Role Based Access Control
Hitachi ID Identity Manager includes a complete infrastructure for managing user entitlements using roles -- i.e., RBAC (role-based access control):
- Define Roles:
Administrators define roles in Identity Manager as collections of:
- Login accounts on specified target systems.
- Membership in groups on target systems.
- Role Hierarchy:
In addition to entitlements on target systems, roles can include other roles. This allows organizations to define:
- Technical roles, consisting of entitlements on target systems.
- Business roles, consisting of other roles.
- Mandatory and Optional Components:
Roles can contain both mandatory and optional entitlements. Users assigned a role are, in general, provisioned all of its mandatory components. They may also request any of its optional components, which are granted without further approval.
- Role Assignment:
Users can be assigned zero or more roles:
- Some users can be outside the scope of the RBAC infrastructure.
- Other users can be assigned exactly one role, representing their singular job function.
- Still other users can be assigned multiple roles, representing multiple job functions.
- Role-based Change Requests:
Requests to create new user profiles can specify a role -- either instead of or in addition to other entitlements that the new user should be provisioned.
Requests relating to preexisting users can include role changes. Role changes may cause entitlements to be added, removed or left in place.
- Approved Exceptions:
Some users may have a legitimate reason to retain privileges beyond those called for by their assigned roles, or may not need every privilege those roles include. Identity Manager supports such users, who remain legitimately out of compliance, through approved exceptions: a recorded, approved deviation from the role model that enforcement treats as acceptable rather than as drift to be remediated.
- Controlled Enforcement:
Users can be flagged for RBAC enforcement. This means that any entitlements they have in violation of their assigned roles -- either too many or too few -- can be detected and automatically remediated.
- Cascading Changes:
User profiles can drift out of compliance with their assigned roles in two ways: a profile is changed out of band, outside Identity Manager, or a role definition is changed, which makes every member of that role non-compliant at once. An included RBAC enforcement engine can be run periodically (typically every 24 hours) to detect non-compliant users and automatically submit workflow change requests that bring them back into compliance.
One use case this supports is cascading role changes: a privileged user changes a role's definition and commits the change. On the next automated enforcement run, the RBAC automation engine submits workflow requests to bring all members of that role into compliance with the new definition. Depending on the customer's policy, these requests may be auto-approved, in which case they are applied to target systems immediately. Because one role edit fans out to every user holding that role, and may reach target systems without any further approval, editing role definitions is itself a privileged operation and deserves the same scrutiny as a bulk entitlement change.
- Gradual Deployment:
It is impractical to switch on RBAC enforcement for every user in a large population at once. To avoid this, Identity Manager supports gradual activation of users for RBAC enforcement, allowing time to educate users about the new system and to troubleshoot errors in the RBAC model for a few users at a time.
- Role-Aware Access Certification:
Identity Manager supports certification of user entitlements at several levels of granularity:
- Fine-grained entitlements assigned to users -- many checkboxes, based on data pulled directly from target systems.
- Roles assigned to users -- fewer checkboxes, representing groups of privileges.
- Approved exceptions to the privileges predicted for a user by policy, where the policy may be a role assignment or a segregation-of-duties rule.
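The reconciliation that the role hierarchy, mandatory/optional components, approved exceptions, controlled enforcement, cascading changes and gradual deployment sections describe can be shown end to end in a small model. The following is an added example written for this page; it is not Identity Manager's own code and makes no claim about its internal data model. It assumes an entitlement is encoded as a string, either `<system>:account` or `<system>:group:<name>` (the two entitlement kinds the page names), that an approved exception suppresses enforcement of that one entitlement in both directions, and that optional components a user already holds are never flagged as excess. The role names, user names and entitlements are constructed sample data.

```python
"""Toy RBAC reconciliation engine (added example, not Identity Manager code).

Expands a role hierarchy, predicts each user's entitlements, compares them
with what the target systems actually hold, and emits the add/remove change
requests an enforcement run would submit."""
from dataclasses import dataclass, field

# Assumed encoding: an entitlement is "<system>:account" (a login account) or
# "<system>:group:<name>" (membership in a group), the two kinds named on the page.


@dataclass
class Role:
    name: str
    mandatory: set = field(default_factory=set)  # always provisioned with the role
    optional: set = field(default_factory=set)   # requestable without extra approval
    includes: set = field(default_factory=set)   # names of contained roles (hierarchy)


@dataclass
class User:
    name: str
    roles: set
    actual: set                                   # entitlements read from target systems
    exceptions: set = field(default_factory=set)  # approved exceptions, either direction
    enforce: bool = False                         # flagged for RBAC enforcement?


def expand(role_name, roles, _seen=frozenset()):
    """Return (mandatory, optional) entitlements for a role, including everything
    inherited from the roles it contains. A cycle in the hierarchy is an error."""
    if role_name in _seen:
        raise ValueError(f"role hierarchy cycle at {role_name!r}")
    role = roles[role_name]
    mandatory, optional = set(role.mandatory), set(role.optional)
    for child in sorted(role.includes):
        child_m, child_o = expand(child, roles, _seen | {role_name})
        mandatory |= child_m
        optional |= child_o
    # anything mandatory somewhere in the tree is mandatory overall
    return mandatory, optional - mandatory


def reconcile(user, roles):
    """Change requests an enforcement run would submit for one user: ('add', e)
    for mandatory entitlements the user lacks, ('remove', e) for entitlements
    no assigned role predicts. Optional components the user holds are fine,
    approved exceptions are skipped, and unflagged users get nothing."""
    if not user.enforce:
        return []
    mandatory, optional = set(), set()
    for r in sorted(user.roles):
        m, o = expand(r, roles)
        mandatory |= m
        optional |= o
    missing = mandatory - user.actual - user.exceptions
    excess = user.actual - mandatory - optional - user.exceptions
    return sorted([("add", e) for e in missing] + [("remove", e) for e in excess])


def enforcement_run(users, roles):
    """One periodic run over the whole population: user name -> requests."""
    return {u.name: reconcile(u, roles) for u in users}


def with_role_change(roles, role_name, add_mandatory):
    """Return a copy of the role model with extra mandatory entitlements on one
    role; rerunning enforcement on it shows the cascading effect of a role edit."""
    changed = dict(roles)
    old = roles[role_name]
    changed[role_name] = Role(old.name, old.mandatory | set(add_mandatory),
                              set(old.optional), set(old.includes))
    return changed


# Constructed sample data (not from any real deployment).
ROLES = {
    # technical roles: entitlements on target systems
    "tech-ad-base": Role("tech-ad-base", mandatory={"ad:account", "ad:group:All-Staff"}),
    "tech-erp-finance": Role("tech-erp-finance",
                             mandatory={"erp:account", "erp:group:AP-Clerk"},
                             optional={"erp:group:AP-Reports"}),
    # business role built only from other roles
    "biz-accounts-payable": Role("biz-accounts-payable",
                                 includes={"tech-ad-base", "tech-erp-finance"}),
}

USERS = [
    # compliant; also holds an optional component she requested herself
    User("alice", {"biz-accounts-payable"},
         {"ad:account", "ad:group:All-Staff", "erp:account",
          "erp:group:AP-Clerk", "erp:group:AP-Reports"}, enforce=True),
    # drifted out of band: ERP account missing, extra admin group,
    # plus a legacy share kept under an approved exception
    User("bob", {"biz-accounts-payable"},
         {"ad:account", "ad:group:All-Staff", "erp:group:AP-Clerk",
          "ad:group:Domain-Admins", "fileshare:group:Legacy-RO"},
         exceptions={"fileshare:group:Legacy-RO"}, enforce=True),
    # drifted too, but not yet activated for enforcement (gradual deployment)
    User("carol", {"biz-accounts-payable"}, {"ad:account", "ad:group:Domain-Admins"}),
]

if __name__ == "__main__":
    for name, reqs in enforcement_run(USERS, ROLES).items():
        print(name, reqs or "compliant")
    cascaded = with_role_change(ROLES, "tech-erp-finance", ["erp:group:AP-Auditor"])
    print("after role edit:", enforcement_run(USERS, cascaded))
```

Running the file reconciles the three sample users: alice produces no requests, bob gets an `add` for the missing ERP account and a `remove` for the out-of-band Domain-Admins membership while the excepted legacy share is left alone, and carol produces nothing because she is not yet flagged for enforcement. The `with_role_change` step then adds a mandatory group to a technical role and reruns enforcement, which is the cascading case: every holder of the business role that contains it now receives an `add` request on the next run, which is why role edits need the same review as a bulk change. The cycle check in `expand` is the caveat a role hierarchy needs in practice; without it a business role that (directly or indirectly) includes itself would hang the engine.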