Auto Discovery of Users and Entitlements
Access certification is based on real, measured security entitlements -- not just the security rights that an identity and access management system predicts that users should have.
(1) Hitachi ID Access Certifier includes an auto-discovery engine, which typically extracts information about users and groups from target systems nightly.
- An auto-discovery engine extracts a full inventory of login IDs from each target system, nightly.
- The auto-discovery engine extracts a list of all available groups from each target system, nightly.
- For groups that have been designated as "managed," the auto-discovery engine also extracts full group membership from the target systems.
- The auto-discovery engine automatically creates, updates and removes user profiles in the Access Certifier identity cache, based on the appearance of user accounts on systems that are considered authoritative sources of Access Certifier IDs.
- Information such as last-login-date is used to identify dormant accounts across all target systems.
- Identity attributes configured as "managed" in Access Certifier are read from each target system into the Access Certifier identity cache.
Auto-discovery is incremental on systems that support this -- such as Active Directory and most other LDAP directories. A full extract is produced on systems where incremental listing is not supported, and a delta is calculated on the Access Certifier server before being loaded into the Access Certifier database.
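The two mechanisms described above, computing a delta between consecutive full extracts and flagging dormant accounts from last-login dates, are illustrated by the following added example. It is not code from Hitachi ID Access Certifier or any of its connectors; the extract records, login IDs, group names, dates and the 90-day dormancy threshold are all constructed for the illustration, and the function names are assumptions.

```python
from datetime import date, timedelta

# Constructed sample: two nightly full extracts of login IDs from one target
# system, keyed by login ID. Illustrative records only, not output from any
# real connector or from Access Certifier.
PREVIOUS_EXTRACT = {
    "alice": {"groups": {"finance", "vpn"}, "last_login": "2024-05-30"},
    "bob":   {"groups": {"vpn"},            "last_login": "2024-01-02"},
    "carol": {"groups": {"hr"},             "last_login": "2024-05-29"},
}
CURRENT_EXTRACT = {
    "alice": {"groups": {"finance", "vpn", "admins"}, "last_login": "2024-05-31"},
    "carol": {"groups": {"hr"},                       "last_login": "2024-05-29"},
    "dave":  {"groups": {"vpn"},                      "last_login": "2024-05-31"},
    "erin":  {"groups": set(),                        "last_login": None},
}


def compute_delta(previous, current):
    """Compare two full extracts and return what changed between them.

    The returned dict has three entries:
      added   - login IDs present now but absent from the previous extract
      removed - login IDs that disappeared since the previous extract
      changed - login IDs whose managed group membership differs, with the
                groups gained and lost listed separately
    This is the server-side delta a target without incremental listing needs.
    """
    prev_ids, cur_ids = set(previous), set(current)
    added = sorted(cur_ids - prev_ids)
    removed = sorted(prev_ids - cur_ids)
    changed = {}
    for login in sorted(prev_ids & cur_ids):
        old_groups = previous[login]["groups"]
        new_groups = current[login]["groups"]
        if old_groups != new_groups:
            changed[login] = {
                "groups_added": sorted(new_groups - old_groups),
                "groups_removed": sorted(old_groups - new_groups),
            }
    return {"added": added, "removed": removed, "changed": changed}


def find_dormant(extract, as_of, max_idle_days=90):
    """Return login IDs whose last login is older than max_idle_days.

    Last-login dates are ISO strings in the extract. An account with no
    recorded login is treated as dormant too: a never-used account is as
    much a review candidate as one that has gone quiet.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    dormant = []
    for login, record in sorted(extract.items()):
        last = record.get("last_login")
        if last is None or date.fromisoformat(last) < cutoff:
            dormant.append(login)
    return dormant


if __name__ == "__main__":
    delta = compute_delta(PREVIOUS_EXTRACT, CURRENT_EXTRACT)
    print("added:", delta["added"])
    print("removed:", delta["removed"])
    print("changed:", delta["changed"])
    print("dormant (previous night):", find_dormant(PREVIOUS_EXTRACT, date(2024, 6, 1)))
    print("dormant (current night):", find_dormant(CURRENT_EXTRACT, date(2024, 6, 1)))
```

Keeping the comparison on the server side means a target system only has to support a full listing; the connector never needs a change log. The "changed" entries are where the certification-relevant signal usually sits (an account acquiring an administrative group overnight), so a review workflow would typically route those alongside the newly appeared IDs.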