Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or reject the proposed change.
Group Manager is available both as a stand-alone solution and as a no-cost module included with Hitachi ID Identity Manager.
Many organizations have deployed Windows servers and Active Directory, and leveraged the powerful access control infrastructure in this platform to manage user access to data. This infrastructure uses security groups to control user access to resources:
Over time, the number of groups grows and in some organizations may surpass the number of users. Moreover, in dynamic organizations users frequently change responsibilities and are assigned new projects. This churn creates complexity:
Complexity in managing large numbers of changes in security group membership leads to real business problems:
Group membership management can be complex and costly when performed manually:
The cost and complexity of group membership management is greatly reduced using self-service:
Group Manager is a component of the Hitachi ID Identity and Access Management Suite designed to streamline user requests to network resources.
Using Group Manager, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the Group Manager web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.
Once the user has selected a resource, Group Manager:
The Group Manager workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.
Group Manager produces real, concrete business value:
Group Manager improves security by ensuring that changes to membership in security groups are properly authorized before being implemented.
Group Manager reduces the cost of IT support by moving requests and authorization for changes to group membership out of IT, to the community of business users.
Group Manager streamlines service delivery regarding the management of membership in security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. This makes the request process painless and the approvals process fast.
Group Manager is currently designed to target a single platform -- Active Directory. Its user interface exposes resources that are typically made accessible by user membership in AD groups:
Group Manager uses plugins to connect to target platforms. The Windows/AD resource discovery plugin is able to drill down into Windows-based network resources, find out which groups have rights to which resources, and look up group owners in Active Directory. The Hitachi ID Identity and Access Management Suite Active Directory connector, included with Group Manager, can enumerate AD users and groups, authenticate AD passwords and update AD group memberships.
Group Manager can be used to manage many different types of resources. A plug-in program binds Group Manager to a specific type of resource, such as Windows shares, whose access is mediated by membership in an Active Directory group. Other resources include network printers and mail distribution lists.
The description is best clarified with a concrete example:
| Step | User | Group Manager | Resource-Type Plug-in | Target System |
|---|---|---|---|---|
| 1 | Sign in using a network login ID and password. | | | Validate credentials. |
| 2 | Initiate a new resource-access request. | | | |
| 3 | | Display a list of descriptive names for configured Windows file servers and shares. | | |
| 4 | Select a share. | | | |
| 5 | | Display a tree view of folders in the selected share. | | |
| 6 | Browse for and select a folder where access is desired. | Interactive tree view display. | Iteratively provide a list of sub-directories from the selected share. | |
| 7 | Select a set of privileges and an authorizer to request. | Display and user input. | Provide a list of groups that have privileges on the share and the security privileges each one has been assigned (read-only, read-write, etc.). One or more owners (authorizers) are provided for each group. | |
| 8 | | Workflow to track change authorization. | | |
| 9 | | (Change approved) Run agent to update the user's group membership. Send a confirmation e-mail to the user and to all owner/authorizers. | | Updated privileges. User can now access the folder. |
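As an added example (not part of the original page and not Hitachi ID's own code), the following PowerShell script performs the discovery that step 7 attributes to the resource-type plug-in: it reads a folder's NTFS ACL, keeps the entries that resolve to Active Directory groups, records the rights each group holds, and looks up each group's owner. The sample folder path, the availability of the ActiveDirectory module, and the use of the ManagedBy attribute as the group owner are assumptions; the page does not specify how the product stores or resolves owners.

```powershell
# Added example, not Hitachi ID code: list the AD groups with NTFS rights on a
# folder and resolve each group's owner (ManagedBy), i.e. the data an approval
# workflow needs to route a request to the right authorizer.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the caller can
# read the folder's ACL and query the domain, and $FolderPath is a constructed
# sample path rather than a real resource.
param(
    [string]$FolderPath = '\\fileserver01\Projects\Apollo'   # constructed sample
)

Import-Module ActiveDirectory

# Well-known principals that are never domain groups and so cannot have an owner
$skipPrefixes = @('BUILTIN\', 'NT AUTHORITY\', 'CREATOR OWNER', 'Everyone')

$acl = Get-Acl -Path $FolderPath

$results = foreach ($ace in $acl.Access) {
    $identity = $ace.IdentityReference.Value
    if ($skipPrefixes | Where-Object { $identity.StartsWith($_) }) { continue }

    # Identity is DOMAIN\name; the part after the backslash is the sAMAccountName
    $name = ($identity -split '\\')[-1]
    try {
        $group = Get-ADGroup -Identity $name -Properties ManagedBy -ErrorAction Stop
    } catch {
        continue   # a user account or an unresolved SID, not a group: skip it
    }

    # ManagedBy holds a distinguished name; resolve it to a UPN if it is a user
    $owner = $null
    if ($group.ManagedBy) {
        $owner = (Get-ADUser -Identity $group.ManagedBy -ErrorAction SilentlyContinue).UserPrincipalName
    }

    [pscustomobject]@{
        Group     = $group.SamAccountName
        Rights    = $ace.FileSystemRights.ToString()   # e.g. ReadAndExecute, Modify
        Type      = $ace.AccessControlType.ToString()  # Allow or Deny
        Inherited = $ace.IsInherited
        Owner     = if ($owner) { $owner } else { '<no ManagedBy set>' }
    }
}

$results | Sort-Object Group | Format-Table -AutoSize
```

Two rows in the output deserve attention from a defender's point of view: a group whose Owner column reads `<no ManagedBy set>` has nobody to approve membership changes, so a workflow of the kind described above cannot route requests for it until an owner is assigned; and a Deny entry means membership in that group removes access rather than granting it, so it should not be offered as something a user can request.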
A shell extension is included with Group Manager which can be deployed on Windows XP, Windows Vista/7/8 PCs. If installed, this component can intercept Windows "access denied" error messages and present an expanded message which allows users to open a web browser to the Group Manager application, where they can request membership in the appropriate AD group.
Windows Shell Extension: Replacing the Native Access Denied Dialog (1)
An analogous integration with SharePoint is provided, which works by extending the "access denied" error page on each SharePoint server.
The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
Group Manager is very simple to configure and manage. For example, to configure it to manage group membership in Active Directory, to enable users to gain access to group-controlled file folders, one need only:
Group Manager deployment is typically very quick:
The entire process typically requires just 2-3 days of technical configuration work.
Group Manager logs all attempted and completed requests for group membership. Group Manager workflow-related reports include:
| Report | Description |
|---|---|
| | Approvals, rejections and failure to respond by authorizers. |
| Request status by authorizer | Lists request-status information for each authorizer to whom a request is assigned. It also includes the actions taken by each authorizer for each request item. |
| Request status by implementer | Lists request-status information for each implementer to whom a request is assigned. |
| | Shows the configuration of pre-defined requests. |
| Request event log | Details and change history of matching requests. |
| | Advanced search of and statistics about current and archived requests. |
| Request volume trend | Trend analysis of request volume per time interval. |
| Participant response time | Analysis of the responsiveness of participants in workflow processes. |
| | Analysis of requests which have had no activity in N days. |
| | Analysis of requests which cannot be completed. |
| Escalated / delegated requests | Analysis of escalation and delegation of requests. |
| | Analysis of the popularity of pre-defined request types, managed resources, operations and workflow participants. |
All workflow requests are retained in the Group Manager database indefinitely, for reporting at any future date.
The Group Manager network architecture is illustrated in Figure [link].
Group Manager Network Architecture Diagram (2)
In the diagram:
Access by the requester and authorizer to Group Manager is typically HTML over HTTPS.
Access by both the requester and Group Manager to the network resources in question may be SMB, DFS or LDAP.
Group Manager currently supports Active Directory group membership management, where AD runs on Windows 2000, 2003, 2008 or 2012 servers.
It also supports management of: