
Workflow - Hitachi ID Access Certifier

A workflow engine allows people and automated processes to request and authorize security changes directly, without involving security administrators. This is a key feature of any successful identity management and access governance system.

Configuring a workflow process can be challenging. As an IAM system is scaled up to support hundreds of target systems, with hundreds of kinds of updates supported on each one, the workflow engine must scale to appropriately validate and authorize thousands of types of transactions.

With a traditional workflow engine, this would require either thousands of flowcharts or thousands of state tables (either way, unmanageable).

To mitigate the combinatorial explosion in the number of required workflow processes, the Hitachi ID Access Certifier workflow engine is dynamic, in the sense that a single, powerful state machine is used to track authorizations for every possible change (transaction) on every target system. Plug-in programs alter the behavior of the state machine, using business logic to validate inputs, route requests to the appropriate authorizers based on the requested resources or the identity of the requesting principal, and so on.

Rather than requiring organizations to define one flowchart for every supported type of user profile change on every target system, a single, built-in flowchart is used to track change authorization for every possible change type, on every system. Organizations are instead asked to define business logic for a small number of control points in the master flowchart: input validation, authorizer routing, reminder timing and automatic escalation routing. The same workflow engine, implementing the same change authorization process, applies to every possible user update. Shared business logic ensures that appropriate decisions are made for validation and authorization in every case.

This approach eliminates the need for organizations to graphically draw out and maintain thousands of flowcharts (who wants to do that?), with blocks of business logic (programming) embedded in each one. Instead, Hitachi ID Systems customers use a programming language of their choice to write 4 or 5 blocks of general-purpose business logic, for tasks such as input validation, authorizer routing and escalation. The same logic applies globally, which makes dynamic workflow faster to develop, easier to maintain and clearer to audit.
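To make the single-state-machine idea concrete, here is an added illustration (not Hitachi ID code, and not the product's plug-in API) of one authorization engine whose path is varied only by small business-logic plug-ins: validate, route and escalate. The directory data, resource names and people are constructed for the example.

```python
from dataclasses import dataclass, field
@dataclass
class Request:
    requester: str
    target: str      # target system, e.g. "AD" or "Unix"
    change: str      # change type, e.g. "add-group-member"
    resource: str    # requested resource on that system
    state: str = "submitted"
    authorizers: list = field(default_factory=list)
    decisions: dict = field(default_factory=dict)

# Constructed directory data and three plug-in control points (assumed names).
OWNERS = {"Finance-Admins": "alice", "sudoers": "bob"}
MANAGERS = {"carol": "dave"}

def validate(req):
    # Reject unknown resources and requests made by the resource owner (self-approval).
    return req.resource in OWNERS and req.requester != OWNERS[req.resource]

def route(req):
    # Resource owner always; group membership changes also need the requester's manager.
    auth = [OWNERS[req.resource]]
    if req.change == "add-group-member":
        auth.append(MANAGERS.get(req.requester, "iam-team"))
    return auth

def escalate(req, authorizer):
    return MANAGERS.get(authorizer, "iam-team")  # their manager, else the IAM team

class Engine:
    """One state machine for every (target, change) pair; the plug-ins vary its path."""
    def submit(self, req):
        if not validate(req):
            req.state = "rejected"
        else:
            req.authorizers, req.state = route(req), "pending"
        return req
    def decide(self, req, who, approve):
        if req.state != "pending" or who not in req.authorizers:  # only active authorizers
            raise PermissionError(f"{who} is not an active authorizer")
        req.decisions[who] = approve
        if not approve:
            req.state = "rejected"
        elif all(a in req.decisions for a in req.authorizers):
            req.state = "approved"
        return req
    def timeout(self, req, who):
        # Reminder deadline passed with no answer: swap in the escalation target.
        req.authorizers = [escalate(req, a) if a == who else a for a in req.authorizers]
        return req
```

The same `Engine` handles an Active Directory group change and a Unix sudo grant; only the routing and escalation outcomes differ, which is the property the text describes.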

Dynamic workflow is illustrated in Figure [link].

[Figure: Access Certifier Dynamic Workflow]

A dynamic workflow engine is significantly easier to set up and maintain than the alternative: a traditional workflow engine in which a graphical flowchart or a state table is manually defined for each and every one of the thousands of possible transaction types.

Using its dynamic workflow engine, Access Certifier can be configured and deployed in weeks, rather than months or years. Furthermore, the dynamic workflow engine in Access Certifier requires minimal ongoing maintenance, resulting in a much lower TCO than a traditional workflow engine.

Read More:

  • Architecture:
    Hitachi ID Suite network architecture.
  • Included Connectors:
    Systems on which Access Certifier can audit and reduce privileges.
  • Auto-Discovery System:
    How the Hitachi ID Access Certifier automatically discovers new, deleted and changed users and privileges on integrated systems and applications.
  • Other Integrations:
    Integrations between Hitachi ID Suite and other parts of an IT infrastructure.
  • Workflow:
    Workflow to prompt stakeholders to perform micro-audits, and to authorize access reductions.
  • RBAC:
    Relating Access Certification to role based access control.
  • Server Requirements:
    Sizing, configuration and number of servers on which to deploy Access Certifier.
  • Language Support:
    Languages supported by the Hitachi ID Identity and Access Management Suite.