14.1 Understanding the Fulfillment Process

Identity Governance collects information from a variety of identity and application data sources in your environment. It allows your organization to periodically review and verify that users have only the level of access that they need to do their jobs. The review process, requests for access, business role definition changes, and remediation of policy violations result in a list of changes, or changeset, that are then implemented. Identity Governance refers to the implementation process of a changeset as fulfillment.

14.1.1 Managing the Fulfillment Process

Fulfillment target configuration, application setup, and catalog update setup by the Customer, Global, or Fulfillment Administrator drives how requested changes are fulfilled. The changes can be fulfilled manually, by a help desk service, or sent to Identity Manager, which automatically makes the changes or initiates external workflows. For manual fulfillment processes, the Customer, Global, or Fulfillment administrator specifies individuals or groups as fulfillers responsible for making the requested changes. For example, your Help Desk group might be assigned to fulfill the changeset.

Fulfillment Administrators also monitor the fulfillment process, and reassign manual fulfillment items if needed. Identity Governance provides the following status conditions for fulfillment items:

  • Error or time out

  • Fulfilled

  • Pending fulfillment

  • Verified

  • Ignored

  • Retry

When the fulfiller confirms the fulfillment activities, Identity Governance updates the status of the fulfillment item. After the administrator collects and publishes application sources, Identity Governance again updates the status of these fulfillment items. Customer, Global, and Fulfillment Administrators and Auditors can access the Fulfillment Status page to view the status of all fulfillment items. For more information about fulfillment targets and fulfillment status, see Section 13.0, Setting up Fulfillment Targets and Fulfilling Changesets.

14.1.2 Understanding the Fulfiller Authorization

As part of the review, managers might change the permissions assigned to individuals in your organization. Access requests, business role definition changes, and user catalog changes can also generate change requests. Only Customer, Global, or Fulfillment Administrators can assign Fulfillers to complete fulfillment.

As a Fulfiller, you can:

  • Sort items by column (the available columns depend on the tab you are accessing)

  • Add a comment to a task individually

  • Add comment to tasks in a batch by selecting all or multiple tasks, or by filtering tasks by specifying search criteria and selecting all or multiple tasks in the filtered list

  • View the details of an item at the list level, including:

    • Where the change request originated

    • Potential SoD violations if any

    • Attribute value or supervisor changes

    • Reason for the request by clicking on the task link

  • Reassign your tasks to a different user

  • Make the changes to the user account in the affected application

  • Declare your tasks complete in Identity Governance