Hitachi ID Identity Manager includes a built-in infrastructure to perform periodic
certification of users and entitlements.
Access certification is a process in which business stakeholders are
periodically invited to review entitlements, sign off on entitlements
that appear reasonable and flag questionable entitlements for
There are several components to access certification:
- Before entitlements can be reviewed, they have to be collected
from systems and applications and mapped to users. Technical
identifiers should be replaced by human-legible descriptions
that reviewers will understand. Since entitlements change
all the time, discovery should be a regularly scheduled,
automated process, not a one-time data load.
- Who performs the reviews?
Options include managers -- invited to review their subordinates;
application or data owners -- invited to review lists of users
who can access their applications or data; or security officers --
asked to review high-risk entitlements.
- When are reviews performed?
The frequency may vary with the business risk posed by the
entitlements in question.
- What kinds of entitlements are reviewed?
The highest level review is of employment status -- should the
user in question still have access to any systems? Slightly more
granular is a review of roles -- should the user in question
still have these roles? At the lowest level of granularity
are basic entitlements -- should the user in question have
a login ID on this system or belong to this security group?
- Which entitlements warrant a review?
Not every entitlement poses a significant business risk.
User membership in the social committee mailing list is
not really worth reviewing, for example. Some determination
must be made of the risk level posed by each entitlement,
as this forms the basis for deciding whether to review it
and how often.
- What happens to denied entitlements?
Reviewers may flag entitlements as inappropriate, in which
case something should be done. Does this raise a work order
in an IT issue management system or trigger a connector to
revoke the entitlement immediately? Should further reviews
take place before the entitlement is revoked?
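The components above (discovery, a human-legible catalogue, risk-based scheduling and reviewer routing) can be exercised end to end in a small campaign builder. This is an added illustration, not Hitachi ID code; the catalogue entries, risk tiers, intervals and reviewer roles are constructed assumptions.

```python
"""Risk-tiered access certification campaign builder (added example).

Takes discovered entitlements, replaces technical identifiers with
descriptions, decides which are due for review and routes each to a
reviewer. Low-risk entitlements are deliberately left out of the campaign.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed catalogue: technical identifier -> (description, risk tier).
CATALOG = {
    "AD:CN=Domain Admins":   ("Domain administrator (all Windows hosts)", "high"),
    "SAP:F_BKPF_BUK":        ("Post journal entries in SAP FI", "medium"),
    "AD:CN=SocialCommittee": ("Social committee mailing list", "low"),
}
# Review interval per tier; None means the entitlement is not worth reviewing.
INTERVAL_DAYS = {"high": 90, "medium": 180, "low": None}
# High-risk items go to a security officer, the rest to the resource owner.
REVIEWER_ROLE = {"high": "security_officer", "medium": "resource_owner"}

@dataclass(frozen=True)
class Entitlement:
    user: str
    identifier: str        # identifier exactly as collected from the target
    last_certified: date   # date of the most recent sign-off

@dataclass(frozen=True)
class ReviewItem:
    reviewer_role: str
    user: str
    description: str

def build_campaign(entitlements, today):
    """Return the ReviewItems due on `today`. Identifiers missing from the
    catalogue are treated as medium risk so they cannot silently escape."""
    items = []
    for e in entitlements:
        description, risk = CATALOG.get(e.identifier, (e.identifier, "medium"))
        interval = INTERVAL_DAYS[risk]
        if interval is not None and e.last_certified + timedelta(days=interval) <= today:
            items.append(ReviewItem(REVIEWER_ROLE[risk], e.user, description))
    return items

def sample_campaign():
    """Constructed sample run: two of four entitlements come up for review."""
    discovered = [
        Entitlement("alice", "AD:CN=Domain Admins", date(2024, 3, 1)),    # high, overdue
        Entitlement("bob", "SAP:F_BKPF_BUK", date(2024, 3, 1)),           # medium, not yet due
        Entitlement("carol", "AD:CN=SocialCommittee", date(2020, 1, 1)),  # low, never reviewed
        Entitlement("dave", "LDAP:cn=unknown", date(2023, 1, 1)),         # uncatalogued, overdue
    ]
    return build_campaign(discovered, date(2024, 7, 1))
```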
Review list of subordinates, certify that they still need logins
- Certify that a list of users are still employed by the organization
and each of them still reports to the manager performing the
- The simplest form of access certification asks "do these people
still work here, and report to you?"
- For each subordinate, the manager can accept (still works
for me), revoke (left the organization) or transfer (works for
- This type of review is normally hierarchical -- every manager
in the organization is asked to review his or her list of
direct reports, in a bottom-up sequence.
- This is a good starting point for access certification.
Review group memberships
- Review a list of users in a security group.
- Approve most, revoke one.
- Owners of security groups may be periodically invited to
review the membership of their groups.
- They can either accept or reject every group member.
- When a group member is removed, this triggers a workflow
request -- with an audit trail and possibly further
validation and/or approvals -- before the user is actually
removed from the group.
Review assigned roles
- Review a list of users who have been assigned a role.
- Approve most, remove the role from one.
- In principle, any user may be asked to certify role assignment
for any list of other users.
- By default, a resource's owner is assigned to certify
the users who have that resource (the resource is a role
in this case).
Review violations of segregation of duties (SoD) policies
- Review a list of users who violate an SoD policy.
- For each violation, either remove one of the offending security
entitlements or create an approved exception.
- SoD rules may be expressed in terms of individual entitlements
(accounts, group memberships), roles or both.
- SoD violations must be corrected manually, since the
system cannot predict which of several conflicting
entitlements should be removed and which are appropriate
to the user's needs and should be kept.
- SoD violations can also be approved, which means that there
is a business reason to violate the policy.
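An SoD check along the lines described here, written as an added example rather than Hitachi ID code: rules may name individual entitlements, roles or both, effective entitlements include those granted through roles, and a hit is handed to a reviewer with both offending sides listed instead of being remediated automatically, unless an approved exception already covers it. Role names, entitlement identifiers and rules are constructed.

```python
"""Segregation-of-duties check over effective entitlements (added example)."""

# Constructed role definitions: role -> entitlements the role grants.
ROLES = {
    "AP_CLERK":    {"SAP:create_vendor", "SAP:enter_invoice"},
    "AP_APPROVER": {"SAP:approve_payment"},
}
# Conflicting pairs. A side is either "role:<name>" or a raw entitlement,
# so one rule set can mix both levels of granularity.
SOD_RULES = [
    ("role:AP_CLERK", "role:AP_APPROVER"),          # role vs role
    ("SAP:create_vendor", "SAP:approve_payment"),    # entitlement vs entitlement
    ("role:AP_CLERK", "BANK:release_wire"),         # role vs entitlement
]

def effective(user):
    """Direct entitlements plus everything granted through assigned roles."""
    held = set(user["entitlements"])
    for role in user["roles"]:
        held |= ROLES.get(role, set())
    return held

def holds(user, side):
    """True if the user satisfies one side of a rule."""
    if side.startswith("role:"):
        return side[len("role:"):] in user["roles"]
    return side in effective(user)

def sod_violations(user, approved_exceptions=frozenset()):
    """Return the rules `user` violates, minus those with an approved
    exception. Each hit names both offending sides and asks for review;
    the system never picks which entitlement to remove."""
    hits = []
    for a, b in SOD_RULES:
        if (a, b) in approved_exceptions:
            continue                      # documented business reason on file
        if holds(user, a) and holds(user, b):
            hits.append({"user": user["id"], "conflict": (a, b), "action": "review"})
    return hits
```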
- Application owner reviews a list of users with access
to his application as well as their entitlements (groups) within
- Review of application access by application owner.
- Review includes fine-grained entitlements.
- Organize data by user or by login ID/group.
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RACF and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stakeholders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors and a built-in process to invite system administrators support rapid deployment of the solution to all systems and applications.