Application-Centric Certification
ID-Certify® can be configured to request reviews of user accounts and security group memberships within individual applications, by those applications' owners. Application owners are prompted and reminded to perform these reviews by the ID-Certify workflow engine.
The ID-Certify process for Application-centric certification works as follows:
- ID-Certify periodically (e.g., quarterly or biannually, according to corporate policy) requires application owners to review a list of users that have login accounts to their applications and their security group memberships within those applications. Reviews are performed one application at a time.
- Application owners respond by signing into ID-Certify using their network or directory login ID and password, to start their certification process.
- Application owners first review a list of users with login accounts to their application and flag for later removal users who should no longer have access.
- For each remaining user, application owners review sensitive security group memberships and flag inappropriate group memberships for later removal.
- Group memberships are identified by ID, a descriptive name and optionally a link to an HTML page containing an arbitrarily verbose description of the group's business function.
- Application owners complete the review process and provide an electronic signature after reading a statement to the effect that their access review is complete and they certify that the remaining login accounts and group memberships are appropriate.
- After an application owner completes their review and certification, any proposed changes (deactivated accounts, eliminated group memberships) are bundled into security change requests and submitted to the ID-Certify workflow engine. These requests will normally require further authorization, for instance from each user's manager.
- It should be noted that application-centric certification is appropriate to applications with modest numbers of users, such that the application owner recognizes the users personally and has some idea of what access rights are appropriate for each user. Larger applications and systems that span the entire organization are more appropriately supported by:
  - Org-centric certification.
  - Group-centric certification (for user groups of modest size).
  - App-centric certification, where the application can be segmented into sub-components, each with its own owner.
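The workflow above, modelled as an added example. This is illustrative code written for this page, not ID-Certify product code: the class and function names (`AppReview`, `ChangeRequest`, `due_for_review`), the attestation text, the rule that only the registered owner may open a review, and the routing of every change request to the affected user's manager for further authorization are all assumptions made for the example. The payroll application, its owner, users and groups are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    user_id: str
    manager_id: str          # assumption: the manager is the further authorizer
    groups: List[str]


@dataclass
class Application:
    app_id: str
    owner_id: str
    accounts: List[Account]
    last_certified: Optional[date] = None


@dataclass
class ChangeRequest:
    app_id: str
    user_id: str
    action: str              # "deactivate_account" or "remove_group"
    group_id: Optional[str]
    approvers: List[str]     # who must still authorize before the change is applied
    status: str = "pending_authorization"


# Hypothetical attestation text the owner signs; not ID-Certify's wording.
ATTESTATION = ("I have reviewed all login accounts and group memberships for this "
               "application and certify that those not flagged are appropriate.")


def due_for_review(app: Application, period_days: int, today: date) -> bool:
    """Campaign scheduling: never certified, or last certification older than the period."""
    if app.last_certified is None:
        return True
    return today - app.last_certified >= timedelta(days=period_days)


class AppReview:
    """One owner's review of one application (reviews are performed per application)."""

    def __init__(self, app: Application, reviewer_id: str):
        if reviewer_id != app.owner_id:           # only the application owner may certify it
            raise PermissionError(f"{reviewer_id} is not the owner of {app.app_id}")
        self.app = app
        self.flagged_accounts: Set[str] = set()
        self.flagged_groups: Dict[str, Set[str]] = {}
        self.signed = False

    def _account(self, user_id: str) -> Account:
        for acct in self.app.accounts:
            if acct.user_id == user_id:
                return acct
        raise KeyError(f"{user_id} has no account in {self.app.app_id}")

    def flag_account(self, user_id: str) -> None:
        """Step 1: mark a login account that should no longer exist."""
        self._account(user_id)
        self.flagged_accounts.add(user_id)

    def flag_group(self, user_id: str, group_id: str) -> None:
        """Step 2: mark an inappropriate group membership, for remaining users only."""
        acct = self._account(user_id)
        if user_id in self.flagged_accounts:
            raise ValueError(f"{user_id} is already flagged for removal")
        if group_id not in acct.groups:
            raise KeyError(f"{user_id} is not a member of {group_id}")
        self.flagged_groups.setdefault(user_id, set()).add(group_id)

    def sign(self, attestation: str, signed_on: date) -> None:
        """Step 3: electronic signature over the exact attestation text."""
        if attestation != ATTESTATION:
            raise ValueError("attestation text does not match")
        self.signed = True
        self.app.last_certified = signed_on

    def change_requests(self) -> List[ChangeRequest]:
        """Step 4: bundle flagged items into change requests needing further authorization."""
        if not self.signed:
            raise RuntimeError("review must be signed before changes are submitted")
        requests: List[ChangeRequest] = []
        for user_id in sorted(self.flagged_accounts):
            acct = self._account(user_id)
            requests.append(ChangeRequest(self.app.app_id, user_id,
                                          "deactivate_account", None, [acct.manager_id]))
        for user_id in sorted(self.flagged_groups):
            acct = self._account(user_id)
            for group_id in sorted(self.flagged_groups[user_id]):
                requests.append(ChangeRequest(self.app.app_id, user_id,
                                              "remove_group", group_id, [acct.manager_id]))
        return requests


# Constructed sample data: a small application whose owner knows every user.
PAYROLL = Application("payroll", owner_id="owner.pat", accounts=[
    Account("alice", "mgr.lee", ["PAY_ADMIN", "PAY_VIEW"]),
    Account("bob", "mgr.lee", ["PAY_VIEW"]),
    Account("carol", "mgr.kim", ["PAY_ADMIN"]),
])


def run_sample_review() -> List[ChangeRequest]:
    review = AppReview(PAYROLL, "owner.pat")
    review.flag_account("bob")                 # bob no longer needs any access
    review.flag_group("carol", "PAY_ADMIN")    # carol keeps her account, loses admin
    review.sign(ATTESTATION, date(2024, 1, 15))
    return review.change_requests()


if __name__ == "__main__":
    for cr in run_sample_review():
        print(cr)
```

The two controls worth noting are that group review is refused for a user already flagged for account removal (matching the "each remaining user" step) and that no change request exists until the signature is recorded, so the owner's attestation always covers exactly the set of changes submitted to the workflow engine.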


