
Suite 8.0 New Features

Webinar: Review of the 8.0 Release for Identity Manager and Password Manager

Press Release: Hitachi ID Systems Releases Hitachi ID Management Suite Version 8.0

HTML Presentation: What's New in v8


Scope of the 8.0 release

The Hitachi ID Management Suite 8.0 release includes both Hitachi ID Identity Manager and Hitachi ID Password Manager.




Brand New User Interface

The Hitachi ID Management Suite user interface has been significantly revamped. This includes both style changes and updated screens and layout.



Hitachi ID Management Suite - user profile screen.



Hitachi ID Management Suite - view org chart.


An innovative, new access control model

In previous releases of Hitachi ID Management Suite and in all other identity management and access governance products, a user's access rights depend on who he is and what groups he belongs to. For example, access to personally identifying information or to salary data might be restricted to HR staff. This is essentially role-based access control (RBAC).

The problem with this model is that sometimes business requirements are more dynamic. For example, a manager should be able to see some confidential data pertaining to his subordinates, but not other users. An HR user might be allowed to see certain data relating to other users, but not himself. The real world is more nuanced than traditional access control models. RBAC is simply not sufficient.

Starting in Hitachi ID Management Suite 8.0, the access control model in all Hitachi ID Systems products depends on the relationship between a requester who wishes to view some data or perform an action and the recipient whose user profile is being accessed. This is a relationship-based access control model, where organizations define types of relationships and attach access rights to those relationships.

Relationships can specify multiple participants -- for example, a requester, a recipient, an authorizer, an implementer or a certifier. The relationship between these participants (reports-to, shared-group, same-location, same-department, etc.) is easy to specify. Once a type of relationship has been defined, it can be used to control what one user can see about, or do to, another.

Relationship-based access control is new and only available from Hitachi ID Systems. It more naturally represents business needs than RBAC. It is easy to configure and eliminates the need for significant amounts of custom business logic.

Examples:

Read/write termination date

  • Requester in HR.
  • Requester not recipient.

Read/write termination date

  • Recipient reports to requester.

Read home address

  • Recipient has active profile.

Read/write home address

  • Requester is recipient.

Read SSN, DoB

  • Requester is recipient.

Write SSN, DoB

  • Requester in HR.

Relationships are defined interactively as shown below:



Hitachi ID Management Suite - relational user class.


Advanced search

Hitachi ID Management Suite 8.0 includes a new search infrastructure for key objects -- users, groups, roles, etc. This search infrastructure is very flexible -- for example, one can search for "every user in department X and location Y" or "every user whose scheduled termination date is in the next 30 days and is a member of the AD Administrators group".

More importantly, the search engine is aware of access controls and will censor its results. For example, if a manager searches for all users with a near-term scheduled termination, the search engine will return only those users whose termination date the manager would normally be allowed to see (for example, his direct or indirect reports).

This privacy-preserving attribute of the search engine is essential if sensitive data is to be managed by Hitachi ID Management Suite.
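The relationship rules listed under "An innovative, new access control model" and the access-aware search described above can be modelled in a few lines. This is an added illustration, not Hitachi ID code or its API: the User fields, the sample directory, the predicate names and the POLICY layout are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass(frozen=True)
class User:
    uid: str
    dept: str
    manager: Optional[str] = None
    active: bool = True
    termination: Optional[date] = None

# Constructed sample directory (hypothetical users, not product data).
USERS = {u.uid: u for u in [
    User("ceo", "Exec"),
    User("hr1", "HR", "ceo"),
    User("mgr", "Sales", "ceo"),
    User("rep", "Sales", "mgr", termination=date(2030, 1, 15)),
    User("eng", "IT", "ceo", termination=date(2030, 1, 20)),
]}

def manages(q, r):
    # Recipient r reports to requester q, directly or indirectly.
    seen, cur = set(), r.manager
    while cur and cur not in seen:      # 'seen' guards against manager loops
        if cur == q.uid: return True
        seen.add(cur)
        cur = USERS[cur].manager
    return False

def in_hr(q, r): return q.dept == "HR"
def is_self(q, r): return q.uid == r.uid
def not_self(q, r): return q.uid != r.uid
def active(q, r): return r.active
# (attribute, operation) -> alternative rules; every condition in a rule must hold.
POLICY = {
    ("termination", "read"): [[in_hr, not_self], [manages]],
    ("termination", "write"): [[in_hr, not_self], [manages]],
    ("home_address", "read"): [[active], [is_self]],
    ("home_address", "write"): [[is_self]],
    ("ssn_dob", "read"): [[is_self]],
    ("ssn_dob", "write"): [[in_hr]],
}

def allowed(q, r, attr, op):
    # Default deny: an (attribute, operation) pair with no rules grants nothing.
    return any(all(c(q, r) for c in rule) for rule in POLICY.get((attr, op), []))

def search_terminating(requester_id, before):
    # The access check runs before the attribute test, so hidden values never shape results.
    q = USERS[requester_id]
    return sorted(u.uid for u in USERS.values() if allowed(q, u, "termination", "read")
                  and u.termination is not None and u.termination <= before)
```

The same query returns different result sets for a manager, an HR user and an ordinary employee, and an HR user cannot read their own termination date.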

Examples:

The search engine is shown below:



Hitachi ID Management Suite - advanced search.


Ad-hoc and single-user certification

Access certification in Hitachi ID Management Suite has been significantly enhanced.



Hitachi ID Management Suite - single user certification.


Extensible resource schema

In previous Hitachi ID Management Suite releases, resources such as roles and groups were described using a fixed set of attributes -- name, description, location, type, authorizers, etc. In Hitachi ID Management Suite 8.0, this schema is extensible.

Attributes can be defined per type of resource:

Attributes may represent any business information, including:

New screens, access controls and API functions are included to view, modify and search on these attributes.

Hitachi ID Systems is working on linking these resource attributes to a variety of components of Hitachi ID Management Suite in future releases. This includes creating and deleting groups on target systems, synchronizing attributes such as description and ownership between Hitachi ID Management Suite and target systems, selecting entitlements to certify using their attributes and more.



Hitachi ID Management Suite - resource attributes.


Reports: workflow and analytics

Hitachi ID Identity Manager 8.0 introduces many new reports and some new dashboards. The infrastructure used to generate and deliver reports has also been enhanced since the 6.2.x release series.

Workflow

  • Authorizer activities
  • Authorizer request status
  • Escalated / delegated requests
  • Implementation requests
  • Inactive requests
  • Participant response time
  • Request event log
  • Request popularity
  • Request volume trend
  • Search requests
  • Stuck requests

Analytics

  • Approved exceptions to rules violations
  • Certification coverage
  • Changes since review
  • Disappeared groups
  • Discovered accounts
  • Entitlement review privileges
  • Entitlements comparison
  • Entitlements with invalid authorizers
  • Inconsistent account attributes
  • Invalid certifiers
  • Invalid user attributes
  • Orphan / inactive
  • Role assignments
  • Role exceptions
  • Roles entitlements comparison
  • Roles sharing entitlements
  • Uncertified data
  • Users qualifying for notifications
  • Users with common entitlements
  • Users with inactive roles
  • Users with no managers

General

  • All reports can be scheduled to run periodically.
  • Run time/date is a parameter to the query.
  • HTML, CSV and PDF output.
  • New dashboards to monitor: workflow, user adoption and certification.


Hitachi ID Management Suite - workflow reports.


New and updated connectors

New

Updated

  • Microsoft 365 / BPOS
  • Microsoft System Center Service Manager
  • PeopleSoft HR and PeopleSoft Campus
  • PGP Full Disk Encryption
  • FrontRange HEAT
  • Oracle Hyperion EPM Shared Services
  • Active Directory forest-level connector (cross-domain groups)
  • McAfee Endpoint Encryption 6.x (ePO Managed)
  • Vault support for Domino
  • BMC Service Desk Express 10.0
  • IBM iSeries V7R1




Faster deployments


Built-in features

Reference build

  • Relational ACLs.
  • Authorizers attached to attribute groups.
  • Auto-assigned roles and groups.
  • Pre-defined requests.
  • Analytics for entitlements, workflow and data quality.
  • Request portal.
  • Approvals workflow.
  • Scheduled and urgent termination.
  • Access certification.
  • Consensus approval, auto escalation.
  • Implementer workflows.