Overview of workflow
The Hitachi ID Identity Manager workflow automates general-purpose processes for three distinct identity management and access governance related functions. It allows Hitachi ID Systems customer to inject business rules (decision logic) into each of these three processes. The processes implemented by the Identity Manager workflow are:
- Authorization -- for requests that may have originated in the web portal, API, automation engine or Actionable Analytics.
- Implementation -- on systems where it is uneconomical or technically infeasible to automate integration, to invite people to complete tasks.
- Certification -- to invite business stake-holders to review users, entitlements and configuration of objects such as roles.
Human participants in workflow are often slow or unresponsive. Because timely and reliable response is required, a variety of strategies are included to improve human engagement. This includes:
- Inviting multiple participants concurrently.
- Allowing for consensus decisions.
- Sending reminders to non-responsive participants.
- Automatically escalating after multiple reminders.
- Escalating pre-emptively based on out-of-office status.
- Participation using smart phones.
To configure these processes, Hitachi ID customer edits rules in a handful of policy tables. Policies set default request attributes, validate user input, calculate values such as unique identifiers, select authorizers and reroute requests when authorizers fail to respond.
Workflow in Identity Manager
Identity Manager implements workflow with a policy-driven approach, which is much more reliable and manageable than one using flowcharts:
Response time / SLA:
Full authorization before action.
Soliciting input from (unreliable) humans
The Identity Manager workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively escalating requests if an OOO message has been set.
- Allowing authorizers to approve or reject requests from their mobile phone (from any location, at any time, without a VPN).