Hitachi ID Access Certifier -- included in Hitachi ID Identity Manager -- enables organizations to review and clean up security entitlements with:
Access Certifier can invite managers to review a list of their direct subordinates and, for each one, certify that the subordinate still works for them, transfer the subordinate to their new manager, or indicate that the user in question has left the organization and their access should be terminated.
Access Certifier can invite both managers and the owners of roles, applications and security groups to review the entitlements which have been assigned to users and either certify that they remain appropriate or ask that they be revoked.
Identity Manager supports enforcement of two types of policy -- role-based access control (RBAC) and segregation of duties (SoD). Access Certifier can be used to review approved exceptions to these policies and either certify that they remain appropriate or ask for the user in question to be brought back into compliance.
Access Certifier requires certifiers to sign off on their work. Signatures form a chain of accountability, acting as evidence that entitlements are still needed. The sign-off process also triggers workflow requests to revoke entitlements which certifiers indicated are no longer required.
Application, group and role owners can be invited by Access Certifier to review lists of users with access to their entitlements.
Access Certifier can be configured to invite every manager to review their direct subordinates and those subordinates' entitlements. Managers are prevented from signing off until the managers who report to them have completed their own certification. This process creates downward pressure on managers to complete their reviews.
Every user deactivation or access revocation request processed by Access Certifier is subject to an authorization process before being completed. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
Access Certifier includes a rich set of built-in reports, designed to answer a variety of questions, such as:
Access Certifier can be integrated with existing systems and applications using a rich set of over 120 included connectors. This allows it to automatically detect and deprovision entitlements across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternatively, the built-in "implementers" workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems.