Group lifecycle management
Hitachi ID Identity Manager supports full lifecycle management of group objects, including:
- Discovering all group objects on all target systems (this actually has available for many years).
- Capturing and updating metadata about groups -- risk scores, business unit, owner (when not available on target system), etc.
- Requests to create, move, modify or delete groups across multiple target systems, including rich metadata.
- Automatically calculating the membership of some groups (also in older versions).
- Requests for membership in other groups, including:
- A filtered search interface to all available groups. Policy determines what groups a given user can see in search results when formulating a request for a given recipient.
- The ability to compare group memberships between a recipient and model user, so as to more easily select a relevant entitlement.
- Recommendations for a given user, by seeing what groups that user's peer have that the user does not (yet).
- Controls over group membership, including maximum size, white lists (users who must be members) and black lists (users or classifications who must not be members).
Group membership management
Identity Manager can manage membership in existing groups and automatically detects new groups, which can subsequently be enabled (manually or automatically) for Identity Manager management.
Group membership management can be driven by multiple processes, including:
- Calculated membership (typically based on identity attributes);
- Self-service and delegated requests, with or without approval;
- Access certification (event-triggered and scheduled);
- Role based assignment (assign roles, automatically assign/revoke groups in those roles);
- Segregation of duties policy (between groups, roles, accounts);
- Out-of-band change detection (followed by alert or undo);
- Reporting (ad-hoc and scheduled).
Requests for group membership are often difficult for users to articulate. Users want to access a "thing" -- a share, folder, application or screen and they may not understand that this access right is linked to a group, or what group is needed. Identity Manager addresses this fundamental usability problem with a set of capabilities:
- Groups can be aggregated into roles, with more business-friendly names and descriptions. Users can be assigned roles automatically (for example, based on identity attributes) or may request roles for themselves or others.
- A search mechanism is provided for groups, allowing a requester to find a suitable group by guessing keywords in its name or description.
- A requester may be permitted to compare the group memberships of an intended recipient with the group memberships already held by a model user. The requester can then select some or all of the groups that the model has but which the recipient does not yet have.
- "Access denied" errors on key systems, such as the Windows client (when trying to open share, folders, etc.) or a SharePoint site can be intercepted. An alternate user interface is presented to the user, with a link to the appropriate group-request page.
Group membership changes can also be formulated from the perspective of groups, rather than users. i.e., "add these users to these groups" or "remove this child group from this parent group."