Duo Two-Factor Authentication for SailPoint Identity Security Cloud

What is Duo

Duo is a two-factor authentication solution that helps organizations boost security by verifying user identity, establishing device trust, and providing a secure connection to company networks and applications.

Why Duo

Duo is fast, easy and flexible. Passwords and even basic Multi-Factor Authentication (MFA) aren’t enough to keep you safe from today’s attackers. Duo gives you the extra layers of protection you need for secure access management. With this setup, Duo two-factor authentication (2FA) is added as a verification option for account unlocking and password resets.

Prerequisites to integrate Duo

  1. Configure SailPoint Web application and copy ClientID, secret and hostname these details are required for SailPoint integration.
  2. Add users and enroll them in the application. User should have an account in SailPoint.

Technical Overview:

Here’s the technical demonstration on the integration of Duo

Use case Demonstration – Integration flow:

Please refer to the below video to have an understanding about Duo integration

SailPoint configuration

  1. The steps to be done in SailPoint tenant for duo integration
  2. First in SailPoint, integrate the Duo and then check the test connection after successful test connection
  3. Enable multifactor Authentication in Identity profile
  4. And select duo web in Password Reset and Unlock Settings
  5. Now you are all set to use duo authentication

Duo 2FA for Identity security cloud password reset

  1. With duo integration user can reset his password
  2. First user has to proceed to reset password
  3. Enter the username
  4. Then you should enter the passcode received from duo after successful duo authentication you can able to set new password

Duo 2FA for Identity security cloud Unlock account

  1. If the user account got locked, then he can unlock his account with duo integration
  2. First user has to proceed to unlock account
  3. Enter the username
  4. After successful duo authentication your account will be unlocked

 

A Deep-Dive into Okta Sign-On Policies

  • Introduction
  • Usecase Overview
  • Usecase Demonstration
  • Challenges
  • Conclusion
  • Reference Links

Introduction:

In today’s digital landscape, organizations rely on various applications to enhance productivity, necessitating secure access for diverse workforces, including remote employees and contractors. To ensure secure access for remote workers using new devices, implementing Multi-Factor Authentication (MFA) is essential. When accessing sensitive applications from unrecognized devices, Okta prompts for MFA, requiring additional authentication steps such as a one-time password or biometric verification. Administrators can set contextual-behavior based sign-on policies to determine when MFA is necessary, enhancing security and reducing unauthorized access risks, while logging all attempts for monitoring and auditing.

Usecase Overview:

Please refer to the below video to have an understanding about Okta Sign-On Policies focusing on their structure, functionality, and how they enhance security using contextual behavior detection methods.

Usecase Demonstration:

This demonstration offers a comprehensive overview of the Sign-on Policies in Okta, highlighting the practical application with a common scenario around WFH / remote employees.

Challenges:

In general, many organizations encounter various challenges when it comes to user access management: 

  • Securing access for remote employees, contractors, and full-time staff who require varying levels of access to applications. 
  • Ensuring consistent user attributes and access permissions across all applications. 
  • Demonstrating compliance with security standards by implementing strong access controls and monitoring user activity. 
  • Minimizing administrative overhead associated with managing user identities and access. 

Conclusion:

Implementing Okta for centralized security management enables organizations to leverage the platform’s robust features and benefits. By setting up user groups, integrating applications, configuring session policies, and enabling MFA, companies can create a secure and efficient identity management system that meets their specific requirements. 

Reference Links:

Global session policies | Okta Docs

Authentication policies | Okta Docs

Multifactor authentication | Okta Docs

Behavior Detection | Okta Docs

Risk scoring | Okta Docs


Integrating Active Directory with Okta’s Universal Directory

  • Introduction
  • Understanding Okta Universal Directory
  • Key Features of Okta Universal Directory
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration – Integration flow
  • Conclusion
  • Reference Links

Introduction

Active Directory (AD), a directory service developed by Microsoft for Windows domain networks, is primarily used for authentication and authorization, helping organizations manage user access to resources. However, as organizations increasingly adopt cloud-based applications, managing user access across disparate directories has become a challenge for traditional Active Directory (AD)/LDAP systems. Each cloud service often introduces its own user store, leading to a proliferation of login credentials and making it difficult to maintain consistent, secure access control.

