[MUSIC PLAYING] We're going to talk about things that you may not have known about IdM. IdM is a very large, complex product. It's been out for years. There's a lot of little features that you may not have known about.
But a little addition of that is that at the end of the session, if you come up with a thing that many people didn't know about and we didn't mention, we will give you this lovely Unite Security t-shirt. And with this t-shirt, you don't have to go through TSA. You can skip TSA.
[CHUCKLING]
You just say, I'm with Security. OK, they'll let you through. So anyway, so start thinking about that. So we're going to go through this.
So [INAUDIBLE], like I said, is a lead developer, especially our user interface area. Josh Karnes-- you've probably seen him here today. What is your title, Josh? I know you've gotten, like, 18 promotions in the last year.
[LAUGHING] Not true, 17.
So OK.
Yeah, I'm the Principal IAM Product Architect.
OK. All right, and Rob Kraczek is in the Field Strategy Group. Is that right?
Yep.
Yeah. And so anyway, we're going to go on. So we're not going to spend a lot of time on the core features. You guys know about the core features of Identity Manager. And that's fine.
So let's look at the first thing. Did you guys know that there's a way to validate credentials to ensure that they're not compromised? Some of you are familiar with that.
Rob is.
Rob, how does that work? Tell me.
So VeriClouds is a service provider for dark web inspection of your passwords. And so actually, we have an integration with Identity Manager. It's actually-- isn't it on GitHub-- it's a solution accelerator. And it's in our documentation on how to connect VeriClouds with IdM so that when you reset a password or when you want to check on a credential, VeriClouds will provide that service, go to the dark web, and tell you whether or not that's a valid password that you can use.
Yeah. So that means if you-- a user ID, they know, and it's not just the user ID, but it's also the password. If it's been compromised, if it's out for sale on the dark web, something needs to be done about it. Anyway, if anybody had a question, raise your hand. We're real relaxed up here.
All right, next one, recommendations, so we have three levels. We have different types of recommendations. [INAUDIBLE], why don't you tell us, what kind of recommendations are available now? And what's coming in 9.2?
So 9.1 and 9.0, we already have recommendations for access requests. So if somebody goes in, makes an access request, the system will calculate if other members of the team of the peer group already have the same kind of access, if the approval has approved or rejected requests for that same entitlement in the past. So we use past data to make a recommendation to the approval. So based on past behavior, you're probably going to want to approve this or not approve this.
So and as you can see here, the system will show that recommendation to the approver. And the other thing is that it will also make recommendations for things that you're probably going to want to request based on your role, based on your team memberships. So it can actually tell you and make recommendations for entitlements that correspond to your role.
So [INAUDIBLE], are you saying that Identity Manager can predict the future?
I think that's what machine learning is all about, pretty much. Yes, you use the data that's already there to make predictions.
I knew you were going to say that.
So now we can use these recommendations in a workflow, right? There's a workflow step?
There's a workflow step for that. And depending on your needs, you could still have a manual approval step after it or just let the system decide and run a recertification maybe after that. It's very flexible in what it can do.
One more thing on recommendations, I noticed that we have-- just stay there for a minute-- so I noticed that we have the ability with the risk index to actually use that as part of the collection metrics. Is that correct? Can we add-- so when you weight an item as part of that, it'll actually make a recommendation based on the risk level of that item as well.
Right. It will use the risk index. And certainly, if something is a very critical entitlement, it will not auto approve. It will still make it so that a human approver still has to approve that request.
Yeah, we're going to talk about risk in a few minutes. So [INAUDIBLE].
So we also have interactions with Teams and Slack, so as you know, we've had for a number of years the ability to do approvals through email. But as environments have progressed, we're doing more and more with instant messaging, with Teams, Slack, other things, to have a very interactive way and a very quick way to make decisions. And so we have the ability to integrate with Teams or Slack to make decisions based-- to approve or deny an attestation or an access very easily through Identity Manager. How many of you are using that capability today? Anybody?
It's through cloud [INAUDIBLE].
