ID-Access Overview
ID-Synch® includes a unique technology for managing user membership in security groups. This technology is called ID-Access®. You can learn more about ID-Access on its own web site: ID-Access.org.
Overview:
ID-Access is software from Hitachi ID for managing membership in groups, where groups exist on ID-Access target systems -- principally Active Directory. It allows users to initiate security change requests -- principally requests to join or exit network operating system security groups -- in a self-service manner, without the need for users to understand the underlying security infrastructure.
ID-Access can administer user access to folders, printers, distribution lists and other network resources whose access control mechanism leverages user groups.
Features:
ID-Access is a component of Hitachi ID Management Suite® designed to streamline user requests for access to network resources.
Using ID-Access, users sign into a secure web application and request new access to a network resource, such as a share, folder, printer or mail distribution list. From the ID-Access web form, users first select a resource container (examples: share; directory OU) and then use a tree view to browse for a specific resource (examples: folder, mail DL). Once they have selected a resource, users simply submit the request.
Once the user has selected a resource, ID-Access:
- Dynamically maps the user resource selection to a specific managed target system and to a security group on that system.
- Determines whether the security group is already under ID-Access access control and, if not, automatically adds the group to its workflow system.
- Checks whether at least one authorizer is already available for the group and, if not, automatically extracts a new authorizer list from the managed system itself (e.g., identifies the group's owners).
- Initiates a workflow request, asking the appropriate authorizer(s) whether the user should be allowed to join the group in question.
The ID-Access workflow system automatically tracks change authorization and adds the user to the requested group if and when the proposed change is approved.
Benefits:
ID-Access:
- Is ideal for contractors or employees who are given short term assignments and need to be quickly provisioned with security privileges that pertain to their new assignment or project.
- Reduces workload on IT administrators by offloading group membership management to users.
- Improves productivity for all users who need to access network resources to which they did not previously have rights.
Technology:
ID-Access can be used to manage many different types of resources. A plug-in program binds ID-Access to a specific type of resource, such as Windows shares, whose access is mediated by membership in an Active Directory group. Other resources include network printers and mail distribution lists.
The description is best clarified with a concrete example:
| Step | User | ID-Access | Resource-Type Plug-in | Target System |
| 1 | Sign in using a network login ID and password. | Validate credentials. | | |
| 2 | Initiate a new resource-access request. | | | |
| 3 | | Display a list of descriptive names for configured Windows file servers and shares. | | |
| 4 | Select a share. | | | |
| 5 | | Display a tree view of folders in the selected share. | | |
| 6 | Browse for and select a folder where access is desired. | Interactive tree view display. | Iteratively provide a list of sub-directories from the selected share. | |
| 7 | Select a set of privileges and an authorizer to request. | Display and user input. | Provide a list of groups that have privileges on the share and the security privileges each one has been assigned (read-only? read-write? etc.). One or more owners (authorizers) are provided for each group. | |
| 8 | | Workflow to track change authorization. | | |
| 9 | | (Change approved) Run agent to update the user's group membership. Send a confirmation e-mail to the user and to all owner/authorizers. | | Updated privileges. User can now access the folder. |
Easy setup:
ID-Access is very simple to set up and administer. For example, to configure it to manage group membership in Active Directory so that users can gain access to group-controlled file folders, one need only:
- Set up Active Directory as an ID-Synch target system.
- Enter the base UNC for each share in which ID-Access will manage access.
- Ensure that the owner field is correctly populated on each AD user group.
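
Because authorizers are extracted from each group's owners, a group with an empty or stale owner field has nobody who can approve requests. The following check for the last setup step is an added example, not Hitachi ID code. It assumes the "owner field" is the AD `managedBy` attribute, that groups and users have been exported as plain LDIF (no base64 values or folded lines), and it uses constructed sample records.

```python
# Flag AD groups whose owner (authorizer) is missing, unknown or disabled.
# Assumption: "owner field" = managedBy. All sample records are constructed.
SAMPLE_LDIF = """\
dn: CN=Finance-RW,OU=Groups,DC=example,DC=test
objectClass: group
managedBy: CN=Alice Ng,OU=Users,DC=example,DC=test

dn: CN=Finance-RO,OU=Groups,DC=example,DC=test
objectClass: group

dn: CN=Projects-RW,OU=Groups,DC=example,DC=test
objectClass: group
managedBy: CN=Bob Lee,OU=Users,DC=example,DC=test

dn: CN=Alice Ng,OU=Users,DC=example,DC=test
objectClass: user
userAccountControl: 512

dn: CN=Bob Lee,OU=Users,DC=example,DC=test
objectClass: user
userAccountControl: 514
"""
ACCOUNTDISABLE = 0x2  # userAccountControl flag for a disabled account

def parse_ldif(text):
    entries = []  # one {attribute: [values]} dict per LDIF record
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_group_owners(text):
    """Map each problem group DN to the reason its owner cannot authorize."""
    entries = parse_ldif(text)
    users = {e["dn"][0].lower(): e for e in entries if "user" in e.get("objectclass", [])}
    findings = {}
    for e in (e for e in entries if "group" in e.get("objectclass", [])):
        owner_dn = e.get("managedby", [None])[0]
        owner = users.get(owner_dn.lower()) if owner_dn else None
        if owner_dn is None:
            findings[e["dn"][0]] = "no owner"
        elif owner is None:
            findings[e["dn"][0]] = "owner not in export"
        elif int(owner.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE:
            findings[e["dn"][0]] = "owner disabled"
    return findings
```

Groups reported here should have their owner corrected before they are opened to self-service requests.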







