Hitachi ID Identity Manager: User Provisioning
Overview:
Hitachi ID Identity Manager (formerly ID-Synch) is a complete user provisioning solution that automates and simplifies the routine tasks of managing users across multiple systems. Enterprise-scale organizations depend on Identity Manager to ensure that their employees and contractors are securely and efficiently connected to vital systems and information.
Identity Manager implements the following business processes to drive updates to users and entitlements on managed systems:
- Automation: copies changes from one system to another.
- Self service: delegates change requests and approvals to users.
- Consolidation: allows administrators to manage multiple systems at once.
- Delegation: empowers departmental or regional administrators with limited authority.
- Fulfillment: gives other systems the ability to manage users through Identity Manager.
Features:
Identity Manager is enterprise user provisioning software. It reduces the cost of user administration, helps new and reassigned users get to work more quickly and ensures prompt and reliable access termination. This is accomplished through: automatic propagation of changes to user profiles from systems of record to managed systems; self service workflow for security change requests; and consolidated and delegated user administration. Identity Manager can manage users on over 70 kinds of systems.
Core Identity Manager features include:
- Automatic Propagation of Changes from Authoritative to Target Systems
Identity Manager monitors one or more systems of record, such as HR or a corporate directory, for changes. Events such as hires, moves and terminations are transformed into administrative updates, such as creating new users, changing user attributes or disabling existing users, and applied to managed systems.
Automatic change propagation leverages existing business processes (in HR or payroll for example) to automate predictable systems administration tasks. Automated administration eliminates unnecessary manual work, hastens productivity for new users and ensures that access is promptly deactivated for terminated users.
- Self-service Authorization workflow for Change Requests
Users are empowered to submit requests for new, changed or terminated systems access or to change their personal profile information. For example, a manager may submit a request for new accounts for a new hire, or contractors may request additional system access for themselves.
Requests are automatically validated, filled out with extra attributes such as login ID or directory OU and routed to the appropriate authorizers. Authorizers are assigned based on the resources requested or the identity of the requester.
Authorizers review open requests and may approve or reject them.
Approved requests are automatically applied to managed systems by Identity Manager.
In many organizations, most of the cost and delay of access management is due to entry, routing and approvals of change requests. Identity Manager streamlines requests with easy input and parallel routing, to significantly reduce the delay between first input of a request and its fulfillment.
Rapid access provisioning improves user productivity: new hires no longer spend days or weeks waiting for access before they can start work. Managers spend less time filling in and tracking paper requests.
- Consolidated and Delegated User Administration
Security administrators can log into an Identity Manager web user interface, from which they can create new accounts; delete, enable, disable, rename or update existing accounts; and manage the membership of users in security groups and distribution lists.
Local IT resources and managers can be assigned the right to manage some users on some systems, so they can get faster service without direct involvement from security administrators.
Simplified management of users across systems, plus the ability to delegate some work to local IT resources, reduces the workload for security administrators.
- Consolidated Reporting and Auditing
Identity Manager collects, correlates and manages information about user access to every enterprise system, including each user's multiple login IDs, last login dates and specific security entitlements. This data is directly available for reporting and audit, either through canned reports built into the Identity Manager administrative web GUI or by exporting data for use with third-party reporting and analytical tools.
Identity Manager user profile data can be used to review and adjust user access to enterprise systems. This is useful for finding and cleaning up excessive access privileges that users accumulate over time.
Benefits:
Identity Manager reduces the cost of user provisioning using:
- Automated user administration, which leverages information in other systems (HR, corporate directory) to automatically create or delete systems access
- Self-service user administration workflow, allowing users to request security changes, automatically routing them to suitable authorizers, tracking approvals and automatically implementing authorized changes
- Consolidated and delegated user administration, making security administrators more productive by enabling administration of multiple systems from a single point
Identity Manager strengthens security by:
- Enabling prompt and complete access deactivation across multiple systems.
- Automatically deactivating access for terminated users.
- Automatically detecting and deactivating or deleting orphan and dormant accounts.
- Enforcing authorization rules over security change requests.
- Implementing standards for the privileges assigned to new users.
- Subjecting security administrators to personal authentication, authorization and audit logs.
- Providing consolidated reports on user access to systems, which can be used to review compliance with security policy.
- Providing an audit log of all provisioning / deprovisioning events.



