Standardizing User Entitlements - Hitachi ID Identity Manager
Hitachi ID Identity Manager can be used to enforce a variety of security standards when creating new user accounts or managing privileges and identity information for existing users:
- Assigning unique login IDs
The most basic task that Identity Manager must complete when creating a new user profile is to assign that user a new, globally-unique login ID.
Identity Manager can implement any login ID naming system and comes with a built-in system to detect and avoid name collision. Every new user gets a new, globally-unique login ID that meets corporate standards and that is not in current use on any system.
Standard login IDs have many benefits: usability, since a user only has to remember a single login ID; support, since IT staff can quickly look up a user's profile; and security, since log entries on different systems can be easily correlated.
- New account configuration standards
Identity Manager normally creates new login accounts by cloning existing accounts on target systems that have been created specifically to act as templates. Platform administrators get to use their familiar tools to create and manage templates, and Identity Manager leverages the detailed configuration (attributes, group memberships, home directories, paths, etc.) of template accounts to ensure that all new accounts are created in compliance with corporate standards.
Using templates makes it easy for organizations to enforce security standards without having to invest significant effort in managing Identity Manager itself.
Identity Manager adjusts newly created accounts by setting additional attributes and group memberships. These modifications may be derived from user input, data from systems of record, business rules or a combination of all three. Control over how and when attributes are set to differentiate new accounts from templates allows organizations to further control the setup of new accounts.
- System dependencies and order of events
Identity Manager is configured with dependencies between systems and account types. For example, technical requirements stipulate that a new user be set up with an account on Active Directory before an Exchange mailbox can be set up. In a similar way, business requirements may require that all new users get an ACF2 mainframe account before being provisioned with access to any other systems.
Dependencies ensure that system access is always provisioned in a consistent, repeatable sequence.
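The two mechanisms described above, a login ID naming rule with cross-system collision detection and dependency-ordered provisioning, can be illustrated together. The following is an added example and not Hitachi ID's code; the naming rule (first initial plus surname, numeric suffix on collision), the sample ID lists and the dependency table are assumptions constructed for the example.

```python
from itertools import count
import re

# Constructed sample: login IDs already in use on each target system.
EXISTING_IDS = {
    "ActiveDirectory": {"jsmith", "jsmith2", "adoe"},
    "Exchange": {"jsmith"},
    "ACF2": {"JSMITH", "BLEE"},
}

# Assumed naming rule (not Hitachi ID's): first initial + surname, lower-case
# ASCII letters only, at most 8 characters, numeric suffix appended on collision.
def candidate_ids(first, last):
    base = re.sub(r"[^a-z]", "", (first[:1] + last).lower())[:8] or "user"
    yield base
    for n in count(2):
        suffix = str(n)
        yield base[:8 - len(suffix)] + suffix

def assign_login_id(first, last, existing=EXISTING_IDS):
    # Compare case-insensitively so the ID is unique across every system,
    # including case-insensitive platforms such as the mainframe.
    taken = {uid.lower() for ids in existing.values() for uid in ids}
    for cand in candidate_ids(first, last):
        if cand not in taken:
            return cand

# Constructed dependency table: each system lists the systems that must be
# provisioned first (Exchange needs an AD account; ACF2 precedes everything else).
DEPENDENCIES = {
    "ACF2": set(),
    "ActiveDirectory": {"ACF2"},
    "Exchange": {"ActiveDirectory", "ACF2"},
}

def provisioning_order(deps=DEPENDENCIES):
    # Kahn's algorithm: emit a system only once all of its prerequisites are
    # done; a cycle means the configuration can never be satisfied, so fail loudly.
    remaining = {s: set(d) for s, d in deps.items()}
    order = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        for s in ready:
            order.append(s)
            del remaining[s]
        for d in remaining.values():
            d.difference_update(ready)
    return order

if __name__ == "__main__":
    print(assign_login_id("John", "Smith"), provisioning_order())
```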
- Ensuring change authorization
Changes to user profiles, either centrally on the Identity Manager server or on individual target systems, are subject to approvals by system or application owners, as well as by appropriate managers who have a relationship with a change's requester or recipient.
Unlike manual processes, Identity Manager change authorization is mandatory and auditable.