Auto Discovery of Users and Entitlements - Hitachi ID Access Certifier
Access certification is based on real, measured security entitlements --
not just the security rights that an identity management and access governance
system predicts that users should have.
Hitachi ID Access Certifier includes an auto-discovery engine, used to extract a list
of accounts, groups, group memberships and more from every integrated
system. The discovery process is scheduled to run regularly --
usually every 24 hours.
- Every Access Certifier connector supports list operations.
- By default, auto-discovery is scheduled to run every night. Some
organizations choose to schedule it more frequently.
- When connecting to each managed system, an inventory of
all login IDs (accounts) and all available security groups or roles
is always extracted.
- On systems that support this, incremental listing is used to reduce
runtime -- i.e., list only IDs that have been added, changed or moved
since the last list.
- The membership in those security groups or application roles
which have been marked as 'Managed' in Access Certifier is extracted.
- Connections to target systems are made in a massively multi-threaded
fashion, to minimize runtime.
The list operation in all Access Certifier connectors writes list files
to the filesystem of the relevant Access Certifier server. Once all list
files have been generated, a separate process determines what changed
in each list file and loads appropriate updates into the Access Certifier
database schema. This includes:
- Updating group, account, group membership, attribute and related
data in the database, to reflect current state on target systems.
- Creating new or disabling existing Access Certifier user profiles,
where new accounts were discovered on systems marked as 'source of
profile' or existing profile accounts were disabled or disappeared.
- Triggering automated processes, such as provisioning network access
in response to newly discovered HR records.
- Detecting out-of-band administrative changes, such as placing a user
into an Administrators group, and responding with e-mail alerts,
workflow requests to undo or approve the change, etc.
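To show how the comparison of list files can surface an out-of-band change, here is an added example that is not Hitachi ID code: it parses two snapshots in an assumed "group<TAB>member" text format (not the product's real list-file format), diffs membership of the groups marked as 'Managed', removes changes that match a sanctioned request, and flags the remaining additions to privileged groups. The group names, user names and the privileged-group set are constructed for the example.

```python
from collections import defaultdict

# Constructed sample list files from two discovery runs (previous night, tonight).
# Assumed format: one "group<TAB>member" line per membership; not a real product format.
PREVIOUS = """\
Administrators\talice
Administrators\tbob
Finance-Users\tcarol
"""
CURRENT = """\
Administrators\talice
Administrators\tbob
Administrators\tdave
Finance-Users\tcarol
Finance-Users\terin
"""
MANAGED = {"Administrators", "Finance-Users"}   # groups marked 'Managed' (assumed)
PRIVILEGED = {"Administrators"}                  # additions here warrant an alert (assumed)

def parse_list_file(text):
    """Map group name -> set of members; reject malformed lines instead of skipping them."""
    members = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        group, member = parts
        members[group].add(member)
    return members

def diff_memberships(previous, current, managed=MANAGED):
    """Return (action, group, member) tuples for managed groups only, in stable order."""
    changes = []
    for group in sorted(managed):
        before, after = previous.get(group, set()), current.get(group, set())
        changes += [("added", group, m) for m in sorted(after - before)]
        changes += [("removed", group, m) for m in sorted(before - after)]
    return changes

def out_of_band(changes, expected=frozenset()):
    """Drop changes that match a sanctioned request; what remains was made outside the system."""
    return [c for c in changes if c not in expected]

def privileged_alerts(changes, privileged=PRIVILEGED):
    """Out-of-band additions to privileged groups are the ones to alert on immediately."""
    return [c for c in changes if c[0] == "added" and c[1] in privileged]

if __name__ == "__main__":
    changes = out_of_band(diff_memberships(parse_list_file(PREVIOUS), parse_list_file(CURRENT)))
    for c in privileged_alerts(changes):
        print("ALERT: out-of-band change", c)
```

Membership removals and additions to non-privileged managed groups are still returned by the diff, so the same result can feed the database update step while only the privileged additions go to alerting.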
The entire process takes anywhere from a few minutes in smaller
deployments to 2--3 hours in large enterprises with tens of thousands
of users and hundreds of integrated systems.