Wait, why would an identity management system need an identity management system? FreeIPA and Red Hat Identity Management (from here on out I’ll be referring to both as FreeIPA) already provide a way to create users, provide authorizations, etc. Why would I add another layer?
There are a couple of answers:
- FreeIPA will tell you the “who” and “what” of access, but not the “why”
- Creating users manually and adding them to groups is error prone, and it requires your admins to do it through either the IPA admin tool or a script
- If you have to provide audit data to an external auditor, you don’t want to have to comb through emails to see who approved what, when and why
Enter OpenUnison. When combined with ScaleJS you can create a self service portal for FreeIPA where users can:
- Register their account
- Request access to groups
- Approve access to requests
- Update their profile
- View audit reports
- Reset their own password
This eliminates many of the manual tasks an admin might otherwise need to perform. For instance, if a new user needs 6 groups to do their job, an admin could manually add the user to those groups or write a script, but that takes time. Also, what if you need to be able to tell auditors why a user was granted that access? Is it being tracked in email? Who’s responsible for that? Using OpenUnison, a simple workflow can let the user request access for themselves and let the correct people, perhaps a manager, a system owner, or a combination, approve or deny that access. When the auditors need to know what access was provided and why, they can log in and view the reports for themselves rather than drag your admins away from their day-to-day work to dig the data out of logs and emails.
We wanted to make these services easy to deploy by combining our Source2Image scripts, Docker and OpenUnison to create a FreeIPA Identity Manager Quick Start. Seeing is believing, so here’s the quick start in action:
Not to go too infomercial here, but there’s more! How often do you make sure that users with access still need it? Do you want to provide time-based access controls? OpenUnison’s integrated scheduler can be the gateway to automating these tasks, making it much easier to add additional layers of compliance to your FreeIPA environment without a large investment in infrastructure.
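To make concrete what a request/approve/audit workflow and a scheduled access expiry actually have to record, here is a small in-memory model of the flow described above. It is an added example written for this post, not OpenUnison’s workflow engine or FreeIPA’s API; the manager and group-owner tables, the 90-day lifetime, and all class and function names are assumptions chosen for illustration, and the directory data is constructed inline.

```python
"""
Illustrative model of a self-service group-access workflow with an audit
trail and a scheduled expiry job. Added example for this article; not
OpenUnison or FreeIPA code. Names, data and policy below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample directory data standing in for FreeIPA: who manages whom,
# and who owns each group. A real deployment would read these from IPA.
MANAGER_OF = {"alice": "bob"}
GROUP_OWNER = {"finance-ro": "carol", "hr-admins": "dave"}
# Assumed policy: group access lapses after this long unless re-requested.
ACCESS_LIFETIME = timedelta(days=90)


@dataclass
class AuditEvent:
    when: datetime
    actor: str      # who did it
    action: str     # request | approve | deny | grant | revoke
    subject: str    # the user the event is about
    group: str
    reason: str     # the "why" that FreeIPA alone does not record


@dataclass
class AccessRequest:
    user: str
    group: str
    reason: str
    submitted: datetime
    needed: set = field(default_factory=set)  # approvers still outstanding
    decided: bool = False


class AccessWorkflow:
    def __init__(self):
        self.members = {}   # group -> {user: granted_at}
        self.audit = []     # ordered AuditEvent list, never pruned

    def _log(self, when, actor, action, subject, group, reason):
        self.audit.append(AuditEvent(when, actor, action, subject, group, reason))

    def request(self, user, group, reason, now):
        # A business justification is mandatory: it is the audit answer to "why".
        if not reason.strip():
            raise ValueError("access request requires a justification")
        if group not in GROUP_OWNER:
            raise KeyError(f"unknown group {group}")
        # Both the user's manager and the group's owner must approve.
        req = AccessRequest(user, group, reason, now,
                            needed={MANAGER_OF[user], GROUP_OWNER[group]})
        self._log(now, user, "request", user, group, reason)
        return req

    def decide(self, req, approver, approve, comment, now):
        """Returns False on denial, None while approvals are still pending,
        True once the final approval has granted the membership."""
        if req.decided:
            raise RuntimeError("request already decided")
        if approver not in req.needed:
            raise PermissionError(f"{approver} is not an approver for this request")
        if not approve:
            req.decided = True
            self._log(now, approver, "deny", req.user, req.group, comment)
            return False
        req.needed.discard(approver)
        self._log(now, approver, "approve", req.user, req.group, comment)
        if req.needed:
            return None
        req.decided = True
        self.members.setdefault(req.group, {})[req.user] = now
        self._log(now, "workflow", "grant", req.user, req.group,
                  f"all approvals received for request of {req.submitted:%Y-%m-%d}")
        return True

    def expire_stale_access(self, now):
        """Scheduled job: revoke memberships older than ACCESS_LIFETIME."""
        revoked = []
        for group, users in self.members.items():
            for user, granted in list(users.items()):
                if now - granted > ACCESS_LIFETIME:
                    del users[user]
                    revoked.append((user, group))
                    self._log(now, "scheduler", "revoke", user, group,
                              f"granted {granted:%Y-%m-%d}, older than "
                              f"{ACCESS_LIFETIME.days} days")
        return revoked

    def report(self, user):
        """What an auditor asks for: every decision about a user, with reasons."""
        return [(e.when.isoformat(), e.actor, e.action, e.group, e.reason)
                for e in self.audit if e.subject == user]
```

Two design points worth noting: the justification is rejected at request time rather than checked later, so no grant can exist without a recorded reason, and the audit list is append-only, so a revocation by the scheduler leaves the original request and approvals in place for the auditor to see.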
Interested in other features? We appreciate any and all feedback. Please feel free to reach out to us directly or to open an issue on the quick start’s github page!