Access Change Authorization - Hitachi ID Identity Manager
Any request submitted to the workflow system in Hitachi ID Identity Manager
may have to be approved by an appropriate business user before
being fulfilled. Authorizers are normally invited to act by e-mail and
respond by clicking on an embedded URL, authenticating and reviewing
a request in detail on a secure web portal.
The identity of authorizers, and the number of authorizers required
before a request is fulfilled, depend on business rules specific to each Hitachi ID Systems customer:
- In a very simple configuration, all requests can be checked and approved
by a single team, such as a security group.
- In more typical deployments, groups of authorizers may be attached
to a request because of their association with an entitlement
that was requested or because of their relationship within the
organization to either the requester or recipient specified in
Regardless of what business logic is used to select authorizers,
requests are routed to authorizers, who get an e-mail and periodic
reminders, asking for review and approval. Authorizers click on an
embedded URL in the e-mail, sign into Identity Manager with their own
login ID and password, review the details of the requested change and either
grant change approval or deny it.
Authorizers may temporarily or permanently delegate their responsibility
-- for example when they leave for holidays or change job functions.
When an authorizer fails to respond to repeated invitations to act,
a new authorizer is automatically selected (escalation).
Customer-specific business logic controls to whom escalated requests are routed.
Authorizers may be granted partial or total veto power over a request.
With partial veto power, their denial of a change will block just
those parts of the change that they were associated with, but other
components can still be approved by their own authorizers. Global
veto allows an authorizer to cancel a whole request, for multiple
While parallel change authorization is the norm, it is also possible
to configure Identity Manager to require serial authorization, by attaching
additional authorizers to a change request after an initial set
of authorizers have either approved or denied it.
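The approval semantics described above (authorizers attached per entitlement, partial versus global veto, delegation and escalation), as an added illustrative model that is not Identity Manager's own code; the authorizer names, entitlements and the `pick` escalation rule are constructed assumptions:

```python
from dataclasses import dataclass, field

APPROVE, DENY = "approve", "deny"

@dataclass
class Request:
    components: dict[str, list[str]]            # entitlement -> attached authorizers
    global_veto: set[str] = field(default_factory=set)   # authorizers with total veto
    delegates: dict[str, str] = field(default_factory=dict)  # authorizer -> delegate

def effective(req: Request, name: str) -> str:
    """Follow delegation chains so a delegate's decision counts for the delegator."""
    seen = set()
    while name in req.delegates and name not in seen:
        seen.add(name)
        name = req.delegates[name]
    return name

def evaluate(req: Request, decisions: dict[str, str]) -> dict[str, str]:
    """Outcome per component: 'approved', 'blocked', 'cancelled' or 'pending'.
    A global-veto denial cancels every component; a partial-veto denial blocks only
    the components that authorizer is attached to; approval needs every authorizer."""
    everyone = {a for auths in req.components.values() for a in auths}
    if any(decisions.get(effective(req, a)) == DENY for a in everyone & req.global_veto):
        return {c: "cancelled" for c in req.components}
    result = {}
    for comp, auths in req.components.items():
        votes = [decisions.get(effective(req, a)) for a in auths]
        if DENY in votes:
            result[comp] = "blocked"
        else:
            result[comp] = "approved" if all(v == APPROVE for v in votes) else "pending"
    return result

def escalate(req: Request, decisions: dict[str, str], pick) -> Request:
    """Replace each non-responder with the authorizer that customer logic (pick) selects;
    the replacement inherits the veto scope of the authorizer it replaces."""
    def swap(a: str) -> str:
        return a if decisions.get(effective(req, a)) else pick(a)
    return Request(
        components={c: [swap(a) for a in auths] for c, auths in req.components.items()},
        global_veto={swap(a) for a in req.global_veto},
        delegates=dict(req.delegates),
    )

# Constructed sample request: bob holds global veto; carol has delegated her approvals to dave.
SAMPLE = Request(components={"AD group Finance": ["alice", "bob"], "SAP role AP-clerk": ["carol"]},
                 global_veto={"bob"}, delegates={"carol": "dave"})
```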