Report on Users and Entitlements - Hitachi ID Identity Manager
One of the key elements of both security management and
regulatory compliance is to periodically review who has
access to systems, to find exceptions, and to remove them.
Global access reporting includes finding and eliminating dormant and orphan accounts,
reviewing the access rights of current users to find entitlements
that are no longer required, and the ability to simply report on
"who has what."
Hitachi ID Identity Manager comes with built-in capabilities to meet these security reporting requirements.
Identity Manager provides over 150 built-in reports, including:
- Users: list selected users or those with specific attributes or
- Targets: list selected target systems or those accessible by some users.
- Orphans: list login IDs on target systems not attached to active
user profiles or with too-old last-login dates.
- Authorizers: list available authorizers and their attached resources.
- Roles: list roles and their component templates.
- Templates: list templates, their dependencies and role membership.
- Requests: list current and closed change requests in the system.
- Inventory: list physical objects under management and their locations.
In addition, Identity Manager has an open schema and data access layer, allowing
customers to develop their own security reports.
All data in Identity Manager is in a normalized, relational database schema
and can be accessed using standard analytical tools (Crystal Reports,
Cognos, MS-Excel, SQL queries, etc.).
The schema is well documented and is available to all product licensees
and evaluators under NDA. The current release schema documentation
is about 127 pages long, and includes detailed
descriptions of every field, table, relation, value constraint, etc.
Hitachi ID Systems customers can add custom reports directly to the Identity Manager web UI,
so that they can be run interactively, scheduled, and have their output
delivered via e-mail, etc. These reports are written as short
Python scripts that mostly consist of a SQL SELECT statement against
the Identity Manager back-end database, but they can also
pull data from other sources (e.g., web services, other SQL databases,
LDAP directories).
Identity Manager includes many built-in reports, which can be run
interactively from the web portal or scheduled to run automatically
(and periodically if so desired). Report output is HTML or CSV and
can be delivered to the same web portal or via e-mail or filesystem.
Built-in reports cover:
- Identities -- users, accounts, attributes, orphan/dormant accounts, etc.
- Entitlements -- roles, groups, accounts, etc.
- History -- by user, role, group, etc.
- Workflow -- activity in the queue, historical trends, request popularity, etc.
- Role analytics -- users sharing entitlements, SoD violations and more.
- Configuration data -- roles, groups, etc.
- System data and troubleshooting -- event logs, unsatisfiable
requests, entitlements with no/invalid owners, etc.
The same data is accessible to third-party reporting tools.
Users and accounts
- List of users, with and without identity attributes.
- List of accounts on a given system.
- The simplest reports in any IAM system are lists of users
- Built-in Identity Manager reports can enumerate users, attributes,
accounts, group memberships, roles and more.
Orphan and dormant accounts
- Shows accounts with no known owner.
- Built-in reports make it easy to find orphan and dormant
- Orphan users are user profiles with no login accounts.
- Orphan accounts have no known owner.
- Dormant accounts have had no recent login activity.
- Dormant profiles have all-dormant accounts.
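The four definitions above (orphan users, orphan accounts, dormant accounts, dormant profiles) can each be expressed as a single SQL SELECT, which is the shape a custom report script takes in this product. The following is an added example, not Identity Manager's own code or schema: the `profiles` and `accounts` tables, the sample rows and the 90-day dormancy threshold are constructed for illustration, and the real product schema (documented under NDA) will differ. The only assumption about the real schema is the one the text states: an account carries a target, a login ID, an optional owner and a last-login date.

```python
import csv
import io
import sqlite3
from datetime import date, timedelta

# Constructed, hypothetical schema for the example; NOT the Identity Manager schema.
SCHEMA = """
CREATE TABLE profiles (
    userid  TEXT PRIMARY KEY,
    status  TEXT NOT NULL          -- 'active' or 'terminated'
);
CREATE TABLE accounts (
    target     TEXT NOT NULL,      -- target system name
    loginid    TEXT NOT NULL,      -- login ID on that target
    userid     TEXT,               -- owning profile, NULL when no owner is known
    last_login TEXT,               -- ISO date of last login, NULL if never logged in
    PRIMARY KEY (target, loginid)
);
"""

# Constructed sample data.
SAMPLE_PROFILES = [
    ("alice", "active"),
    ("bob", "active"),
    ("carol", "active"),        # profile with no login accounts at all
    ("dave", "terminated"),
]
SAMPLE_ACCOUNTS = [
    ("AD",   "alice",   "alice", "2024-05-30"),
    ("AD",   "bob",     "bob",   "2023-11-02"),   # stale login
    ("UNIX", "bob",     "bob",   "2023-12-15"),   # stale login
    ("UNIX", "svc_old", None,    "2022-01-10"),   # no known owner
    ("AD",   "dave",    "dave",  "2024-01-05"),   # owner's profile is terminated
    ("SAP",  "alice",   "alice", None),           # never logged in
]


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO profiles VALUES (?, ?)", SAMPLE_PROFILES)
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return con


def orphan_users(con):
    """Orphan users: profiles with no login accounts on any target."""
    rows = con.execute(
        "SELECT p.userid FROM profiles p "
        "LEFT JOIN accounts a ON a.userid = p.userid "
        "WHERE a.loginid IS NULL ORDER BY p.userid")
    return [r[0] for r in rows]


def orphan_accounts(con):
    """Orphan accounts: login IDs not attached to an active user profile."""
    rows = con.execute(
        "SELECT a.target, a.loginid FROM accounts a "
        "LEFT JOIN profiles p ON p.userid = a.userid "
        "WHERE a.userid IS NULL OR p.userid IS NULL OR p.status <> 'active' "
        "ORDER BY a.target, a.loginid")
    return [tuple(r) for r in rows]


def dormant_accounts(con, as_of, max_age_days=90):
    """Dormant accounts: no login within max_age_days (never logged in counts as dormant)."""
    cutoff = (as_of - timedelta(days=max_age_days)).isoformat()  # ISO dates compare as text
    rows = con.execute(
        "SELECT target, loginid FROM accounts "
        "WHERE last_login IS NULL OR last_login < ? "
        "ORDER BY target, loginid", (cutoff,))
    return [tuple(r) for r in rows]


def dormant_profiles(con, as_of, max_age_days=90):
    """Dormant profiles: active profiles whose accounts are all dormant."""
    cutoff = (as_of - timedelta(days=max_age_days)).isoformat()
    rows = con.execute(
        "SELECT p.userid FROM profiles p "
        "JOIN accounts a ON a.userid = p.userid "
        "WHERE p.status = 'active' "
        "GROUP BY p.userid "
        "HAVING SUM(CASE WHEN a.last_login IS NULL OR a.last_login < ? THEN 0 ELSE 1 END) = 0 "
        "ORDER BY p.userid", (cutoff,))
    return [r[0] for r in rows]


def to_csv(header, rows):
    """Render report rows as CSV text, the delivery format mentioned above."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_db()
    today = date(2024, 6, 30)   # fixed reference date so the output is reproducible
    print(to_csv(["userid"], [(u,) for u in orphan_users(db)]))
    print(to_csv(["target", "loginid"], orphan_accounts(db)))
    print(to_csv(["target", "loginid"], dormant_accounts(db, today)))
    print(to_csv(["userid"], [(u,) for u in dormant_profiles(db, today)]))
```

Note that `orphan_accounts` deliberately treats an account owned by a terminated profile the same as one with no owner at all, matching the "not attached to active user profiles" wording of the built-in Orphans report; a review process that wants those two cases in separate queues can split the WHERE clause.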
Violations of segregation of duties rules
- Finds users who violate any segregation of duties (SoD) rule.
- Finds users whose violation of an SoD rule has been
- SoD reports are a detective control -- i.e., they find
- There is also a preventive control, embedded in the change
- SoD violations may be approved, for example if they are
a legitimate situation that the policy did not take into
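The passage distinguishes the detective report (users who already hold a conflicting pair of entitlements, with approved exceptions recorded against them) from the preventive check run inside the change-request process before a new entitlement is granted. The example below is added here and is not Identity Manager's own code: the `entitlements`, `sod_rules` and `sod_approvals` tables, the pairwise rule shape and the sample rows are constructed assumptions, and the product's real SoD model and schema will differ.

```python
import sqlite3
from datetime import date

# Constructed, hypothetical schema; NOT the Identity Manager schema.
SCHEMA = """
CREATE TABLE entitlements (
    userid      TEXT NOT NULL,
    entitlement TEXT NOT NULL,
    PRIMARY KEY (userid, entitlement)
);
CREATE TABLE sod_rules (         -- each rule forbids holding ent_a and ent_b together
    rule_id TEXT PRIMARY KEY,
    ent_a   TEXT NOT NULL,
    ent_b   TEXT NOT NULL
);
CREATE TABLE sod_approvals (     -- approved exceptions, with an expiry date
    userid  TEXT NOT NULL,
    rule_id TEXT NOT NULL,
    expires TEXT NOT NULL,       -- ISO date
    PRIMARY KEY (userid, rule_id)
);
"""

# Constructed sample data.
SAMPLE_ENTITLEMENTS = [
    ("alice", "AP_CREATE_VENDOR"), ("alice", "AP_PAY_INVOICE"),    # unapproved conflict
    ("bob", "DEV_DEPLOY_PROD"), ("bob", "DEV_APPROVE_CHANGE"),     # approved exception
    ("carol", "AP_CREATE_VENDOR"),                                  # one side only
]
SAMPLE_RULES = [
    ("R1", "AP_CREATE_VENDOR", "AP_PAY_INVOICE"),
    ("R2", "DEV_DEPLOY_PROD", "DEV_APPROVE_CHANGE"),
]
SAMPLE_APPROVALS = [("bob", "R2", "2024-12-31")]


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO entitlements VALUES (?, ?)", SAMPLE_ENTITLEMENTS)
    con.executemany("INSERT INTO sod_rules VALUES (?, ?, ?)", SAMPLE_RULES)
    con.executemany("INSERT INTO sod_approvals VALUES (?, ?, ?)", SAMPLE_APPROVALS)
    return con


def sod_violations(con, as_of):
    """Detective control: every (user, rule) pair currently violated,
    flagged True when an unexpired approval exists for it."""
    rows = con.execute(
        "SELECT e1.userid, r.rule_id, x.userid IS NOT NULL "
        "FROM sod_rules r "
        "JOIN entitlements e1 ON e1.entitlement = r.ent_a "
        "JOIN entitlements e2 ON e2.entitlement = r.ent_b AND e2.userid = e1.userid "
        "LEFT JOIN sod_approvals x ON x.userid = e1.userid "
        "    AND x.rule_id = r.rule_id AND x.expires >= ? "
        "ORDER BY e1.userid, r.rule_id", (as_of.isoformat(),))
    return [(u, rid, bool(approved)) for u, rid, approved in rows]


def check_request(con, userid, new_entitlement):
    """Preventive control: rules that granting new_entitlement to userid would
    violate, given what the user already holds. Empty list means the request is clean."""
    rows = con.execute(
        "SELECT DISTINCT r.rule_id FROM sod_rules r "
        "JOIN entitlements e ON e.userid = ? "
        "WHERE (r.ent_a = ? AND e.entitlement = r.ent_b) "
        "   OR (r.ent_b = ? AND e.entitlement = r.ent_a) "
        "ORDER BY r.rule_id", (userid, new_entitlement, new_entitlement))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    today = date(2024, 6, 30)
    for userid, rule_id, approved in sod_violations(db, today):
        print(f"{userid} violates {rule_id} ({'approved' if approved else 'UNAPPROVED'})")
    print("carol + AP_PAY_INVOICE would violate:", check_request(db, "carol", "AP_PAY_INVOICE"))
    print("carol + DEV_DEPLOY_PROD would violate:", check_request(db, "carol", "DEV_DEPLOY_PROD"))
```

The detective report keeps approved violations in its output rather than hiding them, so that expired or stale approvals still surface at the next review; the preventive check is the query a request workflow would run before routing the request to authorizers.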
Detailed change history
- Displays all changes made to users, accounts and groups as a
result of workflow requests.
- Change requests are retained indefinitely.
- Details including what changed, who requested the change and
who authorized it are accessible via built-in reports.
- Changes detected on target systems (i.e., not initiated by
Identity Manager) are also available.
- Secure User Administration:
Changing business processes and infrastructure to secure user administration.
- Locking Down Identity Manager:
Protecting the Identity Manager server, its data and its communications against attack.
- Finding and Deactivating Orphan Accounts:
Using Identity Manager to find and deactivate dormant and orphan login accounts.
- User Access Deactivation:
Prompt and reliable user access termination are essential to internal controls over enterprise IT infrastructure.
- Access Change Authorization:
Use Identity Manager to enforce robust processes to authorize changes to user access rights.
- Enforcing Security Standards:
Standards are an important way to ensure that users get just the entitlements they need, and no more. Naming standards are also important, as they help in the implementation of accountability measures, such as connecting security events on different systems back to individual users.
- Global Access Reporting:
One of the key requirements for secure identity management and access governance is the ability to find out who has access to what systems or data. This capability must span systems and platforms -- hence global access reporting.
- Segregation of Duties Policy Enforcement:
Detecting users whose already-assigned security entitlements violate policy and preventing users from acquiring new entitlements that would violate segregation of duties rules.
- Entitlement and Request History:
Hitachi ID Identity and Access Management Suite retains a history of all change requests – including requester, recipient, authorizers, times and dates, operations, attributes, entitlements and either connector results or implementer feedback.