
Recording Provisioning Requests

You can create provisioning requests in IdentityIQ using any of the following actions or activities:

  • Certifications

  • Policy Violations

  • Identity-Refresh-Driven Assignments

  • Lifecycle Manager Requests

  • Lifecycle Event-Driven Provisioning

Provisioning requests create a provisioning plan that the Provision Broker can analyze and process. In all cases, except certification and policy violation-generated requests, provisioning requests create a Workflow case. The Workflow case manages the processing of the provisioning request based on a defined Workflow. See also Processing Provisioning Requests.[Link required]

Certifications

During a Certification Access Review, certifiers review the system entitlements granted to sets of identities. Access can be approved or revoked for an identity. This certification process can result in:

  • Certificate Remediation – when an identity's access to a system is determined to be inappropriate for their job function, the certifier can revoke the entitlement through the Certification Access Review. This process creates a remediation provisioning request in IdentityIQ to remove that access from the source application.

  • Provisioning through Certifications – when a business role is approved for an identity and that role includes required IT roles the identity does not have, the certifier is prompted to select whether the missing roles must be provisioned for the identity or whether the business role must be approved without provisioning the missing roles. If the certifier elects to provision the missing roles, a provisioning request is created.

Note

This provisioning option is only presented during the Access Review if the option Enable Provisioning of Missing Role Requirements is selected in the certification specification.

All revocations and provisioning requests from a specific access review are combined into a single provisioning plan and processed together except in certifications where revocations are processed immediately, such as certifications with the Process Revokes Immediately setting selected.

Policy Violations

Policies defined in IdentityIQ enable the system to evaluate an identity's access or activities and report any inconsistencies with company policies. Violations are reported to the violation owner, often the identity's manager, or the appropriate application owner. The violation owner can then permit an exception or initiate a remediation request. The following types of policy violation remediations are available:

  • Policy Violation Remediations for SOD Policy Violations[link needed]

  • Policy Violation Remediations for Non-SOD Policy Violations[Link needed]

Policy Violation Remediations for SOD Policy Violations

Only remediations for role or entitlement Separation of Duties (SOD) violations generate a provisioning request to revoke the invalid access. For example, when a manager evaluates an identity's SOD violations and determines that one of the accesses for the identity must be removed, the manager can request the revocation of the invalid access.

You can create policy violation remediation requests from:

  • The Policy Violation page, which the policy owner opens from Manage > Policy Violations.

  • Certification on which the violation is noted.

Policy Violation Remediations for Non-SOD Policy Violations

Note

By default, you cannot remediate non-SOD policy violations with a certification or in the policy violation window.

You can perform the following actions to enable certification remediation and generate a Work Item:

  1. Edit the XML for any policy to include remediated as one of its certificationActions values to enable certification remediation on that policy type.

  2. Select the remediation option for the violation in a certification to automatically create a Work Item that informs the appropriate party of the need to manually correct the violation.

Identity-Refresh-Driven Assignments

You can use the following options on an Identity Refresh task to generate provisioning requests for identities:

  • Refresh assigned, detected roles and promote additional entitlements – creates provisioning requests for IdentityIQ to add roles in Identity Cube.

  • Provision assignments – creates provisioning requests that apply to external applications.

The following table describes these options in more detail:

Option: Refresh assigned, detected roles and promote additional entitlements

Description: Runs the defined assignment rules for roles and examines role detection profiles to update the Assigned and Detected role lists for the identity. This option does NOT provision access in external systems.

Option: Provision assignments

Description: Generates provisioning requests to add entitlements required by the currently assigned roles, which can include:

  • Entitlements for newly assigned roles

  • Entitlements missing from previously assigned roles.

If a role was previously assigned through an automatic assignment rule and the rule no longer returns true, provisioning requests are generated to remove the entitlements that the role requires. If another assigned role requires those entitlements, they are not removed.

Note

By default, the entitlements associated with a role are deprovisioned when the role is removed from an identity. The Disable deprovisioning of deassigned roles option overrides that default and leaves the entitlements intact for the identity while the role is removed.
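The refresh logic above (re-run the assignment rules, add entitlements the current roles require but the identity lacks, remove entitlements a deassigned role required unless another assigned role still needs them, and suppress removals when deprovisioning of deassigned roles is disabled) is modelled below as an added example. This is illustrative Python written for this page, not IdentityIQ code; the role model, the assignment rules and the identity are constructed sample data, and the same "only remove what no other role needs" rule also governs the Lifecycle Manager role-removal requests described later on this page.

```python
"""Model of identity-refresh-driven provisioning requests.

Added example for this page; not IdentityIQ's implementation. Role
definitions, assignment rules and the identity below are constructed."""
from dataclasses import dataclass

# Constructed role model: role name -> entitlements the role requires.
ROLE_REQUIREMENTS = {
    "Accounts Payable": {"sap:AP_CLERK", "ad:Finance-Share"},
    "Finance Analyst": {"ad:Finance-Share", "sap:FI_VIEW"},
    "Contractor": {"ad:VPN-Users"},
}

# Constructed automatic assignment rules: role name -> predicate on identity.
ASSIGNMENT_RULES = {
    "Accounts Payable": lambda i: i["department"] == "Accounts Payable",
    "Finance Analyst": lambda i: i["department"] == "Finance" and not i["contractor"],
    "Contractor": lambda i: i["contractor"],
}


@dataclass(frozen=True)
class Request:
    """One entitlement-level provisioning request produced by the refresh."""
    op: str            # "Add" or "Remove"
    entitlement: str


def evaluate_assignment_rules(identity, rules=ASSIGNMENT_RULES):
    """Return the set of roles whose assignment rule returns true."""
    return {role for role, rule in rules.items() if rule(identity)}


def plan_refresh(previous_roles, current_roles, held_entitlements,
                 disable_deprovisioning=False, roles=ROLE_REQUIREMENTS):
    """Turn a change in assigned roles into Add/Remove requests.

    previous_roles / current_roles: assigned roles before and after the rules ran.
    held_entitlements: entitlements the identity currently holds.
    disable_deprovisioning: models the "Disable deprovisioning of deassigned
    roles" option, which keeps entitlements when a role is removed."""
    required_now = set().union(*(roles[r] for r in current_roles)) if current_roles else set()

    # Adds cover both newly assigned roles and entitlements missing from
    # roles that were already assigned.
    adds = sorted(required_now - held_entitlements)

    removes = set()
    if not disable_deprovisioning:
        for role in previous_roles - current_roles:
            for ent in roles[role]:
                # Keep the entitlement if any still-assigned role needs it.
                if ent in held_entitlements and ent not in required_now:
                    removes.add(ent)

    return ([Request("Add", e) for e in adds]
            + [Request("Remove", e) for e in sorted(removes)])


def refresh_identity(identity, previous_roles, held_entitlements,
                     disable_deprovisioning=False):
    """Run the rules and build the requests in one step."""
    current = evaluate_assignment_rules(identity)
    return current, plan_refresh(previous_roles, current, held_entitlements,
                                 disable_deprovisioning)


if __name__ == "__main__":
    # Constructed identity that moved from Accounts Payable (as a contractor)
    # into Finance as a regular employee.
    jdoe = {"name": "j.doe", "department": "Finance", "contractor": False}
    roles, requests = refresh_identity(
        jdoe,
        previous_roles={"Accounts Payable", "Contractor"},
        held_entitlements={"sap:AP_CLERK", "ad:Finance-Share", "ad:VPN-Users"},
    )
    print("assigned roles:", sorted(roles))
    for r in requests:
        print(r.op, r.entitlement)
```

In the sample run, ad:Finance-Share survives the removal of Accounts Payable because Finance Analyst still requires it, while sap:AP_CLERK and ad:VPN-Users are removed and sap:FI_VIEW is added; passing disable_deprovisioning=True suppresses both removals and leaves only the add.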

Lifecycle Manager Requests

Lifecycle Manager is a separately licensed portion of the IdentityIQ product that is designed to manage entitlements using provisioning requests. Based on their manager status and how the Lifecycle Manager is configured, users can make requests for themselves or for other identities.

In a typical configuration:

  • Managers can make requests for their direct reports.

  • Help desk users can make requests for themselves and others.

  • Any user can make requests for themselves.

Lifecycle Manager Toolbar

When Lifecycle Manager is enabled, the Lifecycle Manager toolbar displays at the top of the IdentityIQ view and supports the following actions:

Request Access

Request Access includes Role and Entitlement requests. If you are working with a single user, a third tab, Current Access, is displayed; you can use it to request the removal of Roles or Entitlements. Use the Lifecycle Manager Request Roles feature to generate requests that:

  • Add the appropriate role to the specified identities.

  • Provision the entitlements the role requires.

  • Provision permitted roles, if added to the request when prompted.

  • Deprovision by removing roles from an identity.

    This option generates a provisioning request to remove the role assignment from the identities and the entitlements the role requires if another role does not need the entitlements.

Use the Lifecycle Manager Request Entitlements feature to generate requests to:

  • Add the entitlement to the specified identity.

  • Revoke an identity's current entitlements.

    This option generates a provisioning request that removes the access from the source application or applications.

By default, when you request a new entitlement on an application and the user already has an account on that application, the entitlement is added to the existing account. If needed, you can create a separate account for specific entitlements.

To create multiple accounts for a single identity on an application or to add an entitlement to a specific existing account when several are available:

  1. Navigate to the Lifecycle Manager configuration Additional Options page.

  2. In the General Options section, select an application included in the list for Applications that support additional account requests.

  3. For the Account selection, select the option to create a new account or the option to add the entitlement to an existing account that the identity already has.

Manage Accounts

Use the Manage Accounts feature to:

  • Request accounts on additional applications – generates provisioning requests.

  • Revoke or disable existing accounts – generates provisioning requests.

  • Enable disabled accounts – generates provisioning requests to enable or disable accounts.

  • Unlock locked accounts – generates provisioning requests.

To use the Manage Accounts to request a new account:

  1. Navigate to the Lifecycle Manager configuration Additional Options page.

  2. In the Manage Accounts Options section, select an application included in the list of applications that support account-only requests.

  3. For the Account selection, select the option to create a new account or the option to add the entitlement to an existing account held by the identity.

Note

You can also select the Manage Accounts option on the Lifecycle Options page for any group; members of that group can then enable, disable, and delete existing accounts. The connector must support this action and the action must not be disabled through another setting on the Additional Options page.

Other Lifecycle Manager Options

Other Lifecycle Manager options include the following items:

  • Create Identity – creates provisioning plans that update IdentityIQ. You can create a new IdentityIQ identity with a set of attributes that can be configured. The attributes that you can set or change are defined by a form that can be customized. New identities do not have accounts on any application.

  • Edit Identity – creates provisioning plans that update IdentityIQ. You can modify attributes for an existing IdentityIQ identity. The attributes that you can set or change are defined by a form that can be customized.

Note

Lifecycle Events can cause provisioning outside of IdentityIQ or additional provisioning inside IdentityIQ. In addition, attribute sync can also cause provisioning outside of IdentityIQ when an identity is created or edited.

  • Manage Passwords – resets passwords on target systems which involves a provisioning plan and provisioning action.

  • View Identities – does not have provisioning-related functionality and is read-only.

Note

The set of identities for which these actions can be taken is based on the individual user's authority and the Lifecycle Manager configuration. The self-service, Request For Me, options do not include Create Identity.

Lifecycle Event-Driven Provisioning

With Lifecycle Manager enabled, Lifecycle Events can be configured in IdentityIQ to represent activities that occur during the normal course of a person's employment at a company. These activities include events such as joining the company, changing departments or managers, and leaving the company. The shorthand terms for these activities are Joiner, Mover, and Leaver.

When Lifecycle Manager is enabled, IdentityIQ contains four predefined Lifecycle Events.

| Lifecycle Event | Trigger | Business Process Invoked |
| --- | --- | --- |
| Joiner | Identity Creation | Lifecycle Event – Joiner |
| Leaver | Attribute Change: Inactive attribute change from false to true | Lifecycle Event – Leaver |
| Manager Transfer | Manager Change | Lifecycle Event – Manager Transfer |
| Reinstate | Attribute Change: Inactive attribute change from true to false | Lifecycle Event – Reinstate |

By default, these events are disabled and must be enabled before the events can be triggered. Lifecycle Events are triggered by specific changes to an identity. These changes can include the following actions:

  • Creation

  • Manager transfer

  • Attribute change

  • Complex changes that an IdentityTrigger rule detects

The triggered Lifecycle Events invoke business processes, or workflows, that can contain provisioning actions.

Note

The terms Business Process and Workflow are synonymous. The IdentityIQ user interface refers to these terms as Business Processes which is the term business managers use most often. The IdentityIQ object model and XML use the term Workflows.

Manage Lifecycle Events and Actions

The Lifecycle Events and the default actions of each of the business process that the predefined Lifecycle Events invoke are listed below.

  • Lifecycle Event – Joiner – prints the name of the identity to sysout. No actions are taken on the identity. This action is typically modified to provision birthright access for identities.

  • Lifecycle Event – Leaver – creates and runs a provisioning plan to disable all accounts the leaving identity has.

  • Lifecycle Event – Manager Transfer – prints the names of the old and new manager to sysout. No actions are taken on the identity or its entitlements. This action is typically modified to generate a certification for the new manager to review the access an identity holds. This action can also be used to provision birthright access identified for members of the new manager’s group.

  • Lifecycle Event – Reinstate – creates and runs a provisioning plan to enable all previously disabled accounts that a returning identity had.
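The trigger table and the default actions above are modelled below as an added example: it detects which predefined events an identity change would fire (creation, manager change, Inactive false-to-true, Inactive true-to-false), honours the fact that events are disabled until enabled, and applies the default Leaver and Reinstate actions (disable every account, then re-enable only the accounts the Leaver action disabled). This is illustrative Python written for this page, not IdentityIQ's business processes; the identity snapshots and accounts are constructed sample data, and IdentityTrigger-rule-based complex changes are left out.

```python
"""Model of predefined Lifecycle Event triggers and their default actions.

Added example for this page; not IdentityIQ code. The identity snapshots
and accounts used here are constructed."""
from dataclasses import dataclass

PREDEFINED_EVENTS = ("Joiner", "Leaver", "Manager Transfer", "Reinstate")


@dataclass
class Account:
    """A target-system account link on an identity."""
    application: str
    native_identity: str
    disabled: bool = False
    disabled_by_leaver: bool = False   # lets Reinstate restore only what Leaver took


def detect_events(before, after):
    """Return the predefined events an identity change triggers.

    before is None for a newly created identity; otherwise both arguments are
    attribute dicts with at least 'manager' and 'inactive'."""
    if before is None:
        return ["Joiner"]
    events = []
    if before["manager"] != after["manager"]:
        events.append("Manager Transfer")
    if not before["inactive"] and after["inactive"]:
        events.append("Leaver")
    if before["inactive"] and not after["inactive"]:
        events.append("Reinstate")
    return events


def fire_events(before, after, enabled_events):
    """Events are disabled by default; only enabled ones are triggered."""
    return [e for e in detect_events(before, after) if e in enabled_events]


def run_default_action(event, identity, accounts):
    """Apply the default business process for an event.

    Returns the list of account operations the provisioning plan would carry;
    Joiner and Manager Transfer only log and produce an empty plan."""
    plan = []
    if event == "Joiner":
        print(f"Joiner: {identity['name']}")
    elif event == "Manager Transfer":
        print(f"Manager Transfer: {identity['name']} -> {identity['manager']}")
    elif event == "Leaver":
        for acct in accounts:
            if not acct.disabled:
                acct.disabled = True
                acct.disabled_by_leaver = True
                plan.append(("Disable", acct.application, acct.native_identity))
    elif event == "Reinstate":
        for acct in accounts:
            if acct.disabled and acct.disabled_by_leaver:
                acct.disabled = False
                acct.disabled_by_leaver = False
                plan.append(("Enable", acct.application, acct.native_identity))
    else:
        raise ValueError(f"unknown lifecycle event: {event}")
    return plan


def process_change(before, after, accounts, enabled_events):
    """Detect enabled events for a change and run their default actions."""
    plan = []
    for event in fire_events(before, after, enabled_events):
        plan.extend(run_default_action(event, after, accounts))
    return plan


if __name__ == "__main__":
    # Constructed identity snapshots: j.doe is transferred and marked inactive
    # in the same refresh, then later reinstated.
    accounts = [Account("Active Directory", "CN=j.doe"),
                Account("SAP", "JDOE"),
                Account("Payroll", "jdoe", disabled=True)]  # disabled before leaving
    v1 = {"name": "j.doe", "manager": "a.smith", "inactive": False}
    v2 = {"name": "j.doe", "manager": "b.jones", "inactive": True}
    v3 = {"name": "j.doe", "manager": "b.jones", "inactive": False}
    enabled = {"Leaver", "Reinstate"}     # Joiner and Manager Transfer left disabled
    print(process_change(v1, v2, accounts, enabled))
    print(process_change(v2, v3, accounts, enabled))
```

Note that the Payroll account, disabled before the Leaver event, is not touched by Reinstate; that distinction is the reason the model tracks which accounts the Leaver action itself disabled.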

Lifecycle Events and Actions How-To Tasks

You can perform the following tasks for Lifecycle events and actions:

Note

Additional Lifecycle Events and workflows/business processes can be created as needed to support the business needs for each installation.

How To Edit Predefined Lifecycle Events

  1. Navigate to Setup > Lifecycle Events page.

  2. Right-click an entry and click Edit, or double-click an entry.

  3. Make desired changes and click Save.

How To Create a New Lifecycle Event

  1. Navigate to Setup > Lifecycle Events page.

  2. Click Add New Lifecycle Event.

  3. Enter information for Lifecycle Event Options and Behavior.

  4. Click Save.

How To Delete a Lifecycle Event

  1. Navigate to Setup > Lifecycle Events page.

  2. Right-click an entry and select Delete.

How To Modify Actions for Lifecycle Events

  1. Navigate to the Setup > Business Process page.

  2. Select the Process Designer tab.

  3. Select a process from the Edit An Existing Process list.

Note

Typically only administrators can edit the Identity Cube information. This option is available through Identities > Identities Warehouse.

You can also access IdentityIQ Debug pages and modify actions through the XML Workflow.

See also Business Process Management.[Link needed]

Other Identity Cube® Modifications

In addition to the Lifecycle Manager pages, users with the right capabilities can access an administrative interface to make additional identity modifications. Navigate to the Identities > Identities Warehouse page.

Most of the information is read-only, but a provisioning plan is generated that updates an identity when you:

  • Edit attribute values on the Attributes tab.

  • Delete or Move account links from the Application Accounts tab.

  • Change capabilities or assigned scopes on the User Rights tab.

If the triggering attributes for the identity have not changed, deleted roles that were assigned by rules are automatically reassigned to the identity during the next identity refresh. The reassignment is also processed as an identity refresh-driven provisioning request.