I saw a couple of hands there.
Mm-hm.
So one big advantage of doing this, right, is that-- I hear many times from prospects and customers that broad adoption and use of the Identity Manager UX is difficult to push on all the business users, right? But certainly, they're all using Teams or Slack every day. So this in-band communication inside of Slack really extends the utility and the effectiveness of your governance.
Mm-hm.
And I think it's much more detailed, much more interactive than the previous. It's not just a simple yes, no. You can get additional information, and you can drill down a little bit more. Do you have a question back there?
All right, let's go to risk scoring. How many of you knew we had risk scoring? How many are using risk scoring? No hands. [CHUCKLING] I'm not surprised.
So risk indexes-- [INAUDIBLE] you guys are saying? You want to talk about it, or you want me to talk about it?
You talk about it.
OK, risk indexes can be assigned to things like resources, to entitlements, to other things, to accounts, group policies. And so you can say, for instance, if somebody has access to this resource just by the nature of them having access, their risk score is x. So it's different than what you think of user behavior or UEBA type risk scoring based on your anomaly or anything like that. It's based on what you actually have the capability of accessing. So that's one of your risk scores.
Risk scores can also be altered by things such as policy violations. So if the policy is being violated, the risk score of that entity and even that person who's violating the policy can be raised a risk. Or it can also be triggered or raised rather by the lack of certification. Once you go past a certain time [INAUDIBLE] these credentials haven't been certified in x number of time. And so the risk score is high until they get certified.
So there is a fixed amount of information dealing with, I'm assigning a fixed risk score to this thing. But there's also some variables as well. And so it's really useful from the standpoint of IdMs. So if you're thinking about the typical risk scoring of UEBA, that's more of an access product.
But risk is also involved in IGA type products as well. So there are risk capabilities there. I would encourage you to look into that. It's really very powerful.
I don't know, to me, some of maybe the naming, if you think about it, especially assigning it to an object is more of impact. What is the impact if they were to be-- if this were to be exploited. But nonetheless, that's there as a capability. It's been there for many years. So anyway, Role, Discovery, Recommendations-- you guys know about this, don't you?
The Analyzer.
Why don't you tell us about it, Rob?
So the Analyzer's a standalone tool. How many of you have used the Analyzer before? Yeah, Vlad and a few others-- yeah, so Analyzer allows you to dig into the disparate sources of identity. And it can make decisions or help you make decisions on how you should build your initial role model. Or you can do it after the fact.
But a lot of times people use it as part of a deployment to discover and recommend the types of Roles that you should be creating based on the user base that you're bringing in.
So the first one on the left is what, Rob?
So your left?
The yellow part.
The yellow part.
Yeah.
Yeah, so what we're actually doing is we're looking at similarities versus differences with the-- I can't even barely see it.
Well, it's in French, anyway.
Yeah.
[INAUDIBLE]
It's in French. [CHUCKLING]
It's in [INAUDIBLE]. Yeah, so it's looking at differences versus similarities in the different Roles that it's discovered.
[INAUDIBLE] recommendations [INAUDIBLE].
That's correct.
Whereas the second one, the middle one, is more of pruning.
Yeah, you're pruning. You're looking at similarities. And it has a nice little pretty color chart that helps you decide on whether or not you should be-- whether that's something that you want to combine or whether you don't have enough people to really make-- it makes a difference to create that role.
Yeah, and in addition to being able to identify common access that you might want to create a Role for, it can also readily identify outliers too.
That's right.
So it will show the one user who has all of the entitlements versus the rest of the people in the cluster who only have a partial group. So it gives you both pieces of insight, so you can identify the outliers and anomalies and remediate that as well as create Roles.
Yeah, so when [INAUDIBLE] and I talked this morning about futures of IdM. And one of the things on our roadmap to be taken care of is not short term is enhancing our role mining capabilities and peer group analysis. So using additional analytics capabilities to enhance this. But anyway, so this is what we have now.