This complexity can result in administrative headaches, such as trouble deactivating user accounts when employees leave and a lack of visibility into resource access. To address these issues, many companies turn to Okta, an identity management platform that integrates seamlessly with Active Directory, bridging the gap between on-premises and cloud environments. By using Okta, organizations can continue to leverage their existing AD or LDAP services for user authentication while centralizing User Lifecycle Management, providing a unified dashboard for administrators to ensure consistent, secure access control across all systems.

Understanding Okta Universal Directory 

Okta Universal Directory is a centralized platform designed for managing user identities from various sources. As a core component of the Okta Identity Cloud, Universal Directory provides a centralized view of all users and their respective attributes, making it easier for IT teams to oversee and manage user data. This product enables organizations to maintain a unified profile for a user, no matter where their data comes from. This capability is especially advantageous for enterprises with multiple user directories, as it simplifies user management and bolsters security. 

Key Features of Okta Universal Directory 

  • Centralized User Management: Universal Directory allows you to manage all your user identities in one place. This means that whether your users are employees, partners, or customers, you can easily create, modify, or deactivate their accounts without jumping between different platforms. 
  • Integration with Multiple Sources: It allows integration with various identity sources, including Active Directory (AD), LDAP, and HR systems like Workday. This flexibility ensures that organizations can consolidate user information from different platforms seamlessly. 
  • Customizable User Profiles: Universal Directory supports both Okta user profiles and app-specific user profiles. This capability allows organizations to define and manage user attributes tailored to their applications, ensuring that each app only accesses the data it needs. 
  • Customizable User Attributes: With Universal Directory, you can customize user attributes to fit your organization’s unique needs. This flexibility enables you to collect and store specific information relevant to your users, such as job titles, department details, or location data. 
  • Real-Time Synchronization: Changes made in AD, such as user updates or account deactivations, are synchronized in real-time with Okta. This ensures that terminated employees lose access immediately, enhancing security and compliance. 
  • Delegated Authentication: The integration allows for delegated authentication, meaning that users can authenticate against AD without needing direct access to the AD environment. This feature simplifies the authentication process while maintaining security. 

Prerequisites

Okta Tenant: 

  • You must possess an account with Super Admin role privileges. 

On-Premises Active Directory: 

  • The host server should have at least two CPUs and a minimum of 8 GB RAM.  
  • Host server running Windows server 2016 & above.  
  • .NET framework 4.6.2 and above.  
  • The host server should be a member server part of the same domain.  
  • Okta agent installation wizard should be executed from the host server.  
  • An account with Domain administrator privileges for domain discovery & AD agent application installation in the host server.  
  • Delegated Authentication – Enables the users to use their AD credentials to access Okta & downstream applications. This feature is enabled by default.

Usecase Overview:

Check out the video below to explore Okta’s Universal Directory and how it works with Active Directory integration. Along with that, benefits of Universal Directory & the integration flow.

Technical Demonstration – Integration flow:

Here’s a technical demonstration, a step-by-step approach explaining the integration between Active Directory and Okta.

Conclusion 

Integrating Active Directory with Okta not only streamlines identity management but also enhances security and user experience. With Okta’s Universal Directory, organizations can manage user identities more effectively, ensuring that they are well-equipped to handle the demands of a cloud-first world. This integration empowers IT teams to focus on strategic initiatives rather than being bogged down by the complexities of traditional identity management systems. 

Reference Links

Active Directory Integration | Okta Docs

User Management | Okta Docs

Simplifying Server Access with Okta Advanced Server Access

  • Introduction
  • Prerequisites
  • Usecase Overview
  • Technical Demonstration
  • Conclusion
  • Reference Links

Many organizations face difficulties in securely managing access to their servers. This often results in compromised static credentials, delay in accessing the servers and increase in security risks. Okta’s approach to address this problem is unique, comes with Advanced Server Access (ASA) to provide simple & secure way to access the servers through ephemeral certificates. These certificates are short-lived & tightly scoped which ensures strong security for the connection. And also, JIT Passwordless authentication for server access which will create & revoke access for the user through time-bound constraints. It streamlines the login process and enhances security, ensuring that only the right people can access right resources.

To get started, we need to create and configure an ASA team, which is a designated group of users that can authenticate with Okta. Each team acts as an Advanced Server Access tenant, with all configurations and resources scoped to that team. 

