A request portal is a user interface where requesters can sign in and fill in request forms that pertain to identity data or security entitlements. All identity and access requests have at least one recipient -- who may be the same as the recipient (i.e., a self-service request) or someone else (i.e., a delegated request).
Examples of requests that may be entered into a request portal may include:
- Update personal contact information.
- Changes to a user's name, department, location or manager.
- Request access to an application, share or folder.
- Change membership in a security group or mail distribution list.
- Request creation of a new user profile (e.g., new hire).
- Scheduled or immediate access termination.
In practice, identity and access request portals may incorporate quite complex business logic, for example to control what recipients are visible to a given requester, what kinds of requests are available for a given requester/recipient combination, what identity attributes of a given recipient are visible to and/or editable by a given requester, to validate some and calculate other form inputs, to send requests to appropriate people to approve or reject and more.
- Users can manage their own credentials -- choosing new passwords and PINs for integrated systems and applications, populating security questions, etc.
- Self-service profile updates:
- Making corrections to identity attributes.
- Entering information such as home contact information.
- Requesting organizational changes, such as transfers to a new location, department or manager.
- Name changes.
- Scheduling leaves of absence.
- Scheduled deactivation.
- Access requests for themselves or on behalf of others:
- Group membership.
- Role assignment.
- Login IDs on systems or applications.
- Access to shares, folders, SharePoint sites or other resources.
- Onboarding (e.g., for contractors or other non-SoR users).
- Urgent termination.
- Group management:
- Create new groups on target systems.
- Modify groups (change description, owner, metadata, etc.).
- Manipulate group membership (add/remove one or more accounts or child groups).
- Delete no-longer-needed groups.
- Request management:
- Delegate authority, temporarily or permanently.
- Approve, delegate or reject requests.
- Withdraw previously submitted requests.
- Monitor and manage the request queue.
- White pages / directory search:
- Find another user by entering their name, department, manager, etc.
- Browse the org-chart structure.
This portal is completely policy driven. For example, what options a user gets, what other users he can find or make requests on behalf of and what identity information one user can see in another's profile is controlled by rules. Rules may be simple roles ("all users with attribute X and membership in group Y can perform action Z"). More powerful rules are based on relationships ("user A can request operation B in relation to user C if user A is in group G and users A and B are in the same department.")
Requests submitted through this portal are subject to validation logic (e.g., rules such as "is the city in the user's address consistent with the state or province?") and to approvals. Requests are routed to zero or more authorizers, where approval by some or all of the assigned users is required. The choice of authorizers is likewise policy based, via rules that match on the requester, recipient and operations.