A change request is an object in an IAM system, which may have been submitted either by a human user filling in a request form on a request portal or by an automated process, which encapsulates a proposed change to create or modify an identity, to set or change identity attributes, to add or remove membership in security groups, or to assign or revoke a role.
Requests typically have at least two of the following participants:
- Mandatory: a requester -- the person filling in a request form.
- Mandatory: a recipient -- the person whose identity or account(s) will be created or modified.
- Optional: one or more authorizers -- who must review and either approve or reject the request.
- Optional: one or more implementers -- who must actually complete approved requests, in cases where an automated connector is not available to do so.
Requests also have a payload -- specifying what changes will be made to the recipient. The payload consists of operations that will be made on target systems. These operations may specify security groups that the recipient's accounts should be attached to or removed from and/or identity attributes to apply to the user's profile.