ForgeRock Identity Platform 7.2

Identity Management

ForgeRock Identity Management 7.2 brings together multiple sources of identity for policy and workflow-based management that puts you in control of the data. Build a solution to consume, transform, and feed data to external sources to help you maintain control over identities of users, devices, and things. Identity governance features in ForgeRock Identity Management let you gain visibility into employee provisioning, and help you proactively take action in managing employee access to external systems.

Identity Management modules:

Overview of capabilities

  • Provisioning

  • Synchronization and reconciliation

  • Adaptable monitoring and auditing services

  • Connections to cloud services with simple social registration

  • Flexible developer access

  • Password synchronization

  • Identity data visualization

  • Delegated administration

  • User self-service

  • Privacy and consent

  • Progressive profile completion

  • Workflow engine

  • OpenICF connector framework to external systems

  • Access request (Identity Governance)

  • Access review and reporting (Identity Governance)


Several Identity Management modules require other modules. For example, the Synchronization module requires the Identity Lifecycle and Relationship module. The following diagram summarizes Identity Management module dependencies:

IDM module dependencies

Identity Synchronization module

This module can serve as the foundation for provisioning and identity data reconciliation. Synchronization capabilities are available as a service and through REST APIs to be used directly by external applications. Activities occurring in the system can be configured to log and audit events for reporting purposes.

Required module: Identity Lifecycle and Relationship.

Features:

  • Discovery and synchronization: Synchronization of identity data across managed data stores.

  • Alignment between accounts across managed data stores.

  • Password synchronization: Near real-time password synchronization across managed data stores.

  • Directory Services and Active Directory plugins: Native password synchronization plugins for ForgeRock Directory Services and Microsoft Active Directory.

  • Delegated administration: Grant role-based, limited access to perform fine-grained administrative tasks on managed objects.

  • All connectors: Extensible interoperability for identity, compliance, and risk management across a variety of specific applications and services.

Self-Service module

This module can be used to allow end users to manage their own passwords and profiles securely according to predefined policies.

Required modules:

  • Full capabilities: Identity Lifecycle and Relationship.

  • Basic capabilities: Intelligent Access. See User self-service for information about self-service capabilities in AM.

Features:

  • User self-registration: End-user self-service UI that lets users create their own accounts with customizable criteria.

  • Password reset: End-user self-service UI for changing and resetting passwords based on predefined policies and security questions.

  • Knowledge-based authentication: Verification of user identities based on predefined and end user-created security questions.

  • Forgotten username: Mechanisms to allow users to recover their usernames with predefined policies.

  • Progressive profile completion: Short forms used to simplify registration and incrementally collect profile data over time.

  • Profile and privacy management dashboard: Dashboard for managing personal user information.

  • Consent and preference management: Configurable user preferences.

  • Terms and conditions (or terms of service) versioning: Manage multiple terms and conditions.

Workflow module

This module can be used to visually organize identity synchronization, reconciliation, and provisioning into repeatable processes with logging and auditing for reporting purposes.

Required modules: Self-Service, Identity Lifecycle and Relationship.

Features:

  • BPMN 2.0 support: Standards-based Business Process Model and Notation 2.0 support.

  • Flowable process engine: Lightweight workflow and business process management platform.

  • Workflow-driven provisioning: Define provisioning workflows for self-service, sunrise and sunset processes, approvals, escalations, and maintenance.

Social Identity module

With this module, you can allow users to register and authenticate with specified standards-compliant social identity providers. These users can also link multiple social identity providers to the same account, thus establishing a single consumer identity.

With the attributes collected from each user profile, you can configure the module to authorize access to applications and resources, including lead generation tools.

Required modules: Self-Service, Identity Lifecycle and Relationship.

Features:

  • User registration with social identity accounts.

  • Social login for identity management.

  • Account linking: Users can select specific social identity providers for logins.

  • Attribute scope management: Administrators can include any or all scopes available, by social identity provider.

Identity Lifecycle and Relationship module

This module can help you to provision user identities into IDM, and includes the capability to manage roles, relationships between identities, and entitlements.

Required modules: none.

Features:

  • Inbound provisioning engine: Provisioning engine to import data from an external resource into IDM.

  • Data modeling: Ability to map IDM objects to tables in a JDBC database or to organizational units in a DS repository.

  • Identity lifecycle management: An extensible object model that enables you to manage the complete lifecycle of identity objects.

  • Identity relationship lifecycle management: Ability to create and track relationship references between objects.

  • Role lifecycle management: Provisioning roles to control how objects are exported to external systems, and authorization roles to control authorization within IDM.

  • Entitlement lifecycle management: Entitlements to provision attributes or sets of attributes, based on role membership.

Access Request module

This module helps users search for and request entitlements for themselves, as well as on behalf of other members of the organization. Users can also view the status of existing requests, and take action on pending work items. Requests can be automatically approved or can require one or more approvals.

Required modules: Workflow, Self-Service, Identity Lifecycle and Relationship.

Features:

  • Entitlement bundles: Administrators can create and manage entitlement bundles. Bundles are groups of entitlements to which users can request access.

  • User notifications: Access Request can send customizable user notifications for specific events that occur within the request process.

  • Identity glossary: The glossary provides consolidated management of entitlement metadata, bulk export and import, and extended relationship mapping.

Access Review module

This module provides user certification, role management, policy enforcement, and reporting.

Required modules: Workflow, Self-Service, Identity Lifecycle and Relationship.

Features:

  • User certification: Multi-stage certifications let any number of certifiers participate in access decision processes, and provide an escalation process to ensure timely responses.

  • Role management: An extensible glossary allows for consolidated management of role and entitlement metadata, bulk export and import, and extended relationship mapping.

  • Policy enforcement: Supports proper segregation of duties.

  • Reporting: Helps you meet compliance regulations and enables you to obtain a comprehensive understanding of your identity governance system. The reporting module includes a variety of reporting options such as systems access, certification, policy violations, and so on.

Copyright © 2010-2024 ForgeRock, all rights reserved.