3.2 Providing Permissions to Users

Permissions represent the accounts, roles, and resources that apply to users. Your organization might automatically assign permissions or users might need to request them. For example, a user might receive a computer as part of the job, but then need to request access to a specific software application. Users request permissions through the Dashboard. Some requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.

With the appropriate administrator rights, you can provide permissions to your users in the following ways:

  • Assigning permissions directly to users: You can assign a resource or a role to any user in the system.

    To assign roles, go to Administration > Roles and select the role that you want to assign. For more information, see Assigning Roles to Users.

    To assign resources, go to Administration > Resources and select the resource that you want to assign. For more information, see Assigning Resource to Users.

  • Approving user requests: When a user requests a permission, a corresponding task appears in the tasks list of the approvers, based on the approval or revocation process defined for the requested permission. If you are one of those approvers, you can approve the request, which allows the user to use the requested permission.

    For more information about the approval or revocation process, see Changing the Approval or Revocation Process.

    If a user requests a role that conflicts with the user's current role, the separation of duties (SoD) policy applied to the conflicting role must be resolved. This invokes the SoD approval flow, if any. Based on the SoD approval flow, SoD approvers see the corresponding task in their tasks list. By approving this task, they allow the user to use the requested permission. For more information, see Section 17.0, Separation of Duties Constraints.

  • Provisioning based on workflow: A process that coordinates the approval or revocation of a request for permissions is called a workflow. Each workflow can have automatic or manual triggers and can include email notifications.

    Workflows take into account the methods required for approving and revoking a role or resource. For example, the SAP software application might require two levels of approval: first from the user’s manager and second from the resource manager for the application.

    For more information, see Understanding Workflow-Based Provisioning.

3.2.1 Understanding Workflow-Based Provisioning

Workflow-based provisioning allows you to initiate workflow processes to manage the approval and revocation of user access to your organization’s secure systems.

Identity Manager Dashboard allows users to make provisioning requests (Access > Request). When a provisioning request requires approval from one or more individuals in an organization, the request starts one or more workflows. The workflows coordinate the approvals needed to fulfill the request. Some provisioning requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.

By default, the New Requests page does not display any provisioning requests. To configure a provisioning request, a designer familiar with your business needs creates a provisioning request definition, which binds the resource to a workflow.

The designer can configure workflows that proceed in one of the following ways:

  • Sequential fashion, with each approval step being performed in order

  • Parallel fashion, which allows more than one user to act on a workflow task concurrently

Identity Manager provides a set of Eclipse-based tools for designing the data and the flow of control within the workflows. In addition, Identity Manager provides a set of Web-based tools that allow users to view existing provisioning requests and manage workflows that are in process. For more information, see Design Constraints.

The Provisioning Administrator is responsible for managing the workflow-based provisioning features of identity applications. For more information, see Section 2.0, Types of User Categories in Identity Applications.
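
The following added example (not Identity Manager code and not a product API) models how a request resolves under a sequential or a parallel workflow, and how an SoD conflict gates the role request as described in Section 3.2. The function names, the data shapes, the role names, and the rule that every parallel approver must approve are assumptions made for illustration.

```python
# Illustrative model only: names and data shapes are assumptions,
# not Identity Manager APIs.

def sequential(steps, decisions):
    """steps: approvers in required order.
    decisions: [(approver, approved)] in the order they were recorded."""
    for i, approver in enumerate(steps):
        if i >= len(decisions):
            return "pending"          # next approver has not acted yet
        who, ok = decisions[i]
        if who != approver:
            return "invalid"          # someone acted out of turn
        if not ok:
            return "denied"           # a denial stops the chain
    return "approved"

def parallel(approvers, decisions):
    """Approvers may act in any order.
    Assumption: every listed approver must approve."""
    seen = {}
    for who, ok in decisions:
        if who not in approvers:
            return "invalid"          # decision from an unlisted approver
        seen[who] = ok
    if not all(seen.values()):
        return "denied"
    return "approved" if set(seen) == set(approvers) else "pending"

def evaluate(request, current_roles, sod_pairs):
    """Resolve the SoD flow first when the requested role conflicts
    with a role the user already holds, then run the role workflow."""
    role = request["role"]
    if any(frozenset((r, role)) in sod_pairs for r in current_roles):
        sod = parallel(request["sod_approvers"], request["sod_decisions"])
        if sod != "approved":
            return "sod-" + sod
    mode = sequential if request["mode"] == "sequential" else parallel
    return mode(request["approvers"], request["decisions"])

# Constructed sample: two-level approval (manager, then resource manager).
SOD_PAIRS = {frozenset(("payments_creator", "payments_approver"))}
SAMPLE_REQUEST = {
    "role": "payments_approver", "mode": "sequential",
    "approvers": ["manager", "resource_manager"],
    "decisions": [("manager", True), ("resource_manager", True)],
    "sod_approvers": ["sod_officer"], "sod_decisions": [],
}
```

With the constructed sample, a user who already holds `payments_creator` stays at `sod-pending` even though both workflow approvers have approved, because the SoD task has not been acted on.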

3.2.2 Understanding a Client Helpdesk

The Dashboard includes Helpdesk to help users troubleshoot any issues while performing their tasks in Identity Manager.

Some of the tasks that Helpdesk can perform are:

  • Reassign an approval request that is unattended for a long time

  • Browse all tasks or filter tasks for a selected user

  • Request permissions on behalf of other users

Users can contact Helpdesk by using the Helpdesk email ID or contact number, or by raising a Helpdesk ticket. When a client user raises a ticket, the Helpdesk user receives a notification on the Dashboard. By default, Helpdesk is not configured. Administrators need to configure Helpdesk for the clients configured in the system.

After setting up a Helpdesk, the administrator can customize the Helpdesk information for the clients from the Dashboard client settings. To set up a Helpdesk and configure the Helpdesk information, see Configuring a Client Helpdesk.