
Automated User Provisioning and Deactivation - Hitachi ID Identity Manager

Hitachi ID Identity Manager can monitor one or more systems of record on a periodic basis (e.g., nightly or every few hours), enumerating new, deleted and changed users. In the case of an HR application, for example, these changes may represent new hires, terminations and transfers. Auto-discovery is performed on all integrated systems and applications -- not just systems of record.

Changes detected by Identity Manager are passed through a data filter, which removes users that are outside Identity Manager's scope. For instance, in a scenario where Identity Manager manages all users in one country, but the HR system is global, Identity Manager would ignore changes to users from other countries.

All changes to a given user are aggregated and business logic is executed, with the set of changes as input. This is best illustrated with some examples:

Detected change: New user appears in an HR application.
Actions:
  • Look up the appropriate role based on the user's location and job code.
  • Submit a change request to the Identity Manager workflow engine, to create a new user, with the HR-provided identity attributes and with resources specified by the role.
Net result: Auto-provisioning.

Detected change: New phone number detected on the white pages directory.
Actions:
  • White pages has a higher priority for the phone number attribute than other systems.
  • Submit a change request to the Identity Manager workflow engine, to change the phone number in the user's profile.
  • Once approved (most likely automatically), the new phone number is mapped to the other login IDs belonging to the user and connectors are run to update this information on the other systems.
Net result: Identity synchronization.

Detected change: Change to termination date is detected on the HR system.
Actions:
  • Using the identity synchronization mechanism described above, set this date on the user's profile.
  • A separate batch process periodically identifies users with termination dates of today or earlier and submits requests to disable all accounts for every matching user.
Net result: Automated termination.

Detected change: User disappears from the system of record (HR).
Actions:
  • Look up all of the user's login IDs.
  • Submit a "disable all accounts" change request to the Identity Manager workflow engine.
  • Given the source of the request (employee gone from HR), this type of change may be auto-approved.
Net result: Automated termination (2nd method).

Detected change: User was added to the Administrators group on an Active Directory domain.
Actions:
  • Since the change was detected on AD, it follows that it was not initiated by Identity Manager.
  • Submit two change requests to the workflow engine:
    • Remove the user from the Administrators group (this is an auto-approved change).
    • Add the user to the Administrators group (requires approval).
  • Create a security incident in the help desk system.
Net result: Detect unauthorized privilege escalation.

Collectively, these processes are known as automated user management. They are implemented by the ID-Track component in Identity Manager.
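The polling, filtering and rule-dispatch cycle described above, written out as an added Python example. This is illustrative code, not Hitachi ID's ID-Track component or any Identity Manager API: the system names (hr, whitepages, ad), the attribute priority table, the role lookup, the country scope, the user records and the shape of the change requests are all constructed assumptions. It runs one cycle over "previous" and "current" snapshots of three systems, drops out-of-scope users, and produces the same kinds of outcomes the examples list: auto-provisioning, identity synchronization, both termination paths, and the revert-plus-incident response to a group change seen directly on AD.

```python
from datetime import date

# Constructed configuration (assumptions, not Identity Manager settings):
# authoritative system per attribute, role lookup by (location, job code),
# the provisioning scope, and the AD groups treated as privileged.
ATTRIBUTE_PRIORITY = {"phone": "whitepages", "termination_date": "hr"}
ROLE_TABLE = {("Toronto", "ENG"): "engineer", ("Toronto", "HR"): "hr_staff"}
IN_SCOPE_COUNTRIES = {"CA"}
PRIVILEGED_GROUPS = {"Administrators"}


def detect_changes(previous, current):
    """Diff two snapshots of one system ({user_id: {attr: value}}) into
    (kind, user_id, data) tuples. For 'changed', data maps each attribute
    to an (old, new) pair so rules can see what was gained or lost."""
    changes = []
    for uid in sorted(current.keys() - previous.keys()):
        changes.append(("added", uid, current[uid]))
    for uid in sorted(previous.keys() - current.keys()):
        changes.append(("removed", uid, previous[uid]))
    for uid in sorted(current.keys() & previous.keys()):
        diff = {k: (previous[uid].get(k), v) for k, v in current[uid].items()
                if previous[uid].get(k) != v}
        if diff:
            changes.append(("changed", uid, diff))
    return changes


def in_scope(uid, kind, data, profiles):
    """Data filter: keep only users whose country this instance manages.
    Added/removed records carry their own country; for attribute changes
    the user's existing profile is consulted instead."""
    record = data if kind != "changed" else profiles.get(uid, {})
    country = record.get("country") or profiles.get(uid, {}).get("country")
    return country in IN_SCOPE_COUNTRIES


def apply_rules(system, changes, profiles):
    """Business logic over the filtered change set of one system.
    Returns workflow change requests plus security incidents to open."""
    requests, incidents = [], []
    for kind, uid, data in changes:
        if not in_scope(uid, kind, data, profiles):
            continue
        if system == "hr" and kind == "added":
            # Auto-provisioning: role from location + job code, attributes from HR.
            role = ROLE_TABLE.get((data["location"], data["job_code"]), "basic")
            requests.append({"op": "create_user", "user": uid, "role": role,
                             "attrs": dict(data), "auto_approve": False})
        elif system == "hr" and kind == "removed":
            # Gone from the system of record: disable everything, auto-approved.
            requests.append({"op": "disable_all_accounts", "user": uid,
                             "auto_approve": True})
        elif kind == "changed":
            for attr, (old, new) in data.items():
                if ATTRIBUTE_PRIORITY.get(attr) == system:
                    # Identity synchronization: only the authoritative system
                    # for an attribute may push it into the profile.
                    requests.append({"op": "set_attribute", "user": uid, "attr": attr,
                                     "value": new, "auto_approve": True})
                if system == "ad" and attr == "member_of":
                    # Seen on AD itself, so not initiated through the IAM system:
                    # revert at once, re-request via approval, open an incident.
                    gained = (set(new) - set(old or ())) & PRIVILEGED_GROUPS
                    for group in sorted(gained):
                        requests.append({"op": "remove_from_group", "user": uid,
                                         "group": group, "auto_approve": True})
                        requests.append({"op": "add_to_group", "user": uid,
                                         "group": group, "auto_approve": False})
                        incidents.append(f"unauthorized escalation: {uid} added to {group}")
    return requests, incidents


def termination_batch(profiles, today):
    """Separate scheduled job: disable users whose termination date has arrived."""
    return [{"op": "disable_all_accounts", "user": uid, "auto_approve": True}
            for uid, p in sorted(profiles.items())
            if p.get("termination_date") is not None and p["termination_date"] <= today]


# Constructed sample data: existing profiles, and (previous, current) snapshots.
PROFILES = {"jdoe": {"country": "CA", "termination_date": date(2024, 3, 1)},
            "lmartin": {"country": "FR"}}
SNAPSHOTS = {
    "hr": ({"jdoe": {"country": "CA", "location": "Toronto", "job_code": "ENG"},
            "lmartin": {"country": "FR", "location": "Paris", "job_code": "ENG"}},
           {"asmith": {"country": "CA", "location": "Toronto", "job_code": "ENG"},
            "lmartin": {"country": "FR", "location": "Paris", "job_code": "HR"}}),
    "whitepages": ({"jdoe": {"phone": "555-0100"}}, {"jdoe": {"phone": "555-0199"}}),
    "ad": ({"jdoe": {"member_of": ["Users"]}},
           {"jdoe": {"member_of": ["Users", "Administrators"]}}),
}


def run_cycle(snapshots=SNAPSHOTS, profiles=PROFILES, today=date(2024, 3, 1)):
    """One polling cycle over every integrated system, then the termination job."""
    requests, incidents = [], []
    for system, (previous, current) in snapshots.items():
        reqs, incs = apply_rules(system, detect_changes(previous, current), profiles)
        requests += reqs
        incidents += incs
    requests += termination_batch(profiles, today)
    return requests, incidents


if __name__ == "__main__":
    for item in run_cycle()[0]:
        print(item)
```

Two design points worth noting: lmartin's job-code change is dropped by the scope filter before any rule sees it, which is the behaviour the page describes for a global HR feed feeding a single-country deployment; and the AD rule never pushes `member_of` into the profile because AD is not listed as authoritative for it, so a change seen there is treated purely as something to revert and investigate.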


Watch a Movie

Automatic provisioning (scheduled batch process)

Content:

  • A new employee is added to an HR application.
  • A batch process is triggered manually (just for demos -- normally it is scheduled).
  • Accounts for the new user are automatically created on AD and elsewhere.

Key concepts:

  • Automation is typically a batch process that runs at least once daily.
  • Business logic determines what to do when user records are added to, removed from or changed on each system of record.
  • Most suitable for coarse-grained (i.e., hire/fire) changes detected on HR systems.
  • Can also automate synchronization of identity attributes between systems.

First login for new contractor

Content:

  • A newly hired contractor signs in by answering security questions based on PII data (driver's license, mother's maiden name, date of birth, etc.).
  • A random PIN may also be sent to the user's phone or personal e-mail address.
  • Once authenticated, the user must complete a profile of security questions / answers.
  • The user resets his own password -- there was never a known, shared password value.
  • The user may be asked to review and accept policy documents at first login.

Key concepts:

  • Eliminate the need for predictable initial password.
  • Capture security questions at first login.
  • Get new users to read and accept policy documents.

Automatically provisioning new employees

Content:

  • HR creates new employees in the HR system.
  • HiIM detects the changes and requests network and application access.
  • Managers approve requests and new accounts are created.

Key concepts:

  • Leverage HR input to automatically create and delete logical access.
  • Manager approval can be used if HR is not totally authoritative.

Scheduling and automating access deactivation

Content:

  • A termination date is scheduled for a contractor.
  • HiIM reminds the manager that the date can be changed before it passes.
  • Access is automatically disabled on the termination date.
  • Accounts are deleted at a later date.

Key concepts:

  • Lifecycle events, such as hires and terminations, can be scheduled.
  • Sequences of events, such as advance warnings before the termination date and actual deletion at a later date, are also automated.

Scheduled termination

Content:

  • A manager schedules termination/deactivation for one of his subordinates.
  • Members of the HR department are invited to approve the change.

Key concepts:

  • Scheduled events, such as deactivation, are modeled using a date attribute in the user's profile.
  • Access controls determine who can see this date, who can request a change and who must approve a change.
  • In this example, a user's manager and anyone in HR can see/edit this date, but the user cannot. If the manager requests a change, HR must approve it. Conversely, if HR requests a change, the manager will be asked to approve it.
  • Once the request is approved and stored in the user's profile, other processes take care of the deactivation process. The workflow component is simply for setting this date.

Authorize scheduled termination

Content:

  • Approval of a change to a user's scheduled termination date is handled by an HR user.
  • In this example, three HR users were invited but any one of them can do the job -- increasing process reliability and shortening time to completion.

Key concepts:

  • Who is invited to approve a change is determined by policy.
  • Policy is based on relationships between requester, recipient and authorizer.
  • A random subset of users (e.g., members of an HR group) can be chosen.
  • A further subset of invited users may be sufficient to approve.
  • Invitations go out via e-mail, with responses via authenticated, secure, encrypted web form.
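The access-control and approval-routing rules from the "Scheduled termination" and "Authorize scheduled termination" key concepts, as an added Python example. It is not Hitachi ID's workflow component: the org data (who manages whom, the HR group), the invite size, and the request object are constructed assumptions. It models the termination date as a profile attribute that the user cannot edit, routes a manager's request to a random subset of HR (any one invitee suffices) and an HR request back to the manager, and only writes the date into the profile once the required approvals are in, leaving the actual deactivation to the batch job.

```python
import random

# Constructed org data (assumptions): who manages whom, and the HR group whose
# members may see, edit and approve scheduled termination dates.
MANAGER_OF = {"jdoe": "mboss", "asmith": "mboss"}
HR_GROUP = {"hr1", "hr2", "hr3", "hr4", "hr5"}


def relationship(actor, recipient):
    """Relationship of the acting user to the user whose profile is touched."""
    if actor == MANAGER_OF.get(recipient):
        return "manager"
    if actor in HR_GROUP:
        return "hr"
    return "self" if actor == recipient else "none"


def can_edit_termination_date(actor, recipient):
    """The manager and anyone in HR can see/edit the date; the user cannot."""
    return relationship(actor, recipient) in ("manager", "hr")


def select_authorizers(requester, recipient, invite=3, rng=random):
    """Route approval by relationship: a manager's request goes to HR, an HR
    request goes to the manager. From a group, a random subset is invited and
    any one of the invitees is sufficient (required=1)."""
    rel = relationship(requester, recipient)
    if rel == "manager":
        pool = sorted(HR_GROUP)
        invited = sorted(rng.sample(pool, min(invite, len(pool))))
        return {"invited": invited, "required": 1}
    if rel == "hr":
        return {"invited": [MANAGER_OF[recipient]], "required": 1}
    raise PermissionError(f"{requester} may not change {recipient}'s termination date")


class TerminationDateRequest:
    """A workflow request whose only job is to set the date; the scheduled
    deactivation job acts on the stored profile value later."""

    def __init__(self, requester, recipient, new_date, rng=random):
        if not can_edit_termination_date(requester, recipient):
            raise PermissionError(f"{requester} may not change {recipient}'s termination date")
        self.requester, self.recipient, self.new_date = requester, recipient, new_date
        self.policy = select_authorizers(requester, recipient, rng=rng)
        self.approvals = set()

    def approve(self, approver):
        """Record one authorizer's response; only invitees count."""
        if approver not in self.policy["invited"]:
            raise PermissionError(f"{approver} was not invited to approve this request")
        self.approvals.add(approver)
        return self.is_approved()

    def is_approved(self):
        return len(self.approvals) >= self.policy["required"]

    def commit(self, profiles):
        """Store the date in the profile once enough approvals are in."""
        if not self.is_approved():
            return False
        profiles.setdefault(self.recipient, {})["termination_date"] = self.new_date
        return True


if __name__ == "__main__":
    req = TerminationDateRequest("mboss", "jdoe", "2024-03-01")
    print("invited:", req.policy["invited"])
    req.approve(req.policy["invited"][0])
    store = {}
    print("committed:", req.commit(store), store)
```

Inviting several HR users but requiring only one response is what gives the process its reliability: an absent approver does not block the change. The `required` field is kept separate from `invited` so that a stricter policy (for example two of three) is a configuration change rather than a code change.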

Defer scheduled termination

Content:

  • After termination was scheduled, but before it was completed, it can still be deferred.
  • The manager of a user scheduled for deactivation is automatically invited to review and possibly defer the termination date.

Key concepts:

  • Batch processes send advance warnings of scheduled events like termination.
  • Users can follow an embedded link and make appropriate changes, if required.