Self-service management of security group membership
Hitachi ID Group Manager is a component of Hitachi ID Identity and Access Management Suite which is automatically enabled
for every Hitachi ID Identity Manager licensee.
Group Manager is a self-service group membership request portal. It allows
users to request access to resources such as shares and folders,
rather than initially specifying groups. Group Manager automatically
maps requests to the appropriate security groups and invites
group owners to approve or deny the proposed change.
Group Manager is available both as a stand-alone solution and as a
no-cost module included with Identity Manager.
Group Manager -- available both stand-alone or as a module included in Identity Manager
-- streamlines the process of managing security groups on Active
- A Windows shell extension:
A shell extension is included with Identity Manager which can be deployed
on Windows PCs. If installed, this component can intercept Windows
"access denied" error messages and present an expanded message which
allows users to open a web browser to the Identity Manager application,
where they can request membership in the appropriate AD group.
A similar mechanism is provided for SharePoint sites, but only requires
a few lines of ASP code on each SharePoint server.
- Share and folder browsing in a web portal:
Alternately, users can navigate directly to the Group Manager web portal,
which presents a view of shares and folders similar to Windows
Explorer. Users can select the share, folder or printer in
which they are interested and request membership in the appropriate
- A UI that guides users to appropriate groups:
When users select a network resource, Group Manager presents
- Groups that have access rights to that resource, with a clear
indication as to who owns each group and what access rights the
- Nested groups, that the user might with to join instead.
- Nested resources (folders) that the user may wish to access instead.
With these options, Group Manager guides users to a selection of the
appropriate resource and group.
- Authorization workflow:
All change requests processed by Group Manager are subject to
an authorization process before being completed. By default,
group owners are invited to approve all changes, but this routing
can be replaced or augmented as required.
The Identity Manager workflow engine is designed to get quick and reliable
feedback from groups of business users, who may be individually
unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable
to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively
escalating requests if an OOO message has been set.
- Allowing authorizers to approve or reject requests from their
mobile phone (from any location, at any time, without a VPN).
Group Manager includes a rich set of built-in reports, designed to
answer a variety of questions, such as:
- What users are members of group X?
- What group memberships does user Y have?
- Who authorized membership in group Z for user W?
- When did user A gain membership in group B?
- Who requested and who authorized group B for user A?
Group Manager improves security by ensuring that changes to
membership in security groups are properly authorized before
Group Manager reduces the cost of IT support by moving requests
and authorization for changes to group membership out of IT,
to the community of business users.
Group Manager streamlines service delivery regarding the management
of membership in security groups by making it easier for users to
submit clear and appropriate change requests and automatically routing
those requests to the right authorizers. This makes the request
process painless and the approvals process fast.
Watch a Movie
Windows “Access Denied” dialog leading to group membership request
- A user is guided through the access request process.
- The video starts with the user encountering a
Windows "Access Denied" error dialog.
- The user is guided to a request to for membership in the
appropriate Active Directory security group.
- Users frequently need access to new shares, folders, etc. but
they don't understand access control lists (ACLs) or security
- To attain high user adoption for self-service security
entitlement management, it is important to implement a system
which allows for this gap in users' knowledge.
Authorization of a request for security group membership
- A request for group membership is routed to the
group's owner for approval.
- The default authorizers for changes to membership in a group
are the group's owner(s) on Active Directory.
- Customer-specific business logic can route requests to
other or additional users for approval.
- Approval by N of M people, reminders, escalation and delegation
are all built-in.
Request approved, user can access the folder
- The user signs out, signs back in and can access the
folder which previously caused an "Access Denied" error.
- On Windows, changes to a user's group memberships only take
effect when the user signs into his PC.
- This means that after the user was added to the group in
question, he must sign off and sign back on before he can
access the protected share, folder, etc.
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RAC/F and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stake-holders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run report to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors and a built-in process to invite system administrators support rapid deployment of the solution to all systems and applications.