Before you move on from this, one other trick too with the Analyzer tool is that it will actually create the Role in Identity Manager. So it will perform a configuration for you. And then you can use the out-of-the-box Role Lifecycle Management tools for business users to be able to do things like merge and split Roles.
So you can create a role class, for example-- if any of you are familiar with Role Classes in Identity Manager for these discovered Roles or for the role mining results-- and then you can let the role owners or the IT owners of those objects go in and evaluate this new role and decide to merge it with an existing role rather than just bulk replacing Roles. So it gives you a life cycle where you can monitor. This new role was created. It had these extra entitlements. And then--
That's a good point. That's a good point because it doesn't just create a static list that then you have to populate on your own. It actually will populate the database for you.
Yep.
All right, everybody good with that? Let's go on. This is something I didn't even realize we have. And I think [INAUDIBLE], I showed him. And he said, I didn't know we had that.
Dealer Pricing-- in other words, you can assign a unit price to an object, to access requests or entitlements. And you think, well, what's the good of that? Well, think about what we've been talking about with behavior-driven governance. One of the advantages of that is if you have SaaS-based user entitlements, user accounts, you're getting charged if you're going to be charged by the account.
This is a way you can actually assign a price to that so that you can go back and do reporting on it. Or you can even have it there if you wanted to put it on the request screen, the user request screen or the approval screen, just say, hey, this guy's requesting this. And it's going to be $5 a month. And you're like, I'm not going to pay $5 bucks a month for this guy. So I'm rejecting or whatever.
So it's a way of us moving more-- I think it's really important that security in general moves more toward looking at things from a business standpoint. But we always try to. But this is another way we can actually move closer to that. So anyway, that's there.
OK, another thing about the pricing and cost reporting is Azure Active Directory. And I didn't realize it's one of our guys [INAUDIBLE] Australia brought to my attention. But it made sense. [INAUDIBLE] it is. We manage it differently.
Like, in this case, MS 365 license plans, E3 versus E5, and we report on those. And we can do the same thing for Google Workspace connector. So you can manage things differently with different plans. Do you have a comment on that?
I guess not.
All right, moving on. Tell us about it, Josh.
Tell us about our Solution Accelerators.
Well, we have Solution Accelerators. I have mentioned them multiple times today. So many of you were in the room earlier when I've talked about them. This is really a space where, we're hoping going forward, I think we've done it in the past, but I'm relatively newer to the organization, and so looking forward, we'll be doing much of our sort of field developed innovation in the form of Solution Accelerators.
So this gives us an opportunity to present features to the market before they can become fully productized and so you can get a quicker time to value. You can begin using features even when we're still working on building them fully into the product. Also, it gives you a good chance to give us feedback on how usable they are, how are you using them, and we can refine our process and make them more effective as we're developing.
So they're kind of a win-win. They're good for us because we get a lot of feedback. And they're good for you guys because you get early access to features.
And there's the thing that Josh-- oh, I didn't mean to do that. The thing Josh had talked about earlier, behavior-driven governance, [INAUDIBLE], the VeriClouds-- we talked about on the first slide, I think it was. And so there are several things that exist here. So make sure you access that and check it out.
Yeah, and actually, stay there for a minute. So I've actually used the Docker Containerization files to set up labs when I want to build my own Identity Manager containerized environment. So it's a great way to understand the commands, the file format, and things.
And if you want to build an easy-to-stand-up-and-take-down Identity Manager environment to experiment with, it's a great way to do it because you can just containerize the environment. You don't need to stand up a heavy lift. Because, for example, in my environment, I use Azure DevOps.
And I use Azure. And I'd stand it up in there. And it takes, I don't know-- was [INAUDIBLE] like five minutes to make a whole Identity Manager system stand up once you get the container set up correctly. So it's a great way to leverage that. And I encourage you to do it.
And as you can see, there's other products here. You scroll down. There's Safeguard and ARS and everything [INAUDIBLE].
And included in many of these, it's not just the code artifacts and things that you need to deploy, but also there's documentation. There's how to put it into use and sort of best usage and best case usage.
Yeah, you know who Josh is now, so you can just email him with any problems.
[CHUCKLING] My email address is Ted.Ernst.
[LAUGHING]
That sounds familiar. All right, here's a little goofy little UI trick. And you may think, well, this is stupid. Of course you could do that. I didn't realize it.
You can actually bring up, like in this case, you bring up a tab. This is in a Manager. And let's say you have two users. And so you have tab one for user one and tab two for user two. If you drag tab two down next to tab one, you can see them side by side, so you can compare.
Another thing you can do is, like, in the hierarchy chain, you can multi-select. And I didn't realize you could do that. So let's say I was changing my cost center or whatever, something that's going to change for all these people, I can do it in one change. So these are simple little tricks. Again, these are hidden gems.
Is this something that you would go and buy IdM just for that? No. But it's things you may not realize you could do. And you're probably thinking, I knew that all along. Well, I didn't, so.
Yeah, I recently discovered the Shift-select in the Manager UI for many objects, that it will just select everything in a range. And then you can say, oh, yes, I want to turn all of this on, so.
That's cool. All right, let's go. Anybody want to talk about this? Do you even know about this? OK, here's one of the best things-- Sample Customization Scripts, out-of-the-box predefined scripts. And so, like, in this case, we have whatever it is, using database objects. So this comes only when downloading the software package with the product.
So you can go into this folder. And you can see all these predefined scripts. It'll help you get started if you want to do any of this customization yourself. So they're there.
They're documented fairly well-- well, documented in the code. It's not like external [INAUDIBLE]. But in the code-- actually, in the script, it's documented. And so it's a great way if you're new to the product or if you've never done anything like this, it'll help you get going.
All right, anybody familiar with this? It's [INAUDIBLE] little baby here.
[CHUCKLING]
All right, so extending the Launchpad to easily trigger tasks. So in this case, you set up synchronizing data. So you can set it up if you want to synchronize the data. You can just go and press the Run button there.
And you can get things going. So it's just an easy way to give the users a simple, just a quick way of doing this. It's something that you think they may want to do frequently, so you set it up on the Launchpad.
I think we're losing the crowd here. We're going to do something really crazy like this, OK--
[LAUGHING]
--Lifecycle management of non-employees. Now, you probably knew this already. But not everybody knows. And as we get more and more into RPA and robotics, you need to realize, we're not just talking about nonhuman, and sometimes it's robotics. Sometimes it's like Megan who's a combination of [INAUDIBLE]. I don't know if you've all seen that advertised. That's a scary movie. But anyway, anything you guys want to share [INAUDIBLE], something you probably run into all the time, Josh, [INAUDIBLE] is nonhuman robots.
Yeah, not just nonhuman, but in addition to employees too, oftentimes we get asked, can you govern non-Identity type objects as well. And so that's another example of the flexibility of Identity Manager is that we don't have a fixed object model. So we can do Lifecycle Management and governance over objects that-- even if it's just a container, just an indicator of something that you want to account for, you can do that as well, so even an empty object.
OK. And Subidentities-- [INAUDIBLE] we could do this. This is probably-- I think it's-- OK, anyway, so the ability to have Subidentities within Identity Manager. So what's some good use cases for this?
So if you have a regular user account but they might have a-- well, even in the case of administering Identity Manager itself, you could have a system account attached to that Identity. Or you could have a robotic-- maybe they're responsible for a service account or an AI account, you can have that attached to the Subidentity. Or it could be any number of-- a disconnected Identity, right-- something where they're not actually being provisioned and deprovisioned out of using Identity Manager.
You can still connect that. So there's a lot of different ways to layer identities on top of that main person record or into that person record that a lot of customers take advantage of. I think, George Washington, you talked about that on your main thing with the students, so.
Yeah, it's like the persona thing, right? You can be a student and a teaching assistant, member of faculty. And then those are Subidentities of the same person. Or maybe it's a teaching hospital. And you can be a student and also an attending physician at the same time, so.
Yeah, and roamers too. In a hospital, you have doctors that go between different facilities. Or you might have someone who has certain access at one place and access at another. You can use a Subidentity to attach that all together and attach them differently.
Well, speaking of that, I'm about to win one of these t-shirts because one we didn't mention-- I already have a t-shirt, so I don't need one-- but--
[LAUGHING]
--one that we haven't mentioned yet maybe-- I was reminded by one of our customers is that we have connectivity between different Identity Manager tenants. And so if you have, like, hospitals, which are a part of a group, then each Identity Manager or instance can talk to the other ones. And so then you can consume Identity data that's already been governed for that set of policies in their organization. So you don't have to worry about SOD policy and whatever for those users.
That's good. No t-shirt, though.
All right.
[LAUGHING]
Verification of data quality-- so if you have processes that are relying on a person to have a Manager or else they're not going to run, they're going to fail, you can verify that that data is that way beforehand, so you can rely on that so you can do data verification. What else?
Well, hey, on that note, so if you guys have been in my previous sessions today, I talk about these company policies. And a lot of this is prepackaged with Identity Manager. We have a couple dozen company policies out of the box that do things like, every department must have a Manager assigned. Every user has to have a Manager. Every job code must be associated with a, whatever.
I mean, so there's all of these things so that if your governance program depends upon a certain approval hierarchy or ownership hierarchy, then this ensures that the data actually conforms to that because otherwise it can't be governed. And we're using these same company policies to do our OneLogin Application Governance to say, is this application configured correctly so that we can continue to govern it.
And since these are mostly based on a query, and everybody knows here probably that way in the back end, Identity Manager's largely a bunch of database tables, then we can construct a query that will give you data quality in whatever terms that you need, so across many different tables and in any type of object. So that's just a way to make sure that your compliance program is actually going to work. If a Manager has to approve your attestations, then everybody must have a Manager. And so we can assure that as well.
OK, good. Object Tagging is my term. But really, it came out in 8.2. [INAUDIBLE], do you remember this one?
Yes.
You want me to talk about those?
[INAUDIBLE]
[CHUCKLING]
So you have an Identity, and then something happens to it. I think that's number three on the diagram. So something happens about that Identity, for example, the Identity changes its assigned department. And you have a policy somewhere that says, OK, so if something happens, if an event occurs, like a department change or a manager change, then an event gets created.
And the system will tag that Identity as basically, having their department changed, having their Manager changed. Whatever you want to define as a policy can be used to tag that Identity. And then either periodically or ad-hoc on-demand, whenever you want to run it, you can run a recertification based on that. So you take the set of objects that were tagged before and run an attestation just on that particular set of objects.
Yeah.
And these are things you could have done before. But it would've taken more work. You had a simple workflow to check for these. And this way, it's just kind of automatic.
It automatically tags these objects. And you can attest to them. All right, they're getting bored again. OK.
[LAUGHING]
Josh, you love Extended Attributes.
[LAUGHING] Yeah, and this, often, we like this. And as a demo jockey, I like to show these things because oftentimes, there are things that are outside of the standard database or standard object model. So this is where we can assign a bunch of extended attributes. Out-of-the-box Identity Manager does include many user-defined attributes. I think there's, what, 20 by default?
At least--
Yeah--
--if not more.
--on the Person table, anyway. And then you can extend the schema as you like and on any of our tables in order to include multiple attributes, just like the ones that I always use to create our Solution Accelerators.
Yeah.
And this is a good way of-- I don't want to say bypass. It's supplementing, giving you alternative ways to authenticate--
Mm-hm.
--certain things. So anyway, then other things, and these are yours, Josh. These are things you enjoy talking about.
Yeah, and again, any of you been in my previous sessions, you know, I like these System Roles. But one thing that I love about it is that we can have System Roles that are empty. System Roles give us a unit of governance. Imagine that you have a chat application. So maybe today it's Teams. And tomorrow, you're going to switch it to Slack.
