
Authorization Workflow

Overview of Authorization Process

All change requests processed by Hitachi ID Identity Manager may be subject to an authorization process before being completed, regardless of whether they originated with the auto-provisioning engine, the identity synchronization engine, self-service profile updates or the delegated administration module. The Identity Manager workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. This is accomplished with:

  • Concurrent invitations to multiple users to review a request.
  • Approval by N of M authorizers (N is fewer than M).
  • Automatic reminders to non-responsive authorizers.
  • Escalation from non-responsive authorizers to their alternates.
  • Scheduled delegation of approval responsibility from unavailable approvers to their alternates.
  • Checking authorizers' out-of-office status and pre-emptively escalating requests if an OOO message has been set.
  • Allowing authorizers to approve or reject requests from their mobile phone (from any location, at any time, without a VPN).

Selecting the Right Authorizers

Requests may be submitted to the Identity Manager workflow engine using the included request web portal, by an automated process that monitors a system of record for changes, via a batch loader or through the inbound web services API.

Any request may require approval. Any operation on any managed resource (account/target system, group membership, role assignment) may have one or more authorizers assigned. These resource-linked authorizers are normally augmented by organizationally-linked authorizers, selected via business logic. This logic specifies how many approvers are required (possibly zero), who they are, etc.

A rules table is normally used to select participants for a workflow request. The request is compared to a series of rules and, where a rule matches, participants such as authorizers are assigned, typically using a user class that relates the new participant to the requester or recipient. Rule matching may be based on the form that was used, the membership of the requester or recipient in a group, the type of operation requested, the initial or end-state risk score for the recipient, the entitlement(s) involved, etc.
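A small model of the rules-table selection described above, combined with the N-of-M approval and out-of-office escalation from the overview. This is an added example, not Identity Manager code or its API. The rule contents, the names and the policy that a stage is rejected once N approvals can no longer be reached are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    operation: str          # type of operation requested
    entitlement: str        # resource the change touches
    recipient_manager: str  # organizationally linked authorizer
    risk_score: int         # end-state risk score for the recipient

@dataclass(frozen=True)
class Rule:
    matches: Callable[[Request], bool]
    authorizers: Callable[[Request], list]  # who is invited (M)
    required: int                           # approvals needed (N)

# Constructed rules table; assumption: every matching rule adds a stage.
RULES = [
    Rule(lambda r: r.entitlement == "payroll-admins",
         lambda r: ["owner.a", "owner.b", "owner.c"], 2),
    Rule(lambda r: r.risk_score >= 70,
         lambda r: [r.recipient_manager], 1),
]
ALTERNATES = {"owner.a": "owner.a.alt"}  # escalation targets (constructed)

def select_stages(req):
    """Return one (authorizers, required) stage per matching rule."""
    return [(rule.authorizers(req), rule.required)
            for rule in RULES if rule.matches(req)]

def escalate(authorizers, out_of_office):
    """Swap out-of-office authorizers for their alternate, if one exists."""
    return [ALTERNATES.get(a, a) if a in out_of_office else a
            for a in authorizers]

def decide(stages, votes):
    """votes maps authorizer -> True (approve) / False (reject); absent = no reply.
    A stage passes at N approvals and fails once N can no longer be reached."""
    if not stages:
        return "approved"   # zero required approvers is a valid outcome
    result = "approved"
    for authorizers, required in stages:
        approvals = sum(votes.get(a) is True for a in authorizers)
        rejections = sum(votes.get(a) is False for a in authorizers)
        if len(authorizers) - rejections < required:
            return "rejected"
        if approvals < required:
            result = "pending"
    return result
```

An authorizer with no configured alternate stays on the stage when out of office, so a rules table that sets N equal to M for such a stage can leave the request pending indefinitely.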

Process Diagram

[Figure: Identity Manager Dynamic Workflow]
