on my head to know that I've been in this space for a long time, so yeah, I know what role-based access control is. And so this slide is kind of giving you an example. There's a specification that governs it, ANSI INCITS 359, and so it's more than just users and roles; you've got things like users, roles, permissions and sessions. There's various ways of applying these controls, as you can see on this slide. You've got RBAC 1, which is hierarchical roles. RBAC 2, static separation of duties, which is mutual exclusion constraints between assigned roles, which is to say, hey, I can be assigned manager, I can be assigned administrator, but I can never be both of them at the same time, because there's some toxic relationship there. There's RBAC 3, which is dynamic separation of duties, which is mutual exclusion constraints between activated roles, so I might be assigned both of those roles, manager and administrator, but I can't activate them in the session at the same time. So yeah, I've got a pretty good idea about that one.
Yes, so you surprised me, and I see that you are really excited about role-based access control. And using role-based access control together with defined policies, which tell you about the actions which should happen, you can achieve the governance features. For example, if there is a policy that the role can be assigned only to one user, and then someone tries to assign this role to another one, there is a situation where you have to resolve the conflict, so you have to choose only the one user which will have this role assigned at the end. So this is what the governance basically is.

The solution we work on together is based on the open source identity management system called midPoint. It is implemented and delivered under the Apache Software License 2.0. Have you ever heard about midPoint?

Yeah, actually my boss told me to look at that a while back, so yeah, I did an evaluation of it. And so, you know, it's a Java application, it uses Java version 8, it runs inside of a servlet container; any compliant servlet container will do. It uses a relational database. It comes with an embedded database, but in production you'll want to have a relational database to store the master copy of users and policies that it is controlling. And then, as far as the way it works, it uses the Spring Framework; you know, it's built on top of a bunch of well-known Java principles, best practices. It uses Apache Wicket, which is a well thought of UI framework, for its UI component, and it uses a framework called ConnId for its connectors. And so that's kind of one of the cool things about midPoint, is that the connector framework is outside of midPoint. So with ConnId, if you build a connector that's compliant with ConnId, then that connector can be used across different identity management systems. So for example, maybe you have as a target resource RACF, you know, a legacy system running in, and so you could build a RACF connector, and then it could be
used across any identity management system that's compliant with that framework. As far as the architecture, it's a well-defined architecture. It's comprised of five subsystems. At the top is the GUI subsystem, which I already said was Apache Wicket; that's the user interface. It sits on top of the model, and every system that interacts with midPoint will go through that model, and that's where the identity management services, security and user account mappings reside. And then those two top-level components comprise what are considered the high-level components, and those are highly customizable. And then that sits on top of the core, and the core is the lower components; those are low-level components, they're considered to be configurable, and that's the repository, the provisioning subsystem and the infrastructure. So yeah, I've taken a look at it.

I'm impressed, Shawn, you know a lot about midPoint. So before we start with the demo, I think it's important to make some naming conventions. Resources: a resource, in the meaning we are using in midPoint, is the target system where the accounts will be created, so it is the target application or target system, like a Unix system or AD or OpenLDAP or some other application like Google Apps. And the connector is something which is used to achieve the provisioning to the target system; basically it's the protocol translator. It is connected to midPoint, and using this connector you can then create accounts and all this stuff in the target system. Then the second is the users and the accounts. User is a term used for the identity which is created in midPoint, and account is the name used for the account existing directly in the target system, like Active Directory or OpenLDAP or a Linux system or anything else.

So if you could build a connector for it, you can manage it? Yes, exactly.

Then the provisioning. This is what we will show in our demo: there is an HR system where we create a new account, and then, pulling the
information from the HR system, we create the user in midPoint, and according to the position for which the user was hired we will create the accounts in the target applications.

Okay, that's good. So all right, we got this stuff running in a demo environment, and that was just depicted by this screen right here. And so I already told you that midPoint was Java, and so it's running inside a web application archive. I'm gonna patch you guys, so I'm gonna run that in Tomcat; you could use whatever your favorite servlet container is. And so that's the main system, and then it's talking... I already mentioned that it needs a relational database, so I like PostgreSQL, that's my favorite, so that's what I used in this environment. It's running natively on that same... by the way, this is on a virtual machine running in infrastructure as a service inside our CenturyLink data center in New York. And so PostgreSQL is running natively on that same machine; it's just a proof of concept environment, but midPoint could use... you know, it's flexible in terms of what relational database it uses. And then you can see off to the left we've got three resources that are being managed. And so the two on the bottom: you can see at the very bottom we've got OpenLDAP, which is running natively on that machine, and that's simulating, say, an Active Directory. And then in the middle on the left you've got Google Apps, so we've got the Google Apps connector, and so with this demo environment we're going to be creating and deleting accounts inside of the cloud with the Google Apps connector. And then finally on the top we've got the inbound resource, which is a PeopleSoft human resource system. We're using the Oracle Human Capital Management connector that's in midPoint, and so the way that we're going to demo this for you today is that we're going to be consuming that XML file, and that XML file is in the schema of the Oracle HCM system, so they've defined that schema. So the way that
the... okay, so the question is, is the inbound resource... is midPoint querying the HCM, so is it interrogating the HCM, or is it pushing in? So the answer is, it depends on the capabilities of the target system. And so connectors, you know, we talked about connectors, and really a connector is just a protocol adapter, and it's a very simple, unintelligent component. And so it's got, say, six methods: add, update, delete, search and sync, and then there's a live sync. And so if the resource can do a live sync, then this can do a live sync. If it can't, then it could be just a push, where there's like a task that runs periodically that then pulls that and updates it. So in this case, for this demo environment, we don't have the budget to pay the license fee to have an Oracle HCM system running live, so we're simulating this with this file. And then we're going to go in there, we already saw us pull it up in the beginning, we're going to go in there and we're going to edit it, and we're going to create events, say hiring an employee, firing an employee, things like that. So the answer is, it depends on the resource. And in this case I'm not exactly sure if I'm sure it can do a live sync, but usually midPoint is querying the target system. Yeah, that's the best way to do it for sure. Okay, good question.

All right, so again we've got this XML file, we're going to be going in there, we're going to be editing it, and we're going to be simulating this. In the real world no one would ever edit an XML file to hire an employee; we're just doing that for this so that we can make these demo scenarios happen.

We will show different use cases, so it will be onboarding of a new identity, then we will show a taste of the notifications, also approvals, escalation, delegations, and we will show segregation of duty, and at the end the certifications, like access... Who are those guys over to the right, the Three Stooges? Are those employees? Yeah.

So first, there are the
scenarios. So the first is the onboarding of a new employee with the account activation. Then we will show the self-service, when the new employee, the user, will request some roles, but as he doesn't have the appropriate rights, these roles go through the approval, and then when someone doesn't approve the request there is an escalation process. Then the next scenario is role assignment: for example, some manager needs to assign permissions for the user, and in this scenario we will show the segregation of duty. The next scenario is deputy, and last but not least is the access certification.

So the first scenario is onboarding a new identity. Hire that guy! Yeah, we are going to hire Larry. You don't like him? Let me look at him. Okay, so let's hire Larry. We can see this is the XML export from the HCM file, and we can see that these are personal information about Larry, and here are assignments. We can see that Larry was hired as developer in COBOL, and he was hired also as developer in Java. Wait, you're gonna let Larry code Java? It seems so. He's a stooge. Yes, but he was hired as Java developer, I can't do nothing. Generated by...? Yes, yes, it's in the Oracle HCM schema format. Okay, yep.

So now when we look into our identity management system, we can see that there is no Larry, and Larry was hired as developer in Java and COBOL, and we can see that there is just the development department, but no departments for Java developer or COBOL developer. So let's hire Larry. So you're going to construct organizations in the target resource as part of this import? Yes. Okay. And here we have the HCM resource, which is a simulation for the Oracle HCM target HR application. We can see here all the accounts; we can see that three accounts were already created in midPoint, and we can see that there is a new account which doesn't exist in midPoint, so now we can import him. Okay, Larry was imported, and we can see that there are some personal information, and we can see that Larry was
assigned to three roles: it's COBOL, Java and basic role. But we can see that he has only one account, and it's the HCM account from the HR system; no other accounts were created yet, and it's because Larry needs to activate his account first. How's he do that? He wants... this notification mail was sent to Larry. But is that configurable? Yes. Okay. I wanted to show also that there is the organizational structure which was created during Larry's import, but we can see that there are no members, so he was not assigned to the COBOL and Java departments because he didn't activate his account yet. So let's activate his account.

So we don't have an SMTP server set up, so right now these notifications are going to a file, so it's just simulation. So we can see that the notification mail was sent to Larry with the registration, with the activation link, and also mail was sent to the system administrator to see that something is happening in his application. So let's activate Larry. Sure you want to do that? Sorry. Okay, we need to set a password to activate his accounts, for example. So Larry clicks on the link, he gets to set the password? Yes. Yeah. Password... Did you not put, like, the bang on the end? So midPoint enforces password policies both in the users that are stored in midPoint itself and in the target resource. Yes, but this is very strange. Possible. Okay, you probably just missed a character there. Probably. Okay, now the second mail was sent to Larry, and it's the confirmation mail. Larry has to confirm the activation to be able to log into the identity management system. Okay, now his accounts should be activated, let's try. Okay, he is now able to log into midPoint, and we can see that he was assigned to the COBOL and Java developer departments, and he got also the end user role and basic role. If we look into his profile, we now see that there are three projections: an account was created in OpenLDAP, and also he was added as a
member of groups COBOL and Java, and he was also created in Google Apps. So is he really there? I mean, so we can go to the admin console in Google, do a refresh, sign in as admin there, see if we got an account for him. Yep, there he is, Larry. So I could do the same thing with the LDAP, but I hope you believe me. I'm a skeptic. Yeah, I know.

So in this first use case we showed onboarding of a new identity, where the accounts were activated after Larry confirms, sets his password and confirms the activation of his account. We showed also the notification mechanism, which can be used for any other events, and we showed that the roles were assigned or activated only after Larry activates his account.

The next use case is self-service. It means that now we are logged in as Larry, and Larry needs, or he realized that he needs, some root access to a machine where he does the development, so he needs to request a new role for it. So we are logged in as the real Larry, and we are going to request a role, operator, to be able to log in as root to the machines. What, you're giving root to Larry? He needs it. He thinks he needs it. Okay, so he will request it. All right. Okay, we can see that the approval started, and in the profile we can see that the new role was not assigned because it is waiting for the approval. In this scenario we have configured the multi-level approval, so the first level is the security officer, so first the security officer has to approve the request. So the security officer is you, Shawn, so I will log in as you, and here we can see the dashboard, and we can see that you have one approval request from Larry, and he is requesting role operator because he thinks he needs root access. So am I the last one who approves this, or no? There is another level. So put in there that I'm skeptical. You can put... yeah, just: I'm skeptical. I'm just gonna say I am skeptical that he does that, we're gonna
give him that, but since it's not really me that's the final, I'm gonna kick the can down to the next guy and let them decide. Okay, I'm not gonna give him root. It's not your responsibility; there is another level of approval, and it's an approval from the application owner. As I'm a midPoint developer, I'm the application owner, so I will log in as me, and here I can see that I have one approval item, and that you actually approved it, but with the comment that you are skeptical. Yeah, I am skeptical. So this approval has a deadline, and it's set, for the demo use case, to one minute. So if I miss the deadline it will be escalated. So if some person who is responsible for the approval is on vacation, this approval is escalated. So let's look first on Larry's profile, and we can see that even if you approved the role there is no operator role, and meanwhile my work item is away, so it's past the deadline. Yeah, you didn't do it in time. I'm very slow. Okay, yeah, I'm sorry, you had better things to do, probably. So it was escalated to... So who's it escalated to? Administrator. So yeah, in this case it's the administrator. Is it configurable? Yeah. It's like the CEO, or yeah. So here we can see that originally it was assigned to me to approve, but as I was so lazy and slow, it was escalated to the midPoint administrator. So this is an example of what happens in the real world, right? Somebody goes on leave, or they don't answer the email, they go missing, and then meanwhile people are sitting around and they're not able to do their job. So this is an example of governance, where it escalated: someone didn't do what they're supposed to do, so it escalates automatically. Yes. And now when the administrator approves his access, we can see in Larry's profile that there is a new assignment for the role operator. Oh, so he does have root? Yeah, he does. Okay.

So in this use case we showed the self-service requesting a role, and then the approval process with multi-level approval stages and
escalation when someone who should approve is not available or is too lazy. It's good when you have someone who is very slow, you know, you can make it faster. It's quite a scenario. Yeah, you packed a lot in there.

A couple questions in the back. Is there a way to get approval from, like, a group, a group of system administrators, rather than an individual? Yes, sure, using for example the organizational structure you can set that anyone from the organizational structure or from the department, or managers of the organizational unit, can approve. So the question was, is there a way to have approval for a group? So that's a good question, and the answer is yes, you can. Okay, another question in the back. Okay, thanks. Okay. Does the user interface support two-factor authentication, is the question. Not directly, but you can have some single sign-on server before it and it will do it for you, but midPoint itself now supports only LDAP authentication and basic authentication.

So the third use case is when the manager, who is Mo... Are you okay with Mo? I mean, look at him, he looks a little irritated. Mo, as Larry's manager, needs to assign him some new role, because he realized that he needs someone in his team who will be responsible for learning to another role. Yes, okay, Larry needs the audit role, so his manager is going to give it to him. Yeah, you can get an auditor. Yes. So Mo assigned the auditor role, but not for him, for Larry. So here we can see that, oh, it's not possible to request, and there are some conflicts. I think it's RBAC 2, static separation? Yeah. And also you told that he cannot be an operator. Well, so we've established the segregation of duty constraint between operator, which would be, say, root on a machine, and auditor, which is a way of preventing, you know, bad things from happening, right, of creating a conflict of interest, because if you were auditor and admin, you could
cover your tracks, right? And so that's a way, you know, again it's governance, of controlling your identity management system via policies to remain compliant. So I think Mo knows better what Larry should be. So Mo doesn't want Larry to have the operator role? He doesn't. Okay, he will make him auditor. Okay, so he unassigned the operator and assigned the auditor. Yes. Okay. And as Mo is Larry's manager, we don't need the approval process here, because the manager assigned directly in our scenario. And now we can see in Larry's profile that he is auditor and he doesn't have the operator role anymore. Are you okay? I'm a little better, yeah. Well, he's still got Java there, and that's worrisome. Yeah, okay, so COBOL's all right, but Java... Okay.

So in this scenario we showed the segregation of duty violation, when the user has assigned the role which was in conflict with another role.

The next scenario is that Mo is going, I think, to ApacheCon in Miami. Mo's here? He's at ApacheCon, I heard. So where's he at? That guy owes me money. Oh, you should find him. Have you guys seen him around? Okay, so he's on the beach. So Mo, as he's attending ApacheCon, he's not able to perform his work, so he needs to make a delegation, and he will delegate his work to Curly. But let's try if Curly has some rights. Curly can't even sign on right now? No, Curly cannot sign on. Okay, so we can delegate Mo's rights to Curly. Okay, and I think we should delegate all rights. It's Mo's... it's his decision, I guess. Okay, I mean, Curly is his right-hand man. Okay.

So this scenario was about the deputy, when for example some manager leaves for vacation or goes to ApacheCon and he needs someone to do his job while he's not available during his vacation or during the conference. Same thing, yeah, almost.

The manager, the administrator, decided to start the certification campaign. What's a certification campaign? You know, for example, you have users and they are assigned to some roles, and sometimes you need to
review these assignments, if they have only the appropriate roles. And that's a way of figuring out what everybody has access to, and yeah. Yeah, so we will create a campaign and we will start the campaign, and as Mo is at the conference, Curly has to do his work. Oh, he can sign on, and now look, he's got all of Mo's power, basically. Yes. And here he can see... those are his direct reports? Yes, the assignments in his department, or in Mo's department. Right, so it's an opportunity to review every assignment and to accept or revoke those assignments individually. So do you know who is William Williams? No, but I mean, why does he got two names that are the same? We should get rid of... Yeah. And also here is Larry, are you okay with COBOL? Yeah, he can do COBOL. Okay, and you are not okay that he should do Java? Okay. And why? Can you use "a stooge"? Can you? Yeah, just say he's a stooge. I mean, that's okay. So, and he's still end user. So Mo... oh no, the Mo, but Curly did the decision, and now it's up to the administrator to start the remediation process. So some period of time goes by, that elapses, and all the managers are able to review the reports, and then after that time, then we close it? Yes. Here are our campaigns, and when we open it we can see that there are more users and more assignments which we need to decide, but it is according to department, and the manager should do the decision. So for us only the development department is important, and here we can see the decisions. So let's close the stage and start the remediation process. So remediation is where those policies are pushed down into the target resources? Yes, it's going through the policy, and something happened, let's see. It was this William Williams. I thought you did all right. I told you we shouldn't... that guy, it's not suspicious? Yeah, okay, he's not doing the job anymore. Okay, I feel better. All right, good, he can do COBOL, that's all right. He can, but we will see later.

So this last use case was about the access
certification, when we need to recheck the access rights and permissions for the users. It was said that the manager of the department does the decision about his employees.

What are the benefits of the governance? It puts more security into your identity management, it improves business responsiveness, and also it makes the processes faster and safer. And basically the governance is about the notifications, recertification, approvals, which can be also multi-level, and escalation, delegation, deputy, which we could see also in the demo, and the role lifecycle and audit, right, and more and more. Are you convinced now? Looks pretty good. If you have any question... You got time for questions? Yeah, any questions?

Any questions from...? We implemented it from scratch; we started like seven years ago. It's got a pretty rich history. The original creators were in the Sun IDM workspace, yeah, and so they were well versed in how all that worked, and then they were part of OpenIDM 1.0, and then there was sort of a split in terms of how to proceed, and so they split, and so one went one way and the other went the other way. But so midPoint is, as we said in the beginning, Apache Software License 2.0, it's there, it's fully open source, everything's in GitHub, there's no lockdown, it's all there, all the fixes and bugs, public mailing list, it's all done out in the open, it's an open source project. It's always been Apache? It was Apache 2.0 after we... the fork... the ForgeRock split? They went there? No, it wasn't a fork of ForgeRock. They are walking it down, pseudo open source, can't even get in. Open, yeah, almost. Yeah, you're right. Any other questions?

Evolveum? So okay, so I work for Symas and Katka works for Evolveum, and so Evolveum, they are the creators and the authors and the main contributors to that project. Symas, we're the OpenLDAP guys, okay, and so we've been around since about '99, and
so OpenLDAP is our main... we're the corporate sponsors of that, and so, you know, we've been in the identity management space for a long time, so we're now working with Evolveum; we're providing commercial support for that software, yep, which is what we do for OpenLDAP. Any other questions? All right, well, thank you very much for coming and enjoy the rest of the show.
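The RBAC levels Shawn walks through (hierarchical roles, static separation of duty on assigned roles, dynamic separation of duty on activated roles) and the operator-versus-auditor conflict and "only one user" policy from the demo, worked through as an added example; this is illustration code written for this page, not from the talk or from midPoint, and the role names, permissions and users are constructed to mirror the demo scenario.

```python
"""Added example (not from the talk or midPoint): a minimal RBAC model in the
sense of ANSI INCITS 359 with the governance checks the presentation describes:
hierarchical roles (RBAC 1), static separation of duty on assigned roles
(RBAC 2), dynamic separation of duty on activated roles in a session (RBAC 3)
and a cardinality policy limiting how many users may hold a role.  Role names
mirror the demo (operator = root, auditor); all data is constructed."""
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an assignment or activation would break a governance policy."""


@dataclass
class Rbac:
    hierarchy: dict = field(default_factory=dict)     # role -> set of junior roles
    permissions: dict = field(default_factory=dict)   # role -> permissions it grants
    static_sod: set = field(default_factory=set)      # exclusive pairs at assignment
    dynamic_sod: set = field(default_factory=set)     # exclusive pairs at activation
    max_holders: dict = field(default_factory=dict)   # role -> max number of users
    assignments: dict = field(default_factory=dict)   # user -> assigned roles
    sessions: dict = field(default_factory=dict)      # session -> (user, active roles)

    def expand(self, roles):
        """Close a set of roles under the hierarchy: a senior role implies its juniors."""
        result, todo = set(), list(roles)
        while todo:
            r = todo.pop()
            if r not in result:
                result.add(r)
                todo.extend(self.hierarchy.get(r, ()))
        return result

    @staticmethod
    def _conflict(roles, exclusions):
        for a, b in exclusions:
            if a in roles and b in roles:
                return (a, b)
        return None

    def assign(self, user, role):
        """RBAC 2: refuse an assignment that creates a mutually exclusive pair,
        and enforce the holder limit (the 'role assignable to one user' policy)."""
        held = self.assignments.setdefault(user, set())
        pair = self._conflict(self.expand(held | {role}), self.static_sod)
        if pair:
            raise PolicyViolation(f"{user}: static SoD conflict {pair[0]} vs {pair[1]}")
        holders = {u for u, rs in self.assignments.items() if role in rs and u != user}
        if len(holders) >= self.max_holders.get(role, float("inf")):
            raise PolicyViolation(f"{role}: already held by {sorted(holders)}")
        held.add(role)

    def unassign(self, user, role):
        self.assignments.get(user, set()).discard(role)

    def activate(self, session, user, role):
        """RBAC 3: a user may hold both roles of a dynamic SoD pair, but may not
        have both active in the same session."""
        if role not in self.expand(self.assignments.get(user, set())):
            raise PolicyViolation(f"{user} is not assigned {role}")
        owner, active = self.sessions.setdefault(session, (user, set()))
        if owner != user:
            raise PolicyViolation(f"session {session} belongs to {owner}")
        pair = self._conflict(self.expand(active | {role}), self.dynamic_sod)
        if pair:
            raise PolicyViolation(f"session {session}: dynamic SoD conflict {pair}")
        active.add(role)

    def check_access(self, session, permission):
        """Permissions flow only from roles active in the session, not all assigned."""
        _, active = self.sessions.get(session, (None, set()))
        return any(permission in self.permissions.get(r, ()) for r in self.expand(active))


def demo_policy():
    """Replays the demo: Larry holds operator (root), so auditor is refused until
    his manager removes operator; returns (blocked, has_root, can_login)."""
    rbac = Rbac(
        hierarchy={"operator": {"basic"}, "auditor": {"basic"}},
        permissions={"basic": {"login"}, "operator": {"root"},
                     "auditor": {"read-audit-log"}},
        static_sod={("operator", "auditor")},
        dynamic_sod={("manager", "administrator")},
        max_holders={"ceo": 1},
    )
    rbac.assign("larry", "operator")
    try:
        rbac.assign("larry", "auditor")      # RBAC 2 blocks the conflicting assignment
        blocked = False
    except PolicyViolation:
        blocked = True
    rbac.unassign("larry", "operator")      # what Mo did in the demo
    rbac.assign("larry", "auditor")         # now allowed
    rbac.activate("s1", "larry", "auditor")
    return blocked, rbac.check_access("s1", "root"), rbac.check_access("s1", "login")
```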