FAQs Tools4ever
General FAQs
How are products licensed?
Our products are typically licensed by the number of users and a subscription time frame. Some of our older legacy products are perpetual licenses based on the number of users. Please see individual pricing pages for more information.
Can I get a 1:1 demonstration?
Yes, absolutely. Click here to request a software demonstration, and one of our account managers will contact you to arrange a demonstration of how our products can meet your specific requirements.
Do you have a customer service team?
Yes, Tools4ever is an international company with offices in multiple countries. Each office has a dedicated support team; however, support hours may vary. Please contact your local office for support.
How do I open a new support case?
You may contact our support department by visiting our support page. From there, select the office that you wish to contact and fill out their contact form.
Identity Management
For over 20 years, Tools4ever has developed multiple solutions within the identity management (IDM) industry. We provide organizations with the power and insight they need to automate processes, provision accounts, and control access throughout their networks and applications. In addition, our solutions give the right access to users who can use the resources they need and have access only to the data their work position requires.
How does IDM stop permissions from accumulating and unstructured data from building up in the network?
With identities often being interwoven in the network, our transparent process automates and/or delegates access management to prevent the accumulation of permissions. This prevents unauthorized access, minimizes data breach risk, and ensures that users always have the correct access required. It also simplifies processes.
How does IDM make the helpdesk more efficient?
Onboarding can be automated with our solutions, thus eliminating the need for manual intervention from IT or the helpdesk. Access rights are created based on a Role Based Access Control (RBAC) model or granted and approved by managers or the data owners on a one-off basis. This frees up the helpdesk to work on more important tasks instead of repetitive work such as user provisioning.
How does IDM benefit organizations on a business level?
It is inefficient to have staff spending hours every day managing access, users, and permissions. The risk of human error is mitigated when the process is automated. This can be solved using one of our IDM solutions.
How does IDM aid compliance/audits?
Our solutions leave a transparent access trail based on the permissions granted and/or revoked in the network. Access governance makes it easy to ensure that users have the correct access—no more, no less than needed. In addition, our solutions add layers of accountability to the process by assigning certain users as data owners. RBAC ensures that rights are correct for every position and individual while discrepancies are available for managerial review.
How long does an IDM implementation take?
The length of implementation depends on the specific requirements of any particular organization. Before quoting a timeframe, we will assess the requirements and provide a detailed scope of services for your specific needs.
Our unique approach to implementation has been the key to our 20+ years of success in the industry. We implement our solutions in phases to avoid users or IT having to adjust to drastic changes overnight. The phases also allow our expert consultants to address any small challenges as they arise. With a phased implementation, we can ensure that each module works seamlessly before we move on to another.
How do Role Modeling and Business Rules work?
Our IDM solutions replace the copy-user, spreadsheets, user templates, and other types of manual access management practices prone to human error and oversight. Access rights are recorded in an easily managed RBAC model and then issued, updated, and withdrawn accordingly. Role modeling and business rules offer a variety of methods to build the model, such as role mining and the ability to manage it via workflow requests and approvals. Validation of any discrepancy of rights can be accomplished via attestation and reconciliation.
Certain user attributes (e.g., department, title, location) are picked up from the HR/SIS. We put these through our role modeling and business rule processes to determine the given individual’s entitlements. For example, on the network, Exchange, O365, Google Workspace, or other systems need for their job. Using RBAC, along with our role modeling and business rules, you can create models and rules that will automate the process of adding and removing permissions during the employee user lifecycle.
Can your solutions add users to groups and distribution lists?
Yes—if the user has the correct role, they can create, delete, and manage group memberships. This typically is done through a delegated web form where the end user has to have a specific role to use that form. In addition, role modeling and business rules can be used to assign both security groups and distribution groups.
Can users be created with expiration dates?
Yes—users can be created with a predefined expiration date. This is ideal for short-term employees, contractors, or students and staff in schools or universities. Additionally, email alerts can be automatically generated to notify managers of new account creations or upcoming expirations.
Is there an ability to create attribute-based dynamic groups?
Yes. Our solutions have the capability to programmatically create AD groups based on attributes available from the HR/SIS system. For example, a group could be created based on the title “Office Administrator,” and employees with that designation would automatically be added to the group.
What is the run time for an account management process?
Many factors affect the run time for provisioning process execution, including the number of employees, the number of changes, and the total number of systems connected. Most of our clients can run their processes every hour. We also provide the ability to run processes on-demand.
How do you provision users to Google Workspace and Office 365?
Tools4ever has developed connectors that tightly integrate with both Google Workspace and Office 365. These connectors run in conjunction with the provisioning processes, and changes in both systems are implemented immediately. Any action, including module licensing, can be addressed by our connectors.
Can employees request access to a resource or group?
Yes. Most of our solutions support a self-service workflow feature where employees can request access. The request is then sent to product owners for approval. If approved, the solution will automatically grant the access. This type of feature reduces the workload for the helpdesk and grants them more time to work on more critical issues.
What is "permission bloat"?
Permission bloat (or occasionally “privilege creep”/”access creep”) refers to the gradual accumulation of access rights that naturally occurs over a user’s employment, most often in under-managed IT environments. These information security vulnerabilities and compliance risks often coincide with promotions, role changes, reassignments, or comprehensive reorganizations when user access is not reviewed and adjusted accordingly.
By contrast, automated identity management and provisioning keep your users’ access up-to-date based on role-based controls. When changes occur that alter a user’s access needs, an automated solution will remove the unnecessary rights and eliminate permission bloat.
Adhering to the precise access rights a user needs to meet their job responsibilities—no more, no less—is referred to as the “Principle of Least Privilege.”
What is "CRUD"?
CRUD is an acronym for “Create, Read, Update, Delete” and refers to the overarching identity management processes that occur over the course of a user’s account lifecycle. “Create” begins the lifecycle; “Read” and “Update” recurs as needed to adjust account information and access rights throughout employment; and “Delete” ends the lifecycle with the employee’s departure from the organization.
What is identity and access management (IAM)?
Identity and Access Management (IAM) is an umbrella term that describes all aspects of managing user digital identities and providing secure access to resources. IAM solutions include identity authentication, single sign-on, user provisioning, authorization, RBAC, role management, user lifecycle management, encryption, data loss prevention, privileged access management, and more.
A key component of any IAM solution is authentication, which verifies the identity of an individual who attempts to gain access to a resource. The goal is to provide secure access to resources while minimizing the risk of unauthorized users accessing those resources. In other words, IAM seeks to ensure that only authorized individuals can perform actions within an organization’s network.
The most important advantage of IAM is that organizations can reduce their security risks. For example, instead of having separate passwords for different websites, users only need one password to log into all of them. In addition, by ensuring that no unauthorized users may access the system, IAM lets organizations enforce security policies across all devices and networks, such as requiring employees to use two-factor authentication when accessing sensitive corporate data.
IAM also helps protect against cyber attacks by managing access to the organization’s resources. For example, when a hacker gains unauthorized access to a system, they often try to use stolen credentials to gain further access to other systems. Organizations can prevent hackers from accessing additional systems by restricting access based on user accounts.
Besides helping organizations protect against security breaches, IAM also helps them comply with regulatory requirements and reduce operational costs.
What is user account provisioning, and why should I automate it?
User Account Provisioning (UAP) refers to the process used to manage user accounts across multiple systems and devices. It provides centralized management of user identities and passwords and helps prevent unauthorized use of resources.
Manual or Delegated User Account Provisioning typically requires the IT department to handle all Provisioning. A new hire, for example, will have to be granted access to specific files, documents, and systems depending on their position. Doing so manually is a slow process that is also prone to errors. In addition, when an employee leaves, deprovisioning them requires revoking all rights and removing or deactivating their account.
