
Suite 8.2 New Features

HTML Presentation: What's New in v8.2



Scope of the 8.2 release

The Hitachi ID Identity and Access Management Suite 8.2 release includes all Hitachi ID Systems products -- Hitachi ID Identity Manager, Hitachi ID Password Manager and Hitachi ID Privileged Access Manager.

  • Hitachi ID Identity Manager and Hitachi ID Password Manager can be installed in a single instance.
  • Hitachi ID Privileged Access Manager is intended to be deployed stand-alone, due to its higher risk profile and distinct population of users. Some Identity Manager features are included, however, notably the ability to manage membership in groups on AD or LDAP directories that are then used to control access to elevated privileges, both within Privileged Access Manager and on target systems.



Summary of enhancements

  • An upgraded technology platform in 8.2 includes:
    • Graphical dashboards: to monitor system state and trends
    • Simplified addition of nodes: to add new or replace defective server nodes
    • Multiple UI skins: decoupling the appearance of the web UI from language translations
    • Improved report delivery: via filesystem drop of HTML or CSV reports
    • IPv6 support: for replication, proxy connections and more
    • Performance improvements: sustained onboarding throughput of up to 2 users/second
  • Functional enhancements to Privileged Access Manager in 8.2 include:
    • Group sets: A new framework for requesting and granting temporary membership in multiple security groups.
    • Push/pull integration: Consolidating the mechanism for importing and managing systems regardless of which endpoint initiates communication.
    • Simplified import rules: For activating target systems and attaching them to managed system policies.
    • Support for network level authentication: When launching RDP connections from user devices to managed systems.
    • Ability to unapprove checkouts: Enabling authorizers to disconnect already-active login sessions.
  • New capabilities and improved usability in Identity Manager in 8.2 include:
    • New workflow search: A totally redesigned search engine for workflow requests.
    • Improved navigation: Making it easier to compare entitlements between users, access user profile history and more.
    • More friendly table editor: For external tables containing policy and lookup data.
    • Social platform integrations: Ability to enroll and authenticate users using OAuth 2.0, with their Facebook.com, Live.com or Google.com credentials.
    • CAPTCHA support: Easy integration with reCAPTCHA and AreYouAhuman to protect Extranet-facing deployments against scripted attacks.



Upgraded technology platform

Graphical dashboards

Hitachi ID Identity and Access Management Suite 8.2 introduces graphical dashboards to the web portal:

  • Dashboards added throughout the product.
  • Caching infrastructure minimizes performance impact of data aggregation.
  • Graphs to monitor both system state (e.g., enrollment status, configuration) and trend analysis (e.g., workflow requests, check-outs).

Simplified addition of nodes

Hitachi ID Identity and Access Management Suite has a multi-master architecture. This means that each server node normally has its own, local database and provides full functionality. To support this, there is a built-in data replication layer that forwards local database updates from one node to another.

Hitachi ID Identity and Access Management Suite 8.2 introduces a simplified process for adding nodes to a replicated application instance:

  • The new mechanism makes it much easier to:
    • Add a lost server (post-disaster).
    • Grow capacity, temporarily or permanently.
  • Replicated nodes:
    • Need not be configured in advance, as was recommended with previous releases.
    • Are somewhat disposable, because it's always easy to add another one later.
  • The new mechanism for adding a replicated node works as follows:
    • Install the Hitachi ID Identity and Access Management Suite software on a new server.
    • Configure a new replica, in disabled state on an already-working source node.
    • Instruct the source node to send a full data set to the new node.
    • The source node will briefly go off-line to create a local database snapshot. During this time, other nodes can continue to receive traffic and provide service.
    • All nodes queue up changes for the new node while it receives and loads the full database snapshot.
    • Once the snapshot is loaded on the new node, the node is enabled and the updates queued by the other nodes are applied.
    • The entire process is aware of schema dependencies; tables are loaded in the correct dependency order automatically.
    • All data transmission from the source node to the new node is encrypted, fault tolerant, bandwidth efficient and tolerant of high latency.
  • So long as there are at least two working nodes, adding a third (or fourth, fifth, etc.) introduces no system-wide downtime.
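The sequence above (snapshot on the source, other nodes queue changes for the disabled replica, load, enable, drain the queues) is easy to get wrong if the queue is skipped: any update that lands while the snapshot is being loaded is lost. The following toy model is an added example, not Hitachi ID's replication code; node names, the dict standing in for the local database and the `Cluster` API are all assumptions made for illustration.

```python
from collections import deque


class Node:
    """Toy replica: a dict stands in for the node's local database."""

    def __init__(self, name):
        self.name = name
        self.db = {}
        self.enabled = True
        # Updates held back for a peer that is not enabled yet, per peer name.
        self.queues = {}


class Cluster:
    """Multi-master toy: every write is applied locally and forwarded to every peer."""

    def __init__(self, names):
        self.nodes = {}
        for n in names:
            self.add_node(n, enabled=True)

    def add_node(self, name, enabled):
        node = Node(name)
        node.enabled = enabled
        for peer in self.nodes.values():
            peer.queues[name] = deque()   # existing nodes start queuing for the newcomer
            node.queues[peer.name] = deque()
        self.nodes[name] = node
        return node

    def write(self, origin, key, value):
        """Local update on `origin`, replicated to enabled peers, queued for disabled ones."""
        self.nodes[origin].db[key] = value
        for peer in self.nodes.values():
            if peer.name == origin:
                continue
            if peer.enabled:
                peer.db[key] = value
            else:
                self.nodes[origin].queues[peer.name].append((key, value))

    def add_replica(self, source, new, writes_during_load=()):
        """Register `new` disabled, snapshot `source`, load, enable, then apply queued updates.
        `writes_during_load` simulates traffic hitting the *other* nodes while the
        source is briefly offline taking its snapshot."""
        new_node = self.add_node(new, enabled=False)
        snapshot = dict(self.nodes[source].db)
        for origin, key, value in writes_during_load:
            assert origin != source, "source is offline during the snapshot"
            self.write(origin, key, value)       # lands in each node's queue for `new`
        new_node.db = dict(snapshot)             # full data set loaded on the new node
        new_node.enabled = True
        for peer in self.nodes.values():         # drain queued updates, in arrival order
            queue = peer.queues.get(new)
            while queue:
                key, value = queue.popleft()
                new_node.db[key] = value
        return new_node

    def consistent(self):
        """True when every node holds the same data: the check to run after a join."""
        dbs = [n.db for n in self.nodes.values()]
        return all(db == dbs[0] for db in dbs)


if __name__ == "__main__":
    c = Cluster(["node-a", "node-b"])
    c.write("node-a", "user:alice", "v1")
    c.write("node-b", "user:bob", "v1")
    joined = c.add_replica("node-a", "node-c", writes_during_load=[
        ("node-b", "user:alice", "v2"),   # overwrites a value that is already in the snapshot
        ("node-b", "user:carol", "v1"),   # created while the snapshot was being loaded
    ])
    print(joined.db, c.consistent())
```

The write to `user:alice` during the load is the interesting case: the snapshot carries `v1`, and only because the update was queued and applied after the load does the new node end up with `v2` like its peers.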

Image:  screen-shots/add-replica-simple-nb

Adding a node to a multi-node Hitachi ID Identity and Access Management Suite instance.


Multiple UI skins

  • Skins are now independent of language selection.
  • It is possible to deploy multiple user interface / web skins per product instance.
  • In addition to the default skin, Hitachi ID Identity and Access Management Suite 8.2 includes 4 additional sample skins: mobile, kiosk-mode, unbranded and customer-logo.

Image:  screen-shots/mobile-skin-pw-ops-small-nb

Password reset and intruder unlock using the mobile skin on a smartphone.


Improved report delivery

Starting with Hitachi ID Identity and Access Management Suite 8.2, reports generated by the application, interactively or on a scheduled basis, can be delivered via filesystem drop. To do this, configure a UNC path where report output -- HTML or CSV -- is to be placed and use a target system to hold credentials to mount that share.

IPv6 support

Organizations are increasingly deploying IPv6, either locally on servers (enabled by default on Windows 2008 and later) or across their network. Hitachi ID Identity and Access Management Suite 8.2 now supports communication between components using IPv6, including contacting proxy servers, local agents on Unix/Linux systems and database replication, all over IPv6.

Performance improvements

A variety of internal processes in Hitachi ID Identity and Access Management Suite have been optimized to run faster, including workflow approvals in Identity Manager and import rule evaluation in Privileged Access Manager. Identity Manager can now onboard 2 users per second, sustained.




Functional enhancements to Privileged Access Manager

Dashboard


Image:  screen-shots/hipam-status-nb

Managed systems, checkouts, requests and randomized passwords.


Group sets

Group sets are a new paradigm in Privileged Access Manager 8.2 for checking out temporary membership in multiple security groups on a target system. Group sets, defined within a managed system policy (MSP), can include groups specified individually or using inclusion rules based on group fully qualified names, descriptions or IDs (GID, SID, etc.). When a group set is checked out by a user, the user's existing account -- locally on the target system or on an Active Directory domain -- is temporarily attached to every group in the set on the selected system.

Access to group set check-outs is assigned separately from access to account/password check-out. On the same managed system, some users may be allowed account check-out (e.g., login to the shared Administrator account) while other users may be allowed group-set check-out (e.g., "become a member of the Administrators group").

Configuring a group set:


Image:  screen-shots/groupset-in-msp-nb

Configuring a group set within a managed system policy.


Image:  screen-shots/gs-inclusion-rule-nb

Specifying which groups to include using a rule.


Image:  screen-shots/which-acct-gets-grpmem-nb

Selecting a target system whose accounts will be assigned the groups.


Image:  screen-shots/gs-acls-nb

Granting access to check-out a group set.


Checking out a group set:


Image:  screen-shots/select-system-nb

Selecting a system on which to checkout a group set.


Image:  screen-shots/select-gs-nb

Selecting a group set.


Image:  screen-shots/request-details-nb

Authorizer view of the request.


Image:  screen-shots/gs-checkout-progress-nb

Request status showing completed, in-progress and failed group membership assignments.


Push/pull integration and simplified import rules

A single Local Workstation Service (LWS) package can be deployed to all clients, unlike in previous versions where separate MSI packages had to be created for every set of endpoints that shared a policy. In Privileged Access Manager 8.2, when an LWS system first "calls home," it is automatically attached to the appropriate policies based on import rules written in terms of attributes of the system, such as its hostname, OS, IP address, etc. Data from the LWS system's security database (accounts, groups) and service infrastructure (SCM, Scheduler, DCOM, etc.) are then collected and periodically refreshed.

Import rules are simpler in Privileged Access Manager 8.2, no longer requiring complex expressions to be written. Instead, the product administrator specifies rules consisting of three elements: attribute, operation and value. For example, the attribute might be "hostname", the operation might be "contains" and the value might be "prod". Multiple requirements are combined using "all" or "any".
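Both the group-set inclusion rules described earlier (matching groups by name, description or ID) and the LWS import rules described here reduce to the same shape: a list of attribute/operation/value requirements combined with "all" or "any". The evaluator below is an added example written for this page, not Hitachi ID's rule engine; the operation names other than "contains", the `Requirement` type, the sample endpoints, policies and groups are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    attribute: str   # "hostname", "os", "ip" for systems; "name", "description", "id" for groups
    operation: str   # assumed set: equals, contains, startswith, endswith, regex, in_subnet
    value: str


def requirement_matches(req, obj):
    """Evaluate one attribute/operation/value triple against a dict of attributes."""
    actual = obj.get(req.attribute)
    if actual is None:
        return False          # an attribute the endpoint did not report never matches
    actual, wanted = str(actual).casefold(), req.value.casefold()
    if req.operation == "equals":
        return actual == wanted
    if req.operation == "contains":
        return wanted in actual
    if req.operation == "startswith":
        return actual.startswith(wanted)
    if req.operation == "endswith":
        return actual.endswith(wanted)
    if req.operation == "regex":
        return re.search(req.value, actual, re.IGNORECASE) is not None
    if req.operation == "in_subnet":
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(req.value, strict=False)
        except ValueError:
            return False
    raise ValueError(f"unknown operation: {req.operation!r}")


def rule_matches(combine, requirements, obj):
    """Combine requirements with 'all' or 'any'. An empty rule never matches:
    all([]) is True in Python, and a policy whose rule matched everything would
    attach every self-registering endpoint to it."""
    if not requirements:
        return False
    results = [requirement_matches(r, obj) for r in requirements]
    if combine == "all":
        return all(results)
    if combine == "any":
        return any(results)
    raise ValueError(f"combine must be 'all' or 'any', got {combine!r}")


# Constructed sample data: endpoints as an LWS might report them, and policies with import rules.
SYSTEMS = [
    {"hostname": "web-prod-01", "os": "Windows Server 2012", "ip": "10.1.20.14"},
    {"hostname": "web-dev-03", "os": "Windows Server 2012", "ip": "10.9.3.7"},
    {"hostname": "db-prod-02", "os": "Windows Server 2008", "ip": "10.1.30.5"},
]
POLICIES = {
    "prod-windows": ("all", [Requirement("hostname", "contains", "prod"),
                             Requirement("os", "startswith", "Windows")]),
    "dmz-segment": ("any", [Requirement("ip", "in_subnet", "10.1.20.0/24"),
                            Requirement("ip", "in_subnet", "10.1.21.0/24")]),
    "empty-rule": ("all", []),   # deliberately matches nothing
}


def select_policies(system, policies=POLICIES):
    """Names of the policies an endpoint is attached to when it first calls home."""
    return sorted(name for name, (combine, reqs) in policies.items()
                  if rule_matches(combine, reqs, system))


# Constructed sample groups (well-known BUILTIN SIDs; the APP domain SID is made up).
GROUPS = [
    {"name": "BUILTIN\\Administrators", "description": "local administrators", "id": "S-1-5-32-544"},
    {"name": "BUILTIN\\Backup Operators", "description": "backup staff", "id": "S-1-5-32-551"},
    {"name": "BUILTIN\\Remote Desktop Users", "description": "remote logon", "id": "S-1-5-32-555"},
    {"name": "APP\\Deployers", "description": "application deployment staff",
     "id": "S-1-5-21-1000000000-2000000000-3000000000-1105"},
]


def expand_group_set(explicit, rules, groups=GROUPS):
    """Groups in a group set: those listed individually plus those picked up by inclusion rules."""
    names = set(explicit)
    for group in groups:
        if any(rule_matches(combine, reqs, group) for combine, reqs in rules):
            names.add(group["name"])
    return sorted(names)


if __name__ == "__main__":
    for system in SYSTEMS:
        print(system["hostname"], "->", select_policies(system))
    print(expand_group_set(["APP\\Deployers"],
                           [("any", [Requirement("name", "endswith", "Operators"),
                                     Requirement("id", "equals", "S-1-5-32-544")])]))
```

The empty-rule case is worth reviewing in any real policy set: a rule with no requirements is either a mistake or an intentional catch-all, and the evaluator should make that choice explicit rather than inherit the language's vacuous-truth default.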

Configuring local workstation service (LWS) import rules:


Image:  screen-shots/create-local-admin-nb

The LWS can be instructed to create a new local account, which will be available for check-out by authorized users.


Image:  screen-shots/set-lws-discovery-options-nb

Policy determines what data about the local security database the LWS will "send home" to Privileged Access Manager.


Image:  screen-shots/lws-import-rule-requirements-nb

Import rules, based on attributes of the system where the local workstation service was installed, determine what policy the endpoint should be attached to.


Viewing data collected from LWS endpoints:


Image:  screen-shots/lws-discovered-accounts-nb

Once a system has self-registered, Privileged Access Manager can be used to see what local accounts exist in its security database.


Image:  screen-shots/lws-discovered-objects-nb

Privileged Access Manager also collects data about what services run on LWS-attached systems in the security context of a named account.


Support for network level authentication

The remote desktop protocol (RDP) control -- also known as the Terminal Services Client on Windows -- now supports Network Level Authentication. This newer authentication process, introduced in RDPv6, shifts the login process from server-side to client-side and is more efficient than earlier versions of RDP where the server actually prompted for login credentials.

Ability to unapprove checkouts

Privileged Access Manager 8.2 allows the authorizer of a workflow request for temporary access to a system to change his mind and revoke an already-approved and possibly already-established request. If the user in question had already launched a login session, that session will be disconnected.

Note that previous releases already supported revoking a user, which would terminate all of that user's sessions and block the user from signing into Privileged Access Manager. Whereas revoke was normally only appropriate in the event of an urgent termination, unapprove is a more fine-grained mechanism, suitable where someone asked for the wrong access, that request was mistakenly granted, and only the mistaken access request should be reversed.




New capabilities and improved usability in Identity Manager

Dashboards

Identity Manager 8.2 includes three main dashboards:

  • System status, in terms of what is licensed and how many users have completed each type of enrollment -- security questions, login ID aliases, optionally activating password synchronization and optionally enrolling voice print biometrics.
  • Workflow status and trend -- volume of recent requests submitted, approved and completed, most active participants, most popular request types and oldest open requests.
  • Certification progress, in terms of number of users, roles, accounts and groups certified and pending review.

Image:  screen-shots/psa-license-enrollment-nb

License file statistics and user enrollment progress.


Image:  screen-shots/workflow-state-nb

Workflow request activity, including most active participants and oldest requests (possibly needing attention).


Image:  screen-shots/workflow-trend-nb

Workflow trend analysis, showing activity over time.


Image:  screen-shots/cert-progress-nb

Certification progress, showing what has been reviewed and what remains.


New workflow search

The mechanism used to search for workflow requests has been completely redesigned in the Hitachi ID Identity and Access Management Suite 8.2. Since workflow requests are used in both Privileged Access Manager and Identity Manager, this is really core infrastructure, but is most evident in Identity Manager. The new screen allows a requester to search for requests based on status, participants and dates, as shown below. Whether a request appears in the search results depends on access controls and on how the person performing the search is related to each request in the result set.


Image:  screen-shots/workflow-search-nb

New workflow request search screen.


Improved navigation

In previous releases, special functions relating to a user's profile, such as the ability to view the user's change history, to compare the user (as a recipient) with another user (a model) or to initiate a single-user recertification were accessed from the user's "Custom request" page. This meant that, to access these features, requesters had to be granted the right to submit custom requests. Starting with Identity Manager 8.2, these capabilities have all been replicated to the pre-defined request selection page, which means that a requester need not have the right to submit a custom request on behalf of a given recipient in order to access these features:


Image:  screen-shots/pdr-select-all-options-nb

New navigation to built-in requests, such as comparing entitlements between a model user and a recipient.


More friendly table editor

Hitachi ID Systems deployments increasingly leverage "external" tables -- stored as SQLite tables and edited using the "DBE" table editor -- to hold policy rules and lookup data. For example, the Hitachi ID Identity and Access Management Suite reference implementation stores information such as attribute validation and reformatting rules, authorizer routing policies and lookup tables for OUs, home directory paths and mail servers in such external tables. To support this increased use, Hitachi ID Identity and Access Management Suite 8.2 includes a more user-friendly table editor, with drop-downs for column values that have enumerated types in the database, validation for column values that refer to objects such as roles and groups inside the Hitachi ID Identity and Access Management Suite, and better on-screen formatting.

Social platform integrations

Hitachi ID Systems customers are increasingly deploying instances of the Hitachi ID Identity and Access Management Suite to manage the identities of customers and partners, in an Internet-facing arrangement. In some cases, it may be more convenient or desirable to leverage an existing identity when onboarding a new user, rather than creating a new identity for that user. To support this, Identity Manager 8.2 now supports provisioning new users through a social-network-driven process based on the OAuth 2.0 protocol. Samples are included to show how the system is configured so that users can leverage their Facebook.com, Live.com or Google.com identities to quickly and conveniently create new profiles in Identity Manager. Once enrolled, users can sign into the Hitachi ID Identity and Access Management Suite using their social profiles -- with one less password to manage.
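Enrolling or signing in with a social identity over OAuth 2.0 means the identity management web portal acts as an OAuth client in the authorization-code flow. The part a defender cares about is binding the provider's callback to the browser session that started it, via the `state` parameter, so that a callback crafted or replayed by someone else cannot complete an enrollment in the victim's session. The following is an added example, not Hitachi ID's sample configuration and not any provider's SDK: the provider endpoints, the `SocialEnrollment` class and the fake token endpoint are all constructed so it runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class SocialEnrollment:
    """OAuth 2.0 authorization-code client with per-session state (hypothetical provider)."""

    def __init__(self, client_id, client_secret, redirect_uri, authorize_url, token_url, post):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.authorize_url = authorize_url
        self.token_url = token_url
        self.post = post   # callable(url, form_dict) -> dict; injected so the flow runs offline

    def begin(self, session):
        """Step 1: store an unguessable state in the server-side session, redirect the browser."""
        session["oauth_state"] = secrets.token_urlsafe(32)
        query = urlencode({"response_type": "code", "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri, "scope": "openid email",
                           "state": session["oauth_state"]})
        return f"{self.authorize_url}?{query}"

    def complete(self, session, callback_url):
        """Step 2: the provider redirects back; accept only if state matches this session."""
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        expected = session.pop("oauth_state", None)   # single use: a replayed callback fails
        received = params.get("state", "")
        if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
            raise PermissionError("OAuth state mismatch: callback not bound to this session")
        if "error" in params:
            raise PermissionError(f"provider returned error {params['error']!r}")
        code = params.get("code")
        if not code:
            raise PermissionError("callback carried no authorization code")
        token = self.post(self.token_url, {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri, "client_id": self.client_id,
            "client_secret": self.client_secret})
        if "access_token" not in token:
            raise PermissionError(f"code exchange failed: {token.get('error', 'unknown')!r}")
        return token["access_token"]


def fake_token_endpoint(url, form):
    """Constructed stand-in for the provider's token endpoint."""
    if form["grant_type"] == "authorization_code" and form["code"] == "good-code":
        return {"access_token": "tok-" + form["code"], "token_type": "Bearer"}
    return {"error": "invalid_grant"}


def state_from(url):
    return parse_qs(urlparse(url).query)["state"][0]


def run_demo():
    """Returns (token, replay_rejected, tampered_rejected) for the three cases worth checking."""
    flow = SocialEnrollment("client-id", "client-secret", "https://idm.example/callback",
                            "https://provider.example/authorize",
                            "https://provider.example/token", fake_token_endpoint)
    session = {}
    state = state_from(flow.begin(session))
    callback = f"https://idm.example/callback?code=good-code&state={state}"
    token = flow.complete(session, callback)
    try:                                   # same callback again: state already consumed
        flow.complete(session, callback)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    session2 = {}
    flow.begin(session2)                   # fresh session, but the callback carries another state
    try:
        flow.complete(session2, "https://idm.example/callback?code=good-code&state=forged")
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True
    return token, replay_rejected, tampered_rejected


if __name__ == "__main__":
    print(run_demo())
```

Two design choices to note: the state is popped from the session before comparison so a second delivery of the same callback cannot succeed, and the comparison is constant-time even though state is not a secret in the cryptographic sense, simply because it costs nothing.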


Image:  screen-shots/fb-login-nb

Integration with social platforms such as Facebook for business-to-consumer deployments.


CAPTCHA support

The corporate perimeter is fast disappearing and many Hitachi ID Systems customers are exposing their Hitachi ID Identity and Access Management Suite deployment to the Internet. To protect their user profiles against automated password-guessing and security-question-guessing attacks, it is helpful to introduce a CAPTCHA in the login sequence, to verify that the person attempting an authentication to the Hitachi ID Identity and Access Management Suite web portal is actually a human. Hitachi ID Identity and Access Management Suite 8.2 includes two sample CAPTCHA integrations, one for Google's reCAPTCHA and another for AreYouAHuman.com:
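A CAPTCHA only protects the login sequence if the portal verifies the solved challenge server-side before it touches the password or security-question check, and fails closed when it cannot. The following is an added example of that gate, not Hitachi ID's sample integration. It uses the real reCAPTCHA `siteverify` endpoint and response fields (`success`, `hostname`, `error-codes`), but the HTTP call is injected and answered by a constructed fake so the example runs offline; the portal hostname, secret and credential checker are placeholders.

```python
import json

# Documented reCAPTCHA verification endpoint; the form fields are "secret", "response", "remoteip".
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def verify_recaptcha(token, secret, expected_hostname, post, remote_ip=None):
    """Server-side check of the widget's response token.
    `post(url, form_dict) -> str` returns the JSON body; injected so this runs offline."""
    if not token:
        return False                     # no challenge answered; do not even call the API
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    try:
        reply = json.loads(post(SITEVERIFY_URL, form))
    except (ValueError, OSError):
        return False                     # fail closed on transport or parsing problems
    if reply.get("success") is not True:
        return False                     # reply["error-codes"] says why, e.g. invalid-input-response
    # siteverify echoes the hostname the widget was solved on. A token solved on another
    # site that shares the same key must not unlock a login on this portal.
    return reply.get("hostname") == expected_hostname


def attempt_login(user, password, captcha_token, secret, post, check_password,
                  portal_hostname="idm.example"):
    """Order matters: the CAPTCHA is checked before any credential or question is evaluated."""
    if not verify_recaptcha(captcha_token, secret, portal_hostname, post):
        return "captcha_failed"
    return "ok" if check_password(user, password) else "bad_credentials"


# --- constructed fake of the siteverify service, for offline use only ---------------------
def fake_siteverify(url, form):
    assert url == SITEVERIFY_URL and form["secret"] == "placeholder-secret"
    if form["response"] == "solved-on-idm":
        return json.dumps({"success": True, "hostname": "idm.example"})
    if form["response"] == "solved-elsewhere":
        return json.dumps({"success": True, "hostname": "other.example"})
    if form["response"] == "broken":
        return "<html>502 Bad Gateway</html>"
    return json.dumps({"success": False, "error-codes": ["invalid-input-response"]})


def fake_check_password(user, password):
    return (user, password) == ("alice", "correct horse battery staple")


def run_demo():
    """Outcome of a login attempt for each kind of CAPTCHA token."""
    results = {}
    for label, token in [("valid", "solved-on-idm"), ("other-site", "solved-elsewhere"),
                         ("garbage", "zzz"), ("missing", ""), ("outage", "broken")]:
        results[label] = attempt_login("alice", "correct horse battery staple", token,
                                       "placeholder-secret", fake_siteverify, fake_check_password)
    results["wrong-password"] = attempt_login("alice", "wrong", "solved-on-idm",
                                              "placeholder-secret", fake_siteverify,
                                              fake_check_password)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:15s} {outcome}")
```

The "outage" case is the one most integrations get wrong: when the verification service returns something that is not JSON, the safe answer for an Internet-facing login page is to refuse the attempt rather than skip the check.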


Image:  screen-shots/ayah-nb

Integration with AreYouAHuman.com, to verify that the user is not a script.

