Identity and access management (IAM) systems, sometimes also called user provisioning, access governance or identity governance and administration (IGA) systems, externalize the management of users, identity attributes and security entitlements out of individual systems and applications, into a shared infrastructure.
IAM systems make the creation, management and deactivation of login accounts, home directories, mail folders and security entitlements faster, less costly and more reliable. This is done by automating business processes for as onboarding, change requests and deactivation for each user community and by linking these processes to the systems and applications that have account repositories.
IAM systems generally implement one or more of the following processes:
Detect adds, changes and deletions in a system of record (SoR, such as HR) and make matching changes -- create accounts, grant/revoke access, etc. on integrated systems and applications.
- Self-service requests:
Enable users to update their own profiles (e.g., new home phone number) and to request new entitlements (e.g., access to an application or folder).
- Delegated administration:
Enable managers, application owners and other stake-holders to request changes to identities and entitlements within their scope of authority.
- Access certification:
Periodically invite managers and application or data owners to review users and security entitlements within their scope of authority, flagging inappropriate entries for removal.
- Identity synchronization:
Detect changes to attributes, such as phone numbers or department codes on one system and automatically copy to others.
- Authorization workflow:
Validate all proposed changes, regardless of their origin and invite business stake-holders to approve them before they are committed.
IAM systems generate value by applying the identity and entitlement changes produced by the above processes to account repositories, using connectors that can:
- List existing accounts and groups.
- Create new and delete existing accounts or groups.
- Read and write account or group attributes.
- Read and set flags, such as "account enabled/disabled," "account locked," "intruder lockout" or "group type."
- Change the login ID of an existing account (rename user).
- Read an account's groups or a group's members.
- Add accounts to or remove accounts from groups.
- Add child groups to or remove child groups from parent groups.
- Move accounts between directory organizational units (OUs).
Hitachi ID Identity Manager manages the lifecycles of identities, accounts, groups and entitlements. It includes:
- Automatically granting and revoking access, after detecting changes on systems of record.
- A web portal for access requests, profile updates and certification.
- Full lifecycle management for groups and roles on target systems.
- A workflow engine to invite people to approve requests, review access or complete tasks.
- Policy enforcement related to SoD, RBAC, risk scores, privacy protection and more.
- Reports, dashboards and analytics.
Hitachi ID Identity Manager includes connectors to manage users, groups and entitlements on over 120 kinds of systems and applications, on-premises and in the cloud.
These capabilities are accessed via a web portal, compatible with both full-screen browsers (PC, tablet) and smart-phones (via mobile app).