All right. So I'm Ted Ernst. I'm the Product Manager for One Identity Manager. This is Dr. Stephan Hausman. What is your title, Stephan?
I'm a pre-sales engineer.
Pre-sales engineer. Matthias Bauer most of you know. Director of Engineering.
Try to lead the product development team for Identity Manager for a couple of years now. Do be careful.
A couple of years. A couple of decades. And Rob Byrne.
Yeah, I'm Rob. I'm in the Field Strategy team.
All right. So the first thing is just our general slide about all the things that Identity Manager can do from a high level standpoint. But the things we're mentioning today aren't on this chart. So we're going to start with the first thing-- recommendation and approval with Stephan. Is that--
Yeah, let me take that one. So Matthias mentioned before, we're doing recommendations in the roadmap slide deck. And what is recommendation used for? What is good for us? So we use recommendation to simplify or provide additional information for people who need to either request or to approve or certify something. And in the history of the product, we are using it basically using peer group analysis. That's like-- Matthias, like version 8? Something like that? Just starting version 8.
And that was used as a [? user. ?] We can do a thing later, but I'll just expand and we [? click ?] later. And we're using-- it if you do request, the question is always, what do I need? And then peer group analysis has been used to identify areas your colleagues have or request your colleagues might to give you an idea of what may be of interest for you. It's not the usual "I want to request something specifically amongst my peer group."
And then we had the peer group analysis also for approvals. So when you did the request there was an approval step saying, if your peer group has also this service item requested and got it approved, then there was a positive approval in there. And this could be used by the next approver to understand if it makes sense or not. It wasn't graphically [? nice ?] embedded. It was just an additional approval step.
And starting with version 9, we got a different approval step in the workflows that allows us to represent the thing in a very graphical way. So for the approvals you have a specific-- and that's what you need to do. You can't use the approval process you're doing today. You have to have a specific approval step in there. And then it will appear of course in the new web UI in the Angular portal.
And if we look at the screen-- so you see an approval. The approval is there, and on the right side you will see there's the recommendation. It's either green or red, and this is just a hint for you-- what the system says. And if you select the recommendation you get all the details why we recommend or we don't recommend that thing. That's based on 9.2, to be honest, so it's a brand new screenshot. And there's still one thing missing-- is what Matthias mentioned about behavior-driven governance. So that would also be included if things like that are relevant.
So that's one thing for the approvers. So when you request something-- can we just have the next screen? Thank you. That means you get an idea-- and that's the bar in the middle of the screen-- what your colleagues or your peer group has requested. That was already there in web design if I'm not mistaken.
And the last one is done for recertification or attestation. If we look at that again, you see on the right side a lot of green and a few red recommendations. And then, as Matthias said, you can automatically approve things that are recommended or you can use it as an additional information step. And if you select one of the recommendations-- one click please. Thank you-- then you get again the details why this has been recommended or not recommended. And that's how you can use the recommendation and the product today, and in 9.2, there's already additional features in there for usage. That's a [? recognition. ?]
Great.
Not so fast. Not so fast. Go back.
I'm there.
You got it, right? So I just got some comments on this from a value point of view, like, what's this good for? So think about it this way as well. A lot of times we have the comments like-- think about usability as a security issue, right? What do I mean by that? If an approver or an attester in an identity governance platform is going to click yes, this is OK, then he's taking that responsibility to say this access is valid. It's good. It still makes business sense. It means an awful lot.
And bad user experience is actually a security risk for that reason, right? If he doesn't understand what he's looking at and he's clicking yes, this is OK-- because honestly in brackets I don't really know what it means, then that is a security issue. It's not just, oh, there's a few less clicks, or it looks nice. Wow, it's all green and red.
And look at this. I've got an insight here. Based on analysis, it is recommended you deny this request. That's an identity access insight that you've got there. And we're trying to make their jobs easier, right? So now he's not only got a button that says, the system is telling you this looks kind of normal, or actually, this doesn't look normal at all, but it's telling you why and what's behind it.
Now how many people think that you need a neural network to figure out these risk indicators here? You're not going to put your hand up. Nobody ever puts their hands up. But in your own little head, you think about whether your hand is going up or not. You do not need a neural network to compute these. And the first rule in machine learning is if there's an easier way to do it, do it the easy way. Don't just use machine learning because your boss thinks it's a really good thing.
If I'm not mistaken, Matthias, these are all SQL-based queries. Calculations of that nature.
To be honest, it's a mix. But most of the stuff is really just using the data that's there with simple SQL in the end. There is some more stuff behind in some area, but it's not really that relevant.
Right. So thanks. Of course he's got the details. But the point is-- and guys, don't get me wrong. Machine learning is the single most important innovation in computer science since copy-paste, because honestly, we've not been doing a lot in the last 20 years, right? So I'm a big supporter. We need to use it. We are using it. I'll bring it up later where we do explicitly use it. But here we're using pertinent identity analytics insights. Why? To make the user experience easier.
And that's what these guys have been working on with [INAUDIBLE] and Rusty Smith and those guys in the Whisper Suite. This is where we're going. So that's the background to this thing. And we need to talk more about this stuff and we want to see more and more you guys building real use cases with this stuff and demonstrating usability around these processes.
Yeah, and I want to add something to it also. Just because somebody says the user [? word ?] analytics doesn't mean there's value to it. Analytics is a tool, and so is heuristic. So are other just basic-- well, just use your common sense. And that's what we're trying to do is we're trying to solve problems. We don't care how it is. If it's ML, AI, we don't care. We don't care if it's just doing a simple SQL query. Whatever will do the job. But saying "analytics" is not the answer.
