Reconciling User IDs
Every enterprise identity management and access governance system,
regardless of its features, must support login ID reconciliation.
Users have login accounts and other records on various systems and
these have to be attached to a single profile, in order to create a
user-centric identity system. The process of attaching non-standard
login IDs and other user identifiers to a single profile is called
login ID reconciliation.
Hitachi ID Identity Manager supports multiple options for login ID reconciliation, as follows:
- Automatically, typically by matching consistent login IDs.
- By matching other attributes such as an SSN or employee ID,
where they are available.
- By drawing on an external source of data -- for example, some
organizations maintain a mapping table or spreadsheet.
- Using a self-service reconciliation process.
When self-service login ID reconciliation is required, it works as follows:
- Users are automatically invited to complete their profiles --
for example via an e-mail with an embedded URL.
- Users sign into the registration system, using a primary
login ID and password or other types of credentials.
- Users are asked to type their additional ID/password pairs.
Each provided ID/password pair is compared against an automatically
maintained inventory of login IDs drawn from target systems, to
find instances where the user-entered login ID appears on a system
and does not yet belong to a known user profile. Identity Manager then
attempts to sign into that system with the user-entered password.
If the login attempt succeeds, the user's profile is updated
with the system ID and the user-entered login ID.
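The self-service claim flow described above, written out as an added example (this is illustrative code, not Hitachi ID's implementation). It assumes a `TargetSystem` stand-in that simulates the login attempt with salted password hashes, a static account inventory built at start-up, and a per-attempt audit record; the system names, login IDs and passwords are constructed sample data. Accounts that already belong to a known profile are refused before any login is attempted, so the claim step cannot be used to test another user's password.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a target system. A real deployment performs an
# actual login (LDAP bind, database login, ...); this simulation keeps only a
# salted hash per account so it runs offline and never stores plaintext.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class TargetSystem:
    def __init__(self, name: str, accounts: dict[str, str]):
        self.name = name
        self._creds: dict[str, tuple[bytes, bytes]] = {}
        for login_id, password in accounts.items():
            salt = secrets.token_bytes(16)
            self._creds[login_id] = (salt, _hash(salt, password))

    def login_ids(self) -> set[str]:
        return set(self._creds)

    def authenticate(self, login_id: str, password: str) -> bool:
        entry = self._creds.get(login_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, _hash(salt, password))


@dataclass
class Profile:
    profile_id: str
    accounts: set[tuple[str, str]] = field(default_factory=set)  # (system, login_id)


class Reconciler:
    def __init__(self, systems: list[TargetSystem]):
        self.systems = {s.name: s for s in systems}
        # Inventory of discovered login IDs: (system, login_id) -> owning
        # profile_id, or None while the account is still unclaimed.
        self.inventory: dict[tuple[str, str], str | None] = {
            (s.name, lid): None for s in systems for lid in s.login_ids()
        }
        self.audit: list[tuple[str, str, str, str]] = []

    def claim(self, profile: Profile, system: str, login_id: str, password: str) -> str:
        """Attach (system, login_id) to profile if the user proves ownership."""
        key = (system, login_id)
        if key not in self.inventory:
            outcome = "not_found"          # ID was never discovered on that system
        elif self.inventory[key] is not None:
            outcome = "already_claimed"    # refuse without attempting a login
        elif not self.systems[system].authenticate(login_id, password):
            outcome = "auth_failed"        # user could not prove ownership
        else:
            self.inventory[key] = profile.profile_id
            profile.accounts.add(key)
            outcome = "attached"
        # Every attempt, successful or not, is logged for later review.
        self.audit.append((profile.profile_id, system, login_id, outcome))
        return outcome


def build_demo() -> tuple[Reconciler, Profile, Profile]:
    # Constructed sample systems and accounts.
    ad = TargetSystem("AD", {"jsmith": "Winter2024!", "rpatel": "Spring2024!"})
    mainframe = TargetSystem("Mainframe", {"JSMIT01": "mf-secret", "RPATEL": "mf-other"})
    return Reconciler([ad, mainframe]), Profile("P001"), Profile("P002")


if __name__ == "__main__":
    rec, alice, bob = build_demo()
    print(rec.claim(bob, "AD", "jsmith", "Winter2024!"))        # attached
    print(rec.claim(alice, "AD", "jsmith", "Winter2024!"))      # already_claimed
    print(rec.claim(alice, "Mainframe", "JSMIT01", "wrong"))    # auth_failed
    print(rec.claim(alice, "Mainframe", "JSMIT01", "mf-secret"))  # attached
    for entry in rec.audit:
        print(entry)
```

The ordering of the checks matters: the inventory lookup and the ownership check come before the login attempt, so the target system is only contacted for accounts that are genuinely unclaimed.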
Self-service reconciliation is inexpensive (about 5 minutes per user),
reliable, fully automated (users are reminded to enroll until they
actually do) and very secure.
Both self-service and administrative login ID reconciliation are
logged. Other forms of login ID reconciliation are typically batch
oriented and can be configured with logging if required.
Note that attempts to reconcile login IDs by matching on attributes
of user profiles on target systems are often costly and/or insecure,
especially when combined with a password management system:
- The only attribute that is commonly available on every system is
a user's full name. This may be inconsistent across systems and in
many large organizations multiple users share the same full name and
sometimes the same location.
- Failure to automatically correlate an account leads to manual,
administrative reconciliation, which is expensive.
- Incorrect ID mapping allows one user to set another user's
password, which is a serious breach of security.
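The attribute-matching pitfalls listed above, shown in an added example (illustrative code, not Hitachi ID's): a correlator that prefers a unique identifier where the target system exposes one, falls back to the full name otherwise, and refuses to auto-map when the name matches more than one profile, routing that account to manual reconciliation instead. A naive first-match version is included beside it to show the wrong mapping it would produce. The HR records and discovered accounts are constructed sample data.

```python
from __future__ import annotations

# Constructed sample: profiles from an HR feed. Two people share a full name
# and a location, which is the case the page warns about.
HR_PROFILES = [
    {"profile_id": "P001", "full_name": "Jane Smith", "employee_id": "E1001", "location": "Toronto"},
    {"profile_id": "P002", "full_name": "Jane Smith", "employee_id": "E1002", "location": "Toronto"},
    {"profile_id": "P003", "full_name": "Ravi Patel", "employee_id": "E1003", "location": "Calgary"},
]

# Constructed sample: accounts discovered on target systems. Only AD carries
# an employee ID; the mainframe exposes just a full name; SAP formats the name
# differently.
DISCOVERED_ACCOUNTS = [
    {"system": "AD", "login_id": "jsmith", "full_name": "Jane Smith", "employee_id": "E1002"},
    {"system": "Mainframe", "login_id": "JSMIT01", "full_name": "Jane Smith"},
    {"system": "Mainframe", "login_id": "RPATEL", "full_name": "Ravi  Patel"},
    {"system": "SAP", "login_id": "JSMITH2", "full_name": "J. Smith"},
]


def normalize_name(name: str) -> str:
    # Collapse case and whitespace; anything more aggressive risks false matches.
    return " ".join(name.lower().split())


def _candidates(account: dict, profiles: list[dict]) -> list[dict]:
    if "employee_id" in account:
        # A unique identifier is available: match on it and nothing else.
        return [p for p in profiles if p["employee_id"] == account["employee_id"]]
    wanted = normalize_name(account["full_name"])
    return [p for p in profiles if normalize_name(p["full_name"]) == wanted]


def correlate(account: dict, profiles: list[dict]) -> tuple[str, object]:
    """Return ("matched", profile_id), ("ambiguous", [profile_ids]) or ("unmatched", None)."""
    hits = _candidates(account, profiles)
    if len(hits) == 1:
        return ("matched", hits[0]["profile_id"])
    if len(hits) > 1:
        # Never guess: an incorrect mapping would let one user manage the
        # other's password. Hand the account to manual reconciliation.
        return ("ambiguous", sorted(h["profile_id"] for h in hits))
    return ("unmatched", None)


def naive_first_match(account: dict, profiles: list[dict]) -> str | None:
    """The unsafe variant: silently takes the first candidate."""
    hits = _candidates(account, profiles)
    return hits[0]["profile_id"] if hits else None


def reconcile(accounts: list[dict], profiles: list[dict]) -> dict[tuple[str, str], tuple[str, object]]:
    return {(a["system"], a["login_id"]): correlate(a, profiles) for a in accounts}


if __name__ == "__main__":
    for key, (status, detail) in reconcile(DISCOVERED_ACCOUNTS, HR_PROFILES).items():
        print(f"{key[0]:>9}/{key[1]:<8} {status:<10} {detail}")
```

Running it, the AD account resolves by employee ID, the mainframe `JSMIT01` account is flagged ambiguous between the two Jane Smiths (the naive matcher would assign it to `P001`, which may be the wrong person), and the SAP account is unmatched because its name format differs, so both of the latter fall through to manual handling.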
Where self-service login ID reconciliation is required, the process
is both inexpensive (25,000 users spending 5 minutes each costs
nothing, while one consultant spending weeks or months is expensive)
and error-free (since IDs are claimed with a validated password).
This process is, to the best of Hitachi ID Systems' knowledge, unique.