eTrust Admin FAQs

eTrust Admin is a robust, scalable solution for provisioning users across multiple, heterogeneous eBusiness security systems. It enables policy-based creation, modification or removal of users and related objects across the enterprise.

What is role-based user provisioning?
Role-based user provisioning is the ability to automatically and systematically provide users with a set of userids based on their business functions. In today’s complex eBusiness environment, there are many diverse operating systems, mail systems and networks, each with its own style and rules for account management. This often creates a need for specialized administrators for each of these systems, leading further to unique and conflicting security policies. At the same time, auditors have increased needs for consistent and consolidated views of end user access permissions - who granted them and when.

eTrust Admin:

• allows consistent user access policies to be defined and applied across a wide range of system types and directories

• provides administrators with a common interface for adding, maintaining and deleting user accounts across multiple, heterogeneous systems

• reduces administrative costs through role-based policy administration

• produces consolidated audit logs and reports on users, groups and user management activity

Why use eTrust Admin when each security system and directory has its own management?

Platforms and applications provide tools to manage their own user security database (referred to here as “directory”), but do not provide cross-directory management. Adding a user across multiple directories requires multiple tools and redundant effort -- each tool presents a different style of management and the same action must be performed numerous times.

What problem does eTrust Admin solve?

As eBusiness has redefined company relationships with customers, partners, suppliers and employees, it has also presented new challenges to IT for managing user access to corporate resources and directories. eTrust Admin allows consistent management of security privilege across multiple environments. It helps organizations that have recently been affected by merger or acquisition to quickly achieve a manageable directory structure. Admin ensures the removal of all the accounts for terminated employees in a timely fashion, and reduces the time needed to perform individual steps involved in managing user accounts. Through its embedded workflow capability, it ensures that proper approvals are attained before changing any user account. In addition, eTrust Admin provides a complete audit of all the actions associated with account management, while reducing the cost of security administration.

How does eTrust Admin work?

eTrust Admin automates the provisioning of user accounts on a variety of IT systems and ERP applications, using a role-based approach. It allows administrators to centrally define and manage security policies This automation can, optionally, be driven directly from an HR system, like PeopleSoft, eliminating the need for most manual input. There are also web-based delegated administrator interfaces available when automated input is not appropriate. The product employs a server / agent technology. The Admin Server maintains a master directory of roles, groups and global users to be managed. It accepts requests for updates to those lists and directs the agents on various managed platforms to perform the needed work.

Will eTrust Admin scale to manage large numbers of users?

Yes. A single administrator cannot manage large directories one object at a time. eTrust Admin resolves this bottleneck through the use of policies and roles, as well as distributed administration. eTrust Admin leverages eTrust Directory, CA’s X.500 compliant directory, to support millions of users and resources

How does eTrust Admin help to enforce security policies?

The use of policies and roles allows users to receive only the security privileges the organization has assigned to their job function – and nothing more. To ensure that administrators apply only authorized policies, eTrust Admin limits the objects each can manage, and the policies that can be applied. The security policies are specified by the central security administrator.

What systems can be provisioned by eTrust Admin?

The following systems are supported by eTrust Admin :

o Microsoft Windows NT	o SuSE Linux
o Microsoft Windows NT	o DEC UNIX
o Microsoft Windows 2000/Active Directory	o SGI Irix
o Microsoft Exchange	o NCR UX
o eTrust CA-ACF2 Security	o Open VMS
o eTrust CA-Top Secret Security	o eTrust Access Control
o IBM RACF	o eTrust Single Sign On
o OS/400	o Novell NDS
o IBM AIX	o Netware binderies
o HP-UX	o Lotus Notes Domino
o SUN Solaris	o PeopleSoft Feed
o Red Hat Linux	o ODBC Option for any application using a relational database as its credential data store
o Oracle	o LDAP Agent for any directory with a standard LDAP interface

Does eTrust Admin affect the performance of my production environment?

During normal operations, the amount of processing that eTrust Admin adds to a production environment is negligible. The dynamic performance achieved significantly depends upon the hardware, the database used and the network. GUI transactions should typically occur in less than 10 seconds, and remote actions, such as the creation of a user account, should take less than 30 seconds.

Does eTrust Admin support self-service password reset?

Yes. eTrust Admin allows users to reset their own passwords on systems accounts. Additionally, it has a challenge/response web-based interface to allow a user to reset a forgotten primary password.

Does eTrust Admin support self-service profile administration?

Yes. eTrust Admin provides a web-based that allows users to authenticate themselves and update personal information – such as address changes – in their own profiles.

Does eTrust Admin support self registration?

