Entitlement Management Automation


Entitlement management processes can be automated by importing the organization and user information from source systems and exporting the entitlement changes done in the IdM system to target systems without manual intervention.

Source systems provide basic data about organizations and persons for the use of other systems, including entitlement management. For internal users the source system is often an HR application; for external users it is typically a CRM system or similar. If the organization has no suitable master system for source data, the data can also be maintained in the entitlement management system itself.

The target of the entitlement management system is to generate the entitlements that a user needs in their business roles. This is carried out based on the imported source information and through the entitlement request and approval process. The entitlement information is then provisioned to the data storage used by the target applications. This way the user's access to target systems, and their authorizations within those systems, correspond to the entitlements granted in the entitlement management system.

The number of target systems can vary from a few applications to several dozen. Before starting the automation of the provisioning process, it is necessary to analyze the situation and define the priority of each target application.

Entitlement Enforcement Models

An entitlement change can be enforced in a target system with the following methods:

  • manual configuration
  • automatic provisioning
  • dynamic authorization

Manual Configuration

The manual configuration method can be seen as a semi-automatic solution: the changes done in the entitlement management system can launch a request to do the corresponding configuration in the target system manually. The entitlement management system sends an email to configured recipients with a notification to implement the entitlement update in the target system. Recipients can be, for example, administrators of the target system or the relevant service desk.

Automatic Provisioning

In the automatic provisioning method the entitlement information is automatically exported for the target system. The changes caused by the request and approval process are transferred either to the target application or to a data storage that the target application uses as a user and permission directory. Every time entitlement changes for a user are made in the entitlement management system, the changes are provisioned for the use of the target application.

Dynamic Authorization

In the dynamic authorization method the target application requests the essential information from the entitlement management system at run time. Every time a user wants to start a function in the target application, the application checks against the centralized RM5 IdM entitlement data storage whether the user has entitlements for that particular function and the related data.
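The three enforcement models above, as an added example that is not RM5 IdM's own code: a small in-memory entitlement store stands in for the IdM data storage, automatic provisioning is computed as a diff between the desired entitlements and a target system's current state, manual configuration renders that same diff as a notification, and dynamic authorization is a deny-by-default run-time lookup. All user, system and entitlement names are constructed.

```python
# Constructed sample data: entitlements decided in the IdM (imported business
# roles plus approved requests), keyed by user, then by target system.
DESIRED = {
    "alice": {"erp": {"invoice.read", "invoice.approve"}, "crm": {"contact.read"}},
    "bob": {"erp": {"invoice.read"}},
}
# Constructed sample data: what one target system actually holds right now.
# "carol" exists in the target but is unknown to the IdM (an orphan account).
TARGET_STATE = {
    "erp": {
        "alice": {"invoice.read"},
        "bob": {"invoice.read", "invoice.approve"},
        "carol": {"invoice.read"},
    },
}


def provisioning_plan(target, desired, target_state):
    """Automatic provisioning: compare desired vs. actual entitlements for one
    target and return (action, user, entitlement) tuples. Accounts the IdM does
    not know about are revoked, so the target never keeps stale access."""
    actual = target_state.get(target, {})
    users = set(actual) | {u for u, systems in desired.items() if target in systems}
    plan = []
    for user in sorted(users):
        want = desired.get(user, {}).get(target, set())
        have = actual.get(user, set())
        plan.extend(("grant", user, ent) for ent in sorted(want - have))
        plan.extend(("revoke", user, ent) for ent in sorted(have - want))
    return plan


def manual_ticket(target, plan, recipients):
    """Manual configuration: the same change set rendered as a notification for
    the target's administrators or service desk to apply by hand."""
    body = "\n".join(f"{action.upper()} {ent} for {user}" for action, user, ent in plan)
    return {"to": list(recipients), "subject": f"Entitlement changes for {target}", "body": body}


def is_authorized(user, target, function, store=DESIRED):
    """Dynamic authorization: the application asks the central store at run
    time. Unknown users, targets or functions are denied (deny by default)."""
    return function in store.get(user, {}).get(target, set())
```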

Selecting the Entitlement Enforcement Method

When selecting the enforcement method for a particular target application, the number of entitlement changes and the cost of automation have to be analyzed. If entitlement changes are few, then the cost of implementing automatic provisioning might be disproportionate to the benefits of automation.

With modern applications the dynamic authorization method is often the best and most cost-effective.

In new application development, the application specific identity and authorization management can be externalized from the application code to the centralized entitlement management service. This standardizes the application logic, removes duplicate code and improves application quality.