Monday 11 September 2017

Delegated Administration and ForgeRock Identity Management

What is Delegated Administration?
Through delegation of administration, a directory or application services infrastructure such as ForgeRock Identity Management can be designed to span multiple and/or non-structured organizations that have unique management requirements. In particular, delegating administration of resources can help organizations meet specific requirements for structural and operational independence.

Why do people need Delegated Administration?
People generally look to delegate administration (in part or in full) for three reasons:
  1. Organizational Structure: Understanding and control over resources are bound to a structure defined by an organization. They need the ability to participate in shared resources, while still maintaining independence in the decision-making process.
  2. Legal Requirements: Configuring and maintaining the ability to operate in a manner consistent with regulatory (or other legal) requirements that may restrict access or activity (government, defense or financial institutions, for example).
  3. Operational Requirements: Today's applications and services leverage structured constraints based on metadata (attributes) for configuration, availability or security. This is not uncommon in hosting or outward-facing scenarios.

Foundational components providing Delegated Administration
  1. Organizational Units: Provide a way to scope and group objects
    1. Managed Objects (including roles, users, orgs, devices)
    2. Policies (password policies)
    3. Connectors
    4. Workflows (associate workflows to organizations)
  2. Authorization Layer: Granular entitlements governing what can be done through the RESTful layer, and on which objects and organizations
  3. Ability to group entitlements into assignable Administrative Roles

What do people do in OpenIDM today?

Today, there is no formal model for delegated administration; however, users can define their own model and methods to accomplish basic delegation tasks. This is often unsupported (custom code) and not repeatable, making any “extended” or “custom endpoint” solution untenable in the long run.

Ref: Blog post from Simon Moffat

A better solution

With the addition of Hub City Media’s IDA module, delegated administration capabilities are provided by ForgeRock Identity Management and previous versions of OpenIDM (4.x) in a seamless and intuitive way. It allows administrators to deploy in such a way that administrative tasks can be fully delegated based upon a set of predefined conditions and attribute values.

Installation of Hub City Media’s IDA is simple and straightforward. The IDM administrator runs an installation script on a single or clustered IDM server and the installer handles deploying the required endpoints and user interface.

Once installed, the IDA administrative role can be assigned to a user responsible for configuring the system. Configuration involves creating Delegated Administration Policies that control who the delegated administrators are, who they can administer, and what specific operations are allowed.

Delegated Administration Policies

The power of IDA is in the policy framework. Clients can implement multiple Delegated Administration Policies to satisfy various requirements from the same system. Delegated Administration Policies contain:
  1. A Source Rule: a boolean expression based on user and relationship attributes. Any user that matches the Source Rule is an administrator in this policy.
  2. A Target Rule: any user that matches the Target Rule can be administered by any user who matches the Source Rule.
  3. A Permissions Schema: defines which operations (create, delete, enable, disable) the administrator can perform on the target users and which identity data they can access. The permissions schema gives very fine-grained control over each field.

These policies are configured from the user interface and there is no coding required.
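To make the three parts of a Delegated Administration Policy concrete, here is an added illustration (not IDA's code or API, whose internals the post does not describe) of a deny-by-default evaluator: a Source Rule is a predicate on the administrator, a Target Rule is a predicate on the (administrator, target) pair so that relationship attributes such as "same organization" can be expressed, and the Permissions Schema is a set of operations plus the fields an update may touch. The user store, the policy names and the rule that writable fields are the union over all matching policies are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample user store (assumed for the example; not data from IDA or the post).
USERS: Dict[str, dict] = {
    "alice": {"uid": "alice", "org": "acme",   "roles": {"org-admin"}, "mail": "alice@example.com", "active": True},
    "bob":   {"uid": "bob",   "org": "acme",   "roles": set(),         "mail": "bob@example.com",   "active": True},
    "carol": {"uid": "carol", "org": "globex", "roles": set(),         "mail": "carol@example.com", "active": True},
    "erin":  {"uid": "erin",  "org": "globex", "roles": {"helpdesk"},  "mail": "erin@example.com",  "active": True},
}

SourceRule = Callable[[dict], bool]        # evaluated on the would-be administrator
TargetRule = Callable[[dict, dict], bool]  # evaluated on (administrator, target)


@dataclass(frozen=True)
class Policy:
    """One Delegated Administration Policy: source rule, target rule, permissions schema."""
    name: str
    source_rule: SourceRule
    target_rule: TargetRule
    operations: Set[str]        # operations the administrator may perform on matching targets
    writable_fields: Set[str]   # fields an "update" may change; everything else is read-only


# Two hypothetical policies. Note that "roles" is never writable, so a delegated
# administrator cannot use an update to grant themselves or others more authority.
POLICIES: List[Policy] = [
    Policy(
        name="org-admin",
        source_rule=lambda admin: "org-admin" in admin["roles"],
        target_rule=lambda admin, target: target["org"] == admin["org"],   # relationship attribute
        operations={"enable", "disable", "update"},
        writable_fields={"mail", "active"},
    ),
    Policy(
        name="helpdesk",
        source_rule=lambda admin: "helpdesk" in admin["roles"],
        target_rule=lambda admin, target: target["active"],
        operations={"update"},
        writable_fields={"telephoneNumber"},
    ),
]


def matching_policies(admin: dict, target: dict, policies: List[Policy] = POLICIES) -> List[Policy]:
    """Policies whose Source Rule matches the admin AND whose Target Rule matches the target."""
    return [p for p in policies if p.source_rule(admin) and p.target_rule(admin, target)]


def is_allowed(admin_uid: str, target_uid: str, operation: str, policies: List[Policy] = POLICIES) -> bool:
    """Deny by default: the operation is allowed only if some matching policy grants it."""
    admin, target = USERS[admin_uid], USERS[target_uid]
    return any(operation in p.operations for p in matching_policies(admin, target, policies))


def authorize_update(admin_uid: str, target_uid: str, changes: dict,
                     policies: List[Policy] = POLICIES) -> Tuple[dict, Set[str]]:
    """Split a requested update into the fields the admin may change and the fields denied.

    A field is writable if any matching policy that grants "update" lists it (assumed
    combination rule). Unlisted fields are denied rather than silently written.
    """
    admin, target = USERS[admin_uid], USERS[target_uid]
    allowed_fields: Set[str] = set()
    for p in matching_policies(admin, target, policies):
        if "update" in p.operations:
            allowed_fields |= p.writable_fields
    permitted = {k: v for k, v in changes.items() if k in allowed_fields}
    denied = set(changes) - allowed_fields
    return permitted, denied


if __name__ == "__main__":
    print(is_allowed("alice", "bob", "disable"))    # same org, org-admin policy applies
    print(is_allowed("alice", "carol", "disable"))  # different org, no policy applies
    print(authorize_update("erin", "bob", {"telephoneNumber": "+1 555 0100", "mail": "b@example.com"}))
```

The useful property to check in any such evaluator is the deny path: an administrator whose Source Rule matches but whose Target Rule does not (alice against carol) gets nothing, and an update that mixes permitted and unpermitted fields is split so the caller can reject or log the denied part instead of applying it.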

User Interface and APIs

Once the policy is defined, authenticated users can access the IDA user interface and administer users based on those policies. The delegated administrator can only modify users they are allowed to, given the active policy, and they can only edit attributes defined in the policy.

Like other components of the ForgeRock Platform, HCM has exposed the functionality of IDA as a set of REST endpoints. If customers want to use their own UI, they can do so while still getting the benefit of IDA’s policy enforcement.


Thanks to its flexibility, ForgeRock Identity Management is the ideal component for solving complex identity management problems, whether external-facing or internal-facing. With the addition of Hub City Media’s IDA component on top of ForgeRock Identity Management, organizations can easily structure and administer a large number of identities and better adapt to internal organizational structures and legal requirements. Reach out to ForgeRock or Hub City Media to discuss how ForgeRock Identity Management and HCM IDA can be part of your Identity Management infrastructure, or to request a demonstration.
