1.1 Understanding the Workflow Process

The following workflow shows how you can streamline the process for maintaining user identities.

Access Review

Access Review collects data from a wide variety of identity and application sources. Identity sources, such as SAP User Management and the Identity Vault in Identity Manager, provide the attributes of a user’s identity. Application sources, such as Salesforce.com, provide account and permission information. Some of the account and permission information might be gathered from systems that are not already connected to identities in Identity Manager.

Access Review helps you join the imported account, permission, and attribute data into a unified identity. Then you review and certify whether each unified identity should have the assigned resources. If permission assignments change, Access Review helps you fulfill the changes by creating manual tasks or initiating provisioning workflows in Identity Manager.

Access Review driver

Using an account in Identity Manager, the driver transfers a snapshot of the permissions and permission assignments from the Access Review database to Identity Manager. This process creates assignment actions for Identity Manager to set the actual state of the affected permissions without the need for user intervention.

You can also configure the driver to create new user accounts in Identity Manager based on identities published from Access Review. After adding the accounts, the driver reports the DN and tree name of the newly created users to Identity Manager.

NetIQ recommends that you create a dedicated system account in the identity applications for the driver. A system account provides the following advantages:

  • Allows you to track any actions that the driver takes in Identity Manager

  • Allows the driver to set resource assignments in Identity Manager

  • Reduces the number of approval workflows required to assign resources to and revoke resources from identities in Identity Manager

Identity Manager

When receiving the data from the Access Review driver, Identity Manager populates the Identity Vault with the user identities and adds account and permission information to the identity applications catalog. Because Access Review collects data from more sources than might be connected to Identity Manager, the catalog now has identities, permissions, and accounts that represent a larger picture of your identity and access environment.

In the catalog, Identity Manager administrators can create roles and permissions associated with the application sources that Access Review collected. Then users can manage their unified identity and request access to other resources in the catalog even if those applications are not directly connected to Identity Manager. To process user requests, administrators can configure workflows. You can also use workflows to fulfill the change requests generated by a review in Access Review.

For more information about using Access Review, see the NetIQ Access Review User Guide. For more information about Identity Manager, see the NetIQ Identity Manager documentation site.