Access Change Authorization - Hitachi ID Identity Manager
Any request submitted to the workflow system in Hitachi ID Identity Manager may have to be approved by an appropriate business user before being fulfilled. Authorizers are normally invited to act by e-mail and respond by clicking on an embedded URL, authenticating and reviewing a request in detail on a secure web portal.
The identity of authorizers and the number of authorizers required prior to fulfillment depend on business rules specific to each Hitachi ID Systems customer:
- In a very simple configuration, all requests can be checked and approved by a single team, such as a security group.
- In more typical deployments, groups of authorizers may be attached to a request because of their association with an entitlement that was requested or because of their relationship within the organization to either the requester or recipient specified in a request.
Regardless of what business logic is used to select authorizers, requests are routed to authorizers, who get an e-mail and periodic reminders, asking for review and approval. Authorizers click on an embedded URL in the e-mail, sign into Identity Manager with their own login ID and password, review the details of the requested change and either grant change approval or reject it.
Authorizers may temporarily or permanently delegate their responsibility -- for example when they leave for holidays or change job functions.
When an authorizer fails to respond to repeated invitations to act, a new authorizer is automatically selected (escalation). Each Hitachi ID Systems customer's business logic controls to whom escalated requests are routed.
Authorizers may be granted partial or total veto power over a request. With partial veto power, their rejection of a change will block just those parts of the change that they were associated with, but other components can still be approved by their own authorizers. Global veto allows an authorizer to cancel a whole request, for multiple resources.
While parallel change authorization is the norm, it is also possible to configure Identity Manager to require serial authorization, by attaching additional authorizers to a change request after an initial set of authorizers have either approved or rejected it.