Automating user account provisioning can help free up IT staff while increasing the organization’s security. With Automated User Account Provisioning, provisioning actions are automatically triggered when information is changed in a “source system,” such as an HR or SIS system, which then serves as a “single point of truth.” If, for example, an employee is promoted, the Automated User Account Provisioning software will detect the change in the organization’s HR system (the source). Once detected, the change will be automatically synchronized to the downstream systems (the targets). This significantly speeds up account management and makes it simple, secure, and cost-effective.
What is User Account Lifecycle Management?
The “User Account Lifecycle Management” is the process of managing user accounts and digital identities throughout the entire lifespan of an employee, student, or temporary worker. This process is called “CRUD,” Create, Review/Update, and Delete/deactivate.
In designing a user account lifecycle process, most organizations’ first attempt is using a “manual” process. Where the IT department is required to manually manage multiple digital identities for a single user account across multiple systems. As the process matures, many organizations adopt an automated provision solution. With automation, a change in the HR (source) system is detected and automatically synchronized to the third-party downstream systems (targets). In return, the IT department is freed up to focus on more impactful projects.
What is Role-Based Access Control (RBAC)?
Role-based access control (RBAC) is an authorization model used to restrict user access to resources based on their Role within the organization. The RBAC model helps design roles in an organization and assign users to the appropriate roles.
The Identity and Access Management system using the RBAC roles allows only authorized users to gain access to a resource. If they don’t have permission to do so, they will receive an error message. For example, a manager may be able to view all employees’ salaries but not change them. A salesperson may be allowed to create new accounts but not modify existing ones. Or a user may be able to view certain documents but not edit them.
Thus, RBAC increases security by preventing unauthorized individuals from accessing sensitive data without proper authorization. This reduces the potential for breaches or information leaks. It also helps organizations comply with regulations like Sarbanes–Oxley Act (SOX), HIPAA, and others. In addition, it helps prevent accidental damage caused by unauthorized users who gain access to sensitive information. Finally, RBAC increases efficiency by automating Provisioning, deprovisioning, and access management processes.
RBAC is commonly used both on-premises and when granting permissions to external systems such as cloud applications.
What are Role Modeling and Role Mining?
As the size of an organization increases, the need to have structured roles (aka Business Rules) is paramount. Role Modeling is a key factor when designing a well-thought-out security model for any identity management implementation. The process starts with basic “Role Mining” to determine the resources required for each job responsibility. Then design roles or business rules (aka Role Generation) into groups or classifications. For example, the “Jr. Accounting Role” requires access to QuickBooks and the invoice folder. The “Sr. Accounting Role” requires the same access along with the accounts receivable folder. How an organization designs its roles is based on many factors. They are typically based on job titles and entitlements, but other factors such as building location or department are used. For example, here are two different ways to group two roles.
Role: Jr. Accounting
Job Titles: Jr. Accounting, Level 1 Accounting, Accounting
Entitlements: QuickBooks, Invoice Folder
Role: Sr. Accounting Role
Job Titles: Sr. Accounting, Accounting Manager
Entitlements: QuickBooks, Invoice Folder, Accounts Receivable Folder
OR
Role: Accounting
Job Titles: Jr. Accounting, Level 1 Accounting, Accounting, Sr. Accounting, Accounting Manager
Entitlements: QuickBooks, Invoice Folder
Role: Sr. Accounting Role
Job Titles: Sr. Accounting, Accounting Manager
Entitlements: Accounts Receivable Folder
What is Segregation of Duties?
The term “segregation of duties” or “separation of duties” refers to the practice of assigning different tasks to separate employees so they cannot conspire with each other. It is an important part of preventing fraud because it prevents collusion between employees who might work together to commit fraud. In some IDM software products, the segregation of duties is automatically done. In others, you need to manually design the segregation of duties into your security roles or business rules.
In general, segregation of duties should be implemented whenever possible. A person who performs one task alone should not be able to access sensitive data without proper safeguards. For example, an employee who has only been assigned to perform administrative tasks cannot gain unauthorized access to sensitive company records. The same applies when employees are given permission to access certain areas of the business but are restricted from accessing other parts of the system.
In addition to preventing employees from gaining unauthorized access to confidential data, segregation of duties helps ensure that no single individual is responsible for all aspects of a project. In this way, the risk of error is reduced.
