Introduction to administering Microsoft BHOLD Attestation
Updated: May 3, 2013
Applies To: Forefront Identity Manager
Microsoft® Forefront Identity Manager 2010 R2 (FIM) enables organizations to manage the entire lifecycle of user identities and their associated credentials. It can be configured to synchronize identities, centrally manage certificates and passwords, and provision users across heterogeneous systems. With FIM, IT organizations can define and automate the processes used to manage identities from creation to retirement.
Microsoft BHOLD Suite extends these capabilities of FIM by adding role-based access control (RBAC) to FIM, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles. BHOLD Suite includes services and tools that simplify modeling the role relationships within the organization, mapping those roles to permissions, and verifying that the role definitions and associated permissions are correctly applied to users. These capabilities are fully integrated with FIM, providing a seamless experience for end users and IT staff alike.
The BHOLD Attestation module is a tool that you can use to verify that individual users have been given appropriate permissions to accomplish their business tasks. The administrator can use the BHOLD Attestation Campaign portal to design and manage the attestation process.
The attestation process is conducted by means of campaigns in which campaign stewards are given the opportunity and means to verify that the users for whom they are responsible have appropriate access to BHOLD-managed applications and correct permissions within those applications. A campaign owner is designated to oversee the campaign and to ensure that the campaign is being carried out properly. A campaign can be created to occur once or on a recurring basis.
Typically, the steward for a campaign will be a manager who will attest the access rights of users belonging to one or more organizational units for which the manager is responsible. Stewards can be automatically selected for the users being attested in a campaign based on user attributes, or the stewards for a campaign can be defined by listing them in a file that assigns a steward to each user being attested in the campaign.
When a campaign begins, BHOLD sends an email notification message to the campaign stewards and owner and then sends periodic reminders to help them maintain progress in the campaign. Stewards are directed to a campaign portal where they can see a list of the users for whom they are responsible and the roles that are assigned to those users. The stewards can then confirm whether they are responsible for each of the listed users and approve or deny the access rights of each of the listed users.
Campaign owners also use the portal to monitor the progress of the campaign, and campaign activities are logged so campaign owners can analyze the actions that were taken in the course of the campaign.
Some of the configuration required for attestation is performed in the BHOLD Core portal. To use the BHOLD Core portal to administer BHOLD Core, you must be logged on with the root account (by default, the account that was used to install BHOLD Core) or with an account that has the same BHOLD and SQL Server permissions as the root account. Start the BHOLD Core portal by typing the following URL in the address bar of a web browser:
http://<portal_server>:5151/BHOLD/Core
where <portal_server> is the IP address or server name of the server running BHOLD Core.
You use the BHOLD Attestation Campaign portal to configure the BHOLD Attestation module and to design and manage attestation campaigns. To use the BHOLD Attestation Campaign portal, you must be logged on with an account that has the BHOLD Attestation Owner permission. For information about assigning this permission, see Preparing BHOLD for attestation. Start the BHOLD Attestation portal by double-clicking the Microsoft BHOLD Suite—Attestation shortcut on the desktop. If the shortcut is not available, open a web browser and type the following URL into the address bar:
http://<server>:<port>/Attestation
where <server> is the name or IP address of the server running BHOLD Core and BHOLD Attestation and <port> is the port that was used to install BHOLD Core.
For more information about the Microsoft BHOLD Suite, see Microsoft BHOLD Suite Concepts Guide. For information about installing the BHOLD Suite SP1, including the BHOLD Attestation module, see Microsoft BHOLD Suite SP1 Installation Guide.