4.2 Workflow, Roles, Attestation, and Self-Service

Identity Manager includes a specialized application, the User Application, that provides approval workflows, role assignments, attestation, and identity self-service.

The standard User Application is included with Identity Manager. The standard version provides password self-service to help users remember or reset forgotten passwords, organization charts to manage user directory information, user management functionality that enables creation of users in the Identity Vault, and basic identity self-service such as management of user profile information.

The User Application Roles Based Provisioning Module is a part of Identity Manager 4.0.2 Advanced Edition. It extends the standard User Application with advanced self-service, approval workflow, roles-based provisioning, Separation of Duties constraints, and attestation capabilities. The Identity Manager 4.0.2 Advanced Edition contains both the standard User Application and the Roles Based Provisioning Module capabilities.

Figure 4-3 Identity Manager User Application

The following sections provide descriptions of each of these components and explain the concepts you should understand to effectively implement and manage the components:

4.2.1 Components

User Application: The User Application is a browser-based Web application that gives users and business administrators the ability to perform a variety of identity self-service and roles provisioning tasks, including managing passwords and identity data, initiating and monitoring provisioning and role assignment requests, managing the approval process for provisioning requests, and verifying attestation reports. It includes the workflow engine that controls the routing of requests through the appropriate approval process.

User Application Driver: The User Application driver stores configuration information and notifies the User Application whenever changes occur in the Identity Vault. It can also be configured to allow events in the Identity Vault to trigger workflows and to report success or failure of a workflow’s provisioning activity to the User Application so that users can view the final status of their requests.

Role and Resource Service Driver: The Role and Resource Service driver manages all role and resource assignments, starts workflows for role and resource assignment requests that require approval, and maintains indirect role assignments according to group and container memberships. The driver also grants and revokes entitlements for users based on their role memberships, and performs cleanup procedures for requests that have been completed.

4.2.2 Key Concepts

Workflow-based Provisioning: Workflow-based provisioning provides a way for users to request access to resources. A provisioning request is routed through a predefined workflow that might include approval from one or more individuals. If all approvals are granted, the user receives access to the resource. Provisioning requests can also be initiated indirectly in response to events occurring in the Identity Vault. For example, adding a user to a group might initiate a request to have the user granted access to a specific resource.

Roles Based Provisioning: Roles based provisioning provides a way for users to receive access to specific resources based upon the roles assigned to them. Users can be assigned one or more roles. If a role assignment requires approval, the assignment request starts a workflow.

Separation of Duties: To prevent users from being assigned to conflicting roles, the User Application Roles Based Provisioning Module provides a Separation of Duties feature. You can establish Separation of Duties constraints that define which roles are considered to be in conflict. When roles conflict, Separation of Duties approvers can approve or deny any exceptions to the constraints. Approved exceptions are recorded as Separation of Duties violations and can be reviewed through the attestation process described below.
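The following is an added illustration, not code from Identity Manager or the Roles Based Provisioning Module, of how the concepts above fit together: effective roles are computed from direct assignments plus group-conferred (indirect) roles, a role request that hits a Separation of Duties constraint is routed to an approver instead of being granted outright, and an approved exception is recorded as a violation for later attestation review. The role names, group names and data structures are constructed for this example.

```python
# Added illustration (not Identity Manager code): a minimal model of how a
# Separation of Duties constraint gates a role assignment request. Role names,
# group names and the data structures below are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class RoleSystem:
    # Separation of Duties constraints: unordered pairs of conflicting roles.
    sod_constraints: set[frozenset[str]] = field(default_factory=set)
    # Direct role assignments per user.
    direct_roles: dict[str, set[str]] = field(default_factory=dict)
    # Group memberships per user, and the roles each group confers (indirect roles).
    groups: dict[str, set[str]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)
    # Approved exceptions, recorded as SoD violations for the attestation process.
    violations: list[tuple[str, str, str, str]] = field(default_factory=list)

    def effective_roles(self, user: str) -> set[str]:
        """Direct assignments plus roles inherited through group membership."""
        roles = set(self.direct_roles.get(user, set()))
        for group in self.groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def conflicts(self, user: str, new_role: str) -> set[str]:
        """Roles the user already holds that a constraint marks as conflicting with new_role."""
        return {r for r in self.effective_roles(user)
                if frozenset((r, new_role)) in self.sod_constraints}

    def request_role(self, user: str, new_role: str, approver=None) -> str:
        """Grant directly, or route to the SoD approver when a constraint is hit.

        approver is a hypothetical callback (user, new_role, clash) -> bool that
        stands in for the approval workflow; None means no approver is configured.
        """
        clash = self.conflicts(user, new_role)
        if not clash:
            self.direct_roles.setdefault(user, set()).add(new_role)
            return "granted"
        if approver is None or not approver(user, new_role, clash):
            return "denied"
        # Exception approved: the assignment proceeds and each conflict is
        # recorded as a violation so it can be reviewed during attestation.
        self.direct_roles.setdefault(user, set()).add(new_role)
        for r in sorted(clash):
            self.violations.append((user, new_role, r, "approved exception"))
        return "granted with SoD violation"
```

Note that the conflict check runs against effective roles, so a role conferred only through group membership still triggers the constraint.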

Roles Management: Management of roles must be done by individuals assigned to the Roles Module Administrator and Roles Manager system roles.

The Roles Module Administrator creates new roles, modifies existing roles, and removes roles; modifies relationships between roles; grants or revokes role assignments for users; and creates, modifies, and removes Separation of Duties constraints.

The Roles Manager can do the same things as the Roles Module Administrator with the exception of managing Separation of Duties constraints, configuring the Roles system, and running all reports. The Roles Module Administrator has unlimited scope within the Roles system, but the Roles Manager's scope is limited to specifically designated users, groups, and roles.

Attestation: Role assignments determine a user’s access to resources within your organization, and incorrect assignments could jeopardize compliance with both corporate and government regulations. Identity Manager helps you validate the correctness of role assignments through an attestation process. Using this process, individual users can validate their own profile information and Roles Managers can validate role assignments and Separation of Duties violations.