If I would do my job as a developer right, I would have used wild ML algorithms and show real spline charts and stuff here that nobody can use just because I'm a techie. But luckily enough, we have a PM who is driving me. No, just make stuff that is helping people making the right decisions. And I think that's what it comes down to.
All right. Very good. OK, where are we now? Interaction through Teams or Slack.
I can do that if you want to. I mentioned it shortly in the presentation of the roadmap and state of the art where we are. This is coming from our Starling Development Group. They decided to implement-- I would call it just notification service. Got called Cloud Assistant. It's for our customers free of charge. You just have to register to our Starling Cloud application, and then you get it for free.
And basically it allows you to send adaptive cards to a Teams bot/ a Slack bot at the moment, and we ship with some adaptive cards. And my colleague [? Marcus ?] did a great job here. Here you see a request. Also approval thing. And you can validate, you can set a reason, you can do a lot more, and then you can submit it. And you see the history. [? That's ?] all you can see in that adaptive card in Teams or Slack. You can make your decision.
And you even implement the full infrastructure around it. So you can create your own adaptive card, upload them to our database in a library. And instead of sending emails, you can send-- or either instead of or in addition to our traditional email notifications, you can send now any kind of notification through Cloud Assistant to Teams or Slack.
And I think this is a pretty good thing because I don't know who is not using Teams or Slack, meanwhile, as communication platform in the company. I guess we are close to 95% or 98% that are using either Teams or Slack these days.
Yeah.
Yeah, you're just talking, [? Giovanni. ?]
Yeah. And I think there is another slide for attestation as well, I guess. Or including SoD. So even if you have SoD violations, you can see the details of the SoD violations. If you click forward there should be another picture with it. And you can even localize it in the languages you need. So this is all built in and available since 9.0. So this is not 9.2 or something, so this is really since 9.0.
All right.
I have a question. I have a question.
You have a question for us?
Well, maybe for them. How many people would like to redevelop all of this really great functionality-- full control over your approval in your-- you'd like to redevelop it? You want to redevelop it? OK, how many people in the room who are actually saying we'd like to redevelop this capability-- [? Henrik, ?] why do you need to redevelop it?
To make it better.
You want to make it better? OK, you want to improve it. So it's already really good, but you just want to make it better. OK. How many people would like to redevelop it in ServiceNow? Do you want to spend money on that when you've already got it in one of your favorite, most widely, globally deployed business channels for your approvals? Do you really want to redevelop it in ServiceNow?
Now, don't get me wrong. I know that we've all got these strategic initiatives and ServiceNow is the place to go, and you will go to ServiceNow. But honestly, if the business really cares about business agility, are you really going to force people to log into those things when they've got a channel open on their phone? They're standing in the airport and they've got that channel there, and they can do all of that stuff with all of the information?
I'm just saying, if you don't like that UI and you don't like that UI, how are you with Teams? Yeah, I do use Teams. You can get it right there. You never even have to log in as an approver or attester to any of those UIs. So that's where if you're in conversations or [? you're a ?] customer are thinking about this, it's the way my business users are not going to have to log into that old portal over there or that crappy thing there. They can just receive it straight into where they are working all the time.
So this is bang in with Microsoft's whole approach of trying to keep you in their interfaces, right? Not that I'm particularly supporting that, but I'm just saying that's where we find ourselves a lot of the time. That's the value here of this. So again, just to restate it and reframe it, it's not just the capability. It's actually a business enabler. So that's my point.
And if you compare it to the previous Starling communicator we had, this is much more information and so it's a really good implementation. All right.
Question. Is it customizable?
Yes.
[? So the ?] One Identity [INAUDIBLE], can you put my name on it or whatever?
This is just an adaptive card that is stored in Identity Manager, and you can replace it with any adaptive card you want to create.
And the editor for that is actually on the Microsoft side, so you can copy what we have in Identity Manager, bring that to the Microsoft as a UI designer on the Microsoft side. You can use that and bring it back to Identity Manager. That's how it's done. Very simple.
And the question was, can you customize it? So it's like Jeopardy. I asked the question last.
Does it work also for [INAUDIBLE] like [INAUDIBLE]?
It works for any kind of notification you want to do in Identity Manager. Wherever we send mail, like in the approval workflows where you have the [? Send ?] Mail, you can add an adaptive card there and it will just send the adaptive card.
And actually for the attestation, there's a default adaptive card already available. So we have it for approvals and for attestations. Any further questions on the topic? OK.
In the back, but that will be hard to understand.
[? We probably ?] should have brought a microphone.
[INAUDIBLE] What if [INAUDIBLE] gets, let's say, 100 [? approval requests ?] [INAUDIBLE]?
I would think about a different solution and probably would send an adaptive card that's just forwarding you to the website.
So the question was, what if an approver gets a hundred approvals?
That's what we're doing today already when we have a config [? part ?] for the mail sent algorithm to say, OK send single emails, or send one day or twice per day a notification. Hey, you have 20 approvals to do. Here's the link to the website. You can put that in an adaptive card and then the adaptive [? card to ?] Teams, and they can click within Teams to the website. That's what would be my recommendation without further thinking about it.
But technically it would work. You can send hundreds of adaptive cards through the channel, and then you have to work on each adaptive card individually. It's a bit cumbersome, but technically it would work. Depends how you like it or your employees like it.
