An interview is held with the primary project stakeholders to
identify the key business objectives for the Hitachi ID Management Suite deployment.
These objectives are prioritized and metrics are defined that will
later be used to characterize success or identify problems.
Project objectives normally include reducing operating costs,
improving service SLA, enhancing security and regulatory or policy
Metrics may include reduced help desk call volume (e.g., percent
reduction or target monthly numbers), improved speed for provisioning
new users or responding to access change requests, etc.
A short (normally 1-2 page) document formally defining business
objectives is provided at the end of this phase.
A needs analysis phase is undertaken to review the customer's current
identity and access management business processes, identify
new processes that the project should implement and define the
technical details needed to implement those new processes.
In large or complex deployments, this phase may be broken down
into an initial review, which identifies high-level objectives and
generates a time and cost estimate for the second phase, and a
subsequent detailed analysis, which collects detailed information
about data flows, attribute mappings, change authorization, role
definitions, etc. In that case, a summary process analysis document
is produced in the first phase and detailed documents are
produced in the second phase.
The needs analysis phase produces two documents:
- A process analysis document, which includes:
- A list of current processes used to set up new staff
with access, to update identity attributes and security
entitlements as business needs change, to terminate access
and to manage passwords.
- A list of desired processes that the Hitachi ID Management Suite implementation
will enable. This may include:
- Automatic propagation of user data from systems of record
to target systems.
- Self-service workflow to allow users to request and
authorize access changes.
- Consolidated and delegated user administration.
- Consolidated reporting on access rights and access change
- Password synchronization, self-service reset and assisted
- Processes to collect new data from the user population,
such as security questions for authentication, demographic
information, login ID reconciliation or biometric samples.
- User notification for events such as upcoming password
expiration, user profile changes, etc.
- A logical architecture, which shows how systems and
external processes interact to implement the above
- A technology analysis document, which includes:
- A network architecture illustrating how Hitachi ID Management Suite will
tie into existing IT infrastructure.
- Integration details for each and every system with which
Hitachi ID Management Suite will exchange data.
- Attribute mappings, correlating user profile attributes
between systems of record, change requests and target
- Process details, including business logic for change
propagation, input validation for the self-service workflow
system, authorizer routing rules, login ID assignment
standards, procedures for delegation and automated escalation
of authorization responsibility, etc.
Installation and configuration
Hitachi ID Systems engineers normally install
Hitachi ID Management Suite either on-site or
by remote control over a VPN. The installation phase normally
includes installing the software on each server, activating the
software, replicating data and configuration where appropriate,
configuring every business process and technical detail
identified in the Technology Analysis document and the Project
Planning document, and initial testing to validate that everything
that was installed and configured works.
Many Hitachi ID Systems customers choose to deploy functionality
Hitachi ID Password Manager (formerly P-Synch) can be deployed incrementally based on a variety of
- Target systems.
Gradual deployment is recommended and normally tied to users -- for example,
activate N users per day and ask them to register.
Where gradual deployment is used, users are classified into three
groups: available, activated and enrolled. Users are automatically
placed in the available group based on their existence on
one or more target systems. Users are automatically moved from
available to activated by a nightly batch process, which
also prompts newly activated users to self-register. Once users
register, they are automatically changed to enrolled status.
The rate of moving users from available
status can be centrally controlled and can be adaptive, for example
depending on the current number of activated but as-yet not
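The following is an added example written for this page to illustrate the available / activated / enrolled rollout described above; it is not Hitachi ID Management Suite code and uses no Hitachi ID API. The three status names follow the text. Everything else is an assumption made for illustration: the throttling rule (activate up to a daily target, but never let the backlog of activated-but-not-enrolled users exceed a cap), the reminder interval, the field and function names, the use of an integer day counter instead of real dates, and the constructed target-system account lists.

```python
"""Added example (not Hitachi ID code): a throttled nightly activation batch.

States follow the page: available -> activated (nightly batch, prompt sent)
-> enrolled (user self-registers). The adaptive rate rule below is an
assumption: the batch stops activating users once the number of activated
but not-yet-enrolled users reaches max_pending, so a stalled registration
backlog automatically slows the rollout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

AVAILABLE, ACTIVATED, ENROLLED = "available", "activated", "enrolled"


@dataclass
class User:
    login: str
    status: str = AVAILABLE
    activated_on: Optional[int] = None  # day number the first prompt was sent
    prompts_sent: int = 0


def discover_users(target_accounts: Dict[str, Set[str]]) -> List[User]:
    """Populate the 'available' group from accounts found on target systems.

    A user becomes available if the login exists on at least one target.
    target_accounts is a constructed {system_name: {logins}} map.
    """
    logins = sorted(set().union(*target_accounts.values()))
    return [User(login) for login in logins]


def activation_quota(users: List[User], daily_target: int, max_pending: int) -> int:
    """Adaptive rate (assumed rule): at most daily_target activations per night,
    reduced so that activated-but-unenrolled users never exceed max_pending."""
    pending = sum(1 for u in users if u.status == ACTIVATED)
    return max(0, min(daily_target, max_pending - pending))


def nightly_batch(users: List[User], day: int, daily_target: int = 50,
                  max_pending: int = 200, remind_every_days: int = 7) -> List[str]:
    """One run of the nightly job. Returns logins prompted tonight:
    newly activated users plus reminders to activated users who have not
    registered after each remind_every_days interval."""
    prompted: List[str] = []
    quota = activation_quota(users, daily_target, max_pending)
    for u in users:
        if quota == 0:
            break
        if u.status == AVAILABLE:
            u.status = ACTIVATED
            u.activated_on = day
            u.prompts_sent = 1
            prompted.append(u.login)
            quota -= 1
    for u in users:
        if u.status == ACTIVATED and u.activated_on is not None:
            age = day - u.activated_on
            if age > 0 and age % remind_every_days == 0:
                u.prompts_sent += 1
                prompted.append(u.login)
    return prompted


def register(users: List[User], login: str) -> bool:
    """Self-registration. Only an activated user may enroll; an available
    (not yet invited) or already enrolled user is rejected."""
    for u in users:
        if u.login == login:
            if u.status != ACTIVATED:
                return False
            u.status = ENROLLED
            return True
    return False


def status_counts(users: List[User]) -> Dict[str, int]:
    """Rollout progress report: how many users are in each group."""
    return {s: sum(1 for u in users if u.status == s)
            for s in (AVAILABLE, ACTIVATED, ENROLLED)}


if __name__ == "__main__":
    # Constructed sample: two target systems sharing some logins.
    targets = {"AD": {"alice", "bob", "carol"}, "SAP": {"bob", "dave"}}
    population = discover_users(targets)
    for night in range(3):
        print("night", night, "prompted:", nightly_batch(population, night, 2, 3))
        print(status_counts(population))
```

The point of the cap is the failure mode the text hints at: if users stop registering (for example the prompt e-mail is being filtered), the backlog fills, `activation_quota` drops to zero, and the rollout pauses on its own instead of inviting more users into a broken flow. `register` refusing users who were never activated also keeps the enrollment page from being used to probe for accounts that are not yet in scope.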
Hitachi ID Identity Manager can be deployed incrementally based on a variety of
- User populations -- by role, classification or geography.
- Target systems and within target systems, account types,
attributes under management, NOS groups under management, etc.
- Features (i.e., automatic change propagation, self-service workflow,
consolidated administration console and delegated administration
Incremental, iterative deployment is recommended: deliver early and
often, to minimize project risk. Avoid attempts to characterize all
system requirements up front -- this is typically hard to do, and requirements
change over time.
Normally key target systems are deployed initially, along with consolidated
administration. Next, automated change propagation is configured and finally
self-service security requests / approvals workflow. Delegated
administration is normally implemented right after consolidated
The precise sequence and schedule of feature, target and business
logic implementation will depend on a detailed project design,
to be completed jointly by Hitachi ID Systems and the customer.
Once in production deployment, Identity Manager is normally extended to
include ever-more target systems, attributes, template accounts, roles,
NOS groups, authorizers, etc. This growth is organic and ongoing --
it is unlikely to cease while Identity Manager is in use.
Where existing tools and processes are being replaced, they are normally
replaced one-by-one, as new capabilities are deployed, pilot-tested,
validated and rolled-out.
After installing Hitachi ID Management Suite,
Hitachi ID Systems engineers produce a
"Site Report," which outlines everything that was installed