Hitachi ID Access Certifier Features
Hitachi ID Access Certifier enables organizations to review and clean up security entitlements with:
- Certification of users:
Access Certifier can invite managers to review a list of their direct subordinates and, for each one, certify that the subordinate still works for them, transfer the subordinate to their new manager, or indicate that the user in question has left the organization and their access should be terminated.
- Certification of entitlements:
Access Certifier can invite both managers and the owners of roles, applications and security groups to review the entitlements which have been assigned to users and either certify that they remain appropriate or ask that they be revoked.
- Certification of exceptions to policy:
Hitachi ID Identity Manager supports enforcement of two types of policy: role-based access control (RBAC) and segregation of duties (SoD). Access Certifier can be used to review approved exceptions to these policies and either certify that they remain appropriate or ask for the user in question to be brought back into compliance.
- Electronic signatures:
Access Certifier requires certifiers to sign off on their work. Signatures form a chain of accountability, acting as evidence that entitlements are still needed. The sign-off process also triggers workflow requests to revoke entitlements which certifiers indicated are no longer required.
- Certification by entitlement owners:
Application, group and role owners can be invited by Access Certifier to review lists of users with access to their entitlements.
- Certification by managers:
Access Certifier can be configured to invite every manager to review their direct subordinates and their entitlements. Managers are prevented from signing off until the managers who report to them have completed their own certification. This process creates downward pressure on managers to complete their reviews.
- Authorization workflow:
Every user deactivation or access revocation request processed by Access Certifier is subject to an authorization process before being completed. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
  - Concurrent invitations to multiple users to review a request.
  - Approval by N of M authorizers (N is fewer than M).
  - Automatic reminders to non-responsive authorizers.
  - Escalation from non-responsive authorizers to their alternates.
  - Scheduled delegation of approval responsibility from unavailable to alternate approvers.
Access Certifier includes a rich set of built-in reports, designed to answer a variety of questions, such as:
- Who certified user X getting entitlement Y and when?
- What users have entitlement Z?
- What entitlements does user W have?
- Which certifiers respond quickly and which procrastinate?
- What accounts have no known owner (orphaned)?
- What users have no accounts (empty profiles)?
- What accounts have no recent login activity (dormant)?
- What users have no active accounts (dormant)?
- Automated connectors and human implementers:
Access Certifier can be integrated with existing systems and applications using a rich set of over 120 included connectors. This allows it to automatically detect and deprovision entitlements across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternatively, the built-in "implementers" workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems.