General FAQ
Q:
What is Sun Java System Identity Manager?
A:
Identity Manager allows customers to automate the process of creating, updating, and deleting user accounts across multiple IT systems. Collectively, this process is known as provisioning (e.g., creating, updating) and deprovisioning (e.g., deleting). For example, when a new employee joins a company, Identity Manager will automatically run a workflow retrieving the necessary approvals to grant the new employee access. Once these approvals are obtained, Identity Manager will automatically create user accounts allowing the new employee to do his or her job. This may include creating the user account for the new employee in the company's HR systems (PeopleSoft), giving him or her access to ERP applications (SAP) and/or creating an email account (Microsoft Exchange). If the employee changes roles in the company, Identity Manager will update the user account and provide access to the necessary resources required in that new role. When an employee leaves the company, Identity Manager automatically removes his or her user accounts to prevent access. By using Identity Manager, the entire provisioning and deprovisioning process can be automated--saving the customer both time and money.
Q:
How does Identity Manager help with legislative compliance and auditing?
A:
Identity Manager allows customers to enforce audit policies. An audit policy specifies what types of access a user may or may not have. For example, it is a violation of Sarbanes-Oxley (SOX) for the same user to have access to both the Accounts Payable and Accounts Receivable systems; this is known as a separation of duties violation. Identity Manager allows customers to conduct audit scanning to check for a variety of these types of violations. Identity Manager can be configured to automatically remove access or send a notification to an administrator when a violation is detected; this process is known as remediation. Using Identity Manager enables organizations to save time and money by automating both audit scanning and the remediation process.
Q:
How is Identity Manager related to Sun Java System Identity Auditor and Sun Java System Identity Manager Service Provider Edition?
A:
Identity Manager 7.0 combines the functionality of Identity Manager, Identity Auditor, and Identity Manager SPE into one converged provisioning and identity auditing product. This means that business rules, roles and audit policies will all be synchronized and shared across the provisioning and auditing processes. For example, when a user changes jobs within the company, automated identity auditing can detect whether a segregation of duties violation will occur as a result--even before the user is ever provisioned for the new role, thus preventing the violation from occurring in the first place. Automated identity auditing can also detect whether a violation is already taking place and instantly remediate it through automated provisioning. The result is that the company can evaluate and enforce appropriate access in a repeatable, sustainable way, dramatically reducing the risk of non-compliance with company audit policies and government regulations.
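Added example (not Sun's code, and not how Identity Manager itself expresses policies): a minimal Python sketch of the separation-of-duties check described in the two answers above, run both as a detective scan over existing accounts and as a preventive check on proposed access before provisioning. The role names, entitlement names and account data are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed SoD policy and role model; names are not Identity Manager identifiers.
SOD_CONFLICTS = [frozenset({"accounts_payable", "accounts_receivable"})]

# Role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"accounts_payable", "email"},
    "ar_clerk": {"accounts_receivable", "email"},
    "hr_analyst": {"hr_system", "email"},
}

# Constructed account data: user -> (roles, directly granted entitlements).
ACCOUNTS = {
    "alice": ({"ap_clerk"}, set()),
    "bob": ({"ar_clerk"}, {"accounts_payable"}),  # conflict via a direct grant
    "carol": ({"hr_analyst"}, set()),
}

@dataclass(frozen=True)
class Violation:
    user: str
    conflict: tuple  # sorted pair of conflicting entitlements

def effective_access(roles, direct=()):
    """Union of role grants and direct grants; the policy is checked on this."""
    granted = set(direct)
    for role in roles:
        granted |= ROLE_ENTITLEMENTS[role]
    return granted

def find_violations(user, access):
    """One Violation per conflict pair fully contained in the user's access."""
    return [Violation(user, tuple(sorted(pair)))
            for pair in SOD_CONFLICTS if pair <= access]

def check_proposed(user, proposed_roles, direct=()):
    """Preventive check: evaluate access as it would be after the change."""
    return find_violations(user, effective_access(proposed_roles, direct))

def audit_scan(accounts):
    """Detective scan over existing accounts, in stable user order."""
    report = []
    for user in sorted(accounts):
        roles, direct = accounts[user]
        report.extend(find_violations(user, effective_access(roles, direct)))
    return report

if __name__ == "__main__":
    print(audit_scan(ACCOUNTS))
```

The scan flags bob, whose conflict comes from a direct grant rather than from two roles, which is why the check runs on effective access and not on role names alone.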
Q:
How do Identity Manager and Sun Java Access Manager work together?
A:
Identity Manager and Access Manager are completely complementary to one another, each serving a key role in an identity management infrastructure. Access Manager provides authentication (validates identity), authorization (enforces access policies on network resources), web single sign-on (SSO), and identity federation capabilities for applications. Identity Manager provides identity provisioning (including account creation, deletion, modification, access rights modification via a workflow) and auditing capabilities. Identity Manager can also provision accounts for users within Access Manager.
Q:
How is Identity Manager related to Waveset Lighthouse?
A:
Waveset was acquired by Sun Microsystems in December 2003. The company's flagship product, Waveset Lighthouse, consisted of two component products, Provisioning Manager and Password Manager. These products provide the basis for the Identity Manager product.
Q:
Will implementing an identity management solution mean reworking all of our business processes?
A:
Sun understands that most organizations have established practices and processes for provisioning -- and that most are manually driven. With Identity Manager, these processes continue to be supported, yet automated to the furthest extent possible. The Identity Manager automation engine is specifically designed to fit customers' existing business processes. Whether approval processes require serial approvals, parallel approvals or some combination, Identity Manager can fit within an organization's existing environment.
Q:
Does Identity Manager integrate within an existing infrastructure?
A:
One of Sun's guiding principles for its identity management strategy is to ensure that all three component products within the identity management product line are easy to integrate. We recognize that some enterprises have made prior investments in identity management technologies - whether they are access management products or other directories. For this reason, Sun's strategy is to deliver open identity management solutions and a broad suite of resource adapters that quickly and easily integrate with third-party products. Sun will continue to invest in partnerships and integration efforts with platform vendors, database vendors, enterprise software vendors and other identity management solution vendors in order to give customers maximum flexibility in deploying Sun solutions. This approach reduces the integration burden, reduces deployment times, and maximizes the value of prior technology investments.
Q:
Can Identity Manager provision all of our resources--digital (IT systems) and non-digital (phones, PDAs, badges, office space)?
A:
Yes. Identity Manager can provision both digital and non-digital resources. Identity Manager can provision your digital systems automatically, creating the accounts as soon as a request is made from your authoritative source. Identity Manager can also provision your non-digital resources by using existing resource adapters or via workflow and e-mail requests. In the case of Card Management Systems (CMS) such as ActivIdentity, Sun Identity Manager can send a request directly to the CMS using an out-of-the-box resource adapter. In other cases when provisioning requires manual intervention such as issuing a computer or notebook, Identity Manager can be configured to send an e-mail request to the IT department for fulfillment.
Q:
We have custom applications that were built in-house or developed specifically for us. Can Identity Manager extend its coverage to these?
A:
Yes. Most companies have a need to extend coverage to custom or highly verticalized applications. During formal surveys of Fortune 500 companies, the vast majority (>80%) of Security Directors, Chief Security Officers and IT Directors interviewed indicated that they would need support for custom or proprietary applications from an identity management solution. Sun's Resource Adapter Wizard provides a complete development toolkit in which end-users can develop fully functional custom resource adapters for systems that are not supported out-of-the-box. Sun provides this toolkit free of charge to customers and partners so they can use it when needed to extend coverage to these applications. Sun Identity Manager also offers a set of generic scriptable adapters that allow customers to create resource adapters by utilizing popular operating or database (SQL) scripts. In some cases, customers may reuse existing provisioning scripts, thereby preserving their existing investment and reducing the cost of implementation.