users they want to look at. Your business partners' administrators only get to
see data pertaining to their own organisations. This is easy to implement
because IAM protects this application just as it does other business apps,
and the logged-in user's organisation should be one of the user attributes
passed in.
Design user creation as a two-step process. The user who enters all the
details of the new user is the "requester". You'll need another screen for an
"authoriser" to see all pending user creation requests. The user is actually
created and activated only after the authoriser approves the request. You
could create the user record in the IAM database at the time of the request
but mark it inactive. When the request is authorised, you mark the record
active and also insert the corresponding record in the directory. Needless to
say, both steps of the user creation process need to be audit-logged.
Once the user has been created (i.e., on authorisation), send off two
separate emails to the user containing their user ID and their password [47].
The password should be pre-expired so that the user has to change it on first
login [48].
Other user functions:
User search, View/Edit Selected User and Delete/Deactivate User would be
other standard user management functions you will need. Again, design
these functions to work in the delegated administration context as well.
Deletion should also follow the two-step request/authorise process and be
audit-logged at each step.
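To make the request/authorise ("maker-checker") workflow concrete, here is an added worked example in Python that is not code from the book. It simulates, in memory, the IAM database, the directory and the mailer, and exercises the control points the text calls for: the record is stored inactive on request and activated plus written to the directory only on authorisation; deletion goes through the same two steps; every step is audit-logged; every function is scoped by the administrator's organisation attribute so it works for delegated administration; the password is generated pre-expired and sent separately from the user ID. The store names (`IAM_DB`, `DIRECTORY`, `PENDING`, `AUDIT_LOG`, `OUTBOX`), the `Admin` object and the four-eyes rule that a requester may not authorise their own request are assumptions made for the example; the text does not specify them.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed stand-ins for the real stores; not the book's code.
IAM_DB: dict[str, dict] = {}             # user_id -> IAM user record
DIRECTORY: set[str] = set()              # user IDs provisioned into the directory
PENDING: dict[str, dict] = {}            # request_id -> pending request
AUDIT_LOG: list[dict] = []               # append-only trail, one entry per step
OUTBOX: list[tuple[str, str, str]] = []  # (to, subject, body) instead of SMTP


def reset() -> None:
    """Clear every store (used by the demo and tests)."""
    for store in (IAM_DB, PENDING, DIRECTORY, AUDIT_LOG, OUTBOX):
        store.clear()


@dataclass(frozen=True)
class Admin:
    """Logged-in administrator; `org` is the organisation attribute IAM passes in."""
    user_id: str
    org: str
    internal: bool = False  # assumption: internal admins may act across all organisations


def _in_scope(admin: Admin, org: str) -> bool:
    return admin.internal or admin.org == org


def _audit(actor: Admin, action: str, **detail) -> None:
    AUDIT_LOG.append({"actor": actor.user_id, "action": action, **detail})


def _queue(requester: Admin, kind: str, user_id: str) -> str:
    """Record a pending request and audit the request step."""
    req_id = secrets.token_hex(4)
    PENDING[req_id] = {"kind": kind, "user_id": user_id, "requester": requester.user_id}
    _audit(requester, f"{kind}_requested", request=req_id, user=user_id)
    return req_id


def request_create(requester: Admin, user_id: str, email: str, org: str) -> str:
    """Step 1 (requester): store the record inactive and queue it for authorisation."""
    if not _in_scope(requester, org):
        raise PermissionError("delegated admin may only create users in own organisation")
    if user_id in IAM_DB:
        raise ValueError(f"user {user_id!r} already exists")
    IAM_DB[user_id] = {"email": email, "org": org, "active": False}
    return _queue(requester, "create", user_id)


def request_delete(requester: Admin, user_id: str) -> str:
    """Step 1 for deletion: same request/authorise path, same audit trail."""
    if not _in_scope(requester, IAM_DB[user_id]["org"]):
        raise PermissionError("out of organisation scope")
    return _queue(requester, "delete", user_id)


def pending_for(admin: Admin) -> list[dict]:
    """The authoriser's screen: only requests for organisations the admin may see."""
    return [{"request": rid, **req} for rid, req in PENDING.items()
            if _in_scope(admin, IAM_DB[req["user_id"]]["org"])]


def search_users(admin: Admin) -> list[str]:
    """User search, scoped the same way as every other delegated-admin function."""
    return sorted(uid for uid, rec in IAM_DB.items() if _in_scope(admin, rec["org"]))


def authorise(authoriser: Admin, req_id: str) -> dict:
    """Step 2 (authoriser): apply the change, sync the directory, audit, notify."""
    req = PENDING.get(req_id)
    if req is None:
        raise KeyError("no such pending request")
    if req["requester"] == authoriser.user_id:  # assumption: four-eyes rule
        raise PermissionError("a requester may not authorise their own request")
    user_id = req["user_id"]
    rec = IAM_DB[user_id]
    if not _in_scope(authoriser, rec["org"]):
        raise PermissionError("out of organisation scope")
    del PENDING[req_id]
    if req["kind"] == "create":
        password = secrets.token_urlsafe(12)
        rec["pw_salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["pw_salt"], 200_000)
        rec["password_expired"] = True  # forces a change at first login
        rec["active"] = True
        DIRECTORY.add(user_id)          # directory record only on authorisation
        # user ID and password go out in two separate mails
        OUTBOX.append((rec["email"], "Your user ID", f"Your user ID is {user_id}"))
        OUTBOX.append((rec["email"], "Your temporary password",
                       f"{password} (you must change it at first login)"))
    else:  # delete: deactivate and drop from the directory; the IAM record stays for audit
        rec["active"] = False
        DIRECTORY.discard(user_id)
    _audit(authoriser, f"{req['kind']}_authorised", request=req_id, user=user_id)
    return rec


if __name__ == "__main__":
    alice, bob = Admin("alice", "acme"), Admin("bob", "acme")
    rid = request_create(alice, "jsmith", "jsmith@example.com", "acme")
    print("pending for bob:", pending_for(bob))
    authorise(bob, rid)
    print(IAM_DB["jsmith"]["active"], sorted(DIRECTORY), [m[1] for m in OUTBOX])
```

Two design points worth noting. The audit entry is written inside the same function that changes state, so there is no path that activates a user or touches the directory without a log line; and the organisation check is a single helper used by every screen, which is what makes the delegated-administration story hold up across search, view, create, delete and the authoriser's queue. In a real deployment the `OUTBOX` writes would be two distinct SMTP sends, and the hash would be stored by whatever your directory or IAM database uses, not kept in the record dictionary.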
Protected Applications and Associated Systems:
You will need to define a set of protected applications and associated
systems, and provide maintenance screens for these. Protected applications
are web applications that need to be hooked into the Access Management
side of IAM through interceptors. Associated systems are applications that
maintain user data and need to be hooked into the Identity Management
side of IAM through user event listeners. A business application could be
both a Protected Application and an Associated System, so you may need to
provision it as both.
[47] Security folk don't like to see both user ID and password in the same email.
[48] They may also be encouraged or forced to set two or three security questions (e.g.,
"What is your mother's maiden name?") on their first login to assist with password
self-service afterwards. This is an extension to the CAS login screen.