Customizable User Interface

How the Hitachi ID Identity Manager user interface can be branded, rearranged and adapted to specific customer requirements.

The entire Hitachi ID Identity Manager user interface is customizable and translatable. This includes graphical changes, text changes, layout changes, language translations, etc. No user interface elements are hard-coded into Identity Manager. The entire UI is web based and renders as straightforward HTML and CSS, with a bit of JavaScript for things like automatically placing the cursor in the correct field. As such, it is quite conventional and portable. Most customers brand the UI simply by modifying the CSS.

User interface customization is simple to implement. All HTML text is pulled into the web app from a "skin" file which is editable. HTML in web apps is highly repetitive -- every page looks more or less the same. Identity Manager uses a simple macro system to factor out such commonalities, which allows customers to quickly customize the look and feel of the entire UI and ensure consistency between pages. This means that customers do not normally edit a skin file directly, but rather edit HTML snippets in a macro file and recompile a new skin. This is faster and more consistent.

Common elements, such as page layout and HTML preambles, are factored out into standard macros using an open source macro language (M4). Modifications made to these macros are propagated across the entire user interface. The application does specify navigation sequence (i.e., what each screen does and how one navigates from one screen to another) but this too is quite customizable using a variety of policy settings.

Note that M4 (at least as used in Identity Manager) consists of just 3 keywords: include, define and ifelse -- the macro language is trivial. What complexity does exist is in the information architecture (which UI elements are defined where). To customize the Identity Manager UI, all that is needed is an understanding of HTML and CSS, plus a bit of patience to find the right macro to edit -- so that a change will propagate to the entire UI.

All English text in the UI is stored in a language file and translations are supported by installing multiple language files. The same instance of the software may be accessed by different users in different languages, at the same time -- just by specifying a language in the URL. This mechanism means that all UI text is customizable by customers, either by editing the language file directly or by configuring the web portal to run in a special "language translation" mode which allows a user to change UI text by clicking on it and editing interactively.

UI customizations are defined separately from the core UI, using an override mechanism. This allows customizations to survive Identity Manager version upgrades with minimal intervention. For example, customers may define a new markup for HTML tables. This markup is placed in an override file which takes precedence over the default HTML table code. When Identity Manager is upgraded, the customized markup will continue to take precedence over default HTML markup.
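How the macro and override mechanisms described above fit together, as an added example that is not Hitachi ID's own skin source. All macro names, file names and CSS classes are hypothetical, and it assumes the override definitions are read after the defaults, so that the later define wins.

```m4
dnl Constructed example: every macro name below is hypothetical.
dnl ---- defaults.m4: stock definitions shipped with the product ----
define(`HTML_PREAMBLE', `<!DOCTYPE html>
<html><head><title>$1</title><link rel="stylesheet" href="default.css"></head>')dnl
define(`TABLE_OPEN', `<table class="stock">')dnl
define(`TABLE_CLOSE', `</table>')dnl
dnl Shared page layout: preamble, a heading only if argument 2 is non-empty, then the body.
define(`PAGE', `HTML_PREAMBLE(`$1')
<body>ifelse(`$2', `', `', `<h1>$2</h1>')
$3
</body></html>')dnl
dnl ---- override.m4: customer file, assumed to be read after the defaults ----
dnl Redefining a macro replaces the earlier body, so every page picks up this markup.
define(`TABLE_OPEN', `<table class="corp-grid">')dnl
dnl ---- one page of the compiled skin ----
PAGE(`Change password', `Change password', `TABLE_OPEN
<tr><td>Account</td><td>Status</td></tr>
TABLE_CLOSE')
```

Running this file through m4 prints one complete HTML page whose table uses the override markup rather than the stock markup, without the defaults section having been edited.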

In addition to modifying HTML and CSS code, customers can change the values of a number of system variables which alter Identity Manager behavior. For example, password policy, intruder lockout frequency and duration, non-password authentication rules and more can all be adjusted from the Identity Manager administrative web portal. System variables also survive version upgrades.

Identity Manager behavioral modifications are made using plug-in points, rather than (as is common with many other applications) by modifying the source code of Identity Manager itself.

Plug-ins are scripts or executables installed on the Identity Manager server. Identity Manager components call plug-in programs to make business policy decisions or to look up information. Examples include:

  • Look up a user's known, existing login accounts.
    • Helpful for integration with an existing meta directory.
    • Plug-ins are provided for LDAP directories and SQL databases.
  • Look up a user's security questions.
    • Can be used to leverage existing authentication data.
    • Plug-ins are provided for LDAP and SQL implementations.
  • Assign a new login ID to a newly created user.
    • A sample script is provided that implements popular ID schemes.
  • Validate form inputs for workflow requests.
    • Typically checks that inputs are consistent, such as checking that a new hire's home address has mutually-consistent city, state and area code fields.
    • Can also populate hidden fields (e.g., directory OU) and assign IDs (e.g., e-mail address) based on business policy.
  • Assign appropriate authorizers to workflow requests.
    • May be based on the requester, recipient, entitlements or operations involved.
    • Global authorization logic is easier to manage than assigning static authorizers to every conceivable kind of request.
  • Escalate from non-responsive authorizers to alternates.
    • A default implementation is provided, to escalate to the previous authorizer's manager.

This architecture, which encapsulates business logic into stand-alone scripts or executables, has two important benefits:

  • It is significantly easier for organizations to adjust Identity Manager behavior, since all such modifications are made in simple, self-contained files.
  • Business logic implemented in this way survives Identity Manager version upgrades, reducing the cost and delay associated with major upgrades.
