Security Global Access Reporting

Report on Users and Entitlements - Hitachi ID Identity Manager

One of the key elements of both security management and regulatory compliance is to periodically review who has access to systems, to find exceptions, and to remove them.

Global access reporting includes finding and eliminating dormant and orphan accounts, reviewing the access rights of current users to find entitlements that are no longer required, and the ability to simply report on "who has what."

Hitachi ID Identity Manager comes with built-in capabilities to meet these security reporting requirements. Identity Manager provides over 100 built-in reports, including:

In addition, Identity Manager has an open schema and data access layer, allowing customers to develop their own security reports. All data in Identity Manager is stored in a normalized, relational database schema and can be accessed using standard analytical tools (Crystal Reports, Cognos, MS Excel, SQL queries, etc.).

The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.

Hitachi ID Systems customers can add custom reports directly to the Identity Manager web UI, so that they can be run interactively, scheduled, and have their output delivered via e-mail, etc. These reports are written as short Python scripts that mostly consist of a SQL SELECT statement against the Identity Manager back-end database, but they can also pull data from other sources (e.g., web services, other SQL databases, LDAP directories).

Identity Manager includes many built-in reports, which can be run interactively from the web portal or scheduled to run automatically (and periodically, if desired). Report output is HTML or CSV and can be delivered to the same web portal, by e-mail, or to the filesystem. Built-in reports cover:

The same data is accessible to 3rd party reporting tools.


Users and accounts


Content:

  • List of users, with and without identity attributes.
  • List of accounts on a given system.

Key concepts:

  • The simplest reports in any IAM system are lists of users and accounts.
  • Built-in Identity Manager reports can enumerate users, attributes, accounts, group memberships, roles and more.

Orphan and dormant accounts


Content:

  • Shows accounts with no known owner.

Key concepts:

  • Built-in reports make it easy to find orphan and dormant accounts:
    • Orphan users are user profiles with no login accounts.
    • Orphan accounts have no known owner.
    • Dormant accounts have had no recent login activity.
    • Dormant profiles have all-dormant accounts.

Violations of segregation of duties rules


Content:

  • Finds users who violate any segregation of duties (SoD) rule.
  • Finds users whose violation of an SoD rule has been approved.

Key concepts:

  • SoD reports are a detective control, i.e., they find violations that already exist.
  • There is also a preventive control, embedded in the change request workflow.
  • SoD violations may be approved, for example if they are a legitimate situation that the policy did not take into account.
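The three concepts above (a detective report over existing entitlements, a preventive check at request time, and approved exceptions) can be shown together on a small model. This is an added example and not Identity Manager's own rule engine: the rule format (a named set of entitlements that must not be held together), the user entitlement data and the approval list are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """A named set of entitlements that must not all be held by one user.
    (Constructed rule format; assumption for this example only.)"""
    name: str
    conflicting: frozenset


# Constructed rules: two classic conflicts, finance and release engineering.
RULES = [
    SodRule("AP-create-vs-approve",
            frozenset({"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"})),
    SodRule("dev-vs-prod-deploy",
            frozenset({"SRC_COMMIT", "PROD_DEPLOY"})),
]

# Constructed entitlement snapshot: user -> set of entitlements currently held.
USER_ENTITLEMENTS = {
    "alice": {"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE", "SRC_COMMIT"},
    "bob":   {"SRC_COMMIT", "PROD_DEPLOY"},
    "carol": {"AP_PAYMENT_APPROVE"},
    "dave":  {"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE", "SRC_COMMIT", "PROD_DEPLOY"},
}

# Constructed approved exceptions: (user, rule name) pairs that a policy
# owner has explicitly signed off on, e.g. a two-person team that must
# both commit and deploy.
APPROVED_EXCEPTIONS = {("bob", "dev-vs-prod-deploy")}


def find_violations(entitlements, rules):
    """Detective control: every (user, rule name) where the user holds ALL of
    the rule's mutually exclusive entitlements. Sorted by user for stable
    report output."""
    found = []
    for user, held in sorted(entitlements.items()):
        for rule in rules:
            if rule.conflicting <= held:      # subset test: all conflicting rights held
                found.append((user, rule.name))
    return found


def sod_report(entitlements, rules, approvals):
    """Split existing violations into approved exceptions and open findings,
    which is what a reviewer actually needs to act on."""
    violations = find_violations(entitlements, rules)
    return {
        "approved": [v for v in violations if v in approvals],
        "open":     [v for v in violations if v not in approvals],
    }


def would_violate(held, requested, rules):
    """Preventive control for a change request: names of rules that would be
    newly broken if `requested` were granted on top of `held`. Rules the user
    already violates are not reported again here; the detective report
    covers those."""
    before = set(held)
    after = before | set(requested)
    return [r.name for r in rules
            if r.conflicting <= after and not r.conflicting <= before]


if __name__ == "__main__":
    report = sod_report(USER_ENTITLEMENTS, RULES, APPROVED_EXCEPTIONS)
    print("approved exceptions:", report["approved"])
    print("open findings:      ", report["open"])
    # A request that would create a new conflict is flagged before approval.
    print("request check:", would_violate({"SRC_COMMIT"}, {"PROD_DEPLOY"}, RULES))
```

The two controls share one rule definition, so a request that would create a conflict is stopped in workflow by the same logic that later finds conflicts introduced outside of workflow (for example, group membership changed directly on a target system). Keeping approved exceptions as explicit (user, rule) records rather than deleting the rule means the exception stays visible in the report and can be re-reviewed.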

Detailed change history


Content:

  • Displays all changes made to users, accounts and groups as a result of workflow requests.

Key concepts:

  • Change requests are retained indefinitely.
  • Details including what changed, who requested the change and who authorized it are accessible via built-in reports.
  • Changes detected on target systems (i.e., not initiated by Identity Manager) are also available.