Fine-grained, policy-based access control decisions require knowledge about the subjects and resources inside and outside the enterprise. The challenge is to make this information available to the policy layer in a form it can easily use.
Enrollment Manager is an enterprise attribute dictionary that integrates, normalizes, and publishes subject and resource attribute information from diverse policy information points (PIP) to thousands of distributed policy decision points (PDP). The Enrollment Manager is unique in its ability to enroll and publish necessary attribute information for local policy evaluation, without expensive network round trips. It provides out-of-the-box support for user, contact, computer, and site objects from Microsoft AD and LDAP sources, as well as automated resource discovery for file servers, Microsoft SharePoint, and applications.
Key Benefits
Out-of-the-box integration with Microsoft Active Directory and LDAP policy information points (PIP) with multi-domain support
Automated resource discovery for file servers and Microsoft SharePoint PIPs
Powerful dictionary modeling and policy preview/testing tools
Scalability to thousands of systems and applications based on the unique distributed PIP publishing architecture
Extensible adapter architecture to support all classes of PIP sources
Enrollment Manager Features
Identity Enrollment Adapters for AD and LDAP
Enroll user, computer and group information from enterprise directories such as Active Directory (AD) and LDAP, and automatically synchronize changes. AD integration provides up-to-date user and group membership information to ensure identity-based policy enforcement is applied to the right user. Supports enrollment of multiple directory sources or domains. Additional user or contact information held in other applications, such as customer relationship management (CRM) or human resource management systems (HRMS), can also be enrolled and used to specify identity.
Automated Resource Discovery
Automated tools discover the structure of data resources in Microsoft SharePoint, file servers, and even applications running on end-user desktops. Addresses resource naming and aliasing issues to ensure complete policy coverage.
File Based Attribute Enrollment
Enroll other attribute sources using the standard LDIF (LDAP Data Interchange Format) file format. Allows companies to "enrich" directory information with attribute data managed in other sources such as HRMS or CRM applications.
Enrollment Adapter SDK
Enrollment Manager has a plug-in architecture that allows customers to develop and integrate custom adapters for other Policy Information Points (PIP) in their environment.
Attribute Publishing and Caching
Semi-static attributes, whose values change infrequently, can be published to the distributed Policy Controllers for local evaluation. This optimization allows policies to be evaluated without network round trips or added transaction load on AD or LDAP servers, and enables full offline enforcement.
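As an added illustration covering both file-based enrichment and local evaluation (this is not Enrollment Manager's own code; the DNs, attribute names and the access rule are constructed assumptions), the following Python merges an AD-style record with an HRMS LDIF export into one attribute dictionary keyed by DN, then answers a policy question from that dictionary alone, with no directory lookup at decision time.

```python
from collections import defaultdict

# Constructed samples: an AD-style export plus an HRMS "enrichment" LDIF for the same DN.
DIRECTORY_LDIF = """dn: CN=jdoe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
memberOf: CN=Finance,OU=Groups,DC=example,DC=com
memberOf: CN=Staff,OU=Groups,
 DC=example,DC=com
"""
HRMS_LDIF = """dn: CN=jdoe,OU=Users,DC=example,DC=com
department: Accounting
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; folds continuation lines, lower-cases attr names."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]   # RFC 2849 line continuation (leading space)
        else:
            folded.append(line)
    records, current = {}, None
    for line in folded:
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()  # LDAP attr names are case-insensitive
        if not key:
            current = None           # blank line ends a record
        elif key == "dn":
            current = records.setdefault(value, defaultdict(list))
        elif current is not None:
            current[key].append(value)
    return records

def enroll(*sources):
    """Merge several PIP exports into one attribute dictionary keyed by DN (deduplicated)."""
    dictionary = {}
    for src in sources:
        for dn, attrs in parse_ldif(src).items():
            entry = dictionary.setdefault(dn, defaultdict(list))
            for attr, values in attrs.items():
                for v in values:
                    if v not in entry[attr]:
                        entry[attr].append(v)
    return dictionary

def evaluate_locally(dictionary, dn, resource):
    """Toy PDP rule answered from the published dictionary: Finance + Accounting may read 'ledger'."""
    attrs = dictionary.get(dn, {})
    in_finance = any(g.startswith("CN=Finance,") for g in attrs.get("memberof", []))
    return resource == "ledger" and in_finance and "Accounting" in attrs.get("department", [])
```

Without the HRMS enrichment the same user is denied, which is the point of enrolling the second source rather than querying it at decision time.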
Dictionary Modeling
Through the Policy Studio tool, users can browse the attribute dictionary to easily use PIP data to develop policy components and preview their effects. Policy Modeling also allows Enrollment Manager to extend the attribute schema to accommodate additional data elements.