
Suite 8.1 New Features


Scope of the 8.1 release

The Hitachi ID Management Suite 8.1 release includes all Hitachi ID Systems products -- Hitachi ID Identity Manager, Hitachi ID Password Manager and Hitachi ID Privileged Access Manager.

Automatically assigned entitlements

Starting with Hitachi ID Management Suite 8.1.0, administrators can link single-participant user classes to managed groups and Hitachi ID Management Suite roles. When this is done, users whose identity attributes and other group memberships satisfy the criteria specified in the user class are automatically assigned the group or role in question. Optionally, users who no longer satisfy the conditions are automatically removed from the group or role in question.

Screenshot: Configuring automatic assignment of group membership.

This new subsystem comes with sophisticated underlying capabilities, including:
  • Caching of membership in single-participant user classes, which supports high speed performance of this new feature.
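The following is an added example (not Hitachi ID's code) of the mechanism described above: a single-participant user class is a set of attribute criteria plus groups the user must already hold; each class is linked to a managed group or role; users who satisfy the criteria are added, and, where revocation is enabled, users who no longer satisfy them are removed. The data shapes, the class names and the sample users are assumptions constructed for the example.

```python
# Added example (not Hitachi ID's code): automatic assignment of groups
# from single-participant user classes, with optional revocation when a
# user no longer satisfies the class. Data shapes and names are assumed.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    attributes: dict            # identity attributes, e.g. {"department": "Finance"}
    groups: set = field(default_factory=set)


@dataclass(frozen=True)
class UserClass:
    """A single-participant user class: attribute criteria plus groups the
    user must already hold (assumed representation of the class criteria)."""
    name: str
    attribute_criteria: tuple   # ((attribute, frozenset of allowed values), ...)
    required_groups: frozenset = frozenset()

    def matches(self, user: User) -> bool:
        for attr, allowed in self.attribute_criteria:
            if user.attributes.get(attr) not in allowed:
                return False
        return self.required_groups <= user.groups


@dataclass(frozen=True)
class AutoAssignment:
    user_class: UserClass
    group: str                  # managed group or role to grant
    auto_remove: bool = False   # optional: revoke when criteria no longer hold


def evaluate(users, assignments):
    """Apply the assignments to every user and return the changes made as
    (user_id, action, group) tuples, in the order they were applied."""
    changes = []
    for user in users:
        # Evaluate each class once per user, against a snapshot of the user's
        # groups taken before any change is applied (the membership cache the
        # text describes plays this role at scale). A class that depends on a
        # group granted in this pass converges on the next pass.
        membership = {}
        for a in assignments:
            if a.user_class.name not in membership:
                membership[a.user_class.name] = a.user_class.matches(user)
        for a in assignments:
            is_member = membership[a.user_class.name]
            if is_member and a.group not in user.groups:
                user.groups.add(a.group)
                changes.append((user.user_id, "add", a.group))
            elif not is_member and a.auto_remove and a.group in user.groups:
                user.groups.discard(a.group)
                changes.append((user.user_id, "remove", a.group))
    return changes


def run_demo():
    """Constructed sample data; returns the change list for inspection."""
    users = [
        User("alice", {"department": "Finance", "title": "Analyst"}, {"all-staff"}),
        User("bob", {"department": "Finance", "title": "Manager"},
             {"all-staff", "finance-approvers"}),
        # carol moved out of Finance but still holds an approver role
        User("carol", {"department": "Engineering", "title": "Manager"},
             {"all-staff", "finance-approvers"}),
    ]
    finance_staff = UserClass("finance-staff",
                              (("department", frozenset({"Finance"})),),
                              frozenset({"all-staff"}))
    finance_managers = UserClass("finance-managers",
                                 (("department", frozenset({"Finance"})),
                                  ("title", frozenset({"Manager", "Director"}))))
    assignments = [
        AutoAssignment(finance_staff, "finance-share"),
        AutoAssignment(finance_managers, "finance-approvers", auto_remove=True),
    ]
    return evaluate(users, assignments)


if __name__ == "__main__":
    for change in run_demo():
        print(*change)
```

The revocation branch is what makes the feature a least-privilege control rather than a convenience: carol keeps the approver role only as long as she matches the class, and the change list gives auditors a record of every grant and removal the engine made.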

Comparing user entitlements

Users often struggle to formulate security change requests -- they know that a given user needs some new security rights, they usually also know which other users already have those rights, but they do not know how to describe the required security rights to the security administration team. As a result, users often resort to requests of the form "Please make Bob like Mary."

Cloning users is bad -- it propagates unnecessary security entitlements from one user to another and leads to a situation where users can access far more data than needed: a clear violation of the principle of least privilege.

Previous releases of Identity Manager already included robust support for role-based access control (RBAC) -- a mechanism that allows a requesting user to select a business role and apply it to a recipient user. This helps in cases where such roles have been defined. The challenge with RBAC is to define enough roles and associate them with the right users -- easier said than done.

Identity Manager 8.1 introduces a new feature, which allows a requester to compare the security entitlements that the intended recipient already has to the entitlements which a reference, or model user already has. The requester can then choose just those security rights that seem relevant to the recipient, rather than asking IT support to copy everything from one user to another.

This more fine-grained approach to formulating security change requests is both user friendly and secure. It is user friendly because a requester can visually inspect the differences between the recipient and the model user and select the security rights to ask for from a very small and, hopefully, clearly labeled list of possibilities. It is secure because it eliminates the excessive requests that arise when everything one user has is blindly copied to another.

Screenshot: The model-after request user interface.

The model-after UI includes robust access controls that determine who can use it, on behalf of whom and with what users as available models. All these access controls are defined in terms of relationships between users -- for example, the requester, recipient and model may have to be in the same department, or the model user may have to have been flagged as "well configured."
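As an added example (not Hitachi ID's code), the comparison and the relationship-based access controls described in the last few paragraphs can be sketched as follows: the difference between the model user's and the recipient's entitlements is computed as a set difference, the requester may only pick from the items the model has and the recipient lacks, and the comparison itself is allowed only when the requester, recipient and model share a department and the model is flagged as well configured. The access rules, entitlement names and sample users are constructed for the example; the product's actual rule language is not shown on the page.

```python
# Added example (not Hitachi ID's code): a model-after comparison that shows
# a requester which entitlements a model user holds that the recipient does
# not, enforces relationship-based access controls on who may be compared,
# and builds a request from the subset the requester selects. Names assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    system: str
    name: str

    def label(self) -> str:
        return f"{self.system}:{self.name}"


@dataclass(frozen=True)
class Person:
    user_id: str
    department: str
    entitlements: frozenset          # of Entitlement
    well_configured: bool = False    # model users may be flagged as such


def _by_label(e: Entitlement) -> str:
    return e.label()


def compare_entitlements(recipient, model):
    """Return (only_model, shared, only_recipient) as label-sorted lists.
    only_model is the candidate list the requester picks from."""
    only_model = model.entitlements - recipient.entitlements
    shared = model.entitlements & recipient.entitlements
    only_recipient = recipient.entitlements - model.entitlements
    return (sorted(only_model, key=_by_label), sorted(shared, key=_by_label),
            sorted(only_recipient, key=_by_label))


def check_model_after_access(requester, recipient, model):
    """Assumed access rules: all three parties share a department, the model
    is flagged well-configured, and the recipient is not their own model."""
    if not (requester.department == recipient.department == model.department):
        raise PermissionError("requester, recipient and model must share a department")
    if not model.well_configured:
        raise PermissionError(f"{model.user_id} is not flagged as a well-configured model")
    if recipient.user_id == model.user_id:
        raise PermissionError("recipient and model must differ")


def build_request(requester, recipient, model, selected_labels):
    """Return the entitlements to request. Only items the model has and the
    recipient lacks are accepted, so the request can never clone the model."""
    check_model_after_access(requester, recipient, model)
    only_model, _, _ = compare_entitlements(recipient, model)
    candidates = {e.label(): e for e in only_model}
    chosen = []
    for label in selected_labels:
        if label not in candidates:
            raise ValueError(f"{label} is not a difference between the two users")
        chosen.append(candidates[label])
    return chosen


# Constructed sample users
MARY = Person("mary", "Finance", frozenset({
    Entitlement("sap", "AP_CLERK"), Entitlement("sap", "AP_APPROVER"),
    Entitlement("fileshare", "finance-ro"), Entitlement("vpn", "remote")}),
    well_configured=True)
BOB = Person("bob", "Finance", frozenset({
    Entitlement("fileshare", "finance-ro"), Entitlement("vpn", "remote"),
    Entitlement("jira", "reporter")}))
DAN = Person("dan", "Finance", frozenset())          # the requester
EVE = Person("eve", "Engineering", frozenset(), well_configured=True)


if __name__ == "__main__":
    only_model, shared, only_recipient = compare_entitlements(BOB, MARY)
    print("model has, recipient lacks:", [e.label() for e in only_model])
    chosen = build_request(DAN, BOB, MARY, ["sap:AP_CLERK"])
    print("requesting:", [e.label() for e in chosen])
```

The requester sees two candidates (the two SAP roles) rather than Mary's whole profile, and asks for one; an attempt to select something outside the difference, or to model a Finance user after someone in Engineering, is rejected before a request is created.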

Contextually assigned password policies

Another new use for single-participant user classes in Password Manager 8.1.0 is to assign different password policies to different sets of users on the same system. Simply define multiple password policies, attach each policy to a user class, and designate one policy as the default.

This mechanism is most useful when organizations want to subject some sets of users -- such as system administrators or HR staff -- to more stringent password complexity rules than other users, on the same system(s).
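Added example (not Hitachi ID's code) of the selection logic described above: several policies, each bound to a user class, plus one default; the policy for a user is chosen by evaluating the classes, and a proposed password is then checked against that policy. The policy contents, the user classes (written here as predicates over a user record) and the rule that the first matching binding wins are assumptions made for the example.

```python
# Added example (not Hitachi ID's code): attaching password policies to
# user classes with one default policy, and checking a proposed password
# against the policy selected for a user. Policy contents and the rule that
# the first matching binding wins are assumptions.
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_char_classes: int        # of: lowercase, uppercase, digit, other
    forbid_user_id: bool = True


@dataclass(frozen=True)
class PolicyBinding:
    user_class: Callable[[dict], bool]   # predicate over a user record
    policy: PasswordPolicy


def select_policy(user, bindings, default):
    """Return the policy of the first binding whose user class matches the
    user; users who match no class get the default."""
    for binding in bindings:
        if binding.user_class(user):
            return binding.policy
    return default


def check_password(user, password, policy):
    """Return the list of rule violations (empty when the password complies)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_char_classes:
        violations.append(f"uses {classes} character classes, "
                          f"{policy.min_char_classes} required")
    if policy.forbid_user_id and user["user_id"].lower() in password.lower():
        violations.append("contains the user ID")
    return violations


# Constructed policies and user-class bindings (first match wins)
DEFAULT_POLICY = PasswordPolicy("default", min_length=8, min_char_classes=3)
ADMIN_POLICY = PasswordPolicy("privileged", min_length=14, min_char_classes=4)
HR_POLICY = PasswordPolicy("hr-staff", min_length=12, min_char_classes=3)

BINDINGS = [
    PolicyBinding(lambda u: "Domain Admins" in u["groups"], ADMIN_POLICY),
    PolicyBinding(lambda u: u["department"] == "HR", HR_POLICY),
]

# Constructed users, all on the same system
ADMIN = {"user_id": "jsmith", "department": "IT", "groups": {"Domain Admins"}}
HR_USER = {"user_id": "mlee", "department": "HR", "groups": set()}
STAFF = {"user_id": "tnguyen", "department": "Sales", "groups": set()}


def evaluate(user, password):
    """Pick the user's policy and check the password against it;
    returns (policy name, list of violations)."""
    policy = select_policy(user, BINDINGS, DEFAULT_POLICY)
    return policy.name, check_password(user, password, policy)


if __name__ == "__main__":
    for u in (ADMIN, HR_USER, STAFF):
        print(u["user_id"], evaluate(u, "Winter2024"))
```

The same candidate password is accepted for the sales user, rejected for the HR user on length, and rejected for the administrator on both length and character classes, which is exactly the outcome the text describes: the stricter rules apply only to the higher-risk population without creating a separate system or account store for them.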

Screenshot: Assigning a stronger password policy to high risk users.

Dashboards and analytics

Hitachi ID Management Suite 8.1 includes many new reports and important new dashboards. These include:

Workflow analytics
  • Most popular request type, authorizer, implementer, entitlement, etc.
  • Stuck / delayed requests.
  • Participant responsiveness.
  • Request volume trend over time.
  • Compare entitlements between users in a set.
  • Inconsistent or invalid attribute values.
  • Requests / resources with inadequate / invalid authorizers.
  • Requests with invalid resources / users.

General
  • All reports can be scheduled to run periodically.
  • Run time/date is a parameter to the query.
  • HTML, CSV and PDF output.
  • Dashboards: workflow, user adoption, certification.

Performance optimizations

As mentioned earlier, Hitachi ID Management Suite 8.1 includes many performance improvements. The most visible of these is caching of membership of users in single-participant user classes. This means that policy evaluation -- regarding what menu options to show a user, what groups or roles to assign a user, what password policy to apply to a user and more -- is reduced at runtime to a simple database lookup inside a stored procedure.

Other performance optimizations in 8.1 include more efficient replication between Hitachi ID Management Suite nodes on the network, especially under high load and when subjected to low bandwidth or high latency connections. This is very useful in global-scale deployments where servers may be on different continents and need to replicate identity, workflow and other data in near-real-time.