So what you could do is you can get [? Henrik ?] to write a bot that sits on top and processes them all for you. And any that are recommended green, it improves them automatically. So just have a chat with [? Henrik ?] afterwards. There's some work for you.
There was a question over there.
[? Hi. ?]
[INAUDIBLE] all communication [INAUDIBLE] just [INAUDIBLE].
What [? was-- ?]
[INAUDIBLE]
Get the mic guy, please.
Do you have to connect to any on-prem when you approve this? You can be on a device outside?
It's a pure notification channel between Starling, and it's all HTTP and there is nothing weird.
Nothing back to the [INAUDIBLE].
All right, we're seven minutes in. No, we're 17 minutes into this [? and ?] we've done two topics.
So we're going now to Ted's favorite topic, which is risk scoring?
Risk scoring, yes. We mentioned that before-- being able to a specific risk score on an entitlement, on-- you can't do it on a user, I think. They can trickle down to the user. But you can have it on different things. And so the risk score is then aggregated. It's computed. It can change over time based on things happening or based on things not happening. So if an attestation has not been performed or if it hasn't been approved in time, that risk score goes up and it can trickle down.
So anyway, this is another feature. And you can have policies driving off of these risk scores and other things. Any other comments?
Yeah. Maybe the screenshot you see is from 9.2, so heatmaps are back of course in 9.2. So you see the heatmaps. You will have more details on the heatmaps for the history of the risk score. And what you also get is the risk score and attestation. So that's what we already had in the Web Designer portal. But it's now of course also then available in 9.2 to show it here.
Rob, any comment?
Well I've just got one comment, and I can't help myself. Look at this. Natural language processing in Identity Manager. Thank you, Matthias. Look at this. Should the identity Stephan Hausman be assigned to the pre-sales primary department? Natural language. That's like NLP right there. Not really, but it's kind of what you want from NLP, right? It's in a human language now.
I don't know if you particularly like that style or not, or you prefer something more technical like-- I don't know. Personally at first, I didn't really buy into that. But actually now that I look at it and see it and think about it and think about usability, I think the natural language way of phrasing it is actually not a bad approach. I mean, it might not work for everybody's preference, but I think it's a good thing.
We've talked about that this week, matter of fact.
And if you don't like it, go down to the UX Whisper Suite and blame it to Rusty.
Absolutely.
If you like it, I'm happy.
All right.
OK, so the next topic is then role analyzing or role discovery and recommendations.
How many of you even realize this exists? The role analyzer? Like, three hands. OK, four or five. OK. But still, in a room this size, this many people. Tell us a little bit about it, Stephan.
Yeah, let's chat about it. So at the end of the day when we talk about role mining, you're looking at a matrix like we see there. Employees or other entities have permissions, entitlements, accounts. And you need to figure out what are the clusters of the entitlement distribution for that entity. And we have this-- I wouldn't say beautiful, but we have the tool Role Analyzer in the product. It may look a bit old fashioned, but it still does its job.
And what you do is you're building your mining roles, and the colors should indicate how that belongs together. So most people it's like the top role in red are getting all the entitlements marked as red. And then it's getting distributed on the hierarchical tree. [? You ?] see that? You see on top how the tool looks like. It's as I said beautiful. It's really beautiful materials. I love it.
And this is a separate executable, is that correct, Stephan? This is a separate executable?
Separate executable, yeah. Don't make any comments, please.
I think I know why this is taking too long. So anyway. Whatever.
Also you get to view which-- if you're selecting an identity, then which entitlements you get. So that's usually the use case you're talking about. And most of the time people are asking for, what can we do to bring information to our business unit? And they're not talking about role mining about everything. They're talking about, I have a department. I need to talk to the business responsible of that [? department-- ?] what we can cluster or bring together.
I've been doing role mining a long time ago. At the end of the day, what you need is a nice graphical representation so everyone in the business understands what belongs together or what doesn't belong together. And most people don't know that we have a report for that. So you don't have even to do role mining. If you know I want to have a look at a certain department, there's a report there where you select the employees and then it will give you a nice presentation-- graphical representation of what belongs together or not.
So on top you see the employees, on the left you see the entitlements, and then you get a nice view of where it would make sense to have a role defined. You don't even need to do role mining. I know it's a fancy topic, but I think if you have a nice graphical representation it's very easy to see what belongs together. The brain is much better than tooling, I would say.
I think this is probably the most powerful tool that people don't realize we have. I constantly hear about people saying, I wish we had this. Well, we do. We have pretty much-- it may not be called exactly what you're looking for, but this has a lot of power to it, and so please use it.
And bad news-- this is really using ML algorithms in the back end.
Say that again.
This is not only SQL or simple stuff. This is really ML algorithms implemented in the back end of that tool.
So you're saying if a partner-- let me rephrase what you're saying. So you're saying if there's a partner in the room filling in an RFP and the RFP says, does your recommended product use machine learning for entitlement recommendations, then the answer would be--
Yes.
Yes.
And you say it's bad news. OK, whatever.
And without lying.
Yeah, without any-- because actually what I'm seeing in RFPs these days is customers are getting very smart. They'll say, no, no, no. They started saying, that is not a SQL or some sort of-- it's real machine learning according to-- for example, look at the AI Act from Europe. They tell you what machine learning is, and if I'm not mistaken it's using unsupervised clustering mechanism techniques. They're well-known machine learning techniques, and it's all being used there. Yeah.
