All data in Hitachi ID Identity Manager is in a normalized, relational database schema
and can be accessed using standard analytical tools (Crystal Reports,
Cognos, MS-Excel, SQL queries, etc.).
The schema is well documented and is available to all product licensees
and evaluators under NDA. The current release schema documentation
is about 127 pages long and includes detailed
descriptions of every field, table, relation, value constraint, etc.
Hitachi ID Systems customers can add custom reports directly to the Identity Manager web UI,
so that they can be run interactively, scheduled, have output
delivered via e-mail, etc. These reports are written using short
Python scripts that mostly contain a SQL SELECT statement which
interacts with the Identity Manager back-end database, but can also
pull data from other sources (e.g., web services, other SQL databases,
LDAP directories, etc.).
Identity Manager includes many built-in reports, which can be run
interactively from the web portal or scheduled to run automatically
(and periodically if so desired). Report output is HTML or CSV and
can be delivered to the same web portal or via e-mail or filesystem.
Built-in reports cover:
- Identities -- users, accounts, attributes, orphan/dormant accounts, etc.
- Entitlements -- roles, groups, accounts, etc.
- History -- by user, role, group, etc.
- Workflow -- activity in the queue, historical trends, request popularity, etc.
- Role analytics -- users sharing entitlements, SoD violations and more.
- Configuration data -- roles, groups, etc.
- System data and troubleshooting -- event logs, unsatisfiable
requests, entitlements with no/invalid owners, etc.
The same data is accessible to 3rd party reporting tools.
Reports -- users and accounts
- List of users, with and without identity attributes.
- List of accounts on a given system.
- The simplest reports in any IAM system are lists of users
- Built-in Identity Manager reports can enumerate users, attributes,
accounts, group memberships, roles and more.
Reports -- orphan and dormant accounts
- Shows accounts with no known owner.
- Built-in reports make it easy to find orphan and dormant
- Orphan users are user profiles with no login accounts.
- Orphan accounts have no known owner.
- Dormant accounts have had no recent login activity.
- Dormant profiles have all-dormant accounts.
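The four categories above, expressed as SQL SELECT statements run from a short Python script. This is an added example, not Hitachi ID code: the profile/account tables, the sample rows and the 90-day dormancy threshold are assumptions made for illustration and do not reflect the product's schema.

```python
import sqlite3
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90  # assumed threshold; the page only says "no recent login activity"

def build_sample_db():
    """Constructed inventory in a hypothetical schema (not the product's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profile (profile_id TEXT PRIMARY KEY);
        CREATE TABLE account (system TEXT, login TEXT, owner_id TEXT, last_login TEXT);
    """)
    db.executemany("INSERT INTO profile VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    db.executemany("INSERT INTO account VALUES (?,?,?,?)", [
        ("AD",   "alice",   "alice", "2024-05-28"),
        ("SAP",  "ALICE1",  "alice", "2023-01-10"),
        ("AD",   "bob",     "bob",   "2023-11-02"),
        ("Unix", "bob",     "bob",   None),          # never logged in
        ("Unix", "svc_old", None,    "2022-07-19"),  # no known owner
    ])
    return db

def classify(db, today):
    """Return orphan/dormant findings as sorted lists of row tuples."""
    cutoff = (today - timedelta(days=DORMANT_AFTER_DAYS)).isoformat()
    # Assumption: an account that has never logged in counts as dormant.
    dormant = "(last_login IS NULL OR last_login < ?)"

    def q(sql, *args):
        return sorted(db.execute(sql, args).fetchall())

    return {
        # Profiles with no login accounts attached.
        "orphan_users": q("SELECT profile_id FROM profile p WHERE NOT EXISTS "
                          "(SELECT 1 FROM account a WHERE a.owner_id = p.profile_id)"),
        # Accounts with no known owner.
        "orphan_accounts": q("SELECT system, login FROM account WHERE owner_id IS NULL"),
        # Accounts with no login on or after the cutoff date.
        "dormant_accounts": q(f"SELECT system, login FROM account WHERE {dormant}", cutoff),
        # Profiles whose accounts are all dormant (zero non-dormant accounts).
        "dormant_profiles": q("SELECT owner_id FROM account WHERE owner_id IS NOT NULL "
                              f"GROUP BY owner_id HAVING SUM(NOT {dormant}) = 0", cutoff),
    }

if __name__ == "__main__":
    for name, rows in classify(build_sample_db(), date(2024, 6, 1)).items():
        print(name, rows)
```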
Reports -- violations of segregation of duties rules
- Finds users who violate any segregation of duties (SoD) rule.
- Finds users whose violation of an SoD rule has been
- SoD reports are a detective control -- i.e., they find
- There is also a preventive control, embedded in the change
- SoD violations may be approved, for example if they are
a legitimate situation that the policy did not take into
Reports -- detailed change history
- Displays all changes made to users, accounts and groups as a
result of workflow requests.
- Change requests are retained indefinitely.
- Details including what changed, who requested the change and
who authorized it are accessible via built-in reports.
- Changes detected on target systems (i.e., not initiated by
Identity Manager) are also available.
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RAC/F and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stake-holders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors and a built-in process to invite system administrators support rapid deployment of the solution to all systems and applications.