14.6 Fulfilling Changesets

An application owner can configure the application source to require manual or automated fulfillment. When Identity Governance generates a changeset for fulfillment, Identity Governance determines which applications have change items. Depending on the specified fulfillment type for the application, Identity Governance performs one of the following actions:

Fulfillment administrators can configure the fulfillment target for an application, including configuring multiple fulfillment targets for an application based on change request types. For more information, see Section 14.2, Configuring Fulfillment.

14.6.1 Manually Fulfilling the Changeset

During the fulfillment stage of the review instance, Identity Governance creates a task for each review item that must be changed. The assigned fulfillers complete the requested changes in a domain-specific manner, based on the actual permission. The process of fulfilling the changes might occur over the span of many days, and you might need to remove many permissions. To complete the process in a timely manner, a Customer, Global, or Data Administrator can specify a group of users to serve as the Fulfiller. Users in the specified group can work concurrently to fulfill the changes.

Identity Governance provides change items, either through a completed review or an SoD case review. The following are some examples of the change items:

  • Remove user from account (user access review), fulfilled by either removing the user from the account or removing the account

  • Modify user access with fulfillment instructions, fulfilled by following the reviewer’s instructions

  • Remove account (unmapped and mapped account review), fulfilled by removing the account

  • Remove permission assignment (user access review or SoD case), fulfilled by removing the permission assignment to the user

  • Assign user (unmapped and mapped account review), fulfilled by assigning user to account

  • Modify account with fulfillment instructions, fulfilled by following the reviewer’s instructions

    NOTE: Modify user access and modify account changesets might require a reason, and a user selection might also be required. For more information, see Configuring Reasons for Review Actions. For more information about specific change request types and fulfillment status, see Configuring Fulfillment.

Identity Governance sends emails to the fulfillers to remind them that they have a manual fulfillment task. The email provides a link to the task. Administrators can customize the message in this reminder. For more information about customizing, see Section 3.4, Customizing Email Notification Templates.

For more information about performing fulfillment tasks, see Section 15.0, Instructions for Fulfillers.

14.6.2 Using Workflows to Fulfill the Changeset

If you integrate Identity Governance with Identity Manager, you can use a custom workflow to remove the permissions. You create the workflow in the identity applications. In Identity Manager, you specify global configuration values (GCVs) to store the connection parameters between the workflow and Identity Governance. The workflow also must have inputs specified in the following fields:

  • String: changesetId

  • String: appId

Identity Governance sends the changesetId and appId to the workflow to process the fulfillment tasks for the review’s changeset. The workflow parses the information in the changeset and completes the tasks. When the workflow finishes, Identity Manager informs Identity Governance, which then changes the status of the changes to complete.

For more information, see Configuring and Managing Provisioning Workflows in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

To jump-start your progress, use the included sample workflow as a starting point for creating your custom workflow to process the change request. Note that there is also a companion download that defines the Global Config Values (GCVs) used by the workflow to configure the Identity Governance connection details.

To access the sample workflow:

  1. Go to Fulfillment > Configuration > Fulfillment Targets > Identity Manager workflow (system).

  2. In the Fulfillment Samples section, download a sample workflow.

  3. Import the sample workflow into Identity Manager Designer and deploy to Identity Manager Roles Based Provisioning Module (RBPM).

  4. Update the sample workflow with the specific details of your environment, including the To do for Customer section of the workflow.

14.6.3 Automatically Fulfilling the Changeset

You can assign automated provisioning to any application source that derives from Identity Manager. After you complete a review, Identity Governance sends the requested changes to the Identity Manager Identity Vault. The permission type determines whether Identity Manager can automatically provision the requested change. In the identity applications for Identity Manager, you specify whether a permission is a resource or a role. Identity Manager can automatically deprovision all resources because they are explicitly set for the user. Similarly, a role can be deprovisioned if it is explicitly set, for example when the user has an nrfAssignedRole attribute pointing to that role. However, Identity Manager cannot deprovision roles that a user receives indirectly, for example when the user is a member of a container or group to which the role has been assigned.

NOTE: Identity Manager automated provisioning relies on the Provisioning ID value for an identity being a valid distinguished name in the Identity Manager system. When using multiple identity sources that are merged, be sure you set the Identity Manager identity source as the authoritative source for the Provisioning ID attribute in your identity merging rules.

If deprovisioning can be done automatically, Identity Manager propagates those updates to the connected systems. For those roles that cannot be deprovisioned automatically, the fulfillment process includes a fallback method: you can specify whether Identity Governance reverts to manual fulfillment or uses an Identity Manager workflow.
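As an added illustration that is not Identity Governance or Identity Manager code, the following Python models the decision described in this section together with the changesetId and appId inputs from Section 14.6.2: each change item in a changeset is either deprovisioned automatically (resources, and roles listed in nrfAssignedRole) or routed to the configured fallback (manual or workflow), and an identity whose Provisioning ID is not a distinguished name always falls back. The changeset layout, the identity records and the DN shape check are constructed assumptions.

```python
import re
# Simplistic DN shape check (an assumption): "attr=value" parts separated by commas.
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")

def valid_provisioning_id(pid: str) -> bool:
    """Automated provisioning needs the Provisioning ID to be a distinguished name."""
    return bool(pid) and DN_RE.match(pid) is not None

def can_auto_deprovision(item: dict, identity: dict) -> bool:
    """Resources are always explicit; roles only when listed in nrfAssignedRole
    (directly assigned), not when inherited through a group or container."""
    if item["type"] != "remove_permission":
        return False  # e.g. modify with fulfillment instructions needs a fulfiller
    perm = item["permission"]
    if perm["kind"] == "resource":
        return True
    return perm["kind"] == "role" and perm["dn"] in identity.get("nrfAssignedRole", [])

def plan_fulfillment(changeset: dict, identities: dict, fallback: str) -> dict:
    """Map each change item id to "automatic" or the configured fallback
    ("manual" or "workflow"); a non-DN Provisioning ID always falls back."""
    plan = {}
    for item in changeset["items"]:
        identity = identities.get(item["userId"], {})
        usable = valid_provisioning_id(identity.get("provisioningId", ""))
        auto = usable and can_auto_deprovision(item, identity)
        plan[item["id"]] = "automatic" if auto else fallback
    return plan

# Constructed sample data, invented for this example (not from any real system).
SAMPLE_IDENTITIES = {
    "u1": {"provisioningId": "cn=alice,ou=users,o=data",
           "nrfAssignedRole": ["cn=Auditor,cn=RoleDefs,o=system"]},
    # Merged from a non-Identity Manager source, so the Provisioning ID is not a DN.
    "u2": {"provisioningId": "bob@example.com", "nrfAssignedRole": []},
}
SAMPLE_CHANGESET = {
    "changesetId": "cs-0001", "appId": "app-idm",
    "items": [
        {"id": "c1", "type": "remove_permission", "userId": "u1",
         "permission": {"kind": "resource", "dn": "cn=VPN,cn=ResourceDefs,o=system"}},
        {"id": "c2", "type": "remove_permission", "userId": "u1",
         "permission": {"kind": "role", "dn": "cn=Auditor,cn=RoleDefs,o=system"}},
        {"id": "c3", "type": "remove_permission", "userId": "u1",  # role held via a group
         "permission": {"kind": "role", "dn": "cn=Finance,cn=RoleDefs,o=system"}},
        {"id": "c4", "type": "modify_account", "userId": "u1", "instructions": "cut quota"},
        {"id": "c5", "type": "remove_permission", "userId": "u2",
         "permission": {"kind": "resource", "dn": "cn=VPN,cn=ResourceDefs,o=system"}},
    ],
}
```

Running `plan_fulfillment(SAMPLE_CHANGESET, SAMPLE_IDENTITIES, "manual")` marks c1 and c2 automatic and sends c3 (inherited role), c4 (instructions) and c5 (non-DN Provisioning ID) to manual fulfillment.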