Dynamic Workflow

How the Hitachi ID Identity Manager dynamic workflow streamlines deployment and minimizes ongoing administration.

A workflow engine allows people and automated processes to request and authorize security changes directly, without involving security administrators. This is a key feature of any successful identity management and access governance system.

Configuring a workflow process can be challenging. As an IAM system is scaled up to support hundreds of target systems, with hundreds of kinds of updates supported on each one, the workflow engine must scale to appropriately validate and authorize thousands of types of transactions.

With a traditional workflow engine, this would require either thousands of flowcharts or thousands of state tables; either way, the result is unmanageable.

To mitigate the combinatorial explosion in the number of required workflow processes, the Hitachi ID Identity Manager workflow engine is dynamic: a single state machine tracks authorizations for every possible change (transaction) on every target system. Plug-in programs alter the behavior of the state machine, using business logic to validate inputs, route requests to the appropriate authorizers based on the requested resources or the identity of the requesting principal, and so on.

Rather than requiring organizations to define one flowchart for every supported type of user profile change on every target system, a single, built-in flowchart is used to track change authorization for every possible change type, on every system. Organizations are instead asked to define policies for a small number of control points in the master flowchart: input validation, authorizer routing, reminder timing and automatic escalation routing. The same workflow engine, implementing the same change authorization process, applies to every possible user update. Shared business logic ensures that appropriate decisions are made for validation and authorization in every case.

This approach eliminates the need for organizations to draw and maintain thousands of flowcharts, each with blocks of business logic (programming) embedded in it. Instead, Hitachi ID Systems customers use a programming language of their choice to write four or five blocks of general-purpose business logic, for tasks such as input validation, authorizer routing and escalation. The same logic applies globally, which makes dynamic workflow faster to develop, easier to maintain and clearer to audit.
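The following is an added illustration of the design described above; it is not Hitachi ID Identity Manager code, and every name in it (ChangeRequest, WorkflowEngine, the policy tables and the people in them) is a constructed assumption. One state machine handles every change on every system; the four control points (input validation, authorizer routing, reminder timing, escalation routing) are plain functions and constants that a customer would supply.

```python
"""One generic change-authorization state machine with pluggable control
points. Added example, not Hitachi ID Identity Manager code: every name
here (ChangeRequest, WorkflowEngine, the policy tables) is hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NEW = "new"
    PENDING = "pending_authorization"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class ChangeRequest:
    """Any change on any target system; the engine never special-cases these."""
    requester: str
    target_user: str
    system: str          # e.g. "ad", "sap", "unix"
    change_type: str     # e.g. "add_to_group", "reset_password"
    attrs: dict
    state: State = State.NEW
    pending: set = field(default_factory=set)   # authorizers yet to answer
    history: list = field(default_factory=list)


# Control point 1: input validation (one global rule set; constructed sample)
def validate(req):
    """Return None if the request is acceptable, else a rejection reason."""
    group = req.attrs.get("group", "")
    if req.change_type == "add_to_group" and not group:
        return "group is required"
    if req.change_type == "add_to_group" and group.startswith("svc-"):
        return "service-account groups are not requestable"
    return None


# Control point 2: authorizer routing by requested resource and requester
MANAGER_OF = {"alice": "bob", "carol": "bob", "bob": "dave"}     # constructed
RESOURCE_OWNER = {("ad", "domain-admins"): {"secops-lead"}}      # constructed


def route(req):
    """Manager of the target user, plus the owner of a sensitive resource."""
    authorizers = {MANAGER_OF[req.target_user]}
    authorizers |= RESOURCE_OWNER.get((req.system, req.attrs.get("group")), set())
    authorizers.discard(req.requester)   # separation of duties: no self-approval
    return authorizers


# Control points 3 and 4: reminder timing and escalation routing
REMIND_AFTER_H, ESCALATE_AFTER_H = 24, 72
ESCALATE_TO = {"bob": "dave", "secops-lead": "ciso"}             # constructed


class WorkflowEngine:
    """The single built-in flowchart: NEW -> PENDING -> APPROVED | REJECTED."""

    def submit(self, req):
        reason = validate(req)
        if reason:
            return self._finish(req, State.REJECTED, "validation: " + reason)
        req.pending = route(req)
        if not req.pending:   # fail closed: no independent authorizer exists
            return self._finish(req, State.REJECTED, "no independent authorizer")
        req.state = State.PENDING
        req.history.append(("invited", sorted(req.pending)))
        return req

    def decide(self, req, authorizer, approve):
        """Record one authorizer's answer; any rejection ends the request."""
        if req.state is not State.PENDING or authorizer not in req.pending:
            raise PermissionError(f"{authorizer} is not a pending authorizer")
        req.pending.discard(authorizer)
        req.history.append(("approved" if approve else "rejected", authorizer))
        if not approve:
            return self._finish(req, State.REJECTED, f"rejected by {authorizer}")
        if not req.pending:
            return self._finish(req, State.APPROVED, "all authorizers approved")
        return req

    def tick(self, req, hours_waiting):
        """Called by a scheduler: remind first, then reroute to escalation targets."""
        if req.state is not State.PENDING:
            return req
        if hours_waiting >= ESCALATE_AFTER_H:
            for a in [a for a in req.pending if a in ESCALATE_TO]:
                req.pending.discard(a)
                req.pending.add(ESCALATE_TO[a])
                req.history.append(("escalated", a, ESCALATE_TO[a]))
            req.pending.discard(req.requester)   # escalation must not reach the requester
            if not req.pending:
                return self._finish(req, State.REJECTED, "no independent authorizer")
        elif hours_waiting >= REMIND_AFTER_H:
            req.history.append(("reminded", sorted(req.pending)))
        return req

    @staticmethod
    def _finish(req, state, note):
        req.state = state
        req.history.append((state.value, note))
        return req
```

Two points worth noticing in this shape: the engine fails closed when routing yields no authorizer other than the requester, and the same separation-of-duties check is applied again after escalation, because a rerouted invitation could otherwise land on the requester. The flip side of "the same logic applies globally" is that a defect in any of these few blocks affects every transaction on every system, so they deserve the review and testing that a large flowchart library would never get.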

Dynamic workflow is illustrated in Figure [link].

Figure: Identity Manager Dynamic Workflow

A dynamic workflow engine is significantly easier to set up and maintain than the alternative: a traditional workflow engine in which a graphical flowchart or a state table is manually defined for each and every one of the thousands of possible transaction types.

Using its dynamic workflow engine, Identity Manager can be configured and deployed in weeks rather than months or years. Furthermore, the dynamic workflow engine in Identity Manager requires minimal ongoing maintenance, resulting in a much lower total cost of ownership (TCO) than a traditional workflow engine.

Read More:

  • Network architecture:
    Identity Manager network architecture.
  • Replicated, High Performance Database Architecture:
    Identity Manager includes built-in data replication and uses stored procedures to ensure optimized transaction processing.
  • Included Connectors:
    Connectors included in Identity Manager and their capabilities.
  • Auto-Discovery System:
    How the Identity Manager automatically discovers new, deleted and changed users on integrated systems and applications.
  • Reconciling User IDs:
    How Identity Manager maps user IDs on different systems back to their human users, both automatically and with human assistance.
  • Integrations:
    Integrations between Identity Manager and other parts of an IT infrastructure.
  • Custom Business Logic:
    How organizations can implement their own business logic without modifying the core Identity Manager product or impairing system reliability or upgradeability.
  • Dynamic Workflow:
    How Identity Manager invites business users to review and approve changes to user profiles.
  • Reliable Authorization:
    Using parallel invitations, reminders, escalation and delegation to get reliable results from human authorizers.
  • Roles & Rules:
    Using roles and rules to simplify the management of user provisioning policies.
  • Self-service Group Management:
    Using the included Group Manager module to move AD group management to a self-service model.
  • Event Notification:
    Identity Manager can alert people and other systems of changes that it detects on target systems and of events that took place within identity management and access governance business processes.
  • Server Requirements:
    How to configure Identity Manager servers and how many are required.
  • Customizable User Interface:
    How the Identity Manager user interface can be branded, rearranged and adapted to specific customer requirements.
  • Language Support:
    Languages in which Identity Manager can display its user interface.