Identity Management
ForgeRock Identity Management 7.2 brings together multiple sources of identity for policy and workflow-based management that puts you in control of the data. Build a solution to consume, transform, and feed data to external sources to help you maintain control over identities of users, devices, and things. Identity governance features in ForgeRock Identity Management let you gain visibility into employee provisioning, and help you proactively take action in managing employee access to external systems.
Identity Management modules:
Overview of capabilities
-
Provisioning
-
Synchronization and reconciliation
-
Adaptable monitoring and auditing services
-
Connections to cloud services with simple social registration
-
Flexible developer access
-
Password synchronization
-
Identity data visualization
-
Delegated administration
-
User self-service
-
Privacy and consent
-
Progressive profile completion
-
Workflow engine
-
OpenICF connector framework to external systems
-
Access request (Identity Governance)
-
Access review and reporting (Identity Governance)
Dependencies
Several Identity Management modules require other modules. For example, the Synchronization module requires the Identity Lifecycle and Relationship module. The following diagram summarizes Identity Management module dependencies:
Identity Synchronization module
This module can serve as the foundation for provisioning and identity data reconciliation. Synchronization capabilities are available as a service and hrough REST APIs to be used directly by external applications. Activities occurring in the system can be configured to log and audit events for reporting purposes.
Required module: Identity Lifecycle and Relationship.
| Feature | Description | Documentation |
|---|---|---|
Discovery and synchronization |
Synchronization of identity data across managed data stores. |
|
Reconciliation |
Alignment between accounts across managed data stores. |
|
Password synchronization |
Near real-time password synchronization across managed data stores. |
|
Directory Services and Active Directory plugins |
Native password synchronization plugins for ForgeRock Directory Services and Microsoft Active Directory. |
|
Delegated administration |
Grant role-based, limited access to perform fine-grained administrative tasks on managed objects. |
|
All connectors |
Extensible interoperability for identity, compliance, and risk management across a variety of specific applications and services. |
Self-Service module
This module can be used to allow end users to manage their own passwords and profiles securely according to predefined policies.
Required modules:
-
Full capabilities: Identity Lifecycle and Relationship.
-
Basic capabilities: Intelligent Access. See User self-service for information about self-service capabilities in AM.
| Feature | Description | Documentation |
|---|---|---|
User self-registration |
End-user self-service UI that lets users create their own accounts with customizable criteria. |
|
Password reset |
End-user self-service UI for changing and resetting passwords based on predefined policies and security questions. |
|
Knowledge-based authentication |
Verification for user identities based on predefined and end user-created security questions. |
|
Forgotten username |
Mechanisms to allow users to recover their usernames with predefined policies. |
|
Progressive profile completion |
Short forms used to simplify registration and incrementally collect profile data over time. |
|
Profile and privacy management dashboard |
Dashboard for managing personal user information. |
|
Consent and preference management |
Configurable user preferences. |
|
Terms and conditions (or terms of service) versioning |
Manage multiple terms and conditions. |
Workflow module
This module can be used to visually organize identity synchronization, reconciliation, and provisioning into repeatable processes with logging and auditing for reporting purposes.
Required modules: Self-Service, Identity Lifecycle and Relationship.
| Feature | Description | Documentation |
|---|---|---|
BPMN 2.0 support |
Standards-based Business Process Model and Notation 2.0 support. |
|
Flowable process engine |
Lightweight workflow and business process management platform. |
|
Workflow-driven provisioning |
Define provisioning workflows for self-service, sunrise and sunset processes, approvals, escalations, and maintenance. |
Social Identity module
With this module, you can allow users to register and authenticate with specified standards-compliant social identity providers. These users can also link multiple social identity providers to the same account, thus establishing a single consumer identity.
With the attributes collected from each user profile, you can configure the module to authorize access to applications and resources, including lead generation tools.
Required modules: Self-Service, Identity Lifecycle and Relationship.
| Feature | Description | Documentation |
|---|---|---|
Registration |
User registration with social identity accounts. |
|
Authentication |
Social login for identity management. |
|
Account linking |
Users can select specific social identity providers for logins. |
|
Attribute scope management |
Administrators can include any or all scopes available, by social identity provider. |
Identity Lifecycle and Relationship module
This module can help you to provision user identities into IDM, and includes the capability to manage roles, relationships between identities, and entitlements.
Required modules: none.
| Feature | Description | Documentation |
|---|---|---|
Inbound provisioning engine |
Provisioning engine to import data from an external resource into IDM. |
|
Data modeling |
Ability to map IDM objects to tables in a JDBC database or to organizational units in a DS repository. |
|
Identity lifecycle management |
An extensible object model that enables you to manage the complete lifecycle of identity objects. |
|
Identity relationship lifecycle management |
Ability to create and track relationship references between objects. |
|
Role lifecycle management |
Provisioning roles to control how objects are exported to external systems and authorization roles to control authorization within IDM. |
|
Entitlement lifecycle management |
Entitlements to provision attributes or sets of attributes, based on role membership. |
Access Request module
This module helps users search for and request entitlements for themselves, as well as on behalf of other members of the organization. Users can also view the status of existing requests, and take action on pending work items. Requests can be automatically approved or can require one or more approvals.
Required modules: Workflow, Self-Service, Identity Lifecycle and Relationship.
| Feature | Description | Documentation |
|---|---|---|
Entitlement bundles |
Administrators can create and manage entitlement bundles. Bundles are groups of entitlements to which users can request access. |
|
User notifications |
Access Request can send customizable user notifications for specific events that occur within the request process. |
|
Identity glossary |
The glossary provides consolidated management of entitlement metadata, bulk export and import, and extended relationship mapping. |
Access Review module
This module provides user certification, role management, policy enforcement, and reporting.
Required modules: Workflow, Self-Service, Identity Lifecycle and Relationship.
| Feature | Description | Documentation |
|---|---|---|
User certification |
Multi-stage certifications let any number of certifiers participate in access decision processes, and provide an escalation process to ensure timely responses. |
|
Role management |
An extensible glossary allows for consolidated management of role and entitlement metadata, bulk export and import, and extended relationship mapping. |
|
Policy enforcement |
Supports proper segregation of duties. |
|
Reporting |
Helps you meet compliance regulations and enables you to obtain a comprehensive understanding of your identity governance system. The reporting module includes a variety of reporting options such as systems access, certification, policy violations, and so on. |