[MUSIC PLAYING] During the last couple of videos, and especially during the last couple of demos, you have seen what Identity Manager can do for you. The good message is nearly everything you have seen is just based on configuration. That means the product was installed, some business data was added, and then we started the demo. Additionally to that, we have to think about the Identity Manager as a solution framework. Solution frameworks from its nature are tools which can be highly customized and configured. This is what in the last part of the demo what we want to show you.
Please remember the Identity Manager after installed, comes with hundreds of processes, and again hundreds of configuration parameters for the web then for the complete engine, which allows you to highly configure this tool. And this is what should take place first. That means after installation, you start configuring your system and all the standard processes until they are fitting best to your needs. That means each implemented process just comes, not with one functionality, it comes configurable. And you can just configure it without any customization. It's just switching on keys, or switching off, or just configuring things.
Once all of this is done, the very last step is to extend the system because not everything you might need is just implemented in the Identity Manager. This is because, as we all know, enterprises and companies are working differently and do have different needs. And each software vendor, like One Identity, is not able to implement everything you and your company will know.
So we hope that our standard functionality is good enough for a big amount of problems you want to solve, but for the last bits and for the specialities that only exist in your company, we have the customization capabilities. This means we differ between the installation have to be done, the configuration should be done first, and at the end to add additional functionality to the system which was not implemented before, we name that customization.
Of course, it is good to use the standard functions as long as possible. Reason is with the next software upgrade, the standard functionality gets automatically upgraded. In difference to that, anything you add on your own in addition, it's something you have to maintain, and because of that, it should be only the last choice. Nevertheless, there is nearly no project where not somebody is doing some customization that means some specific project development exactly and especially only for you.
The next couple of minutes will show you how this could be done best and which capabilities exist. Please have in mind everything I will show you now is just an overview, and it's absolutely not valid to learn from it in a way of that you are the customization expert after watching this single video.
Now we're going to talk a little bit about how to configure Identity Manager and what options that are available when you configure Identity Management. Now it's very important to stress that Identity Manager is not a toolbox that you install, and then you have to do everything yourself. It comes already pre-configured with a lot of built-in processes, where the best practices, processes for a lot of things. Typically, what you do when you implement Identity Manager is that you want to modify the existing or extend the existing configuration.
So the first tool that we're going to take a look at is the Manager tool. So what you see on the screen here is now I just started the Manager tool. Now, for instance, you might want to load your own organizational information. So what we have loaded inside this demo environment here is a hierarchical organization for a company called Demo. Now it's not at all complicated. It contains different departments for different countries, as you can see on the screen here.
Now if I just select one randomly here, I will see this object on the right hand side. I can see it's a department or organizational unit. And there's nothing preventing you from building more than one hierarchy here. You can even have your next version of your internal organization be a model before you onboard people into it. And it can be flat. And it can be hierarchical, as this one is.
Secondly, you can have locations configured inside of it. And funny enough, the location structure we have in this demo environment is actually flat. It just contains a lot of different locations. So if I just click one here, this is a finished one. As I can see, if someone is assigned to this one, they will actually receive a couple of target system entitlements automatically.
And the same goes for cost center structures. And you might wonder, why do you want to have cost centers represented in an identity management solution? Well, the perfect example is that, let's say that you have something that someone wants to request. And it costs a lot of money. So maybe you have someone who is responsible for that cost center and should be the approver for that request. And that kind of information is often available anyway in your HR system. So when you onboard people, you might be able to onboard a cost structure as well.
The second thing we're going to take a look at is the business roles. Now business roles. As you remember from previous videos, you have to have a role class configured in order to be able to create a business role in the first place.
Now in this demo environment, we have two role classes defined. One is called Job Roles. And the other one is called RBAC Roles. It's just a name. It can be anything. If you want to change this name, the RBAC Roles name here, I can just give it a new name. New role class. And save it. So by doing so, I will now see that my second role class is actually called New role class. And it belong-- there are two roles that use this role class.
Now for almost any menu option, if you look here, you will see that there is something called basic configuration data. This is configuration information that you do for everything. In this case, this is configuration settings for the business roles. So obviously, one of them are the role classes. This is the one I renamed.
And the role class has typically determined what kind of behavior do we want on those roles that we create with this role class. Well, first of all, you have to decide the inheritance direction. You can't change it afterwards. That's why it's grayed out on the screen here. But either it's top down or bottom up. Bottom up is typically roles of the nature of project roles. And top down are the roles that most people understand because they behave like group memberships.
