An application owner can configure the application source to require manual or automated fulfillment. When OpenText Identity Governance generates a changeset for fulfillment, OpenText Identity Governance determines which applications have change items. Depending on the specified fulfillment type for the application, OpenText Identity Governance performs one of the following actions:
Fulfillment administrators can configure the fulfillment target for an application, including configuring multiple fulfillment targets for an application based on change request types. For more information, see Section 13.2, Configuring Fulfillment.
During the fulfillment stage of the review instance, OpenText Identity Governance creates a task for each review item that must be changed. The assigned fulfillers complete the requested changes in a domain-specific manner, based on the actual permission. Fulfilling the changes might take many days, and you might need to remove many permissions. To complete the process in a timely manner, a Customer, Global, or Data Administrator can specify a group of users to serve as the Fulfiller. Users in the specified group can work concurrently to fulfill the changes.
OpenText Identity Governance provides change items, either through a completed review or SoD case review. Following are some examples of the change items:
Remove user from account (user access review), fulfilled by either removing the user from the account or removing the account
Modify user access with fulfillment instructions, fulfilled by following the reviewer’s instructions
Remove account (unmapped and mapped account review), fulfilled by removing the account
Remove permission and inherited permissions (user access review), fulfilled by removing the permissions from the user
Assign user (unmapped and mapped account review), fulfilled by assigning the user to the account
Modify account with fulfillment instructions, fulfilled by following the reviewer’s instructions
NOTE: Modify user access and modify account changesets might have a reason, and a user selection might also be required. For more information, see Configuring Reasons for Review Actions. For more information about specific change request types and fulfillment status, see Configuring Fulfillment.
OpenText Identity Governance sends emails to the fulfillers to remind them that they have a manual fulfillment task. The email provides a link to the task. Administrators can customize the message in this reminder. For more information about customizing, see Section 4.4, Customizing Email Notification Templates.
For more information about performing fulfillment tasks, see Section 14.0, Instructions for Fulfillers.
If you integrate OpenText Identity Governance with OpenText Identity Manager, you can use a custom workflow to remove the permissions. You create the workflow in the identity applications. In OpenText Identity Manager you specify global configuration values (GCVs) to store the connection parameters between the workflow and OpenText Identity Governance. The workflow also must have inputs specified in the following fields:
String: changesetId
String: appId
OpenText Identity Governance sends the changesetId and appId to the workflow to process the fulfillment tasks for the review’s changeset. The workflow parses the information in the changeset and completes the tasks. When the workflow finishes, OpenText Identity Manager informs OpenText Identity Governance, which then changes the status of the changes to complete.
For more information, see Configuring and Managing Provisioning Workflows in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.
To get started, use the included sample workflow as a starting point for creating your custom workflow to process the change request. A companion download defines the global configuration values (GCVs) that the workflow uses to configure the OpenText Identity Governance connection details.
To access the sample workflow:
Go to Fulfillment > Configuration > Fulfillment Targets > Identity Manager workflow (system).
In the Fulfillment Samples section, download a sample workflow.
Import the sample workflow into OpenText Identity Manager Designer and deploy it to the Identity Manager Roles Based Provisioning Module (RBPM).
Update the sample workflow with the details specific to your environment, including the To do for Customer section of the workflow.
You can assign automated provisioning to any application source that derives from OpenText Identity Manager. After you complete a review, OpenText Identity Governance sends the requested changes to the OpenText Identity Manager Identity Vault. The permission type determines whether OpenText Identity Manager can automatically provision the requested change. In the identity applications for OpenText Identity Manager you specify whether a permission is a resource or a role. OpenText Identity Manager can automatically deprovision all resources because they are explicitly set for the user. Similarly, if a role is explicitly set, it can be deprovisioned. For example, the user has an nrfAssignedRole attribute pointing to that role. However, OpenText Identity Manager cannot deprovision roles that a user receives indirectly. For example, the user is a member of a container or group to which the role has been assigned.
NOTE: OpenText Identity Manager automated provisioning relies on the Provisioning ID value for an identity to be a valid distinguished name in the OpenText Identity Manager system. When using multiple identity sources that are merged, be sure you set the OpenText Identity Manager identity source as the authoritative source for the Provisioning ID attribute in your identity merging rules.
If deprovisioning can be done automatically, OpenText Identity Manager propagates those updates to the connected systems. For those roles that cannot be deprovisioned automatically, the fulfillment process includes a fallback method. You can specify that OpenText Identity Governance can revert to manual fulfillment or to using an OpenText Identity Manager workflow.
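The rules above can be modeled as a pre-fulfillment triage that sorts removal requests into those that can be deprovisioned automatically and those that need the fallback. This is an added example, not OpenText code or an OpenText API: the dictionary layout, every field name other than nrfAssignedRole, the "check-provisioning-id" outcome, and the simplified DN check are assumptions, and all sample values are constructed.

```python
import re

# Simplified RDN shape: type=value, where the value may contain escaped characters.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+$")

def is_valid_dn(value):
    """Rough shape check for a distinguished name (not full RFC 4514 parsing)."""
    if not value:
        return False
    return all(_RDN.match(p.strip()) for p in re.split(r"(?<!\\),", value))

def triage(item, user):
    """Classify one removal request; returns (outcome, reason)."""
    # Assumption: an identity without a DN-shaped Provisioning ID is only flagged here.
    if not is_valid_dn(user.get("provisioning_id")):
        return ("check-provisioning-id", "Provisioning ID is not a valid DN")
    if item["kind"] == "resource":
        return ("automated", "resources are explicitly set for the user")
    if item["permission"] in user.get("nrfAssignedRole", []):
        return ("automated", "role is explicitly assigned to the user")
    return ("fallback", "role is received indirectly (group or container)")

def triage_changeset(items, users):
    """Group the change items of a changeset by triage outcome."""
    buckets = {"automated": [], "fallback": [], "check-provisioning-id": []}
    for item in items:
        outcome, reason = triage(item, users[item["user"]])
        buckets[outcome].append((item["user"], item["permission"], reason))
    return buckets

# Constructed sample data (hypothetical users, roles and resources).
USERS = {
    "jdoe": {"provisioning_id": "cn=jdoe,ou=users,o=data",
             "nrfAssignedRole": ["cn=Auditor,cn=Level10,o=roles"]},
    "asmith": {"provisioning_id": "asmith@example.com", "nrfAssignedRole": []},
}
ITEMS = [
    {"user": "jdoe", "kind": "resource", "permission": "cn=VPN,o=resources"},
    {"user": "jdoe", "kind": "role", "permission": "cn=Auditor,cn=Level10,o=roles"},
    {"user": "jdoe", "kind": "role", "permission": "cn=Helpdesk,cn=Level10,o=roles"},
    {"user": "asmith", "kind": "resource", "permission": "cn=VPN,o=resources"},
]

if __name__ == "__main__":
    for outcome, rows in triage_changeset(ITEMS, USERS).items():
        for row in rows:
            print(outcome, *row, sep=" | ")
```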