OK. Next topic then. Who wants to jump on that one? Rob?
Pricing.
Pricing.
I started. You can probably improve what I'm saying. This functionality has its 20th anniversary this year. This was implemented in 2003, and basically every item in the service catalog can have in the end three prices as we implemented it back then. But basically it means you can give-- anything a user can request, you can give a price. And based on that pricing, you can make decisions of course. And we can even drive algorithms that do a cost center back calculation per month or per whatever period to show your cost center owners in terms of IT cost what they have requested, what they are using, and how much license costs are related to it.
We call it the chargeback module. But basically really this was implemented 2003, and three prices was back then because there was a price that the IT department wanted to give the end users [? while ?] they are requesting, and that was the price they were charging the cost centers internally with. And one price was with the service provider they had.
So the service provider was accepting the chargeback information we gave them from their customer to the provider. And then the external price of the provider as well. So this was pretty complex, but you really can simply use it for adding price tags to everything you want to have requested by end users, and even do a cost center chargeback calculation and process automatically.
And this fits really nicely with our behavior-driven governance, which one of the advantages of that-- one of the values of that is for these cloud-based accounts that you're paying monthly for-- now before you even approve it you can see, hey, this guy is requesting whatever it is-- Salesforce or something, and it's going to cost me this much per month. Do I want to approve it or not? Or is there another way of doing it? All right.
And [? we ?] were also looking at license costs [? as ?] for Azure. So we know what kind of licenses have been assigned, what kind of licenses are available, and you can do similar things then around Azure. And we have reports that allow you to understand where the license is coming from, or if it's directly assigned or if it's coming from a group in Azure, which allows you to have a bit more control on the Azure side. Any comment on that?
No.
Any question?
Nope.
Good. Then the next one-- the solution accelerator.
Yeah, let me just [? talk to ?] this real quick. We mentioned it earlier that we're really starting to use our GitHub site-- more of a marketplace to have early releases. So we can release what we call solution accelerators. They're unsupported, we've done minimal testing, but we want to release features to our customers early so they can get a feel for them, give us their feedback. And we're not using you as QA. Trust me, that's not the goal. But it's to get your feedback so you don't have to wait till the next feature release. Which we're on an annual feature release cycle now, but still, that's a long time to wait sometimes.
So behavior-driven governance was done this way. We're going to be doing hopefully the SAP-BDG integration and a few other things that we had mentioned earlier. And so just get used to it that until we get our own marketplace, this is going to be the way we roll things out. Not everything, but certain items, especially things that our field develops. All right.
Yeah, one example, we choose from the GitHub is-- the integration is VeriClouds. So when someone changes his passwords or you define the password or you generate a password, [? that is ?] an example how to verify that with VeriClouds and make sure it's not compromised or things like that. So that's one of the examples. It's available there. You can download it from GitHub and integrate it with your Identity Manager.
And they're one of our partners, and so you can go purchase their service and it's really helpful. Yeah, Rob?
Well, just one comment on [? that. ?] So what you're looking at there is an integration of what's traditionally back end identity governance platform, but linking it straight into everything that's information about the dark web or all that modern cyber security stuff. It's just one example, right? So Rob [INAUDIBLE] there, my colleague in field strategy, is working with several of these technology partners to bring us more-- we like to be-- Identity Manager needs to be more on stage right up front and center, not in the chorus line at the back, right?
And the way we're doing that-- we're making and keeping it relevant to what's happening in modern trends in security-- is by connecting it with these things. SpyCloud is one of the latest ones that Rob's been looking at and talking to those guys. He's also talking with AuthMind for ITDR, as well as Sherlock, the Italian guys. So there's all kinds of those integrations like Ted was talking about with ITDR and so on, and we'll talk more about some of our other technology partnerships.
That's just one example that happens to be on GitHub. Not all of those are on GitHub. But the idea of doing that is part of the value that we need to be selling as identity people within our organizations to keep us relevant and to explain the importance of identity to securing the organization as a spectrum across all of the different activities that are happening in it. So it looks just a little small thing with a few arrows in a box, but there's a lot behind that as an idea. So that's just what I invite you to think about if you want to.
All right.
Good. So to the next one, which is using the Manager UI. That's one of my favorite topics. It's always easy to impress the PM then with the capabilities of the Manager. And the longer you work with Identity Manager, the more you realize what's possible in the Manager UI. And it's interesting to see that a lot of people need to see how others are using it just to get aware that it's possible.
So we are looking at three things now. So the first one is we are going to compare two users or two identities in the Manager UI, and we have a small video for that. I hope it's running. Is it running? No, not yet. Now it's running.
[INAUDIBLE] keep going, maybe.
Yeah. So what we are doing is, we are selecting one of the identities in the Manager Tool-- the [? Hyperview. ?] Then we select the details, and then you want to compare that-- what you see in the details-- to a second identity. You just open it and then you see the other one. It's a bit difficult to compare. But what you can do-- you can of course open it in a new tab. Go to the Manager and then open it again, and then you select a tab and move it to the-- there should be a small arrow. You can't see it from here.
But you move it to the arrow or to the plus sign, and then you have them just next to each other and can start comparing them. That's quite powerful. And you can not only do it with one. You can do it with, I think up to 10. That's pretty impressive.
Whatever your screen real estate gives you.
For the recording I had to reduce my screen size. That's why it's so small. But it's a very simple way to compare things in Identity Manager. You just open it in the next tab and then drag it, and you can do it with all the elements. You can move them around, drag them as you want [? them ?] to have them. Try to do that in the web UI.
The next one, if you want to change mass changes of information, I've seen-- there's one of the partners showing how to upload or mass upload data using an Angular plugin. This is a way how you can modify data in Manager for several identities. So the assumption is you want to change for more than one identity department, and that's what we are going to do here.
So we are again having the manager. Select employees, [? then ?] open one. Have a look at the department, I think.
Yep.
The problem is, I have to look to this one because that's way too small for me. I feel my age. Sorry. And then we open another one that should-- or we can select a few, open them. There's [? open-- ?] [INAUDIBLE]. No. There's on [? task. ?] Change my data. So we have selected them all at the same time, and then because they have all the same department, you can just select that, change the department for employees selected over there, and you're done. Takes a second, and then you are done and everyone has now the new department. So it's very easy to do mass changes in there. You see the department has been changed for all those guys.
And the last example is-- I'm just showing that because I learned that last year while I watched a colleague-- how he was doing that. And I saw that. Wow. Wait, how are you doing that? So when you have the master data view opened in Manager, you can just select the employee. And [? so ?] one-- select the one, and where you have the option to select a reference, you can simply right click on the small arrow on the right side, and then you can follow the reference. And then you are on the hyperview of that object and you can continue same way as in the view just following the references in there, which is quite powerful if you are aware of that.
Does it also work in the Object Browser, Matthias? Do you know that?
I have no clue. But my good conscience, [? Marcus, ?] says yes.
Oh, great.
OK, that's a few things you can do in Manager. If you're new to it or haven't done it for a while, it's quite useful to know that, especially comparing mass changing and navigating in [? Manager-- ?] Object Browser, as we learned from Marcus. That's pretty powerful and helpful to get quicker and do the job faster [? then. ?]
The next one-- sample customization scripts. Who wants to talk about--
Yeah, these are just-- again, these are things that I didn't realize were there-- these out of the box scripts that are included with the product. They're there, and you just-- they're downloaded and so you can access them. At one point I think you had to download them separately. Now they're part of the package, I believe.
I think they've always been part of the software download.
Nonetheless. OK, so there they are. And you can go to the different scripts and make use of them, change them, save them how you want.
OK. Rob, what do you do when you need to find a bit of code in order to measure a sample? What do you do?
I think probably people who work with Identity Manager accumulate over the years or over the months a library of useful scripts that they use. And I've met some relatively new partners, very capable people that you just got to point them at this stuff and off they go. So this is a very powerful one.
What I was thinking to myself was, I know if you're in the Designer tool and you hit F2, you get some sort of tab completion or dropdown. And I can't remember-- it proposes, don't you see those scripts that are there? A [? sample. ?] They're your local custom. So what I like to do is to put all of those there so I have them. All the normal things like identity rewrites and so on.
And the other thing that's going through my head about the utility of this type of thing is what you're doing for 9.2-- the template library stuff. [? Does ?] somehow that is part of the usability around scripting and getting access to. Because we don't want to have to come out of Designer into the Windows Explorer and go down and find the script and then do the whole thing. We really just want to drop down, you know what I mean? And I think the template library feeds directly into that. And I'm not saying don't look at these. These are great, but the template library will feed into that.
Yeah, I can remember my early days, and one of the first things I was a developer for was Lotus Notes. And I had no clue what Lotus Notes was, but one of their benefits was they had that impressive library of out-of-the-box database templates and their macro language examples. And this is something like that, because it kick-starts you to understand as a developer how this thing works.
And that's why it's so important to look at it and not think we don't ship it. It's there. It's growing a little bit. Not that much anymore. And it's there I think since version 6? 4? Something like that.
The other thing that's important about these things-- and we do get this comment a lot and I know we do our best and so on, but it's [? a lot of ?] the documentation. Honestly, if you're interested in this stuff anyway, yeah, the API is documented. But the best way as a developer, as we all know, is to find an example of something that's like what I've got and use the age-old paradigm of computer science, which is copy-paste. Copy-paste and modify, right?
But that's what we all want. That's what we do on Google every day. Let's be honest, right? Oh, I'm a really smart guy. Yeah, I know how to Google and I can copy-paste code from Stack Overflow. But you can copy-paste code from here as well obviously, and so on. I would love to see more of this stuff on Stack Overflow and Google and indexed by Google. Google indexed all of human-- I don't want to say knowledge, but at least information, right? So I would love to see these things just on Google somewhere. Like, you can just Google them. But anyway, that's just accessibility. So sorry. Yeah, that's-- anyway.
Maybe on the dark web? Is that what you're saying, Rob?
They're for sale on the dark web.
OK, great.
OK. So next one is extending the launch pad. I think everyone who worked with version-- when did the Tools tab come into it out of the box? It was 8.2, 8.1? Something like that.
8-dot-something, yeah.
8-dot-something. And I think every partner had their own tools [? transport ?] already, and that was-- I think amongst presets that was the most shared transport at all. And people of those days remember that because there was no tools. We had to do our own tools. And just to remind you, you can still of course extend the launch pad with the stuff you need on a regular basis-- or everyone needs in your teams-- and bring those functionalities into the launch pad. It's quite helpful.
But don't forget there's also the favorites. So if it's already available and you just want to have it in a specific location, put it into the favorites. It's more like for new stuff which is not in there yet.
[? Good? ?]
