Thor thunders over user provisioning tasks

Up there with authentication and authorization, account provisioning is one of the big three components in any identity management scheme. In our Clear Choice test of Thor Technologies' latest version of Xellerate Identity Manager (8.01), we found that the platform provides flexible account provisioning across a multitude of products and technologies, supporting even the most complex of workflows.

At its most basic level, provisioning software helps automate the creation of user accounts. The processes and workflows a company uses to create, assign, approve, and audit user accounts all can be managed through this type of software.

Workflows can be configured to automatically create Active Directory, PeopleSoft and Lightweight Directory Access Protocol (LDAP) accounts for new employees from one administrator screen once some basic information about the new user is entered. This greatly improves efficiency by drastically shortening the amount of time it takes to create new accounts or modify current user groups. The provisioning process also can include approvals, such as requiring manager approval before the new user accounts are created, making a central provisioning server key for audit compliance.

Xellerate's architecture comprises the Xellerate Server, an administrative console and a database. The Xellerate Server is the central component of the product, providing the intelligence to implement the configured processes and workflows. It enables integration with external resources such as LDAP, Web services and custom applications. The administration console can be a Java console application, a Web front-end accessible through a browser, or a custom application built on the API. The database, which is usually Oracle although SQL Server also is supported, contains all the processes.

Xellerate is very flexible, supporting simple and complex account maintenance workflows. This flexibility lets organizations implement provisioning around current processes.

Integration support is provided through resource adapters - pieces of code that run inside the server - for a number of enterprise products, including SAP, PeopleSoft and Active Directory. The resource adapters let the Xellerate Server communicate with applications and control how they create accounts or modify attributes of current accounts. A resource adapter might simply write user information directly to an LDAP database, or it might make a specific user account function call through an API to make the change. Custom resource adapters can be developed for nearly any application using Thor's developer kit.

We installed Xellerate on a Windows 2000 Advanced Server running JBoss - an open source Java 2 Platform Enterprise Edition application server - and Oracle as the database back end (see How We Did It). We integrated with Active Directory, Exchange Server 2000, and a SunOne LDAP server.

Xellerate is a complex product with a relatively steep learning curve, although it is pretty intuitive once you understand the basics. We would like to see some configuration wizards to help with integration and the creation of new users.

We implemented a number of scenarios to test the flexibility and complexity Xellerate can support. We set up a policy that would automatically place any new user with "full-time" or "part-time" status in the Employees group of our schema and any user defined as an Intern in the Intern group. We then expanded these processes to automatically have Exchange and Active Directory accounts created when a new user is placed in either the Intern or Employees groups. Testing several accounts, this process worked seamlessly. However, it's important to note that to create the Exchange and Active Directory accounts, you need to have a detailed understanding of how your Active Directory implementation is configured, which might add some complexity to the setup process.

Xellerate also supports self-service and approval workflows. Self-service workflows provide forms and processes that users can complete themselves, further automating tasks and alleviating over-worked administrators. Approval workflows automate the review and acceptance processes of user requests that are often required for compliance. We tested the process of receiving a request from an employee for access to an internal site controlled through a SunOne LDAP server. We implemented a process that receives the request through a Web interface, routes the request to the employee's manager for approval and, once approved, automatically adds the user to the LDAP server. We tested several accounts with this process, and everything worked as expected.

We also extended the first process without incident to add a layer of manager approval for new Active Directory and Exchange accounts. We also created more complex workflows, providing different approval paths based on the requesting user. We established one approval chain for contractors requesting access to the internal site and a separate one for employees, who just required manager approval.
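The test scenarios above (status-to-group policy, accounts created per group, approval before creation) can be modelled as a small policy engine. This is an added example, not Xellerate code or its API: all class, function and role names are hypothetical, the contractor chain (sponsor, then security) is an assumed illustration, and the data is constructed.

```python
from dataclasses import dataclass, field

# Constructed policy tables modelled on the review's test scenarios.
STATUS_TO_GROUP = {"full-time": "Employees", "part-time": "Employees", "intern": "Intern"}
GROUP_RESOURCES = {g: ["ActiveDirectory", "Exchange"] for g in ("Employees", "Intern")}
# Employees need manager approval; the contractor chain is an assumed illustration.
APPROVAL_CHAIN = {"employee": ["manager"], "contractor": ["sponsor", "security"]}

@dataclass
class Request:
    user: str
    requester_type: str
    resource: str
    pending: list = field(default_factory=list)  # approver roles still to sign off
    state: str = "pending"

class Provisioner:
    def __init__(self):
        self.accounts = set()  # (user, resource) pairs that really exist
        self.audit = []        # append-only trail: (event, user, resource, actor)

    def _log(self, event, req, actor):
        self.audit.append((event, req.user, req.resource, actor))

    def request(self, user, requester_type, resource):
        req = Request(user, requester_type, resource, list(APPROVAL_CHAIN[requester_type]))
        self._log("requested", req, user)
        return req

    def onboard(self, user, status):
        """Map HR status to a group, then open one request per group resource."""
        group = STATUS_TO_GROUP[status.lower()]
        return group, [self.request(user, "employee", r) for r in GROUP_RESOURCES[group]]

    def decide(self, req, role, approve=True):
        """Record one approver's decision; provision only when the chain is empty."""
        if req.state != "pending" or req.pending[0] != role:
            raise PermissionError(f"{role} may not act on this request now")
        if not approve:
            req.state = "denied"
            self._log("denied", req, role)
            return req.state
        req.pending.pop(0)
        self._log("approved", req, role)
        if not req.pending:
            req.state = "provisioned"
            self.accounts.add((req.user, req.resource))
            self._log("provisioned", req, "system")
        return req.state
```

The audit list is what a compliance report would be built from: every account in `accounts` has a matching requested, approved and provisioned entry, and out-of-order or repeated approvals are rejected rather than logged.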

Xellerate Identity Manager 8.01

Company: Thor Technologies
Cost: $140,000 for full platform license with unlimited servers and rights to all development tools; user licenses range from $2 to $50 based on volume; $25,000 for each adapter license.
Pros: Extremely flexible; wide support for enterprise applications.
Con: Complex product with steep learning curve.

The breakdown (category: weight, score)
Workflow implementation: 40%, 4.5
Application support/integration: 40%, 4.5
Reporting: 10%, 4
Ease of use: 5%, 4

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

We built processes to pre-populate configuration information for resources, such as Active Directory and Exchange. This lets the provisioning process be completely automated from end to end.

Finally, we set up direct integration with Oracle 9i to Crystal Reports software to create a number of reports from stored procedures, such as what users have which accounts, by application, provisioning date, user ID and the like. The standard reports are useful and easy to read. With the Crystal Reports engine, custom reports can be easily created with any data in the database.

With all the regulations and audit requirements now imposed on many organizations, provisioning products help automate implementation and track adherence to defined policies for creating and approving application access. Thor's Xellerate is a very powerful, complex tool. While the learning curve is a bit steep to get everything going, once the base is set up and all the integration is complete, you are limited only by your imagination when it comes to process implementation and automation.

Andress is president of ArcSec Technologies, a security company focusing on product reviews and analysis. She can be reached at

NW Lab Alliance

Andress is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to