The segregation of duties also helps organizations comply with regulations like the Sarbanes-Oxley (SOX) Act, which was introduced after several high-profile fraudulent acts in the financial sector. Among other provisions, SOX compliance requires organizations to hire independent auditors to review their accounting practices, a clear example of segregation of duties.
What are user provisioning Source and Target systems?
The terms Source and Target systems are commonly used in user provisioning software solutions. The source represents the system or systems that contain the data needed for the user lifecycle processes. Typically, this is a Human Resource (HR) or Student Information System (SIS) system containing user, job, or student information. The target represents the downstream system or systems that the source data will be synchronized to. Typically, this is Active Directory, Azure AD, Google Workspace, or other software applications.
What are Data Exports and Rostering?
Not all downstream target systems support API access to manage users and access, but most support Excel or CSV imports. When this is the case, you need to format application-specific export files to complete your user lifecycle processes. This process is called “Data Exports.” Additionally, some applications support specific protocols, such as OneRoster, that compress the files into a single zip before uploading to the target system. Data Exports and Rostering are similar, but Rostering is geared more toward classrooms, staffing schedules, or event listing of users. For example, rostering is used heavily in the Education market for student classroom attendee rostering.
What is the Principle Of Least Privilege?
The Principle Of Least Privilege (POLP) states that users should be granted only the access they need to perform their job effectively. It ensures that users do not have more privileges than necessary to complete their tasks. For example, when an employee logs into a corporate network, they should be able to access files and applications needed to do their job without having to log in under other user accounts. Or an employee who needs to use a corporate database should not be given full administrator rights to the system.
This principle applies to employees and other people who use computers, such as contractors, vendors, and consultants. Therefore, ensuring that these individuals are not accidentally exposed to sensitive information when performing tasks outside their normal responsibilities is important.
That is why, when someone logs into a computer system, they must first authenticate themselves before gaining access to the entire system. Once authenticated, POLP ensures they are only given limited privileges to view files and perform specific tasks within the system. Not only does POLP strengthen security but it also speeds up deprovisioning and reduces possible errors.
HelloID FAQs
Tools4ever’s cloud-based IDaaS and identity management service provides provisioning, self-service, access management, and single sign-on. HelloID provides a single point of management and entry for all users’ web-based applications. In addition, HelloID offers employee self-service and delegation web forms.
What does identity-as-a-service (IDaaS) offer that single sign-on (SSO) doesn't?
Identity-as-a-service provides automated provisioning, self-service, sophisticated identity and access management (IAM), along with SSO, adaptive multifactor authentication (MFA), and enterprise security.
IDaaS solutions, such as HelloID, often include SSO. However, SSO alone does not support other IDaaS functionality.
What are single sign-on (SSO) solutions, and how do they work?
SSO solutions streamline user authentication, requiring only one set of credentials to access IT systems, applications, services, and other IT resources.
When a user logs in, the SSO solution acts as an "Identity Provider" (IdP). After logging into the SSO portal, the user's identity is provided to the connected resources without requiring any additional logins. The user's identity is communicated via SSO protocols, such as SAML, OAuth, or OpenID Connect.
While this may sound complicated and pretty technical, the end user simply sees a dashboard of their accessible resources after logging into the SSO portal. HelloID offers multiple "plug-and-play" connectors for all types of systems, applications, services, and other IT resources.
For more information on individual connectors, including functionalities and SSO protocols, please refer to our continually expanding list:
https://www.tools4ever.com/connectors/
How does HelloID work? What do connectors do?
Gaining a basic understanding of attributes, business rules, entitlements, source systems, and targets will provide a solid framework for understanding HelloID, its operations, and why connectors are so valuable.
Attributes, Business Rules, & Entitlements
In order to drive identity management and provisioning automations throughout your IT environment, HelloID relies upon user attributes, business rules, and entitlements. Attributes include various pieces of identity data that make up a person within HelloID (e.g., name, title, department, manager).
