Introduction:
Provisioning is the act of taking a person's account information and entitlements from IDM, creating that person's profile in the target systems, and assigning that person's respective permissions.
Following successful approval of the request, the fulfillment process runs to complete the request, either through an automated or a manual process.
Provisioning Use Case:
Manual Fulfillment
| Use Case | Manual Fulfillment |
|---|---|
| Brief Description | Provisioning is the process of taking a person's account information to create that person's profile in a target system, and taking the person's entitlements and setting the corresponding permissions in the target system. Provisioning includes the creation and modification of accounts and permissions in the target system. |
| Actors | - IDM<br>- Requester<br>- Approver<br>- Fulfiller<br>- Target System |
| Trigger Events | |
| Preconditions | - Catalog item is not already provisioned to the user |
| Post-Conditions | Success:<br>- Desired catalog item is provisioned to the user and the corresponding entitlement/account is created in the target system<br>- Task status changed to 'Completed'<br>- Notification is sent to the beneficiary and requester<br>Fail:<br>- Desired catalog item is not provisioned to the user and the corresponding entitlement/account is not created in the target system |
| Basic Flow | The basic flow for the provisioning process of the disconnected user is explained in the activity diagram below:<br>- The user submits the request by clicking on the create request link<br>- The user creates a request and submits it for approval<br>- The approver approves the request<br>- The fulfiller receives the request for manual provisioning<br>- The fulfiller claims the request and completes manual fulfillment<br>- The request is provisioned into the target system |
Automated Fulfillment
| Use Case | Automated Fulfillment |
|---|---|
| Brief Description | Provisioning is the process of taking a person's account information to create that person's profile in a target system, and taking the person's entitlements and setting the corresponding permissions in the target system. Provisioning includes the creation and modification of accounts and permissions in the target system. |
| Actors | - IDM<br>- Requester<br>- Approver<br>- Fulfiller<br>- Target System |
| Trigger Events | |
| Preconditions | - Catalog item is not already provisioned to the user |
| Post-Conditions | Success:<br>- Desired catalog item is provisioned to the user and the corresponding entitlement/account is created in the target system<br>- Task status changed to 'Completed'<br>- Notification is sent to the beneficiary and requester<br>Fail:<br>- Desired catalog item is not provisioned to the user and the corresponding entitlement/account is not created in the target system |
| Basic Flow | The basic flow for the provisioning process of the connected user is explained in the activity diagram below:<br>- The user submits the request by clicking on the create request link<br>- The user creates a request and submits it for approval<br>- The approver approves the request<br>- The OIM Connector receives the connection details from the IT resource<br>- The OIM Connector automatically provisions the request into the target system |
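The request lifecycle shared by the two fulfillment use cases above, as an added example that is not part of the original document: the duplicate-provisioning precondition is enforced at request creation, fulfillment is routed to the connector when the target has an IT resource and to a fulfiller otherwise, and a manual task cannot be completed before approval. The class names, the `IT_RESOURCES` sample and the request ID scheme are assumptions.

```python
# Added example (not from the original document): a minimal model of the request
# lifecycle in the two fulfillment use cases above; the class names and the
# IT-resource sample are assumptions.
from dataclasses import dataclass, field
# Constructed sample: a target with IT-resource connection details is "connected"
# (fulfilled automatically); any other target is "disconnected" (manual).
IT_RESOURCES = {"Company DS": {"host": "ad.example.test", "port": 636}}

@dataclass
class Request:
    request_id: int
    beneficiary: str
    target: str
    catalog_item: str
    status: str = "Submitted"   # Submitted -> Approved -> Completed
    fulfillment: str = ""       # "automated" or "manual"
    notifications: list = field(default_factory=list)

class ProvisioningEngine:
    def __init__(self):
        self.next_id = 1000
        self.provisioned = {}   # (beneficiary, target) -> set of catalog items
        self.manual_queue = []  # approved requests awaiting a fulfiller

    def create_request(self, beneficiary, target, item):
        # Precondition: the catalog item is not already provisioned to the user.
        if item in self.provisioned.get((beneficiary, target), set()):
            raise ValueError(f"{item} already provisioned to {beneficiary}")
        req = Request(self.next_id, beneficiary, target, item)
        self.next_id += 1
        return req

    def approve(self, req):
        req.status = "Approved"
        if req.target in IT_RESOURCES:  # connected: the connector provisions it
            req.fulfillment = "automated"
            return self._complete(req)
        req.fulfillment = "manual"      # disconnected: a fulfiller must claim it
        self.manual_queue.append(req)
        return req

    def claim_and_complete(self, req, fulfiller):
        if req.status != "Approved":    # fulfillment is only allowed after approval
            raise PermissionError("request has not been approved")
        self.manual_queue.remove(req)
        return self._complete(req, fulfiller)

    def _complete(self, req, fulfiller="OIM Connector"):
        self.provisioned.setdefault((req.beneficiary, req.target), set()).add(req.catalog_item)
        req.status = "Completed"
        req.notifications = [f"beneficiary:{req.beneficiary}", f"fulfilled_by:{fulfiller}"]
        return req
```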
New user provisioning - Company DS
| Use Case | New user provisioning - Company DS |
|---|---|
| Brief Description | IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and the Computer Access Flag from the HRMS record |
| Actors | |
| Trigger Events | |
| Preconditions | - Active user in IDM created with the Create User process<br>- Core-Connected systems are set up and integrated with OIM |
| Post-Conditions | Success:<br>- IDM grants or disables access on the associated target system<br>- All associated accounts and entitlements were correctly modified<br>Fail:<br>- IDM could not grant or disable access on the associated target system<br>- All or some entitlements and accounts were not correctly modified |
| Basic Flow | The process is as follows:<br>- New user created from HRMS data<br>- IDM assigns roles to the user identity and provisions core target system accounts<br>- IDM triggers provisioning in Core-Connected Systems<br>The following provisioning is done manually or automatically by IDM:<br>- Company DS (Active Directory)<br>- Entitlements (AD groups) granted<br>- AD attributes<br>- Password<br>- Home drive created<br>- Office365 |
New user provisioning - Exchange Online
| Use Case | New user provisioning - Exchange Online |
|---|---|
| Brief Description | IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and the Computer Access Flag from the HRMS record |
| Actors | |
| Trigger Events | |
| Preconditions | - Active user in IDM created with the Create User process<br>- Core-Connected systems are set up and integrated with OIM |
| Post-Conditions | Success:<br>- IDM grants or disables access on the associated target system<br>- All associated accounts and entitlements were correctly modified<br>Fail:<br>- IDM could not grant or disable access on the associated target system<br>- All or some entitlements and accounts were not correctly modified |
| Basic Flow | The process is as follows:<br>- New user created from HRMS data<br>- IDM assigns roles to the user identity and provisions core target system accounts<br>- IDM triggers provisioning in Core-Connected Systems<br>The following provisioning is done manually or automatically by IDM:<br>- Exchange<br>- Exchange Online<br>- Email address created based on Owning Org \ Location<br>- Archive assigned<br>- Skype account created |
New user provisioning - Badging System (CCure)
| Use Case | New user provisioning - Badging System (CCure) |
|---|---|
| Brief Description | IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and the Computer Access Flag from the HRMS record |
| Actors | |
| Trigger Events | |
| Preconditions | - Active user in IDM created with the Create User process<br>- Core-Connected systems are set up and integrated with OIM |
| Post-Conditions | Success:<br>- IDM grants or disables access on the associated target system<br>- All associated accounts and entitlements were correctly modified<br>Fail:<br>- IDM could not grant or disable access on the associated target system<br>- All or some entitlements and accounts were not correctly modified |
| Basic Flow | The process is as follows:<br>- New user created from HRMS data<br>- IDM assigns roles to the user identity and provisions core target system accounts<br>- IDM triggers provisioning in Core-Connected Systems<br>The following provisioning is done manually or automatically by IDM: |
New user provisioning - LDAP
| Use Case | New user provisioning - LDAP |
|---|---|
| Brief Description | IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and the Computer Access Flag from the HRMS record |
| Actors | |
| Trigger Events | |
| Preconditions | - Active user in IDM created with the Create User process<br>- Core-Connected systems are set up and integrated with OIM |
| Post-Conditions | Success:<br>- IDM grants or disables access on the associated target system<br>- All associated accounts and entitlements were correctly modified<br>Fail:<br>- IDM could not grant or disable access on the associated target system<br>- All or some entitlements and accounts were not correctly modified |
| Basic Flow | The process is as follows:<br>- New user created from HRMS data<br>- IDM assigns roles to the user identity and provisions core target system accounts<br>- IDM triggers provisioning in Core-Connected Systems<br>The following provisioning is done manually or automatically by IDM: |
New user provisioning - Mainframe
| Use Case | New user provisioning - Mainframe |
|---|---|
| Brief Description | IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and the Computer Access Flag from the HRMS record |
| Actors | |
| Trigger Events | |
| Preconditions | - Active user in IDM created with the Create User process<br>- Core-Connected systems are set up and integrated with OIM |
| Post-Conditions | Success:<br>- IDM grants or disables access on the associated target system<br>- All associated accounts and entitlements were correctly modified<br>Fail:<br>- IDM could not grant or disable access on the associated target system<br>- All or some entitlements and accounts were not correctly modified |
| Basic Flow | The process is as follows:<br>- New user created from HRMS data<br>- IDM assigns roles to the user identity and provisions core target system accounts<br>- IDM triggers provisioning in Core-Connected Systems<br>The following provisioning is done manually or automatically by IDM:<br>- Mainframe RACF West<br>- User group added based on Organization \ Membership Rules<br>- West mainframe password created<br>- The user's designated manager receives an email notification upon the creation of a new West Mainframe account |
Deprovisioning Use Case:
Revocation and Deprovisioning - Self Service
| Use Case | Revocation and Deprovisioning - Self Service |
|---|---|
| Brief Description | Deprovisioning is the process of revoking a person's account, entitlement or role information in a target system and changing the corresponding permissions in the target system. |
| Actors | - IDM<br>- Requester<br>- Fulfiller<br>- Target System |
| Trigger Events | |
| Preconditions | - Catalog item is not already provisioned to the user |
| Post-Conditions | Success:<br>- Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account<br>- Revoking roles removes the user's membership of the role<br>- Revoking a user disables or deletes the user and removes all assigned privileges<br>Fail:<br>- Desired catalog item is not de-provisioned and the corresponding entitlement/account is not removed from the target system |
| Basic Flow | The basic flow for the deprovisioning process of the disconnected user is explained below.<br>Self-Service:<br>- The requester logs into IDM, locates the role, entitlement or account to be removed from the profile, selects revoke/remove, and submits the request<br>- The user submits the request by clicking on revoke access<br>- IDM generates a request ID and sends the request to the approver for approval<br>- Once approved, IDM moves the request to fulfillment<br>- The fulfiller receives the request for manual de-provisioning<br>- The fulfiller claims the request and completes manual fulfillment<br>- Once fulfillment is completed, IDM removes the access or catalog item from the user profile<br>- IDM sends a notification to the requester and manager that the request is complete |
Revocation and Deprovisioning - Certifier
| Use Case | Revocation and Deprovisioning - Certifier |
|---|---|
| Brief Description | Deprovisioning is the process of revoking a person's account, entitlement or role information in a target system and changing the corresponding permissions in the target system. |
| Actors | - IDM<br>- Certifier<br>- Fulfiller<br>- Target System |
| Trigger Events | |
| Preconditions | - Catalog item is not already provisioned to the user |
| Post-Conditions | Success:<br>- Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account<br>- Revoking roles removes the user's membership of the role<br>- Revoking a user disables or deletes the user and removes all assigned privileges<br>Fail:<br>- Desired catalog item is not de-provisioned and the corresponding entitlement/account is not removed from the target system |
| Basic Flow | The basic flow for the deprovisioning process of the disconnected user is explained below.<br>Certification Review:<br>- A certifier (role member(s), manager, or certifier owner) selects Revoke during the Certification Review process<br>- IDM generates a request ID to remove the access<br>- IDM moves the request to fulfillment<br>- A certification request that was not completed also triggers creation of a request ID and the process to remove the access for fulfillment by IDM |
Revocation and Deprovisioning - Access Policy
| Use Case | Revocation and Deprovisioning - Access Policy |
|---|---|
| Brief Description | Deprovisioning is the process of revoking a person's account, entitlement or role information in a target system and changing the corresponding permissions in the target system. |
| Actors | - IDM<br>- Requester<br>- Target System |
| Trigger Events | |
| Preconditions | - Catalog item is not already provisioned to the user |
| Post-Conditions | Success:<br>- Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account<br>- Revoking roles removes the user's membership of the role<br>- Revoking a user disables or deletes the user and removes all assigned privileges<br>Fail:<br>- Desired catalog item is not de-provisioned and the corresponding entitlement/account is not removed from the target system |
| Basic Flow | The basic flow for the deprovisioning process of the disconnected user is explained below.<br>Access Policy:<br>- The user submits a request to remove a role from a user's profile that requires an Access Policy trigger<br>- IDM generates the request ID<br>- The access policy triggers removal of entitlements on the user profile<br>- IDM runs a scheduled job to evaluate role changes<br>- For a role that has an access policy assigned to it, IDM generates a request ID to process the removal |
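The scheduled role-change evaluation from the Access Policy flow above, as an added example that is not part of the original document: each user's policy-driven entitlements are compared with what is provisioned, a revoke request is raised for every policy-managed entitlement no remaining role still grants, and a grant request for anything a policy requires but the profile lacks. The policy table, user records, function names and request ID scheme are assumptions; entitlements that no access policy manages (direct requests) are deliberately left alone.

```python
# Added example (not from the original document): a scheduled-job style
# evaluation of role changes against access policies, as in the Access Policy
# revocation flow above. The policy table, user records and function names are
# assumptions.

# Constructed sample access policies: role -> entitlements the policy grants.
ACCESS_POLICIES = {
    "Employee": {"AD Group: All Staff", "Office365: Mailbox"},
    "Finance Analyst": {"AD Group: Finance", "Mainframe RACF West: FIN-RO"},
}
# Every entitlement some access policy manages; anything else on a profile was
# requested directly and is outside the scope of policy-driven removal.
POLICY_MANAGED = set().union(*ACCESS_POLICIES.values())


def desired_entitlements(roles):
    """Union of the entitlements granted by the user's current roles."""
    wanted = set()
    for role in roles:
        wanted |= ACCESS_POLICIES.get(role, set())
    return wanted


def evaluate_role_changes(users, next_request_id=5000):
    """Scheduled-job evaluation: for each user compare policy-driven
    entitlements with what is provisioned and emit grant/revoke requests,
    each with its own request ID as IDM would generate.
    users: {login: {"roles": set(...), "provisioned": set(...)}}"""
    requests = []
    for login, state in sorted(users.items()):
        wanted = desired_entitlements(state["roles"])
        current = state["provisioned"]
        # A role was removed: revoke only policy-managed entitlements that no
        # remaining role still grants; direct grants are left untouched.
        for ent in sorted((current & POLICY_MANAGED) - wanted):
            requests.append({"id": next_request_id, "user": login,
                             "action": "revoke", "entitlement": ent})
            next_request_id += 1
        # A role was added: grant what the policy requires but is missing.
        for ent in sorted(wanted - current):
            requests.append({"id": next_request_id, "user": login,
                             "action": "grant", "entitlement": ent})
            next_request_id += 1
    return requests
```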
Other Use Cases
Process Flow Diagram
The diagram below shows the process activities of the disconnected system.
The diagram below shows the process activities of the connected system.