The objective of Identity Express is to minimize the time,
cost and risk of IAM system deployment. Instead of
spending months with consultants to document existing processes,
adjust them and then implement automation on a "clean slate" system,
Hitachi ID recommends discarding old, inefficient processes, adopting
best practices and implementing a full set of IAM processes in just
a few days. Identity Express can reduce the total cost of
IAM system deployment by 80% to 90%.
Hitachi ID Identity Express: Corporate Edition is a pre-configured set of business processes
and policies which implement best practices for managing
the identities, security entitlements and credentials of internal users
in corporations and similar organizations. In most organizations,
these internal users are employees and contractors.
Replacing legacy IAM processes with Identity Express
has the following advantages over custom IAM implementations:
Optimized IAM processes: The business processes codified
in Identity Express have been optimized for fast service and
robust internal controls, improving on the legacy processes in
Complete functionality: When implementing a custom IAM
system, organizations can only automate one or two processes at a time.
Most start with onboarding, deactivation or access reviews and
only later automate transfers, leaves of absence, name changes,
rehire detection, etc. In contrast, Identity Express allows organizations
to automate a comprehensive set of identity lifecycle processes
Efficient implementation: By adopting a pre-configured
set of processes and policies, organizations
minimize deployment risk, reduce implementation cost and shorten
time to value.
Scope of automation
Identity Express: Corporate Edition automates best-practice processes for managing
identities, security entitlements and credentials in a
corporation or similar organization. It is suitable for any
organization that fits the following profile:
Its workforce largely consists of employees.
Employees are tracked in one or more human resources (HR) systems.
The workforce also includes other categories of people -- contractors,
These other types are usually not tracked in HR.
Employees and some contractors are assigned corporate, centrally
managed PCs, which are members of an Active Directory
Most users also have a home directory on a file
server and an e-mail account / mail folder,
typically on Office 365 or Exchange.
Basic access rights (AD, Exchange, home directory) assigned to all
users are uniform and predictable based on user type, location, etc.
Additional access rights depend on the user's department, job
code, location or projects and may be more difficult to predict.
Identities and security entitlements in these organizations
can be managed using the following processes:
Employee access is automatically granted and revoked based on
changes detected in one or more systems of record (SoR), typically HR.
Non-employee access is granted and revoked in response to requests
entered on the IAM portal.
Access can be deactivated urgently if needed (terminations).
Users may be transferred across locations, departments and between
managers, as a result of either requests or changes in an SoR.
User types may change, for example between employee and contractor.
User names may change (marital status, etc.).
Users may take leaves of absence, for example due to maternity.
The system accepts, authorizes and manages fulfillment of requests
for access, for example to add login accounts or to add users to
User access is reviewed and, where it was inappropriate, revoked
both on a periodic basis and in response to events such as transfers.
Change management processes are subject to a variety of
policies relating to access changes and identity information:
Who can see what information, about whom?
Archive of e-mail folders and home directory contents, post-termination.
Segregation of duties: what rights should not be combined?
Who should approve what access?
How to construct unique, persistent login IDs, e-mail addresses, etc.
In what directory OU to create accounts,
on what filesystem to create home directories, in what mail database
to create a mail folder?
Whether people who have left the organization may return and
if so whether to re-activate their old profile or create a new one.
How to compose adequately secure passwords.
How users sign into the IAM system, both under normal circumstances
and in the event that they forgot their password.
Integrations and manual fulfillment
Included target systems
Identity Express: Corporate Edition includes a number of default integrations.
Organizations use these as a starting set and add or replace target
systems and applications as required:
A data feed from human resources (HR) to trigger automatic
setup, modification and deactivation processes.
There is no assumption that all the data from HR is
correct. Manager/subordinate relationships, department codes,
contact information and more may be obsolete or incorrect.
Changes to HR data, especially new hires and removal of employees
from HR, are assumed to be accurate when they are detected and
do trigger changes to user access.
A single Active Directory domain.
A single Exchange e-mail domain.
Windows file servers, where home directories are managed.
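The HR-driven lifecycle processes above (automatic grant and revoke on detected SoR changes, rehire detection, unique persistent login IDs, and the caveat that only hires and removals in the HR feed are trusted while other attributes may be stale) are sketched here as an added example; this is not Hitachi ID code, and the snapshot fields, event names and sample records are constructed assumptions.

```python
# Added example, not Hitachi ID code: diff two HR snapshots into lifecycle events.
# Hires and removals are trusted triggers; other attribute changes only go to a
# manager for confirmation. Field names and all records are constructed samples.

def make_login(name, taken):
    """First initial + surname; numeric suffix 2, 3, ... on collision."""
    parts = name.lower().split()
    base = parts[0][0] + parts[-1]
    candidates = [base] + [f"{base}{n}" for n in range(2, 100)]
    return next(c for c in candidates if c not in taken)

def detect_events(prev, cur, archive):
    """Diff two HR snapshots into sorted (kind, employee_id, detail) events."""
    events = []
    for uid in cur.keys() - prev.keys():            # appeared in HR: hire or rehire
        old = archive.get(uid)
        events.append(("rehire", uid, old["login"]) if old else ("joiner", uid, None))
    for uid in prev.keys() - cur.keys():            # removed from HR: trusted leaver
        events.append(("leaver", uid, None))
    for uid in prev.keys() & cur.keys():            # still present: compare attributes
        diff = {k: (prev[uid].get(k), v) for k, v in cur[uid].items() if prev[uid].get(k) != v}
        if diff:                                    # HR attributes alone are not trusted
            events.append(("review", uid, diff))
    return sorted(events, key=lambda e: (e[0], e[1]))

def plan_actions(events, cur, existing_logins):
    """Map events to provisioning actions; review events change no access."""
    taken, actions = set(existing_logins), []
    for kind, uid, detail in events:
        if kind == "joiner":
            login = make_login(cur[uid]["name"], taken)
            taken.add(login)
            actions.append(("create", uid, login))
        elif kind == "rehire":                      # reactivate the archived profile
            actions.append(("reactivate", uid, detail))
        elif kind == "leaver":
            actions.append(("disable", uid, None))
        else:
            actions.append(("confirm_with_manager", uid, detail))
    return actions

# Constructed snapshots: E200 left, E300 is a rehire, E400 is new, E100 moved.
PREV = {"E100": {"name": "Ann Lee", "dept": "FIN", "manager": "E001"},
        "E200": {"name": "Bob Roy", "dept": "ENG", "manager": "E002"}}
CUR = {"E100": {"name": "Ann Lee", "dept": "OPS", "manager": "E003"},
       "E300": {"name": "Cy Diaz", "dept": "ENG", "manager": "E002"},
       "E400": {"name": "Amy Lee", "dept": "ENG", "manager": "E002"}}
ARCHIVE = {"E300": {"login": "cdiaz"}}           # profiles kept after termination
EXISTING_LOGINS = ["alee", "broy"]               # logins already in the directory
```

Running `plan_actions(detect_events(PREV, CUR, ARCHIVE), CUR, EXISTING_LOGINS)` yields one create (with a de-duplicated login), one disable, one reactivation and one review item that touches no access until confirmed.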
Additional target systems and applications
Initially, Identity Express: Corporate Edition can invite access administrators to
manually fulfill authorized access requests on not-yet-integrated
systems and applications. Over time, integrations should be added,
prioritizing based on request volume, to reduce the workload for
access administrator staff.
Integration with an incident management system is also supported in Identity Express: Corporate Edition,
but is not configured out-of-the-box, as no two IT service management
(ITSM) systems are alike. When ITSM integration is added, it is
Automatically create service incidents to reflect events such as
account creation and password resets, for consolidated record
keeping and analytics.
Allow users to request access for new hires and initiate terminations
through the ITSM portal, with logical access provisioned or
deactivated via Identity Manager.
Note that fine-grained access requests via ITSM are not
recommended, as this would require implementing sophisticated
segregation of duties policies, data filters, privacy
protection, etc. This quickly becomes a large, complex exercise
whose only deliverable is to re-implement the existing, working Identity Manager
request UI on the ITSM platform.