Automated Connectors and Human Implementers - Hitachi ID Identity Manager
Hitachi ID Identity Manager can be integrated with existing systems and applications
using a rich set of over 120 included connectors.
This allows it to automatically provision, update and deprovision
access across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market
applications with Identity Manager by using the included flexible
connectors. Alternatively, the built-in "implementers" workflow
can be used to invite human administrators to make approved changes
to users and entitlements on those systems.
Connectors for Automated Fulfillment
There are over 120 connectors included with Hitachi ID Systems,
out of the box and at no extra charge. This includes:
- 63 executable programs that run on the Hitachi ID Systems server whose job
is to create, update and delete users and passwords on different
types of target systems and applications.
- 23 executable programs that run on the Hitachi ID Systems server whose job
is to create, update and close support incidents on help desk
- 23 executable programs that run on various types of Unix and Linux
systems, to implement local user/password/entitlement changes on
behalf of an Identity Manager server.
- A local connector that installs on z/OS mainframes and can manage
users/entitlements/passwords on 3 types of security databases.
Some of these connectors support multiple versions and types of systems.
For example, the LDAP connector can manage users, passwords and entitlements
on any standards-compliant LDAP directory.
Some of these connectors are scriptable and are expressly designed to
integrate with new systems. For example, there is a SOAP agent and an
SSH agent, both designed for rapid integration with new applications
Built-in Process to Invite Human System Administrators
Identity Manager supports the notion of an "implementer-style" target
system, where a human system administrator is asked to create, modify
or delete a user object on the target system, in place of an automated
Identity Manager connector.
Implementer-style target systems are useful in two main circumstances:
- A custom or vertical-market target system has either a very small
or very static user population. In these cases, the level of
effort required to deploy automated integration to manage users
on the target system (typically on the order of several days)
is not warranted given the small pay-back.
- There are many target systems (hundreds or thousands) in scope for
the project and it is desirable to give users a "one stop shop"
experience for security change requests, using Identity Manager, at the
start of deployment. This is preferable to asking users to refer
to different request systems depending on what kind of access
Individual target systems or applications may also be configured
in a hybrid mode. For example, a CSV file might be used to
enumerate users, groups and/or group memberships but a human
implementer may be invited to make updates manually.
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RAC/F and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stake-holders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors and a built-in process to invite system administrators support rapid deployment of the solution to all systems and applications.