Hitachi ID Facebook Page Hitachi ID Twitter Page Find us on Google+ Hitachi ID YouTube Page

Suite 8.2 New Features

HTML Presentation: What's New in v8.2

Scope of the 8.2 release

The Hitachi ID Identity and Access Management Suite 8.2 release includes all Hitachi ID Systems products -- Hitachi ID Identity Manager, Hitachi ID Password Manager and Hitachi ID Privileged Access Manager.

Summary of enhancements

Upgraded technology platform

Graphical dashboards

Hitachi ID Identity and Access Management Suite 8.2 introduces graphical dashboards to the web portal:

Simplified addition of nodes

Hitachi ID Identity and Access Management Suite has a multi-master architecture. This means that each server node normally has its own, local database and provides full functionality. To support this, there is a built-in data replication layer that forwards local database updates from one node to another.

Hitachi ID Identity and Access Management Suite 8.2 introduces a simplified process for adding nodes to a replicated application instance:

Image:  screen-shots/add-replica-simple-nb
(Click to enlarge)

Adding a node to a multi-node Hitachi ID Identity and Access Management Suite instance.

Multiple UI skins

Image:  screen-shots/mobile-skin-pw-ops-small-nb
(Click to enlarge)

Password reset and intruder unlock using the mobile skin on a smartphone.

Improved report delivery

Starting with Hitachi ID Identity and Access Management Suite 8.2, reports generated by the application, interactively or on a scheduled basis, can be delivered via filesystem drop. To do this, configure a UNC path where report output -- HTML or CSV -- is to be placed and use a target system to hold credentials to mount that share.

IPv6 support

Organizations are increasingly deploying IPv6, either locally on servers (enabled by default on Windows 2008 and later) or across their network. Hitachi ID Identity and Access Management Suite 8.2 now supports communication between components using IPv6, including contacting proxy servers, local agents on Unix/Linux systems and database replication, all over IPv6.

Performance improvements

A variety of internal processes in Hitachi ID Identity and Access Management Suite have been optimized to run faster, including workflow approvals in Identity Manager and import rule evaluation in Privileged Access Manager. Identity Manager can now onboard 2 users per second, sustained.

Functional enhancements to Privileged Access Manager


Image:  screen-shots/hipam-status-nb
(Click to enlarge)

Managed systems, checkouts, requests and randomized passwords.

Group sets

Group sets are a new paradigm in Privileged Access Manager 8.2 for checking out temporary membership in multiple security groups on a target system. Group sets, defined within a managed system policy (MSP) can include groups specified individually or using inclusion rules based on group fully qualified names, descriptions or IDs (GID, SID, etc.). When a group set is checked out by a user, the user's existing account -- locally on the target system or on an Active Directory domain -- is temporarily attached to every group in the set on the selected system.

Access to group set check-outs is assigned separately from access to account/password check-out. On the same managed system, some users may be allowed account check-out (e.g., login to the shared Administrator account) while other users may be allowed group-set check-out (e.g., "become a member of the Administrators group").

Configuring a group set:

Image:  screen-shots/groupset-in-msp-nb
(Click to enlarge)

Configuring a group set within a managed system policy.

Image:  screen-shots/gs-inclusion-rule-nb
(Click to enlarge)

Specifying which groups to include using a rule.

Image:  screen-shots/which-acct-gets-grpmem-nb
(Click to enlarge)

Selecting a target system whose accounts will be assigned the groups.

Image:  screen-shots/gs-acls-nb
(Click to enlarge)

Granting access to check-out a group set.

Checking out a group set:

Image:  screen-shots/select-system-nb
(Click to enlarge)

Selecting a system on which to checkout a group set.

Image:  screen-shots/select-gs-nb
(Click to enlarge)

Selecting a group set.

Image:  screen-shots/request-details-nb
(Click to enlarge)

Authorizer view of the request.

Image:  screen-shots/gs-checkout-progress-nb
(Click to enlarge)

Request status showing completed, in-progress and failed group membership assignments.

Push/pull integration and simplified import rules

A single Local Workstation Service (LWS) package can be deployed to all clients, unlike in previous versions where separate MSI packages had to be created for every set of endpoints that shared a policy. In Privileged Access Manager 8.2, when a LWS system first "calls home," it is automatically attached to the appropriate policies based on import rules written in terms of attributes of the system, such as its hostname, OS, IP address, etc. • Data from the LWS system's security database (accounts, groups) and service infrastructure (SCM, Scheduler, DCOM, etc.) are then collected and periodically refreshed.

Import rules are simpler in Privileged Access Manager 8.2, no longer requiring complex expressions to be written. Instead, the product administrator specifies rules consisting of three elements: attribute, operation and value. For example, the attribute might be a hostname, the operation might be contains and the value might be prod. Multiple requirements are combined using all or any.

Configuring local workstation service (LWS) import rules:

Image:  screen-shots/create-local-admin-nb
(Click to enlarge)

The LWS can be instructed to create a new local account, which will be available for check-out by authorized users.

Image:  screen-shots/set-lws-discovery-options-nb
(Click to enlarge)

Policy determines what data about the local security database the LWS will "send home" to Privileged Access Manager.

