1.4 Enabling Self-Service for Users

Identity Manager uses identity as the basis for authorizing user access to systems, applications, and databases. Each role that Identity Manager manages for a user can carry specific access rights to connected applications. For example, users who are identified as managers can access salary information about their direct reports, but not about other employees in their organization. With Identity Manager, you can delegate administrative duties to the people who should be responsible for them. For example, you can enable individual users to accomplish the following goals:

  • Manage Personal Data: Users can view and edit their own personal data in the corporate directory by using the self-service interface of Identity Manager. The data is automatically changed in all the systems you have synchronized through Identity Manager. This reduces administrative overhead and provides users with control over their identity profiles.

  • Change Password: Users can change their passwords, set up a hint for forgotten passwords, and set up challenge questions and responses for forgotten passwords. Identity Manager includes a comprehensive set of password management services that increase security by enforcing consistent password policies across the organization. Combined with self-service password reset capabilities, these services also reduce the cost of password-related help desk calls.

  • Request Access: Users can request access to resources such as databases, systems, and directories. Rather than calling you to request access to an application, they can select the application from a list of available resources.

    In addition to self-service for individual users, Identity Manager provides self-service administration for functions (management, Help Desk, and so forth) that are responsible for assisting, monitoring, and approving user requests. For example, John uses the Identity Manager self-service feature to request access to the documents that he needs. John’s manager and the CFO receive the request through the self-service feature and can approve the request. The established approval workflow allows John to initiate and monitor the progress of his request and allows John’s manager and the CFO to respond to his request. Approval of the request by John’s manager and the CFO triggers the provisioning of the Active Directory rights that John needs to access and view the financial documents.

    You can initiate workflows automatically when a certain event occurs (for example, a new employee is hired in the SAP HR application) or manually through a user request.