In many organizations, directories such as LDAP and AD have too many groups. Groups are used to assign access rights, as mail distribution lists or both. When there are lots of groups:
- It's hard to tell what a given user has access to, and whether those access rights are appropriate.
- Assigning the right groups to users, when they first join an organization or after they move to a new role or department, is difficult.
- Users don't know which groups to ask for, when they need additional access rights.
- There are rarely effective processes to remove users from groups or delete groups entirely. This means that groups only multiply and become less manageable over time.
While each group normally represents a business function, groups are managed by IT rather than business users, which adds cost, confusion and delay to change processes.
Hitachi ID Identity Manager Solution
- Managed by business users:
Identity Manager moves group management on Active Directory, LDAP and other systems out of IT and into the hands of business users. Users create, modify or delete groups and add or remove members.
- More efficient:
Identity Manager reduces the cost of group administration by moving processes to create, populate and delete groups out of manual IT tasks and into a combination of unattended/automated processes and self-service, in the hands of business users.
- Agile processes:
Identity Manager reduces delay in group changes by creating and removing groups automatically in response to data feeds, by attaching users to groups based on rules and by moving manual change requests to a self-service portal and automated approval workflows.
- Internal controls:
Identity Manager addresses risks due to inappropriate group memberships and excess permissions by detecting and reversing unauthorized/out-of-band changes, by subjecting group memberships to segregation of duties (SoD) rules, by inviting stake-holders to authorize changes and by engaging with group owners, managers or other stake-holders to review and correct group memberships.
- Accurate model:
Identity Manager correctly models group hierarchy and can assign, revoke and analyze parent/child group relationships.
Hitachi ID Identity Manager supports the automation of full group lifecycle management.