Provisioning is the process of changing user access to systems and data in your enterprise. It can be initiated by users through actions such as access requests, certifications, or manager requests, or through automated configurations. Automated configurations include role assignments and lifecycle states that keep user access aligned with their business requirements.
The connection for each source determines whether provisioning triggered by lifecycle states is handled automatically or manually. Sources with a direct connection are provisioned automatically, while flat-file sources require the source owner to complete a manual provisioning task assigned to them through IdentityNow's Task Manager.
Setting Up Provisioning
These configurations within IdentityNow are important drivers of the provisioning process.
- For each source, review and update the Create Account specification. When access is granted to a user who does not already have an account on the source, IdentityNow automatically creates an account for them using the attributes and values specified in this definition.
- Add any or all of these configurations to drive automated provisioning for your users:
  - Attribute sync keeps account data in your sources in sync with identity data in IdentityNow.
  - Lifecycle states automatically grant or revoke access based on users' employment status in the company.
  - Roles grant or remove access based on users' job functions.
- Access profiles represent bundles of access that your roles and lifecycle states can grant.
- Where identities can have more than one account on a source, you can configure access profiles to determine which account receives access in automated provisioning.
- If you have the Access Request service, enable your roles and access profiles for access requests, setting up the required approval processes for each. You can also allow entitlements to be requested individually.
Always test new provisioning configurations in your sandbox environment before enabling them in production.
Errors and Retries
IdentityNow automatically recognizes NoRouteToHostException error messages from source connectors as retryable errors. Connectors can also be configured with connector-specific retryable errors.
If provisioning to a direct-connect source fails with a retryable error, IdentityNow automatically retries the action. Each type of provisioning process in IdentityNow has its own defined frequency and count for automated retries. Refer to each process's documentation for those details.
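The retry decision described above, modeled as an added example that is not IdentityNow code: the `Source` fields, the substring matching of error messages, and the `max_retries` value are assumptions, since this page does not give the actual frequency or count.

```python
# Added illustration, not SailPoint code. Field names, substring matching and
# the retry count are assumptions; the page does not specify them.
from dataclasses import dataclass

BUILT_IN_RETRYABLE = ("NoRouteToHostException",)  # the one error this page names

@dataclass
class Source:
    name: str
    direct_connect: bool
    retryable_errors: tuple = ()  # connector-specific patterns (hypothetical field)

class ConnectorError(Exception):
    """Error message reported by a source connector."""

def is_retryable(source, message):
    patterns = BUILT_IN_RETRYABLE + tuple(source.retryable_errors)
    return any(p in message for p in patterns)

def provision(source, action, max_retries=3):
    """Run one provisioning action; return (outcome, attempts)."""
    if not source.direct_connect:
        return ("manual_task", 0)  # flat-file: the source owner completes a task
    attempts = 0
    while True:
        attempts += 1
        try:
            action()
            return ("provisioned", attempts)
        except ConnectorError as exc:
            if not is_retryable(source, str(exc)) or attempts > max_retries:
                return ("failed", attempts)

def flaky(failures, message):
    """Constructed connector stub: fails `failures` times, then succeeds."""
    remaining = [failures]
    def action():
        if remaining[0] > 0:
            remaining[0] -= 1
            raise ConnectorError(message)
    return action

if __name__ == "__main__":
    ad = Source("Constructed AD", direct_connect=True)
    print(provision(ad, flaky(2, "java.net.NoRouteToHostException: No route to host")))
    print(provision(ad, flaky(1, "Invalid credentials")))
    print(provision(Source("Constructed CSV", direct_connect=False), flaky(0, "")))
```

A `failed` outcome on a revoke action means the access is still present on the source, so those results are the ones to surface for follow-up.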