An authorization workflow is a process whereby business stakeholders are asked to review and either approve or reject a security change request. Authorizers are typically invited to act via e-mail and respond via an authenticated, secure web form.
A workflow engine allows business users and automated processes to request and authorize access changes. This is a key feature of any successful IAM system.
Users sign into a secure web application and submit change requests by selecting and filling in a suitable form. Requests are validated by the workflow engine and the requester may be required to make corrections.
Some parts of a request may be automatically filled in and may not even be visible to the requester. For example, the IAM system might automatically assign a standard login ID to all new accounts, assign a file server and mail server, select a directory OU and so on.
The workflow engine forwards valid requests to one or more authorizers. These are simply other users, chosen through the application of security policy. Example authorizers may include application owners and managers in the chain of command above the requester. Some requests may not require authorization at all.
Authorizers are normally invited to review and either approve or deny change requests by e-mail. A URL is embedded in the e-mail, which authorizers follow to a secure web application where they sign in, see request details and either approve or deny the request.
The workflow engine must allow for the possibility that authorizers will not respond in a timely manner -- by automatically sending reminders and escalating requests from unresponsive authorizers to other responsible users.
The workflow engine must also allow authorizers to actively delegate their responsibility, for example when they schedule time off or when they change jobs permanently.
Self-service and delegated updates to identities and entitlements are illustrated in Figure [link].
Hitachi ID Identity Manager incorporates a purpose-built workflow engine. The IAM system workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. This is accomplished with:
- Concurrent invitations to multiple users to review a request.
- Approval by N of M authorizers (N is fewer than M).
- Automatic reminders to non-responsive authorizers.
- Escalation from non-responsive authorizers to their alternates.
- Scheduled delegation of approval responsibility from unavailable to alternate approvers.
- Checking authorizers' out-of-office status and pre-emptively escalating requests if an OOO message has been set.
- Allowing authorizers to approve or reject requests from their mobile phone (from any location, at any time, without a VPN).
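The N-of-M approval, reminder, escalation and delegation rules listed above, modelled as an added example; this is illustrative code written for this page, not Hitachi ID's implementation, and the `Authorizer` record fields, the time unit (hours), the single-reminder policy and the rule that any one denial rejects the request are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Authorizer:            # hypothetical directory record
    alternate: str = ""      # escalation target when unresponsive
    delegate: str = ""       # scheduled hand-off (time off, job change)
    out_of_office: bool = False

class ApprovalRequest:       # N-of-M approval with reminders, escalation, delegation (hours assumed)
    def __init__(self, directory, authorizers, required, remind_after, escalate_after):
        self.dir, self.required = directory, required
        self.remind_after, self.escalate_after = remind_after, escalate_after
        self.decisions, self.pending, self.events = {}, {}, []   # events = audit trail
        for name in authorizers:
            self.invite(name, 0)

    def invite(self, name, now, seen=()):
        a = self.dir[name]
        if name in seen or name in self.pending or name in self.decisions:
            return                                   # delegation loop or already involved
        if a.delegate:                               # scheduled delegation applies first
            self.events.append((now, "delegated", name, a.delegate))
            return self.invite(a.delegate, now, seen + (name,))
        if a.out_of_office and a.alternate:          # OOO set: escalate pre-emptively
            self.events.append((now, "ooo-escalated", name, a.alternate))
            return self.invite(a.alternate, now, seen + (name,))
        self.pending[name] = (now, False)            # (invited_at, reminder_sent)
        self.events.append((now, "invited", name))

    def decide(self, name, verdict, now):            # verdict: "approve" or "deny"
        if name in self.pending and self.status() == "pending":
            del self.pending[name]
            self.decisions[name] = verdict
            self.events.append((now, verdict, name))

    def tick(self, now):                             # scheduler: remind once, then escalate
        for name, (t, reminded) in list(self.pending.items()):
            if now - t >= self.escalate_after:
                del self.pending[name]
                alt = self.dir[name].alternate
                self.events.append((now, "escalated", name, alt))
                if alt:
                    self.invite(alt, now, (name,))
            elif not reminded and now - t >= self.remind_after:
                self.pending[name] = (t, True)
                self.events.append((now, "reminder", name))

    def status(self):
        if "deny" in self.decisions.values():        # assumption: any single denial rejects
            return "denied"
        if sum(v == "approve" for v in self.decisions.values()) >= self.required:
            return "approved"
        return "pending" if self.pending else "expired"
```

The `events` list is the audit trail a reviewer would want to inspect later: who was invited, who was reminded, and where each escalation or delegation sent the request.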