Novell Doc: Identity Manager Roles Based Provisioning Module 3.7 User Application: Administration Guide

1.1 About the User Application

The Identity Manager User Application is the business user’s view into the information, resources, and capabilities of Identity Manager. The User Application is a browser-based Web application that gives the user the ability to perform a variety of identity self-service tasks. The User Application provides a complete roles-based provisioning solution, giving users the ability to initiate and manage provisioning and role-based requests and approvals. In addition, the User Application offers support for compliance features, giving an organization a way to ensure that personnel conform to relevant business laws and regulations.

The User Application enables you to address the following business needs:

Providing a convenient way to perform roles-based provisioning actions.

The User Application allows you to manage role definitions and role assignments within your organization. Role assignments can be mapped to resources within a company, such as user accounts, computers, and databases.

For details on setting up the Roles and Resources tab, see Section 2.10, Configuring the Roles and Resources Tab.
Ensuring that an organization has a method for verifying that personnel are fully aware of organizational policies and are taking steps to comply with these policies.

For details on setting up the Compliance tab, see Section 2.11, Configuring the Compliance Tab.
Providing user self-service, allowing a new user to self-register, and providing access to anonymous or guest users.

For more information, see Section IV, Portlet Reference.
Ensuring that access to corporate resources complies with organizational policies and that provisioning occurs within the context of the corporate security policy.

You can grant users access to identity data within the guidelines of corporate security policies.

For more information, see Section 2.2, Security.
Reducing the administrative burden of entering, updating, and deleting user information across all systems in the enterprise.

You can create customized workflows to provide a Web-based interface for users to manipulate distributed identity data triggering workflows as necessary.

For more information, see Section V, Configuring and Managing Provisioning Workflows.
Managing manual and automated provisioning of identities, services, resources, and assets, and supporting complex workflows.

You can implement manual provisioning by creating workflows that route provisioning requests to one or more authorities. For automated provisioning, you can configure the User Application to start workflows automatically in response to events occurring in the Identity Vault.

For more information, see Section V, Configuring and Managing Provisioning Workflows.

IMPORTANT:The User Application is an application and not a framework. The areas within the User Application that are supported to be modified are outlined within the product documentation. Modifications to areas not outlined within the product documentation are not supported.

1.1.1 About Identity Self-Service

Identity is the foundation of the User Application. The application uses identity as the basis for authorizing users access to systems, applications, and databases. Each user’s unique identifier—and each user’s roles—comes with specific access rights to identity data. For example, users who are identified as managers can access salary information about their direct reports, but not about other employees in their organization.

The Identity Self-Service tab within the application gives users a convenient way to display and work with identity information. It enables your organization to be more responsive by giving users access to the information they need whenever they need it. For example, users might use the Identity Self-Service tab to:

Manage their own user accounts directly
Look up other users and groups in the organization on demand
Visualize how those users and groups are related
List applications with which they are associated

The User Application Administrator is responsible for setting up the contents of the Identity Self-Service tab. What business users can see and do is typically determined by how the application has been configured, by their job requirements and level of authority.

1.1.2 About Roles-Based Provisioning

The purpose of the Roles and Resources tab within the User Application is to give you a convenient way to perform roles-based provisioning actions. These actions allow you to manage role definitions and role assignments within your organization. Role assignments can be mapped to resources within a company, such as user accounts, computers, and databases. For example, you might use the Roles and Resources tab to:

Make role requests for yourself or other users within your organization
Create roles and role relationships within the roles hierarchy
Create separation of duties (SoD) constraints to manage potential conflicts between role assignments
Look at reports that provide details about the current state of the Role Catalog and the roles currently assigned to users, groups, and containers

When a role assignment request requires permission from one or more individuals in an organization, the request starts a workflow. The workflow coordinates the approvals needed to fulfill the request. Some role assignment requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.

When a role assignment request results in a potential separation of duties conflict, the initiator has the option to override the separation of duties constraint, and provide a justification for making an exception to the constraint. In some cases, a separation of duties conflict can cause a workflow to start. The workflow coordinates the approvals needed to allow the separation of duties exception to take effect.

Your workflow designer and system administrator are responsible for setting up the contents of the Roles and Resources tab for you and the others in your organization. The flow of control for a roles-based workflow or separation of duties workflow, as well as the appearance of forms, can vary depending on how the approval definition for the workflow was defined in the Designer for Identity Manager. In addition, what you can see and do is typically determined by your job requirements and your level of authority.

For details on setting up the Role Subsystem, see Section 2.10, Configuring the Roles and Resources Tab. For details on using the Roles and Resources tab, see the discussion of the Roles and Resources tab in the Identity Manager User Application: User Guide.

1.1.3 About Resource-Based Provisioning

The purpose of the resource functionality within the User Application is to give you a convenient way to perform resource-based provisioning actions. These actions allow you to manage resource definitions and resource assignments within your organization. Resource assignments can be mapped to users or to roles within a company. For example, you might use resources to:

Make resource requests for yourself or other users within your organization
Create resources and map them to entitlements

When a resource assignment request requires permission from one or more individuals in an organization, the request starts a workflow. The workflow coordinates the approvals needed to fulfill the request. Some resource assignment requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.

