13.2 Configuring Fulfillment

Identity Governance provides three default options for fulfillment targets for provisioning the changeset items from a review: Identity Manager automated, Identity Manager workflow, and Manual (a user or group). You can also integrate and automate Identity Governance fulfillment with your service desk system by adding and configuring a connector to your service desk system in Identity Governance Fulfillment Configuration.

Identity Governance supports the following fulfillment connectors, which enable fulfillment through common methods and connected systems. Each template can be customized to connect to the associated data sources.

NOTE: Customization of templates might require additional knowledge of the connected systems, and all modifications are the responsibility of the customer. For further guidance, contact support or professional services. For information about configuring the provided templates, see Section 16.0, Understanding Variations in Collector and Fulfillment Target Configurations.

  • Active Directory LDAP

  • Azure AD MS Graph

  • BMC Remedy Incident

  • CSV

  • eDirectory LDAP

  • Generic HTTP

  • Identity Manager Dxcmd Fulfillment for Active Directory

  • IDM Entitlement

  • JDBC Generic DB

  • JDBC Oracle

  • JDBC PostgreSQL

  • JDBC SQL Server

  • MS Teams

  • REST Generic

  • REST Github

  • Salesforce

  • SCIM

  • ServiceNow Generic

  • ServiceNow Incident

  • ServiceNow Request

  • ServiceNow Task

  • SOAP Service

  • Workflow Service

For more information, see the following sections:

13.2.1 About Fulfillment Types

Identity Governance includes fulfillment type connectors for various service desk products so that you can integrate fulfillment with your incident management applications. When you connect to an application for fulfillment, you must configure the connector to map the data fields in the change item to the input fields of the application. In a typical service desk environment, all systems and applications that the service desk manages are entered as configuration management items.

Identity Governance exposes the following data fields from each changeset item to the fulfillment target connectors:

changeItemId

A long value containing the internal change item number

changeSetId (optional)

A long value containing the internal changeset number

changeRequestType

A string value containing one of the following values:

NOTE: Supported change request types can vary based on your fulfillment target.

  • ADD_USER_TO_ACCOUNT

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT_ASSIGNMENT

  • MODIFY_PERMISSION_ASSIGNMENT

  • MODIFY_ACCOUNT_ASSIGNMENT

  • REMOVE_ACCOUNT

  • ADD_PERMISSION_TO_USER

  • ADD_APPLICATION_TO_USER

  • REMOVE_APPLICATION_FROM_USER

  • ADD_TECH_ROLE_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • MODIFY_ACCOUNT

  • REMOVE_TECH_ROLE_ASSIGNMENT

  • REMOVE_BUS_ROLE_ASSIGNMENT

  • MODIFY_TECH_ROLE_ASSIGNMENT

fulfillmentInstructions (optional)

Instructions the reviewer and request approver provided for the fulfiller

flowdata

Data item mappings and definitions that are passed through from request workflow to fulfillment workflow

userName

Display name of the user that is the target of the change item

account (optional)

Identifier of the account

accountLogicalId (optional)

Logical system identifier of the account. This only applies to Identity Manager SAP User Management driver accounts.

accountProvId (optional)

The collected identifier that indicates the unique ID of the account

appName

Name of the application to which the permission being provisioned belongs

fulfillerName (optional)

Name of the fallback fulfillment user

reason

Generated description of the action being requested by the change item

requesterName

Display name of the reviewer who requested the change

permName

Name of the permission being provisioned

permProvAttr

Name of the target permission attribute being modified

permProvLogicalId (optional)

Logical system identifier of the permission being provisioned. This only applies to the Identity Manager SAP User Management driver permissions.

permProvId (optional)

The collected unique provisioning identifier of the permission

reviewReasonId (optional)

The internal long value for the reason

reviewReason (optional)

The reason text

userProfile (optional)

Attribute to provide context to the fulfiller on the recipient of the fulfillment item

requesterProfile (optional)

Attribute to provide context to the fulfiller on the requester of the fulfillment item

accountProfile (optional)

Attribute to provide context to the fulfiller on the account if the fulfillment item is an account

permissionProfile (optional)

Attribute to provide context to the fulfiller on the permission if the fulfillment item is a permission

The following shows a sample change item payload:

{
    "accountProvId": "d2a293ff-71c5-492f-9415-e08830b635b2",
    "changeItemId": 8300,
    "changeRequestType": "REMOVE_PERMISSION_ASSIGNMENT",
    "userName": "Abby Spencer",
    "accountName": "aspencer",
    "account": "CN=Abby Spencer,OU=Users,OU=MyServer,DC=mydc,DC=mycompany,DC=com",
    "appName": "Money Honey Financials",
    "reason": "REMOVE_PERMISSION_ASSIGNMENT remove permission Marketing Portal requested by Aaron Corry while certifying Money Honey Financials",
    "requesterName": "Andrew Astin",
    "permName": "Marketing Portal",
    "permProvAttr": "member",
    "permProvId": "e07db779-5c30-44d2-bc0c-6dfa30cfa6af"
}

Fulfillment types use preconfigured templates that map the Identity Governance change item data and application-specific static values into various attributes in the SOAP XML payload. The WSDL from your service catalog request management application indicates any value constraints for input fields. The fulfillment target service can populate all valid fields in the service desk interface, so if you want to extend the set of fields that the Identity Governance template populates or modify the default mappings of the template, contact your NetIQ technical support representative for details.

The service parameters and other fulfillment target configuration fields vary depending on the fulfillment type selected for a fulfillment target. Identity Governance provides default values for many of the fields, but you can customize the field values.

For example, the “BMC Remedy Incident” fulfillment type uses the Helpdesk_Submit_Service method of the HPD_IncidentInterface_Create SOAP service to create incidents in the Remedy application, reached through a URL such as http://your-service-host/arsys/WSDL/public/your_server/HPD_IncidentInterface_Create_WS. In addition, the Fulfillment Item configuration mapping displays the fields listed in the table below.

BMC Remedy Incident Field    Identity Governance Mapping
Service_Type                 “User Service Request” (required)
Reported_Source              “Direct Input” (required)
Status                       “New” (required)
Action                       “CREATE” (required)
Urgency                      “3-Medium” (required)
Impact                       “3-Moderate/Limited” (required)
First_Name                   (required)
Last_Name                    (required)
Notes                        reason, appName, userName, account (ECMAScript transformation provided)
Summary                      changeRequestType
HPD_CI_ReconID

Mapping Identity Governance change item data to target application data fields is similar to configuring data source collectors. This includes support for static value mapping and per-field data transformation. Regardless of the fulfillment type you select, you must place quotes around the static values used for fulfillment type configuration.

Since the implementation of any particular service desk application varies widely for each customer, it may be useful to manually create sample incidents using the application user interfaces to validate the desired inputs for each fulfillment target.

13.2.2 Configuring System Fulfillment Targets

Identity Governance provides three default fulfillment targets: Identity Manager automated, Identity Manager workflow, and manual fulfillment targets. For these fulfillment targets, Identity Governance evaluates and fulfills the change items without the need for extensive configuration. When you are specifying one of the default methods of fulfillment, do the following:

Manual

Specify an individual or group of individuals to serve as the fulfiller. For more information about manual fulfillment, see Section 13.6.1, Manually Fulfilling the Changeset.

For information about customizing emails to fulfillers, see Section 4.4, Customizing Email Notification Templates.

Identity Manager Workflow

Applies only when you integrate Identity Governance with Identity Manager.

Specify the name of a workflow that already exists in Identity Manager. The Identity Manager workflow must have inputs for the following fields:

  • String: changesetId

  • String: appId

To connect to the external provisioning system from Identity Governance, click Configuration > Identity Manager System Connection. For example:

URL: http://$test:8543/IDMProv
User ID: globaladmin
Password: adminpassword

For more information about the workflow process, see Section 13.6.2, Using Workflows to Fulfill the Changeset.

Identity Manager Automated

Applies only when you integrate Identity Governance with Identity Manager.

Specify whether you want to use automated provisioning with manual fulfillment or a workflow as the fallback method, then specify the values associated with the fallback method. For more information, see Section 13.6.3, Automatically Fulfilling the Changeset.

13.2.3 Understanding Service Desk and Other Fulfillment Targets

In addition to the default fulfillment targets, Identity Governance provides service desk and other fulfillment target templates that enable you to use other fulfillment methods for various systems. When you create a service desk or other fulfillment target in Identity Governance, you provide the connection information and credentials for the target system, as well as a default configuration specifying the fields you want Identity Governance to populate in your incidents. After you assign a fulfillment target to an application, you can customize that default configuration to map the application configuration item, assignment group, severity, and other fields appropriately for that specific application.

To learn how to configure service desk and other fulfillment targets, see Section 13.2.4, Configuring Service Desk and Other Fulfillment Targets. For variations regarding specific systems, see Section 16.0, Understanding Variations in Collector and Fulfillment Target Configurations.

About Azure AD MS Graph Fulfillment

Identity Governance uses the Azure AD MS Graph fulfiller to automatically assign or remove permissions from user accounts and to add or remove members of Microsoft 365 and Security groups. Identity Governance does not support adding or removing members of Distribution List and Mail-enabled Security groups, because the Microsoft Graph group APIs cannot manage mail-enabled and distribution groups.

The template supports the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

  • REMOVE_APPLICATION_FROM_USER

  • REMOVE_ACCOUNT_ASSIGNMENT

The Azure AD MS Graph fulfiller has default mappings for some mandatory attributes, which the Azure application requires in order to create an account. For fulfillment to succeed, you must add these mandatory attributes to the Fulfillment Context attribute. The following table lists them.

Fulfillment Context Attributes    Attributes
Recipient                         User ID from Source, Last Name, First Name, Full Name, Email, Employee Status
Account                           Account ID from Source, Account Disabled
Permission                        Permission Type, Permission ID from Source

NOTE: We recommend that when adding users to the Azure application, you provide a unique mailNickName for each user. This prevents the error that can occur when you add users who have the same first and last name. The ECMA script includes logic for creating the unique mailNickName, but you can customize it to suit your requirements.

In addition to this list of attributes, you can configure other attributes in the collector template, such as department, title, job codes, or workforce ID, to match the requirements of your application. However, you must add them to the Fulfillment Context attribute, and when configuring the fulfiller you must also go to Fulfillment item configuration and mapping, click {..}, and edit the transform script for User Profile.

In the transform script, add the native application attribute name as a key on outUserProfile and assign it the corresponding fulfillment context attribute from inUserProfile. For example, for the attribute Workforce ID, edit the transform script to:

if(inUserProfile.workforceId) outUserProfile["employeeId"] = inUserProfile.workforceId

NOTE: If you want to specify Workforce ID as the attribute for matching identities to accounts and permissions, then while configuring the collector template you must map Workforce ID to the native ID value, for example, employeeId, and set it as the matching rule.
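The following is an added example of a User Profile transform of the kind described above; it is not the product's own template script. It copies fulfillment context attributes from inUserProfile onto outUserProfile under the Microsoft Graph user property names and derives a mailNickname that stays unique across the users in one run, as the NOTE recommends. The key names on inUserProfile (firstName, lastName, fullName, email, workforceId, employeeStatus), the "Active" status convention, and the nickname character rules are assumptions.

```javascript
// Added example (not the product's template script). Plain ES5 so that it runs under
// Nashorn as well as Node. All inUserProfile key names below are assumed.

// Keep only characters that are safe in a mailNickname (assumed rule: lowercase
// letters, digits, dot, underscore, hyphen) and cap the length conservatively.
function sanitizeNickname(s) {
  return String(s).toLowerCase().replace(/[^a-z0-9._-]/g, '').substring(0, 64);
}

// Build "first.last"; if that value was already handed out in this run (tracked in
// usedNicknames), append an increasing numeric suffix until it is unique.
function uniqueMailNickname(first, last, usedNicknames) {
  var base = sanitizeNickname((first || '') + '.' + (last || '')).replace(/^\.|\.$/g, '');
  if (!base) base = 'user';
  var candidate = base;
  var n = 1;
  while (usedNicknames[candidate]) {
    n += 1;
    candidate = base + n;
  }
  usedNicknames[candidate] = true;
  return candidate;
}

// The transform proper: returns outUserProfile for one inUserProfile. Every source
// attribute is optional, so each mapping is guarded and a missing value is left unset
// rather than written as "undefined". Target keys are Microsoft Graph user properties.
function transformUserProfile(inUserProfile, usedNicknames) {
  var outUserProfile = {};
  if (inUserProfile.firstName) outUserProfile['givenName'] = inUserProfile.firstName;
  if (inUserProfile.lastName) outUserProfile['surname'] = inUserProfile.lastName;
  if (inUserProfile.fullName) outUserProfile['displayName'] = inUserProfile.fullName;
  if (inUserProfile.email) outUserProfile['mail'] = inUserProfile.email;
  if (inUserProfile.workforceId) outUserProfile['employeeId'] = inUserProfile.workforceId;
  // Employee Status drives accountEnabled (assumed convention: "Active" means enabled).
  if (inUserProfile.employeeStatus) {
    outUserProfile['accountEnabled'] = inUserProfile.employeeStatus === 'Active';
  }
  outUserProfile['mailNickname'] = uniqueMailNickname(
    inUserProfile.firstName, inUserProfile.lastName, usedNicknames);
  return outUserProfile;
}

// Constructed sample input: two users who share a first and last name, which is the
// collision the NOTE above warns about.
var SAMPLE_PROFILES = [
  { firstName: 'Abby', lastName: 'Spencer', fullName: 'Abby Spencer',
    email: 'aspencer@example.com', workforceId: '10042', employeeStatus: 'Active' },
  { firstName: 'Abby', lastName: 'Spencer', fullName: 'Abby Spencer',
    email: 'abby.spencer2@example.com', workforceId: '10077', employeeStatus: 'Inactive' }
];

// Transform a batch of profiles, sharing one nickname registry across the batch.
function transformAll(profiles) {
  var used = {};
  var out = [];
  for (var i = 0; i < profiles.length; i++) {
    out.push(transformUserProfile(profiles[i], used));
  }
  return out;
}
```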

Identity Governance also uses the Azure AD MS Graph fulfiller to provision and deprovision users as a group on a SharePoint Team site. The following change requests are supported:

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

About Microsoft Teams Fulfillment

If you have the appropriate permissions in Azure Active Directory, you can fulfill the following change requests:

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

You can add or remove a member only from a private channel. Before adding a member to a channel, make sure the member is already part of the team. When you add a user to a team, the Microsoft Teams fulfiller automatically adds the user as a member of all standard channels under the team.

NOTE: To avoid unexpected behavior from the application, we recommend that you do not add a team member and a channel member in the same request.

You can assign the user the role of owner. To do so, customize the request form, add ‘owner’ as a Data Source Value and ‘roles’ as the Label, and publish the form. This lets you select the role ‘owner’ when you request permission for the user. To learn how to customize forms using Form Builder, see Creating a Request or Approval Form. Additionally, while configuring Fulfillment item configuration and mapping in the template, you must add "flowdata" for the attribute Permission Profile. For example, add ["flowdata", "permissionProfile"].

NOTE: To assign a user as an owner, you have to create custom forms for each team and channel separately.

For the fulfillment to process successfully, you must add the following attributes to the fulfillment context attribute:

Fulfillment Context Attributes    Attributes
Recipient                         User ID from Source, Full Name, Employee Status, Last Name, First Name, Email
Account                           Account ID from Source, Account Disabled
Permission                        Permission Type, Permission ID from Source, Permission Name

13.2.4 Configuring Service Desk and Other Fulfillment Targets

In addition to the system targets, Identity Governance provides default templates for various systems that authorized administrators can configure as their fulfiller. For example, you can integrate and automate Identity Governance fulfillment with your service desk system by configuring a connector to your service desk system in Identity Governance Fulfillment Configuration.

To configure service desk and other fulfillment targets:

  1. Log in to Identity Governance as a Bootstrap, Customer, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration.

  3. To add a fulfillment target, select +. Ensure that you understand your connectors and special requirements if any before configuring your systems. For information about specific fulfillment targets, see Section 13.2.3, Understanding Service Desk and Other Fulfillment Targets.

  4. Complete the required fields.

    1. Configure service parameters to connect Identity Governance to your fulfillment service. If applicable, enable Cloud Bridge connection when fulfilling Identity Governance as a Service requests using on-premises fulfillment services. Note that if you make changes to these parameters, Identity Governance will prompt you to re-enter the password.

    2. Configure the fulfillment item and map attributes. Click the search icon to select or edit the data fields included for a parameter. For example, select Fulfillment Instructions so that instructions from reviewers and approvers are passed through to fulfillers. Select Flow Data so that custom request and approval form information is received by fulfillment systems. In addition, if required, click {...}, then edit the transform script or upload a script to map attributes. For examples, see Section 13.2.3, Understanding Service Desk and Other Fulfillment Targets.

      NOTE: When viewing the list of mapped attributes for a field, you might see some items that are not available to select and are marked with a strike-through line across the text. You must enable these attributes in Configuration > Context Fulfillment Attributes before you can select them here.

  5. (Conditional) If you want to modify a fulfillment target, click its name in the Name column, and then make necessary changes.

    NOTE: Optionally, Customer or Data administrators can download the fulfillment target templates, edit them, and upload them to Identity Governance before fulfillment administrators configure the service parameters and mappings in the application itself. For more information, see Section 13.4, Customizing Fulfillment Target Templates.

  6. Make any additional updates for the selected fulfillment target, such as fulfillment response mapping and specifying change request types, then click the Save icon.

  7. Select the Application Setup tab, and configure application fulfillment settings.

    1. To modify changesets for a specific application prior to fulfillment, see Section 13.2.6, Modifying Changesets Before Fulfillment.

    2. To configure multiple targets for your applications, see Section 13.2.7, Configuring Multiple Fulfillment Targets for Applications.

  8. Select the Catalog update setup tab and select the fulfillment target for each type of catalog update request initiator you have in place.

13.2.5 Upgrading Fulfillment Targets

Authorized administrators can upgrade fulfillment targets. When you import an old template, Identity Governance enables you to preserve your configurations and scripts and upgrade the fulfiller template to the latest version. When upgrading, you can compare the parameters of the two versions and make changes as needed. If you decide to use Cloud Bridge for data transfer, you must first create a data center or import the data center JSON file, then configure a data source connection. You can restore the previous template if needed.

To upgrade the fulfillment template:

  1. Under Fulfillment, select Configuration.

  2. Click Import a fulfillment target. If you import a fulfillment target that was created with an older version of the template, click the imported fulfillment target and expand the view.

  3. (Conditional) If you have upgraded Identity Governance, but have an older version of the fulfillment target, then select the existing target and expand the view.

  4. Make necessary changes and save.

  5. Click the fulfillment target from the Fulfillment Configuration page.

  6. Click Upgrade.

    1. Compare configurations and make changes as needed.

    2. Click Upgrade.

  7. (Optional) Restore to Template Version number if you want to revert to the older template.

Identity Governance continues to display the restore link until you dismiss the option.

13.2.6 Modifying Changesets Before Fulfillment

Changesets are automatically generated based on activities such as access requests, reviews, and role changes. Identity Governance enables administrators to modify the generated changeset using JavaScript. For example, when a user who has no account requests permissions, you can modify the generated changeset to create an account for the user.

To modify changesets:

  1. Log in to Identity Governance as a Bootstrap, Customer, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration and select the Application setup tab.

  3. Click Edit next to the application whose changesets you want to modify.

  4. Click + to create a script to modify changesets.

  5. Type the name and description.

  6. Use the sample JavaScript script to analyze the changeset and modify the script, or import a script from a file.

  7. Click the Save icon and close the script window.

  8. Publish the script.

  9. Compare differences and edit the script if needed, then publish again.

  10. Repeat the above steps to add more scripts.

  11. Change the script execution order as needed.
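The following added example illustrates the logic of the account-creation case described above; it is not the product's sample script, and the product's script entry point and changeset object model are not shown on this page, so it is written as a plain function over an array of change items shaped like the sample payload earlier in this section. The accountExistsFor lookup and its backing table are constructed stand-ins for the governance catalog.

```javascript
// Added example (not the product's sample changeset script). Plain ES5 for Nashorn
// compatibility. The catalog lookup below is a constructed stand-in.

// Constructed stand-in for the governance catalog: which users already hold an
// account in which application.
var KNOWN_ACCOUNTS = {
  'Money Honey Financials': { 'Abby Spencer': 'aspencer' }
};

function accountExistsFor(appName, userName) {
  var app = KNOWN_ACCOUNTS[appName];
  return !!(app && app[userName]);
}

// Return a new changeset: the original items in their original order, with one
// ADD_USER_TO_ACCOUNT item inserted immediately before the first permission grant for
// each (application, user) pair that has no account, so the account exists before the
// permission is provisioned. Only ADD_PERMISSION_TO_USER is treated as a grant here,
// and new items get ids above the highest id already present in the changeset.
function addMissingAccounts(changeset) {
  var result = [];
  var nextId = 0;
  for (var i = 0; i < changeset.length; i++) {
    if (changeset[i].changeItemId > nextId) nextId = changeset[i].changeItemId;
  }
  var inserted = {};  // "app|user" -> true once an account item was added for the pair
  for (var j = 0; j < changeset.length; j++) {
    var item = changeset[j];
    var key = item.appName + '|' + item.userName;
    if (item.changeRequestType === 'ADD_PERMISSION_TO_USER' &&
        !item.account &&                                  // item carries no account id
        !accountExistsFor(item.appName, item.userName) && // and catalog has none
        !inserted[key]) {                                 // and we have not added one yet
      nextId += 1;
      result.push({
        changeItemId: nextId,
        changeRequestType: 'ADD_USER_TO_ACCOUNT',
        userName: item.userName,
        appName: item.appName,
        requesterName: item.requesterName,
        reason: 'ADD_USER_TO_ACCOUNT create account for ' + item.userName +
                ' in ' + item.appName + ' (inserted by changeset script)'
      });
      inserted[key] = true;
    }
    result.push(item);
  }
  return result;
}

// Constructed sample changeset: Abby already has an account; Bob does not and is
// requesting two permissions, which should yield exactly one account item.
var SAMPLE_CHANGESET = [
  { changeItemId: 8300, changeRequestType: 'ADD_PERMISSION_TO_USER',
    userName: 'Abby Spencer', account: 'CN=Abby Spencer,OU=Users,DC=mycompany,DC=com',
    appName: 'Money Honey Financials', permName: 'Marketing Portal',
    requesterName: 'Andrew Astin' },
  { changeItemId: 8301, changeRequestType: 'ADD_PERMISSION_TO_USER',
    userName: 'Bob Jones', appName: 'Money Honey Financials',
    permName: 'Marketing Portal', requesterName: 'Andrew Astin' },
  { changeItemId: 8302, changeRequestType: 'ADD_PERMISSION_TO_USER',
    userName: 'Bob Jones', appName: 'Money Honey Financials',
    permName: 'Finance Portal', requesterName: 'Andrew Astin' }
];
```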

13.2.7 Configuring Multiple Fulfillment Targets for Applications

Identity Governance enables administrators to configure one or more applications to use multiple fulfillment targets. For example, you might have one system that processes all requests to add access and a different system that processes all requests to remove access. Using application settings, you can add and modify access changesets to be processed by one system and remove access changesets to another.

To configure multiple fulfillment targets for one or more applications:

  1. Log in to Identity Governance as a Bootstrap, Customer, or Fulfillment Administrator.

  2. Select Fulfillment > Configuration and select the Application setup tab.

  3. To configure multiple fulfillment targets for a single application, click Edit next to the application for which you want to configure multiple fulfillment targets.

    or

    Select applications, then click Change fulfillment targets.

    NOTE:If you want to configure the same targets for all applications, select the check box in the column header.

  4. On the Application Setup window, click (+) to add one or more fulfillment targets to the application.

  5. Scroll to, and configure the new fulfillment target.

  6. Under the fulfillment target for which you want to process change requests, select Supported Change Requests, and select the types of change requests you want the target to process. You can use the same fulfillment target to process all requests, or you can use a different target for certain requests.

    NOTE:To assist the Fulfillment Administrator in making sure that the configured fulfillment targets handle all change request types, Identity Governance shows which change request types are configured next to each fulfillment target. If a target does not support any of the change request types, those unsupported types appear in red text.

  7. When you complete configuration, click Save.

13.2.8 Transforming Data from Fulfillment Targets

You can transform the incoming data from fulfillment targets to have Identity Governance display more meaningful information. For example, instead of displaying only the incident number from your fulfillment system, you could display additional text, such as “Incident number 123456 was created in ServiceNow” in Identity Governance.

The transforms are written in Nashorn-compatible JavaScript in the Fulfillment Response mapping section of the fulfillment target configuration. Within the script, the incoming value is available in the variable inputValue. After manipulating the incoming value, you return the result to Identity Governance by assigning it to the variable outputValue.

The following example transforms the incoming value, which is a tracking number from the connected system, into “Incident number 123456 created in ServiceNow” in the Identity Governance display.

outputValue = 'Incident number ' + inputValue + ' created in ServiceNow'

To change fulfillment target response mapping:

  1. Log in to Identity Governance as a Bootstrap, Customer, or Fulfillment Administrator.

  2. Under Fulfillment > Configuration, select an existing fulfillment target or create a new one.

  3. Expand the Fulfillment Response mapping section and select the braces ({ }) next to the attribute you want to transform.

    NOTE: Two dots between the braces ({..}) denote that a transform script exists for an attribute.

  4. Enter or edit the existing transform script in one of the following ways:

    • Select Edit and edit the script in the resulting popup window

    • Use the drop-down control to either create a new script or edit an existing script

    • Select Or upload as script file to upload a script file

  5. Save the fulfillment target.