An authorization workflow is a process whereby business stakeholders are asked to review and either approve or reject a security change request. Authorizers are typically invited to act via e-mail and respond via an authenticated, secure web form.
Access requests should be accepted and approved only if they are consistent with business requirements. This is typically done in two steps:
- Request validation: automatic inspection of a request to check whether it violates any business rules. For example, requests should not trigger violations of segregation-of-duties (SoD) rules, should not specify invalid department or location codes, etc.
- Request authorization:
  - Trivial requests, such as self-service updates to a user's phone number, can be processed immediately.
  - Requests that originate from a trusted system or person -- for example, requests based on a system of record such as HR, or entered by a highly trusted individual such as the CFO -- may not require further authorization.
  - All other requests should be reviewed by business stakeholders before they are fulfilled. These may be managers, security staff, resource owners, policy owners, etc.
Hitachi ID Identity Manager incorporates a purpose-built workflow engine. This workflow engine is designed to get quick and reliable feedback from groups of business users, even though any individual user may be unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively escalating requests if an OOO message has been set.
- Allowing authorizers to approve or reject requests from their mobile phone (from any location, at any time, without a VPN).
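The N-of-M approval, pre-emptive out-of-office escalation and escalation to alternates described above, as an added Python sketch (not Hitachi ID code). It assumes a single rejection closes the request, which the page does not state, and that an authorizer who is already out of office is swapped for their alternate before the invitation goes out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Authorizer:
    name: str
    alternate: Optional[str] = None   # who receives the request on escalation
    out_of_office: bool = False       # OOO flag, e.g. read from the mail system

@dataclass
class ApprovalRequest:
    """A request sent concurrently to M invited authorizers; N approvals fulfil it."""
    authorizers: Dict[str, Authorizer]
    invited: List[str]                # the M authorizers currently holding the request
    required: int                     # N, the approvals needed
    decisions: Dict[str, bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        assert 0 < self.required <= len(self.invited), "N must not exceed M"
        # Pre-emptive escalation: anyone already OOO is replaced before invitations go out
        for name in list(self.invited):
            if self.authorizers[name].out_of_office:
                self.escalate(name, reason="out-of-office")

    def escalate(self, name: str, reason: str) -> bool:
        """Hand a non-responsive (or OOO) authorizer's invitation to their alternate."""
        alt = self.authorizers[name].alternate
        if alt is None or alt in self.invited:
            self.log.append(f"{name}: no usable alternate ({reason})")
            return False
        self.invited[self.invited.index(name)] = alt
        self.log.append(f"{name} -> {alt} ({reason})")
        return True

    def decide(self, name: str, approve: bool) -> bool:
        """Record a decision; only currently invited authorizers may act, and only while pending."""
        if name not in self.invited or self.status() != "pending":
            return False
        self.decisions[name] = approve
        return True

    def status(self) -> str:
        if any(d is False for d in self.decisions.values()):
            return "rejected"                       # assumption: one rejection denies
        if sum(1 for d in self.decisions.values() if d) >= self.required:
            return "approved"                       # N of M approvals collected
        return "pending"
```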