Hitachi ID Bravura Identity can monitor one or more systems of record on a periodic basis (e.g., every few hours), enumerating new, deleted and changed users. In the case of an HR application, for example, these changes may represent new hires, terminations and transfers. Auto-discovery is performed on all integrated systems and applications -- not just systems of record.
Changes detected by Bravura Identity are passed through a data filter, which removes users and accounts that are outside the scope of the deployed automation. For instance, in a scenario where Bravura Identity manages all users in one country, but the HR system is global, Bravura Identity would ignore changes to users in other countries.
All changes to a given user are aggregated into a single request. Business logic is executed against these requests, for example to fill in hidden attribute values or to select authorizers. This is best illustrated with some examples:
| Detected change | Net result |
|---|---|
| New hire appears in HR data feed. | Auto-provisioning. |
| Attribute changes detected in HR. | Automatic adjustment of user roles, entitlements. |
| New phone number detected on white pages directory. | Identity synchronization. |
| Change to termination date is detected on the HR system. | Automated deactivation. |
| User disappears from system of record (HR). | Automated deactivation. |
| User was added to Administrators group on Active Directory domain. | Detect and reverse unauthorized privilege escalation. |
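The detect, filter, aggregate and decide cycle described above, as an added Python illustration written for this page (not Bravura Identity's own code). The HR record layout, the single in-scope country, the two constructed snapshots and the action names are all assumptions; only changes on the HR system of record are modelled.

```python
# Added example for this page, not Bravura Identity's code; record layout, scope and action names are assumed.
# Constructed sample snapshots of an HR feed, keyed by employee id.
PREVIOUS = {
    "e100": {"country": "CA", "dept": "Sales", "term_date": None},
    "e101": {"country": "CA", "dept": "Eng", "term_date": None},
    "e102": {"country": "DE", "dept": "Eng", "term_date": None},
    "e103": {"country": "CA", "dept": "Eng", "term_date": None},
}
CURRENT = {
    "e101": {"country": "CA", "dept": "Ops", "term_date": "2024-06-30"},
    "e102": {"country": "DE", "dept": "Sales", "term_date": None},
    "e103": {"country": "CA", "dept": "Eng", "term_date": None},
    "e104": {"country": "CA", "dept": "Eng", "term_date": None},
}
IN_SCOPE = {"CA"}  # assumed: this deployment manages only Canadian users


def detect_changes(prev, cur):
    """Enumerate new, deleted and changed users between two periodic snapshots."""
    events = []
    for uid in sorted(cur.keys() - prev.keys()):
        events.append((uid, "new"))
    for uid in sorted(prev.keys() - cur.keys()):
        events.append((uid, "deleted"))
    for uid in sorted(prev.keys() & cur.keys()):
        for attr, value in cur[uid].items():
            if value != prev[uid].get(attr):
                events.append((uid, "changed:" + attr))
    return events


def build_requests(prev, cur):
    """Apply the data filter, then fold each user's changes into a single request."""
    requests = {}
    for uid, change in detect_changes(prev, cur):
        record = cur.get(uid) or prev[uid]
        if record["country"] not in IN_SCOPE:  # out of scope: ignore the change
            continue
        requests.setdefault(uid, []).append(change)
    return requests


def net_result(changes):
    """Business logic: map one user's aggregated changes to a net result from the table."""
    if "new" in changes:
        return "auto-provision"
    if "deleted" in changes or "changed:term_date" in changes:
        return "automated deactivation"
    return "adjust roles and entitlements"


def decide_actions(requests):
    return {uid: net_result(changes) for uid, changes in requests.items()}
```

Running `decide_actions(build_requests(PREVIOUS, CURRENT))` yields one action per in-scope user with changes; the German user's department change and the unchanged user produce no request at all.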
Conceptual Data Flows
Data flow in the auto-provisioning process
Content:
- HR creates new employees in the HR system.
- HiIM detects the changes and requests network and application access.
- Managers approve requests and new accounts are created.
Key concepts:
- Leverage HR input to automatically create and delete logical access.
- Manager approval can be used if HR is not totally authoritative.
Data flow in the scheduled deactivation process
Content:
- A termination date is scheduled for a contractor.
- HiIM reminds the manager that the date can be changed before it passes.
- Access is automatically disabled on the termination date.
- Accounts are deleted at a later date.
Key concepts:
- Lifecycle events, such as hires and terminations, can be scheduled.
- Sequences of events, such as advance warnings before the termination date and actual deletion at a later date, are also automated.
Watch Movies
Automatic provisioning of new hires: from HR to first login
Content:
- A new employee is added to an HR application.
- A batch process is triggered manually (just for demos -- normally it is scheduled).
- Accounts for the new user are automatically created on AD and elsewhere.
Key concepts:
- Automation is typically a batch process that runs at least once daily.
- Business logic determines what to do when user records are added to, removed from or changed on each system of record.
- Most suitable for coarse-grained (i.e., hire/fire) changes detected on HR systems.
- Can also automate synchronization of identity attributes between systems.
First login for new contractor
Content:
- A newly hired contractor signs in by answering security questions based on PII data (driver's license, mother's maiden name, date of birth, etc.).
- A random PIN may also be sent to the user's phone or personal e-mail address.
- Once authenticated, the user must complete a profile of security questions / answers.
- The user resets his own password -- there was never a known, shared password value.
- The user may be asked to review and accept policy documents at first login.
Key concepts:
- Eliminate the need for predictable initial password.
- Capture security questions at first login.
- Get new users to read and accept policy documents.
A manager defers a subordinate's scheduled termination date
Content:
- After a termination has been scheduled, but before it has been carried out, it can still be deferred.
- The manager of a user scheduled for deactivation is automatically invited to review and possibly defer the termination date.
Key concepts:
- Batch processes send advance warnings of scheduled events like termination.
- Users can follow an embedded link and make appropriate changes, if required.