Evaluation Guide

Evaluation Steps

  1. Go through the list of heuristics to get a sense of each.

  2. Read the description of the scenario and understand the business logic.

  3. Perform each task as described on the IdM system.

  4. Identify usability problems while doing each task or after finishing the task. For each problem, please record the task in which you found the problem, and the heuristic with which you identified the problem. Use the scenario description and heuristics to check if the system supports the activity described in the scenario.

  5. Please record the problems in the form Here.

  6. If you want to edit any of the identified problems which you already entered in the form, you can do it from Here.

Recommendations

Scenarios

Description of the actors

Steve Barlow is an employee in the operations department. He is responsible for reviewing the information about the contractors. He does not have technical information about the Identity Management System or role-based access control.

James Beers is the manager of operations. His day mostly involves meeting with different stakeholders in the organization. He receives lots of emails and telephone calls every day; therefore, he needs a lot of discipline to prioritize his tasks. He does not know technical information about the IdM system or role-based access control, but he knows whether an employee should have access to some resources or not.

Kevin Klien and Sandra Tsai are both members of the security team. They are responsible for managing access to the resources in the organization and solving problems of different stakeholders. They work in the same office and they are very busy with these tasks.

Larry Gomez is a contractor that needs to work in NeteAuto for one month. He barely knows the structure of the company or other employees.

Scenario 1: Self-serve user registration

Larry Gomez is a contractor for the NeteAuto company and just started his job. To be able to access the Internet, he wants to create a user account in the IdM system. Using the company’s intranet, he finds the link to the IdM system and creates a new user account.

His request is directed to the security department. All members of the security team receive the request in their task list, and they can review or edit the user information. Finally, they can approve, reject, or reserve the task (reserving the task will remove it from the worklist of other security admins).

Steps for performing the scenario:

Larry Gomez accesses the IdM system. He uses the “create an account” link on the IdM login page and enters the required information.

Kevin Klien receives the request and after reviewing the information approves the request.

Scenario 2: Bulk loader

When an employee is hired by the NeteAuto company, or information about an employee changes, or an employee leaves the company, the first system in which the changes are reflected is the HR (Human Resources) system. The HR system is separate from the IdM system; therefore, the changes in the HR system also need to be applied to the IdM system. Transferring changes from the HR system to the IdM system is performed by the security team. The security team receives a file containing all the changes (additions, modifications, and deletions) from the HR system.

Every morning, Sandra Tsai, a member of the security team, downloads the HR file from the HR website and uploads the file to the IdM system to apply all the changes made in the HR system.

She uses the “Bulk Loader” feature in the IdM system to upload the HR file. Then she configures the system to respond to different actions defined in the HR file. An important step after submitting the changes is to review the result of submission.

She goes through the system logs, finds appropriate records, and identifies and fixes the problems, if any. Based on the organization's policy, if the number of changes in the HR file is more than 500, applying the changes should be postponed until further clarification by HR.

Steps for performing the scenario:

Sandra Tsai should first upload the HR file using the Bulk Loader in the System tab. In the next screen she chooses which field in the HR file describes the action that should be performed for each row in the file (in the example HR file it is the “action” row). She also chooses which field uniquely identifies each row in the HR file (in the example HR file it is the “%USER_ID%” row).

In the next screen she identifies the primary object that the HR file contains (choose USER as the file contains user information) and the mapping between actions in the HR file and actions in the IdM system (choose “Create User”, “Modify User”, and “Delete User” for any create, modify, and delete actions respectively).
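
A pre-upload check for the HR file in this scenario, given as an added example that is not part of the original guide or of the IdM product. It assumes the HR file is CSV and that the action values are spelled create, modify and delete; the “action” and “%USER_ID%” field names and the 500-change limit come from the scenario.

```python
import csv
import io
from collections import Counter

MAX_CHANGES = 500  # policy threshold stated in the scenario
KNOWN_ACTIONS = {"create", "modify", "delete"}  # assumed spellings of the three actions

# Constructed sample feed. The CSV layout is an assumption; field names follow the scenario.
SAMPLE_FEED = """action,%USER_ID%,department
create,lgomez,Operations
modify,sbarlow,Operations
delete,jhalpin,Operations
modify,sbarlow,Operations
purge,ktest,Security
,nouser,Security
"""

def preflight(feed_text, action_field="action", id_field="%USER_ID%", limit=MAX_CHANGES):
    """Return (ok_to_upload, per-action counts, list of problems) for an HR feed."""
    reader = csv.DictReader(io.StringIO(feed_text))
    problems, counts, seen = [], Counter(), {}
    missing = [f for f in (action_field, id_field) if f not in (reader.fieldnames or [])]
    if missing:
        return False, counts, [f"missing column(s): {', '.join(missing)}"]
    total = 0
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        total += 1
        action = (row[action_field] or "").strip().lower()
        user_id = (row[id_field] or "").strip()
        if action not in KNOWN_ACTIONS:  # no IdM action would be mapped to this value
            problems.append(f"line {line_no}: unmapped action {action!r}")
        else:
            counts[action] += 1
        if not user_id:
            problems.append(f"line {line_no}: empty {id_field}")
        elif user_id in seen:  # the identifier field must be unique per row
            problems.append(f"line {line_no}: {user_id} already changed on line {seen[user_id]}")
        else:
            seen[user_id] = line_no
    if total > limit:  # more than 500 changes: hold the file until HR clarifies
        problems.append(f"{total} changes exceed the limit of {limit}: postpone and ask HR")
    return not problems, counts, problems

if __name__ == "__main__":
    ok, counts, problems = preflight(SAMPLE_FEED)
    print("upload" if ok else "hold", dict(counts))
    for p in problems:
        print(" -", p)
```

Running the check before the upload surfaces duplicate identifiers and unmapped actions that would otherwise only appear later in the system logs.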

Scenario 3: Requesting a role

Steve Barlow is going on a last-minute vacation. He realizes that he does not have the required privileges to delegate his tasks to Jason Halpin, another member of the operations department. He does not have any technical information about the privileges required to perform the delegation, but he knows that he can generate a request for privileges in the identity management system. Therefore, he uses the IdM system to write a request. In the request, he describes that he needs the ability to delegate his role to another employee in his department.

When Steve submits the request, his manager needs to approve it before the request is implemented. The manager uses the IdM system to review and approve the request.

Once the manager approves the request, the request is directed to a member of the security team who reviews the request and, if it does not conflict with the security policy of the organization, tries to implement it. Implementing the request requires the security admin to understand the content of the request (in this case, learn that Steve wants to delegate his role) and find the appropriate role that corresponds to the request (in this case, the “Delegation Manager” role). Then he can add Steve Barlow as a member of that role.

Steps for performing the scenario:

Steve Barlow: generate the request using “Users>Manage Users>Create Online Request” and then select himself as the target user. Then he can describe and submit his request.

James Beers (Steve’s manager): log into the IdM system. Identify, review, and approve the request.

Kevin Klien (or other members of Security): log into the IdM system. Identify, review, and implement the request. To implement the request, he needs to modify the user and provision the user with the "Delegation Manager" role.

Scenario 4: Certification

As a part of the organization's policy, the security team should certify the roles of the employees in each department every 6 months. The security team uses a shared calendar to mark the dates that they should perform the certification and the deadline for finishing the certification. Each member in the security team is able to start a “Certification Process” in the IdM system.

When the certification date approaches, a member of the security team (Kevin Klein in this scenario) logs into the IdM system and chooses employees that should be certified.

The manager of each department receives a notification about the certification of his employees. In this scenario, the manager of operations (James Beers) receives an email that he should certify the roles of the employees of the operations department. James puts the email in his to-do list.

After a while, James logs into the IdM system and tries to certify the roles of the employees. For all of the employees, he checks the roles and validates whether the employee should possess the role or not.

It is important for the manager to perform the certification before the deadline. If the certification does not happen before the deadline, all the uncertified roles will be revoked from the employees. Therefore, before the deadline, a member of the security team sends reminders to perform the certification.

On the certification deadline, a member of the security team ends the certification process.

Steps for performing the scenario:

Kevin Klein: Log in to the IdM system. Go to the certification tab and start the certification process for the employees in the Operations department. Also, send reminders about the certification.

James Beers: Assume you are going to certify users in your department. Log in to the IdM system and search for the users that require certification using “Users>Manage Users>Certify Users”. Select users one by one, go to the “Certify Roles” tab, review their roles, and approve them.

Sandra Tsai: Log in to the IdM system and end the certification process.