MBProMax

IAMfuncGTAAsurvey.adoc

@@ -0,0 +1,290 @@
+
+===== Identity Provisioning Category (1)
+- Identity Matching
+** Does the product provide an identity matching service? 
+
+** Describe how the identity matching service is configured, and any scoring or weighting of attributes?
+
+** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.?
+
+** Can the matching service be run against an existing population seeking duplicates?
+
+** Does the product have the ability to use an external matching service?
+
+** Describe the configuration of the external service.
+
+** Describe how low quality matches indications are handled,  and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them?
+
+** Describe and standards that are used in messaging or APIs for matching services.
+
+- User Name Assignment
+
+** Does the product support user selected usernames?,  if so, how are attempted duplicates handled.
+
+** Does the product support generated usernames?, if so, describe the options and configuration
+
+** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow.
+
+** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows?
+
+** Describe how the  product can communicate username changes to other systems that might need to be informed?
+
+- Identifiers 
+
+** Describe how the your product handles the creation of Identifiers.  
+
+** Describe how does the product handles the use of external vs internal identifiers ?
+
+** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ?
+
+- Social Id
+
+** Describe the product support for social IDs (Facebook,  Google, etc.) in place of local identities.
+
+** Describe the product support for social IDs that are connected to local identities.
+
+** Describe whether social ID can be a step in onboarding/offboarding?
+
+** Describe how does the product consider  Level of Assurance LOA when using social IDs.?
+
+** Describe  Identity Matching  even with Identity matching, even with social ID
+
+
+
+===== Credential Provisioning Category (2)
+-  Password Rules and Policies
+
+** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected  to a central password store or if you have multiple password stores of the same password, how does the product synchronize it?
+
+** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. 
+
+** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords..
+
+** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality.
+
+** Describe how the  product conveys password quality to end users?
+
+** Describe how the product meets accessibility guidelines?
+
+** Describe how does the product deal with passwordless?
+
+-  Password Setting/Activation
+
+** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc.
+
+** Describe the products support for terms of use and informed consent when getting a credential.
+
+** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies.
+
+** Describe any features your product has to deter attacks on unclaimed credentials.
+
+** Describe how the product works with  identity proofing during the account claiming process?
+
+-  Authentication Types (Factors)
+
+** Describe the support for certificate based authentication.
+
+** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support.
+
+** Describe any support you have for challenge response questions.
+
+** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation.
+
+** How does the product  handle loss of a (perhaps only) two factor device, such as one time tokens?
+
+-  Provisioning/De-provisioning of credential
+
+** Describe how the product enforces control over provisioning password to a SP when Federation option is available?
+
+** Describe the states supported by the  product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc.
+
+** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow.
+
+** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning.
+
+** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features.
+
+** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.?
+
+** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? 
+
+===== Service Provisioning (3)
+- Provisioning/Reconciliation
+ 
+** Describe how  does the product ensure that source and destination are in sync? 
+
+** Describe both targeted and full reconciliation (fully match accounts).  Incremental vs full. 
+
+** Describe how does the product identify and handle  orphan accounts ?  
+
+** Describe how the product handles manual intervention by an admin.
+
+** How flexible is customization of the IDM connector that provisions the account?
+
+** Does the product support a threshold to alert for large quantity of updates?
+
+- JIT/JIC (Cloud Services)
+
+** Describe how the product integrate with a  “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective?
+
+** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services?  
+
+- WorkFlows
+
+** Describe how the product handles automated workflows.?
+
+** Describe how the  product supports end-user self-service workflows.
+
+** Describe how does your product support the Workflow-based provisioning model in general. 
+
+- Deprovisioning and repatriation
+
+** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs?
+
+** Describe how the product triggers deprovisioning to a service. 
+
+** How is authorization removal handled for deprovisioned users?
+
+** Describe how the product supports repatriating a service account from institutional to personal.
+
+** Does the product  support a threshold to alert for large quantity of changes?
+
+- Life Cycle
+
+** Describe how does the product captures changes in affiliations/roles that matter for service entitlements?
