Provisioning Role Event Processing Order
Some default Identity Manager tasks include events (actions that Identity Manager performs to complete a task) that determine provisioning role membership. For example, the default Modify User task includes the AssignProvisioningRoleEvent and the RevokeProvisioningRoleEvent. Assigning or revoking a provisioning role may add or remove an account on an endpoint. In some cases, the endpoint may require that all Add actions occur before Remove actions.

To make Identity Manager process Add actions first, you enable the Accumulation of Provisioning Role Membership Events setting in the Management Console. When this setting is enabled, Identity Manager accumulates all of the Add and Remove actions into a single event, called the AccumulatedProvisioningRolesEvent. For example, if the Modify User task assigns a user to three provisioning roles and removes that user from two other provisioning roles, an AccumulatedProvisioningRolesEvent is generated that contains five actions: three Add actions and two Remove actions.

When this event executes, all Add actions are combined into a single operation and sent to the Provisioning Server for processing. Once processing of the Add actions completes, Identity Manager combines the Remove actions into a single operation and sends that operation to the Provisioning Server.

Enabling this setting affects the following Identity Manager functionality:

- Provisioning Roles Tab in User Tasks: When an administrator adds or removes a user from a provisioning role using the Provisioning Roles tab, Identity Manager accumulates those actions into a single event.
- Identity Policies: All provisioning role membership events (AssignProvisioningRoleEvent or RevokeProvisioningRoleEvent) that are generated as a result of an Identity Policy evaluation are accumulated into a single AccumulatedProvisioningRolesEvent. Identity Manager executes this event like any other secondary event. For example, consider an identity policy set that includes two identity policies: Policy A revokes membership in Provisioning Role A, and Policy B makes users members of Provisioning Role B. If Identity Manager determines that a user no longer satisfies Policy A but now satisfies Policy B, an AccumulatedProvisioningRolesEvent that contains two actions (one Remove action and one Add action) is generated. The Add action is executed first, and then the Remove action is executed.
- View Submitted Tasks: To view the status of the AccumulatedProvisioningRolesEvent and the status of each of the individual actions, use the View Submitted Tasks task to view event details. If one of the individual actions fails, the status of the event is failed, which moves the task to a failed state.
- Workflow: You can associate a workflow process with the AccumulatedProvisioningRolesEvent. In this case, an approver can approve or reject the entire event, which approves or rejects each of the individual events. To enable workflow for individual events within the AccumulatedProvisioningRolesEvent, the following additional configuration is required.
  - In the Identity Manager Management Console, navigate to Home, Environments, <env_name>, Advanced Settings, Provisioning.
  - Under the Provisioning Properties section, select Enable Accumulation of Provisioning Role Membership Events. Save the configuration and restart the environment for the changes to take effect.
  - You will now see the Approve Accumulated Provisioning Roles task in the View Admin Tasks screen of the Identity Manager User Console.
  - Assign this admin task to the System Manager role.
  - Navigate to Admin Roles, Modify Admin Role and select System Manager.
  - In the Tasks tab, select Filter by category as Users and Add Task as Approve Accumulated Provisioning Roles.
  - Navigate to Modify Admin Task, and search for Modify User or any other task required for the workflow configuration. In this example, we use the Modify User task.
  - Select the Modify User task. In the Events tab, select the Non-Policy Based value as AccumulatedProvisioningRolesApproveProcess and click OK.
  - Workflow is now configured. If you now modify a user and add Provisioning Roles in the Provisioning tab, the System Manager role member gets a work item for approval.
- Auditing: Identity Manager audits information about the AccumulatedProvisioningRolesEvent and each individual event.
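The accumulation and ordering described above, modelled as an added example (constructed here, not Identity Manager code): membership events are folded into one accumulated event, all Add actions go to the Provisioning Server as one operation before the Remove actions, and a single failed action fails the whole event. The `provisioning_server` callable and the `(event name, role)` input tuples are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed model of the behaviour in this page; names below are assumptions.
ASSIGN = "AssignProvisioningRoleEvent"
REVOKE = "RevokeProvisioningRoleEvent"


@dataclass
class RoleAction:
    kind: str   # "Add" or "Remove"
    role: str


@dataclass
class AccumulatedProvisioningRolesEvent:
    user: str
    actions: List[RoleAction] = field(default_factory=list)
    status: str = "pending"


def accumulate(user: str, membership_events: List[Tuple[str, str]]) -> AccumulatedProvisioningRolesEvent:
    """Fold Assign/Revoke membership events for one user into a single accumulated event."""
    acc = AccumulatedProvisioningRolesEvent(user)
    for name, role in membership_events:
        if name == ASSIGN:
            acc.actions.append(RoleAction("Add", role))
        elif name == REVOKE:
            acc.actions.append(RoleAction("Remove", role))
        else:
            raise ValueError(f"not a provisioning role membership event: {name}")
    return acc


def execute(acc: AccumulatedProvisioningRolesEvent,
            provisioning_server: Callable[[str, List[str]], List[Tuple[str, bool]]]) -> list:
    """Send one combined Add operation, then one combined Remove operation.

    provisioning_server(kind, roles) returns (role, ok) per action (assumed interface).
    The event status becomes 'failed' if any individual action failed; the model still
    sends the Remove operation after an Add failure, since the page only fixes the order.
    """
    log = []
    failed = False
    for kind in ("Add", "Remove"):            # Add actions are always processed first
        roles = [a.role for a in acc.actions if a.kind == kind]
        if not roles:
            continue
        results = provisioning_server(kind, roles)
        log.append((kind, results))
        failed = failed or not all(ok for _, ok in results)
    acc.status = "failed" if failed else "completed"
    return log
```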