Yes. Individuals can request enrollment in the eTrust Admin system using a web based form in any of its web interfaces (Self-Administration Web Interface, Delegated Administration Web Interface or Workflow).

Does eTrust Admin support workflow?

Yes. eTrust Admin includes an integrated workflow component that allows users to perform user management actions in accordance with organizational policy. Through workflow, approval for administrative actions can be mandated and automated. Where policy permits, it supports adding new users, modifying attributes for given users, disabling existing users and deleting existing users. Multiple approval chains can be defined so different requests require different approvals.

How is administration delegated?

eTrust Admin supports team working between administrators. A central administrator can define the initial administration policies and delegate tasks to sub-administrators whose scope may be limited. For example, each administrator is assigned a set of objects they can manage (which represent the users in a specific department) and a set of actions they can perform. They can add users to the department or reset passwords for users in the department but cannot make any changes to users in other departments. The administrator may be given the right to create their own sub-administrators but can only pass the privileges they already have.

Can eTrust Admin manage existing user accounts?

Yes. The discovery process of eTrust Admin identifies all existing user objects in managed directories. These objects are then managed as if created by eTrust Admin.

Is it possible to limit the scope of an administrator to only reset passwords?

Yes. You can set up an administrator with permission only to reset passwords for a certain group of systems. This resolves on of the top problems experienced by IT service organization – the user forgets his or her password.

Can eTrust Admin synchronize passwords between systems?

Yes. eTrust Admin supports bi-directional synchronization for the Windows environment. Any change made to the domain password can be detected in real time and synchronized with passwords on all other managed systems.

Does eTrust Admin provide any tools for the novice administrator?

Yes. eTrust admin incorporates a set of wizards that walks the novice or the non-IT user though the complicated tasks. Wizards are available for creating new users, adding them to roles, changing users’ roles, modifying user profiles and deleting users.

How easy is it for an administrator to manage thousands of users in the eTrust Admin GUI?

eTrust Admin uses a task-based GUI, which is suited to handle large amounts of information. This GUI includes easy-to-use search capabilities that eliminate the need to scroll through dozens of screens to find a user. Additionally, wizards are available on top level screens, and intuitive icons prompt the user with helpful hints on how to accomplish tasks.

Does eTrust Admin support LDAP?

eTrust Admin includes an LDAP option that provides out-of-the-box integration with LDAP enabled directories. LDIF is also supported for bulk take-on of user information.

Can eTrust Admin perform its operations off-line?

Yes. Administrators can perform all eTrust Admin operations off-line and schedule them for implementation at a later time.

Are the actions taken by or through eTrust Admin logged?

The changes made by individual administrators are logged, providing an audit trail of what changes were made, when, and by whom.

Where does eTrust Admin execute?

eTrust Admin Server runs on Windows NT(SP6+) or Windows 2000.

Can I integrate other systems or applications into eTrust Admin?

eTrust Admin has multiple options for integrating with other system, directories and applications. It includes an LDAP Agent for interfacing to LDAP compliant directories – these include many WEB servers and ERP products, and ODBC option for database oriented application and a Software Development Kit (SDK) that enables any CA developed component, third party vendor product, or customer-developed application to easily plug into and interoperate with eTrust Admin.

How does eTrust Admin compare to meta-directories?

eTrust Admin manages data in native directory namespaces, whereas meta-directories create yet another directory to manage. A meta-directory attempts to integrate the existing namespaces into a new master directory. This limits administrators, forcing them to use only those tools, objects and properties supported by the meta-directory vendor.

Does eTrust Admin require that Unicenter be installed to run?

eTrust Admin can be run standalone and is packaged to include three versions:

eTrust Admin for Unicenter – for organization already running Unicenter.

eTrust Admin for CA Common Services (CCS) – for organizations already running CCS.

eTrust Admin – for organizations not running Unicenter or Common Services.

Does eTrust Admin interoperate with Unicenter?

If the customer currently has Unicenter installed, the eTrust Admin for Unicenter option will seamlessly integrate with it. Additionally, many of the Unicenter facilities, will be available to the user, such as discovery, event management, and report generation.

I have had experience with DMO, how is eTrust Admin different?

DMO (formerly Unicenter TNG Directory Management Option) is now packaged as either eTrust Admin for Unicenter or eTrust Admin for CA Common Services (see questions above relating to Unicenter). Each of the eTrust admin options uses exactly the same code base and are only different in its packaging. Each supplies a unified administration solution, which spans native platforms, eTrust, and OS/390. In addition, it supports web-based administration, workflow, and LDAP-enablement.