  • An Okta Org account with the necessary permissions to configure applications and integrations.
  • Supported OS for ASA Server Agent – Linux & Windows
  • Supported OS for ASA Client Agent – Linux, Windows & MacOS
  • Administrative permission to install ASA Server Agent & Client Agent on servers & end devices.
  • For Network settings, please refer to Okta Docs.

Please refer to the below video to have an understanding about Okta Advanced Server Access & the usecase around integrating servers with Okta ASA.

Here’s the technical demonstration on the integration of Windows and Linux servers with Okta ASA. We will cover the process of creating an ASA team in ScaleFT, followed by integrating and configuring the ASA application in Okta. Next, we will explain how to enroll servers and clients, and finally, we will test the process by accessing the server from client machines to showcase a seamless user experience.

On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Servers with Okta Advanced Server Access not only enhances security through ephemeral credentials but also simplifies management processes while ensuring compliance. Its scalable architecture supports modern cloud environments, making it a comprehensive solution for organizations looking to secure their server access effectively.

Okta Advanced Server Access Guide

Simplifying Salesforce Access with Okta SSO Integration 

  • Introduction
  • Pre-Requisites
  • Usecase Overview – Integration flow
  • Technical Demonstration
  • Conclusion
  • Reference Links

In today’s fast-paced business environment, manually logging into multiple App’s can be a tedious and time-consuming process, especially when dealing with multiple accounts or complex password policies. Moreover, security risks associated with password-based authentication can put your organization’s sensitive data at risk. 

That’s where Okta Single Sign-On (SSO) comes in, a solution that streamlines App access, boosts productivity, and fortifies security. By integrating Okta SSO with multiple App’s like Salesforce, Slack, LinkedIn, etc.., organizations can provide teams with seamless, one-click access to the platform, while maintaining the highest levels of security. 

In this blog, we’ll explore the benefits of using Okta SSO with Salesforce and provide a step-by-step guide on how to set up and configure this powerful integration. 

  • An account with Super Admin role privileges 
  • Salesforce Org with system administrator privileges 
  • Custom Domain: acme 

Please refer to the below video to have an understanding about Okta & the use case around integrating Salesforce with Okta.

Here’s the technical walkthrough on the integration and provisioning between Salesforce & Okta.

In conclusion, integrating Okta with Salesforce has significantly streamlined the users access to the platform. With Okta’s Single Sign-On (SSO) capabilities, users can now seamlessly log in to salesforce without remembering multiple passwords, reducing login times and increasing productivity. The integration backed up with Okta’s Sign-On policies, enhances organization security posture by providing an additional layer of authentication, ensuring that only authorized personnel can access sensitive customer data. By streamlining Salesforce access with Okta, we have improved user experience, increased efficiency and strengthened security, ultimately driving business growth and success. 

Okta Docs | Setup SSO for Salesforce

Okta Docs | Adding Salesforce to Okta 

Microsoft 365 SSO Integration using Okta

  • Overview
  • Prerequisites
  • Usecase Overview – Integration flow
  • Technical Walkthrough
  • Conclusion
  • Reference Links

Most of the organizations, rely on Microsoft Active Directory Services or LDAP for a centralized store for identities & access permissions. Majority of the on-prem applications rely on these services to authenticate and authorize the actions. But with the cloud-based application, where the applications would have their own identity profiles to manage the application it is challenging for the administrator to manage the user accounts & it would be challenging for the end user too to use multiple identities for multiple applications.

Okta provides a solution to utilize the existing Microsoft Active Directory Services / LDAP services to access the SaaS applications through Active Directory / LDAP integration. This allows a single dashboard for the users to access the applications using their existing credentials and for administrators a centralized service to handle the lifecycle management.

In this section, we will integrate an existing on-premises Active Directory to Okta and let Okta provision the user accounts for us in Microsoft 365 tenant.

For simulating this in our lab environment, we’ll need to have access to 3 entities & few prerequisites.

