This scenario assumes the following:
You have installed and set up Identity Manager, the Identity Manager Roles Based Provisioning Module, and Access Manager.
The resource protected by Access Manager is based upon a credential of the user. In other words, the user is a member of a group, role, department, or so forth.
The workflow process grants the user the necessary entitlement to fulfill the Access Manager Permit policy.
Although it is not necessary, some form of single sign-on authentication (such as an Identity Injection policy or SAML assertion) can be defined for the Identity Manager User Application so that the user redirection to the workflow process is seamless and does not prompt for additional credentials.