diff --git a/docs/IAMfuncGTAAsurvey.adoc b/docs/IAMfuncGTAAsurvey.adoc new file mode 100644 index 0000000..22b91f5 --- /dev/null +++ b/docs/IAMfuncGTAAsurvey.adoc 
@@ -0,0 +1,287 @@ + +=== Identity Provisioning Category (1) +====== Identity Matching + +** Does the product provide an identity matching service? + +** Describe how the identity matching service is configured, and any scoring or weighting of attributes? + +** Describe how low quality matches are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them.? + +** Can the matching service be run against an existing population seeking duplicates? + +** Does the product have the ability to use an external matching service? + +** Describe the configuration of the external service. + +** Describe how low quality matches indications are handled, and if there is a notion of matches in suspense, what are the mechanisms for making assertions about them? + +** Describe and standards that are used in messaging or APIs for matching services. + +====== User Name Assignment + +** Does the product support user selected usernames?, if so, how are attempted duplicates handled. + +** Does the product support generated usernames?, if so, describe the options and configuration + +** Does the product support enrollment of new users?, if so, please describe the configuration of the enrollment portal, and any support for workflow. + +** Describe how the product handles username changes, including support for namespace protection and auditing, and any workflows? + +** Describe how the product can communicate username changes to other systems that might need to be informed? + +====== Identifiers + +** Describe how the your product handles the creation of Identifiers. + +** Describe how does the product handles the use of external vs internal identifiers ? + +** Describe how the product maintain immutable/opaque identifiers that are used system to system ? How do these identifiers help when user id's change ? + +** Describe the product support for social IDs (Facebook, Google, etc.) in place of local identities. 
+ +** Describe the product support for social IDs that are connected to local identities. + +** Describe whether social ID can be a step in onboarding/offboarding? + +** Describe how does the product consider Level of Assurance LOA when using social IDs.? + +** Describe Identity Matching even with Identity matching, even with social ID + +=== Credential Provisioning Category (2) +====== Password Rules and Policies + +** Describe how the product the support of limiting the number of different passwords that users need to remember to one central password connected to a central password store or if you have multiple password stores of the same password, how does the product synchronize it? + +** Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. + +** Does the product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords.. + +** Describe the products support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. + +** Describe how the product conveys password quality to end users? + +** Describe how the product meets accessibility guidelines? + +** Describe how does the product deal with passwordless? + +====== Password Setting/Activation + +** Describe how the product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. + +** Describe the products support for terms of use and informed consent when getting a credential. + +** What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. + +** Describe any features your product has to deter attacks on unclaimed credentials. 
+ +** Describe how the product works with identity proofing during the account claiming process? + +====== Authentication Types (Factors) + +** Describe the support for certificate based authentication. + +** Describe the product support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. + +** Describe any support you have for challenge response questions. + +** Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. + +** How does the product handle loss of a (perhaps only) two factor device, such as one time tokens? + +====== Provisioning/De-provisioning of credential + +** Describe how the product enforces control over provisioning password to a SP when Federation option is available? + +** Describe the states supported by the product for credentials, such as open, expired, disabled, locked/unlocked, security deny, etc. + +** Describe any workflow available for deprovisioning, time based, approval based, and any attribute or membership checks that can be used for deprovisioning workflow. + +** Describe any controls for sanity checks in your product to prevent accidental mass deprovisioning. + +** Describe the administrative capabilities the product has for deprovisioning and deprovisioning intervention, include any delegation features. + +** Describe how the product handles deprovisioning of credentials w/r/t propagation to multiple credential stores.? + +** Describe how the product handles de-provisioning of MFA (Authentication methods) after the user is no longer active and how do deal with re-provisioning when the same user returns? + +=== Service Provisioning (3) +====== Provisioning/Reconciliation + +** Describe how does the product ensure that source and destination are in sync? + +** Describe both targeted and full reconciliation (fully match accounts). Incremental vs full. 
+ +** Describe how does the product identify and handle orphan accounts ? + +** Describe how the product handles manual intervention by an admin. + +** How flexible is customization of the IDM connector that provisions the account? + +** Does the product support a threshold to alert for large quantity of updates? + +====== JIT/JIC (Cloud Services) + +** Describe how the product integrate with a “Just-in-Time” provisioning model-- on demand provisioning when the user logs in. How does you product learn about this access from IGA perspective? + +** Describe how you support the “Just-in-Case” provisioning model in relation to the Cloud Services? + +====== WorkFlows + +** Describe how the product handles automated workflows.? + +** Describe how the product supports end-user self-service workflows. + +** Describe how does your product support the Workflow-based provisioning model in general. + +====== Deprovisioning and repatriation + +** Describe how the your product handle a service account de-provisioning with flexibility ( account disabled vs account remove) in accordance with the service and business needs? + +** Describe how the product triggers deprovisioning to a service. + +** How is authorization removal handled for deprovisioned users? + +** Describe how the product supports repatriating a service account from institutional to personal. + +** Does the product support a threshold to alert for large quantity of changes? + +====== Life Cycle + +** Describe how does the product captures changes in affiliations/roles that matter for service entitlements? + +** Describe how does the product handle grace periods used in extending services to users beyond a specific period of time . Does the product have a Business Rule Engine to handle this need? + +** Does the product support the establishments of policies and processes to reinstate disabled identities/services? 
+ +=== Target directory provisioning Category (4) +====== Linking identities between directories or services +** Describe how the product links an identity in a source directory to the same identity in the target (and service?) + +** Are your user linkage attributes characterized as follows: + +*** Immutable +*** Static +*** Globally unique + +** What is the process of account matching if accounts already exist? + +====== Reconciliation +** How does the product ensure the target directory or service has state in sync with the source? + +** Does the product support rollback or transaction? + +** Does the product support incremental/full sync with the target directories ? + +====== Deprovisioning and repatriation +** Describe how the product triggers deprovisioning of identities in a target directory or service. + +** Describe the process of deprovisioning identities in a target directory or service. + +** How is authorization removal handled for deprovisioned users? + +** Does the product support a threshold to alert for large quantity of changes? + +=== Roles and Groups Category (5)+ +====== Type of Roles/Groups +** Describe how the product support RBAC/ABAC/Groups models ? + +** Describe how the product supports a list of definable /extendible groups/roles?. + + +** Describe how the product supports a hierarchy of groups (i.e., nesting and relationships between groups/roles) + +** What upstream data sources does the product readily support to derive roles/groups? + +** Does the product support sets of groups/roles associated together? (i.e., base, exceptions, includes/excludes). + +====== Administration +** Describe delegated access administration features for group management. + +** How does the product deal with “orphaned” delegation? (When previous admins are no longer there.) + +** Does the product provide APIs that would allow an external group and access management tool to drive your product’s groups and group memberships? 
+ +** Does the product support attribute-based (ABAC) or role-based (RBAC) concepts to drive groups and group membership? + +** Can groups have permissions associated with them? + +** What sort of attributes or metadata about groups are available? + +** Does the product support automatic review of roles/groups (attestation) + +** How does the product expose or link groups or roles for fine-grained service authorizations? + +====== Guidance for architecting +** How does your product define a default role or template (set of groups) for new entities? + +** Does the product provide any tool for role mining ? + +** Does the product provide a deployment /architecture guidelines for implementing roles/groups ? + +=== Reporting/Auditing Category (6)+ +====== Integration with External Reporting Engine +** Does the product support the export of data to external sources for building reports? + +====== Target Systems +** Does the product support reports on: + +*** Access for an application (target system) + +*** All access for a user, all users in a unit, all users for a supervisor + +*** Elevated or high-risk access + +*** Separation of Duties + +====== Auditing +** Can the product provide a tool to compare intended provisioning to the actual state of an application on demand? + +** Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was)? + +** Does the product support Separation of Duties audits? + (If you do access reviews / attestations) does the product provide adequate support? + +*** review by person, unit, application + +*** review of only manually-decided access, exceptions only, etc + +** Can audit results include “comments” (eg, “access being removed because …”) that become part of the record + +** Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy) + +** How does the product define and schedule reviews, notify and remind reviewers, etc? 
Can the product send emails and/or use an external ticketing system? Are reviews done within the product, or in a document sent to the reviewer? + +** How does the reviewer to report results? Is the effort required proportional to the number of changes? + +** Does the product support workflows, logic, etc. needed to implement access changes determined by a review? + +=== Cost/Vendor Considerations Category (7) +====== On Going Maintenance/Cost +** What is the product on-goin service support contract structure ? + +** What is the Software licensing cost structure (Enterprise vs non)? + +** If one of the product license model is pay-per-active-account , how does the product consider the following populations? : +*** Alumni users +*** Guest users +*** Extended Community users (Parents, Propsect Students , Applicants, Continuing Ed students ,ec..) +*** Social identities that are linked to Idm system + +** Does the product provide any Higher Ed discount ? + +====== Vendor Stability +** How long is the product being in the market ? + +** How many Higher Ed clients does the product have ? + +====== Ease Of Deployment +** Ease of Deployment under the following categories: +*** Software Package +*** Cloud ready +*** Containers/orchestration support +*** Install from binary +*** Install from source code +*** Security Updates +*** Patch updates +*** Install/Deploy/Tuning Documentations
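Review bot: The section levels skip from `===` (level 2) straight to `======` (level 5) throughout, e.g. `=== Identity Provisioning Category (1)` followed by `====== Identity Matching`; AsciiDoc warns on skipped levels and renders them inconsistently, so the subsections should be `====`. Two category titles carry stray trailing characters (`=== Roles and Groups Category (5)+` and `=== Reporting/Auditing Category (6)+`), and in the Auditing section the line `(If you do access reviews / attestations) does the product provide adequate support?` has no `**` marker, so it will render as a paragraph glued to the previous bullet rather than as a question. Several questions need wording fixes before this lands: `Describe and standards that are used` (any standards), `Describe how the your product handles`, `how does the product handles`, `How does the reviewer to report results?`, `on-goin`, `Propsect`, `ec..`, and `Describe Identity Matching even with Identity matching, even with social ID` reads as an unfinished question that should be completed or dropped. On Password Rules and Policies, the expiration question assumes periodic rotation is desirable; suggest also asking whether the product can screen new passwords against breached-password lists and operate without forced rotation, which is what current NIST SP 800-63B guidance recommends, and the "dictionary checks" question could say explicitly whether that includes compromised-credential lists.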