
Standardizing User Entitlements - Hitachi ID Identity Manager

Hitachi ID Identity Manager can be used to enforce a variety of security standards when creating new user accounts or managing privileges and identity information for existing users:

  • Assigning unique login IDs

    The most basic task that Identity Manager must complete when creating a new user profile is to assign that user a new, globally-unique login ID.

    Identity Manager can implement any login ID naming convention and comes with a built-in mechanism to detect and avoid name collisions. Every new user gets a new, globally-unique login ID that meets corporate standards and that is not in current use on any system.

    Standardized login IDs have several benefits. Usability: a user only has to remember a single login ID. Support: IT staff can quickly look up a user's profile. Security: log entries from different systems can be correlated to one person because the same ID appears on each of them. That correlation only holds if a retired login ID is never reassigned to a different person, so the collision check should cover previously used IDs as well as current ones.

  • New account configuration standards

    Identity Manager normally creates new login accounts by cloning existing accounts on target systems that have been created specifically to act as templates. Platform administrators get to use their familiar tools to create and manage templates, and Identity Manager leverages the detailed configuration (attributes, group memberships, home directories, paths, etc.) of template accounts to ensure that all new accounts are created in compliance with corporate standards. Template accounts should themselves be disabled or otherwise unable to log in, since they are a standing, well-known account on every target system.

    Using templates makes it easy for organizations to enforce security standards without having to invest significant effort in managing Identity Manager itself.

    Identity Manager adjusts newly created accounts by setting additional attributes and group memberships. These modifications may be derived from user input, data from systems of record, business rules or a combination of all three. Control over how and when attributes are set to differentiate new accounts from templates gives organizations further control over the setup of new accounts.

  • System dependencies and order of events

    Identity Manager is configured with dependencies between systems and account types. For example, technical requirements stipulate that a new user be set up with an account on Active Directory before an Exchange mailbox can be set up. In a similar way, business requirements may require that all new users get an ACF2 mainframe account before being provisioned with access to any other systems.

    Dependencies ensure that system access is always provisioned in a consistent, repeatable sequence, and that a request for a downstream resource (such as a mailbox) pulls in its prerequisites rather than failing.

  • Ensuring change authorization

    Changes to user profiles, either centrally on the Identity Manager server or on individual target systems, are subject to approvals by system or application owners, as well as by appropriate managers who have a relationship with a change's requester or recipient.

    Unlike manual processes, Identity Manager change authorization is mandatory and auditable.
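The login ID assignment described under "Assigning unique login IDs" above, as an added example (not Identity Manager's own code). It assumes a naming rule of first initial plus surname, an 8-character limit taken from the strictest target, and constructed namespaces of IDs already in use on three systems. The collision check is case-insensitive, because some targets (ACF2 here) upper-case IDs, and it also refuses reserved IDs and previously retired IDs so that an old ID is never handed to a new person.

```python
import re
import unicodedata

# Constructed sample namespaces: login IDs already in use on each target system.
# Assumed data for this example, not taken from any real directory.
EXISTING_IDS = {
    "active_directory": {"jsmith", "jsmith2", "mgarcia", "svc_backup"},
    "acf2": {"JSMITH", "RWANG"},          # ACF2 stores IDs in upper case
    "linux": {"jsmith", "root", "mgarcia3"},
}

# IDs used in the past and since retired. They are never recycled, so that old
# log entries keep pointing at the same person (assumption for this example).
RETIRED_IDS = {"jsmith3"}

# Well-known names that must never be issued to a person.
RESERVED_IDS = {"root", "admin", "administrator", "guest"}

MAX_LEN = 8  # assumed strictest target limit (mainframe-style 8-character IDs)


def normalize(part: str) -> str:
    """Fold accents to ASCII, lower-case, and drop anything that is not a-z."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def in_use(candidate: str, namespaces) -> bool:
    """True if the candidate collides with any current, retired or reserved ID.

    Comparison is case-insensitive so 'rwang' collides with ACF2's 'RWANG'.
    """
    c = candidate.lower()
    if c in RESERVED_IDS or c in RETIRED_IDS:
        return True
    return any(c == existing.lower()
               for ids in namespaces.values() for existing in ids)


def generate_login_id(first: str, last: str, namespaces=EXISTING_IDS) -> str:
    """Naming rule: first initial + surname, truncated to MAX_LEN.

    On collision a numeric suffix is appended, and the base is shortened so the
    total stays within MAX_LEN on every target.
    """
    base = normalize(first)[:1] + normalize(last)
    if not base:
        raise ValueError("name yields no usable characters for a login ID")
    base = base[:MAX_LEN]
    if not in_use(base, namespaces):
        return base
    for n in range(2, 10000):
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if not in_use(candidate, namespaces):
            return candidate
    raise RuntimeError(f"login ID namespace exhausted for base {base!r}")


if __name__ == "__main__":
    for first, last in [("John", "Smith"), ("María", "García"),
                        ("Rui", "Wang"), ("Anne", "Vanderbeekhoven")]:
        print(first, last, "->", generate_login_id(first, last))
```

In a real deployment the namespaces would be read from each connected system rather than from a literal, and the retired-ID set would come from the identity manager's own history; the point the example makes is that the uniqueness check must span every target, ignore case, and include IDs that are no longer active.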
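The "System dependencies and order of events" item above describes provisioning targets in a fixed prerequisite order. As an added example (not Identity Manager's own code), the function below takes a constructed set of dependency rules, including the two from the text (an Active Directory account before an Exchange mailbox, and an ACF2 account before anything else), expands a request to include any prerequisites that were not explicitly asked for, and returns a deterministic creation order. It refuses unknown targets and dependency cycles instead of provisioning a partial, inconsistent set. The target names and rules are assumptions for the example.

```python
from collections import defaultdict

# Constructed dependency rules (assumed for this example): each target maps to
# the set of targets whose accounts must exist before it can be provisioned.
DEPENDENCIES = {
    "acf2": set(),                              # business rule: mainframe account first
    "active_directory": {"acf2"},
    "exchange": {"active_directory"},           # technical rule: mailbox needs AD account
    "linux": {"acf2"},
    "sharepoint": {"active_directory", "exchange"},
}


def provisioning_order(requested, dependencies=DEPENDENCIES):
    """Return the order in which to create accounts for the requested targets.

    Prerequisites that were not requested are pulled in automatically, so a
    request for just 'exchange' yields acf2 -> active_directory -> exchange.
    Ties are broken alphabetically so the sequence is repeatable. Raises
    KeyError for a target with no rule and ValueError for a dependency cycle.
    """
    # Expand the request to its transitive closure of prerequisites.
    needed = set()
    stack = list(requested)
    while stack:
        target = stack.pop()
        if target in needed:
            continue
        if target not in dependencies:
            raise KeyError(f"no dependency rule for target {target!r}")
        needed.add(target)
        stack.extend(dependencies[target])

    # Kahn's algorithm: repeatedly emit targets whose prerequisites are all done.
    remaining = {t: len(dependencies[t]) for t in needed}
    dependents = defaultdict(set)
    for target in needed:
        for prerequisite in dependencies[target]:
            dependents[prerequisite].add(target)

    ready = sorted(t for t in needed if remaining[t] == 0)
    order = []
    while ready:
        target = ready.pop(0)
        order.append(target)
        for dependent in dependents[target]:
            remaining[dependent] -= 1
            if remaining[dependent] == 0:
                ready.append(dependent)
        ready.sort()

    if len(order) != len(needed):
        # Anything still waiting on a prerequisite is part of (or behind) a cycle.
        stuck = sorted(t for t in needed if remaining[t] > 0)
        raise ValueError(f"dependency cycle among targets {stuck}")
    return order


if __name__ == "__main__":
    print(provisioning_order(["exchange"]))
    print(provisioning_order(["sharepoint", "linux"]))
```

Because every prerequisite is created before its dependents, a failure partway through leaves a prefix of the sequence provisioned rather than an arbitrary subset, which makes retry and rollback straightforward.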

Read More:

  • Secure User Administration:
    Changing business processes and infrastructure to secure user administration.
  • Locking Down Identity Manager:
    Protecting the Identity Manager server, its data and its communications against attack.
  • Finding and Deactivating Orphan Accounts:
    Using Identity Manager to find and deactivate dormant and orphan login accounts.
  • User Access Deactivation:
    Prompt and reliable termination of user access is essential to internal controls over enterprise IT infrastructure.
  • Access Change Authorization:
    Use Identity Manager to enforce robust processes to authorize changes to user access rights.
  • Enforcing Security Standards:
    Standards are an important way to ensure that users get just the entitlements they need, and no more. Naming standards are also important, as they help in the implementation of accountability measures, such as connecting security events on different systems back to individual users.
  • Global Access Reporting:
    One of the key requirements for secure identity management and access governance is the ability to find out who has access to which systems and data. This capability must span systems and platforms -- hence global access reporting.
  • Segregation of Duties Policy Enforcement:
    Detecting users whose already-assigned security entitlements violate policy and preventing users from acquiring new entitlements that would violate segregation of duties rules.
  • Entitlement and Request History:
    Hitachi ID Identity and Access Management Suite retains a history of all change requests – including requester, recipient, authorizers, times and dates, operations, attributes, entitlements and either connector results or implementer feedback.