Good. Next one. It's lifecycle management of non-employees. Who wants to take that?
Let's see here. Well I think it's just handling non-employees-- non-humans. So the ability to have contractors. So being able to delegate and manage things outside of your domain and delegate [? things. ?] So let's say you have a contractor and there's a point person. You want to tell them, you can create the roles, you can do all the attestations of your people, or we'll do it a little differently. As well as non-human-- robotic systems and things of that nature.
Yeah. This was always part of Identity Manager, but with version 8.2 I guess, on the identity table we have the fields for identity type and employee type where you can make that distinction between is it a real person, is it a-- whatever-- organizational persona? Is it a thing? Is it a machine? Is it a robot? Is it a whatever?
And with the employee type, you can differentiate between is it a full-time employee, a contractor, an external, a customer, a partner? And with that you can make all those process distinctions you need for driving employees, non-employees, and things. I don't know. Internet of things became a little bit out of date. Now it's robots and RPA and whatever. But in the end, it's machines that somehow need some kind of governance, and you can do that with Identity Manager of course.
Yeah. I mean, we get this all the time. Almost every organization has got this issue of how do we handle those identities? And we get that question. It's perhaps not exactly the intent here, but it's also everything that's like-- well it feeds into privilege identity as well, because some of those identities-- well, accounts, identities, right? It gets a bit blurred, but some of those accounts are service accounts-- you know, privileged accounts as well. So it's feeding into that, too.
So we get this question all the time, and what we see sometimes is that Identity Manager itself can be the source for-- the starting point for the journey for these things. So some organizations talk about birthing, right? Giving birth to these virtual like chatbot Dan, helpful scheduling chatbot, or RPA, and Julie the helpful ticketing chatbot that helps you log a ticket.
Where do they come from? What's the life cycle of these things? It's a super important question. And some organizations will birth them-- it'll be within the identity management system itself. So it's an extremely important question.
And of course, the other reason that it's really good to do that in governance is because a huge question for these things is, who's responsible for these non-human identities? And of course that's what we bring-- is the ownership side of it. Who am I going to call when I'm trying to figure out if this thing is still needed, if it's still being used, or what access, or if there's a change management issue and so on? Who am I going to call? And that's part of what we're bringing-- that ownership workflow and who owns it.
So there's a whole topic there around it, but clearly identity governance is often the starting point for these things. And if it's not the source of these things, then it needs to be in that journey between wherever that source is-- call it your bot factory. A lot of these times these days the RPA crowd have a center of excellence where they birth their bots or whatever they call it. But identity governance needs to be between that bot and the access.
It's not those RPA guys' job to give those things access. It's our job according to policy dynamic. [? Or whatever ?] you want. But that's what we should be doing. It's the right way to govern that. So we're bringing governance into something that's a little bit of the Wild West, right? Anyway, big topic. But we have an extremely important role to play there.
Yeah. And I get this question because the way we're always talking about managed user-- [? and ?] we're always talking about users. And people assume that we don't do this, but we do. We can handle this. All right?
Yep. The next one is the sub-identity topic. So this can be used in different ways, but basically you have main identity, support identity concept where you can link different identities of a single person together. And there's different examples. So the left side there's the Office Fred, or Fred Office. So that's kind of his manager identity. That's the identity used always for working.
And then he has this. This is Admin Fred, so this is the identity he's only using when he is doing administration tasks. And there's the Robot of Fred. And the dashed line this is the ownership. So that links back also to the slide before on robots and service accounts because it's not only accounts you use and you have, but it's also [? accounts ?] your identities you're responsible for.
And the good thing is in the web UI, once you have these sub-identities or you have the ownership, you can do requests for the accounts, you can work on those accounts or identities, and deal with them. And that's one of the things you can use it for. There's several reasons why you need to do that. The obvious one is you have your regular identity and your [? optimal ?] identity. But we also see things like board members' different responsibilities in the company, and you need to handle that in a very specific way.
Good thing is that things like SoD violations or reports handle the sub-identities. So if you do an SoD violation, you can select if you want to have the check on the violation across a single identity or across all identities. And also reports for history and things like that take care of the identities.
You can think of thousands of ways of using that, and another way we often see that is that in companies, an employee or a person has more than one contract. So you can have part-time contract here, part-time contract there, and the challenge is how you bring that together from an identity point of view. So you can also think of a sub-identity as contracts.
So you may have two contracts, but you're only one person, right? And you want to bring that together on one level. And then you have to choose how you want to handle accounts. Do you need for each contract your own account, your own entitlements that work with different accounts, depending on what contract you're working? Or is it just a way of getting the amount of money you need for a full-time job together? And then you can bundle the whole thing on the main identity, which is basically a shell for the contracts. And you can think of thousand ways. Any comment on that?
Yeah, well--
Sorry. Did you--
Go ahead.
No, no, no.
No, I mean, Stephan explains it very well, right? But some simple examples-- canonical case is universities. And I think the first place I saw it being used-- interestingly it was at Radboud. And I know the Radboud guys are around somewhere. So you got a professor. He's a professor. He's got his active directory account and he has access to all his student, systems student correcting systems and so on.
But the professor-- and it's often the case in the medical faculty-- they're also students because they're also enrolled because they're always doing new qualifications. And that's a totally separate line of access, but it's the same person. And then a third case you see then is there might be a director of the lab. Often in the universities, there's maybe a private-public collaboration in a lab. And he's in the lab and there's three different personas of that professor, right?
