
Roles and Rules - Hitachi ID Identity Manager

(1) Hitachi ID Identity Manager can create login accounts using templates and roles.

(2) Identity Manager does not require that users be classified into roles.

Identity Manager can be configured to compare users' actual security entitlements on target systems to the entitlements that their assigned roles predict and to automatically make adjustments to bring users into compliance. This process is called RBAC enforcement.

RBAC enforcement is not a mandatory component of Identity Manager and indeed the scope of enforcement can be controlled at multiple levels:

  1. Users can be enabled/disabled for enforcement.
  2. Roles can be enabled/disabled for enforcement.
  3. Entitlements (i.e., accounts on target systems and security groups whose membership is managed by Identity Manager) can be enabled/disabled for enforcement.
  4. The number of users whose profiles are subjected to enforcement per day can be capped.
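The following is an added example, not Hitachi ID code, that models the RBAC enforcement described above: each user's actual entitlements are compared with those predicted by the assigned roles, and the resulting grant/revoke adjustments are limited by the four scope controls (user flag, role flag, enforceable-entitlement set, daily cap). The data model, the sample roles and users, and the interpretation that a role disabled for enforcement still counts as legitimately predicting its entitlements (so they are not revoked) but does not trigger grants, are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    system: str   # target system, e.g. "POS"
    name: str     # account or group name on that system


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: FrozenSet[Entitlement]
    enforce: bool = True      # scope control 2: role enabled for enforcement


@dataclass(frozen=True)
class User:
    uid: str
    roles: Tuple[str, ...]
    actual: FrozenSet[Entitlement]   # what the target systems really hold
    enforce: bool = True             # scope control 1: user enabled for enforcement


@dataclass(frozen=True)
class Plan:
    uid: str
    grant: FrozenSet[Entitlement]    # missing entitlements to add
    revoke: FrozenSet[Entitlement]   # excess entitlements to remove


def plan_enforcement(users: List[User], roles: Dict[str, Role],
                     enforceable: FrozenSet[Entitlement],   # scope control 3
                     daily_cap: int                         # scope control 4
                     ) -> Tuple[List[Plan], List[str]]:
    """Return (plans for users processed today, uids deferred by the cap)."""
    plans: List[Plan] = []
    deferred: List[str] = []
    for user in users:
        if not user.enforce:
            continue                      # user opted out: never touched, not counted
        if len(plans) >= daily_cap:
            deferred.append(user.uid)     # cap reached: pick up on a later run
            continue
        assigned = [roles[r] for r in user.roles]
        # Everything any assigned role predicts is legitimate, so it is never revoked.
        predicted = frozenset().union(*(r.entitlements for r in assigned))
        # Only roles enabled for enforcement drive grants (assumption of this example).
        enforced_predicted = frozenset().union(
            *(r.entitlements for r in assigned if r.enforce))
        grant = (enforced_predicted - user.actual) & enforceable
        revoke = (user.actual - predicted) & enforceable
        plans.append(Plan(user.uid, grant, revoke))
    return plans, deferred


# Constructed sample data for illustration.
POS_ACCT = Entitlement("POS", "account")
POS_GRP = Entitlement("POS", "pos-users")
ERP_ACCT = Entitlement("ERP", "account")
GL_GRP = Entitlement("ERP", "gl-approvers")
MF_ACCT = Entitlement("MAINFRAME", "account")      # not managed by IM in this example
WS_ADMIN = Entitlement("WORKSTATION", "local-admins")
FS_SHARE = Entitlement("FILESERVER", "contractor-share")  # also unmanaged

ROLES = {
    "cashier": Role("cashier", frozenset({POS_ACCT, POS_GRP})),
    "finance": Role("finance", frozenset({ERP_ACCT, GL_GRP})),
    "legacy": Role("legacy", frozenset({MF_ACCT}), enforce=False),
}
ENFORCEABLE = frozenset({POS_ACCT, POS_GRP, ERP_ACCT, GL_GRP, WS_ADMIN})
USERS = [
    User("alice", ("cashier",), frozenset({POS_ACCT})),                    # missing group
    User("bob", ("cashier",), frozenset({POS_ACCT, POS_GRP, WS_ADMIN})),   # excess admin
    User("carol", ("finance", "legacy"), frozenset({ERP_ACCT, GL_GRP, FS_SHARE})),
    User("dave", (), frozenset({WS_ADMIN}), enforce=False),                # opted out
    User("erin", ("cashier",), frozenset()),                               # hits the cap
]


def run_sample() -> Tuple[Dict[str, Plan], List[str]]:
    plans, deferred = plan_enforcement(USERS, ROLES, ENFORCEABLE, daily_cap=3)
    return {p.uid: p for p in plans}, deferred


if __name__ == "__main__":
    by_uid, later = run_sample()
    for uid, p in by_uid.items():
        print(uid, "grant:", sorted(e.name for e in p.grant),
              "revoke:", sorted(e.name for e in p.revoke))
    print("deferred:", later)
```

Running the sample shows the intended outcome of the scope controls: alice is granted the missing group, bob loses the unmanaged-by-role admin group, carol is left alone because the mainframe account belongs to a role excluded from enforcement and the file share is outside the enforceable set, dave is skipped entirely, and erin is deferred by the daily cap.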

These mechanisms allow Hitachi ID Systems customers to use RBAC enforcement -- or not -- based on the appropriateness of this mechanism to their environment. In general, we have found that RBAC enforcement is manageable for large numbers of users with identical needs (e.g., point of sale, retail, etc.) and for small numbers of high-risk users (e.g., finance/budget), but not usually cost-effective for other, unique, back-office user populations.

Attributes can be attached to templates, groups and roles in Identity Manager to make them easier to find. For example, these resources can be classified by type and location, and then automatically assigned or filtered in search results according to those attributes.

In order to keep the number of templates and roles manageable, Identity Manager supports request attributes, which override the detailed attributes of templates and roles.

Request attributes may be entered by users and are, in general, validated and filled in by plug-in programs written to implement Hitachi ID Systems customer-specific business logic. These plug-in programs can be thought of as implementing rules.
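As an added example (not Hitachi ID code, and not how Identity Manager's plug-in interface actually looks), the block below shows how request attributes can override a template's detailed attributes after passing through rule plug-ins that validate and fill them in. The template, the `Rule` callable shape, the attribute names and the lookup tables are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# A rule receives the mutable request attributes; it may fill in values and
# returns an error message, or None when the request is acceptable.
Rule = Callable[[Dict[str, str]], Optional[str]]


@dataclass(frozen=True)
class Template:
    name: str
    attributes: Dict[str, str]          # detailed defaults for the account
    overridable: FrozenSet[str]         # which of them a request attribute may replace
    rules: List[Rule] = field(default_factory=list)


class RequestError(ValueError):
    pass


def build_account(template: Template, request: Dict[str, str]) -> Dict[str, str]:
    """Validate/complete the request via the template's rules, then merge it over the template."""
    req = dict(request)                 # rules work on a copy, caller's input is untouched
    errors = [msg for rule in template.rules if (msg := rule(req)) is not None]
    if errors:
        raise RequestError("; ".join(errors))
    attrs = dict(template.attributes)
    attrs.update({k: v for k, v in req.items() if k in template.overridable})
    return attrs


# Constructed lookup tables standing in for customer-specific business logic.
SITE_OU = {"Toronto": "OU=Toronto,OU=Retail,DC=example,DC=com",
           "Vancouver": "OU=Vancouver,OU=Retail,DC=example,DC=com"}
DEPT_COST_CENTER = {"retail": "CC-4100", "finance": "CC-2200"}


def require_known_location(req: Dict[str, str]) -> Optional[str]:
    """Validation rule: a user-entered location must be one we operate in."""
    loc = req.get("location")
    if loc not in SITE_OU:
        return f"unknown location {loc!r}"
    req["ou"] = SITE_OU[loc]            # fill: derive the directory OU from the location
    return None


def fill_cost_center(req: Dict[str, str]) -> Optional[str]:
    """Fill rule: cost center is never typed by the user, it follows from department."""
    dept = req.get("department")
    if dept not in DEPT_COST_CENTER:
        return f"unknown department {dept!r}"
    req["cost_center"] = DEPT_COST_CENTER[dept]
    return None


def forbid_shell_override(req: Dict[str, str]) -> Optional[str]:
    """Validation rule: a request may not try to change the restricted shell."""
    return "shell cannot be overridden" if "shell" in req else None


POS_TEMPLATE = Template(
    name="pos-cashier",
    attributes={"system": "POS", "shell": "/bin/rbash", "ou": "OU=Unassigned,DC=example,DC=com",
                "cost_center": "CC-0000", "location": "unset"},
    overridable=frozenset({"ou", "cost_center", "location"}),
    rules=[require_known_location, fill_cost_center, forbid_shell_override],
)


def sample_good() -> Dict[str, str]:
    return build_account(POS_TEMPLATE, {"location": "Toronto", "department": "retail"})


def sample_bad_location() -> Optional[str]:
    try:
        build_account(POS_TEMPLATE, {"location": "Atlantis", "department": "retail"})
    except RequestError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(sample_good())
    print(sample_bad_location())
```

Only attributes listed as overridable reach the account, so a request attribute can refine a coarse template (location, OU, cost center) without each site needing its own template, while fixed security-relevant settings such as the restricted shell stay as the template defines them.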

The combination of roles and rules can be best explained using an example: