Access Request Portal - Hitachi ID Identity Manager
Hitachi ID Identity Manager includes a request portal, intended for users
to accomplish a variety of functions:
- Users can manage their own credentials -- choosing new passwords and PINs for integrated systems and applications, populating security questions, etc.
- Self-service profile updates:
  - Entering information such as home contact information.
  - Requesting organizational changes, such as transfers to a new location, department or manager.
- Self-service requests for access:
  - Group membership.
  - Role assignment.
  - Login IDs on systems or applications.
  - Access to shares, folders, SharePoint sites or other resources.
- White pages / directory search:
  - Find another user by entering their name, department, manager, etc.
  - Browse the org-chart structure.
- Delegated changes:
  - To create new user profiles for users who do not appear in any system of record (SoR).
  - To correct data that does appear in an SoR but is incorrect or obsolete there.
  - Allowing the same types of requests as self-service, but by one user on behalf of another user.
- Workflow request management -- monitor progress on open requests, approve, deny or cancel requests, and manage delegation of authority or responsibility from one user to another.
This portal is completely policy driven. For example, what options a user gets, which other users he can find or make requests on behalf of, and what identity information one user can see of another are all determined by rules. Rules may be simple, role-style rules ("all users with attribute X and membership in group Y can perform action Z"). More powerful rules are based on relationships ("user A can request operation B in relation to user C if user A is in group G and users A and C are in the same department").
Requests submitted through this portal are subject to validation logic (e.g., rules such as "is the city in the user's address consistent with the state or province?") and to approvals. Requests are routed to zero or more authorizers, where approval by some or all of the authorizers is required. The choice of authorizers is normally dynamic -- driven by policy rules and data accessed at run time.
Account Request Workflow
An example use case of the Identity Manager request workflow portal is where
one user requests new access for another, such as when a manager hires
Identity Manager supports manager-initiated user provisioning with its built-in workflow engine. Managers sign into the Identity Manager web portal, initiate a change request, fill in the blanks to describe the new user, and select the roles, systems and entitlements that the user will need access to.
Change requests are validated by Identity Manager, and the manager may be required to make corrections. Completed requests are automatically routed to the appropriate authorizers (using business logic programmed into Identity Manager) and await approval. Once a change is approved, Identity Manager applies it to target systems: creating accounts, allocating badges or tokens, enabling phone lines, etc. Automating user provisioning in this way decreases the time a new employee waits for access and therefore increases productivity.
Update contact information
- An employee logs into Identity Manager and updates his own contact information.
- The request is automatically approved.
- Routine changes, for example to personal contact information, can be moved from a help desk call to a self-service model.
- Access controls determine who can see and who can modify what in whose profile. In this case, self-service update of contact information is allowed.
- Security policy also determines what authorization is required before a change request is completed. In this case, none.
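The following is an added example, not Hitachi ID's own code or rule language, that models the request handling the page describes in the policy paragraph, the account request workflow and the contact-update use case above: a requester is checked against role-style and relationship-based rules, the request is validated (the city/state consistency check), authorizers are selected dynamically from directory data, and the request is approved, denied or left pending depending on whether some or all authorizers have responded. The directory entries, group owner table and city/state reference data are constructed sample values; the function names and the rule predicates are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    uid: str
    department: str
    groups: frozenset
    manager: Optional[str] = None  # uid of this user's manager
    city: str = ""
    state: str = ""


# Constructed sample directory; none of these are real identities.
DIRECTORY = {u.uid: u for u in [
    User("alice", "finance", frozenset({"managers"}), manager="carol"),
    User("frank", "finance", frozenset({"managers"}), manager="carol"),
    User("bob", "finance", frozenset(), manager="frank", city="Calgary", state="AB"),
    User("dave", "sales", frozenset({"managers"}), manager="carol"),
    User("carol", "exec", frozenset({"app-owners"})),
]}
GROUP_OWNERS = {"erp-users": "carol"}            # constructed: group owner approves membership
CITY_STATE = {"Calgary": "AB", "Toronto": "ON"}  # constructed reference data for validation

# A rule is a predicate over (requester A, operation B, subject C).
Rule = Callable[[User, str, User], bool]


def simple_rule(group: str, operation: str) -> Rule:
    """'All users in group Y can perform action Z' (the attribute check is omitted here)."""
    return lambda a, op, c: op == operation and group in a.groups


def relationship_rule(group: str, operation: str) -> Rule:
    """'A can request B for C if A is in G and A and C are in the same department.'"""
    return lambda a, op, c: (op == operation and group in a.groups
                             and a.department == c.department)


def self_service_rule(operation: str) -> Rule:
    """A may perform the operation only on their own profile."""
    return lambda a, op, c: op == operation and a.uid == c.uid


RULES = [
    self_service_rule("update-contact"),
    relationship_rule("managers", "grant-group"),
    simple_rule("app-owners", "grant-group"),
]


def is_permitted(requester: User, operation: str, subject: User) -> bool:
    return any(rule(requester, operation, subject) for rule in RULES)


def validate(operation: str, payload: dict) -> list:
    """Validation logic, e.g. 'is the city consistent with the state or province?'."""
    errors = []
    if operation == "update-contact":
        city, state = payload.get("city"), payload.get("state")
        if city in CITY_STATE and CITY_STATE[city] != state:
            errors.append(f"city {city} is not in {state}")
    if operation == "grant-group" and payload.get("group") not in GROUP_OWNERS:
        errors.append("unknown group")
    return errors


def select_authorizers(operation: str, subject: User, payload: dict) -> list:
    """Authorizers are chosen at run time from directory data. An empty list means
    the request is auto-approved, as in the self-service contact-update case."""
    if operation == "grant-group":
        candidates = {subject.manager, GROUP_OWNERS[payload["group"]]}
        return sorted(a for a in candidates if a)
    return []


def process_request(requester_uid: str, operation: str, subject_uid: str,
                    payload: dict, decisions: dict, require_all: bool = True) -> dict:
    """Run one request through entitlement check, validation, routing and approval.
    `decisions` maps authorizer uid -> 'approve' | 'deny' for responses received so far;
    `require_all` selects 'all authorizers' versus 'any one authorizer' approval."""
    requester, subject = DIRECTORY[requester_uid], DIRECTORY[subject_uid]
    if not is_permitted(requester, operation, subject):
        return {"status": "rejected", "reason": "requester not entitled to this request"}
    errors = validate(operation, payload)
    if errors:
        return {"status": "needs-correction", "errors": errors}
    authorizers = select_authorizers(operation, subject, payload)
    votes = [decisions.get(a) for a in authorizers]
    if "deny" in votes:
        status = "denied"
    elif not authorizers or (all(v == "approve" for v in votes) if require_all
                             else "approve" in votes):
        status = "approved"
    else:
        status = "pending"
    return {"status": status, "authorizers": authorizers}


if __name__ == "__main__":
    # Self-service contact update: no authorizers, so it is approved immediately.
    print(process_request("bob", "update-contact", "bob", {"city": "Calgary", "state": "AB"}, {}))
    # Manager requests group membership for a report in the same department: routed for approval.
    print(process_request("alice", "grant-group", "bob", {"group": "erp-users"}, {}))
```

The entitlement check runs before validation and routing, so a requester who is not entitled to make a request never learns which authorizers it would have reached; a rejected request and a validation failure are also reported as distinct statuses so that the portal can send the requester back to correct data only when the request itself was legitimate.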
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RACF and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stakeholders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors, plus a built-in process that invites system administrators to implement changes manually where no connector exists, support rapid deployment of the solution to all systems and applications.