A workflow engine allows people and automated processes to request and authorize security changes directly, without involving security administrators. This is a key feature of any successful identity management and access governance system.
Configuring a workflow process can be challenging. As an IAM system is scaled up to support hundreds of target systems, with hundreds of kinds of updates supported on each one, the workflow engine must scale to appropriately validate and authorize thousands of types of transactions.
With a traditional workflow engine, this would require either thousands of flowcharts or thousands of state tables (either way -- unmanageable).
To mitigate the challenge of arithmetic explosion in the number of required workflow processes, the Hitachi ID Identity Manager workflow engine is dynamic, in the sense that a single, powerful state machine is used to track authorizations for every possible change (transaction) on every target system. Plug-in programs alter the behavior of the state machine, using business logic to validate inputs, route requests to the appropriate authorizers based on requested resources or the identity of the requesting principal and so on.
Rather than requiring organizations to define one flowchart for every supported type of user profile change on every target system, a single, built-in flowchart is used to track change authorization for every possible change type, on every system. Organizations are instead asked to define policies for a small number of control points in the master flowchart: input validation, authorizer routing, reminder timing and automatic escalation routing. The same workflow engine, implementing the same change authorization process, applies to every possible user update. Shared business logic ensures that appropriate decisions are made for validation and authorization in every case.
This approach eliminates the need for organizations to graphically draw out and maintain thousands of flowcharts (who wants to do that?), with blocks of business logic (programming) embedded in each one. Instead, Hitachi ID Systems customers use a programming language of their choice to write 4 or 5 blocks of general-purpose business logic, for tasks such as input validation, authorizer routing and escalation. The same logic applies globally, which makes dynamic workflow faster to develop, easier to maintain and clearer to audit.
Dynamic workflow is illustrated in Figure [link].
A dynamic workflow engine is significantly easier to set up and maintain than the alternative: traditional workflow engines where a graphical flow-chart or a state table is manually defined for each and every one of the thousands of possible transaction types.
Using its dynamic workflow engine, Identity Manager can be configured and deployed in weeks, rather than months or years. Furthermore, the dynamic workflow engine in Identity Manager requires minimal ongoing maintenance, resulting in a much lower TCO than a traditional workflow engine.