A user's attributes determine the business rules that apply to them, such as all users receive an Active Directory account. The applicable business rules determine the entitlements users receive, such as accounts in various systems and permissions in the file system. By filtering combinations of attributes, your organization can build enhanced business rules and assign entitlements to meet your identity requirements.
Source & Target Systems
HelloID connects to the systems and applications within your environment to execute identity management automations and other processes. "Source systems" are those configured to provide HelloID with the user attributes needed to execute various tasks. HelloID detects and syncs all changes in the "source system," whether newly added users or updates to existing ones. For example, HR and SIS systems commonly serve as an organization's "source system."
All other systems and applications that HelloID connects to are "targets." HelloID executes identity management processes in target systems and applications, such as creating and provisioning accounts.
How do HelloID connectors automate onboarding and provisioning?
HelloID leverages connectors to create and set up new users' accounts, group memberships, and assigned permissions. For example, when new users are detected within the configured "source system," HelloID automatically syncs their data and attributes. The user is created as a "person" in HelloID.
HelloID automatically provisions each "person" accordingly based on your organization's configurations. Accounts are created, group memberships are added, and various permissions are assigned accordingly. With automated account creation, provisioning, and access management wrapped into one, new users hit the ground running on their first day.
HelloID's automated identity management processes reduce time-consuming manual efforts, reclaim significant IT staff bandwidth, ensure consistency, and track all actions for easily compiled audit logs.
How do HelloID connectors facilitate "self-service"?
By using group memberships, HelloID's Service Automation module facilitates complete self-service for users. Outside of automated role-based provisioning, self-service is used to provision specialty access cases and temporary projects.
HelloID configurations assign the "Product Owners" who approve or deny users' access requests for a given resource. Users who need to access a given resource may submit requests from the Service Automation tab located on their HelloID dashboard menu. When access requests are approved, HelloID automatically processes the group membership changes to provision the new access, which may include a revocation date.
How does HelloID account for updates to users or connected resources?
Automatically Update Roles & Access
HelloID automatically detects user attribute updates in source systems in the same manner as detecting new users. When changes occur, HelloID will sync and process them accordingly to ensure that user data and access remain up-to-date. Throughout promotions, role changes, and any other events that occur during a user's account lifecycle, HelloID has you covered.
Provisioning New Resources for Existing Users
Organizations' applications and resources are always changing. As a result, IT departments need a dynamic and simple way to provide or remove employee access. HelloID Business Rules is the solution. Rules are simple to understand and have only two parts, members and entitlements. Based on HelloID filters, you can easily and automatically determine who should be in a Rule based on HR data. Entitlements such as groups are assigned to the Rule. By being a member of a Rule, you have the entitlement to access the resource.
How does HelloID deactivate and offboard users via connectors?
As part of processing user account changes, HelloID swiftly deactivates and offboards departing employees once their status changes in the integrated source system. Typically, offboarding includes deactivating accounts, removing group memberships, and revoking access to connected systems and applications. This minimizes offboarding delays, orphan accounts, overlooked access rights, and unnecessary license expenditures.
Are you required to be licensed for all three HelloID modules?
No, HelloID has three modules, and each one can be independently licensed.
Provisioning Module
Automated Identity Management and User Lifecycle Management. The process of Creating, Reading, Updating, and Deleting/Disabling (CRUD) user accounts across multiple systems using automation.
Service Automation Module
Streamline the "Workflow Approval" process with secure web forms. Supervisors can now approve employee access requests and automatically implement them with HelloID, all with no helpdesk interaction.
Access Management Module
Single Sign-On (SSO) and MFA solution simplifying access to cloud applications by providing an application dashboard.
What is MFA (Multi-Factor Authentication)?
For added security, an organization may use Multi-Factor Authorization (MFA). While the first factor is the password itself, a second factor can be a secret question, which may include personal details such as your mother’s maiden name, favorite color, or pet’s name. They may also involve biometrics such as fingerprints, retinal scans, voice recognition, etc.
The advantage of MFA is that it helps prevent people from guessing your password. It also makes it harder for someone who steals your login credentials to access your account because they would need your username and password, along with your answer to the secret question or access to biometric data, etc.
MFA is particularly useful when you use different devices to log into your accounts, such as your laptop, tablet, smartphone, etc. That is why organizations often use MFA to grant access to sensitive data such as their files, personal information, and other types of confidential information.
MFA is becoming increasingly popular because it offers better protection against hackers than traditional login credentials like usernames and passwords. Some organizations use MFA in front of self-service forms that allow users to change passwords, phone numbers, email, etc., without contacting helpdesk support. As a result, this frees up the helpdesk personnel, thus increasing the organization’s efficiency.
What is an OTP (One-Time Password)?
A One-Time Password (OTP) is used to authenticate users accessing their accounts. Common OTP methods are email, text messages, authentication applications, or a physical token device. The purpose of OTPs is to provide an extra layer of security on top of the normal username and password. The main benefit of this authentication method is that the OTP expires after a certain period and can only be used once.
The most common use case for one-time passwords is two-factor authentication, which is used in addition to a user’s login credentials. For example, Google Authenticator generates codes that must be entered into a website in addition to a user’s username and password. This code is generated via an algorithm and changes in intervals, usually around 60 seconds. The benefit is that users do not need to remember the code since it is different every time they sign into the resource. OTP is used extensively in organizations to prevent unauthorized access to accounts. Its main advantage is that it provides additional security measures beyond just one form of identification alone. It is also useful when users change their passwords frequently due to forgetfulness. For example, if a user forgets their password, they can use the OTP feature to reset it without remembering the old one. In addition, OTPs are more secure than traditional passwords because they cannot be easily guessed.
NIM FAQs
Tools4ever’s NexGen Identity Management (NIM) solution designed for complex multi-system environments and performance. NIM is an on-premise tool that provides enterprise-level user provisioning capabilities for organizations looking for a flexible solution. With NIM, you can provision users in a matter of minutes and track changes throughout the entire process. As a specialized user provisioning tool for enterprises, it is optimized for performance and easy self-management for any size organization with complex multi-system environments, including multiple data sources and targets.
Does NIM require a SQL license or additional database software?
No, NIM uses an internal SQLite database and does not require an external database. However, NIM can connect to a SQL database as a source or target system.
How does NIM handle full name, username, and email uniqueness?
A true identity management solution should never lock you into a specific name generation algorithm. NIM is designed to allow you to control the entire name generation process. A major part of that process is uniqueness. NIM has an entire section dedicated to uniqueness requirements. Typically, "uniqueness" is evaluated for full name, user name, and email, but in reality, it can be used for any generated variable within the NIM "Name Generator" process. Uniqueness requirements can be designed to evaluate all target systems for uniqueness before the variable is generated.
For example, guaranteeing the username is the same across all target systems. If NIM's Name Generator determines a downstream target system has a user name duplication conflict, the generator will iterate to a new username and reevaluate all target systems for uniqueness. The iteration algorithm is extremely flexible, which makes it easy to configure to meet your organization's requirements.
How many source and target systems does NIM support?
NIM's open data model is designed for simple to complex multi-system environments. This allows NIM to support virtually an unlimited number of source and target systems.
Some common systems are UKG Pro, Workday, BambooHR, Active Directory, Azure AD, Google Workspace, SAP SuccessFactors, Dropbox, ADP, and Salesforce.
How many user identities does NIM support?
Unlimited, NIM's core design is to support small to extremely large (200K+ identities) without sacrificing performance. This is accomplished by using the host system's memory and optimized data relationship algorithms.
What are NIM Applications?
NIM's main focus is automating an organization's user lifecycle provisioning process. However, not everything can be automated, and manual processes are required. This is where NIM Applications come into play. Organizations can customize web applications that leverage NIM's data and internal processes, such as data relationships, role models, and name and password generation. In addition, each application has its own security access control list (ACL). This allows you to delegate applications to specific roles, such as the Helpdesk or a single user. All the while, it logs every action to be used for auditing purposes.
Below is a list of possible NIM Applications:
- Creating non-HR related user accounts such as temp workers or substitute teachers
- Helpdesk ad hoc group management
- Teacher classroom student password reset
- AUP and Acknowledgement form
- List Users Created or Modified past 30 days
- List Users with password Expires within a timeframe
- List users with no logon in the past X days
Does NIM require scripting knowledge such as PowerShell or JavaScript?
No, NIM is a menu-driven identity management (IDM) solution that does not require scripting knowledge. However, NIM supports advanced features such as using JavaScript to generate new data columns based on existing columns or manipulating the data format of a column when required.
What is NIM Role Modeling?
NIM's Role Modeling feature allows you to create business roles to help manage entitlements. An example of entitlement is an Active Directory security group or distribution group. Roles are typically based on filtered information such as job title, building location, etc. In addition to role management, NIM supports role mining and role generation.
Role mining is where you analyze your current group configuration across all your systems and display commonalities. For example, the job titles "marketing assistant" and "marketing supervisor" are members of the same five marketing groups.
Role generation is where you use role mining information to generate roles. For example, one role for marketing includes two job titles, "marketing assistant" and "marketing supervisor"; the entitlements are five groups.
Where can I find more information on configuring NIM?
For detailed information on how to configure NIM, such as source and target system configuration, user name and password generation, OneRoster exports, role mining, role generation, and much more, visit our NIM documentation website at https://docs.nimsuite.com/
What is synchronization vs. event-based evaluation?
Tools4ever has two provisioning products, NIM and HelloID, that utilize two different methods of evaluating source data: synchronization and event-based evaluation.
NIM uses a synchronization method based on the "soll-ist" philosophy of "desired situation" and "current situation." This method is also known as a "Single Source of Truth," where source data is synchronized to downstream systems on a schedule. NIM accomplishes this by evaluating the data from all source and target systems. When NIM identifies data in the target systems that does not match the source system, NIM will synchronize the source data to the target system. This method guarantees that all downstream systems have the same information as the source system.
HelloID uses an event-based evaluation method. On schedule, source data is evaluated for changes. When a change is detected, that change will then be propagated to downstream systems. In this method, downstream systems may contain different information than the source system. This allows for ad hoc changes to downstream systems without the worry that the source system data will overwrite the ad hoc change.
Does NIM support SFTP?
Yes, NIM's export functionality can also be configured to execute SFTP transfers. This allows NIM to not only export a file or multiple files (typically CSV) but can also transfer the file to a target system using SFTP. Additionally, in compliance with the OneRoster specification, you can compress the files into a single zip before uploading as well.
Can we have separate password generation algorithms for elementary and everyone else?
Yes, NIM supports any number of "Password Generators." For example, it's not uncommon for school districts to generate simple passwords for Pre-K and Elementary students. Typically these passwords use information found within the Student Information System (SIS). With NIM's multiple password generator feature, NIM can integrate into your current identity management infrastructure with minimal effort.
SSRPM: Self-Service Reset Password Manager
SSRPM is Tools4ever’s premier password self-service solution. It allows organizations of all sizes to unburden their helpdesk and empower their end users when it comes to forgotten passwords and account management. It has been estimated that 80% of helpdesk time is devoted to password issues. It also provides the ability to securely onboard new employees without sending their passwords through email or on printed paper!
Can you choose how many challenge questions are needed to reset a password?
Yes—you can customize an access policy to suit your organization’s specific requirements. For example, you can choose the number of challenge questions, if enabled, users can create their own challenge questions, choose if multifactor authentication is required, and many other options. In addition, you can have multiple access policies within SSRPM and assign different rule sets for specific OUs or AD groups.
How do I apply a license after expiration?
If you are on a subscription license and it has expired, please contact your local office for assistance.
Can you reset your password from any device?
Yes. SSRPM can be accessed via a web interface and/or a mobile app, currently available for iOS and Android. All you need to reset your password is an internet connection, your username, and the answers to your challenge questions.
What are the enrollment options for end users?
