Omni eControl

eControl 2.x for Mixed Networks
Web-based, “ZERO-Rights” User Account Management,
Identity Administration and User Provisioning
and
EMU for eDirectory and GroupWise
Bulk User Management
Aldo Zanoni
B.Ed, B.A., MCNI, MCNE, MCP
CEO, Managing Director
Omni Technology Solutions Inc.
[email protected]
Agenda
1. Welcome and Introduction
2. What is eControl? What Pain Does it Relieve?
3. Is eControl Right for You? 10 Key Questions
4. Why Companies Need / Buy eControl
5. eControl Modules
6. Future of eControl
7. EMU – Bulk User Management
8. Questions and Answers
9. Appendix: Screenshots
What is eControl?
eControl is a web-based, “ZERO-Rights” enterprise
user account management and provisioning tool for
users of Novell eDirectory, GroupWise and NetMail;
and Microsoft Active Directory and Exchange systems.
eControl delivers an immediate return on investment
by enabling an enterprise to efficiently, securely and
inexpensively implement user account management
and provisioning services across multiple and mixed
network operating systems and e-mail systems.
eControl
eControl relieves the pain caused by using multiple
applications to manage mixed and multiple Novell
eDirectory, Microsoft Active Directory, Novell NetMail,
Novell GroupWise and Microsoft Exchange systems.
Who are the Identity Management Players?
The many large and small players include:
– IBM (Tivoli Identity Manager and Access Manager)
– CA (Entrust)
– Novell (Identity Manager 3)
– Microsoft (Identity Integration Server)
– Oracle (Identity Management)
– HP, RSA, SUN …
– Avatier
– BMC Software
– M-Tech
Where does eControl Fit?
eControl can be deployed as part of a
comprehensive identity management strategy that
includes different components of:
– Directory synchronization
– Federated identity management
– Meta directory
– User Self-service
– Single sign-on
– Biometric and other user authentication
Is eControl Right for You?
1. Is your Help Desk or IT department often the
bottleneck in your user account management and
provisioning process?
2. Do your Help Desk operators have more rights than
they should on your network because they need to
carry out certain account management tasks?
3. Does your account management and provisioning
process comply with internal or SOX regulatory
security, privacy and audit report requirements?
4. Are you running GroupWise on Windows or
Exchange with eDirectory and/or multiple eDirectory
and Active Directory environments?
5. Does your Help Desk need to run multiple user
account management tools?
Is eControl Right for You?
6. Have department mergers or corporate acquisitions made
your user account creation and management tasks
cumbersome and complex?
7. Are costs increasing and productivity decreasing due to the
time required to train new Help Desk Operators how to use a
combination of ConsoleOne, NWAdmin, iManager,
Microsoft Management Console or custom Task Pads?
8. Terrified about the consequences of a Help Desk Operator or
junior administrator hitting the delete key on the wrong
object or accessing information outside their realm of
account management responsibility?
9. Need to deploy user password self-service or user self-service
for GroupWise or in a multiple or mixed eDirectory,
GroupWise, Active Directory or Exchange environment?
10. Are you being asked to manage and integrate more
complex systems with fewer resources?
Why Companies Buy eControl
eControl is a non-invasive solution that delivers very
specific and easily deployed user account
management and access control pain relief.
Companies are finding that achieving the “Holy Grail”
of fully automated identity management and account
provisioning services is much more complex and time
consuming than expected.
This difficulty is caused by the systemic complexity
created by the multitude of access roles and rules that
need to be defined in multiple operating systems in
order to automatically manage access rights as
employees change positions or move in and out of the
company.
Why Companies Buy eControl
With eControl, we started with what we knew best –
Novell eDirectory and GroupWise – and allowed our
customers’ needs to shape the evolution of eControl’s
features, modules and additional operating system
support.
eControl brings a large piece of the identity and user
access management puzzle to the table. In many
cases, it is the only piece that a company requires.
Why Companies Buy eControl
eControl delivers web-based, “ZERO-Rights” user
account access administration and provisioning. It
allows the IT manager and the security administrator to
determine who can carry out what user account
management tasks against which accounts.
eControl allows the CIO and IT department to focus on
contributing to the company’s high-value business
processes rather than having to be concerned with the
administration of user access rights across multiple
systems and related security issues.
Why Companies Buy eControl
eControl appeals to different business units and
levels of decision making and budget authority
because of intersecting and complementary objectives:
– CIOs look to improve the efficiency of IT staff allocation and
allow highly-trained, scarce resources to focus on delivering
business value through IT integration initiatives.
– Business unit managers look to increase user productivity
and time effective user management change.
– CFOs look to implement cost containment strategies.
– CSOs are required to satisfy legislative or internal user account
management and data access security requirements.
Why Companies Need eControl
Help desk managers need eControl because it:
– Delivers immediacy of response and increased efficiency
dealing with user change and account modification requests
– Delivers a common, intuitive user interface to manage users
across multiple and mixed operating systems
– Provides granular control over who can carry out what user
account administration tasks
– Requires approximately 15 minutes to train new help desk
operators or junior administrators
– Takes THREE hours to completely install, configure and
integrate
Why Companies Need eControl
Business unit managers need eControl because it:
– Allows user account administration to be decentralized to
department managers when appropriate thereby delivering
department-based administration and more timely account
change management
– Delivers granular control to those people within the department
who should be able to control application processes
– Provides increased productivity by delivering timely access to
user account change requests
Why Companies Need eControl
CSOs or security administrators need eControl
because:
– They are responsible to ensure internal and external information
and security compliance requirements are satisfied
– eControl allows the removal of all trustee assignments,
system rights, permissions and related user account access
rights from the native operating systems
– In most environments, there is a certain measure of “trust” that
exists. Completely removing trustee assignments and
permissions from user account managers precludes the need for
this “trust” to exist. eControl allows the CSO to have 100%
control over the security failure points on the system
– It provides a complete audit log of all transactions that occur in
eControl for everything from password changes to adding or
removing a user from a group
Why Companies Need eControl
CFOs or budget administrators need eControl
because:
– As an enterprise grows, eControl allows the enterprise not to
have to increase the number of people who need to be hired to
carry out user management tasks (cost avoidance)
– eControl delivers significant cost reduction by making it simple
for non-technical (less expensive) clerical staff to be assigned
user account provisioning and administration tasks
– User self-service significantly decreases costs related to the
number of password change and demographic change requests
that would otherwise need to flow through a help desk
environment
Why Companies Need eControl
Human resource managers need eControl because:
– It puts account provisioning and deprovisioning back into the
hands of HR staff without any associated security risks
– Who other than a senior HR staff member should be involved in
disabling the accounts of users in a department that is being
investigated?
– eControl can remove account enabling and disabling
responsibility from the IT department and return it to HR
Why Companies Need eControl
eControl enhances compliance with HIPAA, Sarbanes-Oxley and other security and privacy legislation through
increased security and controls in the following areas:
– Authentication and Authorization: All system rights are removed from all accounts
and replaced with explicit task assignments based on group membership.
– Configuration and Change Management: Only those users who have been
authorized to carry out user configuration and changes are able to do so. All changes
made by administrators in the eControl administration and configuration application
are tracked and can be made available for audit. A record of all administration
changes that are made is maintained so the state of eControl at any previous time can
be determined.
– Segregation of Duties: eControl can be configured to ensure that no single person
has rights to carry out access management and be responsible for auditing, initiating
or approving incompatible activities in those systems.
– Documentation and Reporting: eControl's audit log and tracking strategies provide
support for appropriate reporting on each participant's role and activities in the user
management and account provisioning process. eControl keeps track of who did
what, when. (See Sample Log.) Future enhancements to eControl will allow for
non-technical resources and auditors to run web-based, ZERO-Rights audit reports to
support Sarbanes-Oxley and other reporting requirements.
Sample Account Change Log File
Date; Numeric Action Id; Action Description; Status; Source; Login Account; Parameter(s);;; Module
2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:42 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011;Group Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052;Email Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:53:35 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:56:24 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 10:19:54 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
2/2/2006 10:20:01 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:11 AM;1022;GW Distribution List Membership Added;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;29D3B710-04E6-0000-9040-1F00DA008A00 2DB3B060-04E6-0000-9040-1F00DA008A00 30187B60-04E6-0000-9040-1F00DA008A00 328B9E40-04E6-0000-9040-1F00DA008A00 349A8110-04E6-0000-9040-1F00DA008A00;HelpDesk
2/2/2006 10:20:12 AM;1021;GW Distribution List Membership Viewed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:31 AM;10;Authentication Attempt;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 1:06:28 PM;10;Authentication Attempt;False;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;Global
2/2/2006 1:06:35 PM;10;Authentication Attempt;True;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
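Reviewing a log in this format, as an added example (not Omni's code or part of the original slides): the Python below parses the semicolon-delimited records and reports failed authentications plus change actions where the operator and the target account sit in different organizations. The cross-organization rule, the month/day date order and all function names are assumptions made for illustration; the four records are taken from the sample above, with the GUID list shortened to one entry.

```python
from datetime import datetime
from typing import NamedTuple

# Records from the sample log above, one per line (GUID list shortened).
SAMPLE = """\
2/2/2006 9:53:00 AM;1051;Directory Password Changed;True;10.10.2.21; LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME; LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:11 AM;1022;GW Distribution List Membership Added;True;10.10.2.21; LDAP://10.10.2.16:389/cn=Stephane,o=DEV; LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;29D3B710-04E6-0000-9040-1F00DA008A00;HelpDesk
2/2/2006 1:06:28 PM;10;Authentication Attempt;False;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;Global
2/2/2006 1:06:35 PM;10;Authentication Attempt;True;10.10.2.7; LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
"""

AUTH_ID = 10                      # "Authentication Attempt" in the sample
CHANGE_IDS = {1022, 1051, 1052}   # the change actions that appear in the sample


class Record(NamedTuple):
    when: datetime
    action_id: int
    action: str
    ok: bool
    source: str
    operator: str   # DN of the logged-in account
    params: list    # target DN first, then any extra values
    module: str


def dn(ldap_url):
    """'LDAP://host:port/cn=..,o=..' -> 'cn=..,o=..' ('' for an empty field)."""
    return ldap_url.strip().split("/", 3)[-1]


def parse(line):
    f = line.rstrip("\n").split(";")
    # Six fixed leading fields and the module last; whatever lies between
    # is the parameter list (the header and the records differ in slot count).
    when = datetime.strptime(f[0], "%m/%d/%Y %I:%M:%S %p")  # assumed m/d/Y
    return Record(when, int(f[1]), f[2], f[3] == "True", f[4].strip(),
                  dn(f[5]), [p.strip() for p in f[6:-1]], f[-1].strip())


def org(distinguished_name):
    """Top-level container, e.g. 'o=acme' (last RDN, lower-cased)."""
    return distinguished_name.rsplit(",", 1)[-1].lower()


def review(text):
    """Return (finding, operator, detail) tuples in log order."""
    findings = []
    for r in map(parse, filter(None, text.splitlines())):
        if r.action_id == AUTH_ID and not r.ok:
            findings.append(("failed-auth", r.operator, r.source))
        elif r.action_id in CHANGE_IDS:
            target = dn(r.params[0])
            if org(r.operator) != org(target):   # assumed review rule
                findings.append(("cross-org-change", r.operator, target))
    return findings
```
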
eControl History
EMU
– Windows application for bulk user import and management for eDirectory and GroupWise
– Requires full rights
– Requires Novell Client and GroupWise Client
– No customization options
HDU
– Windows-based user account management for eDirectory and GroupWise
– Requires full rights
– Requires Novell Client and GroupWise Client
– Customizable interface to restrict user account management tasks
eControl
– Web-based user account management for mixed eDirectory, GroupWise, Active Directory and Exchange systems
– “ZERO Rights”
– No Client required
– Full customization, multiple modules and cross-platform support
eControl
eControl – HD, USS, AC, CL, SOX
[Architecture diagram. Labels: Browser; Web-based Modules 1 to 5; Proxy Service; eDirectory: LDAP and native APIs; NetMail: LDAP; Active Directory and Exchange: LDAP and native APIs; GroupWise: Win32 APIs]
“ZERO-Rights” Modules
1. Help Desk User Management (HD) – Provides Help Desk
Operators with the ability to carry out the “TOP TEN” user
administration tasks – in a web browser. NO rights required!
2. User Self-Service / Self-Administration (USS) – Allows
you to set which user fields can be updated or modified by a
user in the web interface
3. Account Create / Manager (AC) – Allows HDOs to create
users based on eControl profiles and Account Create
templates
4. Contact Lookup (CL)* – Allows users to retrieve configured
information from eDirectory (phone numbers, etc.)
5. Sarbanes-Oxley Reporting (SOX)* – Allows “ZERO Rights”
web-based access to security and audit reports by non-technical staff
*Version 3
Help Desk User Management Module
Controlled and restricted interface for Help Desk
Operators and junior administrators
Allows for delegation of standard tier-one Help Desk
operations to non-technical personnel without
jeopardizing system security
Real-time user account management changes
Benefit from significant time and cost savings in training
non-technical staff how to use eControl. 15 minutes to
train a new Help Desk staff member!
HD User Account Management Tasks
eDirectory and GroupWise
1. Manage Account Password and Strong Password
2. Manage GroupWise Password and Strong Password
3. Enable / Disable User Accounts
4. Manage Group Memberships
5. Manage Organizational Roles
6. Set Password Restrictions
7. Release Intruder Lockout
8. Create User Identification Information
9. Manage Login Information (Login Script and Profile)
10. Manage Login Restrictions
11. Manage GroupWise Distribution Lists
12. Manage GroupWise Options (Visibility, Expiration Date)
13. Manage NetMail Account Status
Active Directory and Exchange
1. Manage Account Password and Strong Password
2. Enable / Disable User Accounts
3. Manage Group Memberships
4. Manage Exchange Mail Groups
5. Release Intruder Lockout
6. Create User Identification Information
7. Manage Account Expiration Date
Account Create Module Tasks
Provision accounts based on eControl Account
Create wizard linked to eDirectory / Active Directory
profiles (e.g., home directory, group memberships,
email account and all other account information)
Customizable user-required fields (e.g., first name,
last name, middle initial, phone number, department,
mobile number, etc.)
Creates user name based on specified naming
convention and requires name to be unique across all
configured systems
User Self-Service Module Tasks
Subscribe / Unsubscribe from email distribution lists
and groups
Select challenge-response phrases and provide
answers to enable web-based, “forgot my password”
management
Update eDirectory fields, including extended schema
values, that have been enabled by the Administrator
(e.g., mobile number, pager, etc.)
Hardware / Software Requirements
• Windows 2000 or 2003 with IIS 5 or 6
• MSSQL for audit trail archiving
• Security certificate for SSL
• Microsoft Message Queuing (MSMQ)
• Novell NetWare Client 4.9*
• Novell GroupWise 5.x or 6.x Client*
• MSSQL or Schema Extension to provide “forgot my password” self-service
• Novell NetWare*, OES*, SUSE Linux*, Windows
• NDS Version 8.5 or any version of eDirectory
• Any version of Active Directory
* Target system specific
The Future of eControl
CURRENT SUPPORT
• Novell eDirectory
• Novell GroupWise
• Novell NetMail
• Microsoft Active Directory
• Microsoft Exchange
FUTURE INTEGRATION
• Microsoft NT Domains
• Lotus Notes
• Open LDAP
• SQL/MySQL
• Custom Applications (Ricoh)
eControl Demonstration
visit www.omni-ts.com for more information about eControl
Trends that will Drive the Future of eControl
eControl’s support for additional operating systems and
features will be driven by our customers’ and partners’
needs. The trends we see are:
– Consolidation to larger data centers
– Move to open source and open standards software model
– Increased use of heterogeneous systems that provide line of business
specific applications that will require IDM and access control
integration
– Increasing acquisitions and consolidations that bring together
systems that need to peacefully co-exist and/or be properly managed
during the transition period
– Increased need to provide real-time user provisioning, account
enabling and account change management
– Decentralization of user account management to those people who
need to manage their own resources (personnel and application
access)
– Increased regulatory and internal security compliance requirements
Use EMU to:
– Improve your Return on Investment in large
Novell® networks
– Better manage large Netware, NDS/eDirectory®,
NetMail® and/or GroupWise® Networks
– Create, manage, import or modify tens, hundreds
and thousands of accounts
– Manage more accounts with fewer resources, in
less time, with less stress
– Update tens, hundreds or thousands of telephone
numbers (or other standard or extended schema
values) with a few clicks of a mouse
EMU Features
– Move user home directories to other volumes - keep Trustee Assignments,
File Ownership and Disk Restriction information
– Check for duplicate user names in specific containers (or the entire tree)
before creating user IDs
– Enhanced ability to modify users based on the contents of a text file
– Identify/select/modify/delete accounts based on last login time, number of
days since last login time, never logged in, not used in X days, etc.
– Bulk modify user properties based on Group Membership
– Add and delete Group Membership at the same time
– Bulk modify GroupWise visibility
– Bulk modify GroupWise and NDS passwords
– Create GroupWise users for existing NDS users
EMU Demonstration
Simply the easiest, quickest and most efficient way to distribute bulk user
management of eDirectory and GroupWise account information.
Worldwide Distribution Channel
Question and Answers
visit www.omni-ts.com for more information about eControl and EMU
Appendix - Screenshots
Help Desk Operator Tasks
1. Active Directory Group Membership
2. eDirectory Group Membership
3. eDirectory Restricted Tasks
4. eDirectory All Tasks
5. Change eDirectory Password
6. Manage GroupWise Distribution List
7. Set eDirectory Password Restrictions
8. Set Active Directory Identification
9. Set eDirectory Identification
10. Account Create
System Configuration
1. System Configuration
2. Search Context Configuration
3. Account Create Configuration
4. Add Group to a Task
5. Configure Forgot Password Questions
Active Directory Group Membership
eDirectory Group Membership
eDirectory Restricted Tasks
eDirectory All Tasks
Change eDirectory Password
Manage GroupWise Distribution List
eDirectory Password Restrictions
Active Directory Identification
eDirectory Identification
eDirectory User Self-Administration
Account Create
Administration – System Configuration
Search Context Configuration
Account Create Configuration
Add Group to Task
Forgot Password
Thank you
eControl for Mixed Networks
Web-based, “ZERO-Rights” User Account Management,
Identity Administration and User Provisioning
Aldo Zanoni
B.Ed, B.A., MCNI, MCNE, MCP
CEO, Managing Director
Omni Technology Solutions Inc.
1.780.423.4200 Ext. 232
[email protected]