Concepts

Data exchange between the organization's systems and ObserveID centers on Integration Data. Integration Data is produced by an Integration and is ObserveID's primary source of information about access to the target system. It is linked to an Identity and underpins Identity Management and Access Control.

Identity

An Identity can be seen as a unique identifier carrying many additional properties. From the business perspective, an Identity is an employee or a contractor of the organization. For Identity and Access Management tasks, it is important to recognize the same person as one and the same Identity across corporate systems, whether on-premises or in a multi-cloud environment.

Integration

Any system in the corporate infrastructure that ObserveID communicates with is classified as a Target. The established, working connection between ObserveID and a Target is called an Integration.

Depending on the scale of the system, one Integration may expose a single resource or many. For example, databases A, B, and C hosted on one MS SQL Server are treated as a single MS SQL Server integration in ObserveID, and each of the three databases is an individual Resource.

The Integration Type, such as MS SQL, AWS, or Google, determines the communication method.

Integration Data

Integration Data varies across different integrations but typically includes accounts, resources, entitlements, and additional properties. These elements are essential for managing access.

Accounts refer to entities that represent users or logins within a specific system. They are imported into ObserveID during the initial launch of the integration and are subsequently managed through Workflows, Analytics, and other tools.

Resources are the parts of the target system for which access can be granted to, or revoked from, an Account. A resource can be a sub-system within a larger system, an individual system within a platform, or a single database running on a database server. Essentially, resources are whatever the integration makes accessible to users.

All resources are imported during the initial launch of the integration and are subsequently updated as part of the Integration Data. The resources of an integration are often hierarchical, with one root resource and lower-level resources beneath it. Typically, the root resource is where Accounts are created and managed.

Entitlements are viewed from two perspectives: what can be granted or revoked, and what has already been assigned, directly or indirectly, to an account. In the first perspective, entitlements are catalogued as Permission Types, each carrying the rules and constraints that apply to its resource and to the accounts it may be granted to. The second perspective is Account Entitlements: the scope of access a particular account actually holds. Permission Types feed the workflows that provision and deprovision access; Account Entitlements are monitored and managed through Identity Intelligence and Automation.
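As an added illustration of the model described in this section, the following Python builds an in-memory Integration with a root resource and child databases, creates an Account on the root, and shows the two entitlement perspectives: Permission Types that can be granted (with a constraint check applied at grant time), and the Account Entitlements an account effectively holds once indirectly assigned entitlements are resolved. It also shows the resource list being updated after a database disappears from the target. This is example code written for this page, not ObserveID's own schema or API; the class names, the `implies` relation standing in for indirect assignment, and the MS SQL Server sample data are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Hypothetical in-memory model of Integration Data (not ObserveID's schema).


@dataclass(frozen=True)
class Resource:
    """Something the integration exposes: the root (e.g. a SQL Server instance)
    or a lower-level resource under it (e.g. one database on that instance)."""
    name: str
    parent: Optional["Resource"] = None

    def root(self) -> "Resource":
        return self if self.parent is None else self.parent.root()


@dataclass(frozen=True)
class PermissionType:
    """Perspective 1: an entitlement that *can* be granted on a resource.
    `implies` (assumed for this example) names entitlements that come with it
    indirectly, e.g. db_owner carrying db_datareader and db_datawriter."""
    name: str
    resource: Resource
    implies: Tuple[str, ...] = ()


@dataclass
class Account:
    """A login; created on the integration's root resource."""
    login: str
    home: Resource
    direct: Set[str] = field(default_factory=set)  # directly granted Permission Types


class Integration:
    def __init__(self, name: str, root_name: str) -> None:
        self.name = name
        self.root = Resource(root_name)
        self.resources: Dict[str, Resource] = {root_name: self.root}
        self.permission_types: Dict[str, PermissionType] = {}
        self.accounts: Dict[str, Account] = {}

    def add_resource(self, name: str, parent_name: str) -> Resource:
        res = Resource(name, self.resources[parent_name])
        self.resources[name] = res
        return res

    def remove_resource(self, name: str) -> None:
        """Integration Data update: the target no longer has this resource."""
        if name == self.root.name:
            raise ValueError("the root resource cannot be removed")
        del self.resources[name]

    def add_permission_type(self, name: str, resource_name: str,
                            implies: Tuple[str, ...] = ()) -> PermissionType:
        pt = PermissionType(name, self.resources[resource_name], tuple(implies))
        self.permission_types[name] = pt
        return pt

    def create_account(self, login: str) -> Account:
        acct = Account(login, self.root)  # accounts live on the root resource
        self.accounts[login] = acct
        return acct

    def grant(self, login: str, perm: str) -> None:
        """Provisioning step of a workflow: enforce constraints before granting."""
        pt = self.permission_types[perm]   # unknown Permission Type -> KeyError
        acct = self.accounts[login]        # unknown Account -> KeyError
        # Constraint: the entitlement's resource must still exist in this integration.
        if self.resources.get(pt.resource.name) is not pt.resource:
            raise ValueError(f"{pt.resource.name} is no longer a resource of {self.name}")
        acct.direct.add(perm)

    def revoke(self, login: str, perm: str) -> None:
        """Deprovisioning step: remove a direct grant (implied ones fall away with it)."""
        self.accounts[login].direct.discard(perm)

    def account_entitlements(self, login: str) -> Set[Tuple[str, str]]:
        """Perspective 2: (resource, entitlement) pairs the account holds,
        directly or through the closure of `implies`."""
        held: Set[Tuple[str, str]] = set()
        todo = list(self.accounts[login].direct)
        while todo:
            pt = self.permission_types[todo.pop()]
            key = (pt.resource.name, pt.name)
            if key not in held:
                held.add(key)
                todo.extend(pt.implies)
        return held

    def accounts_with_access(self, resource_name: str) -> Set[str]:
        """Access review: which accounts hold any entitlement on a resource."""
        return {login for login in self.accounts
                if any(res == resource_name for res, _ in self.account_entitlements(login))}


def sample_integration() -> Integration:
    """Constructed sample: one MS SQL Server integration with databases A, B, C."""
    sql = Integration("MS SQL Server", "sql01")
    for db in ("A", "B", "C"):
        sql.add_resource(db, "sql01")
    sql.add_permission_type("db_datareader@A", "A")
    sql.add_permission_type("db_datawriter@A", "A")
    sql.add_permission_type("db_owner@A", "A", ("db_datareader@A", "db_datawriter@A"))
    sql.add_permission_type("db_datareader@B", "B")
    sql.add_permission_type("db_datareader@C", "C")
    sql.create_account("svc_reports")
    sql.grant("svc_reports", "db_owner@A")      # one direct grant ...
    sql.grant("svc_reports", "db_datareader@B")
    return sql
```

In the sample, `svc_reports` has two direct grants but four Account Entitlements, because `db_owner@A` carries reader and writer on database A; revoking the single direct grant removes all three. Removing database C from the resource list makes any later grant of `db_datareader@C` fail the constraint check, which is the behaviour a provisioning workflow should have once a refresh shows the resource is gone.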

Additional Properties refer to any integration-specific information related to accounts, resources, and entitlements that is necessary or beneficial for effective Identity and Access Management.