  • Okta Tenant.
  • Member Server for Okta Active Directory Agent Installation.
  • Microsoft 365 tenant.
  • An account with Super Admin role privileges.
  • The host server should have at least two CPUs and a minimum of 8 GB RAM.
  • Host server running Windows server 2016 & above is supported.
  • .NET framework 4.6.2 and above is supported.
  • Host server should be a member server part of the same domain.
  • Okta agent installation wizard should be executed from host server.
  • Microsoft 365 tenant name – This is the default tenant name registered as “comanyname.onmicrosoft.com”
  • Microsoft 365 domain – This is the custom domain which is chosen for federation.
  • Microsoft 365 global administrator user account.

Please refer to the below video to have an understanding about Okta & the use case around integrating Office365 with Okta.

Here’s the technical demonstration on the integration between Office 365 & Okta.

On a closure note, with all the steps carried out in this blog it is fair enough to say integrating Okta with Active Directory & Office 365 eases the overhead of IT administrators for access management and provisioning happening through Single Sign-on. With this integration in place, IT administrators can manage the user assignments & modifying the attributes from Okta and the replication will happen to AD & Office 365 tenant.

Okta Docs | Configure Single Sign-On for Office 365

Okta Docs | Active Directory integration

SailPoint IdentityIQ Custom Connector

Introduction

Connectivity is critical to successful IAM deployments. SailPoint is committed to providing design, configuration, troubleshooting and best practice information to deploy and maintain connectivity to target systems. SailPoint IdentityIQ enables you to manage and govern access for digital identities across various applications in your environment. Connectors are the bridges that IdentityIQ uses to communicate with and aggregate data from applications. SailPoint IdentityIQ provides a wide range of OOTB connectors that facilitate integration with variety of systems, applications and data sources. These connectors are designed to simplify the process of managing Identity information and access across different platforms.  

In SailPoint IdentityIQ, a Custom Connector is a specialized integration component that allows the IdentityIQ platform to connect and interact with external systems, applications, or data sources that are not supported by the standard OOTB connectors. Custom connectors extend the capabilities of IdentityIQ by enabling it to manage identity-related information in a wider range of systems. 

High level architecture of Custom connector 

Custom Connector Development

Developing Custom connector in SailPoint IdentityIQ involves creating a Java-based implementation that adheres to the connector framework and API provided by SailPoint.  

This allows you to define the interaction between IdentityIQ and the specific external system you want to integrate with. A typical development of custom connector includes 4 steps – 

  1. Creating a new implementation of functionality and packaging it into JAR file. 
  • The custom connector uses the openconnector framework provided by SailPoint in the openconnector package where there are lot of methods provided for different type of operations.  
  • The custom logic which you want to implement using this custom connector shall be developed in the specified methods.  
  • Once code development is completed, Custom connector code with all the classes must be compiled and packaged to a JAR file.  
  • And the JAR file must be placed in WEB-INF/lib folder of IIQ Installation directory 
  1. Defining Connector type in Connector Registry 
  • Connector Registry is an XML file present in IdentityIQ as Configuration object. This file contains the information about all the different connectors and their related details.  
  • Now that we have created a new connector in our IdentityIQ, we have to declare its information and details in Connector Registry.  
  • Here we will create an xml file consisting of the details pertaining to our custom connector. Once we Import this xml file into IdentityIQ, it will be merged with the existing Connector Registry file in IdentityIQ database allowing IdentityIQ to create a new entry in the list of connectors.  
  • Alternatively, the Connector Registry could be manually edited through the Debug page
  1. Defining .xhtml page which specifies required and optional connection parameters. 
  • Usually, some parameters are required to define the connection to the target resource (e.g. host, port, username, password, etc.).  
  • To allow these parameters to be specified through the UI for each application that uses this connector, an .xhtml page must be written to define how the Application Configuration user interface will request and record those parameters.  
  • This file must be placed in the [IdentityIQ Installation Directory]/define/applications/ directory and must be referenced in the application definition’s XML as the “formPath” entry.  
  1. Testing the connector by Creating an application which uses this connector. 
  • Finally, after completing all the development related activities, one must start the application server which is hosting IdentityIQ.   
  • An Application object must be created for using the IdentityIQ’s UI. Select the configured custom connector as application type to tie it to the connector registry configuration and specifying any connection parameters through the configuration. 
  •  Once the application is onboarded, we can perform all the configured functionalities in it and verify back the results within the targeted external application.  
  • Alternatively, Application connector can be tested from the integration console (run iiq integration from the [IdentityIQ Installation Directory]/WEB-INF/bin directory).  
  • This console can be used to test the various features of your connector including Aggregation and Provisioning

The following presentation gives you clear understanding of custom connector development in detail.

