ABNAmro2006

Overview

As part of a Novell-led team, designed and implemented a large, complex IDM solution.

CashPro Web is a web-based single point of access to critical treasury management functions for various client organizations. It provides centralized access to client account activity and the ability to perform a complete range of transactions, from cash management to investments and foreign exchange.

In order to serve CashPro Web customer needs more effectively, ABN AMRO is undertaking an effort to centralize the user administration function and consolidate the user interface within the CashPro Web product through more effective use of Identity and Access Management technologies. By centralizing the Administrator role, ABN AMRO would be able to eliminate inefficiencies in the existing process. This streamlined functionality would allow greater control and reduce customer service response time. Greater customer service and responsiveness will allow ABN AMRO to maintain a competitive edge in its commercial business and retain customer market share.

In the competitive landscape, greater customer service and quicker response time to customer requests can translate into customer retention and increased revenues for the business unit. Additionally, to simplify the effort of adding functionality to the CashPro platform, ABN AMRO is also attempting to make more effective use of standards-based protocols such as SAML for Single Sign-On (SSO) and SPML for user provisioning.

CPW JDBC Driver

The proposed solution utilizes the Identity Manager 3 JDBC connector to synchronize Account, Customer and Bank information unidirectionally, and users bidirectionally, between CashPro and the Identity Vault (IDV) using real-time transaction processing.

The publisher channel of the CPW JDBC connector will synchronize Account, Bank and Customer details from the CashPro application to IDV. The subscriber channel of the CPW JDBC connector will use the existing Program Manager (PM) API to synchronize key user attributes from IDV to the CashPro application database.

eDirectory Driver

To provision users in a central LDAP authentication directory, the proposed solution utilizes the eDirectory IDM3 driver to connect IDV and the Authentication Tree. This will provide a central authentication infrastructure. The driver will only synchronize user objects from IDV to the Authentication Tree. Some key attributes, such as intruder lockout and account status, will be synchronized back from the Authentication Tree to IDV.
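The two driver sections above (CPW JDBC and eDirectory) both come down to a per-channel filter: each object class or attribute may flow only in the directions the design allows, and a change arriving on the wrong channel must be dropped rather than written. The following is an added example, not code from the project or from Identity Manager, that models such a filter in plain Python. The channel names, the `Event`/`DriverFilter` classes, the attribute names (`Login Disabled`, `Login Intruder Attempts`, `accountNumber`, `Surname`) and the decision that intruder counters flow only from the Authentication Tree while account status flows both ways are assumptions made for illustration.

```python
"""Sync-direction filter for an IDM driver channel (constructed example).

An IDM driver has two channels: the publisher channel carries changes from
the connected application into the Identity Vault (IDV), and the subscriber
channel carries changes from IDV out to the application. The filter below
decides, per object class and per attribute, which channels a change may
travel on. Anything else is dropped and recorded, so an unexpected write
direction (e.g. the application trying to rewrite IDV reference data)
shows up in the audit trail instead of silently landing in the vault.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PUBLISHER = "publisher"    # application -> IDV
SUBSCRIBER = "subscriber"  # IDV -> application


@dataclass(frozen=True)
class Event:
    channel: str                 # PUBLISHER or SUBSCRIBER
    object_class: str            # e.g. "User", "Account" (assumed names)
    attributes: Dict[str, str]   # attribute name -> new value


@dataclass
class DriverFilter:
    # object class -> channels on which its attributes may flow by default
    class_rules: Dict[str, Set[str]]
    # attribute name -> channels that override the class default
    attr_rules: Dict[str, Set[str]] = field(default_factory=dict)

    def apply(self, event: Event) -> Tuple[Dict[str, str], List[str]]:
        """Split an event into the attributes to write and audit lines for
        the attributes dropped because they arrived on a disallowed channel.
        An object class the filter does not know is dropped entirely."""
        default = self.class_rules.get(event.object_class, set())
        applied: Dict[str, str] = {}
        dropped: List[str] = []
        for name, value in event.attributes.items():
            allowed = self.attr_rules.get(name, default)
            if event.channel in allowed:
                applied[name] = value
            else:
                dropped.append(
                    f"DROP channel={event.channel} "
                    f"class={event.object_class} attr={name}")
        return applied, dropped


# CPW JDBC driver: reference data (Account, Bank, Customer) is published from
# CashPro into IDV only; users are synchronized in both directions.
CPW_FILTER = DriverFilter(
    class_rules={
        "Account": {PUBLISHER},
        "Bank": {PUBLISHER},
        "Customer": {PUBLISHER},
        "User": {PUBLISHER, SUBSCRIBER},
    })

# eDirectory driver: user objects flow IDV -> Authentication Tree only, except
# for the lockout/status attributes the Authentication Tree owns. Assumed
# split: intruder counters come back only, account status goes both ways.
EDIR_FILTER = DriverFilter(
    class_rules={"User": {SUBSCRIBER}},
    attr_rules={
        "Login Intruder Attempts": {PUBLISHER},
        "Login Disabled": {PUBLISHER, SUBSCRIBER},
    })


if __name__ == "__main__":
    # Constructed events: one legitimate, one arriving on the wrong channel.
    for evt in (
        Event(PUBLISHER, "Account", {"accountNumber": "CONSTRUCTED-001"}),
        Event(SUBSCRIBER, "Account", {"accountNumber": "CONSTRUCTED-001"}),
        Event(PUBLISHER, "User", {"Surname": "Smith",
                                  "Login Intruder Attempts": "3"}),
    ):
        filt = CPW_FILTER if evt.object_class != "User" else EDIR_FILTER
        applied, dropped = filt.apply(evt)
        print(evt.channel, evt.object_class, "apply:", applied)
        for line in dropped:
            print("  ", line)
```

The point of the attribute-level override is least privilege between directories: the Authentication Tree may report that it locked an account, but it cannot use the publisher channel to change identity data that IDV is authoritative for, and CashPro cannot be written reference data it owns. The `dropped` lines are what a defender would forward to the audit store described later on this page.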

MIBS Service Provisioning Markup Language (SPML) Driver

The proposed solution will use the IDM 3 Simple Object Access Protocol (SOAP) driver to implement SPML capabilities between CashPro and MIBS. This driver will allow ABN AMRO to provision users in the MIBS module using SPML.

Currently, all user provisioning and access management is done in MIBS using its native toolset. MIBS provides an ECOM API for provisioning with very limited functionality. CashPro currently uses this API to perform basic provisioning of Account and Customer objects in MIBS. The driver will send SPML requests to a custom MIBS Provisioning Service Provider (PSP) server, which will use the ECOM API to provision users in MIBS.

Audit

Novell Audit is a secure network logging and auditing product that collects and stores data about security, system, and application events from the various components shown above. The proposed solution will use Audit to collect events using real-time monitoring. The stored data will be used to evaluate compliance with internal policies and regulations. Audit can store information in multiple data formats, including flat file, Microsoft SQL, MySQL, Oracle or SYSLOG. The proposed solution will use Oracle to store data.

Identity Services Layer

The Identity Services Layer will provide the Provisioning Engine and access to the Data Store for the Admin workstation. It will contain both standard services and custom-developed services for the overall solution. This provides a common abstraction layer that user interfaces will use to retrieve data for display and to initiate provisioning and administration tasks. The Identity Services Layer will consist mainly of the following two types of services.