9.2 Configuring Fulfillment

Identity Governance provides three default options for fulfillment targets for provisioning the changeset items from a review: Identity Manager automated, Identity Manager workflow, and manual (a user or group). You can also integrate and automate Identity Governance fulfillment with your service desk system by adding and configuring a connector to your service desk system in Identity Governance Fulfillment Configuration. Identity Governance supports the following fulfillment targets:

  • Active Directory LDAP

  • BMC Remedy Incident

  • CSV

  • eDirectory LDAP

  • Generic HTTP

  • Identity Manager Dxcmd Fulfillment for Active Directory

  • REST Service

  • ServiceNow Generic

  • ServiceNow Incident

  • ServiceNow Request

  • SOAP Service

To configure fulfillment methods:

  1. Log in to Identity Governance as a user with global, fulfillment, or bootstrap administrator authorization assignment.

  2. Select Fulfillment > Configuration.

  3. (Conditional) Select a fulfillment target.

    or

    If you want to add a fulfillment target, select + and complete the required fields in the template. When adding fulfillment targets, you must configure service parameters to connect Identity Governance to your fulfillment service, and then configure mappings to create an appropriate fulfillment request. When viewing the list of mapped attributes for a field, you might see some items that are unavailable for selection and shown with a strike-through line across the text. An Identity Governance administrator must enable these attributes in Configuration > Context Fulfillment Attributes.

    NOTE: You can download the fulfillment target templates, edit them, and upload them to Identity Governance instead of configuring the service parameters and mappings in the application. For more information, see Section 9.3, Customizing Fulfillment Target Templates.

  4. Make any additional updates for the selected fulfillment target, such as fulfillment response mapping and specifying change request types, and select Save.

  5. Select Fulfillment > Configuration and select the Application setup tab.

  6. (Optional) If you want to use the same fulfillment method for multiple applications, you can select and configure them using the Fulfillment Target selector at the top of the page.

  7. For each application, select the fulfillment method in the Fulfillment Target column. The Change Request Type column updates to show whether the fulfillment target handles all change request types or some types for this application.

  8. (Optional) Select customize to change the default configuration for any fulfillment method you want to customize for a given application. Identity Governance adds an icon to each application row showing that you have customized the fulfillment configuration and providing an easy way to restore default values.

  9. Select the Catalog update setup tab and select the fulfillment method for each type of catalog update request initiator you have in place.

  10. Select Save Fulfillment Configuration using the icon at the top of the tab when you have made changes.

9.2.1 Configuring Multiple Fulfillment Targets for an Application

You can configure each application to use multiple fulfillment targets. For example, you might have one system that processes all requests to add access and a different system that processes all requests to remove access.

  1. Log in to Identity Governance as a user with global, fulfillment, or bootstrap administrator authorization assignment.

  2. Select Fulfillment > Configuration and select the Application setup tab.

  3. Select the green plus sign (+) next to the fulfillment target where you want to specify multiple targets.

  4. Select the target you want to process change requests in each row for the application. You can use the same fulfillment target and customize each row to process different requests, or you can use a different target for certain requests.

    NOTE: To assist the Fulfillment Administrator in making sure that the configured fulfillment targets handle all change request types, Identity Governance shows which change request types are configured next to each fulfillment target. If a target does not support any of the change request types, those unsupported types display in red text.

  5. After making changes, select the save icon at the top of the tab to save your settings.

9.2.2 Transforming Data from Fulfillment Targets

You can transform the incoming data from fulfillment targets to have Identity Governance display more meaningful information. For example, instead of displaying only the incident number from your fulfillment system, you could display additional text, such as “Incident number 123456 was created in ServiceNow” in Identity Governance.

The transforms are written in Nashorn-compatible JavaScript in the Fulfillment Response mapping section of the fulfillment target configuration. Within the JavaScript, you access the incoming value through a variable named inputValue. After manipulating the incoming value, you return the result to Identity Governance by assigning it to a variable named outputValue.

The following example transforms the incoming value, which is a tracking number from the connected system, so that Identity Governance displays "Incident number 123456 created in ServiceNow".

outputValue = 'Incident number ' + inputValue + ' created in ServiceNow'
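A more defensive version of the transform above, as an added example that is not part of the product documentation: the tracking value arrives from an external system, so the script checks it before it is displayed. The wrapper function, the 64-character cap, the allowed character set, and the fallback messages are assumptions made for illustration; in the product only the marked script body would be pasted into the mapping.

```javascript
// Added example, not from the product documentation.
// In Identity Governance the script body runs with inputValue already bound
// and the product reads outputValue afterwards. The wrapper function exists
// only so the logic can be run and tested outside the product.
function transformTrackingNumber(inputValue) {
    var outputValue;

    // ---- begin script body (ES5 only, to stay Nashorn-compatible) ----
    var MAX_LEN = 64; // assumed upper bound for a tracking number
    var raw = (inputValue === null || inputValue === undefined) ? '' : String(inputValue);

    // Strip control characters and surrounding whitespace from the external value.
    var cleaned = raw.replace(/[\u0000-\u001F\u007F]/g, '').replace(/^\s+|\s+$/g, '');

    if (cleaned.length === 0) {
        // The target returned nothing usable.
        outputValue = 'No incident number returned by ServiceNow';
    } else if (cleaned.length > MAX_LEN || !/^[A-Za-z0-9_-]+$/.test(cleaned)) {
        // Assumed format: letters, digits, underscore, hyphen. Anything else
        // is not echoed into the display text.
        outputValue = 'Unexpected tracking value returned by ServiceNow';
    } else {
        outputValue = 'Incident number ' + cleaned + ' created in ServiceNow';
    }
    // ---- end script body ----

    return outputValue;
}
```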

To change fulfillment target response mapping:

  1. Log in to Identity Governance as a user with global, fulfillment, or bootstrap administrator authorization assignment.

  2. Under Fulfillment > Configuration, select an existing fulfillment target or create a new one.

  3. Expand the Fulfillment Response mapping section and select the braces ({ }) next to the attribute you want to transform.

    NOTE: Two dots between the braces ({..}) denote that a transform script exists for an attribute.

  4. Enter or edit the existing transform script in one of the following ways:

    • Paste a script in the text field

    • Select Advanced Edit to open a script editor

    • Select Browse to upload a script file

  5. Save the fulfillment target.

9.2.3 Configuring Identity Manager and Manual Fulfillment Methods

For Identity Manager automated, Identity Manager workflow, and manual fulfillment methods, Identity Governance evaluates and fulfills the change items without the need for extensive configuration. When specifying one of the default methods of fulfillment, observe the following considerations:

Identity Manager Automated

Applies only when you integrate Identity Governance with Identity Manager.

Specify whether you want to use automated provisioning with manual fulfillment or a workflow as the fallback method. Then specify the values associated with the fallback method. For more information, see Section 9.5.3, Automatically Fulfilling the Changeset.

Identity Manager Workflow

Applies only when you integrate Identity Governance with Identity Manager.

Specify the name of a workflow that already exists in Identity Manager. The workflow needs to have inputs for the following fields:

  • String: changesetId

  • String: appId

To connect to the external provisioning system, specify the workflow settings in the Identity Governance Configuration Utility. For more information, see External Provisioning System.

For more information about the workflow process, see Section 9.5.2, Using Workflows to Fulfill the Changeset.

Manual

Specify an individual or group of individuals to serve as the fulfiller. For more information about manual fulfillment, see Section 9.5.1, Manually Fulfilling the Changeset.

To have Identity Governance email reminders to the fulfillers, ensure that you configure email notifications. For more information about configuring notifications, see Notification System. For more information about customizing emails, see Section 2.1, Customizing the Email Notification Templates.

9.2.4 Configuring Service Desk Fulfillment

Identity Governance includes connectors to various service desk products to enable fulfillment integration with your incident management applications. When you connect to an application for fulfillment, you must configure the connector to map the data fields in the change item to the input fields of the application. In a typical service desk environment, all systems and applications that the service desk manages are input as configuration management items.

The Identity Governance Fulfillment target configuration allows you to customize your incidents for these various systems. When you create a service desk fulfillment target in Identity Governance, you provide the connection information and credentials for the target system as well as a default configuration specifying the fields you want Identity Governance to populate in your incidents. After you assign a target fulfillment system to an application, you can then customize that default configuration to appropriately map the application configuration item, assignment group, severity, and other fields for that specific application.

Identity Governance exposes the following data fields from each changeset item to the fulfillment target connectors:

changeItemId

A long value containing the internal change item number

changeSetId (optional)

A long value containing the internal changeset number

changeRequestType

A string value containing one of the following values:

  • REMOVE_ACCOUNT_PERMISSION

  • ADD_USER_TO_ACCOUNT

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT_ASSIGNMENT

  • REMOVE_ACCOUNT

  • ADD_PERMISSION_TO_USER

  • ADD_APPLICATION_TO_USER

  • ADD_TECH_ROLE_TO_USER

  • MODIFY_PERMISSION_ASSIGNMENT

  • MODIFY_ACCOUNT_ASSIGNMENT

  • MODIFY_ACCOUNT

  • REMOVE_APPLICATION_FROM_USER

fulfillmentInstructions (optional)

Instructions the reviewer provided for the fulfiller

userName

Display name of the user that is the target of the change item

account (optional)

Identifier of the account

accountLogicalId (optional)

Logical system identifier of the account. This only applies to Identity Manager SAP User Management driver accounts.

accountProvId (optional)

The collected identifier that indicates the unique ID of the account

appName

Name of the application to which the permission being provisioned belongs

fulfillerName (optional)

Name of the fallback fulfillment user

reason

Generated description of the action being requested by the change item

requesterName

Display name of the reviewer who requested the change

permName

Name of the permission being provisioned

permProvAttr

Name of the target permission attribute being modified

permProvLogicalId (optional)

Logical system identifier of the permission being provisioned. This only applies to the Identity Manager SAP User Management driver permissions.

permProvId (optional)

The collected unique provisioning identifier of the permission

reviewReasonId (optional)

The internal long value for the reason

reviewReason (optional)

The reason text

userProfile (optional)

Attribute to provide context to the fulfiller on the recipient of the fulfillment item

requesterProfile (optional)

Attribute to provide context to the fulfiller on the requester of the fulfillment item

accountProfile (optional)

Attribute to provide context to the fulfiller on the account if the fulfillment item is an account

permissionProfile (optional)

Attribute to provide context to the fulfiller on the permission if the fulfillment item is a permission

The following shows a sample change item payload:

{
    "accountProvId": "d2a293ff-71c5-492f-9415-e08830b635b2",
    "changeItemId": 8300,
    "changeRequestType": "REMOVE_PERMISSION_ASSIGNMENT",
    "userName": "Abby Spencer",
    "accountName": "aspencer",
    "account": "CN=Abby Spencer,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com",
    "appName": "Money Honey Financials",
    "reason": "REMOVE_PERMISSION_ASSIGNMENT remove permission Marketing Portal requested by Aaron Corry while certifying Money Honey Financials",
    "requesterName": "Andrew Astin",
    "permName": "Marketing Portal",
    "permProvAttr": "member",
    "permProvId": "e07db779-5c30-44d2-bc0c-6dfa30cfa6af"
}

Mapping Identity Governance change item data to target application data fields is similar to configuring data source collectors. This includes support for static-value mapping and per-field data transformation. For more information, see Section 2.2, Customizing the Collector Templates for Data Sources.

Since the implementation of any particular service desk application varies widely for each customer, it may be useful to manually create sample incidents using the application user interfaces to validate the desired inputs for each fulfillment method.
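To make the mapping concrete, the following added example (not the connector's template or code) validates a change item like the sample payload above and maps it to the ServiceNow incident fields listed in the ServiceNow Incident Management mapping table later in this section. The function names, the choice of required fields, the description layout, and the element rendering are assumptions for illustration; values are XML-escaped because fields such as reason and fulfillmentInstructions carry free text into an XML payload.

```javascript
// Added example: illustration only, not the connector's template or code.
// changeRequestType values listed in this section.
var CHANGE_REQUEST_TYPES = [
    'REMOVE_ACCOUNT_PERMISSION', 'ADD_USER_TO_ACCOUNT', 'REMOVE_PERMISSION_ASSIGNMENT',
    'REMOVE_ACCOUNT_ASSIGNMENT', 'REMOVE_ACCOUNT', 'ADD_PERMISSION_TO_USER',
    'ADD_APPLICATION_TO_USER', 'ADD_TECH_ROLE_TO_USER', 'MODIFY_PERMISSION_ASSIGNMENT',
    'MODIFY_ACCOUNT_ASSIGNMENT', 'MODIFY_ACCOUNT', 'REMOVE_APPLICATION_FROM_USER'
];
// Fields the incident mapping reads that the field list does not mark optional.
var REQUIRED = ['changeItemId', 'changeRequestType', 'userName', 'appName', 'reason', 'requesterName'];

// Trimmed copy of the sample change item payload shown in this section.
var SAMPLE_CHANGE_ITEM = {
    changeItemId: 8300,
    changeRequestType: 'REMOVE_PERMISSION_ASSIGNMENT',
    userName: 'Abby Spencer',
    account: 'CN=Abby Spencer,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com',
    appName: 'Money Honey Financials',
    reason: 'REMOVE_PERMISSION_ASSIGNMENT remove permission Marketing Portal requested by Aaron Corry while certifying Money Honey Financials',
    requesterName: 'Andrew Astin'
};

// Return a list of problems; an empty list means the item can be mapped.
function validateChangeItem(item) {
    var errors = [];
    REQUIRED.forEach(function (name) {
        if (item[name] === undefined || item[name] === null || item[name] === '') {
            errors.push('missing ' + name);
        }
    });
    if (item.changeRequestType && CHANGE_REQUEST_TYPES.indexOf(item.changeRequestType) === -1) {
        errors.push('unknown changeRequestType ' + item.changeRequestType);
    }
    return errors;
}

// Build the incident field map: change item data plus the table's static values.
function mapToIncidentFields(item) {
    var errors = validateChangeItem(item);
    if (errors.length > 0) { throw new Error('invalid change item: ' + errors.join('; ')); }
    // Assumed description layout; the template's own transformation is not shown on this page.
    var description = [item.reason, 'Application: ' + item.appName, 'User: ' + item.userName,
        'Account: ' + (item.account || 'n/a')].join('\n');
    return {
        cmdb_ci: item.appName,
        category: 'request',
        description: description,
        contact_type: 'automated',
        correlation_id: String(item.changeItemId),
        correlation_display: 'Access review or request fulfillment item',
        caller_id: item.requesterName,
        opened_by: item.requesterName,
        severity: '2',
        urgency: '2',
        impact: '2'
    };
}

function xmlEscape(value) {
    return String(value).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;').replace(/'/g, '&apos;');
}

// Render each field as an escaped XML element; the SOAP envelope is out of scope here.
function renderFieldElements(fields) {
    return Object.keys(fields).map(function (name) {
        return '<' + name + '>' + xmlEscape(fields[name]) + '</' + name + '>';
    }).join('\n');
}
```

Fields that have no default mapping in the table (assignment_group, subcategory, short_description) are left out of the map on purpose; they are the per-application values you set when customizing the target.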

BMC Remedy Incident Management Integration

The Identity Governance fulfillment connector for BMC Remedy uses the HPD_IncidentInterface_Create SOAP service Helpdesk_Submit_Service method for creating incidents in the Remedy application. For example, http://your-service-host/arsys/WSDL/public/your_server/HPD_IncidentInterface_Create_WS.

The connector uses a pre-configured template that maps the Identity Governance change item data and application-specific static values into various attributes in the SOAP XML payload. The WSDL from your incident management application indicates any value constraints for input fields. The fulfillment target service can populate all valid fields in the service desk interface, so if you want to extend the set of fields that the Identity Governance template populates or modify the default mappings of the template, contact your Micro Focus technical support representative for details.

IMPORTANT: The Remedy application requires several fields to create an incident. The template identifies fields that must be properly configured to ensure the ability to create incidents.

Use the following table to understand the Identity Governance mappings to the Remedy incident fields. Quotation marks surround static values. You can modify the static values provided in the template to conform with the options available in the target service desk application.

| BMC Remedy Incident Field | Identity Governance Mapping |
|---|---|
| Service_Type | "User Service Request" (required) |
| Reported_Source | "Direct Input" (required) |
| Status | "New" (required) |
| Action | "CREATE" (required) |
| Urgency | "3-Medium" (required) |
| Impact | "3-Moderate/Limited" (required) |
| First_Name | (required) |
| Last_Name | (required) |
| Notes | reason, appName, userName, account (ECMAScript transformation provided) |
| Summary | changeRequestType |
| HPD_CI_ReconID | |

ServiceNow Incident Management Integration

The Identity Governance fulfillment connector for ServiceNow Incident Management uses the Incident SOAP service insert method for creating incidents in the Incident Management application. For example, https://your-service-url/incident.do?WSDL.

The connector uses a pre-configured template that maps the Identity Governance change item data and application-specific static values into various attributes in the SOAP XML payload. The WSDL from your incident management application indicates any value constraints for input fields. The fulfillment target service can populate all valid fields in the service desk interface, so if you want to extend the set of fields that the Identity Governance template populates or modify the default mappings of the template, contact your Micro Focus technical support representative for details.

Use the following table to understand the Identity Governance mappings to the Incident Management incident fields. Quotation marks surround static values. You can modify the static values provided in the template to conform with the options available in the target service desk application.

| ServiceNow Incident Field | Identity Governance Mapping |
|---|---|
| cmdb_ci | appName |
| assignment_group | |
| category | "request" |
| subcategory | |
| description | reason, appName, userName, account (ECMAScript transformation provided) |
| contact_type | "automated" |
| short_description | |
| correlation_id | changeItemId |
| correlation_display | "Access review or request fulfillment item" |
| caller_id | requesterName |
| opened_by | requesterName |
| severity | "2" |
| urgency | "2" |
| impact | "2" |

ServiceNow Service Catalog Request Management Integration

The Identity Governance fulfillment connector for ServiceNow Service Catalog Request Management uses the Service Catalog Request SOAP service insert method for creating requests in the Service Catalog application. For example, https://your-service-url/sc_request.do?WSDL.

The connector uses a pre-configured template that maps the Identity Governance change item data and application-specific static values into various attributes in the SOAP XML payload. The WSDL from your service catalog request management application indicates any value constraints for input fields. The fulfillment target service can populate all valid fields in the service desk interface, so if you want to extend the set of fields that the Identity Governance template populates or modify the default mappings of the template, contact your Micro Focus technical support representative for details.

Use the following table to understand the Identity Governance mappings to the Service Catalog Request Management incident fields. Quotation marks surround static values. You can modify the static values provided in the template to conform with the options available in the target service desk application.

| ServiceNow Incident Field | Identity Governance Mapping |
|---|---|
| fulfillment type | "request" |
| cmdb_ci | appName |
| assignment_group | |
| description | reason, appName, userName, account, fulfillmentInstructions (ECMAScript transformation provided) |
| contact_type | "automated" |
| request_state | "requested" |
| short_description | |
| correlation_id | changeItemId |
| correlation_display | "Access review or request fulfillment item" |
| requested_for | userName |
| opened_by | requesterName |
| priority | "2" |
| urgency | "2" |
| impact | "2" |

9.2.5 Viewing Fulfillment Status

The fulfillment status list allows you to view specific status categories, such as fulfillment items that have been fulfilled and fulfillment items that have ended in error or timeout conditions. The fulfillment status area also provides a way to retry, or resubmit, fulfillment items that did not succeed.

  1. Log in to Identity Governance as a Global or Fulfillment administrator.

  2. Select Fulfillment > Status.

  3. Select all status categories you want to review.

  4. (Optional) Select again any status categories you want to remove from the list.

  5. (Optional) Select any fulfillment items that did not complete successfully, and then select Retry to resubmit them to the appropriate fulfiller.

9.2.6 Understanding Fulfillment Status

The following details on fulfillment status conditions can help with troubleshooting fulfillment in your environment. A change item has 11 possible status conditions, listed below in the associated status column. The general status column shows the broad status categories that Identity Governance displays to users. The table includes details on each status and what actions, if any, you can take to move an item to a different status. Some status conditions require no user action because they are either intermediate or terminal states.

| General Status | Summary | Associated Status | Entry Conditions | Exit Conditions |
|---|---|---|---|---|
| Error or timeout | Provisioning was marked as complete, but the status after a collect and publish cycle shows the item as not fulfilled. | Not fulfilled, verification error (NOT_VERIFIED) | Change item marked as fulfilled but updated catalog shows that status to be incorrect. This can be valid when fulfillment target is an asynchronous process, such as ServiceNow. When ServiceNow opens a ticket, Identity Governance marks the change request item complete. However, the help desk might not have completed the update to the associated application. | Examine the change item and take one of the following actions: • If the fulfillment target is an asynchronous task, such as ServiceNow, ensure the help desk has fulfilled the item and then run another collect and publish cycle. • If possible, fulfill the item and then run a collect and publish cycle. • If not possible to fulfill the item, mark the item as Ignore. |
| Error or timeout | Fulfiller has marked item as Declined. | Declined by (REFUSED) | Manual fulfiller has marked and submitted item as Declined. | Mark the item as Ignore. |
| Error or timeout | Change item was marked as being in error. | Not fulfilled, verification error (ERROR) | This status will not be reached by normal operation of the system. It is a transitory state on the way to automatic retry in case there was an error detected during fulfillment. However, an API endpoint can set the status to ERROR, so an external system might have caused the item to have this status. | Intermediate status; no action needed. |
| Error or timeout | Change item has not been successfully verified at the end of verification expiration timeout. | Not fulfilled, verification timed out (VERIFICATION_TIMEOUT) | If Identity Governance is set up to monitor verification timeouts and the change item has not been verified within that time, it moves to this status. By default, this value is set to 365 days. | Mark the item as Ignore. |
| Fulfilled | Fulfillment is reported as complete. | Fulfilled, pending verification (COMPLETED) | Identity Governance has received communication that fulfillment has completed. This status might not mean the item is fulfilled. If the fulfillment target is an asynchronous process, such as ServiceNow, the status changes to completed when the asynchronous process opens a ticket, not when the tasks in the ticket have been fulfilled. | After the next collect and publish cycle, Identity Governance verifies the item target matches the change item. If so, the item status changes to Verified. If not, the item status changes to Error. |
| Pending fulfillment | Fulfillment is in progress. | Initializing (INITIALIZED, IN_PROGRESS) | Change request item has been created. | Intermediate status; no action needed. |
| Pending fulfillment | Fulfillment has been initiated. | Pending fulfillment by, Sending for fulfillment by external workflow (PENDING) | Identity Governance successfully communicates with provisioning workflow or adds change items to manual fulfiller queue. | Change item is acted on by either an automated fulfillment system or a manual fulfiller. If fulfiller marks item as fulfilled, the item status changes to Fulfilled (COMPLETED). If the fulfiller marks the item as refused, the item status changes to Error (REFUSED). |
| Verified | Catalog shows item has been fulfilled. | Verified (VERIFIED) | Identity Governance verifies changes in catalog. | Terminal status; no action needed. |
| Ignored | Fulfiller or review owner has ignored closed-loop verification. | Verification ignored (VERIFICATION_IGNORED) | Fulfiller or review owner has selected Ignore for a change item that was in error or timeout status. | Terminal status; no action needed. |
| Retry | The change item has had an error during fulfillment and is waiting for administrator action. | Retry | An error is detected during fulfillment. | Global Administrator or Fulfillment Administrator selects Retry or Terminate for the item on the Fulfillment Requests page. |