IBM Security Verify

  • 1.  Active Directory based Application Integration with ISIM

    Posted 29 days ago

    For account management processes, I want to integrate an application which utilizes MS Active Directory for authentication and authorization with IBM Security Identity Manager. Consider the fact that IBM offers an out-of-the-box AD adapter which has already been deployed and is being used for the AD Service for user account and service account management through ISIM. As mentioned, the application has AD groups which are going to be onboarded as Application Accesses on the ISIM self-service console so the users can Request Access. Could anyone suggest the best practice on the integration method leveraging the AD adapter? I am exploring an integration approach where the account management and reconciliation process for the application can be automated in ISIM.



    ------------------------------
    Abdullah Khan
    ------------------------------


  • 2.  RE: Active Directory based Application Integration with ISIM

    Posted 24 days ago

    Managing AD is not a simple task and is not something I can give any definitive answers to - especially in a forum like this. My recommendation is to partner with IBM Security Expert Labs as we have extensive experience in this kind of integration.

    Though I do not want to get into details, there are a couple of high-level things to be aware of that I will try to describe briefly here:

    • Managing AD from an external system like ISVG IM means that you want to design your AD structure for this - this could e.g. be to provide an OU setup in AD that puts specific accounts (standard employee, service, RPA, administrative etc.) in separated OUs so that you can handle them as separate services in ISVG IM.
    • It is not realistic to provide a full RBAC setup for managing all groups in the AD - some can be split into separate OUs - but it is probably important that all groups are visible in ISVG IM, so what is needed is a "hybrid provisioning" approach - some groups must be mandatory (birthrights and RBAC business/project assigned entitlements) and some allowed (optional) with approval. This is not simple to build/maintain.
    • It is important to establish a Role Governance process to ensure that policies are maintained over time - it is not enough to rely on Identity life cycle management.

    This is barely scratching the surface - but I hope it gives you a starting point...



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Active Directory based Application Integration with ISIM

    Posted 17 days ago

    We have implemented a couple hundred AD integrations with other applications by splitting role basing into 'realms' where each realm is essentially treated as a separate service, and they require specific AD Group prefixes; that, coupled with some custom provisioning policies, has let us achieve a great deal of success. The path you're going down requires lots of customization, but if done properly up front it can ease the process with additional applications afterwards.



    ------------------------------
    Jordan Boncz
    ------------------------------



  • 4.  RE: Active Directory based Application Integration with ISIM

    Posted 16 days ago

    This is IMHO a good way to handle AD - the challenge is, though, that AD people have a tendency not to adhere to the wishes of the IAM functions. But I see more and more places where AD governance is moved from the Windows infrastructure realm into IAM - but there can be a lot of history that cannot easily be handled with this pattern alone - also the group hierarchy in AD (think forest, OU placement) may give some challenges in a setup like this. But this can definitely make a lot of things easier.



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Active Directory based Application Integration with ISIM

    Posted 16 days ago

    Yeah, the start of doing this was rough, but doable. We had to create an 'unmanaged' list of AD groups as a provisioning policy, that the automated provisioning policy was able to reference to ensure that groups that weren't managed were not inadvertently removed. We have slowly eliminated groups as we onboarded individual AD-integrated applications.

    We also have a separate unmanaged policy that unmanages all Shares and Distribution groups from the provisioning policy, as those are managed by the respective teams.



    ------------------------------
    Jordan Boncz
    ------------------------------



  • 6.  RE: Active Directory based Application Integration with ISIM

    Posted 16 days ago

    I can imagine - there is in general no magic wand to solve the "hybrid provisioning" setup as we called it back in the 2000's....

    In general, to build a hybrid scheme you can do that by inclusion (list of "hard" managed groups) or exclusion (the opposite).

    The patterns are normally either based on naming (using regex to allow/disallow) or metadata (e.g. placement in the AD tree) or - as in your example - an explicit list. I prefer the metadata solution as naming schemes are somewhat risky and maintaining a list is hard work.

    I have been trying to convince our development/Product Management to build some more flexible solutions, and I hope we will see improvements in the area in the coming years as the governance functionality of ISVG IM is improved.



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: Active Directory based Application Integration with ISIM

    Posted 14 days ago

    Hi Jordan,

    Here you are talking about the respective OU of an AD-based application, where the AD groups have a certain prefix to identify that app in the Active Directory?

    In this case, to integrate such an application, the Service Type in ISIM would be the same (AD profile), but the Service(s) would be newly created to identify the managed application(s)?

    How did you manage the reconciliation for such integrated apps in ISIM? Is it a one-time activity once the app is integrated?

    TIA! 



    ------------------------------
    Abdullah Khan
    ------------------------------



  • 8.  RE: Active Directory based Application Integration with ISIM

    Posted 14 days ago

    I cannot answer on behalf of Jordan - but let me explain how this can be organized.

    In AD you can have users and groups organized in OUs (actually a tree). When you create an AD service you can provide both a user and group entry point in the service form that will limit what the service will be able to see. Users and groups reconciled will in ISVG IM (aka ISIM) be local to that service.

    The challenge here is to get the tree structure "right" - you may want to run with local users but global groups, but that depends on what you want to achieve. As users and groups are unique within AD you should try to avoid overlap between services if possible - else you need to understand the consequences (you may risk an endless loop of provisioning/de-provisioning if not careful).

    Also be aware that the entities in AD that are reconciled back to ISIM are also dependent on the ACL and the account running the adapter - this is especially important if you need access to enterprise forest groups....

    HTH   



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 9.  RE: Active Directory based Application Integration with ISIM

    Posted 8 days ago

    Thank you Franz for the response.

    We currently have an existing Active Directory (AD) service configured with a root level of "Users/Groups" for the Base Point DN. This service successfully synchronizes users and groups residing within the OU and sub-OUs in ISIM.

    I am looking for a solution to manage groups specifically associated with e.g. two AD-based applications: App-A and App-B. These application groups reside within a distinct OU in our AD structure.

    My understanding is that creating separate services in ISIM for App-A and App-B, leveraging the existing AD profile as Service Type and specifying the dedicated OU path for each application's groups in the service creation form, would be an appropriate approach? Since all users are already being created in a specific single OU different from the OU of the groups, reconciling the service for App-A won't bring any accounts, as the OU in the service form only has groups defined for App-A. Furthermore, what if a user has groups assigned from both App-A and App-B; how would ISIM manage the accounts/accesses within the Service(s)?

    AD based integration means that the App-A/App-B takes authentication from the AD (user account exists and enabled in AD) and authorization is catered by the AD groups created specifically for those apps.



    ------------------------------
    Abdullah Khan
    ------------------------------



  • 10.  RE: Active Directory based Application Integration with ISIM

    Posted 7 days ago

    Let me try to answer, even though I know this is not really a solution to your problem.

    If you just add a new service that can only see the groups (using the group base point of the OU where they are located) and having the same default base point for users, there will be problems, as the same accounts will pop up in your existing service and you would need a process to handle that overlap, which is not simple nor advisable. So I do not think creating a new service is a solution to manage groups / is what you need.

    The whole point in the previous discussion was that separating users and groups in OUs in the AD can reduce the complexity in ISIM to provide an RBAC provisioning scheme - that means that the service is in "correct compliance" mode and all groups in scope are governed by policies. So designing and managing your AD and IGA solution as a cooperative thing can reduce the complexity - but there is no "one solution fits all" IMHO available.

    This is NOT a solution when you need to manage some groups as RBAC and some as request based (allowed but not mandatory) - for that you need what we back in the 2000s called a "hybrid provisioning" scheme.

    A hybrid provisioning scheme can be implemented using a naming scheme (all groups matching e.g. a prefix are by default disallowed and can be allowed through explicit roles/policies) or based on an attribute (e.g. AD OU - all groups in a specific OU are disallowed in a scripted policy).

    It is probably something like that you will need. IBM Expert Labs has done this many places and can help you if needed as professional services. If you are already engaging with Expert Labs and they are not sure what this means you can ask them to contact me internally in IBM :-) 

    There are of course a lot of details in how to design a specific solution that is needed - but I hope this outlines what is needed.



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
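The hybrid provisioning logic described in posts 6 and 10 (groups governed by OU placement or by a naming prefix, default-disallowed unless granted through roles or approved requests) combined with the explicit unmanaged list from post 5, as an added illustration that is not part of this thread and not ISIM's provisioning-policy API. The OU, prefix, patterns and group DNs are constructed; a real policy would take role and request data from ISIM instead of the literals used here.

```javascript
// Added illustration (not ISIM's API): hybrid provisioning decision for AD groups.
// A group is "managed" (default disallowed, granted only via a role or an approved
// request) when it sits under the application group OU or carries the application
// naming prefix. Shares, distribution lists and anything outside that scope are
// "unmanaged" and must never be added or removed by the policy.
const MANAGED_GROUP_OU = 'ou=appgroups,dc=example,dc=com';   // constructed OU
const APP_GROUP_PREFIX = /^cn=app-[a-z0-9]+-/;               // e.g. CN=APP-A-Readers
const UNMANAGED_PATTERNS = [/^cn=dl-/, /^cn=share-/];        // explicit exclusion list

// DN comparison in AD is case-insensitive; strip whitespace around RDN separators.
const norm = (dn) => dn.replace(/\s*,\s*/g, ',').toLowerCase();

function isManaged(dn) {
  const d = norm(dn);
  if (UNMANAGED_PATTERNS.some((re) => re.test(d))) return false;
  const inManagedOu = d.endsWith(',' + MANAGED_GROUP_OU);     // attribute-based rule
  return inManagedOu || APP_GROUP_PREFIX.test(d);            // naming-based rule
}

// current:   group DNs on the account as seen by reconciliation
// mandatory: DNs granted by RBAC roles (birthrights), enforced
// allowed:   DNs granted through approved access requests, optional (kept, never forced)
function evaluate(current, mandatory, allowed) {
  const mand = new Set(mandatory.map(norm));
  const granted = new Set([...mand, ...allowed.map(norm)]);
  const cur = new Set(current.map(norm));
  const keep = [], remove = [];
  for (const g of current) {
    if (!isManaged(g) || granted.has(norm(g))) keep.push(g);
    else remove.push(g);                     // in scope and not granted: non-compliant
  }
  const add = mandatory.filter((g) => !cur.has(norm(g)));    // missing birthrights
  return { add, remove, keep };
}

// Constructed reconciliation result for one account.
const SAMPLE_CURRENT = [
  'CN=APP-A-Readers,OU=AppGroups,DC=example,DC=com',  // granted by role: keep
  'CN=APP-B-Admins,OU=AppGroups,DC=example,DC=com',   // managed, not granted: remove
  'CN=DL-AllStaff,OU=AppGroups,DC=example,DC=com',    // distribution list: leave alone
  'CN=SHARE-Finance,OU=Shares,DC=example,DC=com',     // share group: leave alone
  'CN=Legacy-Printer,OU=Infra,DC=example,DC=com',     // outside scope: leave alone
];

function example() {
  const roleGroups = ['CN=APP-A-Readers,OU=AppGroups,DC=example,DC=com',
                      'CN=APP-A-Writers,OU=AppGroups,DC=example,DC=com'];
  return evaluate(SAMPLE_CURRENT, roleGroups, []);
}
```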