Capgemini Oracle Blog

Oracle Identity Governance; Solve your biggest identity challenges!

Until now, enterprises have been forced to piece together different kinds of technology to get comprehensive identity protection. They want to ensure users have sufficient access privileges to perform their job functions, but at the same time constrain those privileges to meet compliance and security policies. Due to an increasing number of systems, apps and users, this concerns millions of entitlements for just a handful of administrators. How can you handle this directly, with agility, and even partially automated?

Oracle Identity Governance gives you a purposeful solution for these governance challenges. It provides a unique focus in identity governance by combining access grants and access monitoring. Users are thereby able to procure access when they need it. Oracle Identity Governance Suite also offers a preventative and controlling monitoring tool to ensure that users have just enough access to fulfill their job responsibilities. This gives you closed-loop governance by using a common data model and a platform-based architecture that is fully integrated with your identity and access management solution.

Oracle Identity Governance Suite is part of Oracle Identity Management 11g Release 2. This release also contains:

  • Oracle Identity Manager
  • Oracle Identity Analytics
  • Oracle Privileged Account Manager

Together these offer a complete and integrated, next-generation identity management platform that provides enormous scalability; enables rapid compliance; secures sensitive applications and data; and works on premise and in the cloud, while reducing operational costs by improving control.

With this new way of combining security and productivity you will not only be able to use your identity at the office. You can take it with you on your phone, in the cloud and across the social world.


Identity Governance Suite Components

Okay, let us take a closer look at how Oracle Identity Governance Suite solves today’s challenges.

We can divide the core functionalities into provisioning and de-provisioning:

Provisioning (Granting / enabling)

  • Access request
  • Privileged account request
  • Role lifecycle management
  • Check-in / check-out

De-provisioning (Monitoring / disabling)

  • Identity certifications
  • IT audit monitoring
  • Rogue detection & reconciliation
  • Reporting & privileged access monitoring

Besides those two parts of functionality, each of which covers four unique governance challenges, there is also the heart of the Oracle Identity Governance Suite. This heart is called the Access Catalog. The Access Catalog provides a store of the various access rights across applications and platforms, in addition to comprehensive catalog management capabilities. The catalog runs a continuous job which automatically harvests new information about privileges and entitlements when they become available in the target systems, or when roles are defined or modified in the role management features built into this solution. Automatically harvested data can be enriched with descriptions and risk levels to make it more business-user friendly.

Access requests

Procuring access by filling in a browser-based form is now possible with Oracle Identity Governance Suite. The procurement looks just like a normal web shop, except that you are now shopping for entitlements. This improves the user experience through a high level of user friendliness. It also creates greater awareness for the user.

Privileged account management

All enterprises are familiar with highly privileged administrator accounts, which can do enormous harm to even their most sensitive systems and applications. The number of privileged accounts increases with every server, device or application added to manage. To address this challenge, a privileged account manager is included in the Oracle Identity Governance Suite. It enables the separation of privileges and self-service requests for privileged accounts, and provides password auditing and reporting. The privileged account manager can, for example, manage your credential store, policy store, wallet, authentication, authorization, and audit application programming interfaces.

Role Lifecycle management

Role lifecycle management begins with the definition of roles. Oracle Identity Governance Suite offers a unique combination of tools to define enterprise roles while achieving a role governance process. Role Discovery is a comprehensive set of market-leading role mining and analytics tools that support the discovery of roles in an enterprise environment.

This approach leverages a bottom-up (from entitlements) and a top-down (from HR user) methodology to cluster roles with discovery algorithms. Role Discovery uses the industry-leading wave methodology, which is a practical approach to role definition. Oracle Identity Governance Suite provides a set of capabilities for organizations to solve their access control challenges.

Identity certifications

As mentioned before, many organizations are facing millions of entitlements with only a few people to manage them. A lot of the work around these entitlements can now be automated. Automation makes it possible to create sustainable, repeatable, auditable processes that enable the enterprise to address compliance in an ongoing manner, without starting from scratch to address every new regulation or prepare for every audit. The identity certification solution integrated in the Oracle Identity Governance Suite thereby provides enormous time and cost savings by automating access reviews and revocation processes based on multiple risk factors.

IT Audit monitoring

A well-known fact for many enterprises is that most computer-related criminal activity is the result of activities performed by insiders. Fraud detection is one of the most important topics in identity and access management for today’s enterprises. It is therefore very important to implement a solution to prevent such illegal activities. IT audit monitoring helps with identifying conflicting and violating roles, privileges and entitlements for a single user.

Audit & reporting

Oracle Identity Governance Suite enables a huge set of reporting possibilities. For example, it offers the following out-of-the-box reports:

  • Roles assigned to Users within each business unit in the enterprise
  • Accounts associated to Users within each business unit in the enterprise
  • Roles and associated policies within each unit in the enterprise
  • Lists of all entitlements, roles, applications and their owners
  • High privileged entitlements associated to users in the enterprise
  • Operational exception reports classifying any missing data required for important correlations, such as roles without any policies, users with no roles, users with no entitlements, business units with no associated users and so on
  • Expiration forecast reports specifying user expiration, role expiration and role to user expiration
  • Terminated user reports displaying terminated users in the enterprise for historical reporting
  • Assigned vs. actual reports displaying users with access outside their roles
  • Orphan Account dashboards providing the ability to accurately determine rogue accounts or assign accounts to their rightful owners
  • Remediation Tracking Dashboards providing a comprehensive audit trail of revoked access (during certification reviews) and their remediation status
  • Identity Audit Violations with a comprehensive exception management audit trail displaying actions taken by remediators to correct IT Audit exceptions caused by toxic combinations of user access
  • Reports detailing who checked out privileged account passwords over a given period of time


The Oracle Identity Governance Suite lets users live their identity in a more agile manner, while at the same time enterprises reduce time and costs by gaining more control and meeting more compliance requirements.

Rob Ojevaar

Source: idgovernance-business-whitepaper-1708105.pdf