Consolidated and Delegated User Administration
Consolidated User Administration
Identity Manager includes a consolidated user administration console, allowing global security administrators to look up the enterprise-wide access profile of any existing user and make cross-system updates, such as:
- List existing accounts and groups.
- Create new and delete existing accounts.
- Read and write identity attributes associated with a user object.
- Read and set flags, such as "account enabled/disabled," "account locked," and "intruder lockout."
- Change the login ID of an existing account (rename user).
- Read a user's group memberships.
- Read a list of a group's member users.
- Add an account to or remove an account from a group.
- Create, delete and set the attributes of a group.
- Move a user between directory organizational units (OUs).
The Identity Manager user interface is purely web-based. It draws "current state" information about each user from the built-in identity cache, which in turn may either contain data from the previous night's auto-discovery process or be configured to pull this information from an existing, external directory (typically LDAP or a database) in real time.
All change requests are entered into this interface via HTML forms. Use of standards-compliant HTML means that the UI is accessible to users without client software, from any web browser (including PDAs, cell phone browsers, browsers for visually impaired users, etc.).
Identity Manager administrators may be given limited access to the security administration console. First, their Identity Manager application profiles contain access control lists, which determine the operations they are allowed to run. Using this facility, it is easy to define different types of administrators with different job functions, such as routine user management, urgent terminations and reporting.
Next, Identity Manager uses a plug-in architecture to allow organizations to define business rules that map users and resources to specific administrators. These plug-ins limit the user profiles, specific accounts, templates, and account groups that any given security administrator can bring up in the Identity Manager console.
These plug-ins make it possible to create delegated user administration structures, where decisions about who is, in fact, a delegated security administrator, what users that administrator can manage, and which of their accounts can be updated, are made dynamically. These access-control decisions are normally made by applying business logic (for example, does this person belong to the security administrators group? Is the user in question in the same department as the administrator?) with an existing data source such as LDAP, AD or an HR system.
The advantage of making delegation decisions in this way is that only the basic decision-making logic need be specified. Detailed information supporting delegation decisions does not have to be managed explicitly in Identity Manager, but is instead drawn from an existing data source.
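The two-layer check described above (an operation ACL per administrator role, plus a plug-in style business rule that scopes which users an administrator may even bring up) can be illustrated with the following added example. It is not Identity Manager's own code; the directory snapshot, group names, departments and operation names are constructed stand-ins for what would normally be read from LDAP, AD or an HR system.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    department: str
    groups: set = field(default_factory=set)

# Constructed stand-in for an external LDAP/HR data source (hypothetical values).
DIRECTORY = {
    "alice": User("alice", "finance", {"sec-admins"}),
    "bob":   User("bob",   "finance", {"helpdesk"}),
    "carol": User("carol", "sales"),
    "dave":  User("dave",  "sales",   {"sec-admins"}),
}

# Operation ACL per administrator group (hypothetical group and operation names).
ROLE_ACL = {
    "helpdesk":   {"reset_password", "unlock_account"},
    "sec-admins": {"reset_password", "unlock_account",
                   "disable_account", "rename_account"},
}

def allowed_operations(admin):
    """Layer 1: union of the ACLs attached to the admin's groups."""
    ops = set()
    for group in admin.groups:
        ops |= ROLE_ACL.get(group, set())
    return ops

def in_scope(admin, target):
    """Layer 2 (plug-in business rule): an admin may only manage users in
    their own department, and never their own account."""
    return admin.uid != target.uid and admin.department == target.department

def visible_users(admin_uid):
    """Which user profiles the console would let this admin bring up."""
    admin = DIRECTORY[admin_uid]
    return sorted(u.uid for u in DIRECTORY.values() if in_scope(admin, u))

def authorize(admin_uid, target_uid, operation):
    """Decide a single change request; returns (allowed, reason)."""
    admin, target = DIRECTORY.get(admin_uid), DIRECTORY.get(target_uid)
    if admin is None or target is None:
        return False, "unknown principal"
    if operation not in allowed_operations(admin):
        return False, "operation not permitted by ACL"
    if not in_scope(admin, target):
        return False, "target outside delegated scope"
    return True, "authorized"
```

Because the scope rule is evaluated against directory attributes at request time, moving a user to another department or removing an admin from a group changes the outcome on the next request without any delegation table being edited.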
Delegated User Administration
Local managers and IT resources can be assigned limited administrative privileges and will subsequently be able to directly manage some users, on some systems, with some types of updates. Delegated administration is implemented by allowing local administrators to sign into the global, consolidated user administration web interface, but limiting their access to user objects, target systems and operations using both ACLs and plug-in programs that act as data filters.
Users and managers can also submit change requests to the Identity Manager workflow system, which are subsequently authorized by appropriate business users and applied to target systems.