Any request submitted to the workflow system in Hitachi ID Identity Manager may have to be approved by an appropriate business user before being fulfilled. Authorizers are normally invited to act by e-mail and respond by clicking on an embedded URL, authenticating and reviewing a request in detail on a secure web portal.
The identity of authorizers and the number of authorizers required prior to fulfillment depend on Hitachi ID Systems customer-specific business rules:
Regardless of what business logic is used to select authorizers, requests are routed to authorizers, who get an e-mail and periodic reminders, asking for review and approval. Authorizers click on an embedded URL in the e-mail, sign into Identity Manager with their own login ID and password, review the details of the requested change and either grant change approval or reject it.
Authorizers may temporarily or permanently delegate their responsibility -- for example when they leave for holidays or change job functions.
When an authorizer fails to respond to repeated invitations to act, new authorizer is automatically selected (escalation). Hitachi ID Systems customer business logic controls to whom escalated requests are routed.
Authorizers may be granted partial or total veto power over a request. With partial veto power, their rejection of a change will block just those parts of the change that they were associated with, but other components can still be approved by their own authorizers. Global veto allows an authorizer to cancel a whole request, for multiple resources.
While parallel change authorization is the norm, it is also possible to configure Identity Manager to require serial authorization, by attaching additional authorizers to a change request after an initial set of authorizers have either approved or rejected it.