You see it in the hospitals as well. If you go from often the medical world-- and [INAUDIBLE] [? knows ?] this. The medical worlds are divided into regions, but it's the same person. And when he goes to another region, which he does because he's a specialist, and we don't have specialists. And he moves, and it helps with that use case as well. So it's those use cases that you're doing.
Now one of the great challenges as you know with identity governance is to understand the organization's access governance processes and the data model that's behind it, right? That's one of actually the great things that we enjoy as computer scientists-- dealing with these complex data. But then one of the great pleasures of working with Identity Manager is understanding that it's often quite a complex world, simplifying as far as we can. But then finding that when you look at Identity Manager, it maps-- it's rarely directly. I'm not going to be the sales guy that says that. But it often maps very, very well with existing out-of-the-box data model, which is what sub-identity is here, but also with the UI side.
So you're getting all that stuff for free-- the ability to manage your sub-identities, the ability to feed them into-- think of an SoD. Oh, identity shouldn't have this. It's not just my persona as a doctor or as my persona as a teacher, my persona as a visiting professor-- it's across all my access because I own all those. The product just figures it out for you, right? It'll just do it. So you're getting all that for free once you've done the right data modeling.
Now that being said, sub-identities are not a panacea for every kind of complex situation. Sometimes you don't need them. Sometimes they're not appropriate. For example, if you have actually a shared account across all these personas-- it's just one account, then it can become difficult to tease out the entitlements that are pertinent to each one. You may not want to go with sub-identities in that case.
You can use the other great aspects of Identity Manager like the organizational structure, like the relationships to managers, not to mention other structuring data model capabilities that are in there. So you don't always have to go sub-identity. Don't go crazy with it if it's not appropriate. But it is something to keep in your back pocket as a modeler-- as somebody who's modeling these more complex environments. So that's what I wanted to say in terms of experience with it. Yeah.
Good?
Sorry. Was that too much? But there you go.
No, we just finished your comment. Verification of data quality-- company policies. Matthias, [? a ?] one for you, or shall I take that?
Take that, please.
OK, I will. So we talked already about all the policies SoD rules, but you also have on the product-- and maybe it's not that well known. And what you can do with that is, think of your business processes. You want to do an approval and the manager is gone. You don't have a manager anymore. Then the processes will fail. But there's a way to figure that out so you can have a defining company policy and make sure that everyone is having a manager, or every department is having a manager.
And if it is not the case anymore you can detect it with Identity Manager and raise it like an SoD violation but just different level, because it's more or less an operational issue that you are facing. And that's much better to detect the operational issue than to run into a process error, because then you have already an error and you're stuck. It's better to see it upfront.
And think of the use cases we had, for example, with the ownership. You're responsible for robot and you're going to leave in two weeks because that's what we got from the HR system. You can even define the policies like, I want to know if there is someone responsible for a non-person identity as leaving within the next four weeks. And then you get just one, and if you don't have any automatic processes to transfer ownership, for example, then you get at least notified and [? know ?] I have to do some tasks and move the ownership manually in worst case.
And every case where you run into operational issues-- think about company policies if that's an appropriate way to detect it upfront. Because you can run them every night, see if there's an issue, and then you don't run into the operational issues. Because then normally end users would be affected, which is not that beautiful, right?
[? Thank ?] you.
Next one. Oh, I take that one. That's my favorite one. Sampling attestation data. That's there since 9, I think.
Yeah.
And in the past when you had [? to ?] use [? case-- ?] an employee is moving to a different organization and you want to have an attestation, you were defining a custom process and generating the attestation for that case. And we have that now out of the box, but in a bit different way because we don't do it immediately. We can collect the movers and then run the attestation on all the movers, and you can choose if you want to do it on a daily basis or weekly or monthly basis-- run the attestation.
And that's called sampling attestation data?
Yeah, I'm not sure if that's the best name in the world, but that's how it's called in the product. And what Identity Manager is doing out of the box is it's collecting all the movers, and that's then called sampling or sample data. And then you can run the attestation for the sample data. And what that means is you have a list with your sample data, which is in my case empty in the beginning. You have a person being in accounting-- Albert Accounting-- and that person is moving to the controlling department.
And with that move, we get Albert Accounting into the sample data list. And just imagine-- and then you would get more and more and more over time, and once you choose to run the attestation on top of the sample-- so you can run attestation and you don't have time to define what people, you just say I want to run it on that sample data.
Then the attestation will run and at the end, once the attestation has been generated, the sample data will be cleaned up. So that means you can collect as many movers as you want, run the attestation, and once the attestation started the sample is deleted again and you have [? the ?] attestations running for those guys. And that's what you get out of the box, which is pretty nice, to be honest.
I think there was a request from a bigger customer who didn't want to have the attestation [? on-- ?] start an attestation, each case was collected, and then use all the things we can do like sending one email and so on, and so--
This was one of our biggest customers who indeed has an agreement with the auditor-- the external auditor that they don't have to recertify each and everything per year or something, but they have a monthly approval flow for exactly all organizational changes. And this is how this was born and then implemented. Because I like the idea of having a more dynamic calculation of what needs to be recertified and not just blindly doing something like, OK, do this every year.
This came out in 8.2, I believe, and I was calling it object tagging because I didn't know what we were calling it. So that's the way I think of it-- is you're tagging this object and you're running an attestation on it later on.