There are currently three enrollment options for SSRPM:
- Auto-Enrollment: This is when data is collected from an HR System or Student Information System (SIS) and used to pre-populate answers in the SSRPM database, thus eliminating the need for employees to complete the enrollment process.
- Onboarding: This method utilizes a mechanism to give a unique “claim ID” and one-time password (OTP) to the end user based on personal information from the HR or SIS. It ensures that SSRPM is set up before network access is granted.
- Windows Pop-Up: A wizard pops up for end users to fill in their answers to challenge questions. It cannot be closed unless this information is completed, thus ensuring enrollment in SSRPM.
Is a database needed to store SSRPM's data?
Yes. SSRPM requires a SQL Database 2000 or higher.
How are the answers to the challenge questions stored?
The answers to challenge questions are very secure. We use SHA 256 with salting and obfuscation by default.
Do any Tools4ever staff require an account on the network for SSRPM implementation?
No, but a service account is needed on the network that has sufficient rights to process an AD reset. It does not need to be a domain administrator.
Does SSRPM enforce my AD password policies?
Yes. SSRPM impersonates the end-user when resetting their password. By using this method, SSRPM automatically enforces your AD password policy requirements insofar as complexity and history are concerned.
Can SSRPM notify a user of an impending AD password expiration?
Password expiration notifications can be sent via email or SMS to end users in advance of their password expiration. As an administrator, you control the frequency and content of these alerts.
How do I add or delete users in SSRPM?
SSRPM tightly integrates with Active Directory. When you add users in AD, they are automatically given an SSRPM account. When you disable or delete users in AD, their account is deleted in SSRPM. You can restrict SSRPM to only looking at specific OU’s or groups in AD if there are specific personnel you wish to exclude.
How does SSRPM work?
Users enrolled in SSRPM are provided with a “Forgot my password…” link at the bottom of their HelloID or Active Directory login prompt. When users click on this link, they are enabled to:
- Enroll
- Reset a forgotten password
- Change their password
- Update basic Active Directory user info (e.g., contact information)
- Proceed with their onboarding
Once the user clicks to reset their forgotten password, they will be asked a series of security questions to verify their identity. The user will have already set the security question answers when they first enrolled in SSRPM. After answering the security questions, the user will be able to reset their password according to the complexity restrictions configured by the organization’s IT department.
What are some examples of SSRPM's security questions?
You may add your own, but SSRPM’s default security questions include:
- In what city did you meet your spouse/significant other?
- What was your childhood nickname?
- What is the name of your favorite childhood friend?
- What street did you live on in third grade?
- What is your oldest sibling’s birthday month and year? (e.g., January 1900)
- What is the middle name of your youngest child?
- What is your oldest sibling’s middle name?
- What school did you attend for sixth grade?
- What was your childhood phone number including area code? (e.g., 000-000-0000)
- What was the name of your first stuffed animal?
- In what city or town did your mother and father meet?
- What was the last name of your third-grade teacher?
- What is the first name of the boy or girl that you first kissed?
- What is your maternal grandmother’s maiden name?
- In what town was your first job?
For education/youth users, the following security questions are more applicable:
- Who wrote your favorite book?
- Who is the best superhero (or villain)?
- What is the name of your first-grade teacher?
- What is your favorite sports team?
- What is the name of the scientist you admire?
- What is your favorite outdoor activity?
- If you could be any animal, what would you be?
What is "onboarding"?
Simply put, “onboarding” refers to the process of getting a new hire up to speed on organizational processes and policies, and providing provisioned access to the necessary resources required for their job’s responsibilities. Successful onboarding aims to help new employees quickly become effective within the organization.
Tools4ever’s solutions optimize the business and IT side of onboarding processes that ensure new users’ access to network resources like accounts, applications, and file shares. Above all, SSRPM’s Onboarding module helps ensure the safe transfer of user accounts and passwords to new employees.
How long does SSRPM take to install?
SSRPM can be installed, configured, and enabled for users to enroll in a matter of hours.
Still Have Questions?
"*" indicates required fields