+
+** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need?
+
+** Does the product support  the establishments of policies and processes to reinstate disabled identities/services?
+
+===== Target directory provisioning Category (4)
+- Linking identities between directories or services
+** Describe how the product links an identity in a source directory to the same identity in the target (and service?)
+
+** Are your user linkage attributes characterized as follows:
+
+*** Immutable
+*** Static
+*** Globally unique
+
+** What is the process of account matching if accounts already exist?
+
+- Reconciliation
+** How does the  product ensure the target directory or service has state in sync with the source?
+
+** Does the  product support rollback or transaction?
+
+** Does the product support incremental/full sync with the target directories ? 
+
+- Deprovisioning and repatriation
+** Describe how the  product triggers deprovisioning of identities in a target directory or service.
+
+** Describe the process of deprovisioning identities in a target directory or service.
+
+** How is authorization removal handled for deprovisioned users?
+
+** Does the product support a threshold to alert for large quantity of changes?
+
+===== Roles and Groups Category (5)+
+- Type of Roles/Groups
+** Describe how the product support RBAC/ABAC/Groups models ? 
+
+** Describe how the product supports a list of definable /extendible groups/roles?.
+
+
+** Describe how the  product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles)
+
+** What upstream data sources does the product readily support to derive roles/groups?
+
+** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes).
+
+- Administration
+** Describe delegated access administration features for group management.
+
+** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.)
+
+** Does the product  provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships?
+
+** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership?
+
+** Can groups have permissions associated with them?
+
+** What sort of attributes or metadata about groups are available?
+
+** Does the  product support automatic review of roles/groups (attestation)
+
+** How does the  product expose or link groups or roles for fine-grained service authorizations?
+
+- Guidance for architecting
+** How does your product define a default role or template (set of groups) for new entities?
+
+** Does the product provide any tool for role mining ? 
+
+** Does the product provide a deployment /architecture guidelines for implementing roles/groups ?  
+
+===== Reporting/Auditing  Category (6)+
+- Integration with External Reporting Engine
+** Does the product support the export of data to external sources for building reports?
+
+- Target Systems 
+** Does the product support reports on:
+
+*** Access for an application (target system)
+
+*** All access for a user, all users in a unit, all users for a supervisor
+
+*** Elevated or high-risk access
+
+*** Separation of Duties 
+
+- Auditing
+** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand?
+
+** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)?
+
+** Does the product support Separation of Duties audits?
+ (If you do access reviews / attestations) does the product provide adequate support?
+
+*** review by person, unit, application
+
+*** review of only manually-decided access, exceptions only, etc
+
+** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record
+
+** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy)
+
+** How does the product define and schedule reviews, notify and remind reviewers, etc? Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer?
+
+** How does the reviewer to report results? Is the effort required proportional to the number of changes?
+
+** Does the product support workflows, logic, etc. needed to implement access changes determined by a review?
+
+===== Cost/Vendor Considerations Category (7)+ 
+- On Going Maintenance/Cost
+** What is the product  on-goin service support  contract structure ?
+
+** What is the Software licensing cost structure  (Enterprise vs non)? 
+
+** If one of the product license model is pay-per-active-account , how does the  product consider  the following populations? :
+*** Alumni users 
+*** Guest users
+*** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..)
+*** Social identities that are linked to Idm system
+
+** Does the product  provide  any Higher Ed discount ?
+
+- Vendor Stability
+** How long is the product being in the market ?
+
+** How many Higher Ed clients does the product have ? 
+
+- Ease Of Deployment
+** Ease of Deployment under the following categories:
+*** Software Package
+*** Cloud ready
+*** Containers/orchestration support
+*** Install from binary
+*** Install from source code
+*** Security Updates
+*** Patch updates
+*** Install/Deploy/Tuning Documentations

docs/README.md

@@ -0,0 +1,3 @@
+# Headline
+
+> An awesome project.

docs/index.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Document</title>
+  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
+  <meta name="description" content="Description">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
+  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/docsify@4/lib/themes/vue.css">
+</head>
+<body>
+  <div id="app"></div>
+  <script>
+    window.$docsify = {
+      name: '',
+      repo: ''
+    }
+  </script>
+  <!-- Docsify v4 -->
+  <script src="//cdn.jsdelivr.net/npm/docsify@4"></script>
+</body>
+</html>