Hitachi ID Identity Manager Features
Hitachi ID Identity Manager enables organizations to more securely and cost-effectively onboard users, manage their identity information and security entitlements, and deactivate their access.
Identity Manager enables automated, self-service and policy-driven management of users and entitlements with:
- Auto-provisioning and auto-deactivation:
Identity Manager can monitor one or more systems of record (typically HR applications) and detect changes, such as new hires and terminations. It can make matching updates to other systems when it detects changes, such as creating login accounts for new employees and deactivating access for departed staff.
- Identity synchronization:
Identity Manager can combine identity information from different sources (HR, corporate directory, e-mail system and more) into a master profile that captures all of the key information about every user in an organization. It can then write updates back to integrated systems to ensure that identity attributes are consistent. This feature is used to automatically propagate updates to data such as names, phone numbers and addresses from one system to another.
- Self-service updates:
Users can sign into the Identity Manager web portal and make updates to their own profiles. This includes changes to their contact information and requests for new access to applications, shares, folders, etc.
- Delegated administration:
Business stakeholders, such as managers, application owners and data owners, can sign into the Identity Manager web portal and request changes to security entitlements. For example, a manager might ask for application access for an employee or schedule deactivation of a contractor's profile.
- Access certification:
Business stakeholders may be periodically invited to review the users and security entitlements within their scope of authority. They must then either certify that each user or entitlement remains appropriate or flag it for removal. Access certification is an effective strategy for removing security entitlements that are no longer needed.
- Authorization workflow:
All change requests processed by Identity Manager may be subject to an authorization process before being completed, regardless of whether they originated with the auto-provisioning engine, the identity synchronization engine, self-service profile updates or the delegated administration module. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
- Policy enforcement:
Identity Manager can be used to enforce a variety of policies regarding the assignment of security entitlements to users, including:
- Role-based access control, where security entitlements are grouped into roles, which can be assigned to users.
- Segregation of duties, which defines mutually exclusive sets of security entitlements.
- Template accounts, which define how new users are to be provisioned.
- Rules for the composition of new IDs, such as login IDs, e-mail addresses, OU directory contexts and more.
Identity Manager includes a rich set of built-in reports, designed to answer a variety of questions, such as:
- What users have entitlement X?
- What entitlements does user Y have?
- Who authorized entitlement Z for user W?
- When did user A acquire entitlement B?
- Who requested and who authorized entitlement B for user A?
- What accounts have no known owner (orphaned)?
- What users have no accounts (empty profiles)?
- What accounts have no recent login activity (dormant)?
- What users have no active accounts (dormant)?
- Automated connectors and human implementers:
Identity Manager can be integrated with existing systems and applications using a rich set of over 120 included connectors. This allows it to automatically provision, update and deprovision access across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternatively, the built-in "implementers" workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems.
- Unified management of logical access and physical assets:
Identity Manager includes an inventory tracking system, making it suitable for managing requests for physical assets as well as logical access. For example, types and inventories of building access badges, laptops, phones and other devices can be tracked, requested, authorized and delivered using Identity Manager.