ForgeRock Identity Cloud: Allowing users to only access what they need

Overview

Allowing workforce users to only access what they need enforces least-privileged access and mitigates internal fraud and data breaches. It also reduces administrative overhead by making it easier to grant, modify, or revoke access as job roles change.

ForgeRock Identity Cloud enables you to centrally administer and manage user access to applications and data across your organization. Its capabilities include:

Application management

What is it?

With application management, you can integrate your identity management system with external data stores or identity providers. This involves registering applications and provisioning users.

How is it achieved in Identity Cloud?

Identity Cloud provides a simple UI with templates that allow you to quickly and easily register and provision popular applications such as Azure AD, Salesforce, ServiceNow, Workday, and many more. You can choose the application you wish to onboard from an app catalog (Applications > Browse App Catalog).

In addition to the applications provided in the app catalog, you can also register custom applications as OAuth 2.0 or SAML 2.0 applications.

All registered applications are either target or authoritative applications. With target applications, user accounts are managed and created in Identity Cloud. With authoritative applications, the application acts as a source of identities; users and roles are not managed or created in Identity Cloud.

After you have registered an application and established the server connection, you can provision the application. Provisioning creates and manages connections to the target system such as Salesforce. Reconciliation ensures synchronization and consistency between Identity Cloud and the external application, using details defined in the mappings to determine how to map and update properties.
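To make the mapping-driven reconciliation described above concrete, here is a simplified model of it as an added example (not ForgeRock's code): a mapping projects each managed user onto the target application's attributes, a correlation attribute links it to an existing account, and each pair ends up in a situation that decides whether to create, update, or flag an orphan. The Mapping shape, situation names, and the Salesforce-style sample records are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Mapping:
    correlation: str  # target attribute that links a source identity to an existing account
    properties: dict  # source attribute -> target attribute
    transforms: dict  # target attribute -> callable applied to the mapped value


def project(source: dict, mapping: Mapping) -> dict:
    """Compute how a source identity should look in the target application."""
    out = {}
    for s_attr, t_attr in mapping.properties.items():
        value = source.get(s_attr)
        fn = mapping.transforms.get(t_attr)
        out[t_attr] = fn(value) if fn and value is not None else value
    return out


def reconcile(sources: list, targets: list, mapping: Mapping) -> list:
    """Return (situation, key, payload) actions; unmatched target accounts are
    orphans to disable, because a target application is managed from the source side."""
    by_key = {t[mapping.correlation]: t for t in targets}
    actions, seen = [], set()
    for src in sources:
        desired = project(src, mapping)
        key = desired[mapping.correlation]
        seen.add(key)
        current = by_key.get(key)
        if current is None:
            actions.append(("ABSENT", key, desired))  # create the account with all mapped attributes
        else:
            delta = {k: v for k, v in desired.items() if current.get(k) != v}
            # CHANGED pushes only the differing attributes; CONFIRMED is a no-op
            actions.append(("CHANGED" if delta else "CONFIRMED", key, delta))
    for key in sorted(by_key.keys() - seen):
        actions.append(("UNMATCHED", key, {}))  # account with no owning identity
    return actions


def run_sample() -> list:
    """Constructed sample: two managed users against two existing Salesforce-style accounts."""
    mapping = Mapping("Username", {"mail": "Username", "givenName": "FirstName",
                                   "sn": "LastName", "department": "Department"},
                      {"Username": str.lower})
    sources = [{"mail": "Jdoe@Example.com", "givenName": "Jane", "sn": "Doe", "department": "Sales"},
               {"mail": "asmith@example.com", "givenName": "Al", "sn": "Smith", "department": "Sales"}]
    targets = [{"Username": "jdoe@example.com", "FirstName": "Jane", "LastName": "Doe", "Department": "Marketing"},
               {"Username": "old@example.com", "FirstName": "Ex", "LastName": "Employee", "Department": "Sales"}]
    return reconcile(sources, targets, mapping)
```

Running the sample yields one update (Jane's department), one create (Al), and one orphaned account that should be reviewed or disabled rather than silently kept.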


Example Applications > Provisioning tab for Salesforce

You can also assign users and roles directly from the application. Roles contain specific access privileges to assign to the appropriate users.


Example Applications > Users & Roles tab for Salesforce

For further information on application management in Identity Cloud, see Application management.

Business benefits

Application management provides a single UI for Identity Cloud administrators to manage all aspects of an application relevant to Identity Cloud. This streamlines the onboarding, change, and offboarding processes, ensuring that access privileges align with employees’ roles and responsibilities, reducing administrative overhead and enhancing operational efficiency. Provisioning capabilities ensure synchronization and consistency between Identity Cloud and external applications.

Application management also helps prevent over-provisioning of licenses and resources, leading to cost savings by ensuring that users only have access to the applications relevant to their roles.

Application/entitlement onboarding

What is it?

With application/entitlement onboarding, users are granted access to applications with the proper permissions and roles defined. This may involve an identity governance process or product.

How is it achieved in Identity Cloud?

In Identity Cloud, entitlements are specific permissions given to an account in an onboarded target application. Entitlements are pulled into Identity Cloud when you onboard a target application.

Identity Cloud’s Identity Governance add-on component aggregates entitlements from onboarded target applications into a centralized repository (called the entitlements catalog) to provide a unified view of the entitlements. Administrators can view the entitlements users in Identity Cloud have for accounts in onboarded target applications.

NOTE: Onboarded applications are applications connected and configured with Identity Cloud using application management templates.

For further information on managing entitlements in Identity Cloud, see

Business benefits

With application/entitlement onboarding in Identity Governance, organizations can tightly manage user access to applications. This reduces the risk of unauthorized or malicious activities, helping safeguard sensitive data and resources from breaches and cyber threats.

By providing a unified view of the entitlements in one place, Identity Governance meets the security, scale, and resiliency needs of large, complex enterprises, allowing administrators to process large numbers of permissions in one place.

Access certifications

What is it?

Access certifications involve verifying and validating the access rights and permissions granted to users so that only authorized individuals have access to critical applications.

How is it achieved in Identity Cloud?

Identity Cloud’s Identity Governance add-on component includes access certification. Certifying access in Identity Cloud means enabling the appropriate people to review user access to applications and the accounts in those applications.

To configure certification access for users, you first need to create a certification template, which defines the data to review, who is responsible for the review (the certifiers), and when the data needs to be reviewed. Certification templates can be saved and reused across data review cycles.


Example Certification > Template tab with templates

Once you have created the template, you can run a campaign. A campaign sends notifications to all the certifiers defined in the template.


Example Certification > Campaigns tab

The data defined for review is then sent to the end users defined in the template for access review.


Example Identity Cloud end user screen showing Access Reviews inbox

For further information on access certification in Identity Cloud, see:

Business benefits

Access reviews ensure that individuals have the appropriate level of access to systems, applications, and data based on their roles and responsibilities while minimizing the risk of unauthorized or unnecessary access.

By regularly reviewing and certifying users’ access rights, organizations can prevent unauthorized users from gaining access to sensitive data and functionalities, therefore reducing the risk of data breaches and insider threats.

Access certifications also help demonstrate compliance with frameworks such as GDPR, HIPAA, and SOX by providing an auditable record of access rights and actions taken to ensure that only authorized users have the appropriate access.

Identity Governance in Identity Cloud streamlines the user access review process by providing a structured and automated way to review and approve user access rights, reducing the administrative burden on IT and security teams. By automating the access certification process, organizations can reduce the time and effort required for manual access reviews.
