Suite 8.0 New Features
Webinar: Review of the 8.0 Release for Identity Manager and Password Manager
Press Release: Hitachi ID Systems Releases Hitachi ID Management Suite Version 8.0
HTML Presentation: What's New in v8
Scope of the 8.0 release
The Hitachi ID Management Suite 8.0 release includes both Hitachi ID Identity Manager and Hitachi ID Password Manager.
- The two products can be installed in a single instance.
- Alternately, the two products can be installed in their own instances, even on different servers, but present an integrated login screen and navigation menu to users.
- The entire user interface has been refreshed with a new look, new graphics, new stylesheets, and more -- to give a cleaner and more aesthetically pleasing appearance.
- The underlying technology is significantly enhanced -- faster run-time performance, more efficient and fault-tolerant database replication and a true multi-master architecture, with multiple servers presenting a user interface, running the workflow server and more.
- Functional enhancements in 8.0 include:
- A new and innovative access control model.
- Totally redesigned search screens -- for users, groups, roles and more.
- Single-user and ad-hoc access certification.
- An entitlement catalog, with extensible attributes for resources such as roles and groups.
- Many new reports and dashboards, especially for analytics and workflow monitoring.
- New and refreshed connectors for on-premise and SaaS applications.
- Improved support for nested groups in Active Directory.
- Reduced need for scripting.
Brand New User Interface
The Hitachi ID Management Suite user interface has been significantly revamped. This includes both style changes and updated screens and layout.
Screenshot: Hitachi ID Management Suite - user profile screen
Screenshot: Hitachi ID Management Suite - view org chart
An innovative, new access control model
In previous releases of Hitachi ID Management Suite and in all other identity management products, a user's access rights depend on who he is and what groups he belongs to. For example, access to personally identifying information or to salary data might be restricted to HR staff. This is essentially role based access control (RBAC).
The problem with this model is that business requirements are sometimes more dynamic. For example, a manager should be able to see some confidential data pertaining to his own subordinates, but not the same data about other users. An HR user might be allowed to see certain data relating to other users, but not to himself. The real world is more nuanced than traditional access control models; RBAC alone is not sufficient.
Starting in Hitachi ID Management Suite 8.0, the access control model in all Hitachi ID Systems products depends on the relationship between a requester who wishes to view some data or perform an action and the recipient whose user profile is being accessed. This is a relationship-based access control model, where organizations define types of relationships and attach access rights to those relationships.
Relationships can specify multiple participants -- for example, a requester, a recipient, an authorizer, an implementer or a certifier. The relationship between these participants (reports-to, shared-group, same-location, same-department, etc.) is easy to specify. Once a type of relationship has been defined, it can be used to control what one user can see of, or do to, another.
Relationship-based access control is new and only available from Hitachi ID Systems. It more naturally represents business needs than RBAC. It is easy to configure and eliminates the need for significant amounts of custom business logic.
Examples of access rights that can be attached to a relationship:
- Read/write termination date
- Read/write termination date
- Read home address
- Read/write home address
- Read SSN, DoB
- Write SSN, DoB
Relationships are defined interactively as shown below:
Screenshot: Hitachi ID Management Suite - relational user class
Advanced search
Hitachi ID Management Suite 8.0 includes a new search infrastructure for key objects -- users, groups, roles, etc. This search infrastructure is very flexible -- for example, one can search for "every user in department X and location Y" or "every user whose scheduled termination date is in the next 30 days and who is a member of the AD Administrators group."
More importantly, the search engine is aware of access controls and will censor its results. For example, if a manager searches for all users with a near-term scheduled termination, the search engine will return only those users whose termination date the manager would normally be allowed to see (for example, his direct or indirect reports).
This privacy-preserving attribute of the search engine is essential if sensitive data is to be managed by Hitachi ID Management Suite.
Examples:
- User with surname=X, in group Y on target Z, with last login before W.
- Security group with name contains X in OU Y on target Z.
- Active user with scheduled termination date before next Saturday.
- Inactive user with name=X, surname=Y and DoB=Z (check for a rehire?).
The search engine is shown below:
Screenshot: Hitachi ID Management Suite - advanced search
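The following Python model is an added illustration of the two ideas above, relationship-based access control (rights attached to relationship types such as reports-to, shared-group and same-department, evaluated between a requester and a recipient) and a search that censors its results to what the requester may see. It is not Hitachi ID's code or API: the users, relationship predicates, right names and the search function are constructed assumptions for the example.

```python
"""Toy relationship-based access control (ReBAC) with an access-aware search.

Added example, not part of the product. All users, relationship types,
rights and the search helper below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    uid: str
    department: str
    location: str
    manager: Optional[str]            # uid of direct manager, None for the top
    groups: FrozenSet[str]
    termination_date: Optional[date] = None


# Constructed sample directory (assumption, not real data).
USERS: Dict[str, User] = {u.uid: u for u in [
    User("ceo",   "exec", "calgary", None,    frozenset()),
    User("alice", "eng",  "calgary", "ceo",   frozenset({"eng-leads"})),
    User("bob",   "eng",  "calgary", "alice", frozenset({"eng-leads"}), date(2024, 6, 10)),
    User("carol", "eng",  "toronto", "alice", frozenset(),              date(2024, 9, 1)),
    User("dave",  "hr",   "calgary", "ceo",   frozenset({"hr-staff"})),
    User("erin",  "hr",   "calgary", "dave",  frozenset({"hr-staff"})),
]}


# Relationship types are predicates over (requester, recipient).
def reports_to(req: User, rec: User) -> bool:
    """True when rec is a direct or indirect report of req (walks the chain)."""
    m = rec.manager
    while m is not None:
        if m == req.uid:
            return True
        m = USERS[m].manager
    return False


def shared_group(req: User, rec: User) -> bool:
    return req.uid != rec.uid and bool(req.groups & rec.groups)


def same_department(req: User, rec: User) -> bool:
    return req.department == rec.department


def is_self(req: User, rec: User) -> bool:
    return req.uid == rec.uid


def hr_to_other(req: User, rec: User) -> bool:
    """HR staff looking at someone other than themselves."""
    return "hr-staff" in req.groups and req.uid != rec.uid


RELATIONSHIPS: Dict[str, Callable[[User, User], bool]] = {
    "reports-to": reports_to,
    "shared-group": shared_group,
    "same-department": same_department,
    "self": is_self,
    "hr-to-other": hr_to_other,
}

# Rights attached to relationship types (constructed policy). Note that
# "self" deliberately grants no SSN access: HR sees others' SSNs, not their own.
RIGHTS: Dict[str, FrozenSet[str]] = {
    "reports-to":      frozenset({"read:termination_date", "write:termination_date", "read:home_address"}),
    "hr-to-other":     frozenset({"read:termination_date", "write:termination_date",
                                  "read:ssn", "write:ssn", "read:home_address", "write:home_address"}),
    "self":            frozenset({"read:home_address", "write:home_address"}),
    "shared-group":    frozenset({"read:location"}),
    "same-department": frozenset({"read:location"}),
}


def rights_for(req: User, rec: User) -> FrozenSet[str]:
    """Union of the rights of every relationship that holds between req and rec."""
    granted = set()
    for name, holds in RELATIONSHIPS.items():
        if holds(req, rec):
            granted |= RIGHTS.get(name, frozenset())
    return frozenset(granted)


def can(requester_id: str, recipient_id: str, right: str) -> bool:
    return right in rights_for(USERS[requester_id], USERS[recipient_id])


def search_terminating_within(requester_id: str, days: int, today_iso: str = "2024-06-01") -> List[str]:
    """Access-aware search: users due to terminate within `days`, but only those
    whose termination date the requester is allowed to read."""
    req = USERS[requester_id]
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=days)
    hits = []
    for u in USERS.values():
        if u.termination_date is None or not (today <= u.termination_date <= horizon):
            continue
        if "read:termination_date" in rights_for(req, u):   # censor, don't leak
            hits.append(u.uid)
    return sorted(hits)


if __name__ == "__main__":
    for who in ("alice", "carol", "dave", "ceo"):
        print(who, "->", search_terminating_within(who, 30))
```

Running the block shows the censoring behaviour: alice (bob's manager), dave (HR) and the ceo (indirect manager) each get bob in the 30-day termination search, while carol, who shares bob's department but holds no relationship carrying `read:termination_date`, gets an empty result rather than an error or a leaked hit. Because rights are a union over all relationships that hold, adding a new relationship type never silently removes access, so a policy review should look at the rights of every type that can apply to a pair of users.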
Ad-hoc and single-user certification
Access certification in Hitachi ID Management Suite has been significantly enhanced.
- One user can recertify the security entitlements associated with another user on an ad-hoc basis. Using relationship-based access controls, this is intended to allow managers to recertify their subordinates, for example.
- Users can recertify themselves. This is useful if a user wants to "clean up" their profile and remove entitlements that might link the user to responsibilities he no longer has, for example.
- Recertification can be triggered by events. For example, a transfer can trigger a recertification of a user by his old and/or new manager.
- Management of the access certification process can be delegated, for example to security officers (rather than product administrators).
Screenshot: Hitachi ID Management Suite - single user certification
Extensible resource schema
In previous Hitachi ID Management Suite releases, resources such as roles and groups were described using a fixed set of attributes -- name, description, location, type, authorizers, etc. In Hitachi ID Management Suite 8.0, this schema is extensible.
Attributes can be defined per type of resource:
- Target systems.
- Managed groups.
- Roles, SoD policies.
- Inventory object classes.
Attributes may represent any business information, including:
- Ownership.
- Physical location.
- Department/division.
- Risk score.
New screens, access controls and API functions are included to view, modify and search on these attributes.
Hitachi ID Systems is working on linking these resource attributes to a variety of components of Hitachi ID Management Suite in future releases. This includes creating and deleting groups on target systems, synchronizing attributes such as description and ownership between Hitachi ID Management Suite and target systems, selecting entitlements to certify using their attributes and more.
Screenshot: Hitachi ID Management Suite - resource attributes
Reports: workflow and analytics
Hitachi ID Identity Manager 8.0 introduces many new reports and some new dashboards. The infrastructure used to generate and deliver reports has also been enhanced since the 6.2.x release series.
Report categories: Workflow, Analytics and General.
Screenshot: Hitachi ID Management Suite - workflow reports
New and updated connectors
Connector categories: New and Updated.
Faster deployments
- Hitachi ID Systems is constantly working to lower TCO.
- More built-in features mean less coding and faster ROI.
- A reference build lets new customers start with a working system rather than a blank slate.
Deployment accelerators: Built-in features and Reference build.