Rapid User Provisioning
Several processes are available for rapid provisioning of systems access to new users. Choice of the appropriate process depends on business requirements and preferences:
- HR-initiated user provisioning
In organizations where new employee data is updated promptly, reliably and with sufficient detail by human resources, Hitachi ID Identity Manager can periodically detect changes and create suitable systems access for new users automatically.
To implement automatic user provisioning, the ID-Track change propagation engine in Identity Manager is configured to periodically poll the HR system for new users and automatically create accounts for them based on business logic that is programmed into Identity Manager.
For example, all new employees might get basic network access -- a network operating system account, an e-mail address and mailbox, a home directory on a file server at their location and an account on the Internet proxy firewall. Users in specific departments, roles or locations may get additional systems access and privileges.
The scope of automatic user administration depends primarily on the quality and granularity of data available on the system of record, which is typically an HR application, payroll system or contractor management system.
Physical assets, such as building access badges and hardware authentication tokens, and infrastructure changes, such as activation of telephone lines and network jacks, can also be integrated into the automated process.
- Manager-initiated user provisioning
Often, data in a system of record (such as HR) is either not available for a new user or is not sufficiently detailed or timely. One example of this is contractors, who are frequently not tracked in any global database and are out of scope for an HR system. Another example is new employees in an organization where HR only creates new user records in time for payroll runs, rather than on the start date. A final example is users who require access to vertical applications, locally in their department, where this access cannot be predicted based on (coarse-grained) information in the HR system.
In these situations, the process that leads to user provisioning must start outside of the HR department. Most commonly, the new employee or contractor's manager will submit a change request, which must be validated, routed to appropriate managers and system owners for authorization, approved and finally implemented.
Identity Manager supports manager-initiated user provisioning with its built-in workflow engine. Managers sign into the Identity Manager web portal, initiate a change request, fill in the blanks to describe the new user and select roles, systems and entitlements that the user will need access to.
Change requests are validated by Identity Manager and the manager may be required to make corrections. Completed requests are automatically routed to the appropriate authorizers (using business logic programmed into Identity Manager) and await approval. Once a change is approved, Identity Manager applies it to target systems by creating accounts, allocating badges or tokens, enabling phone lines, etc. This process shortens the time between a user's start date and working access, which decreases employee down-time and therefore increases productivity.
- Security-initiated user provisioning
Where an existing change management process continues to be used, or where a user requires access urgently -- sooner than HR can make an update and sooner than the workflow system could authorize the change -- security administrators can be called into action.
A security administrator signs into the Identity Manager user management console and creates a user on multiple systems quickly, by providing user profile information (name, SSN, EID, etc.) and selecting suitable roles, systems and entitlements.
Users created through the Identity Manager user management console are created on target systems immediately.
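The HR-initiated process described above (periodically poll the system of record, detect users not yet provisioned, and derive their access from baseline and department rules) is sketched below as an added example; it is not Identity Manager or ID-Track code, and the HR feed, department rules and file-server names are constructed placeholders. It also shows the check a practitioner wants: incomplete HR records are held back for review rather than provisioned from guessed data, and a repeated poll is idempotent.

```python
# Constructed sample HR feed as returned by one poll (not real data).
HR_FEED = [
    {"eid": "E1001", "name": "A. Example", "dept": "Finance", "location": "Toronto"},
    {"eid": "E1002", "name": "B. Example", "dept": "Engineering", "location": "Berlin"},
    {"eid": "E1003", "name": "", "dept": "HR", "location": "Berlin"},  # incomplete
    {"eid": "E0900", "name": "C. Example", "dept": "Sales", "location": "Toronto"},
]
# Users already created by an earlier polling cycle (constructed).
ALREADY_PROVISIONED = {"E0900"}

# Baseline access every new employee receives (mirrors the page's example).
BASELINE = ("nos_account", "mailbox", "home_dir", "proxy_account")
# Hypothetical business logic: extra entitlements keyed by department.
DEPT_RULES = {"Finance": ("erp_ledger_ro",), "Engineering": ("vcs", "build_servers")}
# Hypothetical mapping from office location to the file server hosting home directories.
HOME_SERVER = {"Toronto": "fs-tor-01", "Berlin": "fs-ber-01"}

REQUIRED_FIELDS = ("eid", "name", "dept", "location")


def detect_new_users(feed, provisioned):
    """Return HR records that are complete and not yet provisioned."""
    new = []
    for rec in feed:
        if rec["eid"] in provisioned:
            continue  # change detection: only act on users we have not seen
        if not all(rec.get(k) for k in REQUIRED_FIELDS):
            continue  # data-quality gate: hold incomplete records for review
        new.append(rec)
    return new


def plan_access(rec):
    """Map one HR record to the entitlements it should receive."""
    plan = {e: None for e in BASELINE}
    # Home directory lands on the file server for the user's location (None if unmapped).
    plan["home_dir"] = HOME_SERVER.get(rec["location"])
    for extra in DEPT_RULES.get(rec["dept"], ()):
        plan[extra] = None
    return plan


def run_poll(feed, provisioned):
    """One polling cycle: returns {eid: plan} for new users and the updated provisioned set."""
    plans = {rec["eid"]: plan_access(rec) for rec in detect_new_users(feed, provisioned)}
    return plans, provisioned | set(plans)
```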