Learn Identity and Access Management Fundamentals | Shaan Bansal | Skillshare


Shaan Bansal, IAM Architect

18 Lessons (1h 28m)
  • 1. Identity and Access Management (1:21)
  • 2. Digital Identity (3:10)
  • 3. Digital Certificate (5:56)
  • 4. Digital Signature (3:19)
  • 5. Authentication and Authorization (3:07)
  • 6. L.C.M (3:24)
  • 7. Access Management (1:54)
  • 8. Identity Governance and Administration [IGA] (3:45)
  • 9. Identity Federation (3:53)
  • 10. Single Sign On [S.S.O] (2:05)
  • 11. Kerberos (1:54)
  • 12. Various IAM Products and Vendors (1:51)
  • 13. Reconciliation and Provisioning (5:05)
  • 14. User VS Account (2:02)
  • 15. Role and Rule Membership (7:22)
  • 16. Connector (21:56)
  • 17. Plugins (2:42)
  • 18. S.O.D (13:10)

About This Class

This course will help you understand the concepts and terminology used in the Identity and Access Management domain. You will be able to understand the basics and start your work smoothly.


Transcripts

1. Identity and Access Management:

Hey everyone, welcome to the Identity and Access Management course. So the first question on the very first topic is: what is Identity and Access Management? So identity and access management is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. So what is an electronic or digital identity? We will look at that in an upcoming session very soon, but before that you should understand that there are multiple digital identities in your organization. Those digital identities should be managed with this IAM framework, or IAM tool, or IAM product or solution. So I hope you are clear now on what identity and access management is. Repeat with me: identity and access management. It is nothing but a solution to manage electronic or digital identities. So if somebody asks you in future, "Can you please explain to me what identity and access management is?", you should be in a position to explain: it is nothing but a solution where you manage identities and also the access of those identities. And what are those identities? Those are nothing but the electronic or physical identities. So thank you, guys. Let's meet and discuss the rest of the things in the next upcoming class.

2. Digital Identity:

Guys, welcome back. So let's discuss what digital identity is. This is a terminology which we use a lot in the world of IAM. So a digital identity is nothing but information on an entity used by computer systems to represent an external agent. Actually, this agent could be a person, could be an organization, an application or devices. So generally the examples could be, let's say, in your organization you use your user name and password, right? Your credentials. Let's say, for processing, your data such as your social security number or SSN. These kinds of things are examples of digital identity.
So in easy words, if I explain it, a digital identity is nothing but just like your physical identity, the way you have, let's say, your identity proof. Let's say in India we have voter card and Aadhaar card numbers, right, for our identity proof. In the same way, in different countries you have a different ID proof, which proves your physical identity. In the same way, in the digital world, you have to prove your identity. That identity is proven with the help of a digital identity. So this digital identity could be any user name or password. Or let's say your company provides you some ID card, right, your online ID card, your own user name and password, right? With the help of that you can authenticate yourself, that you are the right person who has the access to the company servers or company products, right? So this is the way; this is our digital identity, which is used a lot in the digital world. So the question is, who issues this digital identity? Where will I go and get these digital identities? In order to get the digital identity, you have to go to something called CA, certification authority. Let's say you want to get a passport. So if you want to get a passport, you have to go to the passport office. You have to apply, fill the form, and they will issue your passport. In the same way, if you want your digital identity to be issued to you, you need to go to the certification authority, or CA. They will give you the digital identity. Okay, so in order to assign, you can see here, in order to assign a digital representation to an entity, the attributing party must trust that the claim of certain attributes, such as name, location, role as an employee, or age, is correct. So if it is correct, then the associated person will be given one digital identity. Okay, so I hope digital identity is clear. If you want a digital identity, you have to go to the certification authority.
A place where you have to prove with your documents that you are the correct person who you are claiming to be. After that, they will issue a digital identity for you. So generally these digital identities should be issued by your employer to you. So we should not generally do this, or this is done by some different bodies present over the Internet, who will give you this digital identity with the help of a CA. So I hope you understand what digital identity is and where you get the digital identity. In the next class, we will discuss digital certificates. So thank you, and let's meet in the next class.

3. Digital Certificate:

Welcome back. So today the agenda is: what is a digital certificate? It's very important to know what a digital certificate is. Digital certificate, or many times you will hear the term public key certificate. So what is that? A certificate is nothing but an electronic document that is used to identify an individual person. It could be a company, or it could be a server or any entity belonging to your company. Like you have a driving licence, passport, student ID, library card and so many different ID proofs, right? We generally identify ourselves with their help; they help other people to identify that you are the right person, you are who you are claiming to be. In order to bind the public key to the associated user, actually the owner of the private key, PKI uses digital certificates. So actually these digital certificates are the credentials, okay, that facilitate verification of identity between the users in a transaction, such as a passport certifies a person going from one country to another country. So that is the proof he belongs to a particular state, a particular country, a particular city, and he is the right person, whoever he is claiming to be.
So what do you do in order to obtain such a driving licence? In order to obtain such a passport or driving licence or any ID card or ID proof, let's say a student ID card, whatever it is, you have to go to that place, fill the form, go through some process, and after that you will get that particular ID card. So in the same way you can get the digital certificate as well. So this is all about how digital certificates, or public key certificates, are used in the world. So whenever you do any online transaction, let's say you want to communicate: you are person A, and person A wants to communicate with person B. So first their digital certificates are exchanged; that is, public certificates are exchanged. So how will you exchange the public certificate? First of all, you must have that public certificate, right? This is an electronic document that you must have, just like your ID card proof. Before any handshake will start, before any communication will start, both parties should understand, or be sure, that they are the correct parties, or correct bodies or entities, that they are claiming to be. After that, the communication gets started. So what do they do? They just go and fill the form with the associated bodies, and those bodies will provide you with a digital certificate. So actually, how does this certificate work? Our certificates actually work the same way any previous identification or identity which I mentioned used to work. So as I already mentioned, certificate authorities, or CAs, are those bodies or entities where you have to go and validate your identity, and based on that, for your physical identity or electronic identity, they will provide you one digital identity or digital certificate. Okay, so using this certificate, you can create trust while starting communication over the Internet.
So that's why we have written: client and server use certificates issued by the CA to determine each other, okay, to determine that the other's certificate can be trusted. So as I already mentioned, this is the way this digital identity is used. So here you can see the example: you are a person, you have to request the digital identity. Okay, they will try to figure out, based on your documents (you will submit the documents), that you are the correct person who you are claiming to be. Then the digital certificate will be issued. A digital certificate is nothing but a combination of a public key and a private key. So whenever you do any kind of communication over the Internet, these keys are used. So let's say you just want to say hi to somebody. Let's say I'm your friend and you want to start communication with me over Facebook. You just send me "Hi". This "Hi" will generally go like this. First of all, you have to send me your public key and I will send you my public key. Both public keys will interchange and our trust is built. After that you have your private key and my public key; I have my private key, my public key, and your public key. Each of us has two public keys and one private key. After that, what happens? You just send me a "Hi" message and lock this message over the Internet with your private key, just like locking a room. This message is released to me and I can open, and anybody can open, the same message with the help of your public key. Since in the beginning itself you shared your public key with me, I can open this message "Hi" and I can read the "Hi" from you. If I just want to reply with "Hello", what can I do? I will lock a message, let's say "Hello", with my private key and will send it over the Internet.
If somebody in the middle wants to read the message, they will not be able to, because they don't have my public key. Now this message goes to you; you have my public key, you can open the message and you can read that. So because of this, a secure communication channel has been established. It's possible only because of this digital certificate. So it's very important; this is the digital certificate, and it is issued by a digital certificate authority, which is a CA. Okay, so this is all about certificates, guys. In the next class onwards, we will see what a digital signature is in the digital world. Okay, before moving to the very hard IAM topics, we have to have some basics of cyber security, and the identity and access management domain, a lot. Thank you.

4. Digital Signature:

Welcome back. Today we will discuss digital signatures. This is a very important topic to understand, because many of the people I found, when they joined the company, whether they are freshers or experienced, or whether they are in, let's say, a technical position or a managerial position, this course is very much important for them. They are a little confused; what I found is that they are confusing digital signatures and electronic signatures. That's why I'm including this topic. So a digital signature is nothing but an electronic signature, right? It's just like an electronic signature, but it's a little bit different from the electronic signature. You can see it just like a physical signature as well. Okay, so it also guarantees the information is not modified. So let's say you sign a document with your digital signature and send it to some party. The party receives the document, and there they will see it has your digital signature, which means the document is 100% sent by you. It's a guarantee: the document which is sent to him was sent by you, because it has your digital signature. So there are various types of digital signatures that exist. The most common are by Adobe and Microsoft. They provide you the digital signature.
Different types of signatures exist; sometimes called electronic signature, sometimes called digital signature, and people get confused. An electronic signature, if I define it in one line, is not a digital signature. Let's say you sign a document electronically, let's say in MS PowerPoint, or let's say in Paint, or let's say a scanned signature. Okay, so these kinds of signatures are called electronic signatures. You can sign, let's say, on the letter on the screen; if you sign with my signature, this will be nothing but an electronic signature. A digital signature is something which is coming with the product. Okay, let's say you download Adobe, okay, Adobe Reader or Acrobat Reader; with that, Acrobat Reader Pro, you will get the option of a digital signature. Okay, then only that is called a digital signature; that looks something like this. Okay, so digital signature and electronic signature are used interchangeably, but both are not the same. An electronic signature could be, let's see, if you sign something normally, that's an electronic signature. With a digital signature, actually, it feels like you are signing something, but you are not signing it. You are just attaching one signature which is coming with the product, with your name, that authenticates you as the right person who is claiming to be, because only when the third party receives the mail or message, he will understand it is sent by you, and you can see it in the picture. So that's all about digital signatures, and from the next class onwards I will go into the core topics of identity and access management. Okay, there we will see what authentication and authorization are. Because in identity and access management, identity management means managing the identity and authentication of the identity, the digital identity. So that's why understanding digital identity, digital certificates and digital signatures are very core topics, so that's what I already explained. The next phase of identity and access
management will start from tomorrow, where we will discuss authentication and authorization. That's the core and heart of it, which is the heart of identity and access management. Let's meet in the next class and discuss things.

5. Authentication and Authorization:

Hey guys, welcome back. So now we will discuss authentication and authorization. What is meant by that? So authentication is nothing but a process where you tell who you are; you prove to the other party who you are. And authorization will tell what you have and what you can do, actually. So let me tell you with an example; here you can see it in the picture itself. Let's say I'm an employee of a company, as an example, so my ID card will be the proof of who I am; that's called authentication. At the main door, when I enter my office premises, I will show my ID card; that will allow me in. I just came into the office building. Okay. After authentication, now there are 50,000 or 10,000 rooms, since my organization is very big. So there are 50,000 to 10,000 different rooms; there are different project rooms. So let's say I'm not authorized; I am authorized to go to, or I have only access to, two or three rooms belonging to my project, one of the cafeteria area, one of, let's say, the gym, and one of, let's say, where we just go and have dinner, and all such kinds of rooms. So just the point of the discussion is: I have access to a few rooms, okay? I can't go everywhere. Let's say I have access to the cafeteria, I have access to, let's say, the gym, I have access to three rooms belonging to my project. Let's say my project name is Nestle and I am trying to go to another project, let's say some other project, okay? So when I try to go to other projects, which belong to other projects' premises or rooms, okay, I will not be allowed; my ID card will not allow me, and it will not open the door for me, because I'm not authorized. So after authentication, what I can do inside that premises, okay, inside that premises, is my authorization.
I'm authorized to go to, let's say, the project rooms and project premises where I belong and where I am supposed to be, and also I have access to a few other places. So this is called authorization. In the same way, let's say you log in to a Linux machine, let's say a Linux server in your company. In that UNIX or Linux server, when you enter, there are a number of folders, but based on your designation, you're not supposed to open every folder. Maybe when you try to open it, it will give "access denied" or "you don't have sufficient permission to open that", because you are not authorized; that is called authorization. Authorization is always the second step, and authentication is the first step. Authorization is not possible until and unless authentication is done. So people get confused a lot of the time between authorization and authentication, I have seen. So because of that, I just took this example and tried to correlate it with a real-life situation. So now, I think, you have a very good idea of what authentication is. So this is all about authentication and authorization. In the next class onwards, we will discuss the various lifecycles in identity and access management. So thank you.

6. L.C.M:

So, user life cycle in identity management. So just try to understand: this is identity management; it's not the access management. So what is managing identity? So, what is meant by identity management? In identity management we manage the lifecycle of a user, okay. In any identity management product we manage the lifecycle. Let's say you are not a part of, let's say, XYZ company, or XYZ organization. So what happens? You gave the interview and you got selected, and after that your profile will be created in the company repository. So let's say today is the first of January and you got selected. Let's say your joining date is from 15 January, so your profile is created on the first of January, but your profile will be in the deactivated mode at that moment of time.
But what happens after those 15 days have passed? Your profile will get activated. Okay, so your status changes from deactivated to activated. Let's say after a few moments of time you got promoted and you become, like, you got a different position in the organization. So again your profile gets modified. After a few more moments of time, you get a different opportunity, a career opportunity in a different company, and you resign from the company. After that, HR came and this HR just deactivated your profile, because you just left the company. And after, let's say, 60 days, your profile got deleted from there. So what did we learn? Anybody joins any organization: first of all, you are not a part of the organization; you are a non-existing user. After that, after a few moments of time, you just become a part of the organization, so your user ID is created, okay, your user entry is created in that organization. After that, once your user entry is created in the organization, via the lifecycle of you as a member of your organization, multiple times your user profile is modified based on the company requirement and your performance. After that, at the last, at the end of the life cycle, you may leave the organization; let's say you resigned from the organization, and you are serving your notice period, let's say a 60 days notice period. What happens? Maybe chances are that in the 60 days notice period you just change your mind and you want to come back to the same company. So, in that moment of time, your status from deactivated could again be enabled. But if you didn't come back after 60 days, HR marks your profile as deleted, and after a few days or after a few months, your profile will be completely deleted from the company. So this is called the user lifecycle: how the life cycle of the user is flowing in the company as an identity. So that is called identity management. Okay, I hope you understand what identity management is. So this complete flow is managed by a separate team in your company.
Which means some part of the team will manage the creation of the user. Some part of the team will deal with, let's say, you just got promoted and your designation should be changed, the modification. And some would deal with, let's say, you left the company and your access should be revoked. So these things should be managed by some different teams in the company. That's all. Those people are a part of identity management.

7. Access Management:

Welcome back. We will discuss user access management. In the previous class, we discussed identity management. So today we will discuss access and authorization management. So let's take an example. Let's say you try to open a website, let's say facebook.com. So when you hit www.facebook.com, what happens is, when you hit this URL facebook.com, there is a Facebook server on which the Facebook application is running. So what happens when you run this Facebook website? When you hit it from your browser, it goes to the server. Before reaching the server, there is something called a WebGate, okay, which sits over your web server here. It will check, okay. Here it will check a few things. What are those things? This request is sent to the web server, or your Facebook server. Very first, it decides whether this website is protected or not protected. Protected means whether this website requires some credentials or not. If credentials are required, immediately a login page will be thrown to the user. The user will fill in the form on the login page and submit. With the credentials, it will go to some database or LDAP directories, where those credentials will be verified, whether the credentials are correct. So after that, some cookies will be generated, and based on these cookies and credentials, it will be decided how many servers you are authorized to use, how many web pages you are authorized to use. And based on that, after the authentication is completed, and your authorization, it will return
that the user is authorized to access this Facebook. So if you are authorized, the page will be opened. Otherwise, an error page, or a "you are not authorized" or "unauthorized" kind of page will be shown. So this way we manage the access, or login, or authorization for a user. So this is all about access management.

8. Identity Governance and Administration [IGA]:

Before starting today's agenda on this topic, I just want to discuss a very important point: the difference between identity management and access management. In one line, what could be the difference? So the difference is: in identity management, it's all about managing the attributes. Let's say your designation is manager, or your designation is senior associate; this managing of the attributes, your first name is, let's say, Sandeep; this managing is called identity management, meaning whatever attributes could belong to an identity, managing those is part of identity management. Access management means, let's say today I got promoted from senior associate to the manager position; immediately I should be supposed to get some different accesses, okay, based on the different policies applied on me right now. So this could be a yes or no decision. If I am a manager, this kind of policy should be applied on me. So access management is a result of those attributes. That means, let's say you have an attribute value of manager, then the policy should be different. If you have a value of, like, position or designation as associate, or as manager, the policies differ; if your designation is something else, the policy should be different. So based on the value of the attributes, by using the value of the attributes, okay, what could be your access, what could be the policies applied on you, those are decided by access management. So this point should be clear to you. So today we're going to discuss a very important topic: identity governance and administration, IGA. Why am I discussing this topic? I guarantee
most of the people are confused by this particular terminology. Many people call identity governance and identity and access management the same topic, same thing, same domain. If you are in a discussion, they will use them on an interchangeable basis. But they are not the same thing. If I tell you, identity governance is a very big part, okay, a very big umbrella, under which identity and access management falls into the category; identity and access management is just one of the parts of identity and access governance. So identity governance, if you're learning it, means you're already learning identity management, plus you're learning some extra features. So it already has the identity administration, or the identity and access management part, with it, where you just deal with accounts, credentials, provisioning, reconciliation, entitlements, roles, etc. It also has a governance part. The governance part is something based on the reporting part or auditing part. That means, if you just merge the identity and access management suite with reporting tools, or let's say with auditing tools, it becomes identity governance. So in identity governance, you have something like SoD, segregation or separation of duties, role management, reporting, and so on like this. So we can say, with the IAM features, okay, with the IAM features, they also help organizations meet compliance requirements and enable them to audit access for compliance reporting; that becomes IGA. Okay, so IGA is nothing but something which is directly related to compliance, reporting or auditing. Okay, if these features are in your IAM product, it becomes IAM plus extra features; this is IGA. I hope that is clear to you now: IGA and IAM are two different things. In the next class onwards, we will discuss federation, how federation works. So let's meet in the next class.

9. Identity Federation:

Welcome back. We will discuss today Identity Federation. Identity Federation is nothing but simply authentication,
but between two different parties, or you can say companies, or you can say domains. This is something which you use, or you observe, or maybe you don't observe, but you are using it in your daily life. Let's say you try to open any website, xyz.com. But generally you see you are having two options: you can directly log in to the website with your credentials, or you can authenticate with a third-party identity provider, like Facebook, Gmail, like this. So this is something called Identity Federation. It means somebody else is coming on behalf of you to authenticate, or telling those service providers, or those websites, like, "Hey, I know this user, okay? He's telling his name is such-and-such. I know this. I am confirming this, because he already confirmed this while he created an account with, let's say, my Facebook." So let me tell you a scenario. Let's say Sandeep Academy is a service provider of the company; that company has multiple apps that the user wants to use, let's say application one from that company. So when the user tries to log in to the app, and the company wants to use that, to the company he needs to provide the user name and password, okay, credentials, in order to log in to Sandeep Academy, where the applications are deployed. So there are two options: he can directly provide the credentials, or there is the option where Identity Federation works. If you don't have the credentials, if you don't want to register with this service provider, he has the option of an identity provider. Let's say Facebook is the identity provider; he already has the user name and password of Facebook. People log in to Facebook; immediately after that, Facebook, or that identity provider, creates a SAML token. Based on the user name and password, the SAML token is again transferred to the service provider, and from the SAML token those service providers fetch the user name and password, and based on that they are
since this identity provider and service provider already know each other, they are trusting each other with the help of SAML. Okay, SAML protocol, SAML 2.0. So they already know each other, and here the service provider, which is Sandeep Academy, is seeing this SAML token is coming from the identity provider whom I already trust, and from the SAML token I'm able to fetch the user name and password. With the help of this user name and password, what will it do? It will see which application he's authorized to access. Okay, which application somebody coming from, let's say, the Facebook identity provider is authorized to access. So based on that, he will be able to access that particular application. That is called Identity Federation. So what is the basic principle there in identity federation? You will use a service of a service provider, but not with their credentials; you are not authenticating to their server directly. Rather, you will authenticate yourself to a different vendor, or a different provider, which is called the identity provider, and that guy will go on your behalf. That guy will go on your behalf and authenticate you; it means this Facebook identity provider will go and tell Sandeep Academy, "I know this user. I know this user, let's say John. I know John. Don't worry about this, because you trust me, and I already authenticated this user, because he's a general user of my service provider, my services, on my Facebook server. So I know him; since you know me, now you should trust him." So this is called Identity Federation.

10. Single Sign On [S.S.O]:

Hello everyone, welcome back. Today we will discuss an important topic: single sign-on. This is a term which is used everywhere, and you are also using this on a daily basis. You already know: let's say if you try to log in to Gmail, YouTube, or let's say Google Play, do you think you need a different account, a different user name and password? No.
You create only one account in either of them, let's say Gmail, and with the same credentials you are able to open YouTube or Google, right? That means you are successfully authenticating to these other applications as well. So this is called, this is nothing but, single sign-on. It means it allows a particular user to use only one set of credentials, one set of user name and password, and that user name and password helps him to access multiple applications belonging to that category. So this is what it is. The question is, how does SSO work? So the algorithm is: first of all, the website first checks or sees whether you have already been authenticated by the SSO solution. If not, it starts the SSO process. You will enter your user name and password, and after that the SSO solution requests authentication from the identity provider. Okay, it verifies your identity. Let's say Facebook verifies your identity; we have already seen how the identity provider does it. An answer is available; the SSO solution passes the authentication data to the website, and to the new site, and you are able to access that site, okay. After logging in, the site passes the authentication verification data. When you keep on moving to the various sites, let's say you authenticated once to Gmail, and if you try to log in to YouTube, the same authentication token will be staying with you when you try to log in, so no need to put the user name and password in again, because they already know how that token works. They will fetch the user name and password from the token every time. So you don't need to provide them every time. So this is the way how SSO works.

11. Kerberos:

How are you doing? I hope you're doing well. Today we're going to discuss a very important thing called Kerberos, or Windows native authentication, which we daily use while logging in to a Windows machine in our organization. So, first of all, what is Kerberos?
Car bruises Nothing but failed to authenticate a user are authentication mechanism double abide atop most in it was at the mighty. So what happens is how this authentication. But let's say you supply the user name and password to return ticket to a silver. The so has something called authentication service. The service again forward this credential Tokay D. C, which is key distribution center, which is like database off the credentials again. It is very fight over there, and after that, if the verification was successful, article disseminated. Okay, ticket granting ticket. The name off the ticket is called PDT. With times time in the public's, the stupidity ticket is again for border to the user with the public in time stamp. Since the user hard, fidgety anti deity, he good that user god on behalf off the credentials. Now the user will take this digital ticket and it will try toe access the resource, but the resources protected with the help of ticket grounding Service user will transfer distant city toe the ticket granting service. He will check whether it's a valid ticket or not, since this ticket is generated based on his user name and password by Kerry. See database and if it is valid, user is provided something called cistern ticket based on ticket vending service. This is their ticket, which the user need. Finally, in order to exit the resource of end the user forward this station ticket to the resource he is allowed to use that Equilar resource. So this is where this Scarborough's authentication walks. 12. Various IAM Products and Vendors : I hope they'll know you. Herd's gone through various stomach and large using identity and access management domain nowadays before moving forward. It's my responsibility to make you aware. What can the product right now we have in the market? We have various product related. Oh, I am a few of them popular Octa You already know octaves a cloud based service. Okay, Off identity and access management. 
I already have a course on Okta where I discuss Okta in detail. There is also something called IdentityIQ from SailPoint, which is also very famous nowadays. Oracle Identity Manager, or the Oracle Identity and Access Management Suite, which is very old and very trustworthy, from Oracle; I already have a course on this as well which you can use if you want to go into it. Apart from these, Ping Identity, which is also very much in demand. We also have several tools or vendors making IAM suites, like Dell One Identity Manager, which is now called One Identity Manager; I have experience on that particular product, but there is no course given by me on it right now, though soon I will prepare one. So there are various products. But after working on these many products in my career, I found that 70 to 80% of the products are the same; I found very few differences among them. So if you are good in the domain, rather than specializing yourself in a particular product, I will say specialize yourself in the domain and be good in one particular product; learning the rest of the products will be very easy. So these are some famous vendors and products in IAM; there are many more you can keep on searching for, like ForgeRock and so on. This is all about the various products. Thank you.

13. Reconciliation and Provisioning: Hi everyone. Till now we have covered, I think, more than 10 or 12 topics. All the topics are very, very basic. Whether you are a product expert or not, you should have the domain knowledge, and for domain knowledge those points were very important. But now we are going to discuss something related to the product or solution, the IAM solution itself. The terminology is reconciliation, or recon, and provisioning. These are very frequent terms we use on a daily basis while we work with any IAM tool. So what are they? Let me show you with an example. First of all, reconciliation, or recon, is a process where data comes into the IAM product or solution. If the data goes out of the IAM product, that is called provisioning. Let's take an example. Assume that you yourself are the IAM product. Let's say your salary comes to you on the first day of the month. The salary is coming towards you; the arrow of the salary flows toward you, and that is reconciliation. On the same day you go to the city centre, or somewhere else, and buy a dress for your girlfriend, so that particular amount is going out of you; the arrow is out of your entity, your money bag. That is called provisioning: something going out of you. Means the process where data goes from the identity and access management product to the target system is called provisioning. For example, you have an HRMS system where HR puts the data when they recruit someone. From the HRMS system, when the user joins the company, their identity is created inside the organization in the IAM tool. That process is called reconciliation. The IAM tool could be Oracle Identity Manager or Okta. Let's say after a moment the user identity is created; now the user needs various accounts. Let's say you came into this world: when you were born you got an identity, your birth certificate. After that you grew up, and then you opened your WhatsApp account, bank account and Facebook account. So the user has accounts. The same way, a user identity is created in the IAM tool, and based on that particular identity, accounts are created. What is your identity? Your name, first name, last name, all the details related to you. Based on that identity you create your Facebook account, right? The account is a sub-product which is created, based on the user's real information, in a different target like the bank, Facebook or WhatsApp. That is called provisioning: when the IAM tool creates the account. You should understand the difference: user is different, account is different; a user has accounts. You should be very sure about that. If you don't exist in this world, you do not have a bank account or a Facebook account. The same way, if a user is created, which is called reconciliation in the IAM tool, and now the IAM tool creates that user's account in any target, let's say a bank account, Facebook, WhatsApp, based on your user identity, then that is called provisioning. Provisioning is when, based on your real identity, your identity data is taken and an account is created on various targets. The target could be Active Directory, it could be Exchange Server, it could be Documentum, any kind of place where you can create the account. So the account is a sub-product. To summarize reconciliation and provisioning: reconciliation is a process where, based on the HR data, each user identity is created; and based on the user identity, when you create an account on your target, that is called provisioning. I hope this makes sense to you. Maybe I have not given a very precise definition and may have confused you, but to make it easy: if something is coming to the IAM tool, it is called reconciliation; if data is going out of the IAM tool, it is called provisioning. As easy as that. Salary coming to you is reconciliation; salary going out of you to the shopping mall is provisioning.

14. User VS Account: Today we will discuss user versus account. Before entering into the advanced features of identity and access management like roles, connectors and SoD, you should be aware of what a user is and what an account is, because many people have confusion between user and account, and if you want to understand those things, user and account are very important, as they are while learning topics like reconciliation and provisioning. A user is nothing but an IAM entity, and I have already told you multiple times: a user has accounts. A user is someone who is real; an account is something which is virtual. Let's say I have a Facebook account; you can't touch it, it exists only virtually. I am a user; you can touch me, because I really exist in this world, and based on me my account is there. If I exist in this world, that is why my bank account is there. It is not possible to have a bank account for a person who never existed on the Earth. So that is how we can say a user is someone who is real and an account is something which is based on a user's information. Let's say a user has ten kinds of information; if you pick two or three of them, we can create the account. You as a user have a first name, last name, middle name, father's name, hobbies and a number of other things, education, degree certificates, a lot of information. Let's say the first name, last name and phone number create a WhatsApp account or Instagram account, right? So a subset of your information creates an account. An account is something virtual; a user is someone real. And a third way to explain it: a user has accounts. An account cannot exist without a user, but you cannot say the reverse. "User has account" means the account exists because the user exists; the user does not exist because of the account. So this is all about user and account. In the next section we will discuss more details and other topics which are very important to IAM. So let's meet in the next one.

15. Role and Rule Membership: Welcome back. Today we are going to discuss a very important entity in identity and access management: the role. Roles play a very important role in identity and access management. What I said, "roles play a very important role", sounds funny, but it is true. To make you understand, let me tell you a scenario. Let's say a guy just got hired in the company, and after that he was added to a project called Nestle. Let's say a different guy joined the same project on the same day. So, for example, two new employees joined the Nestle project, and everyone needs access to these three resources, which you see on the screen. So what do we need to do? Does the DBA need to perform an operation three times, one operation for the first resource, a second for the second resource, a third for the third, running some query each time, so that after three operations this guy gets the three resources; and then the same again for the second guy? Means the DBA needs to perform six operations in order to give the resources to the two new employees. Hence, to reduce this manual task, he will create a role, let's say R123. A role is created to reduce such operations. After the role R123 is created, he will set a policy saying: if the user has role R123, he will automatically get access to the resources R1, R2 and R3. So this role R123 gives the common access to the employees. We use a role to create and manage the records of a collection of users to whom you want to permit access to common functionality, such as access rights or permissions. Now consider a scenario. Right now there are two users, but if there were no role and there were 10,000 users, the DBA would need to perform 10,000 × 3 = 30,000 operations. With the role, the DBA does not need to do that; he just needs to add R123 to each of the 10,000 users. So rather than 30,000 operations he performs 10,000. But is performing 10,000 operations not also a hectic job? So, in order to automate it, rather than performing these 10,000 operations for all the new joiners who need this role (30,000 is bigger and 10,000 is smaller, but 10,000 is still a very big number), I can create something called rule membership. If you create a rule membership, the DBA does not need to perform a single operation, zero operations. After that, when anybody joins the company, we write a rule membership where if-else logic is there, and the rule membership will check automatically. Let's say I write the logic: if user status equals new, meaning a new user is joining the company, automatically assign role R123 to this particular user. In this way, whenever anybody joins the company, the rule membership sitting in front of the role keeps on checking and assigns the users to the particular role. That is rule membership. So how can I define rule membership in one line? The condition upon which a role should automatically be assigned to the user is called rule membership. I will show you the rule membership in the practical.
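The role, rule membership and access policy chain from this lesson, as an added example in Python. This is not the course's code and not any IAM product's API; it is a toy model whose data model and function names are this example's own assumptions. It keeps the lesson's names: one membership rule (user status equals new gives role R123) and one access policy (R123 provisions accounts on the three resources R1, R2 and R3). It goes one step beyond the lesson by also revoking the role and deprovisioning the accounts when the condition stops holding, which is the same automation run in reverse and what keeps access tied to a justifying role.

```python
from dataclasses import dataclass, field

# Assumed data model (this example's own, not an IAM product's schema).
@dataclass
class User:
    login: str
    status: str                                  # e.g. "new", "active", "terminated"
    roles: set = field(default_factory=set)      # roles held (all rule-granted in this model)
    accounts: set = field(default_factory=set)   # targets on which an account is provisioned

# Rule membership: a condition on user attributes -> the role granted automatically.
# The lesson's rule: if user_status == "new" then assign R123.
MEMBERSHIP_RULES = [
    ({"status": "new"}, "R123"),
]

# Access policy: a role -> the targets provisioned for anyone holding it.
# The lesson's policy: if role == R123 then provision R1, R2 and R3.
ACCESS_POLICIES = {
    "R123": {"R1", "R2", "R3"},
}


def evaluate_membership(user, rules=MEMBERSHIP_RULES):
    """Return the roles whose membership conditions the user currently satisfies."""
    return {
        role
        for conditions, role in rules
        if all(getattr(user, attr) == value for attr, value in conditions.items())
    }


def evaluate_access_policies(roles, policies=ACCESS_POLICIES):
    """Return the union of targets that the given roles entitle a user to."""
    targets = set()
    for role in roles:
        targets |= policies.get(role, set())
    return targets


def sync_user(user, rules=MEMBERSHIP_RULES, policies=ACCESS_POLICIES):
    """Bring one user in line with the rules and policies; return the operations done.

    Roles are granted when a rule matches and revoked when it stops matching
    (this toy model has no directly assigned roles, so every role is rule-based).
    Accounts follow the roles the same way, so nothing stays provisioned without
    a role that justifies it.
    """
    ops = []
    wanted_roles = evaluate_membership(user, rules)
    for role in sorted(wanted_roles - user.roles):
        user.roles.add(role)
        ops.append(("assign_role", user.login, role))
    for role in sorted(user.roles - wanted_roles):
        user.roles.discard(role)
        ops.append(("revoke_role", user.login, role))

    wanted_targets = evaluate_access_policies(user.roles, policies)
    for target in sorted(wanted_targets - user.accounts):
        user.accounts.add(target)
        ops.append(("provision", user.login, target))
    for target in sorted(user.accounts - wanted_targets):
        user.accounts.discard(target)
        ops.append(("deprovision", user.login, target))
    return ops


def sync_users(users):
    """Run the automation over every user: zero manual steps for the DBA."""
    ops = []
    for user in users:
        ops.extend(sync_user(user))
    return ops


if __name__ == "__main__":
    # Constructed sample: two new joiners on the Nestle project and one existing user.
    joiners = [User("emp1", "new"), User("emp2", "new"), User("emp3", "active")]
    for op in sync_users(joiners):
        print(op)
```

Running the same `sync_users` over 10,000 new joiners performs the 40,000 role and account operations the lesson counts (one role plus three accounts each) with no manual work, and a second run over unchanged users does nothing, which is what lets the rule membership be evaluated on a schedule.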
So let's say we write a condition like this: if user_status equals new, meaning if someone newly joins the company, then you define the then-condition, which is: assign R123 to the user. In this way the rule membership removes a lot of hectic manual work from people. Initially what did you have to do? You had to manually assign the role to the user, and that was a very hectic task. So that task, that assignment of the role, is automated with the help of rule membership: it is the automation of assigning the role. Based on this automation you get the role, and since you get the role automatically, you get the resources in identity and access management. Then there is something called access policy. Access policy is nothing but the automation of provisioning; it helps us automate the process of provisioning. So access policy does a separate thing from rule membership. How does an access policy work? Let's say a user joins the company and, based on the rule membership in the middle, he gets role R123; after getting R123 he should be added to the targets, let's say three targets. In the middle there is something called the access policy. What does it do? It checks: if role equals R123, then provision the user to, let's say, Active Directory, provision the user to Exchange, provision the user to Skype, to Documentum, anything. In this way the flow works. Right now we are not discussing how the access policy actually works; I am just giving a brief overview. It is very easy: if you join the company, then based on the rule membership you get a role. Let's say the rule membership is "if status equals new"; here the new employee's status is new, so based on status equals new the rule membership adds you to R123. Then the access policy, let's say AP123, checks whether you have R123 or not, and if you have R123 it assigns you the resources R1, R2 and R3. It is very simple, right? I hope you are smart enough to understand this; it is not a very hectic thing, so don't worry about it. I will show you how to create this rule membership in the next video. Let's meet in the next lecture.

16. Connector: Before discussing the connector, the very first question that comes to mind is: what is an IT resource? An IT resource is nothing but a place where you keep all the connection-related information of the target. Let's say there is a target whose name is Marcel, whose port is 1521, whose door number is this, whose area is this, and so on. All his information is kept inside the IT resource. Let's say this guy is living in the USA; in the USA he is living in New York; in New York he is living in a colony whose name is XYZ, and in the colony his door number is, let's say, 1521. This way you can understand it: whatever his parameters are, the connection details by which you can reach him, are kept stored in the IT resource, so the IT resource always knows where he is living. So an IT resource is nothing but a place where all the connection information, the configuration details of the target system, is stored. Next we are going to talk about connectors. What is a connector? A connector is nothing but a translator between your OIM and the target. Let's say OIM is a guy who speaks English, and over here is a guy who speaks Tamil, and this other guy speaks only Hindi. I want to communicate with the one who speaks Tamil and with the one who speaks Hindi, but I don't know their languages and they don't know mine. So how will the communication happen? There is a guy who knows everything: he knows Tamil as well as Hindi, and he knows me. This guy works as a connector; he is placed as a mediator. Whatever you want to tell the target, you tell him; he understands it and lets the target know what you want to say. After that he gets the response from the target, takes it and converts it into whatever you understand. So we can say a connector is nothing but a translator between OIM and the various targets. Now, this guy knows Tamil and Hindi. Let's say tomorrow a new target comes who speaks only French, but this connector does not know French. Do you think the same connector is applicable for that particular target? No. You need a different connector, one who can connect to that particular target because he understands French. So you need someone who understands the language of whatever target it is, Tamil or French or anything else; if a connector does not have this feature for a target, you need to go for a different connector.
By default, we go for a different connector for each target; each target has its own connector. So if connector C1 is for target T1, then for target T2 we have connector C2. Now, what I was talking about before: this connector actually uses the IT resource in order to know where the target exists. On its own it does not know where the target is; it takes the help of the IT resource, which tells it where things are, and then the connector establishes the connection. So the IT resource is used by the connector to find where the target is. The next question that comes to mind: at the end of the day this is nothing but an integration, integrating your OIM with the target. So what is the purpose of this integration? The purpose could be, first, that you want to manage the target's accounts. What is meant by that? Let's say in the target, in AD or whatever it is, there are 50 accounts, and the same 50 accounts are present in OIM. You don't want to log in to AD every time to manage them; you want to manage the same thing from OIM itself. That management is possible when the integration is done: you want to manage this particular target, so you integrate it with OIM, and once the integration is done you can manage the target from OIM while you are sitting in OIM. I hope I am making sense. The second purpose is trusted source reconciliation: there is a trusted source from where the data comes to you, and that is also managed and configured using different connectors. So generally there are two kinds of management we do with a target. First, we do reconciliation from the target. It means we manage it in such a way that if some changes happen in the target, they should replicate to OIM; that is managed via target reconciliation. And if some changes happen at the OIM level and you want to replicate them to the target, that is managed using provisioning. So in the target integration we can have bidirectional management: from the target, changes are replicated to OIM using target reconciliation, and changes in OIM are replicated to that particular target using provisioning. But in trusted reconciliation you cannot find that kind of bidirectional thing; only a single direction is there, from the HRMS or other trusted source system to OIM, unidirectional. Let me explain again. You already know what target reconciliation is. In target reconciliation, let's say there is a user in both places whose name is Sunday, and in the target his name changes from Sunday to Monday. That change is replicated, meaning whatever is there in the target should sync to OIM; that is target reconciliation. So what things can be there in target reconciliation? Modification is there, delete is there, and create could also be there, based on the configuration. Provisioning is something like this: let's say today a new user joins the company; he should be in OIM, and from there the account should be created in the target, so that create activity is performed in provisioning. Or some user is already there in OIM and in the target, let's say AD, and his modifications replicate to the target. So create, modify and delete, all kinds of activity, are taken care of in provisioning: wherever some entry is created, modified or deleted in OIM, it is replicated to the particular target. That management is taken care of in provisioning. And there is a third thing, which I already mentioned: trusted source reconciliation. What is trusted reconciliation? Trusted reconciliation is where you have a trusted source, or authoritative source, because that is a source whose data we blindly believe. Whatever new thing comes into that system, whatever changes you make there, will replicate to OIM; that is how trusted reconciliation happens. If you add some users there, the system will automatically create them in OIM; if you modify a user over there, it automatically gets modified in OIM; if you delete some user over there, it gets deleted from OIM as well. Next, you can see the pull and push models: in the pull model OIM is pulling the data in; the other is the push model. Now the next question that comes to mind: fine, I understood, you want to integrate, so let's integrate. But how are you going to integrate? That is the question, right? How to integrate these things? It is not a one-shot thing. Say you need to integrate a database. But as I just told you, the database only speaks SQL, structured query language, and OIM is a guy who talks differently. So how will OIM talk with the database? The thing is, we need someone who will help with this configuration, and here the role of the connector comes into the picture. There are three different ways connectors are used in the IAM industry. The first, very common way is the out-of-the-box connector, or predefined connector: in more than 80% of cases it is already there, and you just need to configure it on both sides. The second very famous way is based on customization: the adapter factory, a very powerful feature given by OIM. You don't need to write the code like we used to do in the earlier versions of OIM. What I am saying is: you have a requirement, you want to connect your OIM with some target; you don't need to write the code and waste your time, the client's time, writing code for two or three months, when maybe the code fails anyway. Oracle has already validated the code for you; we already have code ready for you, and that is called the adapter factory. Just go over there, generate the code and connect. The third way is the generic technology connector. What is a generic technology connector? Let's say a requirement comes tomorrow: you want to connect your OIM with a target, let's say a database. Today it is an Oracle database; tomorrow MySQL comes. For the database, let's say we have a connector C1 with DB1, where DB1 is an Oracle database. MySQL is a separate vendor; those people created their own database, their own product, the MySQL database. For that, what do you have to do? You have to create connector C2; and for a target T3, connector C3 is required. How to deal with that? Oracle thought: why waste our engineers' time and money creating three different connectors? What we will do is create a generic connector and modify that connector as needed. That modification is not as easy as with a predefined connector.
Your William engineer should use their brain and just configured or general connector, and that general connector could be created as in the general base. Under general connector, you can create an instance like I 80. You can create a instance off while you re you can create a insert off my school means you're gentle connector. You can make it such a way it could use The journal connector could be used to connect to the Oracle database. If you configure it like that, if you have my square did not and worry about that you will use you will configure your general connector in such a way it can be connected with the my square database as well. So these were This was the whole concept for developing this particular general connect up . So the thing is more than 80%. We will use that this out of books connector. Okay, If you are not gonna use their out of box connector is not available. You have to pick either off them. Most of the time. People pick them. Pick this on sometime if there is no general connected at all. So go ahead and customizer connect. So let me discuss about something called out a box of pretty fine connector. I already told these Are the connector defined for a particular target? Simply remember, if there is your target, the one he'd have, it's pretty fine. Connected. Let's say PC one pretty fine. Connector one, if we're target to it, have a pretty fine connector. PC toe. Okay. And so on. So PC one is for target. The one the specie One is for Target T one. So you can't use that PC one for charity toe for this, Tito, you will get in another prettify in connector so you can tell that most of the cases each target have their own pretty fine connectors to connect it from him. Okay, so if I'm a vendor like Sam or you D vendor or a tea vendor I know tomorrow somebody want to integrate their company with 80. So definitely 10 I want o increase my market. If I want to increase my plane, I will make a connector. Really? 
I already make ah pretty find connector before selling the product in the market. So tomorrow, if somebody wanted toe integrate their company with my product, it's very easy for them. They don't need to put extra money nobody wanted. Put extra money and effort. Okay, everybody born. Things should be given as much as it is available free, of course. So what I will do before launching my any of the product I will provide with my product a free, off cost out of box connector. So tomorrow you want to connect with my prick connected. Use it connected, but still. Let's say there are many target. There are many target. They don't have their photo books connected. Okay, there is no out of box connected for them. There is no at all. It's not implement right tomorrow. Somebody newly came to the market and they're told this is my new product. But definitely there could not be a connected. Maybe take 2 to 3 years. Somebody will come and develop the connective. From the fourth year onwards, the connector will be free. But let's that there is no connector. So this moment off name the pre defined connector conserve, Wolfie. Pretty find will only available if the vendor make these things available. If the vendor is not having the connector to connect to their product, so you should go and ask article. Hey, I want to connect with the target team on how to do that. There is no connector. See one for their t one. So the article can give you two solutions. Oracle can check. Tell you. Can you please tell me what is their target type? Let's say you are telling the target type is database. And then Oracle ask the next question. What is their target are like, What is the target vendor? Let's see. You do It is my scwill Oracle tools. We have a connector for our Oracle database. We don't have a my SQL connect. What you can do, we will pay me. I will create a my school connected and we'll sell it to you. Or go to the my school People they will create or they will sell to you. 
It's up to you what you want. We're definitely up to pay. Okay, right. So why you will choose the wine? We will choose different like cell point that when I am right, this kind of like, ah Ford Iraq, like this kind of fight entered a nexus management. So in order to survive in the market, right or a closet article created gender technology connectors. What article will tell you now what you need to do? You don't need to create Ah, like don't need to pay for creating a connector from the scratch. I'm giving you already 80% prepared connector. Put your some logic and make it 100% Amuse it over there. There is a second approach. Oracle will suggest to the tired approach. Let's see, the target type is nor database not file system, not cloud. This is a something which was never there in the mark. So definitely there will be no general connected at all. So what to do? Go for the custom connector. Okay, try to customize the thing by your own Java code, it will help you toe create them like some default Java codes after five. Pretty good. But if they left perfectly also have some limitations. It's not able to create. Write your own shall accord. Collect the information about the target. What is the connection parameter and all? OK, how to connect that How to make let's say, Oh, I am generally talk with database. That thing you need to write in your job. Okay. So busy their target radio job record and connect. So I hope this point is clear about the connector. So before Target like trusted reconcilation chapter where we will recount the things I want to start, I want to talk about something called re consolation type, which you already know on next year's types of the cancellation morts. It's free cancellation of two more for the cancellation and increments. So what is fully consolation? More? Let's in the William. There are 50,000 users if you run fully consolidated. 50,000. Welcome. Let's say one new user board added, Let's say in in the tar Electra. 
In OIM, it is: in HRMS, in the trusted source, 50,000 users are there. You run full reconciliation; those 50,000 entries will be created in OIM. Let's say again new users join. Let's say 100 new users join in the target. So 50,100. When you run full reconciliation again, it will again run for the first 50,000, which is a waste of time, and then it will create the next 100 entries. For creating these next 100 entries, it's not worth going through that 50,000-user reconciliation again. So at that moment of time, incremental reconciliation came into the picture. This incremental reconciliation will run from where you ran the last time. So already you have created 50,000 users. So in incremental reconciliation, you choose the point from here to here, and it will incrementally run from there. So this is the purpose of this reconciliation. But there are different varieties of reconciliation, like there is batched reconciliation. Batched reconciliation means, let's say there are 15 users or 20 users; rather than sending the 20 users together, if a failure happens, you will lose these 20 users' data and you have to run the reconciliation again. If some failure happens while processing in the middle, what you need to do? You need to create batches. Let's say one batch passes and it gets a failure at number two; so you will lose only these two batches' information. One is already there. So at this moment of time we will only run for these two batches. Okay, so it will save your time, effort and money, because in an organization time is money, so you should not deal with the time; you can have an adjustment in money, but time, no. So here you can see, let's say I have a record of 13 people and I want to send those people's information. So let's say I have created a batch size of five. Okay.
And the number of batches is three. Okay, so batch one will have five, batch two five, and the rest three in my third batch. So here you have to choose the point from which batch you need to start. Select to start from batch number one. From batch one it will pick the data and throw it to OIM; batch two picks the data and throws it to OIM; batch three picks the data and throws it to OIM. So if you are not specifying batched reconciliation, by default it's a normal, non-batched reconciliation. Then there is limited reconciliation. Let's say out of 50,000 users you just want to recon two or three users, or a number of set; you want to recon the users whose department is something like that, or whose first name is this, or last name is that, or email is that. So you can write your query, and based on the query... Let's say there are two guys; any number of people are in the team, and I want to fetch, I want to recon from HRMS to OIM, the information of Kevin and Bob. So what I will do? I will write a query which will only fetch where first name equals Kevin or equals Bob, and I will recon them. Okay. If you're not doing so, a limited reconciliation will be a regular reconciliation. Like other cases, there is something called periodic reconciliation. Periodic reconciliation means, let's say, every 12 a.m. or 1 a.m. or 1 p.m., whatever time you set, automatically the scheduler will run and fetch data from HRMS to your OIM. Okay. So that's the thing. Let's say there are 10,000 users who joined a company. Let's say right now it's 9 a.m. and they just joined the company. Your recon is going to run in the afternoon at 12, after three hours. But you immediately want those people in OIM; these are very critical accounts. Okay, so what to do? Should you wait three hours? No, business is not telling you that you should wait three hours.
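The reconciliation modes described above (full, incremental, batched with a restart from a chosen batch number, and limited by a query), as an added, runnable illustration. This is example code written for this page, not OIM's own reconciliation engine; the HRMS records, the `change_seq` counter used as the incremental checkpoint, the `IdentityStore` stand-in for the OIM user store and the 13-person sample (batch size 5, three batches) are all constructed for the demo.

```python
"""Reconciliation modes from a trusted source (HRMS) into an identity store.

Added example for this page, not OIM code.  The sample data, the change_seq
checkpoint and the IdentityStore stand-in are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    first_name: str
    department: str
    change_seq: int  # monotonically increasing change counter in the trusted source


@dataclass
class IdentityStore:
    """Stand-in for the OIM user store plus the reconciliation checkpoint."""
    users: Dict[str, HrRecord] = field(default_factory=dict)
    last_seq: int = 0   # highest change_seq reconciled so far (incremental checkpoint)
    events: int = 0     # recon events processed: the "time is money" cost in the lecture

    def apply(self, rec: HrRecord) -> None:
        self.users[rec.emp_id] = rec
        self.last_seq = max(self.last_seq, rec.change_seq)
        self.events += 1


def full_reconcile(source: List[HrRecord], store: IdentityStore) -> int:
    """Full mode: every source record is processed again, present already or not."""
    for rec in source:
        store.apply(rec)
    return len(source)


def incremental_reconcile(source: List[HrRecord], store: IdentityStore) -> int:
    """Incremental mode: only records changed after the stored checkpoint."""
    pending = [r for r in source if r.change_seq > store.last_seq]
    for rec in pending:
        store.apply(rec)
    return len(pending)


def limited_reconcile(source: List[HrRecord], store: IdentityStore,
                      query: Callable[[HrRecord], bool]) -> int:
    """Limited mode: reconcile only the records matching a query (e.g. a name filter)."""
    matched = [r for r in source if query(r)]
    for rec in matched:
        store.apply(rec)
    return len(matched)


class BatchFailure(Exception):
    def __init__(self, batch_no: int) -> None:
        super().__init__(f"batch {batch_no} failed")
        self.batch_no = batch_no


def batched_reconcile(source: List[HrRecord], store: IdentityStore, batch_size: int,
                      start_batch: int = 1, fail_on: Optional[int] = None) -> int:
    """Batched mode: push records batch by batch, starting at start_batch (1-based).

    Batches completed before a failure stay in the store, so the caller re-runs
    from the failed batch number instead of from batch one.  fail_on simulates
    an error while processing that batch.  Returns the last batch completed.
    """
    batches = [source[i:i + batch_size] for i in range(0, len(source), batch_size)]
    completed = start_batch - 1
    for batch_no, batch in enumerate(batches, start=1):
        if batch_no < start_batch:
            continue                       # already reconciled in an earlier run
        if batch_no == fail_on:
            raise BatchFailure(batch_no)   # simulated mid-run failure
        for rec in batch:
            store.apply(rec)
        completed = batch_no
    return completed


# Constructed sample trusted-source data: 13 employees, change_seq 1..13.
SAMPLE_HRMS: List[HrRecord] = [
    HrRecord(f"E{n:03d}", name, dept, n)
    for n, (name, dept) in enumerate([
        ("Kevin", "Finance"), ("Bob", "Finance"), ("Alice", "HR"), ("Dan", "IT"),
        ("Eve", "IT"), ("Fay", "Sales"), ("Gus", "Sales"), ("Hal", "HR"),
        ("Ivy", "Finance"), ("Jon", "IT"), ("Kim", "Sales"), ("Lee", "HR"),
        ("Max", "IT"),
    ], start=1)
]


if __name__ == "__main__":
    store = IdentityStore()
    full_reconcile(SAMPLE_HRMS[:10], store)      # initial load of 10 users
    incremental_reconcile(SAMPLE_HRMS, store)    # 3 joiners cost only 3 events
    print(len(store.users), store.events)
    batch_store = IdentityStore()
    try:
        batched_reconcile(SAMPLE_HRMS, batch_store, 5, fail_on=2)
    except BatchFailure as err:
        # batch 1 (5 users) is kept; restart from the failed batch only
        batched_reconcile(SAMPLE_HRMS, batch_store, 5, start_batch=err.batch_no)
    print(len(batch_store.users), batch_store.events)
```

The `events` counter is what makes the lecture's argument visible: after an initial load of ten users, reconciling three joiners costs three events in incremental mode but thirteen in full mode, and a failure in batch two of three is recovered by re-running batches two and three rather than the whole set.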
There should be some other way. So the other way is on-demand reconciliation. On-demand reconciliation means you will forcefully run for those particular people right now. So just go there in the scheduler and hit Run Now. That's it, and it will fetch from HRMS; it will run before the time. Okay, let's say you run it now at 9 a.m.; the entries will come. And let's say again after that, let's say five users again got added, and you did not run an on-demand reconciliation. So they will get added automatically when the 12 o'clock periodic reconciliation runs.

Now let me talk about something called provisioning. Okay? So anybody, any doubt till here? Okay, so I take it as no, and let me talk about something called provisioning. Okay? Provisioning has three modes. Okay: request-based provisioning, policy-based provisioning and direct provisioning. Let's say you are in OIM. You want to request some account in AD or so. So what do you do? You just go, and there is a button called Request Account, right? So when you click on Request Account and you add it to the cart and submit it, it will go for approval. And if it is approved, you will get that account, or you will be added to the role. That is called request-based provisioning: it means you are requesting some account, and this will go for some approval. If the approval is done, you will get added to the account. Okay. Then there is one thing called policy-based provisioning. What is that policy-based provisioning? Let's say you newly join the company. So what happens? You joined the company and you need, let's say, cafeteria access, main door access, email access, some basic access, right? So initially we needed to do it manually. Right now what people will do: they will assign some roles to you. Let's say newly joined people will be added to a role, RMP. There is a concept of access policy. What is access policy?
That's why it's called policy-based: this policy will see if role equals RMP, and immediately give this access. Okay, so initially, what we did first: you had to go here, and when the access policy was not there, you had to manually add these entitlements to the user. Now you have created a role with these entitlements, and what the access policy will do: it will trigger for this role. Let's say you have the role RMP, and in RMP you have business entitlements or access. If you are getting RMP, it means you should have this access. As per the policy of RMP, RMP is defined in such a way that if you have RMP, you will get these three or four accesses. Okay, so in the same way, if you are getting the role RMP, immediately this access policy will do these things. You don't need to manually provision, so it automates the provisioning. So that's why we call it automation. If you want to do the provisioning, you should be very good in access policy.

17. Plugins: What is a plugin? A plugin is nothing but a piece of software, or nothing but the way by which you can extend the functionality of OIM. It is nothing but software that extends the functionality of OIM. Okay, so what is the meaning of this? Let's say this is OIM. So you have some functionality, right? We already discussed when we started our journey; I already told you the functionality coming with this particular version of OIM. But what happens if you want something more? Let's say OIM is giving you, let's say, seven to eight features out of the box. But what happens if you want something more which this product is not giving out of the box, which is not coming by default? So what did these people, Oracle, do? These guys know one day maybe you will not be satisfied with the product. You will not be satisfied with the product because this product is not giving everything in the world. Okay, most of the things are there.
But maybe tomorrow you will find your business requires something more from this product, and those things are not available. So what did they do? They made something called a plugin point in the product. So these are nothing but the plugin points. So what is this plugin point? These plugin points are the points from which you can connect to your OIM; you can extend your OIM features. Every plugin point is different from other plugin points. There are any number of plugin points coming with this product. So let's say this is a plugin point for some other task. Let's say you want to create a scheduler; you will extend this plugin point. You want to create some different functionality; you will extend this plugin point. Okay, you want to create one event handler, which will handle a particular event, let's say in the pre-process stage; so you will use this plugin point. So these plugin points are nothing but to extend the functionality of OIM, and each plugin point is different from the others. So why use this plugin point? This plugin point is nothing but, basically, in your home you have an electric board, and in the electric board there is a plug point. You put your laptop plug there. So when you put your laptop plug in, what happens? Because of this plug point, your laptop starts charging. Okay, so this gives an extra feature to your laptop. These are the points using which you can plug in other concepts, okay?

18. S.O.D: The agenda is SoD. So SoD is nothing but segregation of duty, or you can tell it's separation of duties. So what is that SoD? So let's say what happens: let's say there is a guy, and this person is requesting some entitlement for himself, or some access for himself. What happens if he requests the entitlement and he is the only approver? It means he's the requester and he's the approver. What will be the scenario?
This means he can request any number of things in the company; he will approve them and enjoy them. So these kinds of things we cannot entertain in any organization. So that's why, if you request anything, there will not be only one person who will approve it; there will be a set of persons who will approve it. Okay, it means a requester, first of all, cannot be the approver alone; there will be a set of approvers who will approve the request. So in this kind of situation, whatever duties are being performed, we need to separate them; we need to separate their duties among people. Let's say he's requesting, but he should not approve the things. So what we have to do? We need a second person to verify his task, verify his duties. Let's say he's requesting this entitlement; there will be someone else, other than him, who will verify it, and he will approve it. For that, this is called separation of duty or segregation of duty. And let's say, what if he's going to request the thing and he's again approving? So in this way, a lot of compliance issues will come in an organization. So that's why we don't entertain that generally. So in that case, what happens? Let's suppose a scenario: this guy is requesting and he's also approving. So in that case, this combination is called a toxic combination. This is called a toxic combination in OIM, okay? This is called a toxic combination. What does this toxic combination mean? If you are creating a request, let's say the user is creating a request, and the same user itself approves the request, okay, approves the request, at that moment of time this kind of combination is called a toxic combination. And generally we don't entertain this kind of toxic combination because it can create a lot of issues. So that is why separation of duty or segregation of duty is required. It means whatever you request is fine.
Maybe you are a senior associate, or maybe you are a manager, or maybe you are a senior manager. It's fine, but there will be someone who will approve you. Okay, so let's say you are thinking you are my manager; you are approving a lot of things. So whatever you request, you can't approve. Let's say an employee working under you requests something; you will approve. But what if you were going to request? There will be someone else for approving your things, okay? So that's why it's called separation of duty or segregation of duty: to save from this toxic combination, because this could do a lot of harm in an organization. If a guy who is requesting is also the approver, at that moment of time it's a very, very dangerous combination; that is a toxic combination. So by default we don't entertain providing such a scenario where you have the option to request as well as approve. Okay, so at that moment of time, separation of duty or segregation of duty is required. Why separation of duty? The first question is: why is separation of duty or segregation of duty required, and how is it related to OIM? So separation of duty or segregation of duty is required because it prevents users from having toxic combinations, and that toxic combination is sometimes, in an organization, called a conflicting set. Okay, so because of this, you are preventing a person from having a toxic combination, or a conflicting combination, or a conflicting set of entitlements. Entitlements are nothing but access. Okay, so what is entitlement? We will discuss entitlement, role and these things in a separate session; there are a lot of things. So for now, you can treat it like it is an access, or you can treat it like a thing. In Amazon, whatever you are ordering, those are the entitlements. Let's say you added clothes, you added, let's say, bread, butter. Let's say you order bread, butter and jam, like that.
These kinds of things, coffee, these kinds of things, whatever things are in your cart, are called entitlements for now. You can treat it like that for now. It is nothing but: it prevents having the toxic combination or conflicting set of entitlements. It means you are requesting some entitlement and you are not the approver of that particular entitlement. Okay, so it prevents a person from having the ability to create the order and approve it. That's the concept. So in an enterprise, every enterprise generally has a business-application-specific SoD engine. It means in any enterprise, wherever you go, there will be a separate SoD engine. You will find there will be an SoD engine which will take care of these SoDs. So what happens in any enterprise? Every enterprise will have, okay, a business-application-specific SoD engine. So there are multiple specific engines related to the business which the enterprise is using. So there are multiple engines. A few examples, if I tell some examples of SoD engines in any company: OAACG, or SAP GRC; these are engines. And let's see what is the full form of SAP: System, Application, Product; you can Google it: System Application Product in data processing. And GRC is Governance, Risk, Compliance. So the full form is not important; nobody will ask you the full form. The main thing is, these are some examples, and the main purpose: every company has its own SoD engine. Okay, they define and enforce SoD policies on the entitlements within the application for that user. Let me write that point; this is a very important point.
So that means this SoD engine defines and enforces, as well: these SoD engines will enforce your company to follow the SoDs. It means if somewhere there is a conflicting set, they will immediately stop that person there. There the SoD rules are defined; rules are defined. So let's see: it enforces SoD policies, okay, on the entitlement (I'm writing entitlement in the short form). It means you are not supposed to request anything whatsoever and also be the approver; this kind of SoD policy will come immediately, and this policy resides inside the SoD engine, and it will stop you from doing that. Okay, within the application for that user. Okay, so for an application, if you're raising an entitlement at that moment of time, what happens? Let's say you're raising an access; at that moment of time, this SoD will come and enforce the policy, and it will stop you doing that. So let's say this user is there, and what happens? He has just created a request. Let me copy this again; we will understand it. See, this user is there, and what happened? He is creating a request. So what happens at that moment of time? Somebody will be here; the SoD engine will be in the middle. So let's say this is the SoD engine. Okay, let's say this is the SoD engine. So what will this SoD engine do? Let's say he's creating a request. So anything will pass through SoD, okay; it will pass through SoD. Let's say he's creating a request. Okay, so the request is: create request. So he's creating a request, and let's say he is trying to approve the request as well, approve the request. So at that moment of time, it will not allow it. So let's say he's trying to approve this particular request.
So at that moment of time, what will happen? He's trying to approve it as well. So at that moment of time, SoD will come into the picture and SoD will enforce: you are not allowed to do that. So at that moment of time, what will happen? SoD will come and it will cancel this approval. Okay, because you're not supposed to do that. You were allowed to create the request, but you are not supposed to approve the request. There will be a set of different approver people for you, and for those approver people again there will be approver people. There is a chain like that in an organization. So what does an SoD engine look like? What is inside this SoD engine? So let me discuss the SoD engine framework. So what is inside that SoD framework? So first of all, in SoD, there is something: the word SoD itself, segregation of duty or separation of duty, is a concept, okay, of having more than one person required to complete the task. It means initially, if you are the only approver and you are the requester as well, at that moment of time it can create issues. So we need more than one person there, okay, to complete a particular task. So that is called SoD. Okay, so at that moment of time we have two people, like here you can see we have two kinds of people: one is the requester and there is always an approver. So what will it do, what will it impact actually? So there is a requester and an approver always there. Only one requester cannot be the approver in that case. So it prevents fraud. It prevents fraud and errors. It means you try to do some wrong activity; at that moment of time you can't do it because there is another guy who also has the same powers. Okay, so we can call this SoD as well. Segregation of duty: there is a word which is used, called separation of power.
Separation of powers means you alone don't have the power; it means together you can do any task, but alone you cannot. It means the power is divided among separate people. So that is called separation of power. And there is one other term also: sometimes it is called separation of power; in the political realm it is also called separation of powers. Okay, so these are some terminologies which are used in separation of duty or segregation of duties. So the main thing is, separation of duty and segregation of duty is something where you are allowed to request, but you are not allowed to approve your request which you are requesting. You can approve a request of another person, but you cannot approve the request of yourself. So that is separation of duty. So if you are the requester and the approver as well, at that moment of time it is called a toxic combination. So this is the first thing: there should not be any toxic combination or conflicting set in any organization. Okay, let's say John Doe is a person. He is the requester of an entitlement, E1. So at that moment of time, he should not be the approver of that particular entitlement E1. There should be some other person, let's say Rohit or somebody, who will approve that.
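The SoD engine sitting between the request and the approval, as an added example for this page; it is not OIM's, OAACG's or SAP GRC's code. It enforces the two checks the lesson describes: the requester may never be the approver of their own request (the toxic combination), and a conflicting set of entitlements must never end up fully held by one user. The rule names, entitlement names and users (`john.doe`, `rohit`) are constructed for the demo, and the engine goes one step beyond the lecture by re-running the conflicting-set check at approval time, since the user's holdings may have changed between submission and approval.

```python
"""SoD engine enforced at both the request and the approval step.

Added example for this page, not OIM's or any vendor's SoD engine.  Rule names,
entitlement names and users are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    name: str
    conflicting: FrozenSet[str]  # entitlements that must never be held together


@dataclass
class AccessRequest:
    request_id: int
    requester: str
    entitlements: Tuple[str, ...]
    status: str = "PENDING"
    approver: str = ""


class SodViolation(Exception):
    """Granting the request would complete a conflicting set."""


class ToxicCombination(Exception):
    """Requester and approver are the same identity."""


class SodEngine:
    def __init__(self, rules: Iterable[SodRule]) -> None:
        self.rules = list(rules)

    def conflicts(self, held: Set[str], requested: Iterable[str]) -> List[SodRule]:
        """Rules whose conflicting set would be fully held after the grant."""
        after = set(held) | set(requested)
        return [r for r in self.rules if r.conflicting <= after]


class AccessRequestSystem:
    """Request-based provisioning with the SoD engine in the middle."""

    def __init__(self, engine: SodEngine) -> None:
        self.engine = engine
        self.held: Dict[str, Set[str]] = {}        # user -> entitlements already held
        self.requests: Dict[int, AccessRequest] = {}
        self._next_id = 1

    def submit(self, requester: str, entitlements: Iterable[str]) -> AccessRequest:
        wanted = tuple(entitlements)
        hits = self.engine.conflicts(self.held.get(requester, set()), wanted)
        if hits:                                   # stopped at request time
            raise SodViolation(f"{requester}: " + ", ".join(r.name for r in hits))
        req = AccessRequest(self._next_id, requester, wanted)
        self.requests[req.request_id] = req
        self._next_id += 1
        return req

    def approve(self, request_id: int, approver: str) -> AccessRequest:
        req = self.requests[request_id]
        if approver == req.requester:              # the toxic combination
            raise ToxicCombination(f"{approver} cannot approve own request {request_id}")
        if req.status != "PENDING":
            raise ValueError(f"request {request_id} already {req.status}")
        # Re-check at approval time: holdings may have changed since submission.
        hits = self.engine.conflicts(self.held.get(req.requester, set()), req.entitlements)
        if hits:
            req.status = "REJECTED"
            raise SodViolation(f"{req.requester}: " + ", ".join(r.name for r in hits))
        req.status, req.approver = "APPROVED", approver
        self.held.setdefault(req.requester, set()).update(req.entitlements)
        return req


# Constructed sample policy: two classic procurement conflicting sets.
PO_RULES = [
    SodRule("po-create-vs-approve", frozenset({"PO_CREATE", "PO_APPROVE"})),
    SodRule("vendor-master-vs-payment", frozenset({"VENDOR_MAINTAIN", "PAYMENT_RUN"})),
]


if __name__ == "__main__":
    system = AccessRequestSystem(SodEngine(PO_RULES))
    req = system.submit("john.doe", ["PO_CREATE"])
    try:
        system.approve(req.request_id, "john.doe")
    except ToxicCombination as err:
        print("blocked:", err)
    print(system.approve(req.request_id, "rohit").status)
    try:
        system.submit("john.doe", ["PO_APPROVE"])
    except SodViolation as err:
        print("blocked:", err)
```

Note the two distinct failure modes: `ToxicCombination` is about who approves, `SodViolation` is about what is held, and a request that was clean when submitted can still be rejected at approval if a conflicting entitlement was granted in between.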