AnsweredAssumed Answered

Duplicate Identities in IdM

Question asked by Chris_Ryan_Thomas on Sep 15, 2017
Latest reply on Sep 18, 2017 by GilFreund

Community IdM Wizards,

 

Seeking some real world guidance here from the trenches. In more than one financial banking deployment of CA Identity manager, which has only one managed endpoint (AD), I'm seeing duplicate identities created in CA IdM. I suspect this is a bad practice and something that should be handled differently, but am wondering what feedback the community has about this topic because I don't see too much info about it, but suspect it's something that CA services, partners and CA IdM architects have encountered before. I'm wondering what strategies and tactics have been implemented to circumvent such a dependence on duplicate identities created within IdM, which I'm concerned in the long run will create more confusion and complexity. I'm thinking long range as IdM continues to grow and add multiple endpoints what impact will these duplicate identities have on the deployment and what is the best practice to follow here. I'm thinking perhaps the reliance needs to slowly shift from taking data from AD as what's needed and populating it in IdM as the authoritative source (with E/Cs), but instead pull onboarding data from Payroll or wherever user attribute data is updated in AD outside of IM, get that into a process (task) or feeder file (for Top-Down processing), but please IdM experts help me confirm my thinking.   

 

Many times when CA IdM lands (then works to expand) in a banking environment, it is initially heavily dependent on AD for data. If policies already exist, within AD, for creating duplicate accounts so that different sets of GPO security policies can be mandated based on OU / DN location, perhaps that ID duplication process should be handled differently within IdM? Perhaps don't create duplicate identities for these admin users (special privileged ids), maybe create additional provisioning roles for these users with account templates and tie the multiple AD accounts to the same root identity, rather than creating separate identities from each. I think I have some ideas as to what can be done, but how best to transition from a practice of E/C creating duplicate IDs to then making these AD accounts correlate with the one true user and remove the duplicate Identities from IdM without adversely impacting the ad accounts.

 

Many Thanks,

Chris.

Outcomes