Hitachi ID Identity Manager
Course Content:
Introduction
Install the software
Targets and auto-discovery
- AD target (source of profiles)
- OpenLDAP target (target only)
- Linux target (target only)
- Configure the system to omit disabled accounts
- Run and troubleshoot psupdate
- Log viewer
Configure identification and authentication (just use AD passwords)
Templates, groups and roles
- Configure at least 1 template account on each target system
- Configure all groups on AD as 'managed'
- Configure some Linux groups as 'managed'
- Configure 2-3 roles:
  - employee
  - contractor
  - some combination of entitlements
Minimal policies
- Assigning new profile IDs (expression rather than plug-in at this stage)
- Introducing user classes
  - Single participant
  - Multi-participant (relationship based)
- Access controls: who can request what?
- Routing requests to authorizers:
  - attribute changes
  - user-create
  - new-template
  - role-assignment
- Set ACLs:
  - one user can see another existing user
  - one user can create another
Show the basic user portal
- Self-service requests
  - Request accounts/groups/roles
  - Update profile attributes
- Delegated requests
  - Create new user
  - Modify existing
More on assigning unique IDs
- Assigning e-mail addresses and other identifiers
- Reserved IDs (assign, check, collisions, reports, maintenance)
Securing initial passwords
- Requester-specified
- Random values + self-service password reset
- Random values + delegated password reset
Profile and account attributes
- What data to track about users
- Mapping profile to account attributes
- Load from target
- Override on target
- Display sequence
- Profile attribute groups
- Validation
- Scope and timing of validation (create, set, etc.)
- Restricted values
- Format restrictions
- Plug-ins
- Relationship-based access controls
Simplifying the user experience
- Roles
- PDRs (pre-defined requests)
- Resource requests (filesystem browser / NRCIFS / NRSHAREPOINT / etc.)
- Shell extension
More robust authorization
- Selecting authorizers (including plug-in this time)
- Consensus (N of M) and veto power
- Automatic reminder e-mails
- Automatic escalation after non-response
- Early escalation (e.g., if authorizer is out of office)
- Reports and dashboards: what's going on in the workflow engine?
- The roles of workflow and delegation managers
Security and controls
- Reports
- Access certification
  - Centrally managed
  - Scheduled
  - Ad-hoc
  - Single user
- Segregation of duties policies
  - Defining and maintaining rules
  - Detective policy -- find existing violations
  - Preventive policy -- blocking new violations
  - Approved exceptions
- Change tracking and history reporting
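Worked illustration of the segregation-of-duties items above (detective scan, preventive check, approved exceptions). This is an added example in generic Python, not Hitachi ID Identity Manager code; the rule format, the entitlement snapshot and the exception list are constructed sample data and the function names are assumptions.

```python
"""Segregation-of-duties (SoD) checks: a detective scan over existing users
and a preventive check on a pending request, both honouring approved
exceptions. Added illustration in plain Python; not product code.
All rules, users and exceptions below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """A toxic combination: holding anything from `left` together with
    anything from `right` is a violation (assumed rule shape)."""
    name: str
    left: frozenset
    right: frozenset


# Constructed rules; entitlement names are illustrative.
RULES = [
    SodRule("AP-create-vs-approve",
            frozenset({"AP_CREATE_VENDOR"}), frozenset({"AP_APPROVE_PAYMENT"})),
    SodRule("admin-vs-audit",
            frozenset({"AD:Domain Admins"}), frozenset({"SIEM:Auditor"})),
]

# Approved exceptions: (user, rule name) pairs signed off by a risk owner.
EXCEPTIONS = {("bob", "AP-create-vs-approve")}

# Constructed snapshot of entitlements as loaded from the target systems.
USERS = {
    "alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
    "bob":   {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
    "carol": {"AD:Domain Admins"},
    "dave":  {"SIEM:Auditor"},
}


def violated_rules(entitlements, rules=RULES):
    """Rules for which the entitlement set touches both sides of the conflict."""
    ents = set(entitlements)
    return [r for r in rules if ents & r.left and ents & r.right]


def detective_scan(users=USERS, rules=RULES, exceptions=EXCEPTIONS):
    """Detective policy: find existing violations.
    Returns {user: [rule names]} with approved exceptions filtered out."""
    report = {}
    for user, ents in sorted(users.items()):
        names = [r.name for r in violated_rules(ents, rules)
                 if (user, r.name) not in exceptions]
        if names:
            report[user] = names
    return report


def preventive_check(user, requested, users=USERS, rules=RULES,
                     exceptions=EXCEPTIONS):
    """Preventive policy: evaluate a request before it is granted.
    Returns (allowed, [rule names the grant would newly violate]).
    Only *new* violations block the request; pre-existing ones are the
    detective scan's job, so a cleanup request is not itself blocked."""
    current = users.get(user, set())
    before = {r.name for r in violated_rules(current, rules)}
    after = {r.name for r in violated_rules(current | set(requested), rules)}
    new = sorted(n for n in after - before if (user, n) not in exceptions)
    return (not new, new)


if __name__ == "__main__":
    print("existing violations:", detective_scan())
    print("carol + SIEM:Auditor ->", preventive_check("carol", {"SIEM:Auditor"}))
    print("erin + both AP rights ->",
          preventive_check("erin", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}))
```

The preventive check evaluates the union of current and requested entitlements, so a single request that bundles both halves of a toxic pair is caught as well as one that completes a pair the user already half-holds.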
Automation
- Concepts
- HR-driven onboarding
- HR-driven changes and deactivation
- Detecting and responding to out-of-band changes to security rights (e.g., new member in admins group)
- Linking automation to pre-defined requests
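Worked illustration of detecting out-of-band changes to security rights (the "new member in admins group" case above) and handing them to a pre-defined response. This is an added example in generic Python, not Hitachi ID Identity Manager code; the two membership snapshots, the ledger of workflow-approved changes and the sensitive-group list are constructed sample data, and the function names are assumptions.

```python
"""Out-of-band change detection: diff the latest group-membership snapshot
from the targets against the previous one, subtract changes the workflow
engine itself applied, and flag what remains. Added illustration in plain
Python; not product code. All data below is constructed."""

# Groups whose membership changes warrant an immediate response (assumption).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "wheel"}

# Constructed snapshots: group -> set of member IDs.
PREVIOUS = {
    "Domain Admins":     {"alice", "svc_idm"},
    "Enterprise Admins": {"alice"},
    "wheel":             {"root", "carol"},
    "staff":             {"alice", "bob", "carol", "dave"},
}
CURRENT = {
    "Domain Admins":     {"alice", "svc_idm", "mallory"},
    "Enterprise Admins": {"alice"},
    "wheel":             {"root"},
    "staff":             {"alice", "bob", "dave", "erin"},
}

# Constructed ledger of changes the workflow engine approved and applied
# since the previous snapshot: (group, member, 'add'|'remove').
APPROVED = {
    ("staff", "erin", "add"),
    ("staff", "carol", "remove"),
    ("wheel", "carol", "remove"),
}


def diff_memberships(prev, cur):
    """Every membership change between two snapshots, as
    (group, member, op) tuples in a stable order."""
    changes = []
    for group in sorted(set(prev) | set(cur)):
        before, after = prev.get(group, set()), cur.get(group, set())
        changes += [(group, m, "add") for m in sorted(after - before)]
        changes += [(group, m, "remove") for m in sorted(before - after)]
    return changes


def out_of_band_changes(prev, cur, approved, sensitive):
    """Changes the workflow engine did not make. Sensitive-group changes
    are rated high so the response automation can act on them first."""
    findings = []
    for group, member, op in diff_memberships(prev, cur):
        if (group, member, op) in approved:
            continue
        findings.append({
            "group": group, "member": member, "op": op,
            "severity": "high" if group in sensitive else "low",
        })
    return findings


def plan_response(findings, cur):
    """Decide the response for each finding. Unapproved additions to a
    sensitive group are queued for a revocation request; everything else
    is queued for retroactive authorization. Returns (corrected membership
    map, list of (group, member, action)). Nothing is written to a target
    here: in production these become pre-defined requests submitted to the
    workflow engine, not direct writes."""
    corrected = {g: set(m) for g, m in cur.items()}
    actions = []
    for f in findings:
        if f["severity"] == "high" and f["op"] == "add":
            corrected[f["group"]].discard(f["member"])
            actions.append((f["group"], f["member"], "revoke"))
        else:
            actions.append((f["group"], f["member"], "request-authorization"))
    return corrected, actions


if __name__ == "__main__":
    found = out_of_band_changes(PREVIOUS, CURRENT, APPROVED, SENSITIVE_GROUPS)
    for f in found:
        print(f)
    _, actions = plan_response(found, CURRENT)
    print("actions:", actions)
```

Subtracting the workflow's own ledger is what separates "out-of-band" from "changed": without it every approved provisioning run would raise an alert.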
One-stop-shopping
- Implementer-style target systems
- Using the API to submit requests from a service catalog or similar system
  - onboarding new users (hw, sw, building access, logical access)
  - terminations (including asset recovery)
Reports, dashboards and surveillance
- Data quality and cleanup
- Entitlements analysis and role mining
- Monitoring access certification
- Monitoring workflow usage
- Auditing users and their security entitlements
- Scheduling reports