Now let’s have a demo on building custom connector, deploying it into SailPoint IdentityIQ and using it. 

Please subscribe to our social media and stay updated with latest technology content. Thanks!

SailPoint IdentityNow Workflows

About SailPoint IdentityNow Workflows:

IdentityNow workflows are a way to automate processes related to Identity Security Cloud. These processes when carried individually are manual, error prone and laborious in nature.

Here are a few examples of the power of workflows.

  1. Design workflows that can handle a growing number of users onboarding requests, ensuring scalability as the organization hires new employees.
  2. Design workflow to raise tickets in ticketing system to automate the resolution of access-related issues reported by users, ensuring a streamlined process.
  3. Modify an existing workflow to include new steps for managing temporary access during a special project, adapting to changing business needs.
  4. Implement a workflow for access reviews that automatically identifies and revokes unnecessary access rights, ensuring that users only retain permissions relevant to their current roles.
  5. Streamline access request procedures including approval steps for access approval or modification.
  6. Send email alert when an identity changes group in end application.
  7. No human involvement while configuring and activating certification campaign when identity changes department and also send email alert to reviewer.

In this video blog, we will be discussing about the IdentityNow workflows in detail. The following are the key topics that are discussed as part of the blog.

  1. Why SailPoint introduced Workflow in IdentityNow
  2. Available platforms in IdentityNow to build a workflow.
  3. General terminology and use of Inline variables
  4. Simulating and testing a workflow
  5. Migrate workflows between sandbox and production.

The detailed discussion of Workflows, it’s terminology and configuration process are present in the following video.

Detailed demo on developing & testing workflows in all 3 possible ways is present in the following video.

Please subscribe to our socials and stay updated with latest technology content.

SailPoint IdentityNow Automation Testing

Introduction
Automation testing refers to the testing of the software in which tester write the test script once with the help of testing tools and framework and run it on the software.
The test script automatically tests the software without human intervention and shows the result.

Prerequisites for Automation:
To begin automation testing using Selenium, there are few prerequisites should have in place:

  1. Programming Language: Choose a programming language in which you will write your test scripts. Java, Python, C#, and Ruby are common choices for Selenium automation. You should have a good grasp of the chosen language.so we have chosen java.
  2. Integrated Development Environment (IDE): Install an integrated development environment (IDE) such as Eclipse, IntelliJ IDEA, or Visual Studio Code to write and manage your Selenium scripts. We have chosen Eclipse as IDE platform.
  3. Java Development Kit (JDK): If u opt for Java, you’ll need to install the Java Development Kit (JDK) on your system.
  4. Selenium WebDriver: Download the Selenium WebDriver for your preferred programming language. You can add the WebDriver libraries to your project using build tools like Maven.
  5. Web Browsers: Make sure you have the web browsers you intend to automate (e.g., Chrome, Firefox) installed on your system.
  6. Web Drivers: Selenium interacts with browsers through web drivers. You should have the appropriate web drivers for the browsers you plan to test with (e.g., Chrome Driver, Gecko Driver). These should be downloaded and configured. Ensure that your chosen IDE is integrated with the Selenium WebDriver, making it easier to write, run, and debug test scripts.
  7. Test Framework: Select a test framework such as TestNG or Hybrid. Test frameworks help structure your tests and provide reporting capabilities.

By meeting these prerequisites, you’ll be well. prepared to start automation testing using Selenium and create efficient, maintainable, and effective test scripts.

The following below video showcases a small presentation on automation testing:

Tools used for Automation testing.