Yeah. And just to show it to you, that's how the sample data looks like in the web UI. So you can even have a look at the collected samples in the web UI in the Angular portal. And once you have an attestation running, keep in mind that you have this wonderful report. [? Marcos ?] did it, by the way. I kindly asked him a few times until--
And the important thing is, this is available for all your attestations. We often get a question, can I create a report of an attestation we just did? And that's actually the report. So what we see here is the currently running attestation. It is available for the current attestation, for completed attestations, and also for historic attestation. You can even say, give me the report for the attestation a year ago. And that's what you can give to your auditors. You can just run the report. And it's there since 8.2. Something like that, I believe.
And that's a pretty powerful one. We didn't have that before, and we got always asked for that. That's why I'm happy we have it since [INAUDIBLE].
Good.
[? Sir, ?] I have a question.
[INAUDIBLE].
How technically you define whether an object should be moved to the sample data [? or ?] [INAUDIBLE]?
There's a process chain doing that. So actually there's a process chain moving it through the sample data, and there's an API called "bring me that object into the sample data." And out of the box, the process chain is there for the department change, but you can of course create your own chain.
The other thing is you can also put manually objects into the sample data if you want. So there are some cases where it may make sense to manually put a few identities for testing, and you can just put them into the bucket of sample data and then run it like that.
Stephan, we have another question here.
So we have a use case currently, and the part that the customer wants to run attestation every time a user changes department because it's an urgent case. It's an emergency case. So is it possible to always run attestation when the sample data has an entry? Every time there's an entry?
You don't need the sample data for it. You can do it really based on the event. You can run a job chain that creates an attestation case for a certain attestation policy directly. You don't need to go through the sampling data. So you just define your attestation policy-- whatever change, and whenever that change happens run a job chain that is just creating an attestation case for that specific object in that attestation policy.
Which is one of the advantages of this-- is that it makes it where you don't have to run it all the time. You can buffer them up.
We have to speed up. We have 10 slides and two minutes.
We can't. There's no way of making that anymore.
[LAUGHTER]
So extended properties-- who wants to take that? Mr. Byrne?
Well, I mean, you're a master at this extended property stuff. But what I would say about it is, this is a way to build your-- so think about identity management. It's actually what we're doing in identity management is relationship management. Identity management is really about relationship management. It's about the relationship. It's not just about the identity. If it was about the identity-- like just the identity profile, we wouldn't actually be here. We wouldn't have a product.
It's about the relationships of the identity to accounts, to policy, to violations, to its enterprise structure, to its business line, reporting structure. It's about all of those relationships. And obviously, the product has built-in relationships, but sometimes you want to add your own relationships between objects. And that's what these extended properties allow you to do.
So there are examples here. You can use it for building conditions. You make these relationships between the object, and that relationship then becomes available to you [? as ?] some table as a relationship, and you can reference it in filters. So if that identity is linked to that thing with respect to this [? extended-- ?] you can use it for attestation [INAUDIBLE] roles.
This guy used it extensively. And so on the next slide about delegated administration, he used it for delegated administration. It was very powerful as well. So this is very powerful, and a lot of people don't know it. So definitely, as a hands-on guy, have a look at that.
I just recently googled again, and for everybody who is familiar with the AWS tags and then building policy based on tags, this is a similar approach. We had probably 10 years earlier than AWS in the product, but still, it's the same thing. Tag something and then create policies, filters, whatever based on those tags. It's the same approach as AWS is doing it at the moment.
My favorite example is SoD. So if you have accounts payable, accounts receivable, tag your accounts payable entitlements with the accounts payable tag and the other ones with account receivable. Have only one SoD testing for the extended properties, and you are done. We have a big customer doing that, and I think that's quite helpful to reduce the amount of SoD [? roles ?] you have.
And I think what we're going to do now is just click through the slides because we have three seconds left. Two seconds. And we have a few. So just to see--
And we have lunch.
Just to see what's in the deck. And because you get the deck afterwards. And of course you can ask questions if you meet us. So we [? are ?] talking in the slide deck about business user delegation. We wanted to go back to Starling Connector because I still get questions. You don't have many cloud target system connectors. Now we have a bunch of them, and just to remind you, we have Starling Connect.
We're doing-- this will be my favorite topic-- manual provisioning. There's no need for manual email sending or using a ticket system. There's even a portal in Identity Manager if you want to do manual provisioning. Ask me about it in the break. We do a lot more things as part of the ecosystem of Identity Manager. Amongst the things, of course, our Data Governance Edition. It's the application governance. If you don't know, that is a topic really worth looking into it. Matthias mentioned it already in the roadmap slides [INAUDIBLE] topic.
These are not-so-hidden gems. They're more just reminders that we have these things.
Can we call it marketing? Yes.
Yup. OK, do we have any questions? I mean, we are over time, but are there any questions?
I have one question at least. Is something like that helpful for you?
[APPLAUSE]
There's a question. And I'll tell you how this came about-- is when I joined the company, I started looking at the product like, nobody ever told me you can do all these things. Like, we need to tell other people. And even some of the developers were like, I didn't know we could do that. All right, go ahead.
So I have a question. Would you provide these slides online or somewhere we can download it?
I think they're going to be on--
I think the right answer-- they will be in the app after the conference.
OK. Cool.
Well the video will be online, and I think the slides are also.
I hope I didn't say anything wrong, but in the last couple of years it was in the app in the schedule. Under the presentations there was a PDF.
All right. Well if you have any questions, please come and get us. Thank you for being here.