Provisioning Process

Provisioning is the process of taking a person’s account information to create a person’s profile in a target system and taking the person’s entitlements and setting corresponding permissions in a target system. Provisioning would include the creation and modification of accounts and permissions in the target system.

• IDM

• Requester
• Approver
• Fulfiller
• Target System

• The request is sent to the fulfiller

• Request submitted for the connected system has been approved

• Catalog item is not already provisioned to the User

Success

• Desired catalog item gets provisioned to the user and corresponding entitlement/account created in the target system
• Task status changed to 'Completed'
• Notification is sent to the beneficiary and requester

Fail

• Desired catalog item doesn't get provisioned to the user and corresponding entitlement/account doesn't create in the target system

The basic flow for the provisioning process of the disconnected user is explained in the below activity diagram:

• The user submits the request by clicking on the create request link
• The user creates a request and submits it for approval
• Approver approves the request
• Fulfiller receives the request for manual provisioning
• Fulfiller claim the request and completes manual fulfillment
• The request gets provisioned into the target system

Provisioning is the process of taking a person’s account information to create a person’s profile in a target system and taking the person’s entitlements and setting corresponding permissions in a target system. Provisioning would include the creation and modification of accounts and permissions in the target system.

• IDM

• Requester
• Approver
• Fulfiller
• Target System

• The request is sent to the fulfiller

• Request submitted for the connected system has been approved

• Catalog item is not already provisioned to the User

Success

• Desired catalog item gets provisioned to the user and corresponding entitlement/account created in the target system
• Task status changed to 'Completed'
• Notification is sent to the beneficiary and requester

Fail

• Desired catalog item doesn't get provisioned to the user and corresponding entitlement/account doesn't create in the target system

The basic flow for the provisioning process of the connected user is explained in the below activity diagram:

• The user submits the request by clicking on the create request link
• The user creates a request and submits it for approval
• Approver approves the request
• OIM Connector receives the connection details from IT resource
• OIM Connector automatically provisions the request into the target system

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS
• Company DS

• New User is created in HRMS

• Active user in IDM created with Create User Process
• Core-Connected systems are set up and integrated with OIM

Success

• IDM grant or disable access on the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The process is as follows:

• New User-created by data from HRMS
• IDM assigns roles to user identity and provisions core target system accounts
• IDM triggers provisioning in Core-Connected Systems

Below provisioning is done manually/ automatically by IDM:

• Company DS (Active Directory) 
  
  • Entitlements (AD Groups) granted 
  • AD Attributes 
  • Password 
  • Home Drive created 
  • Office365 

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS
• Exchange Online

• New User is created in HRMS

• Active user in IDM created with Create User Process
• Core-Connected systems are set up and integrated with OIM

Success

• IDM grant or disable access on the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The process is as follows:

• New User-created by data from HRMS
• IDM assigns roles to user identity and provisions core target system accounts
• IDM triggers provisioning in Core-Connected Systems

Below provisioning is done manually/ automatically by IDM:

• Exchange 
• Exchange Online 
  
  • Email address created based on Owning Org \ Location 
  • Archive assigned 
  • Skype account created 

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS
• CCure

• New User is created in HRMS

• Active user in IDM created with Create User Process
• Core-Connected systems are set up and integrated with OIM

Success

• IDM grant or disable access on the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The process is as follows:

• New User-created by data from HRMS
• IDM assigns roles to user identity and provisions core target system accounts
• IDM triggers provisioning in Core-Connected Systems

Below provisioning is done manually/ automatically by IDM:

• CCure 

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS

• New User is created in HRMS

• Active user in IDM created with Create User Process
• Core-Connected systems are set up and integrated with OIM

Success

• IDM grant or disable access on the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The process is as follows:

• New User-created by data from HRMS
• IDM assigns roles to user identity and provisions core target system accounts
• IDM triggers provisioning in Core-Connected Systems

Below provisioning is done manually/ automatically by IDM:

• LDAP 

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS
• Mainframe

• New User is created in HRMS

• Active user in IDM created with Create User Process
• Core-Connected systems are set up and integrated with OIM

Success

• IDM grant or disable access on the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The process is as follows:

• New User-created by data from HRMS
• IDM assigns roles to user identity and provisions core target system accounts
• IDM triggers provisioning in Core-Connected Systems

Below provisioning is done manually/ automatically by IDM:

• Mainframe RACF West 
  
  • User group added based on Organization \ Membership Rules 
  • West mainframe password created
• The user's designated manager receives an email notification upon the creation of a new West Mainframe account.

Deprovisioning is the process of revoking a person’s account/ entitlement/ role information in a target system and changing corresponding permissions in a target system.

• IDM

• Requester
• Fulfiller
• Target System

• The request is sent to the fulfiller

• Catalog item is not already provisioned to the User

Success

• Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account.
• Revoking roles removes the user member from the role.
• Revoking a user disables\deletes the user and removes all assigned privileges

Fail

• Desired catalog item doesn't get de-provisioned and corresponding entitlement/account doesn't get removed from the target system

The basic flow for the provisioning process of the disconnected user is explained below:

Self-Service:

• The requester logs into IDM and locates role, entitlement, or account from profile to be removed, selects revoke\remove, and submits the request
• The user submits the request by clicking on revoke access
• IDM generates a request ID and sends the request to the approver for approval
• Once approved, IDM proceeds the request to fulfillment.
• Fulfiller receives the request for manual de-provisioning
• Fulfiller claim the request and completes manual fulfillment
• Once fulfillment is completed, IDM removes access or catalog item from the user profile
• IDM sends a notification to the requester and manager that the request is complete.

Deprovisioning is the process of revoking a person’s account/ entitlement/ role information in a target system and changing corresponding permissions in a target system.

• IDM

• Certifier
• Fulfiller
• Target System

• The request is sent to the fulfiller

• Catalog item is not already provisioned to the User

Success

• Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account.
• Revoking roles removes the user member from the role.
• Revoking a user disables\deletes the user and removes all assigned privileges

Fail

• Desired catalog item doesn't get de-provisioned and corresponding entitlement/account doesn't get removed from the target system

The basic flow for the provisioning process of the disconnected user is explained below:

Certification Review:

• A certifier (role member(s), manager, or certifier owner) selects Revoke during the Certification Review process.
• A Request ID is generated to remove the access by IDM
• The request is moved to fulfillment by IDM
• An incomplete certification request which was not completed also triggers a request ID creation and process to remove the access for fulfillment by IDM

Deprovisioning is the process of revoking a person’s account/ entitlement/ role information in a target system and changing corresponding permissions in a target system.

• IDM

• Requester
• Target System

• The request is sent to the fulfiller

• Catalog item is not already provisioned to the User

Success

• Revoking accounts disables or deletes the accounts, which removes the entitlements assigned to the account.
• Revoking roles removes the user member from the role.
• Revoking a user disables\deletes the user and removes all assigned privileges

Fail

• Desired catalog item doesn't get de-provisioned and corresponding entitlement/account doesn't get removed from the target system

The basic flow for the provisioning process of the disconnected user is explained below:

Access Policy:

• A request is submitted by the user to remove a role on a user's profile that requires an Access Policy trigger
• The request ID is generated by IDM
• Access policy triggers removal of entitlements on the user profile
• A scheduled job is run by IDM to evaluate role changes
• For a role that has an access policy assigned to it, a request ID is generated to process the removal by IDM