4.2 Understanding the Self-Service Process in Identity Manager

Identity Manager uses identity as the basis for authorizing user access to systems, applications, and databases. Each user’s unique identifier and roles come with specific access rights to identity data. For example, users who are identified as managers can access salary information about their direct reports, but not about other employees in their organization. With Identity Manager, you can delegate administrative duties to the people who should be responsible for them. For example, you can enable individual users to accomplish the following goals:

  • Manage their own personal data in the corporate directory. Rather than having you change a cell phone number, they can change it in one place and have it changed in all the systems you have synchronized through Identity Manager.

  • Change their passwords, set up a hint for forgotten passwords, and set up challenge questions and responses for forgotten passwords. Rather than asking you to reset a password because they have forgotten it, they can do it themselves after receiving a hint or responding to a challenge question.

  • Request access to resources such as databases, systems, and directories. Rather than calling you to request access to an application, they can select the application from a list of available resources.

In addition to self-service for individual users, Identity Manager provides self-service administration for functions (management, Help Desk, and so forth) that are responsible for assisting, monitoring, and approving user requests. For example, John uses the Identity Manager self-service feature to request access to the documents that he needs. John’s manager and the CFO receive the request through the self-service feature and can approve the request. The established approval workflow allows John to initiate and monitor the progress of his request and allows John’s manager and CFO to respond to his request. Approval of the request by John’s manager and the CFO triggers the provisioning of the Active Directory rights that John needs to access and view the financial documents.

Identity Manager also provides workflow capabilities to ensure that your provisioning processes involve the appropriate resource approvers. For example, assume that John, who has already been provisioned with an Active Directory account, needs access to some financial reports through Active Directory. This requires approval from both John’s immediate manager and the CFO. Fortunately, you have set up an approval workflow that routes John’s request to his manager and, after approval from his manager, to the CFO. Approval by the CFO triggers automatic provisioning of the Active Directory rights needed by John to access and view the financial documents.

You can initiate workflows automatically when a certain event occurs (for example, a new user is added to your HR system) or manually through a user request. To ensure that approvals take place in a timely manner, you can set up proxy approvers and approval teams.
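The serial approval flow described above (manager first, then CFO, with a proxy approver able to stand in) can be modeled as follows. This is an added example, not part of the original documentation, and it does not use Identity Manager's API: it is a simplified Python model in which the class, field, and account names are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ApprovalRequest:
    """Simplified model of a serial approval workflow (hypothetical names)."""
    requester: str
    resource: str
    approvers: list                                # serial order: manager, then CFO
    proxies: dict = field(default_factory=dict)    # approver -> set of proxy approvers
    on_provision: Optional[Callable] = None        # called once, after the final approval
    step: int = 0
    status: str = "pending"
    history: list = field(default_factory=list)    # (step owner, actual actor, decision)

    def decide(self, actor: str, approve: bool) -> str:
        if self.status != "pending":
            raise ValueError(f"request already {self.status}")
        owner = self.approvers[self.step]
        # Only the approver for the current step, or one of that approver's
        # proxies, may act. This keeps the CFO step from running before the manager's.
        if actor != owner and actor not in self.proxies.get(owner, set()):
            raise PermissionError(f"{actor} may not act on step {self.step}")
        self.history.append((owner, actor, "approved" if approve else "denied"))
        if not approve:
            self.status = "denied"                 # a denial ends the workflow
            return self.status
        self.step += 1
        if self.step == len(self.approvers):       # last approval triggers provisioning
            self.status = "approved"
            if self.on_provision:
                self.on_provision(self.requester, self.resource)
        return self.status


def demo():
    granted = []                                   # stands in for the provisioning action
    req = ApprovalRequest("john", "AD:finance-reports", ["manager", "cfo"],
                          proxies={"cfo": {"controller"}},
                          on_provision=lambda user, res: granted.append((user, res)))
    req.decide("manager", True)
    req.decide("controller", True)                 # proxy acts on the CFO's behalf
    return req.status, granted, req.history


if __name__ == "__main__":
    print(demo())
```

The history records both the step owner and the account that actually acted, so a review can tell a proxy approval from a direct one.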