Choosing Certifiers - Hitachi ID Access Certifier
By its nature, access certification implies that one user
reviews the security rights assigned to another. To configure
access certification, it is therefore important to specify
the right person to review any given security entitlement.
Hitachi ID Access Certifier supports a number of strategies for selecting
appropriate certifiers for each security entitlement:
- Single certifier: a single person is invited
to perform a review for a set of privileges.
This certifier will be presented with a list of users
who have been assigned each of the privileges under
- Multiple certifiers: when a certification round
impacts too many users, the population of users whose security
rights must be reviewed can be broken down into segments.
This is done by considering identity attributes such as location,
department or division. A different certifier may be assigned
to each set of users (each segment).
- Resource owners: resources such as connected
systems and applications, security groups, roles
and SoD policies normally have named owners. An
access certification round can be configured to invite
the owner of each of its constituent entitlements to
review a list of users who possess that entitlement.
- Managers / relationship based: in some cases, the best
person to decide whether a given security entitlement is appropriate
for a given user is simply the user's manager. A certification
round can be configured so that managers will review the security
rights assigned to their direct subordinates. This infrastructure
is generic, and other types of relationships (not just
manager/subordinate) can also be defined.
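
The four strategies above, sketched as one routing function that builds each certifier's review list. This is an added example, not Hitachi ID Access Certifier code or configuration; every user, entitlement, attribute and function name in it is hypothetical and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data; names, attributes and entitlements are hypothetical.
USERS = {
    "alice": {"department": "Finance", "manager": "dana"},
    "bob":   {"department": "Finance", "manager": "dana"},
    "carol": {"department": "IT",      "manager": "erin"},
}
GRANTS = [  # (user, entitlement) pairs under review in this round
    ("alice", "AP-Approvers"), ("bob", "AP-Approvers"),
    ("carol", "AP-Approvers"), ("carol", "DB-Admins"),
]
OWNERS = {"AP-Approvers": "frank", "DB-Admins": "erin"}
SEGMENT_CERTIFIERS = {"Finance": "gina", "IT": "hugo"}

def assign(strategy, grants=GRANTS, users=USERS, *, single=None,
           segment_attr="department", segments=SEGMENT_CERTIFIERS,
           owners=OWNERS, relationship="manager"):
    """Return {certifier: [(user, entitlement), ...]} for one round.

    Grants with no resolvable certifier are collected under None so the
    round cannot silently skip them.
    """
    work = defaultdict(list)
    for user, ent in grants:
        attrs = users.get(user, {})
        if strategy == "single":          # one person reviews everything
            certifier = single
        elif strategy == "segment":       # split users by identity attribute
            certifier = segments.get(attrs.get(segment_attr))
        elif strategy == "owner":         # owner of each entitlement
            certifier = owners.get(ent)
        elif strategy == "relationship":  # manager or other defined relation
            certifier = attrs.get(relationship)
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        work[certifier].append((user, ent))
    return dict(work)

def unassigned(worklists):
    """Grants that no certifier would review in this round."""
    return worklists.get(None, [])
```

Checking `unassigned()` before a round starts surfaces entitlements without an owner, or users without a manager or segment value, which would otherwise go unreviewed.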