The Identity Manager User Application is the business user’s view into the information, resources, and capabilities of Identity Manager. The User Application is a browser-based Web application that gives the user the ability to perform a variety of identity self-service tasks. The User Application provides a complete roles-based provisioning solution, giving users the ability to initiate and manage provisioning and role-based requests and approvals. In addition, the User Application offers support for compliance features, giving an organization a way to ensure that personnel conform to relevant business laws and regulations.
The User Application enables you to address the following business needs:
Providing a convenient way to perform roles-based provisioning actions.
The User Application allows you to manage role definitions and role assignments within your organization. Role assignments can be mapped to resources within a company, such as user accounts, computers, and databases.
For details on setting up the Role Tab, see Section 2.9, Configuring the Roles Tab.
Ensuring that an organization has a method for verifying that personnel are fully aware of organizational policies and are taking steps to comply with these policies.
For details on setting up the Compliance Tab, see Section 2.10, Configuring the Compliance Tab.
Providing user self-service, allowing a new user to self-register, and providing access to anonymous or guest users.
For more information, see Section IV, Portlet Reference.
Ensuring that access to corporate resources complies with organizational policies and that provisioning occurs within the context of the corporate security policy.
You can grant users access to identity data within the guidelines of corporate security policies.
For more information, see Section 2.2, Security.
Reducing the administrative burden of entering, updating, and deleting user information across all systems in the enterprise.
You can create customized workflows to provide a Web-based interface for users to manipulate distributed identity data triggering workflows as necessary.
For more information, see Section V, Configuring and Managing Provisioning Workflows.
Managing manual and automated provisioning of identities, services, resources, and assets, and supporting complex workflows.
You can implement manual provisioning by creating workflows that route provisioning requests to one or more authorities. For automated provisioning, you can configure the User Application to start workflows automatically in response to events occurring in the Identity Vault.
For more information, see Section V, Configuring and Managing Provisioning Workflows.
IMPORTANT:The User Application is an application and not a framework. The areas within the User Application that are supported to be modified are outlined within the product documentation. Modifications to areas not outlined within the product documentation are not supported.
Identity is the foundation of the User Application. The application uses identity as the basis for authorizing users access to systems, applications, and databases. Each user’s unique identifier—and each user’s roles—comes with specific access rights to identity data. For example, users who are identified as managers can access salary information about their direct reports, but not about other employees in their organization.
The tab within the application gives users a convenient way to display and work with identity information. It enables your organization to be more responsive by giving users access to the information they need whenever they need it. For example, users might use the tab to:
Manage their own user accounts directly
Look up other users and groups in the organization on demand
Visualize how those users and groups are related
List applications with which they are associated
The User Application Administrator is responsible for setting up the contents of the tab. What business users can see and do is typically determined by how the application has been configured, by their job requirements and level of authority.
A key feature of the Identity Manager User Application is workflow-based provisioning, which enables you to automate the approval and revocation of user access to your organization’s secure resources. Resources can include digital entities such as user accounts, computers, and databases.
The User Application’s tab gives users a convenient way to make requests for resources. A provisioning request is a user or system action intended to grant or revoke resources. Provisioning requests can be initiated directly by the user (through the tab), or indirectly in response to events occurring in the Identity Vault.
When a provisioning request requires permission from one or more individuals in an organization, the request starts one or more workflows. The workflows coordinate the approvals needed to fulfill the request. Some provisioning requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals. A successful provisioning request results in a . Provisioned resources are mapped to Identity Manager entitlements.
By default, the tab in the User Application does not display any provisioning requests. To configure a provisioning request a designer familiar with your business needs creates a provisioning request definition, which binds the resource to a workflow. The designer can configure workflows that proceed in a sequential fashion, with each approval step being performed in order, or workflows that proceed in a parallel fashion. A parallel workflow allows more than one user to act on a workflow task concurrently.
Identity Manager provides a set of Eclipse-based tools for designing the data and the flow of control within the workflows. In addition, Identity Manager provides a set of Web-based tools that provide the ability to configure existing provisioning requests, manage workflows that are in process, and define teams and team rights. For more information, see Section 1.4, Design and Configuration Tools.
The Provisioning Application Administrator is responsible for managing the workflow-based provisioning features of the User Application. For more information, see Section 1.3, User Application User Types.
The purpose of the tab within the User Application is to give you a convenient way to perform roles-based provisioning actions. These actions allow you to manage role definitions and role assignments within your organization. Role assignments can be mapped to resources within a company, such as user accounts, computers, and databases. For example, you might use the tab to:
Make role requests for yourself or other users within your organization
Create roles and role relationships within the roles hierarchy
Create separation of duties (SoD) constraints to manage potential conflicts between role assignments
Look at reports that provide details about the current state of the Role Catalog and the roles currently assigned to users, groups, and containers
When a role assignment request requires permission from one or more individuals in an organization, the request starts a workflow. The workflow coordinates the approvals needed to fulfill the request. Some role assignment requests require approval from a single individual; others require approval from several individuals. In some instances, a request can be fulfilled without any approvals.
When a role assignment request results in a potential separation of duties conflict, the initiator has the option to override the separation of duties constraint, and provide a justification for making an exception to the constraint. In some cases, a separation of duties conflict can cause a workflow to start. The workflow coordinates the approvals needed to allow the separation of duties exception to take effect.
Your workflow designer and system administrator are responsible for setting up the contents of the tab for you and the others in your organization. The flow of control for a roles-based workflow or separation of duties workflow, as well as the appearance of forms, can vary depending on how the approval definition for the workflow was defined in the Designer for Identity Manager. In addition, what you can see and do is typically determined by your job requirements and your level of authority.
For details on setting up the Role Subsystem, see Section 2.9, Configuring the Roles Tab. For details on using the tab, see the discussion of the Roles tab in the Identity Manager User Application: User Guide.
Compliance is the process of ensuring that an organization conforms to relevant business laws and regulations. One of the key elements of compliance is attestation. Attestation gives an organization a method for verifying that personnel are fully aware of organizational policies and are taking steps to comply with these policies. By requesting that employees or administrators regularly attest to the accuracy of data, management ensures that personnel information such as user profiles, role assignments, and approved separation of duties (SoD) exceptions are up-to-date and in compliance.
To allow individuals within an organization to verify the accuracy of corporate data, a user makes an attestation request. This request in turn initiates one or more workflow processes. The workflow processes give the attesters an opportunity to attest to the correctness of the data. A separate workflow process is initiated for each attester. An attester is assigned a workflow task in the list on the tab. To complete the workflow process, the attester opens the task, reviews the data, and attests that it is correct or incorrect.
The Roles Based Provisioning Module supports four types of attestation:
User profile
SoD violations
Role assignment
User assignment
For details on setting up the Compliance Tab, see Section 2.10, Configuring the Compliance Tab. For details on using the tab, see the discussion of the Compliance tab in the Identity Manager User Application: User Guide.