Authorization Workflow - Hitachi ID Identity Manager
Overview of authorization process
All change requests processed by Hitachi ID Identity Manager may be subject to an authorization process before being completed, regardless of whether they originated with the auto-provisioning engine, the identity synchronization engine, self-service profile updates or the delegated administration module. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable approvers to alternate approvers.
Selecting the right authorizers
Requests may be submitted to the Identity Manager workflow engine through a self-service web portal, by business logic implementing automated user (de)provisioning or through the Identity Manager SOAP API.
By default, all requests require authorization -- but business logic may override this and auto-approve requests.
Authorizers are selected automatically and may be chosen using OrgChart data (i.e., managers of the requester or recipient), using resource owner data or through other means, such as lookups in an external database or directory.
Each group of authorizers consists of some N>=1 authorizers. Some number M<=N of the authorizers in each group must approve a request before it will be fulfilled by Identity Manager.
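A small model of the quorum, reminder and escalation rules described above, in the notation of the preceding paragraph (N authorizers per group, M approvals required). It is an added example, not Hitachi ID code or its API; the names, the hour thresholds, and the rules that an alternate's approval counts only after escalation and that one person fills at most one seat are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    # One authorizer group: N invited authorizers, M of whom must approve.
    authorizers: list                               # the N authorizers
    required: int                                   # M
    alternates: dict = field(default_factory=dict)  # authorizer -> alternate (assumed mapping)
    remind_after: int = 24                          # hours of silence before a reminder (assumed)
    escalate_after: int = 48                        # hours of silence before escalation (assumed)

    def __post_init__(self):
        if len(set(self.authorizers)) != len(self.authorizers):
            raise ValueError("an authorizer is listed twice")
        if not 1 <= self.required <= len(self.authorizers):
            raise ValueError("need 1 <= M <= N")

def filled_seats(group, approvals):
    """Map each approved seat to who approved it; approvals is {user: hour approved}."""
    filled = {a: a for a in group.authorizers if a in approvals}
    used = set(filled.values())
    for a in group.authorizers:
        alt = group.alternates.get(a)
        if a in filled or alt is None or alt in used:
            continue
        # An alternate's approval counts only once the seat has escalated.
        if approvals.get(alt, -1) >= group.escalate_after:
            filled[a] = alt
            used.add(alt)
    return filled

def evaluate(group, approvals, now):
    """Return (state, authorizers to remind, alternates to invite) at hour `now`."""
    filled = filled_seats(group, approvals)
    if len(filled) >= group.required:
        return "approved", [], []
    silent = [a for a in group.authorizers if a not in filled]
    remind = silent if now >= group.remind_after else []
    invite = sorted({group.alternates[a] for a in silent
                     if a in group.alternates}) if now >= group.escalate_after else []
    return "pending", remind, invite

# Constructed scenario: 2 of 3 must approve; dave is the alternate for both bob and carol.
GROUP = Group(["alice", "bob", "carol"], 2, {"bob": "dave", "carol": "dave"})
```

Approvals from users who hold no seat in the group are ignored because only the group's seats are ever counted.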