Detecting Changes on Target Systems and Applications
Hitachi ID Identity Manager can detect all administrative changes made on target systems as a normal part of the nightly auto-discovery process. This includes new users, terminated users, attribute changes and group membership changes.
Normally such changes are simply loaded into the Identity Manager identity cache, so that the various Identity Manager processes can act on correct current state data.
Such changes can also be fed into alarm systems (such as e-mail or SMS), can be reported on and can be fed as input to the auto-provisioning component of Identity Manager.
The auto-provisioning module (ID-Track) applies business logic to decide what to do about detected changes (for example, disable unauthorized new accounts, revoke group membership changes and so on). Changes are submitted to the workflow engine, where they may be automatically approved or require human authorization before being executed.
Automated removal of detected changes is not normally recommended, however, as it is difficult to predict a priori what kinds of changes might legitimately be required by systems administrators. It is normally safer to report on changes than to blindly revoke them. Human beings can then decide whether to retain or back out changes made outside of Identity Manager.
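The detection and triage flow described above, as an added example that is not Hitachi ID code and does not reproduce ID-Track's actual logic: two constructed snapshots stand in for the identity cache (previous run) and tonight's auto-discovery, the diff is classified into the four change kinds the text names, and a policy routes each change either to a report or to a workflow review queue. Nothing is reverted automatically; the set of sensitive groups is an assumption for illustration.

```python
"""Nightly change detection over two account snapshots (added example).

Field names ("attrs", "groups"), the sample accounts and SENSITIVE_GROUPS are
all constructed for this illustration and are not Identity Manager's schema.
"""
from dataclasses import dataclass

# Constructed sample: what the identity cache held after the previous run.
PREVIOUS = {
    "alice": {"attrs": {"title": "Analyst", "dept": "Finance"}, "groups": {"finance-ro"}},
    "bob":   {"attrs": {"title": "Engineer", "dept": "IT"},     "groups": {"it-staff"}},
    "carol": {"attrs": {"title": "Manager", "dept": "HR"},      "groups": {"hr-all"}},
}

# Constructed sample: what tonight's auto-discovery read from the target system.
CURRENT = {
    "alice": {"attrs": {"title": "Analyst", "dept": "Finance"}, "groups": {"finance-ro", "domain-admins"}},
    "bob":   {"attrs": {"title": "Senior Engineer", "dept": "IT"}, "groups": {"it-staff"}},
    "dave":  {"attrs": {"title": "Contractor", "dept": "IT"},   "groups": {"it-staff"}},
}


@dataclass(frozen=True)
class Change:
    kind: str      # new_account | terminated_account | attribute_change | group_change
    account: str
    detail: str


def detect_changes(previous, current):
    """Diff two snapshots and return the administrative changes made out of band."""
    changes = []
    for acct in sorted(current.keys() - previous.keys()):
        changes.append(Change("new_account", acct, "exists on target but not in cache"))
    for acct in sorted(previous.keys() - current.keys()):
        changes.append(Change("terminated_account", acct, "in cache but no longer on target"))
    for acct in sorted(previous.keys() & current.keys()):
        old, new = previous[acct], current[acct]
        for name in sorted(old["attrs"].keys() | new["attrs"].keys()):
            if old["attrs"].get(name) != new["attrs"].get(name):
                changes.append(Change("attribute_change", acct,
                                      f"{name}: {old['attrs'].get(name)!r} -> {new['attrs'].get(name)!r}"))
        for g in sorted(new["groups"] - old["groups"]):
            changes.append(Change("group_change", acct, f"added to {g}"))
        for g in sorted(old["groups"] - new["groups"]):
            changes.append(Change("group_change", acct, f"removed from {g}"))
    return changes


# Assumed policy input: groups whose membership changes always need a human decision.
SENSITIVE_GROUPS = {"domain-admins"}


def triage(changes):
    """Return (action, change) pairs.

    Following the text's recommendation, nothing is backed out here: unexpected
    new accounts and additions to sensitive groups are queued for workflow review,
    everything else is simply reported for a human to look at.
    """
    decisions = []
    for c in changes:
        added_sensitive = c.kind == "group_change" and any(
            c.detail == f"added to {g}" for g in SENSITIVE_GROUPS)
        if c.kind == "new_account" or added_sensitive:
            decisions.append(("workflow_review", c))
        else:
            decisions.append(("report", c))
    return decisions


if __name__ == "__main__":
    for action, change in triage(detect_changes(PREVIOUS, CURRENT)):
        print(f"{action:16} {change.kind:19} {change.account:6} {change.detail}")
```

Running the block prints four lines: the new account `dave` and the addition of `alice` to `domain-admins` go to workflow review, while `carol`'s disappearance and `bob`'s title change are reported only. A real reconciliation would also write the current snapshot back to the cache so the next night's diff starts from the state the system was actually in.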
Event Notification Infrastructure
Identity Manager includes over 189 exit points. (1) Exit points may be triggered by many events, including:
- Attempts to sign into Identity Manager (successful or failed).
- One user looking up the profile of another.
- Changes to a user's profile, such as creating a new account or changing attributes or group memberships for an existing account.
- Assigning a role to a user or removing a user from a role; changing Identity Manager's configuration.
- Running a report.
- Triggering an intruder lockout.
Example uses of exit points include sending e-mails to users or administrators; creating, updating or closing incident records in an incident management application; notifying an IT infrastructure management system of an integration problem; or recording a security event to a security information and event management (SIEM) or intrusion detection (IDS) system.
Various pre-built interface programs designed for use with exit points are included with Identity Manager. They are generally scriptable and simplify the process of creating help desk incidents (e.g., BMC Remedy, HP Service Manager and the like) and sending e-mails.
For clarity, it should be noted that exit programs and plug-in programs in Identity Manager are distinct components that serve different functions. Whereas plug-in programs are bidirectional -- Identity Manager sends data to the plug-in, the plug-in responds with data that alters Identity Manager's behavior -- exit programs are uni-directional and are used strictly to pass information outbound from Identity Manager to other applications.
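The exit-point versus plug-in distinction above, as an added example that is not Hitachi ID code: a small event bus fires constructed events of the kinds the list names (failed sign-ins, a profile lookup, an intruder lockout). Plug-ins run first and their reply can change the outcome; exit programs run afterwards, their return value is discarded, and a failing exit program is recorded rather than allowed to block the operation. The event names, the veto-style plug-in reply and the lookup policy are assumptions made for the illustration; the in-memory lists stand in for a SIEM collector and a ticketing system.

```python
"""Event bus with outbound-only exit points and bidirectional plug-ins (added example).

Event names, the {"allow": bool} plug-in reply and the lookup policy are constructed
for this illustration; none of it is Identity Manager's real interface.
"""
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    name: str            # assumed names: "login.failed", "profile.lookup", "intruder.lockout"
    actor: str           # who triggered the event
    target: str          # which account or profile it concerns
    ts: str              # constructed ISO-8601 timestamp, explicit so runs are reproducible
    details: dict = field(default_factory=dict)


class EventBus:
    """Routes events to plug-ins (reply honoured) and exit programs (outbound only)."""

    def __init__(self):
        self._plugins = {}
        self._exits = {}
        self.exit_failures = []   # exit-program errors are recorded, never propagated

    def register_plugin(self, event_name, fn):
        self._plugins.setdefault(event_name, []).append(fn)

    def register_exit(self, event_name, fn):
        self._exits.setdefault(event_name, []).append(fn)

    def fire(self, event):
        # Plug-ins first: a reply of {"allow": False} vetoes the action (assumed model).
        allow = True
        for fn in self._plugins.get(event.name, []):
            reply = fn(event)
            if isinstance(reply, dict) and reply.get("allow") is False:
                allow = False
        # Exit programs afterwards: whatever they return is discarded, and a failure
        # in one of them must not stop the operation that raised the event.
        for fn in self._exits.get(event.name, []):
            try:
                fn(event)
            except Exception as exc:
                self.exit_failures.append((fn.__name__, event.name, str(exc)))
        return allow


SIEM_RECORDS = []   # stands in for the SIEM ingest endpoint
INCIDENTS = []      # stands in for the help-desk ticketing system


def siem_exit(event):
    """Emit one JSON line per event, the shape a SIEM collector would ingest."""
    SIEM_RECORDS.append(json.dumps(
        {"ts": event.ts, "event": event.name, "actor": event.actor,
         "target": event.target, **event.details}, sort_keys=True))
    return "ignored by the bus"   # exit-point return values are never consulted


def incident_exit(event):
    INCIDENTS.append({"id": f"INC-{len(INCIDENTS) + 1:04d}",
                      "summary": f"{event.name}: {event.target}",
                      "source": "identity-manager"})


def broken_exit(event):
    raise ConnectionError("ticketing system unreachable")   # simulated outage


def lookup_plugin(event):
    """Hypothetical policy: users may view their own profile; help-desk staff may view anyone."""
    if event.actor == event.target or event.details.get("actor_role") == "helpdesk":
        return {"allow": True}
    return {"allow": False, "reason": "cross-user profile lookup denied"}


def build_bus():
    bus = EventBus()
    bus.register_plugin("profile.lookup", lookup_plugin)
    for name in ("login.failed", "profile.lookup", "intruder.lockout"):
        bus.register_exit(name, siem_exit)
    bus.register_exit("intruder.lockout", incident_exit)
    bus.register_exit("intruder.lockout", broken_exit)
    return bus


def run_demo():
    """Fire a constructed event sequence and return what each consumer observed."""
    SIEM_RECORDS.clear()
    INCIDENTS.clear()
    bus = build_bus()
    outcomes = []
    for i in range(3):   # three failed sign-ins ...
        outcomes.append(bus.fire(Event("login.failed", "alice", "alice",
                                       f"2024-01-01T08:00:0{i}Z", {"ip": "192.0.2.10"})))
    # ... followed by the lockout they trigger
    outcomes.append(bus.fire(Event("intruder.lockout", "system", "alice",
                                   "2024-01-01T08:00:03Z", {"threshold": 3})))
    # a cross-user lookup, once as an ordinary user and once as help-desk staff
    outcomes.append(bus.fire(Event("profile.lookup", "bob", "alice",
                                   "2024-01-01T08:01:00Z", {"actor_role": "user"})))
    outcomes.append(bus.fire(Event("profile.lookup", "bob", "alice",
                                   "2024-01-01T08:01:05Z", {"actor_role": "helpdesk"})))
    return {"outcomes": outcomes, "siem": list(SIEM_RECORDS),
            "incidents": list(INCIDENTS), "exit_failures": list(bus.exit_failures)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The vetoed lookup still reaches the SIEM exit, which matches the text: the lookup is an event worth recording whether or not the plug-in allowed it. The simulated ticketing outage lands in `exit_failures` and the lockout is still processed, which is the property you want from a strictly outbound interface.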