  1. Eclipse:
    Eclipse is a digital workspace for automation testing. It’s a special software that makes creating and running automated tests easier. It is used by testers because it’s super flexible and works with different programming languages. It helps in writing, organizing, and running tests for finding problems or bugs in software, making sure everything works smoothly.
  2. Selenium:
    Selenium is an Open source, It Supports multiple languages like java, python, Ruby. Scripts can be run on Multiple browsers like Chrome, Firefox, IE, Microsoft Edge. It supports Multiple operating systems like Linux, Windows, MacOS. It can be integrated with third party applications like TestNG, Cucumber.
  3. TestNG:
    TestNG is a testing framework used with Selenium for automating tests. It allows for organizing test cases, running tests in a specific sequence. It offers annotations to manage test execution flow, such as @Test for defining test cases, @BeforeMethod and @AfterMethod as you can see the highlighted point in the picture for pre and post-test setups, and @DataProvider for parameterization. This combination of Selenium and TestNG helps in efficient and structured automation testing, enabling testers to create, manage, and execute test cases reliably. Generates HTML reports showing test execution details.
  4. Maven:
    Maven is an open-source tool. Maven allows to download all the JARs and Dependencies and manage lifecycle for a Selenium Java project. This makes it easier for the QA to configure dependencies for Selenium Java by automatically downloading the JARs from the Maven repository.

Advantages of Automation testing

Efficiency: Automation testing can execute repetitive and complex tasks faster than manual testing.
Accuracy: Automated tests perform the same steps precisely every time, reducing the chance of human errors.
Reusability: Test scripts can be reused across different phases of development and in various testing scenarios.
Faster Feedback: Automated tests provide rapid feedback on the software’s stability and functionality.

Let us see how we can execute the test cases in the below video:

SailPoint IdentityNow REST API’s

Introduction

API stands for Application Programming Interface. APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.

API architecture is usually explained in terms of client and server. The application sending the request is called the client and the application sending the response is called the server.

API Workflow

Fig. – API dataflow

What is REST API:

  REST stands for Representational State Transfer. This is the most popular and flexible APIs found on the web today. The client sends requests to the server as data. The server uses this client input to start internal functions and returns output data back to the client.  REST defines a set of functions like GET, POST, PUT, DELETE, etc. that clients can use to access server data. Clients and servers exchange data using HTTP.

The main feature of REST API is statelessness. Statelessness means that servers do not save client data between requests. Client requests to the server are similar to URLs you type in your browser to visit a website. The response from the server is plain data, without the typical graphical rendering of a web page.

Rest API operation in SailPoint IdentityNow

Post Operation: POST APIs request allows appending data to the endpoint. This is a method used to add information within the request body in the server. It is commonly used for passing delicate information.

GET operations: GET APIs request is used to obtain details from the endpoint and does not have any impact on the endpoint. The GET request does not update any endpoint data while it is triggered.

UPDATE operations: PUT APIs request is used to pass data to the server for creation or modification of an endpoint. The difference between POST and PUT is that POST request is not idempotent.

DELETE operations: DELETE APIs request deletes a resource already present in the server. The DELETE method sends a request to the server for deleting the request mentioned in the endpoint.

Let us understand usage of REST API’s in SailPoint IdentityNow in the following below presentation:

Pre-requisite

  • Base URL of SailPoint tenant.
  • secret key and client ID for the token generation.
  • Generating access token with Authorization code.

Rest API Authentication in IdentityNow

              Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. Authentication provides access control for systems by checking to see if a user’s credentials match the credentials in a database of authorized users or in a data authentication server. In doing this, authentication assures secure systems, secure processes and enterprise information security.

OAuth 2.0

  • OAuth 2.0 is the industry-standard protocol for AUTHORIZATION.
  • OAuth 2.0 is designed primarily as a means of granting access to a set of resources, in simple way OAuth 2.0 Access Token is a string that the OAuth client uses to make requests to the resource server.

JSON Web Token

          JSON Web Token (JWT) authentication is a stateless method of securely transmitting information between two parties as (JSON) object. It is often used to authenticate and authorize users in web applications and APIs.

Rest API Authorization in IdentityNow

          Authorization in system security is the process of giving the user permission to access a specific resource or Authorization is the act of validating the user’s permission to access a given resource. This term is often used interchangeably with access control or client privilege.

Personal Access Token in IdentityNow

In IdentityNow a personal access token (PAT) is a method of authenticating to an API as a user without providing a username and password.

Now, let us go through a demo on how we can use these REST API’s in SailPoint IdentityNow.

Features of Rest API in IdentityNow

  • APIs extend IdentityNow functionality and Usability
  • Advanced configuration such as
    • Transform creation
    • Customization of account profiles
    • Ranking authoritative source priority
    • System level changes
    • Object management
  • Interface with other systems – pull data/initiate processes