1.2 How It Works

Without the Sentinel driver or the Identity Vault collector, Sentinel receives information from other collectors and then stores the data in tables in the data store. If the same user has different account identifiers, Sentinel treats each identifier as a unique account. Sentinel stores all of this information, but it is not able to make the connections it needs to realize that each identifier is referring to the same account.

The Sentinel driver enables you to track all account identifiers for each user and to track the status of those accounts, so you have a complete picture of user activities. Figure 1-1 illustrates how the Sentinel driver works with the Identity Vault Collector to capture this information.

Figure 1-1 Synchronizing Account Data

  1. An account for John Smith is created in Active Directory and synchronized to the Identity Vault via the Active Directory driver.

  2. An account for John Smith is created in the Identity Vault that contains the DirXML-Accounts attribute. The DirXML-Accounts attribute stores the different account identifiers from Active Directory.

  3. When the new account is created in the Identity Vault, the Sentinel driver detects that the DirXML-Accounts attribute is added and sends this information to the JMS message queue that is part of Sentinel.

    The different Sentinel versions use different message queues. If you are using Sentinel, it is a SonicMQ message queue. If you are using Sentinel RD, it is an ActiveMQ message queue.

  4. The LDAP driver detects the new account created in the Identity Vault, then synchronizes this information to the LDAP database.

  5. A new account is created for John Smith in the LDAP database as cn=jsmith,cn=users,dc=company,dc=com.

  6. The new account information is synchronized back to the Identity Vault and added to the DirXML-Accounts attribute as a new entry.

  7. The Sentinel driver detects the change to the DirXML-Accounts attribute, then sends this information to the JMS message queue.

  8. The Identity Vault Collector reads the account data from the JMS message queue.

  9. The Identity Vault Collector parses, normalizes, and enhances the account data and then stores the account data in the Identity table in the data store.

  10. The Sentinel correlation engine uses the information in the Identity table to generate reports of account activity per identity across all the systems provisioned by Identity Manager.

The second half of this solution allows the other Sentinel Collectors to use the account information to track whether business policies are being enforced or not. Figure 1-2 shows how the custom events and the events from other Collectors are used to provide a complete record of John Smith’s accounts.

Figure 1-2 Synchronizing Events

  1. The account John Smith is created in the Identity Vault by the Active Directory driver.

  2. The Sentinel driver detects this new account and sends the account information to the Identity Vault Collector, which stores it in the Identity Table.

  3. John Smith logs in to Active Directory, and that login information is sent to Sentinel through the Active Directory Collector.

  4. The Active Directory Collector receives the login event directly from Windows without going through the Identity Vault. Information is recorded in the Accounts table indicating that cn=John Smith,cn=users,dc=company,dc=com logged in at a specific time.

  5. If John Smith’s CN in Active Directory is renamed to John D. Smith, this information is synchronized to the Identity Vault via the Active Directory driver.

  6. The DirXML-Accounts attribute is updated with the new information, and the Sentinel driver detects this change.

  7. The Sentinel driver synchronizes the new account information to the JMS message queue.

  8. The Identity Vault Collector reads the new account information and writes it to the Identity table.

  9. When John Smith logs in again to Active Directory, the Active Directory collector records the login information.

  10. Sentinel performs a lookup on the Identity table and detects that John Smith and John D. Smith are the same user account. Sentinel can keep a complete record of user actions.

  11. Custom audit events for the Identity Vault are defined and added to each Identity Manager driver through policies. The policies add a layer of intelligence to Identity Manager and Sentinel by defining the business logic. For a list of these events, see Section 9.0, Custom Audit Events.

    These policies are part of each driver that ships with Identity Manager.

  12. You can generate useful reports about user accounts from Sentinel.

The Sentinel driver and the Identity Vault Collector provide the infrastructure that allows Sentinel to track each user’s accounts across systems. This awareness is what allows business policies to be enforced.
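The Identity-table lookup from Figures 1-1 and 1-2, as an added example that is not part of this guide or of the Sentinel driver: a small model in which DirXML-Accounts changes populate a table keyed by system and account identifier, and login events that reach Sentinel directly from a collector are resolved against it, including the rename from John Smith to John D. Smith. The `(system, identifier)` tuple shape, the `normalize` rule and all sample DNs are constructed assumptions, not the attribute's real syntax.

```python
from dataclasses import dataclass, field

# Constructed model of the Figure 1-1 / 1-2 flow: an Identity table keyed by
# (system, account identifier), filled from DirXML-Accounts changes, then used
# to resolve login events that reach Sentinel directly from a collector.
# The (system, identifier) tuple shape is an assumption, not the real syntax.
@dataclass
class IdentityTable:
    accounts: dict = field(default_factory=dict)  # (system, dn) -> identity

    @staticmethod
    def normalize(identifier: str) -> str:
        # LDAP DNs are case-insensitive; collapse case and spacing around commas
        return ",".join(p.strip() for p in identifier.lower().split(","))

    def apply_dirxml_accounts(self, identity: str, values):
        """Record each identifier in a DirXML-Accounts add/modify. Old
        identifiers are kept so events logged before a rename still resolve."""
        for system, identifier in values:
            self.accounts[(system, self.normalize(identifier))] = identity

    def resolve(self, system: str, identifier: str):
        return self.accounts.get((system, self.normalize(identifier)))


def correlate_logins(table: IdentityTable, events):
    """Group (system, identifier, time) login events per identity. Accounts
    with no Identity-table row land under None: the gap the driver closes."""
    per_identity = {}
    for system, identifier, ts in events:
        per_identity.setdefault(table.resolve(system, identifier), []).append(
            (system, identifier, ts))
    return per_identity


def demo():
    table = IdentityTable()
    # Figure 1-1 steps 2 and 6: DirXML-Accounts after AD and LDAP provisioning
    table.apply_dirxml_accounts("John Smith", [
        ("AD", "cn=John Smith,cn=users,dc=company,dc=com"),
        ("LDAP", "cn=jsmith,cn=users,dc=company,dc=com")])
    # Figure 1-2 step 4: AD collector records a login under the original CN
    events = [("AD", "CN=John Smith,CN=Users,DC=company,DC=com", "09:00")]
    # Steps 5 to 8: CN renamed in AD, DirXML-Accounts updated, table refreshed
    table.apply_dirxml_accounts("John Smith", [
        ("AD", "cn=John D. Smith,cn=users,dc=company,dc=com")])
    # Step 9: login under the new CN, an LDAP login, and an unprovisioned account
    events += [("AD", "cn=John D. Smith,cn=users,dc=company,dc=com", "10:00"),
               ("LDAP", "cn=jsmith,cn=users,dc=company,dc=com", "10:05"),
               ("AD", "cn=svc-backup,cn=users,dc=company,dc=com", "10:10")]
    return correlate_logins(table, events)
```

The unresolved `None` bucket is the condition described at the start of this section: without the driver and collector, every identifier in it would be treated as a separate account.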