An authorization workflow is a process whereby business stakeholders are asked to review and either approve or reject a security change request. Authorizers are typically invited to act via e-mail and respond via an authenticated, secure web form.
Access requests should be accepted and approved only if they are consistent with business requirements. This is typically done in two steps:
1. Automatic inspection of the request to check whether it violates any business rules. For example, a request should not trigger violations of SoD rules and should not specify invalid department or location codes.
2. Review of the request for authorization, where the level of review depends on its origin and content:
   - Trivial requests, such as self-service updates to a user's phone number, can be processed immediately.
   - Requests that originate from a trusted system or person -- for example, requests based on an authoritative data feed from a human resources system (HR feed), or requests entered by a very trustworthy person such as the CFO -- may not require further authorization.
   - All other requests should be reviewed by business stakeholders before they are fulfilled. These may be managers, security staff, resource owners, policy owners, etc.
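The two-step evaluation above, written out as an added Python example that is not part of the original page or of Hitachi ID's product: step 1 runs the automatic business-rule checks (invalid department or location codes, SoD conflicts between entitlements the user would hold), and step 2 decides whether a request is rejected, fulfilled immediately (trivial self-service or trusted origin), or routed to business stakeholders. All reference data (codes, the SoD rule, trusted sources and requesters, manager and resource-owner tables) is constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed reference data (not from the page); a real system loads this from its policy store.
VALID_DEPARTMENTS = {"FIN", "ENG", "HR"}
VALID_LOCATIONS = {"NYC", "LON"}
SOD_RULES = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")]  # must not be held together
TRUSTED_SOURCES = {"hr_feed"}     # authoritative feeds, e.g. the HR system
TRUSTED_REQUESTERS = {"cfo"}      # individually trusted requesters
SELF_SERVICE_ATTRS = {"phone", "mobile"}  # attributes a user may change alone
MANAGER_OF = {"alice": "bob", "dave": "erin"}
RESOURCE_OWNER = {"AP_APPROVE_PAYMENT": "carol", "GIT_PUSH": "frank"}

@dataclass
class AccessRequest:
    requester: str
    source: str        # "hr_feed", "self_service", "web_form", ...
    target_user: str
    department: str
    location: str
    current: set = field(default_factory=set)     # entitlements already held
    requested: set = field(default_factory=set)   # entitlements being asked for
    attributes: dict = field(default_factory=dict)  # profile attribute changes

def inspect(req):
    """Step 1: automatic inspection against business rules; returns violations."""
    violations = []
    if req.department not in VALID_DEPARTMENTS:
        violations.append(f"invalid department code {req.department!r}")
    if req.location not in VALID_LOCATIONS:
        violations.append(f"invalid location code {req.location!r}")
    held = req.current | req.requested  # entitlements the user would end up with
    for a, b in SOD_RULES:
        if a in held and b in held:
            violations.append(f"SoD violation: {a} with {b}")
    return violations

def authorizers(req):
    """Stakeholders who must approve: the user's manager plus each resource owner."""
    people = {MANAGER_OF.get(req.target_user), *(RESOURCE_OWNER.get(e) for e in req.requested)}
    return sorted(p for p in people if p)

def route(req):
    """Step 2: reject, fulfil immediately, or send to stakeholders for review."""
    violations = inspect(req)
    if violations:
        return "reject", violations
    trivial = req.requester == req.target_user and not req.requested and set(req.attributes) <= SELF_SERVICE_ATTRS
    if trivial or req.source in TRUSTED_SOURCES or req.requester in TRUSTED_REQUESTERS:
        return "fulfill", []
    return "authorize", authorizers(req)
```

Note that inspection runs before the trust shortcut, so a request from a trusted source that would create an SoD conflict is still rejected rather than fulfilled.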
Hitachi ID Identity Manager incorporates a purpose-built workflow engine. The Identity Manager workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. This is accomplished with: