Sun Identity Manager

FAQs for Identity Manager

This page includes both frequently-asked general questions and technical questions.


General Questions


Q:
What is Sun Identity Manager?
A:
Identity Manager allows customers to automate the process of creating, updating, and deleting user accounts across multiple IT systems. Collectively, this process is known as provisioning (creating and updating accounts) and deprovisioning (deleting them). For example, when a new employee joins a company, Identity Manager automatically runs a workflow that gathers the necessary approvals to grant the new employee access. Once these approvals are obtained, Identity Manager creates the user accounts the new employee needs to do his or her job. This may include creating the employee's record in the company's HR system (PeopleSoft), giving him or her access to ERP applications (SAP) and/or creating an email account (Microsoft Exchange). If the employee changes roles in the company, Identity Manager updates the user's accounts and provides access to the resources required in the new role. When an employee leaves the company, Identity Manager automatically removes his or her user accounts to prevent further access. By using Identity Manager, the entire provisioning and deprovisioning process can be automated, saving the customer both time and money.


Q:
How does Identity Manager help with legislative compliance and auditing?
A:
Identity Manager allows customers to enforce audit policies. An audit policy specifies what types of access a user may or may not have. For example, a standard Sarbanes-Oxley (SOX) control requires that the same user not have access to both the Accounts Payable and Accounts Receivable systems; holding both is known as a separation of duties violation. Identity Manager allows customers to run audit scans that check for a variety of these violations. Identity Manager can be configured to automatically remove the offending access or to send a notification to an administrator when a violation is detected; this process is known as remediation. Using Identity Manager enables organizations to save time and money by automating both audit scanning and remediation.


Q:
How is Identity Manager related to Sun Identity Auditor and Sun Identity Manager Service Provider Edition?
A:
Identity Manager now combines the functionality of the formerly separate Identity Manager, Identity Auditor, and Identity Manager SPE products into one converged provisioning and identity auditing product. This means that business rules, roles and audit policies are all synchronized and shared across the provisioning and auditing processes. For example, when a user changes jobs within the company, automated identity auditing can detect whether a segregation of duties violation would result, even before the user is provisioned for the new role, thus preventing the violation from occurring in the first place. Automated identity auditing can also detect whether a violation is already taking place and immediately remediate it through automated provisioning. The result is that the company can evaluate and enforce appropriate access in a repeatable, sustainable way, dramatically reducing the risk of non-compliance with company audit policies and government regulations.
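The separation-of-duties scan, its two remediation modes (revoke or notify), and the pre-provisioning check described in the two answers above, as an added example. This is illustrative code, not Sun Identity Manager's own; the account snapshot, the resource names (AP, AR, HR, Exchange) and the two policies are constructed for the example.

```python
"""Separation-of-duties (SoD) audit scan, remediation and pre-provisioning check.

Added illustration; not Sun Identity Manager code. The account snapshot,
resource names and policies below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed snapshot: user -> {resource name -> entitlements held there}
ACCOUNTS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"AP": {"approve_invoice"}, "AR": {"post_receipt"}, "Exchange": {"mailbox"}},
    "bob":   {"AP": {"enter_invoice"}, "Exchange": {"mailbox"}},
    "carol": {"AR": {"post_receipt"}, "HR": {"view_record"}},
}


@dataclass(frozen=True)
class SodPolicy:
    """Two resources one user must not hold at the same time."""
    name: str
    resource_a: str
    resource_b: str
    action: str  # "revoke_b": drop the second resource automatically; "notify": alert an admin


@dataclass(frozen=True)
class Violation:
    policy: str
    user: str


# Constructed audit policies (the AP/AR pair is the classic SOX example)
POLICIES: List[SodPolicy] = [
    SodPolicy("AP/AR", "AP", "AR", action="revoke_b"),
    SodPolicy("HR/AR", "HR", "AR", action="notify"),
]


def scan(accounts, policies) -> List[Violation]:
    """Audit scan: every (user, policy) where the user holds both resources."""
    return [
        Violation(p.name, user)
        for user, resources in sorted(accounts.items())
        for p in policies
        if p.resource_a in resources and p.resource_b in resources
    ]


def remediate(accounts, policies, violations):
    """Apply each violated policy's action. Returns (new snapshot, audit log lines).

    The input snapshot is not mutated, so a reviewer can diff before and after.
    """
    by_name = {p.name: p for p in policies}
    new = {u: {r: set(e) for r, e in rs.items()} for u, rs in accounts.items()}
    log = []
    for v in violations:
        p = by_name[v.policy]
        if p.action == "revoke_b":
            new[v.user].pop(p.resource_b, None)
            log.append(f"revoked {p.resource_b} from {v.user} (policy {p.name})")
        else:
            log.append(f"notify admin: {v.user} violates policy {p.name}")
    return new, log


def would_violate(accounts, user, new_resource, policies) -> List[str]:
    """Pre-provisioning check: names of policies that granting new_resource would break."""
    proposed = set(accounts.get(user, {})) | {new_resource}
    return [
        p.name for p in policies
        if {p.resource_a, p.resource_b} <= proposed
        and new_resource in (p.resource_a, p.resource_b)
    ]


if __name__ == "__main__":
    found = scan(ACCOUNTS, POLICIES)
    fixed, log = remediate(ACCOUNTS, POLICIES, found)
    print(found, log, would_violate(ACCOUNTS, "bob", "AR", POLICIES), sep="\n")
```

Running the block reports alice's AP/AR conflict (revoked automatically) and carol's HR/AR conflict (notify only, so the access remains and a second scan still flags it), and shows that granting bob AR would create a new AP/AR conflict before anything is provisioned.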


Q:
How do Identity Manager and Sun Access Manager work together?
A:
Identity Manager and Access Manager are completely complementary to one another, each serving a key role in an identity management infrastructure. Access Manager provides authentication (validates identity), authorization (enforces access policies on network resources), web single sign-on (SSO), and identity federation capabilities for applications. Identity Manager provides identity provisioning (including account creation, deletion, modification, access rights modification via a workflow) and auditing capabilities. Identity Manager can also provision accounts for users within Access Manager.


Q:
How is Identity Manager related to Waveset Lighthouse?
A:
Waveset was acquired by Sun Microsystems in December 2003. The company's flagship product, Waveset Lighthouse, consisted of two component products, Provisioning Manager and Password Manager. These products form the basis of the Identity Manager product.


Q:
Will implementing an identity management solution mean reworking all of our business processes?
A:
Sun understands that most organizations have established practices and processes for provisioning, and that most of these are manually driven. With Identity Manager, those processes continue to be supported, but are automated to the furthest extent possible. The Identity Manager automation engine is designed to fit customers' existing business processes: whether approvals are serial, parallel, or some combination of the two, Identity Manager can fit within an organization's existing environment.


Q:
Does Identity Manager integrate within an existing infrastructure?
A:
One of Sun's guiding principles for its identity management strategy is that all three component products within the identity management product line integrate readily with each other and with other vendors' products. We recognize that some enterprises have made prior investments in identity management technologies, whether access management products or directories. For this reason, Sun's strategy is to deliver open identity management solutions and a broad suite of resource adapters that integrate quickly with third-party products. Sun will continue to invest in partnerships and integration efforts with platform vendors, database vendors, enterprise software vendors and other identity management solution vendors in order to give customers maximum flexibility in deploying Sun solutions. This approach reduces the integration burden, shortens deployment times, and maximizes the value of prior technology investments.


Q:
Can Identity Manager provision all of our resources--digital (IT systems) and non-digital (phones, PDAs, badges, office space)?
A:
Yes. Identity Manager can provision both digital and non-digital resources. Digital systems are provisioned automatically, with accounts created as soon as a request arrives from your authoritative source. Non-digital resources are provisioned either through existing resource adapters or via workflow and e-mail requests. In the case of Card Management Systems (CMS) such as ActivIdentity, Identity Manager can send a request directly to the CMS using an out-of-the-box resource adapter. Where provisioning requires manual intervention, such as issuing a desktop or notebook computer, Identity Manager can be configured to send an e-mail request to the IT department for fulfillment.


Q:
We have custom applications that were built in-house or developed specifically for us. Can Identity Manager extend its coverage to these?
A:
Yes. Most companies need to extend coverage to custom or vertical-specific applications. In formal surveys of Fortune 500 companies, the vast majority (>80%) of Security Directors, Chief Security Officers and IT Directors interviewed said they would need support for custom or proprietary applications from an identity management solution. Sun's Resource Adapter Wizard is a complete development toolkit with which customers can build fully functional custom resource adapters for systems that are not supported out-of-the-box. Sun provides this toolkit free of charge to customers and partners so they can extend coverage to these applications when needed. Identity Manager also offers a set of generic scriptable adapters that let customers build resource adapters from common operating-system or database (SQL) scripts. In some cases, customers can reuse existing provisioning scripts, preserving their investment and reducing the cost of implementation.

Technical Questions


Q:
What is a Sun Identity Manager Resource Adapter? How does it work?
A:
Sun Identity Manager uses the term "adapter" for its connector technology. Identity Manager includes more than 60 out-of-the-box resource adapters, which establish connections to the external systems that hold the user identity attributes to be managed. Identity Manager's adapters are agentless, meaning no software is deployed on the target resources, which greatly reduces the time needed to deploy a provisioning solution. In practice, agentless means each adapter authenticates to its target over the target's native protocol with an administrative credential held by Identity Manager; those credentials should be scoped to the minimum rights the adapter needs and protected like any other privileged account.


Q:
What is SPML? Does Identity Manager support SPML?
A:
The Service Provisioning Markup Language (SPML) is a standard way for IT systems to exchange provisioning requests, such as requests to add, modify, delete or look up an account on a target system. Identity Manager supports SPML 2.0. For more information on SPML, please visit: www.openspml.org
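What an SPML 2.0 exchange looks like on the wire, as an added example; this is not code from the page or from Sun Identity Manager. The core namespace is SPML 2.0's; the attribute elements use the DSMLv2 core namespace that SPML's DSML profile reuses, which is an assumption about the profile rather than something the page states. The target and container identifiers, the attribute names and the two sample responses are constructed for the example.

```python
"""Build a minimal SPML 2.0 addRequest and interpret an addResponse.

Added illustration; not Sun Identity Manager code. The target/container
identifiers, attribute names and the sample responses are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable

SPML = "urn:oasis:names:tc:SPML:2:0"        # SPML 2.0 core namespace
DSML = "urn:oasis:names:tc:DSML:2:0:core"   # DSMLv2 core, as used by the SPML DSML profile (assumed)
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)


def build_add_request(request_id: str, target_id: str, container_id: str,
                      attrs: Dict[str, Iterable[str]]) -> str:
    """Serialise an addRequest that creates one account (a PSO) on a target."""
    req = ET.Element(f"{{{SPML}}}addRequest",
                     {"requestID": request_id, "targetID": target_id,
                      "executionMode": "synchronous"})
    ET.SubElement(req, f"{{{SPML}}}containerID", {"ID": container_id, "targetID": target_id})
    data = ET.SubElement(req, f"{{{SPML}}}data")
    for name, values in attrs.items():
        attr = ET.SubElement(data, f"{{{DSML}}}attr", {"name": name})
        for value in values:
            ET.SubElement(attr, f"{{{DSML}}}value").text = value  # ElementTree escapes the text
    return ET.tostring(req, encoding="unicode")


def parse_add_response(xml_text: str) -> dict:
    """Pull status, error code, messages and the created PSO identifier out of an addResponse."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML}}}addResponse":
        raise ValueError(f"not an SPML addResponse: {root.tag}")
    status = root.get("status")
    if status not in ("success", "failure", "pending"):
        raise ValueError(f"unknown status {status!r}")
    pso_id = root.find(f"{{{SPML}}}pso/{{{SPML}}}psoID")
    return {
        "requestID": root.get("requestID"),
        "status": status,
        "error": root.get("error"),
        "messages": [m.text or "" for m in root.findall(f"{{{SPML}}}errorMessage")],
        "psoID": pso_id.get("ID") if pso_id is not None else None,
    }


# Constructed responses a provisioning service provider might return
SUCCESS_RESPONSE = (
    f'<addResponse xmlns="{SPML}" requestID="req-1" status="success">'
    '<pso><psoID ID="uid=jdoe,ou=people,dc=example,dc=com" targetID="ldap-target"/></pso>'
    '</addResponse>'
)
FAILURE_RESPONSE = (
    f'<addResponse xmlns="{SPML}" requestID="req-2" status="failure" error="alreadyExists">'
    '<errorMessage>account jdoe already exists on ldap-target</errorMessage>'
    '</addResponse>'
)

if __name__ == "__main__":
    print(build_add_request("req-1", "ldap-target", "ou=people,dc=example,dc=com",
                            {"uid": ["jdoe"], "objectclass": ["inetOrgPerson"]}))
    print(parse_add_response(SUCCESS_RESPONSE))
    print(parse_add_response(FAILURE_RESPONSE))
```

Two practical points: a "pending" status means the provider accepted the request asynchronously and the caller must poll for the result rather than treat the account as created, and responses from a remote provider are untrusted XML, so in production parse them with a hardened parser such as defusedxml rather than the stock ElementTree used here for self-containment.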


Q:
What is the Identity Manager Virtual Identity Manager?
A:
Virtual Identity Manager is a patent-pending technology that collects key information on managed accounts without duplicating the entire account in a private, centralized repository. With Virtual Identity Manager, the source data is left where it natively resides and a centralized index to that data is built. This eliminates the need to create yet another repository of user data or to duplicate and synchronize organizations from native directories. The data-sparse model also reduces the need for constant synchronization, because the data stays where it belongs, in its native format. Virtual Identity Manager reflects the principle that the primary goal of identity management is to gain control of the user management process, not ownership of the underlying identity data.


Q:
How does Identity Manager support Workflow?
A:
Identity Manager provides a complete workflow module covering approval processing, notification, authorization, security management, and provisioning process control. The module drives automated workflows that create, read, update, suspend, and delete user accounts and resources. Within a workflow, approvals can be marked as required for additions, modifications and/or deletions. Identity Manager workflow supports multi-level serial and parallel approvals and lets you define the number of approvers and the order in which their approvals must be obtained. In addition, Identity Manager can automatically send notifications and reminders when a task has not been acted on within the specified timeframe, and can escalate and forward tasks to other approvers or managers if no action is taken within the required time, which helps ensure timely provisioning and deprovisioning of employees, contractors, partners, and so on.


Q:
What is the difference between rules-based and role-based access control?
A:
Rules assign permissions based on user attributes such as department, partner level, or location. They provide a way to assign access rights without first defining formal roles. Role-based access control uses predefined roles that specify which resources a user gets when a given role is assigned. In organizations where roles are well understood, this information can be used directly for provisioning. Identity Manager supports both approaches, so organizations can choose the combination that fits their environment.
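The two approaches side by side, as an added example that is not code from the page or from Sun Identity Manager: attribute-driven rules and predefined roles both contribute to a user's effective resources, and the delta between two states of the same user gives the provisioning and deprovisioning actions for a hire, a job change and a departure. The rules, roles, resource names and user records are constructed for the example. It also shows the failure mode a practitioner should expect: a rule keyed on an attribute such as location keeps granting access after termination unless leavers are gated out explicitly.

```python
"""Rules-based vs role-based resource assignment, and the provisioning delta
when a user's attributes or roles change.

Added illustration; not Sun Identity Manager code. The rules, roles, resource
names and user records are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

User = Dict[str, str]  # attribute name -> value, e.g. as fed from an HR system


@dataclass(frozen=True)
class Rule:
    """Attribute-driven grant: if applies(user) is true, the user gets these resources."""
    name: str
    applies: Callable[[User], bool]
    grants: FrozenSet[str]


@dataclass(frozen=True)
class Role:
    """Predefined bundle of resources, granted only while the role is assigned."""
    name: str
    grants: FrozenSet[str]


RULES: List[Rule] = [
    Rule("staff-mail", lambda u: True, frozenset({"Exchange"})),
    Rule("finance-erp", lambda u: u.get("department") == "Finance", frozenset({"SAP"})),
    Rule("emea-fileshare", lambda u: u.get("location", "").startswith("EMEA"), frozenset({"EMEA-NAS"})),
]

ROLES: Dict[str, Role] = {
    "AP Clerk": Role("AP Clerk", frozenset({"SAP", "AP-Portal"})),
    "Recruiter": Role("Recruiter", frozenset({"PeopleSoft"})),
}


def effective_resources(user: User, assigned_roles: List[str],
                        rules: List[Rule], roles: Dict[str, Role]) -> Dict[str, Set[str]]:
    """Resource -> the rules/roles that justify it.

    Keeping the sources lets a reviewer see why access exists and what has to
    change (an attribute, or a role assignment) to remove it.
    """
    # Leavers hold nothing regardless of rules or roles. Without this gate the
    # location rule above would keep granting EMEA-NAS after termination.
    if user.get("status") != "active":
        return {}
    sources: Dict[str, Set[str]] = {}
    for rule in rules:
        if rule.applies(user):
            for res in rule.grants:
                sources.setdefault(res, set()).add(f"rule:{rule.name}")
    for role_name in assigned_roles:
        if role_name not in roles:
            raise KeyError(f"unknown role {role_name!r}")  # refuse to guess at undefined roles
        for res in roles[role_name].grants:
            sources.setdefault(res, set()).add(f"role:{role_name}")
    return sources


def plan_changes(before: Dict[str, Set[str]],
                 after: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """(resources to provision, resources to deprovision) between two effective sets."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


if __name__ == "__main__":
    hired = {"status": "active", "department": "Finance", "location": "EMEA-UK"}
    moved = {**hired, "department": "HR"}
    left = {**moved, "status": "terminated"}
    a = effective_resources(hired, ["AP Clerk"], RULES, ROLES)
    b = effective_resources(moved, ["Recruiter"], RULES, ROLES)
    c = effective_resources(left, [], RULES, ROLES)
    print(a, plan_changes(a, b), plan_changes(b, c), sep="\n")
```

Note that SAP is justified twice for the new hire (by the finance rule and by the AP Clerk role); removing the role alone would not revoke SAP, which is exactly the kind of fact an auditor wants visible before deprovisioning is declared complete.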
