Configuring Work Reassignment
Work Reassignment allows access request reviews, certifications, and manual provisioning tasks assigned to a user to be reassigned to a different user. This is primarily used for:
- Temporarily redirecting work for users who are out of office, such as on vacation or sick leave
- Permanently redirecting work for users who should not be assigned these tasks at all, such as senior executives or service identities
Users can define reassignments for themselves, managers can add them for their team members, and administrators can configure them on any user’s behalf. Work assigned during the specified reassignment timeframes will be automatically reassigned to the designated user as it is created.
Enabling Work Reassignment
The work reassignment feature must be enabled for your site before any users will be able to add these configurations.
- Go to Admin > Global > System Settings.
- Select System Features.
- Select the checkbox for Work Reassignment to enable it.
If you later disable this feature, no additional reassignments will be performed, but already-reassigned work with remain with the new owners. Reassignment configurations will be retained but will not be applied until the feature is enabled again.
Setting Work Reassignments for Identities
Administrators can add work reassignment configurations for any identity.
- Go to Admin > Identities > Identity List and select the identity you want to configure work reassignment for.
- Select the Work Reassignment tab.
Choose the Work Item Type for the reassignment. You can only choose one work type at a time.
Only one reassignment configuration per work item type can exist at a time. Adding a new reassignment for the same work item type replaces an existing one.
From the Assign To list, choose the user who should receive the work reassignments.
- Specify a Start Date and Start Time when reassignment should begin.
- Specify an End Date and End Time for the reassignment to end. To omit an end date, select the No end date toggle; this makes the reassignment permanent until it is manually removed.
- Choose a Time Zone for your specified start and end times. This defaults to your browser's time zone.
Select Add Reassignment.
IdentityNow prevents users from adding work reassignments that create loops in reassignment chains. The error message presented shows all the people in the sequence so the user can work with them to resolve the problem.
The reassignment configuration appears in the Scheduled Reassignments list. To delete a reassignment configuration, select Delete on that row.
IdentityNow creates audit records when reassignments are created or deleted, capturing both the action and the user who performed it. Audit records also capture when automatic reassignments occur based on these configurations.
- When a reassignment ends or is deleted, previously reassigned items remain with the new owner.
- All reassignment configurations for a user are listed together, whether added by the user, their manager, or an admin. Any of these users can delete or replace reassignment configurations added by anyone.
- When work reassignments are performed, if a long chain of reassignments is discovered, automated reassignment stops after 4 reassignments, leaving the item with the 5th person in the chain. However, any necessary self-review prevention escalations are applied for that user.
Exception for Governance Groups
For access requests, when the assigned reviewer is a governance group, work reassignment are applied for each identity within the group. For certifications, however, if the assigned governance group contains multiple identities, reassignments configured for the members are not applied.
IdentityNow contains built-in processes for preventing a person from reviewing and approving their own access or requests. These are applied in the reassignment process.
- In access request review reassignment, self-approval prevention prevents reassignment to the requester and the access recipient.
- In certification reassignment, if the certification contains access belonging to the new certifier, self-certification prevention splits their access into a separate certification that is automatically reassigned to their manager, the campaign owner, or an admin.