Skip to main content

Access Change Authorization - Hitachi ID Identity Manager

Any request submitted to the workflow system in Hitachi ID Identity Manager may have to be approved by an appropriate business user before being fulfilled. Authorizers are normally invited to act by e-mail and respond by clicking on an embedded URL, authenticating and reviewing a request in detail on a secure web portal.

The identity of authorizers and the number of authorizers required prior to fulfillment depend on Hitachi ID Systems customer-specific business rules:

  • In a very simple configuration, all requests can be checked and approved by a single team, such as a security group.

  • In more typical deployments, groups of authorizers may be attached to a request because of their association with an entitlement that was requested or because of their relationship within the organization to either the requester or recipient specified in a request.

Regardless of what business logic is used to select authorizers, requests are routed to authorizers, who get an e-mail and periodic reminders, asking for review and approval. Authorizers click on an embedded URL in the e-mail, sign into Identity Manager with their own login ID and password, review the details of the requested change and either grant change approval or deny it.

Authorizers may temporarily or permanently delegate their responsibility -- for example when they leave for holidays or change job functions.

When an authorizer fails to respond to repeated invitations to act, new authorizer is automatically selected (escalation). Hitachi ID Systems customer business logic controls to whom escalated requests are routed.

Authorizers may be granted partial or total veto power over a request. With partial veto power, their denial of a change will block just those parts of the change that they were associated with, but other components can still be approved by their own authorizers. Global veto allows an authorizer to cancel a whole request, for multiple resources.

While parallel change authorization is the norm, it is also possible to configure Identity Manager to require serial authorization, by attaching additional authorizers to a change request after an initial set of authorizers have either approved or denied it.

Read More:

  • Secure User Administration:
    Changing business processes and infrastructure to secure user administration.
  • Locking Down Identity Manager:
    Protecting the Identity Manager server, its data and its communications against attack.
  • Finding and Deactivating Orphan Accounts:
    Using Identity Manager to find and deactivate dormant and orphan login accounts.
  • User Access Deactivation:
    Prompt and reliable user access termination are essential to internal controls over enterprise IT infrastructure.
  • Access Change Authorization:
    Use Identity Manager to enforce robust processes to authorize changes to user access rights.
  • Enforcing Security Standards:
    Standards are an important way to ensure that users get just the entitlements they need, and no more. Naming standards are also important, as they help in the implementation of accountability measures, such as connecting security events on different systems back to individual users.
  • Global Access Reporting:
    One of the key requirements for secure identity management and access governance is the ability to find out who has access to what systems of data. This capability must span systems and platforms -- hence global access reporting.
  • Segregation of Duties Policy Enforcement:
    Detecting users whose already-assigned security entitlements violate policy and preventing users from acquiring new entitlements that would violate segregation of duties rules.
  • Entitlement and Request History:
    Hitachi ID Identity and Access Management Suite retains a history of all change requests – including requester, recipient, authorizers, times and dates, operations, attributes, entitlements and either connector results or implementer feedback.
page top page top