Introduction

This document outlines the new and improved features of the 11.1 release of Hitachi ID Identity and Access Management Suite. Version 11.1 was released to Hitachi ID Systems customers on 2018-01-24.

Scope of the 11.1 release

The Hitachi ID Suite 11.1 release includes all Hitachi ID products:

  1. Hitachi ID Identity Manager -- User provisioning, RBAC, SoD and access certification.
  2. Hitachi ID Password Manager -- Self-service management of passwords, PINs and encryption keys.
  3. Hitachi ID Privileged Access Manager -- Secure administrator and service accounts.

These products can be deployed separately or together, in the following combinations:

  1. Identity Manager alone.
    Note: this includes Hitachi ID Group Manager and Hitachi ID Access Certifier.
  2. Password Manager alone.
    Note: this includes Hitachi ID Telephone Password Manager.
  3. Identity Manager and Password Manager in a shared instance.
  4. Privileged Access Manager alone.
  5. Group Manager -- a subset of Identity Manager strictly for group management.

Other combinations are technically possible but not actively tested.

What's new in 11.1

Hitachi ID Suite 11.1 is a minor new release. It includes many improvements and bug fixes, among them the following:

  • Enhancements across the entire Hitachi ID Suite:

    1. Updated migration tools to extract configuration changes from one product instance based on a date range (e.g., "export everything configured today") and import those changes into another instance. This will significantly aid migrations across development, test and production environments.

    2. Extensible method functions in the REST API, implemented on the Hitachi ID Suite server using a local/shared memory API and exposed as web services to remote callers.

    3. Expanded support for localization of text in configuration components.

    4. A new log censorship program suitable for sanitizing diagnostic logs by removing any PII before sending them to Hitachi ID to request technical support. This is especially helpful for organizations subject to GDPR.

    5. Simplified activation of Hitachi ID Mobile Access on smart phones.

    6. Please see (2) for details about suite-wide improvements in 11.1.

  • Identity Manager:

    1. A recommendation engine for group membership:
      1. Requesters can ask for recommendations when requesting groups for themselves or others.

      2. Reviewers are presented with a score indicating how consistent a given group assignment is, when comparing the user who has the group to their peers.

      Recommendations are based on peer groups -- sets of users who share the same values for key identity attributes, such as department or location codes.

    2. When a single reviewer is assigned multiple segments within a single campaign, the segments can be consolidated into a single invitation e-mail and single navigational link.

    3. Ability to display resource and entitlement attributes to reviewers in a certification campaign.

    4. Ability to incorporate instructions to reviewers in each campaign.

    5. Please see (3) for details about improvements in IM in 11.1.

  • Privileged Access Manager:

    1. A new PAM reference implementation, which incorporates a team structure for access control and delegates onboarding of systems and accounts to stakeholders such as application owners and system administrators.

    2. Authorized users can now download multiple session recordings at once, rather than one at a time.

    3. Please see (4) for details about improvements in PAM in 11.1.

  • Password Manager:

    1. Improved integration with the Cisco AnyConnect VPN for users who need to reset a locally cached password while off-site.

    2. Please see (5) for details about improvements in PM in 11.1.

Hitachi ID Suite 11.1 screen shots

Configuration export by time/date range

Migration tools are provided with Hitachi ID Suite to extract the configuration of a running system into files and to import those files back into another running system. With 11.1, these tools have been updated:

  1. The file format is now JSON rather than XML.
  2. Export tools can select configuration changes by time and date range. Note that this entailed changes to the entire product as all commits to the database must be time-stamped.


Exporting configuration from a time/date range


Improved usability in access certification

A variety of user interface enhancements have been made to access certification screens. These include an option to present instructions to certifiers when they begin their review, better highlighting of what changed when a review covers profile attributes, capturing and displaying entitlement change history, and indicating to reviewers which entitlements are consistent with a given user's peers and which ones are unusual.

Peer groups are defined using identity attributes. For example, users who share location and department codes might be designated as sharing a peer group. Both the request and review UIs leverage peer groups to help requesters and reviewers, respectively, make informed decisions.


Offer reviewers instructions when they start working on a certification segment



Pop-up display of the change history of an entitlement



Highlight which attributes have been modified in the review



Score entitlements based on consistency with peers, drawing attention to those that are unusual


Recommending entitlements to requesters

The same peer groups that identify out-of-pattern entitlements to reviewers can also be used to recommend likely-desired entitlements to requesters. Entitlements that are popular among a given user's peers but not yet assigned to that user are displayed first in the list of available, requestable items.


Score entitlements based on popularity among the peer group and display high-probability items first
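The peer-group logic described in the two sections above can be sketched as follows. This is an added example, not Hitachi ID's code or scoring algorithm: it assumes the score is simply the fraction of a user's peers who hold a group, and the users, attribute names, group names and the `min_score` threshold are all constructed for illustration.

```python
from collections import Counter

# Constructed sample identities; attribute and group names are hypothetical.
USERS = {
    "alice": {"dept": "FIN", "loc": "YYC", "groups": {"fin-ledger", "fin-reports", "vpn"}},
    "bob":   {"dept": "FIN", "loc": "YYC", "groups": {"fin-ledger", "fin-reports", "vpn"}},
    "carol": {"dept": "FIN", "loc": "YYC", "groups": {"fin-ledger", "vpn", "db-admin"}},
    "dave":  {"dept": "FIN", "loc": "YYC", "groups": {"fin-ledger"}},
    "erin":  {"dept": "IT",  "loc": "YYC", "groups": {"db-admin", "vpn"}},
}
PEER_KEYS = ("dept", "loc")  # assumption: peers share department and location


def peers_of(user, users=USERS, keys=PEER_KEYS):
    """Other users with identical values for every peer-group attribute."""
    me = users[user]
    return [u for u, rec in users.items()
            if u != user and all(rec[k] == me[k] for k in keys)]


def prevalence(user, users=USERS, keys=PEER_KEYS):
    """Fraction of peers holding each group, or None if the user has no peers."""
    peers = peers_of(user, users, keys)
    if not peers:
        return None
    counts = Counter(g for p in peers for g in users[p]["groups"])
    return {g: n / len(peers) for g, n in counts.items()}


def review_scores(user, users=USERS, keys=PEER_KEYS):
    """Reviewer view: held groups with peer prevalence, most unusual first."""
    prev = prevalence(user, users, keys)
    held = sorted(users[user]["groups"])
    if prev is None:  # no peer group: report "no basis" rather than "unusual"
        return [(g, None) for g in held]
    return sorted(((g, prev.get(g, 0.0)) for g in held), key=lambda s: (s[1], s[0]))


def recommendations(user, users=USERS, keys=PEER_KEYS, min_score=0.5):
    """Requester view: groups popular among peers but not yet held, best first."""
    prev = prevalence(user, users, keys) or {}
    held = users[user]["groups"]
    recs = [(g, s) for g, s in prev.items() if g not in held and s >= min_score]
    return sorted(recs, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    print(review_scores("carol"))
    print(recommendations("dave"))
```

In the sample data, `carol` holds `db-admin` although none of her peers do, so it sorts to the top of her review list, while a user with no peers gets `None` scores instead of being flagged as entirely unusual.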


Updated mobile activation UI/UX

The user interface of Mobile Access has been updated. This interface is used both to initially activate the app and, later, to navigate between using the app as an authentication factor to sign into the Hitachi ID Suite UI on a PC and using it as a remote UI rendered on the smart phone.


Initial launch -- prior to enrolling a user profile with Mobile Access



Activating Mobile Access by scanning a QR code on the PC.