Scope of the 11.1 release
The Hitachi ID Suite 11.1 release includes all Hitachi ID products:
- Hitachi ID Identity Manager -- User provisioning, RBAC, SoD and access certification.
- Hitachi ID Password Manager -- Self service management of passwords, PINs and encryption keys.
- Hitachi ID Privileged Access Manager -- Secure administrator and service accounts.
These products can be deployed separately or together, in the following combinations:
- Identity Manager alone.
Note: this includes Hitachi ID Group Manager and Hitachi ID Access Certifier.
- Password Manager alone.
Note: this includes Hitachi ID Telephone Password Manager.
- Identity Manager and Password Manager in a shared instance.
- Privileged Access Manager alone.
- Group Manager -- a subset of Identity Manager strictly for group management.
Other combinations are technically possible but not actively tested.
What's new in 11.1
- Enhancements across the entire Hitachi ID Suite:
- Real-time monitoring of Active Directory for changes, to avoid the need for batch-oriented auto-discovery on this target system type.
- This makes it practical to integrate AD domains with millions of accounts.
- By shrinking the time required to discover accounts and groups on AD, more time is made available for discovery on other systems. This makes it practical to run auto-discovery on all other integrations every hour or two, for example.
- Support for extracting and archiving audit or historical data, such as logs or request history. Using this, policy can be defined to determine when to archive and when to delete records, to prevent an explosion of retained data and consequent storage and performance problems.
- A built-in Security Assertion Markup Language (SAML) service provider (SP), suitable for integration with federated access systems or strong authentication platforms.
- A REST API, suitable for searching for objects in Hitachi ID Suite and for submitting pre-defined requests into the workflow queue.
- Please see (2) for details about
- Identity Manager:
- Full lifecycle management of group objects across all integrated target system types. This includes:
- Expiry dates on group objects.
- Groups with maximum membership.
- Groups whose members are automatically assigned.
- Groups with membership set via a request/approval process.
- White-list and black-list members in groups whose membership is calculated.
- Attributes are assignable to the linkage between accounts or users on the one hand and entitlements on the other. This will enable simpler representation of when, where and why the entitlement was first assigned or discovered and when it is scheduled to be revoked.
- A resource browser and editor, where authorized staff can search for and add meta data to managed groups. This will be extended to roles, groups, SoD policies and other object types in
- Please see (3) for details about improvements in IM in 11.0.
- Privileged Access Manager:
- Analytical reports for the SSH web of trust, for example to identify accounts which are directly or indirectly trusted by many other accounts, and so represent elevated risk, or accounts which directly or indirectly trust many other accounts, and so are not well secured.
- Access disclosure via extensions to the Microsoft Edge browser (previous releases supported only Firefox, Chrome and Internet Explorer, since Edge had no support for browser extensions).
- The ability to terminate an active privileged login session in real time, from the UI used to watch activity in that session (previously a separate UI was used to disconnect active sessions).
- Please see (4) for details about improvements in PAM in 11.0.
- Password Manager:
- When a user signs into Password Manager, a policy based on their identity, group memberships, location, device type, time of day, etc. determines whether and for how long to sustain their session. This makes it possible, for example, to offer low risk users single sign-on while higher risk users or logins from high risk locations require fresh authentication on every access attempt.
- The ability to update locally cached passwords after a successful web-accessed password change, when the user accesses Password Manager using the Edge web browser. This was not possible before as it requires a browser extension, which Edge did not support until recently.
- Please see (5) for details about improvements in PM in 11.0.
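The SSH web-of-trust analysis listed under Privileged Access Manager above is a graph problem: every authorized_keys entry is a directed trust edge, and "directly or indirectly" means transitive reachability over that graph. The following Python is an added example written for this page, not Hitachi ID's code. It assumes a constructed key inventory (public-key blob to owning account) and constructed authorized_keys contents, and it resolves key owners from the key material rather than from the comment field, which anyone able to write the file can set to anything. Accounts that many others trust, directly or through chains, rank as elevated risk; accounts that trust many others rank as poorly secured.

```python
from collections import defaultdict, deque

# OpenSSH key types whose following field is the base64 key blob.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

# Constructed inventory: public-key blob -> account holding the private key.
# Real blobs are long base64 strings; these are shortened stand-ins.
KEY_INVENTORY = {
    "AAAAC3alice": "alice@laptop",
    "AAAAC3deploy": "deploy@ci01",
    "AAAAC3dba": "dba@jump01",
    "AAAAC3root": "root@db01",
}

# Constructed authorized_keys contents, keyed by the account whose file it is.
AUTHORIZED_KEYS = {
    "app@web01": "ssh-ed25519 AAAAC3deploy deploy-key\n",
    "app@web02": "# deployment key\nssh-ed25519 AAAAC3deploy deploy-key\n",
    "root@db01": 'from="10.0.0.5" ssh-ed25519 AAAAC3dba dba\n',
    "dba@jump01": "ssh-ed25519 AAAAC3alice alice\n",
    "deploy@ci01": "ssh-ed25519 AAAAC3alice alice\n",
    "backup@db01": "ssh-ed25519 AAAAC3root root@db01\n",
}


def trust_pairs_from_authorized_keys(authorized_keys, inventory):
    """Return (trusting, trusted) pairs: `trusted` can log in as `trusting`.

    Owners come from the key blob via the inventory, never from the comment.
    Key options containing quoted spaces are not handled (simplification)."""
    pairs = []
    for trusting, contents in authorized_keys.items():
        for line in contents.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            for i, field in enumerate(fields):
                if field in KEY_TYPES and i + 1 < len(fields):
                    owner = inventory.get(fields[i + 1])
                    if owner is not None and owner != trusting:
                        pairs.append((trusting, owner))
                    break
    return pairs


def build_trust_graph(pairs):
    trusts = defaultdict(set)      # account -> accounts that may log in as it
    trusted_by = defaultdict(set)  # account -> accounts it may log in as
    accounts = set()
    for trusting, trusted in pairs:
        trusts[trusting].add(trusted)
        trusted_by[trusted].add(trusting)
        accounts.update((trusting, trusted))
    return accounts, trusts, trusted_by


def reachable(start, adjacency):
    """Nodes reachable from start along edges, excluding start; safe on cycles."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def web_of_trust_report(pairs):
    """Per account: 'reach' = accounts that trust it directly or indirectly
    (losing this key exposes all of them: elevated risk); 'exposure' = accounts
    it trusts directly or indirectly (losing any of them exposes this account:
    not well secured)."""
    accounts, trusts, trusted_by = build_trust_graph(pairs)
    return {acct: {"reach": sorted(reachable(acct, trusted_by)),
                   "exposure": sorted(reachable(acct, trusts))}
            for acct in accounts}


def rank_by(report, key, top=3):
    """Accounts with the largest `key` set first; ties broken by name."""
    return sorted(report, key=lambda a: (-len(report[a][key]), a))[:top]


if __name__ == "__main__":
    rep = web_of_trust_report(trust_pairs_from_authorized_keys(AUTHORIZED_KEYS, KEY_INVENTORY))
    for acct in rank_by(rep, "reach"):
        print(f"elevated risk: {acct} is trusted by {len(rep[acct]['reach'])} accounts")
    for acct in rank_by(rep, "exposure"):
        print(f"poorly secured: {acct} trusts {len(rep[acct]['exposure'])} accounts")
```

On the constructed data, alice@laptop's key is accepted, through chains, by all six other accounts, so it is the highest-risk key; backup@db01 trusts a chain of three accounts, so it is the least well secured. The same ranking logic applies unchanged to a full inventory; the parser is the part that needs hardening for real files (option parsing, key fingerprints instead of raw blobs).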
Hitachi ID Suite 11.1 screen shots
Configuration export by time/date range
Migration tools are provided with Hitachi ID Suite to extract the configuration of a running system into files and to import those files back into another running system. With 11.1, these tools have been updated:
- The file format is now JSON rather than XML.
- Export tools can select configuration changes by time and date range. Note that this entailed changes to the entire product as all commits to the database must be time-stamped.
Exporting configuration from a time/date range
Improved usability in access certification
A variety of user interface enhancements have been made to access certification screens. This includes an option to insert instructions to certifiers who begin their review, better highlighting of what changed when a review is of profile attributes, capturing and displaying entitlement change history and indicating to reviewers which entitlements are consistent with a given user's peers and which ones are unusual.
Peer groups are defined using identity attributes. For example, users who share location and department codes might be designated as sharing a peer group. Both the request and review UIs leverage peer groups to help requesters and reviewers, respectively, make informed decisions.
Offer reviewers instructions when they start working on a certification segment
Pop-up display of the change history of an entitlement
Highlight which attributes have been modified in the review
Score entitlements based on consistency with peers, drawing attention to those that are unusual
Recommending entitlements to requesters
The same peer groups that identify out-of-pattern entitlements to reviewers can also be used to recommend likely-desired entitlements to requesters. Entitlements that are popular among a given user's peers but not yet assigned to that user are displayed first in the list of available, requestable items.
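Peer-group scoring, as used by both the certification screens and the request UI described above, as an added Python example that is not part of the product: peers are users sharing the configured identity attributes (location and department here, over a constructed data set), each entitlement is scored by the fraction of peers holding it, a reviewer sees the user's low-scoring entitlements flagged as unusual, and a requester sees popular entitlements the user does not yet hold listed first. A user with no peers gets no scores rather than a misleading zero.

```python
from collections import Counter

# Identity attributes that define a peer group (assumption for this example).
PEER_ATTRIBUTES = ("location", "department")

# Constructed identity data: attributes plus currently assigned entitlements.
USERS = {
    "alice": {"location": "CGY", "department": "FIN",
              "entitlements": {"ERP-AP", "ERP-GL", "VPN"}},
    "bob":   {"location": "CGY", "department": "FIN",
              "entitlements": {"ERP-AP", "ERP-GL", "VPN", "SharedDrive-FIN"}},
    "carol": {"location": "CGY", "department": "FIN",
              "entitlements": {"ERP-AP", "VPN", "SharedDrive-FIN"}},
    "dave":  {"location": "CGY", "department": "FIN",
              "entitlements": {"ERP-AP", "ERP-GL", "VPN", "SharedDrive-FIN", "DBA-Prod"}},
    "erin":  {"location": "YYZ", "department": "ENG",
              "entitlements": {"VPN", "GitRepo", "DBA-Prod"}},
}


def peer_group(users, user_id, attributes=PEER_ATTRIBUTES):
    """Users sharing every peer attribute with user_id, excluding user_id itself."""
    key = tuple(users[user_id][a] for a in attributes)
    return [u for u, rec in users.items()
            if u != user_id and tuple(rec[a] for a in attributes) == key]


def peer_popularity(users, user_id, attributes=PEER_ATTRIBUTES):
    """Fraction of the user's peers holding each entitlement seen among them.
    Empty when the user has no peers: there is no basis for a score."""
    peers = peer_group(users, user_id, attributes)
    if not peers:
        return {}
    counts = Counter(e for p in peers for e in users[p]["entitlements"])
    return {e: n / len(peers) for e, n in counts.items()}


def score_review(users, user_id, unusual_below=0.25, attributes=PEER_ATTRIBUTES):
    """Reviewer view: each held entitlement with its peer score, plus the subset
    flagged unusual because fewer than `unusual_below` of peers hold it."""
    popularity = peer_popularity(users, user_id, attributes)
    if not popularity:
        return {}, []
    scores = {e: popularity.get(e, 0.0) for e in sorted(users[user_id]["entitlements"])}
    unusual = [e for e, s in scores.items() if s < unusual_below]
    return scores, unusual


def recommend(users, user_id, min_score=0.5, attributes=PEER_ATTRIBUTES):
    """Requester view: entitlements popular among peers that the user does not
    hold, most popular first."""
    popularity = peer_popularity(users, user_id, attributes)
    held = users[user_id]["entitlements"]
    candidates = [(e, s) for e, s in popularity.items() if e not in held and s >= min_score]
    return sorted(candidates, key=lambda es: (-es[1], es[0]))


if __name__ == "__main__":
    scores, unusual = score_review(USERS, "dave")
    print("review of dave:", scores, "unusual:", unusual)
    print("recommendations for alice:", recommend(USERS, "alice"))
    print("recommendations for erin (no peers):", recommend(USERS, "erin"))
```

Here dave's DBA-Prod entitlement is held by none of his finance peers and is flagged for the reviewer, while alice is offered SharedDrive-FIN first because every one of her peers has it. The thresholds are policy knobs; the score itself is the only output a UI needs in order to sort or highlight.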
Score entitlements based on popularity among the peer group and display high-probability items first
Updated mobile activation UI/UX
The user interface of Hitachi ID Mobile Access has been updated. The app is used both for initial activation and, afterwards, either as an authentication factor when signing into the Hitachi ID Suite UI on a PC or as a remote UI rendered on the smart phone.
Initial launch -- prior to enrolling a user profile with Mobile Access
Activating Mobile Access by scanning a QR code on the PC.