Once certifiers have reviewed user entitlements and identified inappropriate ones, Hitachi ID Access Certifier can follow through by authorizing the deactivation of those rights and then removing them from target systems:
Any request may require approval. Business logic selects authorizers and determines how many are required (possibly zero). Multiple authorizers may be selected, with some level of consensus required (e.g., N of M).
Authorizers are selected automatically and may be chosen by their relationship to the requester and/or recipient. Common choices include the recipient's manager, a department head or a regional security officer. Authorizers may also be selected based on what was requested, such as the owner of an application or group. Finally, authorizers may be selected via lookup into an external service or database.
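The selection and N-of-M consensus rules described above can be sketched as follows. This is an added example, not Access Certifier code; the names, the lookup tables and the per-entitlement quorum policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical names, not from the product).
MANAGER_OF = {"alice": "bob", "carol": "bob", "bob": "dana"}
OWNER_OF = {"grp-finance-rw": "erin", "app-payroll": "frank"}

@dataclass
class Request:
    requester: str
    recipient: str
    entitlement: str
    votes: dict = field(default_factory=dict)  # authorizer -> True/False

def select_authorizers(req):
    """Return (authorizers, required): who is invited and how many must approve."""
    chosen = []
    manager = MANAGER_OF.get(req.recipient)   # relationship to the recipient
    owner = OWNER_OF.get(req.entitlement)     # based on what was requested
    for person in (manager, owner):
        if person and person not in chosen:
            chosen.append(person)
    # Assumed policy: payroll needs every selected authorizer, anything else needs one.
    required = len(chosen) if req.entitlement == "app-payroll" else min(1, len(chosen))
    return chosen, required

def record_vote(req, authorizer, approve):
    """Accept a vote only from a selected authorizer; a later vote replaces an earlier one."""
    authorizers, _ = select_authorizers(req)
    if authorizer not in authorizers:
        return False                          # not invited: vote is ignored
    req.votes[authorizer] = approve
    return True

def status(req):
    """Evaluate N-of-M consensus: 'approved', 'denied' or 'pending'."""
    authorizers, required = select_authorizers(req)
    approvals = sum(1 for a in authorizers if req.votes.get(a) is True)
    outstanding = sum(1 for a in authorizers if a not in req.votes)
    if approvals >= required:
        return "approved"                     # also covers zero required approvals
    if approvals + outstanding < required:
        return "denied"                       # quorum can no longer be reached
    return "pending"
```

Because zero required approvals resolves to "approved" immediately, a deployment following this pattern should treat any rule that selects no authorizers as a deliberate policy decision and review it as such.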
A single flow-chart (state diagram) is used to authorize all requests in the Access Certifier workflow engine. The Access Certifier workflow engine supports:
Workflow is used in Access Certifier to approve change requests, to implement approved requests, to certify user access and more. A participant in the workflow process is a person invited to complete a task.
The Access Certifier workflow engine has built-in support for automatic reminders, escalation and delegation, so as to elicit reliable responses from individually unreliable users:
Once access deactivation has been approved, Access Certifier removes excess entitlements directly on target systems. This is done using more than 120 built-in connectors, by: