Hitachi ID Identity Manager - Introduction and Concepts

Introductory and advanced Identity Manager training is available.

Topics in this course include:


Install the software

Targets and auto-discovery

  • AD target (source of profiles)
  • OpenLDAP target (target only)
  • Linux target (target only)
  • Configure the system to omit disabled accounts
  • Run and troubleshoot psupdate
  • Log viewer

Configure identification and authentication (just use AD passwords)

Templates, groups and roles

  • Configure at least 1 template account on each target system
  • Configure all groups on AD as 'managed'
  • Configure some Linux groups as 'managed'
  • Configure 2-3 roles:
    • employee
    • contractor
    • some combination of entitlements

Minimal policies

  • Assigning new profile IDs (expression rather than plugin at this stage)
  • Introducing user classes
    • Single participant
    • Multi-participant (relationship based)
  • Access controls: who can request what?
  • Routing requests to authorizers:
    • attribute changes
    • user-create
    • new-template
    • role-assignment
  • Set ACLs:
    • one user can see another existing user
    • one user can create another

Show the basic user portal

  • Self-service requests
  • Request accounts/groups/roles
  • Update profile attributes
  • Delegated requests
  • Create new user
  • Modify existing

More on assigning unique IDs

  • Assigning e-mail addresses and other identifiers
  • Reserved IDs (assign, check, collisions, reports, maintenance)
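The "expression rather than plug-in" ID assignment above and the reserved-ID checks in this list share one underlying routine: derive a candidate from the naming expression, then test it case-insensitively against every target's existing accounts and the reserved list before handing it out. The following is an added illustration in Python, not Identity Manager's own expression language or API; the target names, sample accounts, reserved IDs and the `MAX_LEN` limit are constructed for the example.

```python
"""Hypothetical profile-ID assignment: naming expression + collision checks.
Added illustration only; the data below is constructed, not from any product."""
import re
import unicodedata

# Constructed sample: account IDs already present on each target system.
EXISTING_ACCOUNTS = {
    "AD":       {"jsmith", "JSmith2", "mjones"},
    "OpenLDAP": {"jsmith", "akumar"},
    "Linux":    {"root", "jsmith", "jsmith3"},
}
# Constructed reserved list: IDs held back for in-flight requests or names
# that must never be issued to a person.
RESERVED_IDS = {"jsmith4", "admin", "administrator", "root"}
MAX_LEN = 20  # assumed maximum ID length across all targets


def normalize(value: str) -> str:
    """Fold accents, lowercase, and drop everything outside [a-z0-9]."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def base_id(first_name: str, last_name: str) -> str:
    """Naming expression: first initial + surname, truncated to MAX_LEN."""
    candidate = normalize(first_name)[:1] + normalize(last_name)
    if not candidate:
        # Names with no ASCII-foldable characters need manual handling.
        raise ValueError("cannot derive an ID from the supplied names")
    return candidate[:MAX_LEN]


def taken_ids() -> set:
    """All IDs in use or reserved, lowercased so 'JSmith2' blocks 'jsmith2'."""
    ids = set(RESERVED_IDS)
    for accounts in EXISTING_ACCOUNTS.values():
        ids.update(accounts)
    return {i.lower() for i in ids}


def assign_profile_id(first_name: str, last_name: str, limit: int = 999) -> str:
    """Return the first free ID: base, then base2, base3, ... up to `limit`."""
    base = base_id(first_name, last_name)
    taken = taken_ids()
    if base not in taken:
        return base
    for n in range(2, limit + 1):
        suffix = str(n)
        # Keep the suffix intact when the base is at the length limit.
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"no free ID for {base!r} within {limit} suffixes")


def reserve(profile_id: str) -> None:
    """Record an assigned ID so a concurrent request cannot be given the same one."""
    if profile_id.lower() in taken_ids():
        raise ValueError(f"{profile_id!r} is already in use or reserved")
    RESERVED_IDS.add(profile_id)


if __name__ == "__main__":
    new_id = assign_profile_id("John", "Smith")
    reserve(new_id)
    print(new_id, assign_profile_id("Jane", "Smith"))
```

Two points the example makes that a naming expression alone does not: collisions must be checked across all targets at once and case-insensitively (a Linux account is case-sensitive, an AD sAMAccountName is not, so the stricter rule wins), and the chosen ID must be reserved before the account-creation workflow completes, otherwise two requests submitted in the same window can be assigned the same ID.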

Securing initial passwords

  • Requester-specified
  • Random values + self-service password reset
  • Random values + delegated password reset

Profile and account attributes

  • What data to track about users
  • Mapping profile to account attributes
    • Load from target
    • Override on target
  • Display sequence
  • Profile attribute groups
  • Validation
    • Scope and timing of validation (create, set, etc.)
    • Restricted values
    • Format restrictions
    • Plug-ins
  • Relationship-based access controls

Simplifying the user experience

  • Roles
  • PDRs
  • Resource requests (filesystem browser / NRCIFS / NRSHAREPOINT / etc.)
  • Shell extension

More robust authorization

  • Selecting authorizers (including plug-in this time)
  • Consensus (N of M) and veto power
  • Automatic reminder e-mails
  • Automatic escalation after non-response
  • Early escalation (e.g., if authorizer is out of office)
  • Reports and dashboards: what's going on in the workflow engine?
  • The roles of workflow and delegation managers
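To make the consensus, veto, reminder and escalation items above concrete, here is an added Python sketch of how such a routing decision is evaluated. It is an illustration written for this outline, not Identity Manager's workflow engine or its API; the `Request` fields, the 24-hour reminder and 72-hour escalation thresholds, and the authorizer names are all assumptions chosen for the example.

```python
"""Hypothetical approval evaluator: N-of-M consensus, veto, reminders and
escalation after non-response.  Added illustration; thresholds are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVE, DENY = "approve", "deny"


@dataclass
class Request:
    authorizers: list                       # the M people invited to decide
    required: int                           # N approvals needed for consensus
    submitted: datetime
    veto_users: set = field(default_factory=set)   # any DENY from these is final
    out_of_office: set = field(default_factory=set)
    responses: dict = field(default_factory=dict)     # user -> APPROVE | DENY
    escalated_to: dict = field(default_factory=dict)  # original -> delegate
    remind_after: timedelta = timedelta(hours=24)     # assumed reminder delay
    escalate_after: timedelta = timedelta(hours=72)   # assumed escalation delay


def active_authorizers(req):
    """Authorizers currently expected to answer, with delegates substituted in."""
    return [req.escalated_to.get(a, a) for a in req.authorizers]


def record(req, user, decision):
    """Store one authorizer's decision; only active, first-time responders count."""
    if decision not in (APPROVE, DENY):
        raise ValueError(f"unknown decision {decision!r}")
    if user not in active_authorizers(req):
        raise PermissionError(f"{user} is not an active authorizer")
    if user in req.responses:
        raise ValueError(f"{user} has already responded")
    req.responses[user] = decision


def status(req):
    """'approved', 'denied' or 'pending' under N-of-M consensus with veto."""
    active = active_authorizers(req)
    if any(req.responses.get(v) == DENY for v in req.veto_users):
        return "denied"                      # a veto is final regardless of count
    approvals = sum(req.responses.get(a) == APPROVE for a in active)
    denials = sum(req.responses.get(a) == DENY for a in active)
    if approvals >= req.required:
        return "approved"
    if len(active) - denials < req.required:
        return "denied"                      # N can no longer be reached
    return "pending"


def due_actions(req, now):
    """Reminders and escalations owed to non-responders at time `now`."""
    actions = []
    age = now - req.submitted
    for a in active_authorizers(req):
        if a in req.responses:
            continue
        if a in req.out_of_office or age >= req.escalate_after:
            actions.append(("escalate", a))  # early escalation when out of office
        elif age >= req.remind_after:
            actions.append(("remind", a))
    return actions


def escalate(req, user, delegate):
    """Hand a non-responder's decision to a delegate; the original can no longer act."""
    if user not in active_authorizers(req) or user in req.responses:
        raise ValueError(f"{user} cannot be escalated")
    if delegate in active_authorizers(req):
        raise ValueError(f"{delegate} is already an authorizer on this request")
    original = next(o for o in req.authorizers if req.escalated_to.get(o, o) == user)
    req.escalated_to[original] = delegate
```

Note the two checks that keep consensus honest: a delegate who is already one of the M authorizers is refused, so nobody's approval is counted twice, and a request is marked denied as soon as the remaining undecided authorizers could not bring the count to N, rather than waiting for every reminder cycle to run out.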

Security and controls

  • Reports
  • Access certification
    • Centrally managed
    • Scheduled
    • Ad-hoc
    • Single user
  • Segregation of duties policies
    • Defining and maintaining rules
    • Detective policy -- find existing violations
    • Preventive policy -- blocking new violations
    • Approved exceptions
  • Change tracking and history reporting
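The detective/preventive distinction and the handling of approved exceptions in the segregation-of-duties item above can be shown in a few dozen lines. The following is an added Python illustration, not Identity Manager's policy engine; the rules, entitlements, profiles, exception dates and the `(target, group)` entitlement shape are constructed for the example.

```python
"""Hypothetical segregation-of-duties checker: detective scan of existing
entitlements, preventive check of a pending request, approved exceptions.
Added illustration; all rules and data below are constructed."""
from datetime import date

# A rule names a toxic combination; holding ALL of its entitlements violates it.
# Entitlements are (target, group) tuples in this example.
SOD_RULES = {
    "pay-create-vs-approve": {("AD", "AP-Invoice-Entry"), ("AD", "AP-Invoice-Approval")},
    "dev-vs-prod-deploy":    {("Linux", "developers"), ("Linux", "prod-deployers")},
}
# Constructed current entitlements per profile.
ENTITLEMENTS = {
    "alice": {("AD", "AP-Invoice-Entry"), ("AD", "AP-Invoice-Approval")},
    "bob":   {("Linux", "developers")},
    "carol": {("Linux", "developers"), ("Linux", "prod-deployers"), ("AD", "Staff")},
}
# Constructed approved exceptions: (profile, rule) -> date the exception expires.
EXCEPTIONS = {("carol", "dev-vs-prod-deploy"): date(2025, 6, 30)}


def violated_rules(ents, rules=SOD_RULES):
    """Names of rules whose entire combination is present in `ents`."""
    return {name for name, combo in rules.items() if combo <= ents}


def exception_valid(profile, rule, exceptions, today):
    """An exception only suppresses a violation until its review date."""
    expires = exceptions.get((profile, rule))
    return expires is not None and today <= expires


def detect(entitlements=ENTITLEMENTS, rules=SOD_RULES,
           exceptions=EXCEPTIONS, today=date(2025, 1, 15)):
    """Detective policy: existing violations per profile, minus live exceptions."""
    report = {}
    for profile, ents in entitlements.items():
        open_rules = sorted(r for r in violated_rules(ents, rules)
                            if not exception_valid(profile, r, exceptions, today))
        if open_rules:
            report[profile] = open_rules
    return report


def preventive_check(profile, requested, entitlements=ENTITLEMENTS, rules=SOD_RULES,
                     exceptions=EXCEPTIONS, today=date(2025, 1, 15)):
    """Preventive policy: rules that granting `requested` would NEWLY violate.

    An empty list means the request may proceed.  Pre-existing violations are
    left to the detective scan so one request is not blocked for another's debt.
    The whole request is evaluated at once, so two halves of a toxic pair
    submitted together are still caught.
    """
    current = entitlements.get(profile, set())
    before = violated_rules(current, rules)
    after = violated_rules(current | set(requested), rules)
    return sorted(r for r in after - before
                  if not exception_valid(profile, r, exceptions, today))


if __name__ == "__main__":
    print("existing violations:", detect())
    print("blocked for bob:", preventive_check("bob", {("Linux", "prod-deployers")}))
```

Running the detective scan with a later `today` shows the exception for carol expiring and her violation reappearing, which is the behaviour wanted from a time-boxed, approved exception: it suppresses the finding, it does not delete the rule.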


  • Concepts
  • HR-driven onboarding
  • HR-driven changes and deactivation
  • Detecting and responding to out-of-band changes to security rights (e.g., new member in admins group)
  • Linking automation to pre-defined requests


  • Implementer-style target systems
  • Using the API to submit requests from a service catalog or similar system
    • onboarding new users (hw, sw, building access, logical access)
    • terminations (including asset recovery)

Reports, dashboards and surveillance

  • Data quality and cleanup
  • Entitlements analysis and role mining
  • Monitoring access certification
  • Monitoring workflow usage
  • Auditing users and their security entitlements
  • Scheduling reports