14.2 Configuring Fulfillment

Identity Governance provides three default options for fulfillment targets for provisioning the changeset items from a review: Identity Manager automated, Identity Manager workflow, and Manual (a user or group). You can also integrate and automate Identity Governance fulfillment with your service desk system by adding and configuring a connector to your service desk system in Identity Governance Fulfillment Configuration.

Identity Governance supports the following connectors for fulfillment to help enable fulfillment via common methods and connected systems. Each template can be customized to connect to associated data sources.

NOTE:Customization of templates might require additional knowledge of connected systems, and all modifications are the responsibility of the customer. For further guidance, contact support or professional services.

  • Active Directory LDAP

  • BMC Remedy Incident

  • CSV

  • eDirectory LDAP

  • Generic HTTP

  • GitHub

  • Identity Manager Dxcmd Fulfillment for Active Directory

  • IDM Entitlement

  • JDBC Generic DB

  • JDBC Oracle

  • JDBC PostgreSQL

  • JDBC SQL Server

  • REST Generic

  • Salesforce

  • SCIM

  • ServiceNow Generic

  • ServiceNow Incident

  • ServiceNow Request

  • SOAP Service

  • Workflow Service

NOTE:Before you configure a fulfillment target with either an Active Directory LDAP fulfillment type or an eDirectory LDAP fulfillment type, you must ensure that the Active Directory or eDirectory collection includes the attributes required for fulfillment. To verify Active Directory or eDirectory LDAP collection, log in to Identity Governance and then click Data Sources > Application Definition Sources.


14.2.1 About Fulfillment Types

Identity Governance includes fulfillment type connectors for various service desk products to enable fulfillment integration with your incident management applications. When you connect to an application for fulfillment, you must configure the connector to map the data fields in the change item to the input fields of the application. In a typical service desk environment, all systems and applications that the service desk manages are entered as configuration management items.

Identity Governance exposes the following data fields from each changeset item to the fulfillment target connectors:

changeItemId

A long value containing the internal change item number

changeSetId (optional)

A long value containing the internal changeset number

changeRequestType

A string value containing one of the following values:

NOTE:Supported change request types can vary based on your fulfillment target.

  • ADD_USER_TO_ACCOUNT

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT_ASSIGNMENT

  • MODIFY_PERMISSION_ASSIGNMENT

  • MODIFY_ACCOUNT_ASSIGNMENT

  • REMOVE_ACCOUNT

  • ADD_PERMISSION_TO_USER

  • ADD_APPLICATION_TO_USER

  • REMOVE_APPLICATION_FROM_USER

  • ADD_TECH_ROLE_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • MODIFY_ACCOUNT

  • REMOVE_TECH_ROLE_ASSIGNMENT

  • REMOVE_BUS_ROLE_ASSIGNMENT

  • MODIFY_TECH_ROLE_ASSIGNMENT

fulfillmentInstructions (optional)

Instructions the reviewer and request approver provided for the fulfiller

flowdata

Data item mappings and definitions that are passed through from request workflow to fulfillment workflow

userName

Display name of the user that is the target of the change item

account (optional)

Identifier of the account

accountLogicalId (optional)

Logical system identifier of the account. This only applies to Identity Manager SAP User Management driver accounts.

accountProvId (optional)

The collected identifier that indicates the unique ID of the account

appName

Name of the application to which the permission being provisioned belongs

fulfillerName (optional)

Name of the fallback fulfillment user

reason

Generated description of the action being requested by the change item

requesterName

Display name of the reviewer who requested the change

permName

Name of the permission being provisioned

permProvAttr

Name of the target permission attribute being modified

permProvLogicalId (optional)

Logical system identifier of the permission being provisioned. This only applies to the Identity Manager SAP User Management driver permissions.

permProvId (optional)

The collected unique provisioning identifier of the permission

reviewReasonId (optional)

The internal long value for the reason

reviewReason (optional)

The reason text

userProfile (optional)

Attribute to provide context to the fulfiller on the recipient of the fulfillment item

requesterProfile (optional)

Attribute to provide context to the fulfiller on the requester of the fulfillment item

accountProfile (optional)

Attribute to provide context to the fulfiller on the account if the fulfillment item is an account

permissionProfile (optional)

Attribute to provide context to the fulfiller on the permission if the fulfillment item is a permission

The following shows a sample change item payload:

{
    "accountProvId": "d2a293ff-71c5-492f-9415-e08830b635b2",
    "changeItemId": 8300,
    "changeRequestType": "REMOVE_PERMISSION_ASSIGNMENT",
    "userName": "Abby Spencer",
    "accountName": "aspencer",
    "account": "CN=Abby Spencer,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com",
    "appName": "Money Honey Financials",
    "reason": "REMOVE_PERMISSION_ASSIGNMENT remove permission Marketing Portal requested by Aaron Corry while certifying Money Honey Financials",
    "requesterName": "Andrew Astin",
    "permName": "Marketing Portal",
    "permProvAttr": "member",
    "permProvId": "e07db779-5c30-44d2-bc0c-6dfa30cfa6af"
}

Fulfillment types use preconfigured templates that map the Identity Governance change item data and application-specific static values into various attributes in the SOAP XML payload. The WSDL from your service catalog request management application indicates any value constraints for input fields. The fulfillment target service can populate all valid fields in the service desk interface, so if you want to extend the set of fields that the Identity Governance template populates or modify the default mappings of the template, contact your Micro Focus technical support representative for details.

The service parameters and other fulfillment target configuration fields vary depending on the fulfillment type selected for a fulfillment target. Identity Governance provides default values for many of the fields, but you can customize the field values.

For example, the “BMC Remedy Incident” fulfillment type uses the Helpdesk_Submit_Service method of the HPD_IncidentInterface_Create SOAP service to create incidents in the Remedy application, for example at http://your-service-host/arsys/WSDL/public/your_server/HPD_IncidentInterface_Create_WS. In addition, the Fulfillment Item configuration mapping displays the fields listed in the table below.

BMC Remedy Incident Field   Identity Governance Mapping
Service_Type                “User Service Request” (required)
Reported_Source             “Direct Input” (required)
Status                      “New” (required)
Action                      “CREATE” (required)
Urgency                     “3-Medium” (required)
Impact                      “3-Moderate/Limited” (required)
First_Name                  (required)
Last_Name                   (required)
Notes                       reason, appName, userName, account (ECMAScript transformation provided)
Summary                     changeRequestType
HPD_CI_ReconID

Mapping Identity Governance change item data to target application data fields is similar to configuring data source collectors. This includes support for static value mapping and per-field data transformation. Regardless of the fulfillment type you select, you must place quotes around the static values used for fulfillment type configuration.

Since the implementation of any particular service desk application varies widely for each customer, it may be useful to manually create sample incidents using the application user interfaces to validate the desired inputs for each fulfillment target.
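The following is an added example, not code shipped with the Identity Governance BMC Remedy template: it applies the mapping table above to one change item, quoting the static values, building Notes from reason, appName, userName and account, and refusing to produce an incident whose required fields are empty. The name-splitting rule for First_Name and Last_Name is an assumption, since the page does not state how the product derives them.

```javascript
// Added example, not code from the Identity Governance product: builds the
// Helpdesk_Submit_Service input fields for a BMC Remedy Incident target from
// one change item, following the mapping table above. Static values are
// quoted strings, as the fulfillment type configuration requires.
var REMEDY_STATIC_FIELDS = {
  Service_Type: "User Service Request",
  Reported_Source: "Direct Input",
  Status: "New",
  Action: "CREATE",
  Urgency: "3-Medium",
  Impact: "3-Moderate/Limited"
};

// Every field the table marks "(required)" must be non-empty in the request.
var REMEDY_REQUIRED_FIELDS = ["Service_Type", "Reported_Source", "Status",
  "Action", "Urgency", "Impact", "First_Name", "Last_Name"];

// Per-field transformation for Notes (reason, appName, userName, account).
// Absent optional fields are skipped so the ticket never shows "undefined".
function notesFromChangeItem(item) {
  var parts = [];
  if (item.reason) parts.push(item.reason);
  if (item.appName) parts.push("Application: " + item.appName);
  if (item.userName) parts.push("User: " + item.userName);
  if (item.account) parts.push("Account: " + item.account);
  return parts.join("\n");
}

// Splits the display name "Abby Spencer" into First_Name / Last_Name
// (assumed rule: first token is the first name, the rest is the last name).
function splitName(userName) {
  var tokens = String(userName || "").trim().split(/\s+/).filter(Boolean);
  return {
    First_Name: tokens.length > 1 ? tokens[0] : "",
    Last_Name: tokens.length > 1 ? tokens.slice(1).join(" ") : (tokens[0] || "")
  };
}

// Returns the complete field map, or throws when a required field is empty
// so that an incomplete incident is never submitted.
function buildRemedyIncident(item) {
  var fields = {};
  Object.keys(REMEDY_STATIC_FIELDS).forEach(function (key) {
    fields[key] = REMEDY_STATIC_FIELDS[key];
  });
  var name = splitName(item.userName);
  fields.First_Name = name.First_Name;
  fields.Last_Name = name.Last_Name;
  fields.Notes = notesFromChangeItem(item);
  fields.Summary = item.changeRequestType || "";
  fields.HPD_CI_ReconID = ""; // no default mapping: set per application
  REMEDY_REQUIRED_FIELDS.forEach(function (key) {
    if (!fields[key]) {
      throw new Error("required Remedy field " + key +
        " is empty for change item " + item.changeItemId);
    }
  });
  return fields;
}

// Constructed sample change item (copied from the sample payload in 14.2.1).
var SAMPLE_CHANGE_ITEM = {
  accountProvId: "d2a293ff-71c5-492f-9415-e08830b635b2",
  changeItemId: 8300,
  changeRequestType: "REMOVE_PERMISSION_ASSIGNMENT",
  userName: "Abby Spencer",
  account: "CN=Abby Spencer,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com",
  appName: "Money Honey Financials",
  reason: "REMOVE_PERMISSION_ASSIGNMENT remove permission Marketing Portal requested by Aaron Corry while certifying Money Honey Financials",
  permName: "Marketing Portal",
  permProvAttr: "member"
};
```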

14.2.2 Configuring System Fulfillment Targets

For Identity Manager automated, Identity Manager workflow, and manual fulfillment targets, Identity Governance evaluates and fulfills the change items without the need for extensive configuration. When you are specifying one of the default methods of fulfillment, do the following:

Manual

Specify an individual or group of individuals to serve as the fulfiller. For more information about manual fulfillment, see Section 14.6.1, Manually Fulfilling the Changeset.

To have Identity Governance email reminders to the fulfillers, ensure that you configure email notifications using the Identity Governance Configuration Utility. For information about customizing emails to fulfillers, see Section 3.4, Customizing Email Notification Templates.

Identity Manager Workflow

Applies only when you integrate Identity Governance with Identity Manager.

Specify the name of a workflow that already exists in Identity Manager. The Identity Manager workflow must have inputs for the following fields:

  • String: changesetId

  • String: appId

To connect to the external provisioning system from Identity Governance, click Configuration > Identity Manager System Connection (or you can use the Identity Governance Configuration Utility in the console mode). For example:

URL: http://$test:8543/IDMProv
User ID: globaladmin
Password: adminpassword

For information about the Configuration Utility procedures, see Using the Identity Governance Configuration Utility in the Identity Governance 3.7 Installation and Configuration Guide. For more information about the workflow process, see Section 14.6.2, Using Workflows to Fulfill the Changeset.

Identity Manager Automated

Applies only when you integrate Identity Governance with Identity Manager.

Specify whether you want to use automated provisioning with manual fulfillment or a workflow as the fallback method, then specify the values associated with the fallback method. For more information, see Section 14.6.3, Automatically Fulfilling the Changeset.

14.2.3 Understanding Service Desk and Other Fulfillment Targets

The Identity Governance fulfillment target configuration allows you to customize your incidents for various systems. When you create a service desk or other fulfillment target in Identity Governance, you provide the connection information and credentials for the target system, as well as a default configuration specifying the fields you want Identity Governance to populate in your incidents. After you assign a target fulfillment system to an application, you can then customize that default configuration to appropriately map the application configuration item, assignment group, severity, and other fields for that specific application.

To know how to configure service desk and other fulfillment targets, see Section 14.2.4, Configuring Service Desk and Other Fulfillment Targets.

About Active Directory and eDirectory LDAP Fulfillment

If a user is present in Identity Governance, but is not present in either Active Directory or eDirectory, you can configure the fulfillment target to create an account through the respective fulfillment targets.

To perform this action, in Step 4.b, you must provide values for the first name, last name, title, and workforceID fields.

In addition, when you configure Fulfillment item configuration and mapping, click {...}, then edit the transform script for Account name generation payload to connect to the correct Active Directory or eDirectory server for the user.

About GitHub Fulfillment

Identity Governance uses the GitHub fulfiller to add or remove members of an organization or a team, and to add or remove a collaborator of a repository. When a user is added to an organization or a team, the default role assigned is ‘member’; for a repository, it is ‘read’. Members can, however, log in to the GitHub application and change the roles as their requirements dictate.

A user can get access to a repository directly as a collaborator, or as a member of an organization or a team. Members automatically inherit the permission to access the organization and team repositories. So, when you want to remove a collaborator from a repository, or a member from a team, ensure that the repository permission is not inherited from an organization or a team. For the fulfillment verification to succeed, you must remove the member from the parent organization or team so that they also lose the child permission, that is, the repository permission.

NOTE:The term ‘collaborator’ is specific to GitHub and it is someone who is given access to a repository directly. For more information, see the GitHub Docs.

The GitHub fulfiller supports the following change requests:

  • ADD PERMISSION TO USER

  • REMOVE PERMISSION ASSIGNMENT

  • REMOVE PERMISSION FROM ACCOUNT

For the fulfillment to process successfully, you must add the following mandatory attributes to the Fulfillment Context attributes:

Account

  • Account ID from Source

  • Account Disabled

  • Account Aliases

Permission

  • Permission ID from Source

  • Permission Type

  • Permission Name

About REST Generic Fulfillment

Identity Governance uses the REST Generic fulfiller to fulfill requests for any REST-based application through its REST endpoints. This fulfiller also supports OAuth 2.0. The REST Generic fulfillment template allows you to customize the template. While configuring the Fulfillment Item configuration and mapping, click {..} for Content, then specify the service_method and the http_body.

About CSV Fulfillment

This fulfillment target creates a CSV file in the specified directory that contains the attributes you configured in the fulfillment target.

About Salesforce Fulfillment

The Identity Governance Salesforce Fulfillment template provides a transformation policy that:

  • Executes a query for a single existing user and creates a new Salesforce User if needed

  • Assigns or revokes the following permission types: UserRole, Profile, PackageLicense, PermissionSetLicense, PermissionSet, and PermissionSetGroup

In order to assign some PermissionSet or PermissionSetGroup permissions, it might be necessary to assign an appropriate license first. We therefore recommend that you assign all licenses before you assign other permission types.

The default transformation policy also includes fulfillment attributes required for fulfillment operations. One required User attribute is ProfileId, which must contain the native ID value of a Profile permission. Since all Salesforce Users must have a Profile assignment at all times, it is your responsibility to provide a default ID that can be used for new Users or to reset a User whose profile has been removed by Identity Governance fulfillment actions. This ID should replace the “ID of default profile” string in the transformation policy.

Based on your operations, you might also need to specify additional Fulfillment Context attributes for userProfile and permissionProfile.

About SCIM Fulfillment

Identity Governance uses the System for Cross-domain Identity Management (SCIM) fulfiller template for managing identities, and fulfilling change requests for permissions and accounts, especially across SaaS products. Based on the SCIM protocol, the SCIM fulfiller has default attribute mapping that helps you fulfill requests. However, you can change these mappings to match the requirements of your application.

The SCIM fulfiller template allows you to edit the transform script that builds the required payload for the change requests for generic fulfillment, user profiles, permissions, and accounts. The ECMAScript includes comments that guide you through the payload generation process. After you generate the payload, Identity Governance sends the payload for fulfillment. The SCIM fulfiller generates the payload for the following change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT
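The following is an added example, not the product's SCIM fulfiller template: it shows the SCIM 2.0 request a transform script would have to build for each of the change request types listed above. It assumes permissions are SCIM Groups and accounts are SCIM Users, that permProvId and accountProvId carry the SCIM resource ids, and that accountName (as in the sample payload) becomes the userName of a newly created User; resource ids are validated before they are placed in a URL path or filter.

```javascript
// Added example, not the product's SCIM fulfiller template: builds the SCIM 2.0
// (RFC 7644) request for each change request type listed above. Assumptions:
// permissions are SCIM Groups and accounts are SCIM Users, permProvId and
// accountProvId hold the SCIM resource ids, and accountName (as in the sample
// payload) becomes the SCIM userName of a newly created User.
var SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
var SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User";

// Resource ids end up in URL paths and in a SCIM filter expression, so only a
// plain opaque id is accepted; anything else aborts the request.
function requireId(value, fieldName) {
  if (typeof value !== "string" || !/^[A-Za-z0-9._~-]+$/.test(value)) {
    throw new Error("change item field " + fieldName + " is missing or not a plain resource id");
  }
  return value;
}

function requireText(value, fieldName) {
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error("change item field " + fieldName + " is required");
  }
  return value;
}

// PATCH on the Group: "add" appends the member, "remove" uses a value filter
// so that only the one membership is touched.
function groupMembershipPatch(groupId, op, userId) {
  var operation = op === "add"
    ? { op: "add", path: "members", value: [{ value: userId }] }
    : { op: "remove", path: 'members[value eq "' + userId + '"]' };
  return {
    method: "PATCH",
    path: "/Groups/" + groupId,
    body: { schemas: [SCIM_PATCH_SCHEMA], Operations: [operation] }
  };
}

// Returns { method, path, body } for the change item, or throws for a type the
// SCIM fulfiller does not handle.
function buildScimRequest(item) {
  switch (item.changeRequestType) {
    case "ADD_APPLICATION_TO_USER":
      return {
        method: "POST",
        path: "/Users",
        body: {
          schemas: [SCIM_USER_SCHEMA],
          userName: requireText(item.accountName, "accountName"),
          displayName: requireText(item.userName, "userName"),
          active: true
        }
      };
    case "ADD_PERMISSION_TO_USER":
      return groupMembershipPatch(requireId(item.permProvId, "permProvId"), "add",
        requireId(item.accountProvId, "accountProvId"));
    case "REMOVE_PERMISSION_ASSIGNMENT":
    case "REMOVE_ACCOUNT_PERMISSION":
      return groupMembershipPatch(requireId(item.permProvId, "permProvId"), "remove",
        requireId(item.accountProvId, "accountProvId"));
    case "REMOVE_ACCOUNT":
      return { method: "DELETE", path: "/Users/" + requireId(item.accountProvId, "accountProvId"), body: null };
    default:
      throw new Error("change request type not handled by the SCIM fulfiller: " + item.changeRequestType);
  }
}

// Constructed sample change item (the REMOVE_PERMISSION_ASSIGNMENT payload from 14.2.1).
var SCIM_SAMPLE_ITEM = {
  accountProvId: "d2a293ff-71c5-492f-9415-e08830b635b2",
  changeItemId: 8300,
  changeRequestType: "REMOVE_PERMISSION_ASSIGNMENT",
  userName: "Abby Spencer",
  accountName: "aspencer",
  appName: "Money Honey Financials",
  permName: "Marketing Portal",
  permProvId: "e07db779-5c30-44d2-bc0c-6dfa30cfa6af"
};
```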

About IDM Entitlement Fulfillment

The IDM Entitlement fulfillment target supports only the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

When a change request is sent to Identity Manager for fulfillment, the fulfiller modifies the User Attribute DirXML-EntitlementRef. The IDM engine then sends an event to the driver to ensure that the entitlement is fulfilled.

To successfully fulfill entitlement-related change requests:

  • Identities must have been collected from Identity Manager

  • Users must still be present in Identity Manager

  • All the fulfillment context attributes required for Recipient (User), Account, and Permission profiles must be specified

About JDBC Fulfillment

Identity Governance uses the JDBC Oracle, JDBC SQL Server, and JDBC PostgreSQL fulfillment templates to automatically fulfill change requests, and the JDBC Generic DB fulfillment template for all other databases, such as MySQL or Sybase. The appropriate third-party connector libraries must be installed on the Identity Governance server before you can use the JDBC Generic DB fulfillment template. The generic template allows you to edit the transform script that builds the required payload to successfully process change requests.

The JDBC fulfillment template supports all change requests. The JDBC fulfillment is certified with the following database versions:

JDBC fulfillment type   Supported version
JDBC Oracle             Oracle 19c
JDBC PostgreSQL         PostgreSQL 14
JDBC SQL Server         MS SQL 2019
JDBC Generic DB         MySQL 8.0.x

About Workflow Service Fulfillment

Identity Governance uses the Workflow Service fulfillment target to get a workflow from the Workflow Service and run the workflow to fulfill changesets. You can either use an existing workflow, or create a workflow in Identity Governance. Identity Governance then sends the changeitemid to the Workflow Service to process the fulfillment.

NOTE:To edit the workflow, click the Edit link next to the Workflow field to launch the Workflow Builder in the Workflow Administration Console. In the Workflow Builder, ensure that the default IGA fulfillment request form is selected so that the fulfillment request can complete. Using any other form for your fulfillment request might result in unpredictable behavior.

The Workflow Service identifies the entity, parses the information, and completes the task. The Workflow Service, however, does not inform Identity Governance when the task finishes. To check the fulfillment steps or fulfillment status, select Fulfillment > Status or Requests > Requests.

14.2.4 Configuring Service Desk and Other Fulfillment Targets

In addition to the system targets, Identity Governance provides default templates for various systems that authorized administrators can configure as their fulfiller. For example, you can integrate and automate Identity Governance fulfillment with your service desk system by configuring a connector to your service desk system in Identity Governance Fulfillment Configuration.

To configure service desk and other fulfillment targets:

  1. Log in to Identity Governance as a Bootstrap, Customer, Global, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration.

  3. To add a fulfillment target, select +. Ensure that you understand your connectors and special requirements if any before configuring your systems. For information about specific fulfillment targets, see Section 14.2.3, Understanding Service Desk and Other Fulfillment Targets.

  4. Complete the required fields.

    a. Configure service parameters to connect Identity Governance to your fulfillment service. If applicable, enable the Cloud Bridge connection when fulfilling Identity Governance as a Service requests using on-premises fulfillment services.

      NOTE:Micro Focus supports Cloud Bridge only in Identity Governance as a Service deployments.

    b. Configure the fulfillment item and map attributes. Click the search icon to select or edit the data fields included for a parameter. For example, select Fulfillment Instructions to pass instructions from reviewers and approvers through to fulfillers. Select Flow Data for custom request and approval form information to be received by fulfillment systems. In addition, if required, click {...}, then edit the transform script or upload a script to map attributes. For examples, see Section 14.2.3, Understanding Service Desk and Other Fulfillment Targets.

      NOTE:When viewing the list of mapped attributes for a field, you might see some items that are not available to select and are marked with a strike-through line across the text. You must enable these attributes in Configuration > Context Fulfillment Attributes in order to select them here.

  5. (Conditional) If you want to modify a fulfillment target, click its name in the Name column, and then make necessary changes.

    NOTE:Optionally, Customer, Global, or Data administrators can download the fulfillment target templates, edit them, and upload them to Identity Governance prior to fulfillment administrators configuring the service parameters and mappings in the application itself. For more information, see Section 14.4, Customizing Fulfillment Target Templates.

  6. Make any additional updates for the selected fulfillment target, such as fulfillment response mapping and specifying change request types, then click the Save icon.

  7. Select the Application Setup tab, and configure application fulfillment settings.

    a. To modify changesets for a specific application prior to fulfillment, see Section 14.2.5, Modifying Changesets Before Fulfillment.

    b. To configure multiple targets for your applications, see Section 14.2.6, Configuring Multiple Fulfillment Targets for Applications.

  8. Select the Catalog update setup tab and select the fulfillment target for each type of catalog update request initiator you have in place.

14.2.5 Modifying Changesets Before Fulfillment

Changesets are automatically generated based on activities such as access requests, reviews, and role changes. Identity Governance enables administrators to modify the generated changeset using JavaScript. For example, when a user who has no account requests permissions, you can modify the generated changeset to create an account for the user.

To modify changesets:

  1. Log in to Identity Governance as a Bootstrap, Customer, Global, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration and select the Application setup tab.

  3. Click Edit next to the application whose changesets you want to modify.

  4. Click + to create a script to modify changesets.

  5. Type the name and description.

  6. Use the sample JavaScript to analyze the changeset and modify the script as needed, or import a script from a file.

  7. Click the Save icon and close the script window.

  8. Publish the script.

  9. Compare differences and edit the script if needed, then publish again.

  10. Repeat the above steps to add more scripts.

  11. Change the script execution order as needed.
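The following is an added example, not the product's sample script: it implements the case described above (a user with no account requesting permissions) as a function over the changeset. It assumes the script sees the changeset as an array of change items shaped like the sample payload in 14.2.1, that an item with no account value targets a user who has no account yet, and that ADD_APPLICATION_TO_USER is the change request type that creates the account; how the script is handed the changeset and how the product assigns change item ids are not stated on the page.

```javascript
// Added example, not the product's sample script. Assumptions: the changeset is
// an array of change items like the sample payload in 14.2.1, an ADD_PERMISSION_TO_USER
// item with no "account" value targets a user who has no account yet, and
// ADD_APPLICATION_TO_USER is the change request type that creates one. Fields the
// product assigns itself (such as changeItemId) are left out of the inserted item.
function addMissingAccountItems(changeItems) {
  var result = [];
  var accountRequested = {};   // key "userName|appName" -> account creation already present

  // Seed with account-creation items already in the changeset, so running the
  // script twice (or on a changeset that already contains one) never duplicates.
  changeItems.forEach(function (item) {
    if (item.changeRequestType === "ADD_APPLICATION_TO_USER") {
      accountRequested[item.userName + "|" + item.appName] = true;
    }
  });

  changeItems.forEach(function (item) {
    var key = item.userName + "|" + item.appName;
    var grantsPermission = item.changeRequestType === "ADD_PERMISSION_TO_USER";
    if (grantsPermission && !item.account && !accountRequested[key]) {
      // Insert the account creation before the first permission grant so the
      // fulfillment target processes them in a workable order.
      result.push({
        changeRequestType: "ADD_APPLICATION_TO_USER",
        userName: item.userName,
        appName: item.appName,
        reason: "ADD_APPLICATION_TO_USER create account for " + item.userName +
          " in " + item.appName + " (added before permission grant)"
      });
      accountRequested[key] = true;
    }
    result.push(item);   // original items are passed through unchanged
  });
  return result;
}

// Constructed sample changeset: Abby Spencer has no account and requests two
// permissions; Aaron Corry already has an account; a removal needs no account.
var SAMPLE_CHANGESET = [
  { changeItemId: 1, changeRequestType: "ADD_PERMISSION_TO_USER", userName: "Abby Spencer",
    appName: "Money Honey Financials", permName: "Marketing Portal" },
  { changeItemId: 2, changeRequestType: "ADD_PERMISSION_TO_USER", userName: "Abby Spencer",
    appName: "Money Honey Financials", permName: "Sales Portal" },
  { changeItemId: 3, changeRequestType: "ADD_PERMISSION_TO_USER", userName: "Aaron Corry",
    appName: "Money Honey Financials", permName: "Sales Portal",
    account: "CN=Aaron Corry,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com" },
  { changeItemId: 4, changeRequestType: "REMOVE_PERMISSION_ASSIGNMENT", userName: "Bob Jones",
    appName: "Money Honey Financials", permName: "Marketing Portal" }
];
```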

14.2.6 Configuring Multiple Fulfillment Targets for Applications

Identity Governance enables administrators to configure one or more applications to use multiple fulfillment targets. For example, you might have one system that processes all requests to add access and a different system that processes all requests to remove access. Using application settings, you can route add-access and modify-access changesets to one system and remove-access changesets to another.

To configure multiple fulfillment targets for one or more applications:

  1. Log in to Identity Governance as a Bootstrap, Customer, Global, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration and select the Application setup tab.

  3. To configure multiple fulfillment targets for a single application, click Edit next to the application for which you want to configure multiple fulfillment targets.

    or

    Select applications, then click Change fulfillment targets.

    NOTE:If you want to configure the same targets for all applications, select the check box in the column header.

  4. On the Application Setup window, click (+) to add one or more fulfillment targets to the application.

  5. Scroll to the new fulfillment target and configure it.

  6. Under the fulfillment target for which you want to process change requests, select Supported Change Requests, and select the types of change requests you want the target to process. You can use the same fulfillment target to process all requests, or you can use a different target for certain requests.

    NOTE:To assist the Fulfillment Administrator in making sure that the configured fulfillment targets handle all change request types, Identity Governance shows which change request types are configured next to each fulfillment target. If a target does not support any of the change request types, those unsupported types appear in red text.

  7. When you complete configuration, click Save.

14.2.7 Transforming Data from Fulfillment Targets

You can transform the incoming data from fulfillment targets to have Identity Governance display more meaningful information. For example, instead of displaying only the incident number from your fulfillment system, you could display additional text, such as “Incident number 123456 was created in ServiceNow” in Identity Governance.

The transforms are done through Nashorn-compatible JavaScript in the Fulfillment Response mapping section of the fulfillment target configuration. Within the JavaScript, the incoming value is available in a variable named inputValue. After manipulating the incoming value, return the result to Identity Governance by assigning it to a variable named outputValue.

The following example transforms the incoming value, a tracking number from the connected system, so that Identity Governance displays “Incident number 123456 created in ServiceNow”.

outputValue = 'Incident number ' + inputValue + ' created in ServiceNow'
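The following is an added example, not from the page, that generalizes the one-liner above: it accepts either a bare tracking number or a response object (the number field name is an assumption), keeps only a plain ticket identifier, and otherwise returns a fixed message, so an empty or unexpected service desk response never reaches the Identity Governance display as arbitrary text.

```javascript
// Added example, not from the page: a Nashorn-compatible response transform
// that generalizes the one-liner above. It accepts a bare tracking number or
// a response object (the "number" field name is an assumption), keeps only a
// plain ticket identifier, and otherwise returns a fixed message, so that an
// empty or unexpected service desk response never lands in the Identity
// Governance display as arbitrary text.
function transformIncidentResponse(inputValue) {
  var raw = inputValue;
  if (raw !== null && typeof raw === "object") {
    raw = raw.number;                       // assumed response field
  }
  var ticket = (raw === undefined || raw === null) ? "" : String(raw).trim();
  // ServiceNow-style numbers such as INC0012345: letters, digits and dashes only.
  if (!/^[A-Za-z0-9-]{1,64}$/.test(ticket)) {
    return "Incident created in ServiceNow, but no valid incident number was returned";
  }
  return "Incident number " + ticket + " created in ServiceNow";
}

// Wiring for the Fulfillment Response mapping: Identity Governance supplies
// inputValue and reads outputValue. The typeof guard lets the script also run
// stand-alone, where inputValue is not defined.
var outputValue = transformIncidentResponse(
  typeof inputValue === "undefined" ? null : inputValue);
```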

To change fulfillment target response mapping:

  1. Log in to Identity Governance as a Bootstrap, Customer, Global, or Fulfillment Administrator.

  2. Under Fulfillment > Configuration, select an existing fulfillment target or create a new one.

  3. Expand the Fulfillment Response mapping section and select the braces ({ }) next to the attribute you want to transform.

    NOTE:Two dots between the braces ({..}) indicate that a transform script exists for the attribute.

  4. Enter or edit the existing transform script in one of the following ways:

    • Select Edit and edit the script in the resulting popup window

    • Use the drop-down control to either create a new script or edit an existing script

    • Select Or upload as script file to upload a script file

  5. Save the fulfillment target.