Skip to main content

Self-service Group Management - Hitachi ID Identity Manager

Hitachi ID Identity Manager includes a unique technology for managing user membership in security groups. This technology is called Hitachi ID Group Manager. You can learn more about Group Manager in its own web site:


Group Manager is a self-service group membership request portal. It allows users to request access to resources such as shares and folders, rather than initially specifying groups. Group Manager automatically maps requests to the appropriate security groups and invites group owners to approve or deny the proposed change.

Group Manager is available both as a stand-alone solution and as a no-cost module included with Identity Manager.


Group Manager -- available stand-alone and as a module in Identity Manager -- streamlines the process of managing security groups on Active Directory with:

  • A Windows shell extension:

    A shell extension is included with Group Manager which can be deployed on Windows XP, Windows Vista/7/8 PCs. If installed, this component can intercept Windows "access denied" error messages and present an expanded message which allows users to open a web browser to the Group Manager application, where they can request membership in the appropriate AD group.

  • Share and folder browsing in a web portal:

    Alternately, users can navigate directly to the Group Manager web portal, which presents a view of shares and folders similar to Windows Explorer. Users can select the share, folder or printer in which they are interested and request membership in the appropriate group.

  • A UI that guides users to appropriate groups:

    When users select a network resource, Group Manager presents several options:

    • Groups that have access rights to that resource, with a clear indication as to who owns each group and what access rights the group has.
    • Nested groups, that the user might with to join instead.
    • Nested resources (folders) that the user may wish to access instead.

    With these options, Group Manager guides users to a selection of the appropriate resource and group.

  • Authorization workflow:

    All change requests processed by Group Manager are subject to an authorization process before being completed. By default, group owners are invited to approve all changes, but this routing can be replaced or augmented as required.

    The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:

    • Concurrent invitations to multiple users to review a request.
    • Approval by N of M authorizers (N is fewer than M).
    • Automatic reminders to non-responsive authorizers.
    • Escalation from non-responsive authorizers to their alternates.
    • Scheduled delegation of approval responsibility from unavailable to alternate approvers.

  • Reports:

    Group Manager includes a rich set of built-in reports, designed to answer a variety of questions, such as:

    • What users are members of group X?
    • What group memberships does user Y have?
    • Who authorized membership in group Z for user W?
    • When did user A gain membership in group B?
    • Who requested and who authorized group B for user A?


Group Manager improves security by ensuring that changes to membership in security groups are properly authorized before being implemented.

Group Manager reduces the cost of IT support by moving requests and authorization for changes to group membership out of IT, to the community of business users.

Group Manager streamlines service delivery regarding the management of membership in security groups by making it easier for users to submit clear and appropriate change requests and automatically routing those requests to the right authorizers. This makes the request process painless and the approvals process fast.

Read More:

  • Network architecture:
    Identity Manager network architecture.
  • Replicated, High Performance Database Architecture:
    Identity Manager includes built-in data replication and uses stored procedures to ensure optimized transaction processing.
  • Included Connectors:
    Connectors included in Identity Manager and their capabilities.
  • Auto-Discovery System:
    How the Identity Manager automatically discovers new, deleted and changed users on integrated systems and applications.
  • Reconciling User IDs:
    How Identity Manager maps user IDs on different systems back to their human users, both automatically and with human assistance.
  • Integrations:
    Integrations between Identity Manager and other parts of an IT infrastructure.
  • Custom Business Logic:
    How organizations can implement their own business logic without modifying the core Identity Manager product or impairing system reliability or upgradeability.
  • Dynamic Workflow:
    How Identity Manager invites business users to review and approve changes to user profiles.
  • Reliable Authorization:
    Using parallel invitations, reminders, escalation and delegation to get reliable results from human authorizers.
  • Roles & Rules:
    Using roles and rules to simplify the management of user provisioning policies.
  • Self-service Group Management:
    Using the included Group Manager module to move AD group management to a self-service model.
  • Event Notification:
    Identity Manager can alert people and other systems of changes that it detects on target systems and of events that took place within identity management and access governance business processes.
  • Server Requirements:
    How to configure Identity Manager servers and how many are required.
  • Customizable User Interface:
    How the Identity Manager user interface can be branded, rearranged and adapted to specific customer requirements.
  • Language Support:
    Languages in which Identity Manager can display its user interface.
page top page top