Self Service Workflow
Identity Manager's workflow automation engine streamlines the process of requesting and authorizing the creation of new accounts, as well as other security changes such as adding or removing group memberships, changing attribute values, renaming or moving users, and deleting or deactivating users.
The Identity Manager workflow engine uses secure web input (HTTPS) and prompts authorizers for input using e-mail (normally SMTP).
The workflow automation engine works as follows:
- Request input:
  - Users authenticate to the system and make change requests.
  - Change requests are formulated as changes to a user profile: either the requester's own (self-service) or another user's (the recipient).
  - Change requests may alter data attributes, add new accounts, add or remove group memberships, or enable or disable accounts. In every case the change is expressed relative to the recipient user's current state.
  - Plug-in programs can limit or alter requests, for example by restricting who can submit a request, by limiting what requesters can ask for, by validating or filling in fields in a request, or by assigning a login ID to new accounts.
  - Requests may be for changes to identity attributes, or to add or remove single login accounts, collections of privileges (roles) or physical objects (e.g., tokens, building access badges).
- Request routing:
  - Requests are automatically routed to appropriate authorizers, selected based on the identity of the requester and on the roles and templates requested.
  - All authorizers are prompted to respond concurrently. Authorizers may delegate to alternates in their absence.
  - In most cases a response is required only from a subset of the authorizers; for example, any one of three people can approve access to a system.
  - Authorizers are notified by e-mail that their input is required, and respond by clicking a URL embedded in the e-mail.
  - Authorizers may be prompted repeatedly if no response is received within a defined period. Requests that remain pending for too long may be escalated to new authorizers or to an incident management system.
- Authorization:
  - Authorizers review requests using a web form, over a secure connection (HTTPS).
- Executing approved requests:
  - Once adequate authorization has been collected, Identity Manager can automatically create login IDs, update existing IDs, or request action from system administrators and others through e-mail and incident management system integration.
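The routing and authorization steps above amount to a small state machine: prompt every authorizer at once, accept responses only from authorizers or their delegates, finish when a quorum is reached, remind on a fixed interval, and escalate when a request has been pending too long. The following is an added illustration of that logic, not Identity Manager's own code; the class and function names, the simulated clock, and the "any N of M" quorum with an explicit deny path are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ApprovalRequest:
    # Constructed model of one pending change request; not Identity Manager's own data structure.
    request_id: str
    authorizers: list           # everyone prompted concurrently
    required: int               # approvals needed, e.g. any 1 of 3
    created_at: int             # simulated clock, in seconds
    remind_after: int           # seconds between reminders
    escalate_after: int         # seconds before escalation
    delegates: dict = field(default_factory=dict)   # authorizer -> alternate
    approvals: set = field(default_factory=set)
    denials: set = field(default_factory=set)
    reminders_sent: int = 0

def initial_notifications(req):
    # All authorizers are notified at once; an absent authorizer's delegate is prompted instead.
    return [req.delegates.get(a, a) for a in req.authorizers]

def status(req):
    if len(req.approvals) >= req.required:
        return "approved"
    if len(req.authorizers) - len(req.denials) < req.required:
        return "denied"      # quorum can no longer be reached
    return "pending"

def record_response(req, responder, approve):
    # Only a named authorizer, or the alternate that authorizer delegated to, may respond;
    # a delegate's decision is recorded against the authorizer they stand in for.
    principal = next((a for a in req.authorizers
                      if a == responder or req.delegates.get(a) == responder), None)
    if principal is None:
        raise PermissionError(f"{responder} is not an authorizer for {req.request_id}")
    (req.approvals if approve else req.denials).add(principal)
    return status(req)

def tick(req, now):
    # Engine action due at time `now`: None, "remind" (once per interval) or "escalate".
    if status(req) != "pending":
        return None
    age = now - req.created_at
    if age >= req.escalate_after:
        return "escalate"
    if age >= req.remind_after * (req.reminders_sent + 1):
        req.reminders_sent += 1
        return "remind"
    return None
```

Calling `tick` from a scheduler loop reproduces the reminder and escalation behaviour; `record_response` rejecting unknown responders is what keeps the e-mailed approval URL from being actionable by anyone other than the selected authorizers.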
The Identity Manager workflow system can integrate with a variety of existing infrastructure:
- Change requests may be submitted by other systems, for example home-grown or vertical-market workflow systems, using a well-defined SOAP service.
- Change requests may be submitted by the Identity Manager automated administration system, which in turn draws data from both systems of record and managed target systems.
- User-entered change requests are validated by plug-in programs, which can draw on code validation tables in existing databases (e.g., using SQL) and on identity attributes and organization chart data in existing directories (e.g., using LDAP).
- Authorizers for new change requests can be selected by a plug-in program, for example drawn from the organization chart in an existing LDAP directory.
- Appropriate business users (normally managers and system owners) are asked by e-mail to authorize change requests.
- Problems, such as failure by authorizers to respond to requests, can be escalated to an incident management system (e.g., BMC/Remedy, HP/Service Manager).