user provisioning software from OSM

User provisioning – manage resources, access control, passwords and security

Scope

User provisioning – this page discusses the components of user provisioning which are connected with security, resources and access control. They include the facility of password synchronization as an alternative to single sign-on when used for managing the security of one or more enterprise business applications in a large, multi-user IT service supported by a Unix and Windows infrastructure.

The user provisioning problem

Organizations rely upon their workforces interacting with computers. The proportion of the workforce having access to business critical software continues to increase as does the number of applications to which those individuals must have access.

In the past, user provisioning may have been confined to meeting the needs of users each of whom required access to only one application residing on a single system. Now, every user may have to be registered on many individual servers of different operating system types, various databases and multiple business applications. Registration of each user with each facility is needed to control and prevent unauthorized access.

The problem is made worse by staff moving within the organization, which demands the modification of access rights and the creation of new ones. Add factors such as the global distribution of systems, the disabling (closing) of accounts for those leaving the organization and the everyday issues of forgotten passwords, temporary staff, new applications and new systems, and the problem is evident.

Applications consist of several layers - for example an ERP package may require access to a UNIX database server, Windows application servers, an ORACLE database and the ERP package itself. The service is operational only when every layer is available to users and functioning correctly.

Security considerations

So, the problem remains of preventing registered users from accessing facilities to which they have no right, and of preventing any access by non-registered users including those from outside the enterprise.

Most security problems are caused by staff rather than those outside the organization, so this must be addressed first. The ideal solution is a single package which supports the administration of both the user population and their security profiles at the same time.

COSuser is software that squarely meets such demands. It provides user administration capabilities, not only for system login accounts, but also for all application user accounts. It backs this up with the automation which enables them to all be changed with a single command.

When a user leaves the organization, a single click will initiate the process of either deleting or disabling all his/her accounts. If a user changes role, a complete, new administration and security profile can be assigned with a single command.

COSuser is built on the idea of using pre-defined roles to specify security profiles, then allowing those role titles to be used as the shorthand for allocating profiles to individuals. Once this structure has been established, the task of admitting new users to roles is one that can be delegated to staff who do not need to possess a high level of technical skill.

As a general concept, COSuser provides an infrastructure to automate as far as possible all aspects of user provisioning, then delegate the remaining execution actions to staff of an appropriate level. If the smaller class of privileged users (commonly system administrators) is also of concern, since they present their own problems in this same area (they frequently have unrestricted access to resources and data and, yet more problematic, their activities are neither monitored nor recorded for possible auditing), OSM supplies software products which help in this area. See www.cosduty.com.


(c) Copyright 2004 www.cosuser.com