Where To Go From Here

OpenIDM can do much more than reconcile data between two different sources. In this chapter, you will read about the key features of OpenIDM, with links to additional information about each feature.

Integrating Business Processes and Workflows

A business process begins with an objective and includes a well-defined sequence of tasks to meet that objective. In OpenIDM, you can configure many of these tasks as self-service workflows, such as self-registration, new user onboarding, and account certification.

With OpenIDM, you can automate many of these tasks as a workflow.

Once you configure the right workflows, a newly hired engineer can log into OpenIDM and request access to manufacturing information. That request is sent to the appropriate manager for approval. Once approved, OpenIDM provisions the new engineer with access to manufacturing.

OpenIDM supports workflow-driven provisioning activities, based on the embedded Activiti Process Engine, which complies with the Business Process Model and Notation 2.0 (BPMN 2.0) standard.

OpenIDM integrates additional workflows such as new user onboarding, orphan account detection, and password change reminders. For more information, see "Workflow Samples" in the Samples Guide.

Managing Passwords

You can manage passwords from the Self-Service User Interface, also known as the Self-Service UI. From the Admin UI, click on the icon in the upper-right corner. In the menu that appears, click Self-Service.

You should now be in the Self-Service UI. Click Profile > Password. You can now change your password, subject to the policy limits shown.

As you can see, OpenIDM supports a robust password policy. You can modify the rules shown, or add more rules such as the following:

- Elements that should not be a part of a password, such as a family name
- Password expiration dates
- Password histories, to prevent password reuse

For more information, see "Managing Passwords" in the Integrator’s Guide.

Managing User Roles

Some users need accounts on multiple systems. For example, insurance agents may also have insurance policies with the company that they work for. In that situation, the insurance agent is also a customer of the company.

Alternatively, a salesperson may also test customer engineering scenarios. That salesperson may also need access to engineering systems.

In OpenIDM, each of these user scenarios is known as a role. OpenIDM allows you to set up a consolidated set of attributes associated with each role. To do so, you would configure custom roles to assign to selected users. For example, you may assign both insured and agent roles to an agent, while assigning the insured role to all customers.

In a similar fashion, OpenIDM allows you to assign both sales and engineering roles to the sales engineer.

You can then synchronize users with those roles into appropriate data stores.

For more information, see "Working With Managed Roles" in the Integrator’s Guide. For a sample of how you can configure external roles within OpenIDM, see "Roles Samples - Demonstrating the OpenIDM Roles Implementation" in the Samples Guide.

Connecting to Remote Data Stores

You can use OpenIDM to connect to a substantial variety of user and device data stores, on premise and in the cloud. While OpenIDM includes connectors dedicated to a few data stores, it can also connect to many more data stores using a scripted connector framework.

OpenIDM includes support for connectors to the following external resources:

- Google Web Applications (see "Google Apps Connector" in the Connectors Guide).
- Salesforce (see "Salesforce Connector" in the Connectors Guide).
- Any LDAPv3-compliant directory, including OpenDJ and Active Directory (see "Generic LDAP Connector" in the Connectors Guide).
- CSV Files (see "CSV File Connector" in the Connectors Guide).
- Database Tables (see "Database Table Connector" in the Connectors Guide).

If the resource that you need is not on the list, you should be able to use one of the OpenIDM scripted connector frameworks to connect to that resource:

- For connectors associated with Microsoft Windows, OpenIDM includes a PowerShell Connector Toolkit that you can use to provision a variety of Microsoft services, including but not limited to Active Directory, SQL Server, Microsoft Exchange, SharePoint, Azure Active Directory, and Office 365. For more information, see "PowerShell Connector Toolkit" in the Connectors Guide. OpenIDM includes a sample PowerShell Connector Toolkit configuration, described in "Samples That Use the PowerShell Connector Toolkit to Create Scripted Connectors" in the Samples Guide.
- For other external resources, OpenIDM includes a Groovy Connector Toolkit that allows you to run Groovy scripts to interact with any external resource. For more information, see "Groovy Connector Toolkit" in the Connectors Guide. "Samples That Use the Groovy Connector Toolkit to Create Scripted Connectors" in the Samples Guide includes samples of how you might implement the scripted Groovy connector.

Reconciliation

OpenIDM supports reconciliation between two data stores, as a source and a target.

In identity management, reconciliation compares the contents of objects in different data stores, and makes decisions based on configurable policies.

For example, if you have an application that maintains its own user store, OpenIDM can ensure your canonical directory attributes are kept up to date by reconciling their values as they are changed.

For more information, see "Synchronizing Data Between Resources" in the Integrator’s Guide.

Authentication Modules Available for OpenIDM

OpenIDM has access to several different authentication modules that can help you protect your systems. For more information, see "Supported Authentication and Session Modules" in the Integrator’s Guide.

Finding Additional Use Cases

OpenIDM is a lightweight and highly customizable identity management product.

The OpenIDM documentation includes additional use cases. Most of them are known as Samples, and are described in "Overview of the OpenIDM Samples" in the Samples Guide.

These samples include step-by-step instructions on how you can connect to different data stores, customize product behavior using JavaScript and Groovy, and administer OpenIDM with ForgeRock’s commons RESTful API commands.

How OpenIDM Can Help Your Organization

Now that you have seen how OpenIDM can help you manage users, review the features that OpenIDM can bring to your organization:

Web-Based Administrative User Interface
    Configure OpenIDM with the Web-Based Administrative User Interface. You can configure many major components of OpenIDM without ever touching a text configuration file.

Self-Service Functionality
    User self-service features can streamline onboarding, account certification, new user registration, username recovery, and password reset. OpenIDM self-service features are built upon a BPMN 2.0-compliant workflow engine.

Role-Based Provisioning
    Create and manage users based on attributes such as organizational need, job function, and geographic location.

Backend Flexibility
    Choose the desired backend database for your deployment. OpenIDM supports MySQL, Microsoft SQL Server, Oracle Database, IBM DB2, and PostgreSQL.

Password Management
    Set up fine-grained control of passwords to ensure consistent password policies across all applications and data stores. OpenIDM supports separate passwords per external resource.

Logging, Auditing, and Reporting
    OpenIDM logs all activity, internally and within connected systems. With such logs, you can track information for access, activity, authentication, configuration, reconciliation, and synchronization.

Access to External Resources
    OpenIDM can access a generic scripted connector that allows you to set up communications with many external data stores.

Stopping and Removing OpenIDM

Follow these steps to stop and remove OpenIDM.

1. To stop OpenIDM, return to the console window where you saw the following message:

       -> OpenIDM ready

2. Press Return, and enter the following command:

       -> shutdown

3. OpenIDM is self-contained. After you shut down OpenIDM, you can choose to delete the files in the /path/to/openidm directory. OpenIDM includes no artifacts in system registries or elsewhere.

We hope that you want to continue exploring OpenIDM. To do so, review the rest of the OpenIDM documentation.