Initial commit IDM, IAG, 2FA Portal (#2873)

initial commit
JanssenProject · Nov 8, 2022 · 7641521 · 7641521
1 parent 007b3ec
commit 7641521
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 3 deletions.
diff --git a/docs/admin/planning/identity-access-governance.md b/docs/admin/planning/identity-access-governance.md
@@ -2,7 +2,41 @@
 tags:
   - administration
   - planning
+  - IAG
+  - Identity Governance
 ---
 
-This is a placeholder
+Janssen is not a governance platform, so it does not do any of the following:
 
+## Role Management
+
+Role Based Access Control (RBAC) is a strategy used by many organizations to
+authorize access to resources. However, RBAC has a dark side: if roles are used
+to reference each unique access requirement the number of roles can grow
+exponentially. In fact, some organizations have more roles than people! This is
+known as "role explosion." Role Management is an enterprise
+workforce governance practice which correlates roles across all applications to
+reduce their number to the lowest common denominator of "enterprise roles".
+
+## Access Certification
+
+The role request and approval processes tend to result in a person accumulating
+many roles over time. However, because removal of roles no-longer-needed is often
+overlooked, it's important for organizations to regularly perform access
+certification campaigns (i.e. "recertification" or "attestation"). For example,
+once per year, managers may need to decide if the roles assigned to subordinate
+employees are still needed.
+
+Removal of a non-sensitive role is not an urgent matter. However, certain
+situations might require faster action, for example if an employee is moved to a
+different organizational unit with a different manager. The new manager assumes
+responsibility for the employee's roles, and should execute an ad-hoc
+recertification process for that specific user.
+
+## Segregation of Duties
+
+Sometimes an organization should prevent a person from having two roles
+simultaneously. For example, there could be an account rule that a person can't
+both sign and approve checks. Or a person can't perform both financial advisory
+and equity trading. The governance platform may enable organizations to define
+these Segregation of Duties to prevent such conflicts of interest.
diff --git a/docs/admin/planning/identity-management.md b/docs/admin/planning/identity-management.md
@@ -2,7 +2,53 @@
 tags:
   - administration
   - planning
+  - IDM
+  - Identity Management
+  - SCIM
 ---
 
-This is a placeholder
+# Identity Management
 
+In Janssen docs, the term Identity Management or "IDM" is the process of
+adding, editing and deleting data in various domain systems. Ideally, identity
+data would exist in only one place. But this ideal is currently undesirable.
+For performance, data joins, auditing, and many other reasons (for the
+foreseeable future) identity data is sprinkled across many systems. So when we
+update identity data, how do we keep all our infrastructure up-to-date? This
+task has been the realm of IDM platforms, which enable organizations to define
+workflows to update identity information, and through the use of "connectors",
+to push this data to all disparate databases.
+
+IDM platforms range in size and complexity. An admin could write a Python
+script to automate adding new users to a domain. Or large enterprises may
+implement a commercial IDM platform, like [Sailpoint](https://sailpoint.com) or
+an open source IDM platform like [Evolveum Midpoint](https://evolveum.com).
+Or you might have a human IDM--"Hey Bob, we hired a new person. Can you add
+her?"
+
+The Janssen platform does not include an IDM component. Fundamentally, Janssen
+is a consumer of identity data. One of the most common ways for identity data
+to make its way to the Janssen database is via the [SCIM](https://simplecloud.info)
+interface. This is an API that has a `/users` endpoint, to which an IDM system
+can send updates. For example, the IDM system may `POST` to the `/users`
+endpoint to add a new user to the Janssen database, or `DELETE` to the `/users`
+endpoint to remove a user.
+
+With that said, sometimes organizations might encode IDM business logic in the
+Janssen platform. This is particularly true for consumer-facing applications.
+In general, it only works for relatively simple requirements, particularly when
+the Janssen platform is the authoritative source of identity data. Using
+the various interception scripts, it's possible to send identity data from
+the Janssen platform to external systems. For example, let's say an organization
+has only two silos of identity data: Jans Auth Server and a MongoDB database
+record. In a case like this, when a person registers through a Person
+Authn Interception Script or Agama flow, you could call an API which updates
+the MongoDB database. It's also possible to implement approval workflows using
+UMA. For example, an API might require an UMA access token (i.e. an RPT token),
+and obtaining this token may require the consent of two different individuals.
+
+But it is worth remembering that the Janssen Platform was not purpose built for
+IDM, and therefore any implementation for such use cases should be tactical.
+You may have to build many features yourself. Especially for enterprise
+workforce applications, you should seriously consider using off-the-shelf
+software before writing too much code in Janssen.
diff --git a/docs/admin/planning/self-service-password-2fa.md b/docs/admin/planning/self-service-password-2fa.md
@@ -2,7 +2,20 @@
 tags:
   - administration
   - planning
+  - 2FA
+  - Account Recovery
 ---
 
-This is a placeholder
+If your domain offers two-factor authentication, it's a good idea to enable end
+users to manage their various credentials. Google does a great job in this
+regard. Check out [2-Step Verification](https://myaccount.google.com/security).
+What's great about this page is that Google lets you manage all your different
+credentials on one page.
 
+You can build a page like Google on your own website. You need to be able to
+list, add, and remove 2FA credentials for a given user's account. But another
+good option is the Casa web application, which is an [open source project](https://github.com/GluuFederation/casa) from Gluu, licensed under Apache 2.0. Casa supports a number of
+authentication mechanism that are already available in Jans Auth Server. See the
+[Casa Receipe](https://docs.jans.io/head/admin/recipes/casa/) and the
+[Casa Person Authn Script](https://docs.jans.io/head/script-catalog/person_authentication/casa/)
+for more information.