Automated Connectors and Human Implementers
Hitachi ID Identity Manager can be integrated with existing systems and applications
using a rich set of over 120 included connectors.
This allows it to automatically provision, update and deprovision
access across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market
applications with Identity Manager by using the included flexible
connectors. Alternatively, the built-in "implementers" workflow
can be used to invite human administrators to make approved changes
to users and entitlements on those systems.
Connectors for Automated Fulfillment
There are over 120 connectors included with Hitachi ID Systems,
out of the box and at no extra charge. This includes:
- 63 executable programs that run on the Hitachi ID Systems server whose job
is to create, update and delete users and passwords on different
types of target systems and applications.
- 23 executable programs that run on the Hitachi ID Systems server whose job
is to create, update and close support incidents on help desk
- 23 executable programs that run on various types of Unix and Linux
systems, to implement local user/password/entitlement changes on
behalf of an Identity Manager server.
- A local connector that installs on z/OS mainframes and can manage
users/entitlements/passwords on 3 types of security databases.
Some of these connectors support multiple versions and types of systems.
For example, the LDAP connector can manage users, passwords and entitlements
on any standards-compliant LDAP directory.
Some of these connectors are scriptable and are expressly designed to
integrate with new systems. For example, there is a SOAP agent and an
SSH agent, both designed for rapid integration with new applications
Built-in Process to Invite Human System Administrators
Identity Manager supports the notion of an "implementer-style" target
system, where a human system administrator is asked to create, modify
or delete a user object on the target system, in place of an automated
Identity Manager connector.
Implementer-style target systems are useful in two main circumstances:
- A custom or vertical-market target application has either a
small or static population of users. The level of
effort required to deploy automated integration to manage identities,
entitlements or credentials (typically on the
order of several days) is uneconomical.
- It is desirable to publish all applications in Identity Manager, but
there has not yet been time to integrate with all of them.
Initially, changes on some applications will be handled manually,
but over time more connectors will be deployed to expand automation.
Applications may also be configured in a hybrid mode, where some
operations are automated using a connector but other operations are sent
to human implementers to complete. For example, a CSV file might be
used to enumerate users, groups and/or group memberships but a human
implementer may be invited to complete changes manually.
- Access Governance:
Assigning appropriate initial security entitlements, monitoring and controlling the security rights of users and prompt/reliable access deactivation using Hitachi ID Identity Manager access governance.
- Automated User Provisioning and Deactivation:
Automated propagation of changes to user profiles from systems of record (such as HR) to target systems (such as Active Directory, Exchange, RAC/F and more).
- Identity Synchronization:
Synchronizing identity attributes such as names, department codes and phone numbers between multiple systems and applications.
- Self-service Profile Updates and Access Requests:
A self-service portal allows users to update their profiles and request access to applications and resources.
- Delegated Security Administration:
Enabling business stakeholders such as managers and application owners to manage users and entitlements directly, without involving IT.
- Access Certification:
Periodically inviting managers and application owners to review lists of users and security entitlements, either certifying them as still-appropriate or asking that they be removed.
- Access Request Portal:
A web portal where users can submit change requests on behalf of themselves or others.
- Authorization Workflow:
All change requests, regardless of where they originated, may be subject to approvals before being implemented.
- Role-based Access Control:
Assigning security entitlements to users indirectly, through roles, can reduce the cost of ongoing administration and simplify the change management user interface.
- Standardizing User Entitlements:
Ensuring that new users and newly created accounts are configured in compliance with corporate standards.
- Self-service management of security group membership:
Self-service management of thousands of AD groups using the built-in component Group Manager.
- Delegated construction and maintenance of Orgchart data:
Self-service construction and maintenance of OrgChart data using the built-in component Org Manager.
- Report on Users and Entitlements:
Organizations can run reports to list users, entitlements, change history and more across every application.
- Automated Connectors and Human Implementers:
A rich set of connectors and a built-in process to invite system administrators support rapid deployment of the solution to all systems and applications.