Reference implementations

As described in the previous section, IAM J/M/L processes can be quite complex. In practice, organizations that try to automate them may:

  1. Fail to identify all the relevant edge cases -- they then automate overly simple versions of their IAM processes and encounter problem edge cases in the real world. They will iterate, adding edge cases (discover, design, code, test, deploy, retest) but after a few iterations, may conclude that the problem is too large or complex and abort their attempt to automate J/M/L processes.

  2. Capture a reasonably complete set of process requirements up front, but then spend an inordinate amount of time in design, coding and testing. A realistic cost estimate may lead to abandoning the process automation before it gets very far.

Hitachi ID Systems has been engaged with customers in IAM deployments for over 15 years. As a result, we have seen the above patterns often and concluded that a fully custom approach to old-process discovery, new-process design, coding and testing is simply not feasible. This bespoke approach is effectively pre-industrial -- it fails to leverage standardization to improve quality and reduce cost.

Reference implementations are an alternative to fully custom process automation. In this approach, first an IAM implementation pattern is identified, such as the B2E or B2B patterns described earlier. Next, a set of best-practice processes is designed for the pattern at hand. Extensive investment is made in process design, to make it as robust and detailed as possible. Processes are implemented along with new versions of the IAM software, rather than "in the field" while attempting to implement the software into a customer environment. This has the effect of shifting cost and risk away from consultants to product engineering.

Hitachi ID IAM reference implementations are branded Hitachi ID Identity Express. They are composed of components, which encapsulate product configuration data, policy evaluation engines, policy rules and artifacts such as request screens, reports or dashboards. Components are related to one another through dependencies, similar to RPM or DEB packages in the Linux world. Components include data and code migration paths from one version to the next, making Identity Express not only easy to deploy but practical to migrate between environments (development, production, etc.) and across versions.

Hitachi ID currently offers two main reference implementations: Hitachi ID Identity Express: Workforce Edition and Hitachi ID Identity Express: Partner Portal Edition. These encapsulate best practices for the workforce and partner patterns, respectively. Hitachi ID is working on additional patterns.

Identity Express: Workforce Edition processes

Identity Express: Workforce Edition is a reference implementation of Hitachi ID Identity Manager and Hitachi ID Password Manager, designed to automate changes to identities, entitlements and credentials of a workforce, typically consisting of employees and contractors.

Identity Express: Workforce Edition includes the following baseline integrations:

  1. A SQL database that acts as a source of record for employees.
  2. A second SQL database that provides personally identifying information about users (mother's maiden name, driver's license, SSN/SIN, etc.). Note that these two can be views into the same database if required.
  3. A single Active Directory domain.
  4. A single Exchange mail domain, with multiple mail servers.
  5. A set of filesystems where home directories are managed.

Substitutions for the above integrations are possible, at the expense of somewhat longer implementation effort.

Additions to the above integrations are almost always provided -- the above set is simply the minimum required set of integrations, without which many processes break down.

Building on these integrations, Identity Express automates an extensive list of business processes, including:

  1. Onboarding new users:
    1. Based on their appearance in the system of record (HR driven for employees).
    2. Based on requests entered into the Hitachi ID Identity and Access Management Suite request portal, typically managers asking for access on behalf of new contractors and vendors.
  2. A sophisticated and secure process for setting initial passwords for new users and for "day 1" user profile activation:
    1. Newly created accounts are assigned random passwords, which are discarded by the system.
    2. New users can sign into the system from the login prompt of a Windows computer using a "password reset" UI element.
    3. New users enter their identifier (provided via message to personal e-mail or via communication to the new user's manager) and are prompted to (a) answer a series of personal questions (PII data captured during onboarding) and/or (b) enter a random PIN that was sent to their mobile phone.
    4. New users are then walked through the following enrollment process:
      1. Fill in a profile of security questions for future use (PII is only used once).
      2. Read and accept one or more corporate policy documents (acceptable use policy, HR policies, etc.).
      3. Select an initial password for the user's AD and any other accounts.
    5. The new user then shuts down the kiosk-mode web browser through which all these "day 1" activities took place and can sign into their PC normally, with their AD login ID and newly chosen password.
  3. Scheduled access deactivation, in the same manner as above, including:
    1. Advance warning to the user's manager, offering an opportunity to move the scheduled termination date.
    2. Disabling access (but not deleting anything) on the termination date.
    3. A "re-enable" request form for managers who failed to defer termination in advance, but who need to do so after the fact.
    4. Archiving some number of days after deactivation, including archiving home directories and mail folders, moving the user to a new OU, removing all group memberships and attaching new (e.g., "disabled users") group memberships.
    5. Deletion of accounts (but not identities inside Hitachi ID Suite) at a still later date.
  4. Urgent deactivation for all user types, where required.
  5. Rehire detection, so that when an attempt is made to onboard a "new" user who actually matches the identity of an old user:
    1. The request is blocked.
    2. If the old user profile was marked as "do not allow back," the process is terminated.
    3. If the old user profile was marked as "allow to return," a reactivation process is initiated instead.
  6. Leave of absence, triggered by both the SoR and by the request portal, on both departure and return dates.
  7. Access certification of user identities, manager/subordinate relationships and entitlements, both periodically and triggered by events such as user transfers.
  8. Portal requests and approvals for transfers, reorgs and relocations, including automatically triggered certification, reassignment of mail folders and home directories (if relocated), approval by new manager (if transferred), move to a new directory OU (if appropriate), etc.
  9. Self-service and delegated requests to update identity and contact information.
  10. Self-service and delegated requests for new entitlements, such as requests for group membership, for share/folder access and for SharePoint site/library access.
  11. Use of the system as a corporate white pages directory, with access controls limiting what one user can see of and request on behalf of another user. These access controls depend on how the requester and recipient users are related, rather than merely on the role of the requester.
  12. Password management includes:
    1. Managed collection (i.e., automated invitations and reminders, sent at a controlled pace) for security question data from users.
    2. Password expiration early warning.
    3. Password synchronization (if more than just a single AD domain is integrated), triggered both by native Windows password changes and the Hitachi ID Suite web UI.
    4. Self-service password reset, accessed via web browser or PC login prompt and authenticated using security questions and/or SMS/PIN to the user's mobile phone.
  13. Support for photographs of users as an identity attribute (URL to JPG).
  14. Many built-in reports.

The objective of Identity Express is to minimize initial and ongoing configuration of the identity and access management (IAM) system -- which lowers cost and reduces time to deploy.

All functionality in Identity Express is configured through policy tables. For example, a table defines how identity attributes are to be validated and (re)formatted. Another table specifies how change requests entered into the Hitachi ID Suite portal are to be routed to authorizers. Additional tables provide rules to look up values for OU, home directory path, mail server and volume, etc. Other tables specify actions and time intervals for various parts of the access deactivation process.
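The scheduled deactivation process listed above (warn the manager, disable, archive, delete) driven from a table of time intervals, as an added sketch that is not Identity Express code or its schema. The table layout, action names and day offsets are assumptions constructed for illustration, as is the rule that a deferral is only accepted before the disable date.

```python
from datetime import date, timedelta

# Hypothetical policy table (not the product's schema): day offsets relative
# to the scheduled termination date. Values are constructed for illustration.
POLICY = {"warn_manager": -14, "disable": 0, "archive": 30, "delete_accounts": 90}
ORDER = ["warn_manager", "disable", "archive", "delete_accounts"]


def validate(policy):
    """Reject tables that would skip or reorder a stage."""
    missing = [a for a in ORDER if a not in policy]
    if missing:
        raise ValueError(f"missing actions: {missing}")
    if policy["disable"] != 0:
        raise ValueError("disable must fall on the termination date")
    offsets = [policy[a] for a in ORDER]
    # Deleting before archiving would destroy data that was meant to be kept.
    if any(a >= b for a, b in zip(offsets, offsets[1:])):
        raise ValueError("offsets must increase: warn < disable < archive < delete")


def schedule(termination, policy=POLICY):
    """Dated list of actions for one user, in execution order."""
    validate(policy)
    return [(termination + timedelta(days=policy[a]), a) for a in ORDER]


def due_actions(termination, today, completed=(), policy=POLICY):
    """Actions whose date has arrived and that have not been carried out yet."""
    return [a for when, a in schedule(termination, policy)
            if when <= today and a not in completed]


def defer(termination, new_termination, today, completed=()):
    """Manager moves the termination date in advance of deactivation."""
    if "disable" in completed or today >= termination:
        raise PermissionError("already deactivated: use the re-enable request")
    if new_termination <= today:
        raise ValueError("new termination date must be in the future")
    return new_termination
```
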

The identity schema and managed entitlements are fully configurable, via the product administration web UI.

Identity Express: Partner Portal Edition processes

Identity Express: Partner Portal Edition is a reference implementation of Identity Manager and Password Manager, designed to automate changes to identities, entitlements and credentials of users affiliated with business partners.

Identity Express: Partner Portal Edition only requires two integrations: a managed directory, either Active Directory or LDAP, and an e-mail system, used to communicate with users. Building on these integrations, the reference implementation automates an extensive list of business processes, including:

  1. Delegated administration:
    1. Site administrators can create and delete partner organizations and users in those organizations.
    2. Partner administrators can create and delete users within their own organization.
  2. Delegated support allows partner administrators to reset passwords and clear lockouts for users in their own organization.
  3. Visibility control limits the users that any given user can see on the system. Regular users can only access their own profiles, partner administrators can access all users in their own organization and site administrators can access all user profiles.
  4. Self-service password reset / unlock minimizes the ongoing support burden placed on both site administrators and partner administrators.
  5. Two-factor authentication is used in the login screen, requiring all users to provide:
    1. Initially: a browser fingerprint, or a PIN sent to the user's mobile phone or personal e-mail, or use of the Hitachi ID Mobile Access app on the user's phone; then
    2. The user's directory password or answers to security questions.
  6. Federated access enables partner-facing applications to leverage the aforementioned strong authentication in their own login screens.
  7. Managed enrollment invites and reminds users to answer security questions, enter their phone number and install the Mobile Access app on their phone.
  8. Periodic access certification invites site administrators to update the list of partner administrators and partner administrators to correct the list of users in their own organizations.
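The delegated administration, delegated support and visibility rules in items 1 to 4 expressed as a default-deny check keyed on how the requester relates to the target, as an added sketch that is not the product's policy engine. The role, action and relationship names are assumptions; anything the list above does not grant (for example site administrators resetting passwords) is left denied.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    uid: str
    role: str                  # "user", "partner_admin" or "site_admin"
    org: Optional[str] = None  # assumption: site administrators have no partner org


SELF_SERVICE = {"view", "reset_password", "unlock"}

# Actions per role, keyed by the requester's relationship to the target.
# Anything not listed here is denied.
RULES = {
    "user":          {"self": SELF_SERVICE},
    "partner_admin": {"self": SELF_SERVICE,
                      "same_org": {"view", "create_user", "delete_user",
                                   "reset_password", "unlock"}},
    "site_admin":    {"self": SELF_SERVICE,
                      "any": {"view", "create_user", "delete_user",
                              "create_org", "delete_org"}},
}


def relationships(actor, target_org, target_uid):
    """All relationships that hold between the requester and the target."""
    rels = {"any"}
    if actor.org is not None and actor.org == target_org:
        rels.add("same_org")
    if target_uid is not None and actor.uid == target_uid:
        rels.add("self")
    return rels


def can(actor, action, target_org=None, target_uid=None):
    """True only if some rule for the actor's role grants the action."""
    by_rel = RULES.get(actor.role, {})  # unknown role: no rules, so denied
    return any(action in by_rel.get(rel, ())
               for rel in relationships(actor, target_org, target_uid))
```
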

The objective of Identity Express is to minimize initial and ongoing configuration of the IAM system -- which lowers cost and reduces time to deploy. At the same time, two-factor authentication, federated access, access certification and password policies strengthen security in the partner portal.

The identity schema and managed entitlements are fully configurable, via the product administration web UI.


Replacing legacy IAM processes with Identity Express has the following advantages over custom IAM implementations:

  • Optimized IAM processes: The business processes codified in Identity Express have been optimized for fast service and robust internal controls, improving on the legacy processes in most organizations.

  • Complete functionality: When implementing a custom IAM system, organizations can only automate one or two processes at a time. Most start with onboarding, deactivation or access reviews and only later automate transfers, leaves of absence, name changes, rehire detection, etc. In contrast, Identity Express allows organizations to automate a comprehensive set of identity lifecycle processes up front.

  • Efficient implementation: By adopting a pre-configured set of processes and policies, organizations minimize deployment risk, reduce implementation cost and shorten time to value.
