Detecting Changes on Target Systems and Applications
Hitachi ID Identity Manager can detect all administrative changes made to users
and entitlements on target systems as a normal part of the
auto-discovery process. This includes new users, terminated users,
attribute changes and group membership changes.
Normally such changes are simply loaded into the Identity Manager identity
cache, so that the various Identity Manager processes can act on correct
current state data.
Such changes can also be fed into alarm systems (such as e-mail or SMS),
can be reported on and can be fed as input to the auto-provisioning
component of Identity Manager.
The auto-provisioning module (ID-Track) applies business logic to
decide what to do about detected changes (disable unauthorized new
accounts, revoke group membership changes and so on). Changes are
submitted to the workflow engine, where they may be automatically
approved or require human authorization before being executed.
Automated removal of detected changes is not normally recommended,
however, as it is difficult to predict a priori what kinds of changes
might be legitimately required by systems administrators. It is
normally safer to report on changes than to blindly revoke them.
Human beings can then decide whether to retain or back out changes
made outside of Identity Manager.
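The detect-then-report approach described above, sketched as an added example (not Hitachi ID code): a fresh discovery snapshot is diffed against the cached state, every change is reported, and only risky ones are queued for human review instead of being revoked. The snapshot layout, function names and the privileged-group list are assumptions made for illustration.

```python
# Added illustration, not product code. Snapshot layout and names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:
    kind: str      # new_user | removed_user | attribute_changed | group_added | group_removed
    account: str
    detail: str

def detect_changes(cached, discovered):
    """Diff cached state against a discovery snapshot: {account: {"attrs": {}, "groups": set()}}."""
    changes = []
    for acct in sorted(discovered.keys() - cached.keys()):
        changes.append(Change("new_user", acct, "account not in cache"))
    for acct in sorted(cached.keys() - discovered.keys()):
        changes.append(Change("removed_user", acct, "account no longer on target"))
    for acct in sorted(cached.keys() & discovered.keys()):
        old, new = cached[acct], discovered[acct]
        for name in sorted(old["attrs"].keys() | new["attrs"].keys()):
            before, after = old["attrs"].get(name), new["attrs"].get(name)
            if before != after:
                changes.append(Change("attribute_changed", acct, f"{name}: {before!r} -> {after!r}"))
        for grp in sorted(new["groups"] - old["groups"]):
            changes.append(Change("group_added", acct, grp))
        for grp in sorted(old["groups"] - new["groups"]):
            changes.append(Change("group_removed", acct, grp))
    return changes

def triage(changes, privileged_groups):
    """Report every change; queue risky ones for a human decision, revoke nothing."""
    review = [c for c in changes
              if c.kind == "new_user"
              or (c.kind == "group_added" and c.detail in privileged_groups)]
    return {"report": changes, "needs_review": review}

# Constructed sample data (hypothetical accounts and groups)
CACHED = {
    "alice": {"attrs": {"dept": "Finance"}, "groups": {"Staff"}},
    "bob": {"attrs": {"dept": "IT"}, "groups": {"Staff", "Helpdesk"}},
}
DISCOVERED = {
    "alice": {"attrs": {"dept": "Finance"}, "groups": {"Staff", "Domain Admins"}},
    "bob": {"attrs": {"dept": "Sales"}, "groups": {"Staff"}},
    "svc_tmp": {"attrs": {}, "groups": {"Staff"}},
}

if __name__ == "__main__":
    for c in triage(detect_changes(CACHED, DISCOVERED), {"Domain Admins"})["needs_review"]:
        print(c)
```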
Event Notification Infrastructure
Identity Manager includes over
300 exit points.
Exit points may be triggered by many events, including:
- Attempts to sign into Identity Manager (successful or failed).
- One user looking up the profile of another.
- Triggering an intruder lockout.
- Password synchronization or reset, success or failure.
- Checking out a managed account, account set or group set.
- Time-out of a privileged access session.
- Changes to a user's profile, such as creating a new account or
changing attributes or group memberships for an existing account.
- Assigning a role to a user or removing a user from a role.
- Changing Identity Manager's configuration.
- Running a report.
Example uses of exit points include sending e-mails to users,
manipulating incidents in a ticketing system or forwarding an event
to a security incident/event management (SIEM) system.
Various pre-built interface programs designed to be called from exit
points are included with Identity Manager. Scriptable interface programs can
create help desk incidents (e.g., ServiceNow, BMC Remedy, HP Service
Manager, etc.) and send e-mails.