
Auto Discovery of Users and Entitlements - Hitachi ID Access Certifier

Access certification is based on real, measured security entitlements -- not just the security rights that an identity management and access governance system predicts that users should have.

Hitachi ID Access Certifier includes an auto-discovery engine, used to extract a list of accounts, groups, group memberships and more from every integrated system. The discovery process is scheduled to run regularly -- usually every 24 hours.

  • Every Access Certifier connector supports list operations.
  • By default, auto-discovery is scheduled to run every night. Some organizations choose to schedule it more frequently.
  • When connecting to each managed system, an inventory of all login IDs (accounts) and all available security groups or roles is always extracted.
  • On systems that support this, incremental listing is used to reduce runtime -- i.e., list only IDs that have been added, changed or moved since the last list.
  • Membership of those security groups or application roles that have been marked as 'Managed' in Access Certifier is extracted.
  • Connections to target systems are made in a massively multi-threaded fashion, to minimize runtime.

The list operation in all Access Certifier connectors writes list files to the filesystem of the relevant Access Certifier server. Once all list files have been generated, a separate process determines what changed in each list file and loads appropriate updates into the Access Certifier database schema. This includes:

  • Updating group, account, group membership, attribute and related data in the database, to reflect current state on target systems.
  • Creating new or disabling existing Access Certifier user profiles, where new accounts were discovered on systems marked as 'source of profile' or existing profile accounts were disabled or disappeared.
  • Triggering automated processes, such as provisioning network access in response to newly discovered HR records.
  • Detecting out-of-band administrative changes, such as a user being placed directly into an Administrators group on the target system, and responding with e-mail alerts, workflow requests to undo or approve the change, and similar actions.
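The change-detection step above (and the incremental listing mentioned in the earlier bullet list) is easiest to see on data. The following is an added illustration written for this page, not Hitachi ID code, and it assumes a made-up tab-separated list-file layout, a privileged-group set and a source-of-profile system that are all constructed for the example: two discovery snapshots are parsed, diffed, and the resulting account, membership and alert updates are computed, plus a merge of an incremental list into the previous snapshot so it can be diffed the same way.

```python
"""Toy change detector for auto-discovery list files (added example; the
record format, system names and policy sets below are all constructed)."""
from dataclasses import dataclass, field

# Constructed list files. Assumed layout: one record per line,
#   account <tab> system <tab> login <tab> status
#   group   <tab> system <tab> group
#   member  <tab> system <tab> group <tab> login
PREVIOUS_LIST = """\
account\tad\talice\tenabled
account\tad\tbob\tenabled
account\tad\tcarol\tenabled
group\tad\tAdministrators
group\tad\tFinance
member\tad\tAdministrators\talice
member\tad\tFinance\tbob
member\tad\tFinance\tcarol
"""

CURRENT_LIST = """\
account\tad\talice\tenabled
account\tad\tbob\tdisabled
account\tad\tdave\tenabled
group\tad\tAdministrators
group\tad\tFinance
member\tad\tAdministrators\talice
member\tad\tAdministrators\tdave
member\tad\tFinance\tbob
"""

# Constructed incremental list: only records that changed since PREVIOUS_LIST,
# prefixed with "+" (added/updated) or "-" (removed).
INCREMENTAL_LIST = """\
+\taccount\tad\tbob\tdisabled
-\taccount\tad\tcarol\tenabled
+\taccount\tad\tdave\tenabled
+\tmember\tad\tAdministrators\tdave
-\tmember\tad\tFinance\tcarol
"""

PRIVILEGED_GROUPS = {("ad", "Administrators")}  # assumed 'Managed' groups worth alerting on
SOURCE_OF_PROFILE = {"ad"}                        # assumed systems marked 'source of profile'


@dataclass
class Snapshot:
    accounts: dict = field(default_factory=dict)  # (system, login) -> status
    groups: set = field(default_factory=set)      # (system, group)
    members: set = field(default_factory=set)     # (system, group, login)


def parse_list(text: str) -> Snapshot:
    """Parse a full list file into a Snapshot."""
    snap = Snapshot()
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, *fields = line.split("\t")
        if kind == "account":
            system, login, status = fields
            snap.accounts[(system, login)] = status
        elif kind == "group":
            snap.groups.add(tuple(fields))
        elif kind == "member":
            snap.members.add(tuple(fields))
        else:
            raise ValueError(f"unknown record type {kind!r}")
    return snap


def apply_incremental(base: Snapshot, delta_text: str) -> Snapshot:
    """Merge an incremental list into a previous snapshot to get the current state."""
    snap = Snapshot(dict(base.accounts), set(base.groups), set(base.members))
    for line in delta_text.splitlines():
        if not line.strip():
            continue
        op, record = line.split("\t", 1)
        part = parse_list(record)  # single-record snapshot
        if op == "+":
            snap.accounts.update(part.accounts)
            snap.groups |= part.groups
            snap.members |= part.members
        elif op == "-":
            for key in part.accounts:
                snap.accounts.pop(key, None)
            snap.groups -= part.groups
            snap.members -= part.members
        else:
            raise ValueError(f"unknown op {op!r}")
    return snap


def diff_snapshots(prev: Snapshot, cur: Snapshot) -> dict:
    """Compute the updates the load step would apply, plus out-of-band alerts."""
    ch = {
        "new_accounts": sorted(set(cur.accounts) - set(prev.accounts)),
        "gone_accounts": sorted(set(prev.accounts) - set(cur.accounts)),
        "disabled_accounts": sorted(k for k, s in cur.accounts.items()
                                    if s == "disabled" and prev.accounts.get(k) == "enabled"),
        "added_memberships": sorted(cur.members - prev.members),
        "removed_memberships": sorted(prev.members - cur.members),
    }
    # Profile lifecycle only follows accounts on source-of-profile systems.
    ch["profiles_to_create"] = [a for a in ch["new_accounts"] if a[0] in SOURCE_OF_PROFILE]
    ch["profiles_to_disable"] = sorted(a for a in ch["gone_accounts"] + ch["disabled_accounts"]
                                       if a[0] in SOURCE_OF_PROFILE)
    # Direct additions to privileged groups are the out-of-band changes to flag.
    ch["alerts"] = [m for m in ch["added_memberships"] if (m[0], m[1]) in PRIVILEGED_GROUPS]
    return ch


if __name__ == "__main__":
    previous = parse_list(PREVIOUS_LIST)
    for name, value in diff_snapshots(previous, parse_list(CURRENT_LIST)).items():
        print(f"{name}: {value}")
    print("incremental matches full list:",
          apply_incremental(previous, INCREMENTAL_LIST) == parse_list(CURRENT_LIST))
```

Running the script reports dave's new account (a profile to create), bob's disablement and carol's disappearance (profiles to disable), and one alert for dave's direct addition to Administrators; the incremental list merges into the previous snapshot to exactly the same state as the full current list, which is why the diff logic can stay identical whether a connector lists fully or incrementally.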

The entire process can take from a few minutes in smaller deployments to 2--3 hours in large enterprises with tens of thousands of users and hundreds of integrated systems.
