Removing Inappropriate Security Entitlements - Hitachi ID Access Certifier
Once certifiers have reviewed user entitlements and identified
inappropriate ones, Hitachi ID Access Certifier can follow through by authorizing
the deactivation of those rights and then removing them from
Authorizing Deactivation of Entitlements
Any request may require approval. Business logic selects
authorizers and determines how many are required (possibly zero).
Multiple authorizers may be selected, with some level of consensus
required (e.g., N of M).
Authorizers are selected automatically and may be chosen by their
relationship to the requester and/or recipient. For example, the
recipient's manager, or a department head, or a regional security
officer are common authorizer choices. Authorizers may be based on
what was requested, such as the owner of an application or group.
Finally, authorizers may be selected via lookup into an external
service or database.
A single flow-chart (state diagram) is used to authorize all requests
in the Access Certifier workflow engine. The Access Certifier workflow engine supports:
- Parallel change authorization.
- Multiple groups of multiple authorizers.
- Automatic reminders to unresponsive authorizers.
- Automatic escalation, when authorizers continue to be unresponsive.
- Delegation -- for example, when authorizers take extended leaves.
- Authorizers with veto power over some or all of a request.
Workflow is used in Access Certifier to approve change requests,
to implement approved requests, to certify user access and more.
A participant in the workflow process is a person invited
to complete a task.
The Access Certifier workflow engine has built-in support for
automatic reminders, escalation and delegation, so as to elicit
reliable responses from individually-unreliable users:
- When participants are first chosen, their out-of-office status
on their primary e-mail system may be checked, to trigger
early escalation to an alternate participant.
- Non-responsive participants that have been asked to review
a request receive automatic reminders. The reminder interval
- Participants who remain non-responsive (too many reminders) are
automatically replaced with alternate participants, identified
using escalation business logic. Escalation is most often based
on OrgChart data -- i.e., the original authorizer's direct manager
is often the escalated authorizer.
- Participants can pro-actively delegate their authority, temporarily
or permanently. Delegation may trigger its own approval -- asking
the new participant to accept a new responsibility.
- A workflow manager can reassign participants attached to open
requests, for instance when they are terminated or when a request
is urgent and already-assigned participants are not available.
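To make the approval mechanics above concrete, here is an added illustrative model of the process (written for this page, not Hitachi ID's code) that implements N-of-M consensus with veto holders, standing delegation applied when participants are chosen, reminders that escalate to the original authorizer's direct manager from OrgChart data after a threshold, and manual reassignment by a workflow manager. The org chart, the delegation table, the user names and the request IDs are constructed sample data; the reminder threshold and the rule that one person may not hold two of the M seats are design choices of the example, not product behaviour the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data for this example (not from any real deployment):
# OrgChart data as user -> direct manager (None at the top), used for escalation,
# and standing delegations as original authorizer -> delegate.
ORG_CHART: Dict[str, Optional[str]] = {
    "alice": "bob", "bob": "carol", "carol": None, "dave": "carol", "erin": "carol",
}
DELEGATIONS: Dict[str, str] = {"dave": "erin"}  # dave is on leave; erin acts for him
MAX_REMINDERS = 2  # assumed threshold: replace a participant after this many ignored reminders


def resolve_delegate(user: str) -> str:
    """Follow the delegation chain, guarding against cycles."""
    seen = set()
    while user in DELEGATIONS and user not in seen:
        seen.add(user)
        user = DELEGATIONS[user]
    return user


@dataclass
class ApprovalRequest:
    request_id: str
    authorizers: List[str]                  # the M selected authorizers
    required: int                           # N approvals needed (0 = auto-approved)
    veto_holders: Set[str] = field(default_factory=set)
    decisions: Dict[str, str] = field(default_factory=dict)  # user -> "approve" | "deny"
    reminders: Dict[str, int] = field(default_factory=dict)  # user -> reminders sent
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Delegation is applied when participants are first chosen.
        self.authorizers = [resolve_delegate(a) for a in self.authorizers]
        self.veto_holders = {resolve_delegate(v) for v in self.veto_holders}
        if self.required > len(self.authorizers):
            raise ValueError("cannot require more approvals than there are authorizers")

    def decide(self, user: str, decision: str) -> None:
        if user not in self.authorizers:
            raise PermissionError(f"{user} is not an authorizer on {self.request_id}")
        if decision not in ("approve", "deny"):
            raise ValueError(f"unknown decision {decision!r}")
        self.decisions[user] = decision
        self.log.append(f"{user}: {decision}")

    def remind(self, user: str) -> None:
        """Record one reminder; escalate once the user has ignored MAX_REMINDERS of them."""
        if user in self.decisions or user not in self.authorizers:
            return
        self.reminders[user] = self.reminders.get(user, 0) + 1
        if self.reminders[user] > MAX_REMINDERS:
            self.escalate(user)

    def reassign(self, old: str, new: str, reason: str) -> None:
        """Replace a participant (workflow-manager action or automatic escalation)."""
        new = resolve_delegate(new)
        if new in self.authorizers:
            # Example rule: never let one person hold two of the N-of-M seats.
            self.log.append(f"{old}: {new} already participates; flagged for workflow manager")
            return
        self.authorizers[self.authorizers.index(old)] = new
        if old in self.veto_holders:
            self.veto_holders.discard(old)
            self.veto_holders.add(new)
        self.decisions.pop(old, None)
        self.reminders.pop(old, None)
        self.log.append(f"{reason}: {old} -> {new}")

    def escalate(self, user: str) -> None:
        manager = ORG_CHART.get(user)
        if manager is None:
            self.log.append(f"{user}: no manager to escalate to; flagged for workflow manager")
            return
        self.reassign(user, manager, "escalated")

    def status(self) -> str:
        # A denial from any veto holder rejects the request outright.
        if any(self.decisions.get(v) == "deny" for v in self.veto_holders):
            return "denied"
        approvals = sum(1 for a in self.authorizers if self.decisions.get(a) == "approve")
        denials = sum(1 for a in self.authorizers if self.decisions.get(a) == "deny")
        if approvals >= self.required:
            return "approved"
        if len(self.authorizers) - denials < self.required:
            return "denied"  # N approvals can no longer be reached
        return "pending"


def run_scenario() -> ApprovalRequest:
    """Deactivation request REQ-1 needs 2 of 3 approvals; bob, the manager, holds a veto."""
    req = ApprovalRequest("REQ-1", ["alice", "bob", "dave"], required=2, veto_holders={"bob"})
    req.decide("alice", "approve")
    for _ in range(MAX_REMINDERS + 1):  # erin (dave's delegate) ignores every reminder
        req.remind("erin")
    req.decide("carol", "approve")      # carol replaced erin through escalation
    return req


if __name__ == "__main__":
    r = run_scenario()
    print(r.status(), r.authorizers, *r.log, sep="\n")
```

The quorum is evaluated only over the current seat holders, so a decision recorded by someone who was later escalated away or reassigned no longer counts, and a veto holder's denial short-circuits the count regardless of how many approvals have accumulated.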
Removing Inappropriate Entitlements on Target Systems
Once access deactivation has been approved, Access Certifier removes
the excess entitlements directly on the target systems. This is done
using its more than 120 built-in connectors, by:
- Unassigning roles (within Access Certifier).
- Disabling login accounts.
- Removing users from security groups.