Hitachi ID Access Certifier -- included in Hitachi ID Identity Manager -- enables organizations to review and clean up security entitlements with:
- Certification of users:
Access Certifier can invite managers to review a list of their direct subordinates and, for each one, either certify that the subordinate still works for them, transfer the subordinate to their new manager, or indicate that the user in question has left the organization and their access should be terminated.
- Certification of entitlements:
Access Certifier can invite both managers and the owners of roles, applications and security groups to review the entitlements which have been assigned to users and either certify that they remain appropriate or ask that they be revoked.
- Certification of exceptions to policy:
Identity Manager supports enforcement of two types of policy -- role-based access control (RBAC) and segregation of duties (SoD). Access Certifier can be used to review approved exceptions to these policies and either certify that they remain appropriate or ask for the user in question to be brought back into compliance.
- Electronic signatures:
Access Certifier requires reviewers to sign off on their work. Signatures form a chain of accountability, acting as evidence that entitlements are still needed. The sign-off process also triggers workflow requests to revoke entitlements which reviewers indicated are no longer required.
- Certification by entitlement owners:
Application, group and role owners can be invited by Access Certifier to review lists of users with access to their entitlements.
- Certification by managers:
Access Certifier can be configured to invite every manager to review his direct subordinates and their entitlements. Managers are prevented from signing off until the managers who report to them have completed their own certification. This process creates downwards pressure on managers to complete their reviews.
- Authorization workflow:
Every user deactivation or access revocation request processed by Access Certifier is subject to an authorization process before being completed. The Access Certifier workflow manager is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively escalating requests if an out-of-office (OOO) message has been set.
- Allowing authorizers to approve or reject requests from their mobile phone (from any location, at any time, without a VPN).
Access Certifier includes a rich set of built-in reports, designed to answer a variety of questions, such as:
- Who certified user X having entitlement Y and when?
- What users have entitlement Z?
- What entitlements does user W have?
- Which reviewers respond quickly and which procrastinate?
- What accounts have no known owner (orphaned)?
- What users have no accounts (empty profiles)?
- What accounts have no recent login activity (dormant)?
- What users have no active accounts (dormant)?
- Automated connectors and human implementers:
Access Certifier can be integrated with existing systems and applications using a rich set of over 130 included connectors. This allows it to automatically detect and deprovision entitlements across commonly available systems and applications.
Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternatively, the built-in "implementers" workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems.
Screen shot: Review and clean up list of subordinates
Review and correct identity attributes, not just entitlements
Send multiple line items to a delegate
Deferred access revocation
Screen shot: Access Certifier progress dashboard