Access Certification - Hitachi ID Identity Manager
Hitachi ID Identity Manager includes a built-in infrastructure to perform periodic
certification of users and entitlements.
Access certification is a process where business stakeholders are
periodically invited to review entitlements, sign off on entitlements
that appear to be reasonable and flag questionable entitlements for
There are several components to access certification:
Before entitlements can be reviewed, they have to be collected
from systems and applications and mapped to users. Technical
identifiers should be replaced by human-legible descriptions
that reviewers will understand. Since entitlements change
all the time, discovery should be a regularly scheduled,
automated process, not a one-time data load.
- Who performs the reviews?
Options include managers -- asked to review their subordinates;
application or data owners -- asked to review lists of users
who can access their applications or data; or security officers --
asked to review high-risk entitlements.
- When are reviews performed?
The frequency may vary with the business risk posed by the
entitlements in question.
- What kinds of entitlements are reviewed?
The highest level review is of employment status -- should the
user in question still have access to any systems? Slightly more
granular is a review of roles -- should the user in question
still have these roles? At the lowest level of granularity
are basic entitlements -- should the user in question have
a login ID on this system or belong to this security group?
- Which entitlements warrant a review?
Not every entitlement poses a significant business risk.
User membership in the social committee mailing list is
not really worth reviewing, for example. Some determination
must be made of the risk level posed by each entitlement,
as this forms the basis for deciding whether to review it
and how often.
- What happens to rejected entitlements?
Reviewers may flag entitlements as inappropriate, in which
case something should be done. Does this raise a work order
in an IT issue management system or trigger a connector to
revoke the entitlement immediately? Should further reviews
take place before the entitlement is revoked?
Review list of subordinates, certify that they still need logins
- Certify that a list of users are still employed by the organization
and each of them still reports to the manager performing the
- The simplest form of access certification asks "do these people
still work here, and report to you?"
- For each subordinate, the manager can accept (still works
for me), revoke (left the organization) or transfer (works for
- This type of review is normally hierarchical -- every manager
in the organization is asked to review his or her list of
direct reports, in a bottom-up sequence.
- This is a good starting point for access certification.
Review group memberships
- Review a list of users in a security group.
- Approve most, revoke one.
- Owners of security groups may be periodically invited to
review the membership of their groups.
- They can either accept or reject every group member.
- When a group member is removed, this triggers a workflow
request -- with an audit trail and possibly further
validation and/or approvals -- before the user is actually
removed from the group.
Review assigned roles
- Review a list of users who have been assigned a role.
- Approve most, remove the role from one.
- In principle, any user may be asked to certify role assignment
for any list of other users.
- By default, a resource's owner is assigned to certify
the users who have that resource (the resource is a role
in this case).
Review violations to segregation of duties (SoD) policies
- Review a list of users who violate an SoD policy.
- For each violation, either remove one of the offending security
entitlements or create an approved exception.
- SoD rules may be expressed in terms of individual entitlements
(accounts, group memberships), roles or both.
- SoD violations must be corrected manually, since the
system cannot predict which of several conflicting
entitlements should be removed and which are appropriate
to the user's needs and should be kept.
- SoD violations can also be approved, which means that there
is a business reason to violate the policy.
- Application owner reviews a list of users with access
to his application as well as their entitlements (groups) within
- Review of application access by application owner.
- Review includes fine-grained entitlements.
- Organize data by user or by login ID/group.