Provisioning Role Event Processing Order

Some default Identity Manager tasks include events (actions that Identity Manager performs to complete a task) that determine provisioning role membership. For example, the default Modify User task includes the AssignProvisioningRoleEvent and the RevokeProvisioningRoleEvent. Assigning or revoking a provisioning role may add or remove an account on an endpoint. In some cases, the endpoint may require that all Add actions occur before Remove actions.
To make Identity Manager process Add actions first, enable the Accumulation of Provisioning Role Membership Events setting in the Management Console. When this setting is enabled, Identity Manager accumulates all of the Add and Remove actions into a single event, called the AccumulatedProvisioningRolesEvent. For example, if the Modify User task assigns a user to three provisioning roles and removes that user from two other provisioning roles, an AccumulatedProvisioningRolesEvent is generated that contains five actions: three Add actions and two Remove actions.
When this event executes, all Add actions are combined into a single operation and sent to the Provisioning Server for processing. Once processing of the Add actions completes, Identity Manager combines the Remove actions into a single operation and sends that operation to the Provisioning Server.
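The accumulation and ordering described above, as an added illustrative model (not Identity Manager code): individual Assign/Revoke actions from one task are folded into a single accumulated event, all Add actions go to the Provisioning Server as one operation before the Remove actions, and the event is marked failed if any individual action fails. The `send_operation` callback and the role names R1..R5 are constructed stand-ins for the Provisioning Server call and real provisioning roles.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class RoleAction:
    kind: str   # "Add" or "Remove"
    role: str   # provisioning role name (constructed sample values below)

@dataclass
class AccumulatedProvisioningRolesEvent:
    actions: List[RoleAction]
    status: str = "pending"
    action_status: Dict[Tuple[str, str], str] = field(default_factory=dict)

def accumulate(actions: List[RoleAction]) -> AccumulatedProvisioningRolesEvent:
    """Fold the Assign/Revoke actions generated by one task into a single event."""
    return AccumulatedProvisioningRolesEvent(actions=list(actions))

def execute(event, send_operation):
    """Run one combined Add operation first, then one combined Remove operation.
    send_operation(kind, roles) is a hypothetical stand-in for the call to the
    Provisioning Server and returns {role: True if that action succeeded}."""
    for kind in ("Add", "Remove"):
        roles = [a.role for a in event.actions if a.kind == kind]
        if not roles:
            continue
        results = send_operation(kind, roles)
        for role in roles:
            event.action_status[(kind, role)] = "succeeded" if results.get(role) else "failed"
    # A single failed action fails the whole event (and so the submitting task).
    event.status = "failed" if "failed" in event.action_status.values() else "succeeded"
    return event

def run_modify_user(assign, revoke, failing_roles=()):
    """Simulate a Modify User task. Returns (operations sent, in order; the event)."""
    sent = []
    def send_operation(kind, roles):
        sent.append((kind, list(roles)))            # record what went to the server
        return {r: r not in failing_roles for r in roles}
    actions = [RoleAction("Add", r) for r in assign] + [RoleAction("Remove", r) for r in revoke]
    event = execute(accumulate(actions), send_operation)
    return sent, event

if __name__ == "__main__":
    sent, event = run_modify_user(["R1", "R2", "R3"], ["R4", "R5"])
    print(sent)          # [('Add', ['R1', 'R2', 'R3']), ('Remove', ['R4', 'R5'])]
    print(event.status)  # succeeded
```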
Enabling this setting affects the following Identity Manager functionality:
  • Provisioning Roles Tab in User Tasks
    When an administrator adds or removes a user from a provisioning role using the Provisioning Roles tab, Identity Manager accumulates those actions into a single event.
  • Identity Policies
    All provisioning role membership events (AssignProvisioningRoleEvent or RevokeProvisioningRoleEvent) that are generated as a result of an Identity Policy evaluation are accumulated into a single AccumulatedProvisioningRolesEvent. Identity Manager executes this event like any other secondary event. For example, consider an identity policy set that includes two identity policies: Policy A revokes membership in Provisioning Role A and Policy B makes users members of Provisioning Role B. If Identity Manager determines that a user no longer satisfies Policy A, but now satisfies Policy B, an AccumulatedProvisioningRolesEvent that contains two actions (one for the remove action and one for the add action) is generated. The Add action is executed first and then the Remove action is executed.
  • View Submitted Tasks
    To view the status of the AccumulatedProvisioningRolesEvent and the status for each of the individual actions, use the View Submitted Tasks task to view event details. If one of the individual actions fails, the status of the event is failed, which moves the task to a failed state.
  • Workflow
    You can associate a workflow process with the AccumulatedProvisioningRolesEvent. In this case, an approver can approve or reject the entire event, which approves or rejects each of the individual events. To enable workflow for individual events within the AccumulatedProvisioningRolesEvent, the following additional configuration is required.
    1. In the Identity Manager Management Console, navigate to Home, Environments, <env_name>, Advanced Settings, Provisioning.
    2. Under the Provisioning Properties section, select Enable Accumulation of Provisioning Role Membership Events. Save the configuration and restart the environment for the changes to take effect.
    3. The Approve Accumulated Provisioning Roles task now appears in the View Admin Task screen of the Identity Manager User Console.
    4. Assign this admin task to the System Manager role.
      1. Navigate to Admin Roles, Modify Admin Role and select System Manager.
      2. In the Tasks tab, set Filter by category to Users and Add Task to Approve Accumulated Provisioning Roles.
    5. Navigate to Modify Admin Task and search for Modify User or any other task required for the workflow configuration. This example uses the Modify User task.
    6. Select the Modify User task. In the Events tab, set the Non-Policy Based value to AccumulatedProvisioningRolesApproveProcess and click Ok.
    7. Workflow is now configured. If you modify a user and add Provisioning Roles on the Provisioning tab, members of the System Manager role receive a work item for approval.
  • Auditing
    Identity Manager audits information about the AccumulatedProvisioningRolesEvent and each individual event.