An authorization workflow is a process whereby business stakeholders are asked to review and either approve or reject a security change request. Authorizers are typically invited to act by e-mail and respond through an authenticated, secure web form, so that the approval itself is tied to a login rather than to mere possession of the e-mail.
Change requests should be accepted and approved only if they are consistent with business requirements. This is typically done in two steps:
- Request validation:
Automatic inspection of a request to check whether it violates any business rules. For example, a request should not create a segregation of duties (SoD) violation, and should not specify invalid department or location codes.
- Request authorization:
Trivial requests, such as self-service updates to a user's phone number, can be processed immediately.
Requests that originate from a trusted system or person may not require further authorization: for example, requests derived from an authoritative human resources data feed (HR feed), or requests entered by a highly trusted individual such as the CFO.
All other requests should be reviewed by business stakeholders before they are fulfilled.
Hitachi ID Identity Manager incorporates a purpose-built workflow engine, designed to obtain quick and reliable feedback from groups of business users, any one of whom may be individually unreliable. It supports:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N may be less than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
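The two stages described above (rule-based validation and routing of a request, then N-of-M approval with reminders and escalation to alternates) as an added, simulated Python example. This is illustrative code written for this page, not Hitachi ID's engine; the rule sets, authorizer names, sample requests and the policy that a single rejection ends the request are all constructed assumptions.

```python
"""Simulated authorization workflow: validate, route, then run N-of-M approval
with reminders and escalation. Illustrative example; not Hitachi ID code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Constructed business rules (hypothetical values for the example).
VALID_DEPARTMENTS = {"FIN", "ENG", "HR"}
VALID_LOCATIONS = {"NYC", "LON"}
# SoD rule: no one may hold both entitlements of a pair.
SOD_PAIRS = {frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})}
TRUSTED_SOURCES = {"hr_feed", "cfo"}       # authoritative feed / trusted person
SELF_SERVICE_ATTRS = {"phone"}             # trivial self-service updates


@dataclass
class Request:
    requester: str
    source: str                 # "hr_feed", "self_service", "manager", ...
    target: str                 # user the change applies to
    changes: dict               # attribute -> new value
    add_entitlements: set = field(default_factory=set)
    current_entitlements: set = field(default_factory=set)


def validate(req: Request) -> list:
    """Step 1, request validation: return the list of rule violations."""
    errors = []
    dept = req.changes.get("department")
    if dept is not None and dept not in VALID_DEPARTMENTS:
        errors.append(f"invalid department code {dept}")
    loc = req.changes.get("location")
    if loc is not None and loc not in VALID_LOCATIONS:
        errors.append(f"invalid location code {loc}")
    # Check SoD against the entitlements the user would hold AFTER the change.
    resulting = req.current_entitlements | req.add_entitlements
    for pair in SOD_PAIRS:
        if pair <= resulting:
            errors.append("SoD violation: " + " + ".join(sorted(pair)))
    return errors


class Route(Enum):
    REJECT = "reject"           # failed validation
    AUTO = "fulfil immediately"  # trivial or trusted-source request
    REVIEW = "send to authorizers"


def route(req: Request) -> Route:
    """Step 2, request authorization: decide whether human review is needed."""
    if validate(req):
        return Route.REJECT
    trivial = (req.source == "self_service" and req.requester == req.target
               and set(req.changes) <= SELF_SERVICE_ATTRS
               and not req.add_entitlements)
    if trivial or req.source in TRUSTED_SOURCES:
        return Route.AUTO
    return Route.REVIEW


@dataclass
class Authorizer:
    name: str
    alternate: Optional[str] = None   # escalation target when non-responsive


def run_approval(authorizers, responses, n_required, remind_after=2,
                 escalate_after=4, max_ticks=20):
    """Engine simulation over discrete time ticks. All authorizers are invited
    concurrently at tick 0; `responses` maps a name to (tick, decision) or is
    absent for someone who never answers. Returns (outcome, event_log).
    Assumption for the example: a single rejection ends the request."""
    pending = [[a.name, 0, False] for a in authorizers]  # name, invited_at, reminded
    alternates = {a.name: a.alternate for a in authorizers}
    approvals, log = 0, []
    for tick in range(max_ticks + 1):
        still_pending = []
        for name, invited_at, reminded in pending:
            resp = responses.get(name)
            if resp is not None and resp[0] <= tick:
                log.append((tick, name, resp[1]))
                if resp[1] == "reject":
                    return "rejected", log
                approvals += 1
                if approvals >= n_required:
                    return "approved", log
                continue                      # this slot is resolved
            age = tick - invited_at
            if age >= escalate_after:          # escalate to the alternate
                alt = alternates.get(name)
                if alt:
                    log.append((tick, name, f"escalated to {alt}"))
                    still_pending.append([alt, tick, False])
                else:
                    log.append((tick, name, "no alternate; dropped"))
                continue
            if age >= remind_after and not reminded:
                log.append((tick, name, "reminder sent"))
                reminded = True
            still_pending.append([name, invited_at, reminded])
        pending = still_pending
        if not pending:
            break
    return "timed out", log
```

Note that the SoD check is evaluated on the entitlements the user would hold after the change, not only on those being added; a check that only looks at the new entitlements misses the case where the conflicting entitlement is already held.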