Once certifiers have reviewed user entitlements and identified inappropriate ones, Hitachi ID Access Certifier can follow through by authorizing the deactivation of those rights and then removing them from target systems:
Any request may require approval. Any operation on any managed resource (account/target system, group membership, role assignment) may have one or more authorizers assigned. These resource-linked authorizers are normally augmented by organizationally-linked authorizers, selected via business logic. This logic specifies how many approvers are required (possibly zero), who they are, etc.
A rules table is normally used to select participants for a workflow request. The request is compared to a series of rules and where a rule matches, participants, such as authorizers, are assigned, typically using a user class that relates the new participant to the requester or recipient. Rule matching may be based on the form that was used, the membership of the requester or recipient in a group, the type of operation requested, the initial or end-state risk score for the recipient, the entitlement(s) involved, etc.
A single flow-chart (state diagram) is used to authorize all requests in the Access Certifier workflow engine. The Access Certifier workflow engine supports:
Workflow is used in Access Certifier to approve change requests, to implement approved requests, to certify user access and more. A participant in the workflow process is a person invited to complete a task.
The Access Certifier workflow engine has built-in support for automatic reminders, escalation and delegation, so as to elicit reliable responses from individually-unreliable users:
Once access deactivation has been approved, Access Certifier removes excess entitlements directly on target systems. This is done using the over 120 built-in connectors, by: