Suite 8.1 New Features
HTML Presentation: What's New in v8.1
Scope of the 8.1 release
The Hitachi ID Management Suite 8.1 release includes all Hitachi ID Systems products -- Hitachi ID Identity Manager, Hitachi ID Password Manager and Hitachi ID Privileged Access Manager.
- Hitachi ID Identity Manager and Hitachi ID Password Manager can be installed in a single instance.
- Hitachi ID Privileged Access Manager is intended to be deployed stand-alone, due to its higher risk profile and distinct population of users.
- Single sign-on between instances (across URLs and servers) is supported, including integrated cross-instance navigation menus.
- The underlying technology is significantly enhanced -- faster run-time performance, more efficient and fault-tolerant database replication and a true multi-master architecture, with multiple servers presenting a user interface, running the workflow server and more.
- Functional enhancements in 8.1 include:
- Auto-entitlements: Automatically assigned and revoked roles and groups.
- Model-after: Users can formulate workflow requests by comparing entitlements held by the intended recipient to an existing, "model" user.
- Multi-policy: Different users with accounts on the same target systems can be subjected to unique password policies, chosen based on which user classes a user falls into.
- Dashboards and analytics: Many new dashboards and reports to examine entitlements, identity data and workflow processes.
- User class caching: Membership in single-participant user classes is cached, for significantly faster runtime performance when evaluating access controls, assigning roles and groups and more.
Automatically assigned entitlements
Starting with Hitachi ID Management Suite 8.1.0, administrators can link single-participant user classes to managed groups and Hitachi ID Management Suite roles. When this is done, users whose identity attributes and other group memberships satisfy the criteria specified in the user class are automatically assigned the group or role in question. Optionally, users who no longer satisfy the conditions are automatically removed from the group or role in question.
Screenshot: configuring automatic assignment of group membership
This new subsystem comes with sophisticated underlying capabilities, including:
- A throttle that limits how many automatic role and group changes are processed per batch run. Note: batch runs are scheduled, normally every 24 hours but in some cases more often.
- Groups and roles may be exempted from the throttle. For example, unauthorized members in the Active Directory Domain Administrators group may be removed automatically regardless of how many other changes are detected and processed in the same batch.
- Changes proposed by this subsystem are passed back to the Hitachi ID Management Suite workflow engine, where they are subject to SoD policy enforcement, approvals and any other global policy an organization may wish to enforce. All such changes are visible in standard workflow reports and analytics.
- Auto-removal can be enabled or disabled on a per-group basis.
- In addition to batch processing, any changes to user profiles carried out by the Hitachi ID Management Suite automatically trigger recalculation for that user and immediate action to add/remove roles or groups.
Caching of membership in single-participant user classes supports high speed performance of this new feature.
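The reconciliation logic described above, as an added simulation that is not Hitachi ID code: user classes are modelled as attribute predicates, each batch run proposes add/remove changes, the throttle is applied with per-group exemptions, and auto-removal can be switched off per group. The user attributes, group names and throttle value are constructed for the example; handing the proposed changes to the workflow engine is out of scope here.

```python
from dataclasses import dataclass

@dataclass
class AutoGroup:
    """A managed group or role linked to a single-participant user class."""
    name: str
    criteria: dict                    # attribute -> required value
    auto_remove: bool = True          # auto-removal can be disabled per group
    exempt_from_throttle: bool = False

def in_user_class(user: dict, criteria: dict) -> bool:
    return all(user.get(k) == v for k, v in criteria.items())

def reconcile(users: dict, groups: list, throttle: int) -> list:
    """One batch run: return proposed (action, user, group) changes.
    Exempt groups are processed in full; all other changes count against
    the throttle and the remainder waits for a later batch."""
    proposed, exempt = [], []
    for g in groups:
        for uid, user in users.items():
            member = g.name in user["groups"]
            should = in_user_class(user, g.criteria)
            change = None
            if should and not member:
                change = ("add", uid, g.name)
            elif member and not should and g.auto_remove:
                change = ("remove", uid, g.name)
            if change:
                (exempt if g.exempt_from_throttle else proposed).append(change)
    return exempt + proposed[:throttle]

# Constructed sample directory; bob holds Domain Admins without qualifying.
USERS = {
    "alice": {"dept": "IT", "title": "sysadmin", "groups": {"DomainAdmins"}},
    "bob":   {"dept": "HR", "title": "analyst",  "groups": {"DomainAdmins"}},
    "carol": {"dept": "HR", "title": "analyst",  "groups": {"HR-Managers"}},
    "dave":  {"dept": "HR", "title": "manager",  "groups": set()},
}
GROUPS = [
    AutoGroup("DomainAdmins", {"dept": "IT", "title": "sysadmin"},
              exempt_from_throttle=True),
    AutoGroup("HR-Staff", {"dept": "HR"}),
    AutoGroup("HR-Managers", {"dept": "HR", "title": "manager"},
              auto_remove=False),
]

def run_batch(throttle: int = 2) -> list:
    return reconcile(USERS, GROUPS, throttle)
```

With the throttle at 2, the unauthorized Domain Admins membership is still removed in the first run because that group is exempt, while the fourth and fifth HR changes wait for a later batch.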
Comparing user entitlements
Users often struggle to formulate security change requests -- they know that a given user needs some new security rights, they usually also know what other users already have those rights, but they do not know how to describe the required security rights to the security administration team. As a result, users often resort to requests of the form "Please make Bob like Mary."
Cloning users is bad -- it propagates unnecessary security entitlements from one user to another and leads to a situation where users can access far more data than needed: a clear violation of the principle of least privilege.
Previous releases of Identity Manager already included robust support for role-based access control (RBAC) -- a mechanism that allows a requesting user to select a business role and apply that to a recipient user. This helps, in cases where such roles have been defined. The challenge with RBAC is to define enough roles and associate them with the right users -- easier said than done.
Identity Manager 8.1 introduces a new feature, which allows a requester to compare the security entitlements that the intended recipient already has to the entitlements which a reference, or "model," user already has. The requester can then choose just those security rights that seem relevant to the recipient, rather than asking IT support to copy everything from one user to another.
This more fine-grained approach to formulating security change requests is both user friendly and secure. User friendly because a requester can visually inspect the differences between the recipient and model user and select security rights to ask for from a very small and hopefully clearly labeled list of possibilities. Secure because this approach eliminates the excessive requests that arise when everything that one user has is blindly copied to another user.
Screenshot: the model-after request user interface
The model-after UI includes robust access controls that determine who can use it, on behalf of whom and with what users as available models. All these access controls are defined in terms of relationships between users -- for example, the requester, recipient and model may have to be in the same department, or the model user may have to have been flagged as "well configured."
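An added illustration of the model-after request flow, not Hitachi ID code: the requester is shown only the entitlements the model holds that the recipient lacks and may request a subset of them, and a relationship-based access check gates who can use which model. The directory contents and the specific rule (same department for all three parties, model flagged as well configured) are constructed for the example.

```python
# Constructed directory; "ents" are the user's group memberships and roles.
USERS = {
    "mary":  {"dept": "Finance", "well_configured": True,
              "ents": {"GL-Read", "GL-Post", "AP-Approve", "VPN"}},
    "bob":   {"dept": "Finance", "well_configured": False, "ents": {"VPN"}},
    "joe":   {"dept": "Sales", "well_configured": True,
              "ents": {"CRM-Admin", "VPN"}},
    "alice": {"dept": "Finance", "well_configured": False, "ents": {"VPN"}},
}

def may_model_after(requester, recipient, model, users=USERS) -> bool:
    """Assumed relationship rule: requester, recipient and model share a
    department, and the model has been flagged as well configured."""
    depts = {users[u]["dept"] for u in (requester, recipient, model)}
    return len(depts) == 1 and users[model]["well_configured"]

def model_after_candidates(requester, recipient, model, users=USERS):
    """Entitlements the model has but the recipient lacks; None when the
    requester may not use this model for this recipient."""
    if not may_model_after(requester, recipient, model, users):
        return None
    return sorted(users[model]["ents"] - users[recipient]["ents"])

def build_request(requester, recipient, model, chosen, users=USERS) -> dict:
    """Turn the requester's selection into a change request. Only items
    from the candidate list are accepted, so the request is a chosen
    subset rather than a blind clone of the model user."""
    candidates = model_after_candidates(requester, recipient, model, users)
    if candidates is None:
        raise PermissionError("requester may not model this recipient after that user")
    bad = set(chosen) - set(candidates)
    if bad:
        raise ValueError(f"not offered by model-after: {sorted(bad)}")
    return {"recipient": recipient, "add": sorted(chosen)}
```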
Contextually assigned password policies
Another new use for single-participant user classes in Password Manager 8.1.0 is to assign different password policies to different sets of users on the same system. Simply define multiple password policies and attach each policy to a user class, plus one policy as "default."
This mechanism is most useful when organizations want to subject some sets of users -- such as system administrators or HR staff -- to more stringent password complexity rules than other users, on the same system(s).
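An added example, not Hitachi ID code, of the multi-policy selection described above: an ordered list of user classes, each attached to a password policy, with a default policy as the fallback, and a check of a candidate password against whichever policy applies to that user. The user classes, policy thresholds and rule set are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int          # of: lower, upper, digit, symbol
    forbid_user_id: bool = True

def in_user_class(user: dict, criteria: dict) -> bool:
    return all(user.get(k) == v for k, v in criteria.items())

# Ordered: the first matching user class wins; criteria None is the "default".
POLICIES = [
    ({"title": "sysadmin"}, PasswordPolicy("admin", 16, 4)),
    ({"dept": "HR"},        PasswordPolicy("hr", 12, 3)),
    (None,                  PasswordPolicy("default", 8, 2)),
]

def select_policy(user: dict, policies=POLICIES) -> PasswordPolicy:
    for criteria, policy in policies:
        if criteria is None or in_user_class(user, criteria):
            return policy
    raise LookupError("no default password policy configured")

def violations(user: dict, password: str, policies=POLICIES) -> list:
    """Return the rules of the user's own policy that the password breaks."""
    p = select_policy(user, policies)
    classes = sum(bool(re.search(rx, password))
                  for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    found = []
    if len(password) < p.min_length:
        found.append(f"{p.name}: needs {p.min_length}+ characters")
    if classes < p.min_classes:
        found.append(f"{p.name}: needs {p.min_classes} character classes")
    if p.forbid_user_id and user["id"].lower() in password.lower():
        found.append(f"{p.name}: must not contain the user ID")
    return found

# Constructed users who all hold accounts on the same target system.
ALICE = {"id": "alice", "dept": "IT",    "title": "sysadmin"}
BOB   = {"id": "bob",   "dept": "HR",    "title": "analyst"}
CAROL = {"id": "carol", "dept": "Sales", "title": "rep"}
```

The same password can pass for one user and fail for another on the same system, which is exactly the effect the feature is meant to produce.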
Screenshot: assigning a stronger password policy to high risk users
Dashboards and analytics
Hitachi ID Management Suite 8.1 includes many new reports and important new dashboards. These include:
| Workflow | Analytics | General |
|---|---|---|
Performance optimizations
As mentioned earlier, Hitachi ID Management Suite 8.1 includes many performance improvements. The most visible of these is caching of membership of users in single-participant user classes. This means that policy evaluation -- regarding what menu options to show a user, what groups or roles to assign a user, what password policy to apply to a user and more -- is reduced at runtime to a simple database lookup inside a stored procedure.
Other performance optimizations in 8.1 include more efficient replication between Hitachi ID Management Suite nodes on the network, especially under high load and when subjected to low bandwidth or high latency connections. This is very useful in global-scale deployments where servers may be on different continents and need to replicate identity, workflow and other data in near-real-time.