Better Living Through Chemistry

I have always loved the subject of physics, but I am definitely a macro-gal instead of a quantum one. A Newton over Hamilton kind of thing. As a result, chemistry was one of my least favorite subjects in school. Having said this, I recently found that chemistry might actually be (more...)

Give me federation or give me death

Once again, several threads coalesced and led to this blog. The chief impetus was a question asked on LinkedIn about federated identity management. Since the term federated identity management is somewhat of a misnomer (and a broadside), we'll use an even less accurate but slightly more legitimate federation. To wit, the person asking the question was wondering if federation is "critical" and why organizations are slow to adopt federation for "cross-organizational access".

My response to the question was that federation is not critical and the reasons for slow adoption are mostly standard. It's a fairly new technology with a (more...)

Use It or Lose It

This blog post is a continuation of Waiting at a Station where I talked about attestation and possible strategies of reducing its scope. The strategy I am proposing is to segment user accounts into active and dormant where the definition of dormant is set by audit guidelines or IT policy; dormant accounts can then be excluded from attestation. At its simplest (and for the sake of this example), we can define dormant as any account that has not been used since the last attestation. If we assume that attestation is done once a quarter, our definition becomes "any account that (more...)

Ask Identigral (Issue 3)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

We want to use Oracle Identity Manager (OIM) to manage Active Directory (AD) passwords. However, (more...)

Waiting at a Station

In a blog post a few days ago, I wrote about the parallels between Security Information and Event Management (SIEM) and Identity Administration solutions. In both cases, when an event comes in from an external system, there are rules that evaluate the event. If the event is deemed to imply a threat (in SIEM case) or a compliance issue such as a rogue account that could lead to a threat (in Identity Administration case), I wondered about possible actions that could be taken without involving a human. In this blog I'd like to examine a related premise and do it (more...)

The KOL Miner’s Daughter

Just when you've escaped from your past, it comes back to haunt you, something about learning from history and being doomed to repeat it. I had every intention of doing a blog post about identity management challenges associated with implementing business processes having to do with internal (employee) transfers but when worlds collide, singularity happens. Prodded by the announcement of an improved Twitter search, Oracle's Nishant Kaushik writes about the new "identity equation". This comes only two days after a blog on the very same subject by a former colleague of mine, Endeca's chief scientist Daniel Tunkelang. Two blogs, two (more...)

Meet Stanley Ipkiss

A few weeks ago a blog post by George Hulme on Health Information Trust Alliance (HITRUST) community site caught my attention. In his blog George talks about data breaches in the healthcare realm and how they are hard to prevent even if various data protection technologies are implemented. George wonders if data masking can reduce the frequency of data breaches where the primary attack vector is theft of data from non-production environments and I wanted to examine this premise in the context of implementing an identity administration solution with a product such as Oracle Identity Manager.

Data masking is an (more...)

Ask Identigral (issue 2)

Ask Identigral (tag, category) is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

Question: I am trying to use Deployment Manager for importing my previously exported (more...)

Segregation of Duties – Panacea or Pandemic

Recently I have been exploring the new APIs that came out in Oracle Identity Manager 9.1.x and what they can do for our customers. Most exciting are the new reconciliation APIs. For any company that views compliance as a raison d'etre of their identity management system, reconciliation must occur. Audit and reporting are aspects of compliance that require reconciliation. From a business perspective, it doesn't matter whether reconciliation is done under the auspices of the software product or by an IT group that gets together nightly for cappuccinos and crackers while comparing source systems or by monkeys hitting (more...)

Action-Reaction

One of the nice-to-have benefits of implementing an identity management solution is the ability to know what's going on inside a target system. If someone creates an account on the target and the account violates an IT policy or procedure (thou shall not create accounts directly without going through Oracle Identity Manager), this fact is quickly discovered during reconciliation (if it's smart enough!) and/or subsequent review of reports. This problem of so-called rogue accounts is encountered very often and we've engineered many a solution for it for customers. (Naturally all of our solutions are very smart (more...)

Authorization in Oracle BI Server (OBIEE)

Oracle Business Intelligence Server (BI Server) is a server product in Oracle's Business Intelligence Enterprise Edition Plus (OBIEE) suite. BI Server stores metadata such as business models in its own repository. Naturally, access to various repository assets needs to be secured. User accounts can be defined explicitly in an Oracle BI repository or in an external source (such as a database table or an LDAP-compliant directory server). Authenticating to an external source is a matter of configuration. Next comes everyone's favorite challenge - authorization.

BI Server uses groups as authorization principals, i.e. membership in a particular group (more...)