Posted by Edward Killeen on Tue, Sep 25, 2012

Identity information is stored in directories, so it would stand to reason that directory synchronization is the key to identity and access management (IAM).  But that ignores the Access in IAM.  Shuttling identity attributes between directories, databases and applications helps, but it isn't full identity and access management.

Of course, directory synchronization is a great place to start.  You want access to be granted dynamically based on who and what your user is.  An HR manager in Topeka needs a different set of access than a sales director on the Skynet account.  In fact, those two users need to be synchronized to completely different sets of directories; this is handled with role-based provisioning, where only users in that particular role get a user account, and access, in that directory or application.

EmpowerID puts a metadirectory in the middle of your identity ecosystem that creates "person accounts".  Each "person" is joined to its user accounts in every system, database or directory.  If a person is supposed to have an account in an application based on their role, it is provisioned.  Once provisioned, attribute flow rules define, per attribute, whether one side is authoritative or the last change wins.  Constant inventorying of the directories keeps them synchronized.

All of this constant change is, in effect, the engine for the rest of IAM.  Your directory changes are reflections of your user changes.  The person directory knows that you got promoted, that you changed phone numbers or that you have a new account.  This drives the dynamic role assignments that provision new user accounts, elevate your level of access, or grant you admin rights in SharePoint.

Directory synchronization drives your identity: your rights, your permissions, your accounts.  You have to have this capability, but you cannot let it be your only method of managing identities.

In the past, I have seen some of the largest organizations in the world get overwhelmed just keeping their directories accurate.  This back-and-forth and constant change (up to 20% internal turnover on top of 5% external turnover) takes so much time that there is no chance of keeping on top of the finer, more intricate IAM tasks.

But it doesn't have to be that hard.  Take a look at the graphic above; it really is that simple.  Rules can be inserted to transform or edit values (one directory holds first and last name in a single attribute while AD keeps them separate, for example).  Getting the correct attributes flowing throughout the organization is the fastest and simplest part of EmpowerID.
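To make the flow rules and the transform concrete, here is a small sync pass written for this post as an added illustration; it is not EmpowerID's code or data model.  It joins an HR feed and an AD-style directory on employeeID, applies an authoritative-source rule for the name (with the "one attribute in HR, givenName/sn in AD" split), a last-change-wins rule for the phone number, and a role-based provisioning rule for a sales application.  The directory names, attribute names, roles and every record are constructed for the example.

```python
"""Toy metadirectory sync: join on employeeID, attribute flow rules, a
name-splitting transform and role-based provisioning.  This is an added
illustration, not EmpowerID's code or data model; every directory,
attribute name and record below is constructed for the example."""
from copy import deepcopy
from datetime import datetime

NOW = datetime(2012, 9, 25)  # time of this sync run (constructed)

# Constructed source systems, keyed by the join attribute employeeID.
HR = {
    "E1001": {"fullName": "Ada Lovelace", "title": "HR Manager",
              "mobile": "+1 785 555 0100", "mtime": datetime(2012, 9, 20)},
    "E1002": {"fullName": "Grace Brewster Hopper", "title": "Sales Director",
              "mobile": "", "mtime": datetime(2012, 9, 21)},
}
AD = {  # AD keeps the name split; E1001's phone was edited here after HR's copy
    "E1001": {"givenName": "Ada", "sn": "Lovelass",  # stale typo in AD
              "telephoneNumber": "+1 785 555 0199", "mtime": datetime(2012, 9, 24)},
    "E0999": {"givenName": "Old", "sn": "Contractor",  # no HR record: an orphan
              "telephoneNumber": "", "mtime": datetime(2011, 1, 1)},
}
CRM = {}  # sales application: only sales roles are provisioned here

# Role-based provisioning rules (constructed): which role gets which account.
ROLE_RULES = {
    "HR Manager":     {"crm": False, "sharepoint_admin": True},
    "Sales Director": {"crm": True,  "sharepoint_admin": False},
}
NO_ACCESS = {"crm": False, "sharepoint_admin": False}


def split_name(full_name):
    """Transform rule: one 'First [Middle] Last' attribute -> (givenName, sn)."""
    parts = full_name.split()
    if len(parts) < 2:
        return (full_name.strip(), "")  # single token: do not invent a surname
    return (" ".join(parts[:-1]), parts[-1])


def last_change_wins(a_val, a_time, b_val, b_time):
    """Flow rule with no authoritative side: the newest non-empty value wins."""
    if not b_val:
        return a_val
    if not a_val:
        return b_val
    return a_val if a_time >= b_time else b_val


def sync(hr, ad, crm, now):
    """One inventory pass.  Returns new copies of the directories plus the
    person view, a per-person change log and any accounts joined to no person."""
    hr, ad, crm = deepcopy(hr), deepcopy(ad), deepcopy(crm)
    persons = {}
    for emp_id, rec in hr.items():  # HR is the source of "persons"
        person = {"accounts": {"hr": emp_id}, "changes": []}
        rules = ROLE_RULES.get(rec["title"], NO_ACCESS)

        # Join to AD on employeeID; provision an AD account if none is joined.
        if emp_id not in ad:
            ad[emp_id] = {"givenName": "", "sn": "", "telephoneNumber": "", "mtime": now}
            person["changes"].append("ad:provisioned")
        adrec = ad[emp_id]
        person["accounts"]["ad"] = emp_id
        ad_mtime = adrec["mtime"]  # capture before this pass mutates the record

        # Flow rule 1: HR is authoritative for the name; AD receives it split.
        given, sn = split_name(rec["fullName"])
        if (adrec["givenName"], adrec["sn"]) != (given, sn):
            adrec["givenName"], adrec["sn"], adrec["mtime"] = given, sn, now
            person["changes"].append("ad:name<-hr")

        # Flow rule 2: the phone number has no authoritative side.
        phone = last_change_wins(rec["mobile"], rec["mtime"],
                                 adrec["telephoneNumber"], ad_mtime)
        if phone != rec["mobile"]:
            rec["mobile"], rec["mtime"] = phone, now
            person["changes"].append("hr:mobile<-ad")
        if phone != adrec["telephoneNumber"]:
            adrec["telephoneNumber"], adrec["mtime"] = phone, now
            person["changes"].append("ad:phone<-hr")

        # Flow rule 3: role-based provisioning (and deprovisioning on role loss).
        if rules["crm"] and emp_id not in crm:
            crm[emp_id] = {"name": f"{given} {sn}".strip()}
            person["changes"].append("crm:provisioned")
        elif not rules["crm"] and emp_id in crm:
            del crm[emp_id]
            person["changes"].append("crm:deprovisioned")
        person["sharepoint_admin"] = rules["sharepoint_admin"]
        persons[emp_id] = person

    # Accounts with no person behind them are what the inventory should surface.
    orphans = sorted(k for k in ad if k not in hr)
    return {"persons": persons, "hr": hr, "ad": ad, "crm": crm, "orphans": orphans}


def run():
    return sync(HR, AD, CRM, NOW)


if __name__ == "__main__":
    result = run()
    for emp_id, person in result["persons"].items():
        print(emp_id, person["changes"], "sharepoint_admin=%s" % person["sharepoint_admin"])
    print("orphaned AD accounts:", result["orphans"])
```

Two details matter more than the rules themselves.  The AD record's timestamp is captured before the pass mutates it, otherwise a name correction written by the authoritative rule would make AD look "newest" and steal the last-change-wins decision for the phone number.  And the pass reports accounts that join to no person (E0999 above): an inventory that only pushes attributes outward never notices an orphaned account, which is exactly the kind of access the post says synchronization alone does not manage.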

Once you are there, a corporate metadirectory becomes immensely valuable to identity management.