Well, you could use a System Role to say this is the assignment of your chat application. And then that way, people will still be assigned this Role even if you switch the application, so you can later on go and change that. And it will interactively change the thing without you having to go in and adjust everybody's Role and change everybody's attestations and certification history and whatever. So it gives continuity across an access object, so it's pretty cool.
Plus, you can use it sort of like a tag or a way to group users together, which is easy to query. And then you can use it, like, to flag, to drive actions. So and the nice thing is unlike some other-- you can do this multiple ways. You could use tagging.
Or you could use those Extended Attributes. But these System Roles can be managed by the business user, just like any role within the business user UX. So in the web UI, if you're a Manager of System Roles, then you can manage this Role and change the composition of it, request changes for membership, et cetera.
And that leads to the next one, which is this Business User delegation. So we have many App Roles available in the system. I mean, there's probably 100 or more. You could probably tell me how many System Roles we-- it depends on what the build of the system is. But there are certainly many dozens, up to hundreds. And you can create your own.
And what these provide is a really granular delegated administration toward your business users. I kind of call it crowdsourcing your IGA platform. It enables business users to engage in governance. And so you can have a Department Manager be the owner of the Roles for their department. And then they're able to say, well, everybody access requests this same thing.
When I hire a new person, I'm just going to request it to be added to the Role. And that bypasses them having to go to IT and request that they make changes on the back end to the system. They can do it themselves. And that's true for virtually everything in the system. You can delegate it that way.
[INAUDIBLE]
Job Server cluster [INAUDIBLE].
[LAUGHING]
No, I'll talk about it. So-- [CHUCKLING]-- he asked me, you want to take the next one-- like, eh. So Job Server clustering is interesting. How many of you knew you could take Job Servers, and essentially, you can create a mesh, so there's no single point of failure. That's a favorite of [INAUDIBLE] and me, right?
So that's essentially some of the mechanism that we use for Identity Manager On-Demand, right? So we have Job Servers that are able to interact so that we don't have a single point of failure for the job service itself. So when you cluster them together, you're essentially not only sharing the networking information, but also, you're splitting the queues out. So I don't know if you have any real world examples that you've seen of that.
Well, the biggest request that I get around multiple Job Servers is that they want to have them co-located with the target system. So maybe you want one or two or multiple on-premise on your AD system, since that's where the heaviest work is being done.
Right.
And then you want another Job Server for all of your cloud applications or another cluster of Job Servers. So yes, the ability to sort of interactively redistribute the load and target certain Job Servers for certain activities is really helpful.
Yeah, we can leverage the Microsoft native clustering services for those too. So in the past, we've set up-- I know I've done POCs with a couple people in here that we've actually used the native Microsoft tools. And then we've just leveraged Microsoft SQL clustering along with job service clustering and create a very robust environment. This was pre-cloud. But obviously, if you have an on-prem implementation and you want to make it more robust, you can take advantage of this feature.
OK, great. This next one, I'll take, Flexible Governance Framework. And I love this because with IDM, we can govern pretty much anything. And we do. You know, we have our normal entitlements here.
We have through PAG, Privileged Governance, we have Application Governance [INAUDIBLE] Data, the DGE product that we have. And we have Cloud Governance with our [INAUDIBLE] solution. And with that, it brings consistency. Your users don't have to be retrained. You can have, really, one group to govern a lot of different things.
But it also gives you the ability to build a policy or policies across the siloed areas, maybe a separation or segregation of duty policy. You can also have visibility. I want to see what this person has access to. I can see across these things. So anyway, that's just one of my favorites. And anybody else have any comments on that?
No?
No, that's good.
They're ready to get out of here.
[LAUGHING]
It's good stuff.
And so thanks to all of you for coming and for the great questions. [INAUDIBLE]. These slides will be available to you, so we hope you make use of some of these things we've talked about. Anyway, thank you very much.
Thanks, everybody.
If you asked a question or anything, you want a t-shirt, come up here. I'll give you a t-shirt.
[MUSIC PLAYING]