Introduction

This document outlines the new and improved features of the 11.1 release of Hitachi ID Identity and Access Management Suite. Version 11.1 was released to Hitachi ID Systems customers on 2018-01-24.

Scope of the 11.1 release

The Hitachi ID Suite 11.1 release includes all Hitachi ID products:

  1. Hitachi ID Identity Manager -- User provisioning, RBAC, SoD and access certification.
  2. Hitachi ID Password Manager -- Self service management of passwords, PINs and encryption keys.
  3. Hitachi ID Privileged Access Manager -- Secure administrator and service accounts.

These products can be deployed separately or together, in the following combinations:

  1. Identity Manager alone.
    Note: this includes Hitachi ID Group Manager and Hitachi ID Access Certifier.
  2. Password Manager alone.
    Note: this includes Hitachi ID Telephone Password Manager.
  3. Identity Manager and Password Manager in a shared instance.
  4. Privileged Access Manager alone.
  5. Group Manager -- a subset of Identity Manager strictly for group management.

Other combinations are technically possible but not actively tested.

What's new in 11.1

Hitachi ID Suite 11.0 is a major new release. It includes hundreds of minor improvements and bug fixes in addition to the following major capabilities:

  • Enhancements across the entire Hitachi ID Suite:

    1. Real-time monitoring of Active Directory for changes, to avoid the need for batch-oriented auto-discovery on this target system type:

      • This makes it practical to integrate AD domains with millions of accounts.
      • By shrinking the time required to discover accounts and groups on AD, more time is made available for discovery on other systems. This makes it practical to run auto-discovery on all other integrations every hour or two, for example.

    2. Support for extracting and archiving audit or historical data, such as logs or request history. Using this, policy can be defined to determine when to archive and when to delete records, to prevent an explosion of retained data and consequent storage and performance problems.

    3. A built-in Security Assertions Markup Language (SAML) service provider (SP), suitable for integration with federated access systems or strong authentication platforms.

    4. A REST API, suitable for searching for objects in Hitachi ID Suite and for submitting pre-defined requests into the workflow queue.

    5. Please see (2) for details about suite-wide improvements.

  • Identity Manager:

    1. Full lifecycle management of group objects across all integrated target system types. This includes:
      • Expiry dates on group objects.
      • Groups with maximum membership.
      • Groups whose members are automatically assigned.
      • Groups with membership set via a request/approval process.
      • White-list and black-list members in groups whose membership is calculated.

    2. Attributes are assignable to the linkage between accounts or users on the one hand and entitlements on the other. This will enable simpler representation of when, where and why the entitlement was first assigned or discovered and when it is scheduled to be revoked.

    3. A resource browser and editor, where authorized staff can search for and add meta data to managed groups. This will be extended to roles, groups, SoD policies and other object types in subsequent releases.

    4. Please see (3) for details about improvements in IM in 11.0.

  • Privileged Access Manager:

    1. Analytical reports for the SSH web of trust, for example to identify accounts which are directly or indirectly trusted by many other accounts, and so represent elevated risk, or accounts which directly or indirectly trust many other accounts, and so are not well secured.

    2. Access disclosure via extensions to the Microsoft Edge browser (previous releases supported Firefox, Chrome and Internet Explorer, as Edge had no support for browser extensions).

    3. The ability to terminate an active privileged login session in real time, from the UI used to watch activity in that session (previously a separate UI was used to disconnect active sessions).

    4. Please see (4) for details about improvements in PAM in 11.0.

  • Password Manager:

    1. When a user signs into Password Manager, a policy based on their identity, group memberships, location, device type, time of day, etc. determines whether and for how long to sustain their session. This makes it possible, for example, to offer low risk users single sign-on while higher risk users or logins from high risk locations require fresh authentication on every access attempt.

    2. The ability to update locally cached passwords after a successful web-accessed password change, when the user accesses Password Manager using the Edge web browser. This was not possible before as it requires a browser extension, which Edge did not support until recently.

    3. Please see (5) for details about improvements in PM in 11.0.
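
The SSH web-of-trust reports listed under Privileged Access Manager above come down to reachability on a directed trust graph. The following is an added example, not Hitachi ID code; the "host:account" names, the edge list and the function names are constructed for illustration, and an edge (truster, trusted) is assumed to mean that the truster's authorized_keys accepts a key held by the trusted account.

```python
from collections import defaultdict

# Constructed sample: (truster, trusted) means the truster account's
# authorized_keys accepts a key held by the trusted account.
TRUST_EDGES = [
    ("web1:deploy", "build:ci"),
    ("web2:deploy", "build:ci"),
    ("db1:backup",  "web1:deploy"),
    ("build:ci",    "laptop:dev"),
    ("db1:backup",  "ops:admin"),
    ("ops:admin",   "db1:backup"),   # mutual trust: forms a cycle
]


def _adjacency(edges, reverse=False):
    """Build truster -> trusted adjacency, or the reverse direction."""
    adj = defaultdict(set)
    for truster, trusted in edges:
        a, b = (trusted, truster) if reverse else (truster, trusted)
        adj[a].add(b)
    return adj


def _reach(adj, start):
    """All accounts reachable from start (excluding start); cycle-safe DFS."""
    seen, stack = set(), [start]
    while stack:
        for nxt in adj.get(stack.pop(), ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def trust_report(edges):
    """Per account: who trusts it and whom it trusts, directly or indirectly."""
    accounts = {a for edge in edges for a in edge}
    fwd, rev = _adjacency(edges), _adjacency(edges, reverse=True)
    return {a: {"trusted_by": _reach(rev, a), "trusts": _reach(fwd, a)}
            for a in accounts}


def top(report, field, n=3):
    """Accounts with the largest 'trusted_by' or 'trusts' set, ties by name."""
    return sorted(report, key=lambda a: (-len(report[a][field]), a))[:n]
```

Ranking by "trusted_by" surfaces accounts whose key compromise would expose the most other accounts; ranking by "trusts" surfaces accounts reachable from the most keys.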

Hitachi ID Suite 11.1 screen shots

Configuration export by time/date range

Migration tools are provided with Hitachi ID Suite to extract the configuration of a running system into files and to import those files back into another running system. With 11.1, these tools have been updated:

  1. The file format is now JSON rather than XML.
  2. Export tools can select configuration changes by time and date range. Note that this entailed changes to the entire product as all commits to the database must be time-stamped.


Exporting configuration from a time/date range


Improved usability in access certification

A variety of user interface enhancements have been made to access certification screens. These include an option to present instructions to certifiers as they begin their review, better highlighting of what changed when a review covers profile attributes, capturing and displaying entitlement change history, and indicating to reviewers which entitlements are consistent with a given user's peers and which are unusual.

Peer groups are defined using identity attributes. For example, users who share location and department codes might be designated as sharing a peer group. Both the request and review UIs leverage peer groups to help requesters and reviewers, respectively, make informed decisions.


Offer reviewers instructions when they start working on a certification segment



Pop-up display of the change history of an entitlement



Highlight which attributes have been modified in the review



Score entitlements based on consistency with peers, drawing attention to those that are unusual


Recommending entitlements to requesters

The same peer groups that identify out-of-pattern entitlements to reviewers can also be used to recommend likely-desired entitlements to requesters. Entitlements that are popular among a given user's peers but not yet assigned to that user are displayed first in the list of available, requestable items.


Score entitlements based on popularity among the peer group and display high-probability items first
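
The peer-group scoring described in the two sections above, for reviewers and for requesters, can be sketched as follows. This is an added example, not Hitachi ID code; the user records, entitlement names, thresholds, minimum peer-group size and function names are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data: identity attributes and current entitlements per user.
USERS = {
    "alice": {"location": "YYC", "department": "FIN", "entitlements": {"gl-read", "gl-post", "vpn"}},
    "bob":   {"location": "YYC", "department": "FIN", "entitlements": {"gl-read", "gl-post", "vpn"}},
    "carol": {"location": "YYC", "department": "FIN", "entitlements": {"gl-read", "vpn", "domain-admin"}},
    "dave":  {"location": "YYC", "department": "FIN", "entitlements": {"gl-read"}},
    "erin":  {"location": "NYC", "department": "IT",  "entitlements": {"domain-admin", "vpn"}},
}
PEER_ATTRS = ("location", "department")  # assumed peer-group definition
MIN_PEERS = 3  # assumed: below this, a peer group is too small to score against


def peers_of(users, user, attrs=PEER_ATTRS):
    """Other users whose identity attributes all match this user's."""
    key = tuple(users[user][a] for a in attrs)
    return {n for n, r in users.items()
            if n != user and tuple(r[a] for a in attrs) == key}


def prevalence(users, user):
    """Map entitlement -> fraction of peers holding it, or None if no baseline."""
    peers = peers_of(users, user)
    if len(peers) < MIN_PEERS:
        return None
    counts = Counter(e for p in peers for e in users[p]["entitlements"])
    seen = set(counts) | users[user]["entitlements"]
    return {e: counts[e] / len(peers) for e in seen}


def unusual_for_review(users, user, threshold=0.25):
    """Entitlements the user holds that few peers hold, rarest first."""
    score = prevalence(users, user)
    if score is None:
        return None  # no peer baseline: reviewer must assess every entitlement
    held = users[user]["entitlements"]
    return sorted((e for e in held if score[e] < threshold),
                  key=lambda e: (score[e], e))


def recommend_for_request(users, user, minimum=0.5):
    """Entitlements popular among peers but not yet held, most popular first."""
    score = prevalence(users, user)
    if score is None:
        return []
    held = users[user]["entitlements"]
    return sorted((e for e in score if e not in held and score[e] >= minimum),
                  key=lambda e: (-score[e], e))
```

A user with too few peers gets no score rather than a misleading one: the review function returns None instead of an empty "nothing unusual" list.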


Updated mobile activation UI/UX

The user interface of Hitachi ID Mobile Access has been updated. This UI is used both to initially activate the app and, later, to navigate through it, whether the app is being used as an authentication factor to sign into the Hitachi ID Suite UI on a PC or as a remote UI rendered on the smart phone.


Initial launch -- prior to enrolling a user profile with Mobile Access



Activating Mobile Access by scanning a QR code on the PC.