IDHub User Types:
IDHub can be used by all stakeholders of an organization. Typically, all members of an organization need access to certain applications. Example: The CEO may need accounting and sales application access on a high level, whereas the door security and receptionist would need physical access to enter the organization through a touch-pad application. That being said, IDHub is primarily used by:
End-Users are generally employees or contractors who are using IDHub for requesting applications and managing their own access. Their primary functions:
Request access to organization resources for self and others
Review and follow-up on requested accesses
Add self proxies
Report a problem to support team members
An Administrator is an owner of all applications, roles, workflows, forms, notifications and service requests in an organization. They manage IDHub, configure applications, and workflows. Administrators define and authorize access to the correct Users. Users with the role “Administrator”, are the only IDHub users who have access to the Administrator Module. In the organization, they are typically either the business owners or IT owners, who develop the company strategies and justify the need for any particular resource (either applications or roles). From an IDHub perspective, these individuals control and prioritize the business IT operations, and are responsible for defining the access policies, and authorize and certify access to the resource. They have the authority to add applications to IDHub, which carry out specific tasks for the organization, and are used by End-Users. Their primary functions:
Setup email configuration
Manage applications, entitlements, roles, certifications, workflows, collections, email templates, and the registration process
View reports and analytics
Create custom forms
*Note: Administrators require SOME technical expertise to become familiar with the functions within IDHub user interface consoles, and to be able to navigate and manage the applications.
3. Access Manager:
Access Managers are generally employees who are policy makers for the organization and are responsible for managing access related changes within the applications. This privilege is provided to a user if they have access to the role "Access Manager". Their primary functions:
Approve custom forms, workflows, service requests, new user creations, user lifecycle modifications, and new certification definition creations and modifications
A Manager is an employee who works for the organization and who has approval functions for their direct subordinates. This type of user can perform the below functions:
All end-user accesses
Approve requests for direct subordinates
5. Approver Group User:
Approval Group Users are used for approving requests which have varying levels of approval. This means, depending how the approval process is set up, multiple people within the organization may need to approve the request before it is granted to the beneficiary. When this happens, you will need to login with different approver credentials to claim and approve the request. This type of user can perform the below functions:
All End-User functions
Approve requests for their specific approval group
6. Manual Fulfiller:
Manual Fulfillers are used when on-boarding disconnected applications. When an application is disconnected, a Manual Fulfiller would manually add the user to the application. They are typically IT personnel who are responsible for creating an account after the approval process of a request. This type of user can perform the below functions:
All End-User functions
Approve manual fulfillment requests for disconnect applications
*Note: Manual Fulfillers require HIGH technical expertise to become familiar with the functions within IDHub user interface consoles, and to be able to navigate and manage the applications.
Request Life Cycle Terms:
Users, their manager, or a higher level role within IDHub can initiate Requests for new access, roles, or entitlements. The individual who makes the initial Request is the Requestor.
The individual user that will be receiving access to an application, role, or an entitlement from a request.
3. Manager Approval:
This approval process requires a task to be approved by the beneficiary’s Manager.
4. Group Approval:
This approval process requires a task to be approved by the beneficiary’s manager and then by a group. If there are multiple groups added, tasks will be created for each group one after the other, immediately after manager approval, to complete the approval process for giving access to the beneficiary.
After an approval process is complete, the request moves to a “Fulfillment Process”. At the end of this process, an account is created for the beneficiary, by a Fulfiller.
The fulfillment process can be automatic or manual. When a fulfillment process is automatic, the Fulfiller is IDHub Connector. When a fulfillment process is manual, a task is created for a group. The groups are added during the application on-boarding process.
*Note: Post fulfillment, an account is created for the beneficiary, thus completing the Request Life Cycle
1. IDHub provides an option for system administrators to:
Connect applications to IDHub for seamless requests to accounts and permissions, with the application from the IDHub platform
Add disconnected applications within IDHub, along with a list of entitlements for each application that can be manually fulfilled by an IT team member
Onboard all the applications (both connected and disconnected) via a single file upload
2. After the application is customized to the organization's needs, End-Users can:
Request the application through a centralized catalog repository through a shopping cart experience
3. System administrators can use our custom connectors to connect to other applications and pull data into IDHub directly.
4. IDHub provides integrations for:
On premise web-based applications
On premise support for applications that expose APIs publicly for provisioning
On cloud apps for provisioning and de-provisioning (coming soon)
1. The system administrator can connect to any applications for which connectors are made, or API’s are exposed. The connection can be established by either:
Single application onboard (via wizard)
Bulk application onboard (via file upload)
In both the cases, the administrator should confirm the connection is established with a preexisting connector in IDHub, or a custom connector which is built by the support team.
2. IDHub requires credentials for the application to establish the link. IDHub stores the credentials and uses them to validate the connection. Once the key is validated, all attributes, information, and entitlements are pulled into IDHub and managed.
While configuring the application, set-up the application so that:
Attribute specific synchronization happens between IDHub and the application
Entitlement specific synchronization is present
Customize the user response form, which is specific to the application which the end-user completes every time they request for the application
Customize the workflow, in which it has its own level of approvals, with customized forms attached at each level as desired
An Application is a program, or a collection of programs, that help an organization's end-users perform specific tasks, and are used by the organization to help meet the business objectives. Each Application based on function, its importance, and the value it adds to the business, are assigned a criticality risk rating. Each Enterprise Application typically has a business and/or IT owner. These are some day-to-day software Applications that may be used by the organization:
Office Suite 365
Entitlements are defined as a set of privileges that govern user access to a system or application. They are a set of permissions that determine what a user can or cannot do. Entitlements are requested in an IDM, are provisioned (granted) in a target system, and represent permissions to enterprise resources. An entitlement can only be granted to a person who has an account in the target system. These are granular permissions within an application that give dedicated access to someone who has the Entitlement.
Example: Access to a Jira project as an End-User or a Read-Only access to a Google Sheet
Entitlements must be requested AFTER the connecting application is requested, otherwise there is no connection between the Entitlement and application
A Role is a form of digital identity, associated with permissions (entitlements) to applications or other organization resources, which define what the member of that Role can or cannot do within their access. A Role is a logical representation of a person's job responsibilities. This is a group that can perform 2 functions simultaneously:
Giving the members of specific Roles access to a bunch of applications and entitlements
Giving the members of specific Roles certain responsibilities to claim and approve tasks
Example: The access manager group approves on-boarding tasks
4. Role Management:
Role Management in IDHub is a set of tasks that are completed to create roles and maintain their definitions over time. This will include:
Define a new role for creation
Create role conditions for role assignment
Mapping of roles with applications and entitlements
Role maintenance & modification
Disabling of roles
Deprecating or retiring of roles
5. Service Requests:
Service Requests are common requests an organization may have, which are generic, and not specific to any Applications. They are custom, and can cater any request. Any User within the organization can request to create a new Service Request. Only Access Managers can approve the request.
Examples: Device Request, Office Maintenance, KeyCard Access
IDHub has 2 major modules (or identity applications):
This is for End-Users with these available functions:
View Own Profile
Approve & Fulfill tasks etc.
This is for Administrators with these available functions:
Onboard Application & Roles
Configure Certifications etc.
Note: Both of the modules together provide a robust IDM application to any organization that would like to use IDHub.