Introduction:

Provisioning is the act of taking a person's account information and entitlements from IDM, creating that person's profile in the target systems and assigning the corresponding permissions. Following successful approval of a request, the fulfillment process runs to complete it, either automatically (through a connector) or manually (through a fulfiller).

Provisioning Use Case:

Manual Fulfillment

Use Case

Manual Fulfillment

Brief Description

Provisioning is the process of taking a person's account information to create the person's profile in a target system, and taking the person's entitlements to set the corresponding permissions there. It includes the creation and modification of accounts and permissions in the target system.

Actors

  • IDM

  • Requester
  • Approver
  • Fulfiller
  • Target System

Trigger Events

  • A request submitted for a disconnected system has been approved and routed to the fulfiller

Preconditions

  • Catalog item is not already provisioned to the User

Post-Conditions

Success

  • Desired catalog item gets provisioned to the user and corresponding entitlement/account created in the target system
  • Task status changed to 'Completed'
  • Notification is sent to the beneficiary and requester

Fail

  • The desired catalog item is not provisioned to the user and the corresponding entitlement/account is not created in the target system
Basic Flow

The basic flow for provisioning to a disconnected target system (manual fulfillment) is shown in the activity diagram below:

  • The requester opens the create request link, builds the request and submits it for approval
  • The approver approves the request
  • The fulfiller receives the request for manual provisioning
  • The fulfiller claims the request and completes the manual fulfillment
  • The requested access is provisioned in the target system

Automated Fulfillment

Use Case

Automated Fulfillment

Brief Description

Provisioning is the process of taking a person's account information to create the person's profile in a target system, and taking the person's entitlements to set the corresponding permissions there. It includes the creation and modification of accounts and permissions in the target system.

Actors

  • IDM

  • Requester
  • Approver
  • Fulfiller
  • Target System

Trigger Events

  • A request submitted for a connected system has been approved and routed to the connector for automated fulfillment

Preconditions

  • Catalog item is not already provisioned to the User

Post-Conditions

Success

  • Desired catalog item gets provisioned to the user and corresponding entitlement/account created in the target system
  • Task status changed to 'Completed'
  • Notification is sent to the beneficiary and requester

Fail

  • The desired catalog item is not provisioned to the user and the corresponding entitlement/account is not created in the target system
Basic Flow

The basic flow for provisioning to a connected target system (automated fulfillment) is shown in the activity diagram below:

  • The requester opens the create request link, builds the request and submits it for approval
  • The approver approves the request
  • The OIM connector reads the target's connection details from its IT Resource
  • The OIM connector provisions the requested access in the target system automatically
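The following is an added example, not code from this page or from Oracle Identity Manager. It models the request lifecycle of the two flows above (manual fulfillment for a disconnected system, connector fulfillment for a connected one) in memory, enforcing the precondition that the catalog item is not already provisioned, completing the task and notifying beneficiary and requester. The names TargetSystem, Request, submit(), approve() and claim_and_fulfill() are assumptions made for this illustration; the separation-of-duties check in approve() is an added control that the page itself does not state.

```python
# Added example, not code from the original page or from Oracle Identity Manager:
# a minimal in-memory model of the request lifecycle above. Names such as
# TargetSystem, Request, submit(), approve() and claim_and_fulfill() are
# assumptions made for this illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple
import itertools


class Status(Enum):
    SUBMITTED = "Submitted"
    REJECTED = "Rejected"
    PENDING_FULFILLMENT = "Pending Fulfillment"
    COMPLETED = "Completed"
    FAILED = "Failed"


_request_ids = itertools.count(1000)   # stand-in for the request ID IDM generates


@dataclass
class TargetSystem:
    name: str
    connected: bool            # True: an OIM-style connector provisions it; False: manual fulfiller
    accounts: Dict[str, Set[str]] = field(default_factory=dict)   # user -> provisioned items

    def has(self, user: str, item: str) -> bool:
        return item in self.accounts.get(user, set())

    def provision(self, user: str, item: str) -> None:
        # A real connector would call the target here; this just records the grant.
        self.accounts.setdefault(user, set()).add(item)


@dataclass
class Request:
    requester: str
    beneficiary: str
    target: TargetSystem
    item: str
    request_id: int = field(default_factory=lambda: next(_request_ids))
    status: Status = Status.SUBMITTED
    claimed_by: Optional[str] = None
    notifications: List[Tuple[str, str]] = field(default_factory=list)


def submit(requester: str, beneficiary: str, target: TargetSystem, item: str) -> Request:
    # Precondition from the use case: the catalog item must not already be provisioned.
    if target.has(beneficiary, item):
        raise ValueError(f"{item} is already provisioned to {beneficiary} on {target.name}")
    return Request(requester, beneficiary, target, item)


def approve(req: Request, approver: str, approved: bool = True) -> Request:
    # Separation of duties (an added control, not stated on the page): a requester
    # must never approve their own request.
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own request")
    if req.status is not Status.SUBMITTED:
        raise RuntimeError(f"request {req.request_id} is not awaiting approval")
    if not approved:
        req.status = Status.REJECTED
        return req
    req.status = Status.PENDING_FULFILLMENT
    if req.target.connected:
        # Connected system: no fulfiller task, the connector provisions immediately.
        _fulfill(req, fulfilled_by="connector")
    return req


def claim_and_fulfill(req: Request, fulfiller: str) -> Request:
    # Disconnected system: a fulfiller claims the task, then completes it by hand.
    if req.target.connected:
        raise RuntimeError("connected targets are fulfilled by the connector, not a fulfiller")
    if req.status is not Status.PENDING_FULFILLMENT:
        raise RuntimeError(f"request {req.request_id} is not awaiting fulfillment")
    req.claimed_by = fulfiller
    _fulfill(req, fulfilled_by=fulfiller)
    return req


def _fulfill(req: Request, fulfilled_by: str) -> None:
    try:
        req.target.provision(req.beneficiary, req.item)
    except Exception:          # target unreachable, grant rejected by the target, etc.
        req.status = Status.FAILED
        return
    req.status = Status.COMPLETED
    # Notify beneficiary and requester (once each, even when they are the same person).
    for who in dict.fromkeys([req.beneficiary, req.requester]):
        req.notifications.append((who, f"Request {req.request_id} completed by {fulfilled_by}"))
```

The same submit() and approve() serve both flows; only the fulfillment step differs, which is where a real deployment plugs in either a human task queue or the connector. Keeping the precondition check in submit() rather than in the fulfiller's hands is what stops duplicate grants from being created by a second, overlapping request.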


New user provisioning - Company DS

Use Case

New user provisioning - Company DS

Brief Description

IDM assigns roles to the user identity and provisions core target-system accounts based on the user's organization and the Computer Access Flag on the HRMS record.

Actors

  • IDM

  • HRMS
  • Company DS

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process
  • Core-Connected systems are set up and integrated with OIM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified
Basic Flow

The process is as follows:

  • A new user is created in IDM from the HRMS record
  • IDM assigns roles to the user identity and provisions core target-system accounts
  • IDM triggers provisioning in the core-connected systems

IDM then performs the following provisioning, manually or automatically:

  • Company DS (Active Directory) 
    • Entitlements (AD Groups) granted 
    • AD Attributes 
    • Password 
    • Home Drive created 
    • Office365 

New user provisioning - Exchange Online

Use Case

New user provisioning - Exchange Online

Brief Description

IDM assigns roles to the user identity and provisions core target-system accounts based on the user's organization and the Computer Access Flag on the HRMS record.

Actors

  • IDM

  • HRMS
  • Exchange Online

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process
  • Core-Connected systems are set up and integrated with OIM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified
Basic Flow

The process is as follows:

  • A new user is created in IDM from the HRMS record
  • IDM assigns roles to the user identity and provisions core target-system accounts
  • IDM triggers provisioning in the core-connected systems

IDM then performs the following provisioning, manually or automatically:

  • Exchange 
  • Exchange Online 
    • Email address created based on Owning Org \ Location 
    • Archive assigned 
    • Skype account created 

New user provisioning - Badging System (CCure)

Use Case

New user provisioning - Badging System (CCure)

Brief Description

IDM assigns roles to the user identity and provisions core target-system accounts based on the user's organization and the Computer Access Flag on the HRMS record.

Actors

  • IDM

  • HRMS
  • CCure

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process
  • Core-Connected systems are set up and integrated with OIM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified
Basic Flow

The process is as follows:

  • A new user is created in IDM from the HRMS record
  • IDM assigns roles to the user identity and provisions core target-system accounts
  • IDM triggers provisioning in the core-connected systems

IDM then performs the following provisioning, manually or automatically:

  • CCure 

New user provisioning - LDAP

Use Case

New user provisioning - LDAP

Brief Description

IDM assigns roles to the user identity and provisions core target-system accounts based on the user's organization and the Computer Access Flag on the HRMS record.

Actors

  • IDM

  • HRMS
  • LDAP

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process
  • Core-Connected systems are set up and integrated with OIM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified
Basic Flow

The process is as follows:

  • A new user is created in IDM from the HRMS record
  • IDM assigns roles to the user identity and provisions core target-system accounts
  • IDM triggers provisioning in the core-connected systems

IDM then performs the following provisioning, manually or automatically:

  • LDAP 

New user provisioning - Mainframe

Use Case

New user provisioning - Mainframe

Brief Description

IDM assigns roles to the user identity and provisions core target-system accounts based on the user's organization and the Computer Access Flag on the HRMS record.

Actors

  • IDM

  • HRMS
  • Mainframe

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process
  • Core-Connected systems are set up and integrated with OIM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified
Basic Flow

The process is as follows:

  • A new user is created in IDM from the HRMS record
  • IDM assigns roles to the user identity and provisions core target-system accounts
  • IDM triggers provisioning in the core-connected systems

IDM then performs the following provisioning, manually or automatically:

  • Mainframe RACF West 
    • User group added based on Organization \ Membership Rules 
    • West mainframe password created
  • The user's designated manager receives an email notification upon the creation of a new West Mainframe account.
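The following is an added example, not code from this page or from Oracle Identity Manager. It turns the rules described in the New user provisioning sections above (Company DS, Exchange Online and Mainframe) into one joiner function: roles derived from the organization, AD/Office365/Exchange Online accounts gated on the Computer Access Flag, the mailbox address derived from location, the RACF group derived from organization membership rules, and the manager notification for a new West mainframe account. It also carries the idempotency check implied by the preconditions, so re-running it for a record that already has accounts produces no duplicate actions. The HrmsRecord fields, the rule tables and the action strings are assumptions made for this illustration.

```python
# Added example, not code from the original page or from Oracle Identity Manager:
# builds the birthright provisioning plan for a new HRMS record according to the
# rules described in the New user provisioning sections. The HrmsRecord fields,
# rule tables and action strings are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class HrmsRecord:
    employee_id: str
    org: str                 # owning organization
    location: str
    computer_access: bool    # the HRMS "Computer Access Flag"
    manager_email: str
    status: str = "Active"   # the IDM user must already exist and be active


# Assumed rule tables standing in for IDM role membership rules and access policies.
ORG_ROLES: Dict[str, Set[str]] = {
    "Finance": {"Employee", "Finance-User"},
    "Engineering": {"Employee", "Eng-User"},
}
ROLE_AD_GROUPS: Dict[str, Set[str]] = {
    "Employee": {"All-Staff"},
    "Finance-User": {"Fin-Share-RW"},
    "Eng-User": {"Eng-Git"},
}
MAINFRAME_GROUP_BY_ORG: Dict[str, str] = {"Finance": "FINUSER"}   # orgs with West mainframe access
MAIL_DOMAIN_BY_LOCATION: Dict[str, str] = {"HQ": "corp.example", "West": "west.example"}


@dataclass
class Plan:
    roles: Set[str] = field(default_factory=set)
    actions: List[str] = field(default_factory=list)        # ordered "target:action[:detail]" steps
    notifications: List[str] = field(default_factory=list)


def build_plan(rec: HrmsRecord, existing: Dict[str, Set[str]]) -> Plan:
    """existing maps target name -> employee ids that already hold an account there,
    so re-running the joiner for the same record never creates duplicate accounts."""
    if rec.status != "Active":
        raise ValueError("precondition: Create User Process must have produced an active IDM user")
    plan = Plan(roles=set(ORG_ROLES.get(rec.org, {"Employee"})))

    if not rec.computer_access:
        # No computer access: role assignment only, no target-system accounts.
        return plan

    if rec.employee_id not in existing.get("AD", set()):
        groups = set().union(*(ROLE_AD_GROUPS.get(r, set()) for r in plan.roles))
        plan.actions.append(f"AD:create:{rec.employee_id}")
        plan.actions.extend(f"AD:group:{g}" for g in sorted(groups))   # only role-derived groups
        plan.actions.append("AD:set-attributes")
        plan.actions.append("AD:set-initial-password")   # secret is generated at the target, never kept in the plan
        plan.actions.append("AD:create-home-drive")
        plan.actions.append("O365:assign-license")

    if rec.employee_id not in existing.get("EXO", set()):
        domain = MAIL_DOMAIN_BY_LOCATION.get(rec.location, "corp.example")
        plan.actions.append(f"EXO:mailbox:{rec.employee_id.lower()}@{domain}")
        plan.actions.append("EXO:assign-archive")
        plan.actions.append("EXO:create-skype")

    racf_group = MAINFRAME_GROUP_BY_ORG.get(rec.org)
    if racf_group and rec.employee_id not in existing.get("RACF-West", set()):
        plan.actions.append(f"RACF-West:create:{rec.employee_id}")
        plan.actions.append(f"RACF-West:group:{racf_group}")
        plan.actions.append("RACF-West:set-initial-password")
        plan.notifications.append(
            f"{rec.manager_email}: new West mainframe account for {rec.employee_id}")
    return plan
```

Separating the plan from its execution is deliberate: the plan can be logged and reviewed before any connector runs, and the "existing" map is the reconciliation data that prevents a replayed HRMS event from creating a second account.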

Deprovisioning Use Case:

Revocation and Deprovisioning - Self Service

Use Case

Revocation and Deprovisioning - Self Service

Brief Description

Deprovisioning is the process of revoking a person's account, entitlement or role in a target system and removing the corresponding permissions there.

Actors

  • IDM

  • Requester
  • Fulfiller
  • Target System

Trigger Events

  • An approved revoke request is sent to the fulfiller

Preconditions

  • Catalog item is currently provisioned to the user

Post-Conditions

Success

  • Revoking an account disables or deletes the account, which removes the entitlements assigned to it
  • Revoking a role removes the user's membership of the role
  • Revoking a user disables or deletes the user and removes all assigned privileges

Fail

  • The desired catalog item is not de-provisioned and the corresponding entitlement/account remains in the target system
Basic Flow

The basic flow for deprovisioning through self-service is explained below:

Self-Service:

  • The requester logs into IDM, locates the role, entitlement or account to be removed on the profile, selects revoke/remove and submits the request
  • IDM generates a request ID and sends the request to the approver
  • Once approved, IDM routes the request to fulfillment
  • The fulfiller receives the request for manual de-provisioning
  • The fulfiller claims the request and completes the manual fulfillment
  • Once fulfillment is complete, IDM removes the access or catalog item from the user profile
  • IDM notifies the requester and the manager that the request is complete

Revocation and Deprovisioning -Certifier

Use Case

Revocation and Deprovisioning - Certifier

Brief Description

Deprovisioning is the process of revoking a person's account, entitlement or role in a target system and removing the corresponding permissions there.

Actors

  • IDM

  • Certifier
  • Fulfiller
  • Target System

Trigger Events

  • A certifier selects Revoke during a certification review, or the review is left incomplete, and the resulting request is sent to the fulfiller

Preconditions

  • Catalog item is currently provisioned to the user

Post-Conditions

Success

  • Revoking an account disables or deletes the account, which removes the entitlements assigned to it
  • Revoking a role removes the user's membership of the role
  • Revoking a user disables or deletes the user and removes all assigned privileges

Fail

  • The desired catalog item is not de-provisioned and the corresponding entitlement/account remains in the target system
Basic Flow

The basic flow for deprovisioning from a certification review is explained below:

Certification Review:

  • A certifier (role member, manager or certification owner) selects Revoke during the certification review
  • IDM generates a request ID to remove the access
  • IDM moves the request to fulfillment
  • A certification that is not completed also causes IDM to generate a request ID and send the removal of the uncertified access to fulfillment, so unreviewed access is revoked rather than silently kept

Revocation and Deprovisioning -Access Policy

Use Case

Revocation and Deprovisioning - Access Policy

Brief Description

Deprovisioning is the process of revoking a person's account, entitlement or role in a target system and removing the corresponding permissions there.

Actors

  • IDM

  • Requester
  • Target System

Trigger Events

  • A role that has an access policy attached is removed from the user's profile

Preconditions

  • Catalog item is currently provisioned to the user

Post-Conditions

Success

  • Revoking an account disables or deletes the account, which removes the entitlements assigned to it
  • Revoking a role removes the user's membership of the role
  • Revoking a user disables or deletes the user and removes all assigned privileges

Fail

  • The desired catalog item is not de-provisioned and the corresponding entitlement/account remains in the target system
Basic Flow

The basic flow for deprovisioning triggered by an access policy is explained below:

Access Policy:

  • A request is submitted to remove, from a user's profile, a role that has an access policy attached
  • IDM generates a request ID
  • The access policy evaluation removes from the user profile the entitlements that the policy had granted
  • A scheduled job run by IDM evaluates role changes
  • For each changed role that has an access policy assigned, IDM generates a request ID to process the removal
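The following is an added example, not code from this page or from Oracle Identity Manager. It models the three revocation paths described in the deprovisioning use cases above: an explicit revoke of an entitlement, account, role or user (self-service), closing a certification review in which undecided items are revoked once the deadline has passed (the incomplete-certification case), and access-policy evaluation when a role is removed. The policy evaluation keeps an entitlement that another retained role still grants, which is the check a practitioner wants before bulk-revoking on a role change. UserProfile, the ACCESS_POLICIES table and the function names are assumptions made for this illustration.

```python
# Added example, not code from the original page or from Oracle Identity Manager:
# an in-memory model of the revocation paths above (self-service revoke,
# certification review including the incomplete case, and access-policy-driven
# removal on role change). UserProfile, ACCESS_POLICIES and the function names
# are assumptions made for this illustration.
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set
import itertools

_request_ids = itertools.count(5000)   # stand-in for the request ID IDM generates

# role -> entitlements that an access policy grants for that role (assumed table)
ACCESS_POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "Employee": {"AD": {"All-Staff"}},
    "Finance-User": {"AD": {"Fin-Share-RW"}, "RACF-West": {"FINUSER"}},
}


@dataclass
class UserProfile:
    user_id: str
    roles: Set[str]
    accounts: Dict[str, Set[str]]              # target -> entitlements held on that account
    disabled_accounts: Set[str] = field(default_factory=set)
    disabled: bool = False
    log: List[str] = field(default_factory=list)   # request-ID audit trail


def _request(profile: UserProfile, what: str) -> int:
    rid = next(_request_ids)
    profile.log.append(f"{rid}: {what}")
    return rid


def revoke_entitlement(profile: UserProfile, target: str, ent: str) -> int:
    rid = _request(profile, f"revoke entitlement {target}/{ent}")
    profile.accounts.get(target, set()).discard(ent)
    return rid


def revoke_account(profile: UserProfile, target: str, delete: bool = False) -> int:
    # Disabling or deleting the account removes every entitlement assigned to it.
    rid = _request(profile, f"{'delete' if delete else 'disable'} account {target}")
    if delete:
        profile.accounts.pop(target, None)
    else:
        profile.accounts[target] = set()
        profile.disabled_accounts.add(target)
    return rid


def revoke_role(profile: UserProfile, role: str) -> int:
    # Remove the membership, then let the access policy evaluation take back what the
    # role granted. Entitlements still justified by a retained role are kept.
    rid = _request(profile, f"revoke role {role}")
    profile.roles.discard(role)
    still_granted: Dict[str, Set[str]] = {}
    for r in profile.roles:
        for target, ents in ACCESS_POLICIES.get(r, {}).items():
            still_granted.setdefault(target, set()).update(ents)
    for target, ents in ACCESS_POLICIES.get(role, {}).items():
        for ent in sorted(ents - still_granted.get(target, set())):
            revoke_entitlement(profile, target, ent)
    return rid


def revoke_user(profile: UserProfile) -> int:
    rid = _request(profile, "revoke user")
    for role in sorted(profile.roles):
        revoke_role(profile, role)
    for target in sorted(profile.accounts):
        revoke_account(profile, target)
    profile.disabled = True
    return rid


def close_certification(profile: UserProfile, decisions: Dict[str, Optional[str]],
                        deadline: datetime, now: datetime) -> List[int]:
    """decisions maps 'target/entitlement' -> 'certify', 'revoke' or None (undecided).
    Explicit revokes are processed at once; after the deadline, undecided items are
    revoked as well, so an incomplete certification fails closed as the use case requires."""
    rids: List[int] = []
    for key, decision in decisions.items():
        target, ent = key.split("/", 1)
        if decision == "revoke" or (decision is None and now > deadline):
            rids.append(revoke_entitlement(profile, target, ent))
    return rids


def verify_removed(profile: UserProfile, target: str, ent: str) -> bool:
    # Post-condition check: a revoke that leaves the entitlement in place is a failure.
    return ent not in profile.accounts.get(target, set())
```

verify_removed() is the piece that turns the Fail post-condition into something a scheduled reconciliation can actually test against the target, rather than trusting the request status alone.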

Other Use Cases

  • Create Account

  • Revoke Account

  • Update Account

  • Grant Entitlement

  • Revoke Entitlement

  • Reconcile Account

  • Reconcile Entitlements

  • Reconcile Entitlement Master

Process Flow Diagram

The below diagram shows the process activities of the disconnected system



The below diagram shows the process activities of the connected system