SECTION 5 - PART B-30

Identity Management
General
i. Identity Management shall allow for centralized provisioning of users at the regional data
center, thereby allowing users to get access to resources like operating system- AIX,
Solaris, HPUX, Windows, RDBMS- Oracle, DB2 , Directory Servers (LDAP), BSS/OSS
applications, IN and VAS elements etc. It shall integrate with the Access Management
System. Bidder shall calculate the user count based on number of concurrent users
which will access the different systems of data center.
ii. Identity Management software shall include user provisioning for Access Management
and OS and Database Software for provisioning.
iii. Identity Management system shall seamlessly integrate with the Access Management,
LDAP Server, Operating System and Database Software for provisioning.
iv. The Identity management for user provisioning shall have a workflow for automating
approvals for user access management, self-registration and self-care functionality for
reducing the administrative load and manual intervention.
v. The Identity Management Solution for Provisioning shall have the following functionality a. Connectors to Access Controlled Systems
b. Password Management
c. Access Rights Accountability
d. Access Request Approval and Process Automation
e. Access Request Audit Trails
f. Distributed Administration
g. User Administration Policy Automation
h. Self -Regulating User Administration across Departments
vi. Connectors to Access Controlled Systems shall include the following:
vii. It shall provide connectors for all target BSS/OSS systems that need to be managed.
viii. There shall be a connector development tool to extend support to additional target
systems.
ix. Connector communications shall be bi-directional to efficiently receive changes from the
managing system and to report changes made to the local resource.
x. Connector communications shall be secured with encryption/authentication.
xi. Connectors shall protect authentication credentials used to log into administrative
privileges on managed systems.
xii. Password Management shall provide the following:
a. User self-service through the Web without logging onto the network.
b. Challenge-Response system to authenticate a user with a forgotten password
by using shared secrets.

c. Ability to implement password formation rules to enforce password strength

across the organization.
d. Ability to synchronize passwords for multiple systems to the same value to
reduce the number of different passwords to be remembered by the user.
e. Delivery of password-change success/failure status to requestor.
f. Ability to securely deliver passwords to users for new accounts.
xiii. Access Rights Accountability shall provide the following:
xiv. Flexible mechanisms to connect to multiple data stores containing accurate information
on valid users.
xv. Ability to load identity store information on a scheduled bulk basis.
xvi. Ability to detect and respond to identity store changes in near real time.
xvii. Ability to retrieve account information from target managed resources on a scheduled
basis, both in bulk or in filtered subsets to preserve network bandwidth for various
operating systems including different flavors of UNIX.
xviii. Ability to detect and report in near real time local administrator account maintenance
(creation, deletion, changes) made directly on local resources.
xix. Ability to compare local administrator changes against a system-of-record of account
states to determine if changes comply with approved authorities and policies.
xx. Ability to notify designated personnel of access-rights changes made outside the
provisioning solution.
xxi. Ability to compare account user IDs with valid users to identify accounts without owners
(orphans).
xxii. Ability to automatically suspend or delete a detected orphan account.
xxiii. Ability to automatically suspend or roll back a reconfigured account that violates policy.
xxiv. Ability to examine reports on orphan accounts.
xxv. Ability to readily view the accounts associated with a user or a resource.
xxvi. Ability to assign discovered orphan accounts to a valid user.
Access Rights Accountability
i.
Web-based mechanism for requesting access to a system.
ii. Automatic approval routing to the persons appropriate to the system access requested
and organizational structure.
iii. Review the approval mechanisms
iv. Ability to use defined organizational information to dynamically determine routing of
approvals.
v. Ability to delegate approval authority to another person.
vi. Ability to escalate a request to an alternative approver if the allotted time elapses.
vii. Ability for different personnel to view different levels of information based on their job
duties.

viii. Ability to request information from approval participants to define account-specific

information during the process.
ix. Ability to determine service instances where a physical account shall be created.
x. Ability for the system to change account information in the managed resources of your
specific organization.
xi. Ability to request information from specific participants in the workflow process.
xii. Ability to request information from external functions, applications or data stores during
the process.
xiii. Ability to easily create/design/modify a workflow via a graphical drag and drop
interface.
Access Request Audit Trails
i. Time-stamped records of every access change request, approval/denial, justification and
change to a managed resource.
ii. Time-stamped record of every administrative and policy-driven change to access rights.
iii. Time-stamped record of any encountered orphan accounts and bypasses of
administrative systems.
iv. Convenient, flexible means of running reports that show audit trails for users, systems,
administrators and time periods.
v. Audit trail that is maintained in a tamper-proof environment.
Distributed Administration capabilities
i. Ability to define organizational structures based on the access-granting authorities of an
organization.
ii. Ability to delegate each administrative task with fine-grained control (e.g., approval
authority, user creation, workflow definition).
iii. Ability to delegate administrative tasks to n -levels of depth.
iv. Ability to access all delegated capabilities over the Web.
v. Ability to create private, filtered views of information about users and available
resources.
vi. Ability to incorporate Web access control products to include the provisioning solution
within the Web single sign-on environment.
vii. Ability to incorporate custom user authentication approaches commensurate with internal
security policies.
viii. Ability to distribute provisioning components securely over WAN and Internet
environments, including crossing firewalls.
User Administration Policy Automation
i. Ability
ii. Ability
iii. Ability
iv. Ability

to
to
to
to

associate access-rights definition with a role within the organization.

assign users to one or more roles.
implicitly define subsets of access to be unavailable to a role.
explicitly assign users individual access rights.

v. Ability to dynamically and automatically change access rights based on changes in user
roles.
vi. Ability to define implicit access rights available to users in a role upon their request and
approval.
vii. Ability to use defined organizational information to dynamically determine routing of
approvals.
viii. Ability to detect, evaluate and respond to user authority changes made directly to a
managed resource.
ix. Ability to report on roles, rights associated with roles, and users associated with roles.
x. Ability to set designated times for changes in access rights or policies.
xi. Ability to create unique user IDs consistent with policies and not in current use or
previous use by the organization.
xii. Ability to create user authorizations extending an existing account.
xiii. Support for mandatory and optional entitlements (optional entitlements are not
automatically provisioned but may be requested by a user in the group).
xiv. Ability to create a single account with multiple authorities governed by different policies.
xv. Ability to create user IDs using a set of consistent algorithms defined by the
organization.
Self -Regulating User Administration across Departments
i. Secure environment for transmitting access changes across the Internet.
ii. Protection of private user information through secure facilities and sound processes.
iii. Reports of user rights into external systems, sponsors of users and audit trails of access
rights changes.