Hitachi ID Access Certifier

About Hitachi ID Access Certifier

Hitachi ID Access Certifier is a solution for distributed review and cleanup of users and entitlements. It works by asking managers, application owners and data owners to review lists of users and entitlements. These stakeholders must choose to either certify or revoke every user and entitlement.

Access Certifier is included with Hitachi ID Identity Manager at no extra cost.

Business Challenge

  • As users move through an organization, periodically changing job functions, they tend to accumulate privileges.
  • Over time, a user who has had many different jobs will accumulate many privileges:
    • Some of the privileges are no longer required and
    • some of them may be inappropriate to that user's current job.

  • This process is called entitlement accumulation and can lead to situations where users have so many rights that they can bypass internal controls, possibly violating regulatory requirements for privacy protection or transparent corporate governance.

Solution and Features

Access Certifier enables organizations to automate access certification (also known as attestation) processes, which ultimately help to find and deactivate inappropriate security entitlements.

  • Access Certifier can invite managers, group owners or application owners to review a list of users and entitlements within their scope of authority.
  • These business users either certify that security rights are appropriate or flag them for further review.
  • Flagged entitlements are routed to other users using a built-in approvals workflow.
  • Security rights that are both flagged and subsequently approved for removal are deprovisioned on integrated systems and applications.
  • System administrators may be invited to manually deactivate entitlements on un-integrated or partly integrated applications.

Access Certifier can also be used to periodically review and remediate the configuration of policy objects, such as roles and SoD rules. The process is the same -- schedule a review process, invite policy object owners to perform reviews and get them to inspect and/or modify policy object settings, before signing off.