Overview of Authorization Process
All change requests processed by Hitachi ID Identity Manager, regardless of whether
they originated with the auto-provisioning engine, the identity
synchronization engine, self-service profile updates or the
delegated administration module, may be subject to an authorization
process before being completed.
The Identity Manager workflow engine is designed to get quick and reliable
feedback from groups of business users, who may be individually
unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable
to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively
escalating requests if an OOO message has been set.
- Allowing authorizers to approve or reject requests from their
mobile phone (from any location, at any time, without a VPN).
Selecting the Right Authorizers
Requests may be submitted to the Identity Manager workflow engine using
the included request web portal, by an automated process that monitors
a system of record for changes, via a batch loader or through the inbound
web services API.
Any request may require approval. Any operation on any managed
resource (account/target system, group membership, role assignment)
may have one or more authorizers assigned. These resource-linked
authorizers are normally augmented by organizationally-linked
authorizers, selected via business logic. This logic specifies
how many approvers are required (possibly zero), who they are, etc.
A rules table is normally used to select participants for a workflow
request. The request is compared to a series of rules and where
a rule matches, participants, such as authorizers, are assigned,
typically using a user class that relates the new participant to
the requester or recipient. Rule matching may be based on the
form that was used, the membership of the requester or recipient in
a group, the type of operation requested, the initial or end-state
risk score for the recipient, the entitlement(s) involved, etc.
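The following is an added example, not Hitachi ID's code, that models the mechanism described in the two sections above: a rules table that matches a request and assigns organizationally-linked authorizers (here relative to the recipient's manager chain and group membership) on top of the resource-linked entitlement owner, pre-emptive escalation when an authorizer has set an out-of-office flag, an N-of-M decision, and escalation of non-responders to their alternates after reminders go unanswered. All users, entitlements, rules and the required-approval count are constructed assumptions for illustration; the product's own rule syntax and data model are not shown on this page.

```python
"""Added example (not Hitachi ID's code): rules-table authorizer selection
plus N-of-M approval with out-of-office pre-emption and escalation.
Every user, entitlement and rule here is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    uid: str
    manager: Optional[str] = None
    alternate: Optional[str] = None      # receives escalated approvals
    groups: Set[str] = field(default_factory=set)
    out_of_office: bool = False


@dataclass
class Request:
    requester: str
    recipient: str
    operation: str        # e.g. "add-group", "create-account"
    entitlement: str
    risk_score: int = 0   # hypothetical end-state risk score for the recipient


# Constructed directory (not real people).
USERS: Dict[str, User] = {
    "alice": User("alice", manager="bob", groups={"finance"}),
    "bob":   User("bob", manager="carol", alternate="dave", out_of_office=True),
    "carol": User("carol", alternate="erin"),
    "dave":  User("dave"),
    "erin":  User("erin"),
    "frank": User("frank", groups={"contractors"}),
    "grace": User("grace", alternate="heidi"),
    "heidi": User("heidi"),
}
# Resource-linked authorizers: the owner of each entitlement (constructed).
ENTITLEMENT_OWNERS: Dict[str, str] = {"sap-gl-post": "grace", "vpn": "dave"}

# Rules table: (name, match predicate, selector). A selector returns the
# organizationally-linked authorizers, expressed relative to the recipient.
RULES: List[Tuple[str, Callable[[Request], bool],
                  Callable[[Request], List[Optional[str]]]]] = [
    ("group additions need the recipient's manager",
     lambda r: r.operation == "add-group",
     lambda r: [USERS[r.recipient].manager]),
    ("high-risk end state also needs the manager's manager",
     lambda r: r.risk_score >= 70,
     lambda r: [USERS[m].manager for m in [USERS[r.recipient].manager] if m]),
    ("contractor recipients always need the entitlement owner",
     lambda r: "contractors" in USERS[r.recipient].groups,
     lambda r: [ENTITLEMENT_OWNERS.get(r.entitlement)]),
]


def select_authorizers(req: Request) -> List[str]:
    """Entitlement owner first, then each matching rule's participants.
    Deduplicate; never let the requester or recipient approve their own request."""
    candidates: List[Optional[str]] = [ENTITLEMENT_OWNERS.get(req.entitlement)]
    for _name, match, select in RULES:
        if match(req):
            candidates.extend(select(req))
    chosen: List[str] = []
    for uid in candidates:
        if uid and uid not in chosen and uid not in (req.requester, req.recipient):
            chosen.append(uid)
    return chosen


def resolve_available(uid: str) -> str:
    """Follow the alternate chain past anyone who has set an out-of-office flag."""
    visited: Set[str] = set()
    while USERS[uid].out_of_office and USERS[uid].alternate and uid not in visited:
        visited.add(uid)
        uid = USERS[uid].alternate
    return uid


def preempt_out_of_office(authorizers: List[str]) -> List[str]:
    """Pre-emptive escalation: swap OOO authorizers for alternates before inviting."""
    return [resolve_available(u) for u in authorizers]


def decide(authorizers: List[str], responses: Dict[str, str], required: int) -> str:
    """N-of-M: one rejection rejects; `required` approvals approve; else pending."""
    if any(responses.get(u) == "reject" for u in authorizers):
        return "rejected"
    approvals = sum(1 for u in authorizers if responses.get(u) == "approve")
    return "approved" if approvals >= required else "pending"


def escalate_nonresponders(authorizers: List[str], responses: Dict[str, str]) -> List[str]:
    """After reminders go unanswered, hand a silent authorizer's seat to the alternate
    (an authorizer with no alternate keeps the seat)."""
    return [USERS[u].alternate if responses.get(u) is None and USERS[u].alternate else u
            for u in authorizers]


if __name__ == "__main__":
    req = Request("frank", "alice", "add-group", "sap-gl-post", risk_score=80)
    invited = preempt_out_of_office(select_authorizers(req))  # bob is OOO -> dave
    responses = {"grace": "approve"}                          # dave and carol stay silent
    print(invited, decide(invited, responses, required=2))
    invited = escalate_nonresponders(invited, responses)      # carol -> erin
    responses["erin"] = "approve"
    print(invited, decide(invited, responses, required=2))
```

The decision rule is deliberately asymmetric: a single rejection ends the request, while approval needs N of the M invited seats. Escalation replaces a seat rather than adding one, so the M in N-of-M stays fixed and the required count does not silently drift as alternates are pulled in.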
Identity Manager Dynamic Workflow
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RACF and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stake-holders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of OrgChart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors, together with a built-in process that invites system administrators to implement changes by hand where no connector exists, supports rapid deployment of the solution to all systems and applications.