The second thing you do with a role class, you also determine what kind of things do we allow to be assigned into the roles. And what you see on the list here depends on what kind of modules you selected when you installed the identity management platform. So you can say that everything that's available here could be possible to put into the role. But as you can see on the screen here, that the SAP part of it, it's not allowed to put in those business roles of the role class Job Roles. I can change this afterwards if I like.
But this is how you can limit what you can put into a business role. You can, for instance, say that the only thing we allow in business roles are persons being employees and, for instance, technical roles, what we call system roles. If you make a role class like that, no one can put an Active Directory group, or an LDAP group, or anything on SAP, entitlement, or anything inside that role because the role class will determine what's allowed and not allowed.
And the final thing I wanted to look at inside the Manager tool is the IT shop configuration. As you may remember from when we did previous videos, when we looked at request and we made a role requestable, there are a couple of things to consider here. When a person requests access to whatever they want to have, they will see what we call a service item name. This is something that's user friendly. The end user will understand what they request. And it will also belong to a category. But the IT shop structure determines who should be able to access and what approval policies apply to it.
And if we open up the basic configuration data settings in the IT shop, we can scroll down and look at approval workflows. Now we can also look at approval workflows that's predefined. Predefined are things that comes with the product. You don't have to build them. As you can see, there is a recipient manager, a workflow already available in the product. But you can also define your own.
So I'm going to open up one that I have defined myself here. And I call it Manager Approval. And if I look at it, I can open up the Graphical Workflow Editor. And this is one of the few editors where you edit workflows that you don't have to be a workflow specialist. I would say that anyone can add steps to this workflow and understand what's happening.
So if we look at this workflow, the first thing that happened is that it runs a compliance check to detect if the request violates any kind of policy or rule that you have configured. And if so, it goes to an exception approval. Otherwise, it will go to a manager approval. Now the step you see down here on the right hand side is, if this manager does not approve within a configured time period, it will be escalated to someone else.
So this workflow is very simple to modify. If you want to add a step, you simply click on the Add button here. And what you see on the screen is the possibility to add yet another step. And obviously, what you want to see in the step is what kind of procedure. Well I want the-- for instance, I want a named IT approver from the recipient's location if that's available. And when I say OK here, I can simply take this new step that I just added. And I can say if it's-- I don't know if this really makes sense. But this is how easy it is to modify an existing workflow.
Another of the tools that we can use when we configure the platform is the tool called Web Designer. The Web Designer is configuring exactly what it sounds like, the web front end. So the Web Designer has a lot of things you can do. It's a very capable application. But it also has configuration settings. So typically, these are all parameters you can change in your web project.
So if I open up, for instance, the general settings, I can scroll down and see things like what we have configured here is a link to the password reset web, because in the previous video you saw that the end user could change their own password. The sign in logo and the company logo are typically things that we change when we deploy Identity Manager. So the customer can get their own logo here.
And also, if I close down the general settings and open up the layout color settings, this is how you modify the color scheme on the screen. By modifying the color settings and the logos, it will look like an application that conforms to how applications should look at the customer when being deployed.
And finally, there is a third tool to do configuration. And this is the tool where you do the basic configuration settings for the implementation itself. This is also where you do any kind of customization on the processes that executes when the application runs. So from this tool, you can click on the Edit Configuration parameter. And this is also built in a hierarchical way, how you can modify certain parameters.
And if you open up one of those parameters, for instance, we can open up the authentication settings here. And we can look at how often do we, for instance, this group that defines the interval in minutes after the authentication is verified. We can also have some basic settings regarding attestation, for example. An example where we can set configurations, or, for instance, if we open up the target system, what's listed here are target system modules that we have installed in this particular demo environment. And the ADS stands for Active Directory.
An interesting setting here, for instance, could be the setting called Person Auto Full Sync. What it effectively means is that when you synchronize to your existing target system, in this case, the Active Directory, what's going to happen when I find an account that I cannot match to an existing identity or person object? Well, we are just going to add the account. We are not going to do anything. But we can select. For instance, we are going to create a new identity based on this account because there are situations where we want the application to work.
Now these were only a very limited number of settings that I showed you right now. Again, the Manager tool, it's mainly there to manage your data. But there are configuration parameters in there. Examples were the workflow. The Web Designer tool is definitely where you can modify the complete behavior of the web UI. And finally, the Designer tool, we just looked at the configuration parameters. But there are so many more things you can do with that tool. But that's another video series.
[MUSIC PLAYING]