Automated user account creation is one of multiple scenarios included in a more general automated administration system.

Automated user management works by monitoring one or more systems of record and waiting for changes to user profile data. Detected changes are then:

  1. Filtered, so that only changes within the scope of the system remain.
  2. Transformed, from the data format of the system of record into the data format of the Identity and Access Management (IAM) system and of the target systems.
  3. Forwarded, from the IAM system to target systems.

Some examples of auto-provisioning/auto-deactivation are:

  1. Payroll staff create a record for a new hire in the HR application. The IAM system detects this change and submits a matching access request for a directory account, home directory, mail folder, application logins, etc.

  2. A termination date is set for an employee in an HR system. The IAM system detects this and sets the same date in the user's IAM profile. A batch process later detects that this date has lapsed and submits a deactivation request for the same user.

  3. A rogue administrator adds his accomplice's login account to the Domain Administrators security group. The IAM system detects this changed group membership, reverses it and sends an alert as a text message to a security officer.

Automatic Propagation of Changes in User Profile Data

Hitachi ID Identity Manager can monitor one or more systems of record on a periodic basis (e.g., every few hours), enumerating new, deleted and changed users. In the case of an HR application, for example, these changes may represent new hires, terminations and transfers. Auto-discovery is performed on all integrated systems and applications -- not just systems of record.

Changes detected by Hitachi ID Identity Manager are passed through a data filter, which removes users and accounts that are outside the scope of the deployed automation. For instance, in a scenario where Hitachi ID Identity Manager manages all users in one country, but the HR system is global, Hitachi ID Identity Manager would ignore changes to users in other countries.

All changes to a given user are aggregated into a single request. Business logic is executed against these requests, for example to fill in hidden attribute values or to select authorizers. This is best illustrated with some examples:

Detected change: New hire appears in HR data feed.
Processing:
  • Look up the appropriate role based on the user's attributes, such as location and job code.
  • Submit a workflow request to Hitachi ID Identity Manager to create a new user profile, with the HR-provided identity attributes and with the resources specified by the role.

Detected change: Attribute changes detected in HR.
Processing:
  • Detect changes to job code, manager, location or similar attributes in HR data.
  • Recalculate the user's user class memberships. If user classes change, recalculate which groups and roles should be auto-assigned. If this changes, submit workflow requests to assign and revoke roles and groups as appropriate.
Net result: Automatic adjustment of user roles and entitlements.

Detected change: New phone number detected on white pages directory.
Processing:
  • White pages has a higher priority for the phone number attribute than other systems.
  • Submit a change request to the Hitachi ID Identity Manager workflow manager to change the phone number in the user's profile.
  • Once approved (most likely automatically), the new phone number is mapped to other login IDs belonging to the user and connectors are run to update this information on other systems.
Net result: Identity synchronization.

Detected change: Change to termination date is detected on the HR system.
Processing:
  • Using the identity synchronization mechanism described above, set this date on the user's profile.
  • A separate batch process periodically identifies users with termination dates of today or earlier and submits requests to disable all accounts for every matching user.
Net result: Automated deactivation.

Detected change: User disappears from system of record (HR).
Processing:
  • Look up all of the user's login IDs.
  • Submit a "disable all accounts" change request to the Hitachi ID Identity Manager workflow manager.
  • Given the source of the request (employee gone from HR), this type of change may be auto-approved.
Net result: Automated deactivation.

Detected change: User was added to the Administrators group on an Active Directory domain.
Processing:
  • Change is detected in real time.
  • Since the change was detected on AD, it follows that it was not initiated by Hitachi ID Identity Manager.
  • Submit two change requests to the workflow manager:
    • Remove the user from the Administrators group (auto-approved).
    • Add the user back to the Administrators group (once approved).
  • Create a security incident in the help desk system.
Net result: Detect and reverse unauthorized privilege escalation.
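As an added illustration of the filter, aggregate and business-logic steps and of the periodic termination batch described above (example code written for this page, not Hitachi ID's implementation), the following Python processes two constructed snapshots of an HR feed; the role table, the attribute names and the shape of the workflow requests are assumptions.

```python
ROLE_TABLE = {("US", "ENG"): "engineer-us", ("US", "SALES"): "sales-us"}  # constructed stand-in for the role lookup
HR_BEFORE = {"u1": {"country": "US", "job_code": "ENG"}, "u2": {"country": "US", "job_code": "SALES"},
             "u3": {"country": "DE", "job_code": "ENG"}}  # constructed snapshots of the HR feed, not real data
HR_AFTER = {"u1": {"country": "US", "job_code": "ENG", "termination_date": "2024-01-31"},
            "u3": {"country": "DE", "job_code": "SALES"}, "u4": {"country": "US", "job_code": "ENG"}}

def diff_feed(previous, current):
    """Enumerate new, deleted and changed users between two snapshots of the system of record."""
    changes = [(uid, "new", current[uid]) for uid in sorted(current.keys() - previous.keys())]
    changes += [(uid, "deleted", previous[uid]) for uid in sorted(previous.keys() - current.keys())]
    for uid in sorted(current.keys() & previous.keys()):
        for attr in sorted(current[uid].keys() | previous[uid].keys()):
            if current[uid].get(attr) != previous[uid].get(attr):
                changes.append((uid, "changed:" + attr, current[uid]))
    return changes

def in_scope(change, country):  # filter step: keep only users in the country this deployment manages
    return change[2].get("country") == country

def aggregate(changes):
    """Fold every change to one user into a single pending request."""
    per_user = {}
    for uid, kind, attrs in changes:
        per_user.setdefault(uid, {"kinds": [], "attrs": attrs})["kinds"].append(kind)
    return per_user

def build_requests(per_user):
    """Business logic: turn each aggregated change into workflow requests."""
    requests = []
    for uid, agg in per_user.items():
        kinds, attrs = agg["kinds"], agg["attrs"]
        role = ROLE_TABLE.get((attrs.get("country"), attrs.get("job_code")), "default-role")
        if "new" in kinds:  # new hire: profile plus the resources implied by the role
            requests.append({"user": uid, "op": "create_profile", "role": role})
        elif "deleted" in kinds:  # gone from HR: disable everything, auto-approved
            requests.append({"user": uid, "op": "disable_all_accounts", "auto_approve": True})
        else:
            if "changed:job_code" in kinds or "changed:location" in kinds:
                requests.append({"user": uid, "op": "recalculate_roles", "role": role})
            if "changed:termination_date" in kinds:
                requests.append({"user": uid, "op": "set_termination_date", "date": attrs["termination_date"]})
    return requests

def run_pipeline(previous, current, country):  # filter, then aggregate, then apply business logic
    changes = [c for c in diff_feed(previous, current) if in_scope(c, country)]
    return build_requests(aggregate(changes))

def due_deactivations(profiles, today):
    """Batch step: users whose ISO-8601 termination date is today or earlier (string order is date order)."""
    return [uid for uid, p in sorted(profiles.items()) if p.get("termination_date") and p["termination_date"] <= today]
```

Running `run_pipeline(HR_BEFORE, HR_AFTER, "US")` yields a profile creation for u4, an auto-approved disable for u2 and a termination-date update for u1, while the German user u3 is filtered out as out of scope.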