Image:  screen-shots/lws-import-rule-requirements-nb
(Click to enlarge)

Import rules, based on attributes of the system where the local workstation service was installed, determine what policy the endpoint should be attached to.

Viewing data collected from LWS endpoints:

Image:  screen-shots/lws-discovered-accounts-nb
(Click to enlarge)

Once a system has self-registered, Privileged Access Manager can be used to see what local accounts exist in its security database.

Image:  screen-shots/lws-discovered-objects-nb
(Click to enlarge)

Privileged Access Manager also collects data about what services run on LWS-attached systems in the security context of a named account.

Support for network level authentication

The remote desktop protocol (RDP) control -- also known as the Terminal Services Client on Windows -- now supports Network Level Authentication. This newer authentication process, introduced in RDPv6, shifts the login process from server-side to client-side and is more efficient than earlier versions of RDP where the server actually prompted for login credentials.

Ability to unapprove checkouts

Privileged Access Manager 8.2 allows the authorizer of a workflow request for temporary access to a system to change his mind and revoke an already-approved and possibly already-established request. If the user in question had already launched a login session, that session will be disconnected.

Note that previous releases already supported revoking a user, which would terminate all of that user's sessions and block the user from signing into Privileged Access Manager. Whereas revoke was normally only appropriate in the event of an urgent termination, unapprove is a more fine-grained mechanism, suitable where someone asked for the wrong access, that request was mistakenly granted, and only the mistaken access request should be reversed.

New capabilities and improved usability in Identity Manager


Identity Manager 8.2 includes three main dashboards:

Image:  screen-shots/psa-license-enrollment-nb
(Click to enlarge)

License file statistics and user enrollment progress.

Image:  screen-shots/workflow-state-nb
(Click to enlarge)

Workflow request activity, including most active participants and oldest requests (possibly needing attention).

Image:  screen-shots/workflow-trend-nb
(Click to enlarge)

Workflow trend analysis, showing activity over time.

Image:  screen-shots/cert-progress-nb
(Click to enlarge)

Certification progress, showing what has been reviewed and what remains.

New workflow search

The mechanism used to search for workflow requests has been completely redesigned in the Hitachi ID Identity and Access Management Suite 8.2. Since workflow requests are used in both Privileged Access Manager and Identity Manager, this is really core infrastructure, but is most evident in Identity Manager. The new screen allows a requester to search for requests based on status, participants and dates, as shown below. Whether a request appears in the search results depends on access controls and on how the person performing the search is related to each request in the result set.

Image:  screen-shots/workflow-search-nb
(Click to enlarge)

New workflow request search screen.

Improved navigation

In previous releases, special functions relating to a user's profile, such as the ability to view the user's change history, to compare the user (as a recipient) with another user (a model) or to initiate a single-user recertification were accessed from the user's "Custom request" page. This meant that, to access these features, requesters had to be granted the right to submit custom requests. Starting with Identity Manager 8.2, these capabilities have all been replicated to the pre-defined request selection page, which means that a requester need not have the right to submit a custom request on behalf of a given recipient in order to access these features:

Image:  screen-shots/pdr-select-all-options-nb
(Click to enlarge)

New navigation to built-in requests, such as comparing entitlements between a model user and a recipient.

More friendly table editor

Hitachi ID Systems deployments increasingly leverage "external" tables -- stored as SQLite tables and edited using the "DBE" table editor -- to hold policy rules and lookup data. For example, the Hitachi ID Identity and Access Management Suite reference implementation stores information such as attribute validation and reformatting rules, authorizer routing policies and lookup tables for OUs, home directory paths and mail servers in such external tables. To support this increased use, Hitachi ID Identity and Access Management Suite 8.2 includes a more user friendly table editor, with drop-downs for column values that have enumerated types in the database, validation for column values that refer to objects such as roles and groups inside the Hitachi ID Identity and Access Management Suite and better on-screen formatting.

Social platform integrations

Hitachi ID Systems customers are increasingly deploying instances of the Hitachi ID Identity and Access Management Suite to manage the identities of customers and partners, in an Internet-facing arrangement. In some cases, it may be more convenient or desirable to leverage an existing identity when onboarding a new user, rather than creating a new identity for that user. To support this, Identity Manager 8.2 now supports provisioning new users using a social-network driven process using the OAuth 2.0 protocol. Samples are included to show how the system is configured so that users can leverage their, or identities to quickly and conveniently create new profiles in Identity Manager. Once enrolled, users can sign into the Hitachi ID Identity and Access Management Suite using their social profiles -- with one less password to manage.

Image:  screen-shots/fb-login-nb
(Click to enlarge)

Integration with social platforms such as Facebook for business-to-consumer deployments.

CAPTCHA support

The corporate perimeter is fast disappearing and many Hitachi ID Systems customers are exposing their Hitachi ID Identity and Access Management Suite deployment to the Internet. To protect their user profiles against automated password-guessing and security-question-guessing attacks, it is helpful to introduce a CAPTCHA in the login sequence, to verify that the person attempting an authentication to the Hitachi ID Identity and Access Management Suite web portal is actually a human. Hitachi ID Identity and Access Management Suite 8.2 includes two sample CAPTCHA integrations, one for Google's reCAPTCHA and another for

Image:  screen-shots/ayah-nb
(Click to enlarge)

Integration with, to verify that the user is not a script.