Microsoft BHOLD Suite Concepts Guide
Updated: February 1, 2.
Applies To: Forefront Identity Manager 2010

Microsoft® Forefront Identity Manager (FIM 2010) can be configured to synchronize identities, centrally manage certificates and passwords, and provision users across heterogeneous systems. With FIM 2010, IT organizations can define and automate the processes used to manage identities from creation to retirement. Microsoft BHOLD Suite extends these capabilities of FIM 2010, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles. BHOLD Suite includes services and tools that simplify the modeling of role relationships within the organization, map those roles to rights, and verify that the role definitions and associated rights are correctly applied to users. These capabilities are fully integrated with FIM 2010 for users and IT staff alike. This guide helps you understand how BHOLD Suite works with FIM 2010.

The most common method for controlling user access to data and applications is discretionary access control (DAC). In the most common implementations of this model, every significant object has an identified owner who can grant or deny access to the object to others based on individual identity or group membership. In practice, DAC typically results in a plethora of security groups: some reflect organizational structure, others represent functional groupings (such as job types or project assignments), and others are makeshift collections of users and devices linked for more temporary purposes. As organizations grow, membership in these groups becomes increasingly difficult to manage. For example, if an employee is transferred from one project to another, the groups that are used to control access to the projects’ assets must be updated manually.
In such cases, it is not uncommon for mistakes to occur, mistakes that can impede project security or productivity. FIM 2010 includes features that help mitigate this problem by providing automated control over group and distribution list membership. However, this does not address the intrinsic complexity of proliferating groups that are not necessarily related to each other in a structured way. One way to significantly reduce this proliferation is by deploying role-based access control (RBAC). RBAC does not displace DAC; instead, RBAC builds on DAC by providing a framework for classifying users and IT resources to make explicit their relationship and the access rights that are appropriate according to that classification. For example, by assigning to a user attributes that specify the user’s job title and project assignments, the user can be granted access to the tools needed for the user’s job and to the data that the user needs to contribute to a particular project. When the user assumes a different job and different project assignments, changing the attributes that specify the user’s job title and projects automatically blocks access to the resources that were only required for the user’s previous position. Because roles can be contained within roles in a hierarchical fashion (for example, the roles of sales manager and sales representative can be contained in the more general role of sales), it is easy to assign appropriate rights to specific roles while still providing appropriate rights to everyone who shares the more inclusive role.
For example, in a hospital, all medical personnel could be given the right to view a patient’s records, but only physicians (a subrole of the medical role) could be given the right to enter prescriptions for the patient. Similarly, users belonging to the clerical role could be denied access to patient records except for billing clerks (a subrole of the clerical role), who could be granted access to those portions of a patient’s records that are required to bill the patient for services provided by the hospital.

An additional benefit of RBAC is the ability to define and enforce separation of duties (SoD). This allows an organization to define combinations of roles that grant permissions that should not be held by the same user, so that, for example, a particular user cannot be assigned roles that allow the user both to initiate a payment and to authorize a payment. RBAC provides the ability to enforce such a policy automatically rather than having to evaluate the effective implementation of the policy on a per-user basis.

BHOLD role model objects

With BHOLD Suite, you can specify and organize roles within your organization, map users to roles, and map appropriate permissions to roles. This structure is called a role model, and it contains and connects five types of objects.

Organizational units

Organizational units (orgunits) are the principal means by which users are organized in the BHOLD role model. Every user must belong to at least one orgunit. In fact, when a user is removed from the last orgunit in BHOLD, the user’s data record is deleted from the BHOLD database.

Important: Organizational units in the BHOLD role model should not be confused with organizational units in Active Directory Domain Services (AD DS). Typically, the orgunit structure in BHOLD is based on the organization and policies of your business, not the requirements of your network infrastructure.
Although it is not required, in most cases orgunits are structured in BHOLD to represent the hierarchical structure of the actual organization, similar to the one below:

In this sample, the role model would contain an orgunit for the corporation as a whole (represented by the president, because the president is not part of a more specific orgunit), or the BHOLD root orgunit (which always exists) could be used for that purpose. Orgunits representing the corporate divisions headed by the vice presidents would be placed in the corporate orgunit. Next, orgunits corresponding to the marketing and sales directors would be added to the marketing and sales orgunits, and orgunits representing the regional sales managers would be placed in the orgunit for the east region sales manager. Sales associates, who do not manage other users, would be made members of the orgunit of the east region sales manager. Note that users can be members of an orgunit at any level. For example, an administrative assistant, who is not a manager and reports directly to a vice president, would be a member of the vice president’s orgunit.

In addition to representing organizational structure, orgunits can also be used to group users and other orgunits according to functional criteria, such as projects or specialization. The following diagram shows how orgunits would be used to group sales associates according to customer type:

In this example, each sales associate would belong to two orgunits: one representing the associate’s place in the organization’s management structure, and one representing the associate’s customer base (retail or corporate). Each orgunit can be assigned different roles which, in turn, can be assigned different permissions for accessing the organization’s IT resources. In addition, roles can be inherited from parent orgunits, simplifying the process of propagating roles to users. On the other hand, specific roles can be prevented from being inherited, ensuring that a specific role is associated only with the appropriate orgunits. Orgunits can be created in BHOLD Suite by using the BHOLD Core web portal or by using the BHOLD Model Generator.

Users

As noted above, every user must belong to at least one organizational unit (orgunit). Because orgunits are the principal mechanism for associating a user with roles, in the majority of organizations a given user belongs to multiple orgunits to make it easier to associate roles with that user. In some cases, however, it may be necessary to associate a role with a user apart from any orgunits that the user belongs to. Consequently, a user can be assigned directly to a role as well as obtaining roles from the orgunits that the user belongs to. When a user is not active within the organization (while away on medical leave, for example), the user can be suspended, which revokes all the user’s permissions without removing the user from the role model. Upon returning to duty, the user can be reactivated, which restores all the permissions granted by the user’s roles.
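The following is an added toy model of the role-model semantics described in the sections above (orgunit hierarchy with role inheritance and inheritance blocking, direct user-to-role assignment, suspension, and SoD checking); it is illustrative code written for this page, not BHOLD's own API, and all class and function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: frozenset
    inheritable: bool = True      # False: role is not propagated to child orgunits

@dataclass
class OrgUnit:
    name: str
    parent: "OrgUnit | None" = None
    roles: list = field(default_factory=list)

@dataclass
class User:
    name: str
    orgunits: list = field(default_factory=list)      # must be non-empty in BHOLD
    direct_roles: list = field(default_factory=list)  # roles assigned apart from orgunits
    suspended: bool = False

def orgunit_roles(ou):
    """Roles held by an orgunit: its own roles plus the inheritable roles of every ancestor."""
    roles = list(ou.roles)
    while ou.parent is not None:
        ou = ou.parent
        roles += [r for r in ou.roles if r.inheritable]
    return roles

def effective_roles(user):
    """Union of roles from all of the user's orgunits and the user's direct assignments, by name."""
    if not user.orgunits:
        raise ValueError(f"{user.name} must belong to at least one orgunit")
    seen = {}
    for ou in user.orgunits:
        for r in orgunit_roles(ou):
            seen[r.name] = r
    for r in user.direct_roles:
        seen[r.name] = r
    return seen

def effective_permissions(user):
    """A suspended user keeps roles in the model but holds no permissions until reactivated."""
    if user.suspended:
        return frozenset()
    return frozenset().union(*(r.permissions for r in effective_roles(user).values()))

def sod_violations(user, sod_rules):
    """sod_rules: set of frozenset({role_a, role_b}) pairs that one user may not hold together."""
    held = set(effective_roles(user))
    return [rule for rule in sod_rules if rule <= held]
```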