The following business rules govern the behavior of resources within the User Application:

Resources can only be assigned to a user. This does not preclude a resource being granted to users in a container or group based on implicit role assignment. However, the resource assignment will only be associated with a user.
Resources can be assigned in any of the following ways:
- Directly by a user through UI mechanisms
- Through a provisioning request
- Through a role request assignment
- Through a Rest or SOAP interface
The same resource can be granted to a user multiple times (if this capability has been enabled in the resource definition).
A resource definition can have no more then one entitlement bound to it.
A resource definition can have one or more same-entitlement references bound to it. This capability provides support for entitlements where the entitlement parameters represent provisionable accounts or permssions on the connected system.
Entitlement and decision support parameters can be specified at design time (static) or at request time (dynamic).

Your workflow designer and system administrator are responsible for setting up the User Application for you and the others in your organization. The flow of control for a resource-based workflow, as well as the appearance of forms, can vary depending on how the approval definition for the workflow was defined in the Designer for Identity Manager. In addition, what you can see and do is typically determined by your job requirements and your level of authority.

Resources

A resource is any digital entity such as a user account, computer, or database that a business user needs to be able to access. The User Application provides a convenient way for end users to request the resources they need. In addition, it provides tools that administrators can use to define resources.

Each resource is mapped to an entitlement. A resource definition can have no more than one entitlement bound to it. A resource definition can be bound to the same entitlement more than once, with different entitlement parameters for each resource.

Resource Requests

Resources can be assigned to users only. They cannot be assigned to groups or containers. However, if a role is assigned to a group or container, the users in the group or container may automatically be granted access to the resources associated with the role.

Resource requests may require approvals. The approval process for a resource may handled by a provisioning request definition, or by an external system by setting the status code on the resource request.

If a resource grant request is initiated by a role assignment then it is possible that the resource will not be granted, even though the role is provisioned. The most likely reason for this would be that the necessary approvals were not provided.

A resource request can grant a resource to a user or revoke a resource from a user.

Role and Resource Service Driver

The User Application uses the Role and Resource Service Driver to manage back-end processing of resources. For example, it manages all resource requests, starts workflows for resource requests, and initiates the provisioning process for resource requests.

Resource Request Process Flow

The following example shows the process flow for a resource assignment request. In this example, a user requests a resource that grants access to an SAP profile:

Figure 1-1 Process Flow for a Resource Request

The steps in the process are described below:

A user requests a resource within the User Application.
A User Request object is created in the Identity Vault.
The Role and Resource Service Driver processes the new request.
The Role and Resource Service Driver starts a workflow, and changes the request status.
The approval process is performed within the User Application. Upon completion of the approval process, the workflow activity changes the request status.
The Role and Resource Driver picks up the change in the status, and begins to provision the resource, if all of the necessary approvals have been provided.
The User Object attributes are updated to included the resource binding and approval information.
An entitlement request is made for the SAP Profile.
The SAP Driver processes the entitlement and creates the profile in SAP.

1.1.4 About Workflow-Based Provisioning

A key feature of the Identity Manager User Application is workflow-based provisioning, which enables you to initiate workflow processes to manage the approval and revocation of user access to your organization’s secure systems.

The User Application’s Work Dashboard tab gives users a convenient way to make workflow process requests. A provisioning request is a user or system action intended to initiate a process. Provisioning requests can be initiated directly by the user (through the Work Dashboard tab), or indirectly in response to events occurring in the Identity Vault.

When a provisioning request requires permission from one or more individuals in an organization, the request starts one or more workflows. The workflows coordinate the approvals needed to fulfill the request. Some provisioning requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.

By default, the Work Dashboard tab in the User Application does not display any provisioning requests. To configure a provisioning request a designer familiar with your business needs creates a provisioning request definition, which binds the resource to a workflow. The designer can configure workflows that proceed in a sequential fashion, with each approval step being performed in order, or workflows that proceed in a parallel fashion. A parallel workflow allows more than one user to act on a workflow task concurrently.

Identity Manager provides a set of Eclipse-based tools for designing the data and the flow of control within the workflows. In addition, Identity Manager provides a set of Web-based tools that provide the ability to view existing provisioning requests and manage workflows that are in process. For more information, see Section 1.4, Design and Configuration Tools.

The Provisioning Administrator is responsible for managing the workflow-based provisioning features of the User Application. For more information, see Section 1.3, User Application User Types.

1.1.5 About Compliance

Compliance is the process of ensuring that an organization conforms to relevant business laws and regulations. One of the key elements of compliance is attestation. Attestation gives an organization a method for verifying that personnel are fully aware of organizational policies and are taking steps to comply with these policies. By requesting that employees or administrators regularly attest to the accuracy of data, management ensures that personnel information such as user profiles, role assignments, and approved separation of duties (SoD) exceptions are up-to-date and in compliance.

To allow individuals within an organization to verify the accuracy of corporate data, a user makes an attestation request. This request in turn initiates one or more workflow processes. The workflow processes give the attesters an opportunity to attest to the correctness of the data. A separate workflow process is initiated for each attester. An attester is assigned a workflow task in the My Tasks list on the Requests & Approvals tab. To complete the workflow process, the attester opens the task, reviews the data, and attests that it is correct or incorrect.

The Roles Based Provisioning Module supports four types of attestation:

User profile
SoD violations
Role assignment
User assignment

For details on setting up the Compliance tab, see Section 2.11, Configuring the Compliance Tab. For details on using the Compliance tab, see the discussion of the Compliance tab in the Identity Manager User Application: User Guide.