Identity Synchronization - Hitachi ID Identity Manager
Hitachi ID Identity Manager can synchronize identity data between multiple applications, systems and applications:
The Hitachi ID Management Suite maintains identity attributes in three locations:
- In user profiles -- one set of profile attributes per user.
- In user objects (accounts) on each target systems -- one set of attributes per user account / record.
- Associated with a given change request, rather than with a user or account. Typically used to hold request meta data such as the reason for the change or its effective date.
User profile attributes are mapped to target attributes.
Attributes have types -- single-valued strings, multi-valued strings, time/date, integers, etc. They are subject to read and write access controls, which makes it possible for groups of attributes to be hidden or visible, readable and/or writable by different users.
Requests to change a user profile, which may originate with user input on a web form, with the API or with business logic that implements automated provisioning, are subject to authorization. Changes to a user profile attribute may trigger changes to one or more mapped attributes on target systems.
For example, a "Last name" field populated by a user can be mapped to the "sn" attribute in Active Directory and LDAP, as well as the "LastName" field in Lotus Notes, the "LASTNAME" attribute in SAP and attached to the "First name" field to form the "fullname" attribute on a Remedy system.
The result of attribute mapping and prioritization is consistent data across multiple systems.
Matching attributes from different target systems are prioritized on a per-attribute, per-system basis, where the highest priority attribute is used to set the value of the corresponding attribute in the user's profile within Identity Manager and from there is synchronized to other target systems.
A mechanism is provided to allow the Identity Manager user interface to temporarily override the priority of other systems. This allows users to make corrections using Identity Manager to data that would otherwise come from an "authoritative" system such as HR. When the authoritative system is changed again, it will override the value that was entered into Identity Manager. This approach avoids the outcome -- common with some identity management and access governance systems -- where the IAM system itself, over time, becomes authoritative for ever more user data.
The Identity Manager auto-discovery process periodically re-reads user profile data from every integrated system and application. This allows it to detect changes to user objects, identity attributes, group memberships, etc.
Identity Manager can be configured to leverage this data to propagate changes to identity attributes from one system to another. For example, a change in a user's phone number may be detected in an integrated HR system and, assuming the HR system is configured to be authoritative for phone numbers, will override the old phone number value in the user's profile. The change in the user's phone number in the identity cache will be passed through the Identity Manager workflow engine, where it may be subjected to validation and/or authorization before being committed.
Once a change has been committed to the user's consolidated profile, it may be propagated to other systems, again based on the configuration of attribute priority and the direction of data flow. For example, the new phone number in the example above may be automatically updated on the same user's e-mail account, in the user's object in a corporate directory and on the corporate ERP application. These updates are normally automatic.
Using this infrastructure, organizations can configure Identity Manager to detect, validate, authorize, consolidate and fan-out attribute information -- in effect synchronizing information about users across multiple applications, systems and directories.