25.14 Automated Access Provisioning and Deprovisioning

You can set up business roles to automatically request provisioning and deprovisioning of authorized resources for users in the business role. The business role must allow automatic fulfillment on the Owners and Administration tab. For more information, see Defining Business Roles. In addition, you must configure individual authorized resources to allow automatic granting or revoking of the resource.

25.14.1 Automatic Provisioning Requests

Identity Governance evaluates whether the system needs to request automatic provisioning of an authorized resource when any of the following events occur:

  • A user has become a member of a business role.

  • A business role is modified to authorize a resource and republished.

  • A business role resource enters its validity period.

Identity Governance detects changes in business role membership when you publish identities, applications, and business roles. In addition, it periodically runs a task to check if authorized resources have entered their validity period.

When Identity Governance determines that a user has become authorized to have a resource for any of the above reasons, it issues a provisioning request for the user + resource if:

  • The resource authorization specifies automatic granting.

  • The user does not already have the resource.

    NOTE: For applications, this means that the user does not currently have an account in the application.

  • There is no pending automatic change request for the resource to be granted to the user.

    NOTE: A change request is considered pending until it is verified or fails verification for some reason.

25.14.2 Automatic Deprovisioning Requests

Identity Governance evaluates whether the system needs to request automatic deprovisioning of a resource when any of the following events occur:

  • A user is no longer a member of a business role.

  • A business role is modified to no longer authorize a resource and is republished.

  • A business role is deactivated.

  • A business role is deleted.

  • A business role resource authorization exits its validity period.

Identity Governance detects changes in business role membership when you publish identities, applications, and business roles. It also periodically runs a task to check if authorized resources have exited their validity period.

The decision whether to issue a deprovisioning request deliberately has more controls than the decision whether to issue a provisioning request. The extra level of control is intended to prevent mistakes that could lead to accidental and unintended deprovisioning of critical resources for users. When the system detects that a business role no longer authorizes a resource for a particular user for any of the above reasons, it will do the following to determine if it should issue a deprovisioning request for the user + resource:

  • Determine if the user currently has the resource. If not, a deprovisioning request is not needed. For applications, a user has the resource if they have an account in the application.

  • Determine if there is a pending automatic deprovisioning request for the user + resource. If so, no new deprovisioning request will be issued. A change request is considered pending until it is verified or fails verification for some reason.

  • Determine if any other business roles currently authorize the resource for the user. If so, no deprovisioning request will be issued. Identity Governance does not issue automatic deprovisioning requests until the user has lost ALL of its authorizations for a resource. Other business roles might authorize the resource for various other users, but if none of the business roles authorize the resource for the user in question, they are not considered.

When Identity Governance determines that the user has lost its last authorization for a resource, it creates a list of business roles to consult to determine if a deprovisioning request should be issued. The system adds a business role to this list if it meets ALL of the following conditions:

  • Must have authorized the resource for the user at one time. There may be business roles that currently authorize or have previously authorized the resource for other users, but if they have never authorized it for the specific user in question, they are not relevant here.

  • Must have authorized the resource for the user recently enough. If the user lost its authorization for the resource from a business role too long ago, that business role is not considered. The auto revoke period, which can be specified for the business role, defines how long ago is too long. For more information, see Defining Business Roles. The auto revoke period is defined on the Owners and Administration tab.

  • Must be currently published, not deactivated or deleted. Deactivated or deleted business roles are not relevant here.

  • Must have a current authorization for the resource in question. Business roles that authorized the resource in the past but no longer authorize it are not relevant here.

  • Resource must be in the validity period specified by that authorization. An authorization whose validity period has not yet started, or has already ended, is not relevant here.

To issue a deprovisioning request, one or more business roles that meet ALL of these conditions must exist, and they must ALL currently specify automatic revoking for the resource in question. Otherwise, no deprovisioning request will be issued.
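The deprovisioning decision described in this section, modelled as an added Python example (this is not Identity Governance code; the class and function names, the data model, and the treatment of an unspecified auto revoke period as "no limit" are assumptions made for the illustration):

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Authorization:          # one "business role authorizes resource" entry
    valid_from: date
    valid_to: date
    auto_revoke: bool         # the authorization allows automatic revoking

@dataclass
class BusinessRole:
    name: str
    published: bool                      # False models deactivated or deleted
    authorizations: dict                 # resource -> Authorization
    members: set = field(default_factory=set)   # users currently in the role
    # (user, resource) -> date this role last authorized the resource for the user
    last_authorized: dict = field(default_factory=dict)
    auto_revoke_period: Optional[timedelta] = None   # None: no limit (assumption)

    def authorizes_now(self, user, resource, today):
        auth = self.authorizations.get(resource)
        return (self.published and user in self.members and auth is not None
                and auth.valid_from <= today <= auth.valid_to)

def should_deprovision(user, resource, roles, holdings, pending, today):
    """Apply the documented checks in order; returns (decision, reason)."""
    if (user, resource) not in holdings:
        return False, "user does not have the resource"
    if (user, resource) in pending:
        return False, "automatic deprovisioning request already pending"
    if any(r.authorizes_now(user, resource, today) for r in roles):
        return False, "another business role still authorizes the resource"
    consulted = []                       # roles meeting ALL five conditions
    for r in roles:
        lost_on = r.last_authorized.get((user, resource))
        auth = r.authorizations.get(resource)
        if lost_on is None or not r.published or auth is None:
            continue                     # never authorized for this user, or not published/current
        if r.auto_revoke_period is not None and today - lost_on > r.auto_revoke_period:
            continue                     # authorization was lost too long ago
        if not (auth.valid_from <= today <= auth.valid_to):
            continue                     # outside the authorization's validity period
        consulted.append(r)
    if not consulted:
        return False, "no business role qualifies to be consulted"
    if all(r.authorizations[resource].auto_revoke for r in consulted):
        return True, "every consulted business role specifies automatic revoking"
    return False, "a consulted business role does not specify automatic revoking"
```

Because the consulted list is built only after the "still authorized elsewhere" and "pending request" checks, a single role that has auto revoke switched off is enough to block the request, which is the conservative behaviour the section describes.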