Account request workflows
Account request workflows provide a decision-based process to determine whether to grant the entitlement provided by a provisioning policy..
The entitlement provided by a provisioning policy specifies the account request workflow that applies to the set of users in the provisioning policy membership. There might be multiple provisioning policies that apply to the same user for the same service target. There might be different account request workflows in each provisioning policy. The account request workflow that is started for the user is determined based on the priority of the provisioning policy..
If a provisioning policy has no associated workflow and the policy grants an account entitlement, the operations that are related to the request run immediately. For example, an operation might add an account.
However, if a provisioning policy has an associated workflow, that workflow runs before the policy grants the entitlement. If the workflow returns a result of approved, the policy grants the entitlement. If the workflow has a result of rejected, the entitlement is not granted. For example, a workflow might require a manager's approval. Until the approval is submitted and the workflow completes, the account is not provisioned.
When you design a workflow, consider the intent of the provisioning policy and the purpose of the entitlement itself. For example, a provisioning policy is intended to automatically provision an intranet ID for every new person in an organization. The policy does not need an associated workflow that contains an approval activity. An approval request that might be rejected is in conflict with the intent to assign an intranet account to every new employee..
Workflows for an account contain types of information that are pertinent to the workflow: input parameters and output parameters. Input and output parameters are mapped to relevant data defined in the entitlement workflow. The mapping of input parameters to the relevant data is pre-defined. The input parameters are preselected, read-only parameters.
However, modification can occur for the mapping of the output parameters to the relevant data and the output parameter relevant data identifiers. The relevant data can be modified or deleted if it is not referenced by any input or output parameters. New relevant data can be added. Adding or modifying an account triggers an entitlement workflow if it is associated with the provisioning policy that governs the account.. An account request workflow is started during:
- New account requests from an ISIM user
- Account modify requests from an ISIM user
- Automatic account provisioning from ISIM system when automatic entitlement is defined in the provisioning policy
- New access requests from an ISIM user, and there is no access request workflow defined for that access
- Policy enforcement from an ISIM system. An account modify operation might occur because of a policy enforcement action. The account request workflow for an account is run only if the following property in the enRole.properties file is set to false:
enrole.workflow.skipfornoncompliantaccount=fals.
The default value is true.
Parent topic: User account and access request workflows