Fulfillment Change Request Types capabilities

Hi,

I am going to start configuring fulfillment in Identity Governance 3.7.0 in menu: Fulfillment > Configuration > Fulfillment Targets > Add Fulfillment target

I see the following section:

=============================================================================================

Supported Change Request Types

Select the types of change requests this fulfillment target will process. You must select at least one.

Assign User to Account
Remove Permission Assignment
Remove user from account
Modify Permission Assignment
Modify Account Assignment
Remove account
Add permission to user
Give User Access to Application
Remove User Access to Application
Add technical role to user
Remove permission from account
Modify Account
Remove Technical Role Assignment

=============================================================================================

I want to know the capabilities of each "Change Request Type"

Does anyone have a description of each of them?

For example, what actions does the "Modify Account" execute? Is there an example where you can see how it works?

  • 0  

    They aren't documented, as far as I know.   I have been able to deduce some info, so use this carefully and at your own risk.  I looked at this over a year ago, so some of these might be a little different now.

    REMOVE_ACCOUNT_PERMISSION - A result of a permission review where a permission assignment is revoked from an account. Specifies target account and target permission.

    ADD_PERMISSION_TO_USER - After a request, assigns a new permisison to a account in a system.(WHICH ACCOUNT?)

    REMOVE_ACCOUNT_ASSIGNMENT - During account review, if you remove the user from an account this event is sent to the application with the identity name and the account.

    ADD_USER_TO_ACCOUNT - During a account review, if you enable modify permission you can assign unmapped accounts to a user/identity. This lists as “Assign User to Account” in fulfillment, and links the account object to the Identity. If you use a custom fulfiller action to select a user, from config, this does not work - its just a modify account type. Note that this is a change sent to the fulfiller (ad and edir do not support) and would likely entail an admin manually updating an account to have a matching attribute.

    MODIFY_ACCOUNT - During an review you can enable custom modify actions via config..Modify Review Item Reasons. These changes become modify accounts.

    ADD_APPLICATION_TO_USER- As a result of a request for an account, adds an account to a target application. Still needs collection for validation. The fulfiller needs to populate all appropriate attributes for creation/matching/placement. The default script uses a userProfile attribute that is configured in Config…Fulfillment Context Attributes

    REMOVE_ACCOUNT- As a result of a account review, where an account is revoked. Specifies the target account in the target system that will be removed.

    MODIFY_USER_PROFILE- After a user profile review, sends changes to a system (not supported by AD or eDir fulfillers?). Attributes must have the checkbox for available to review before showing up here.

    MODIFY_USER_SUPERVISOR - After a user direct reports review, to confirm managers, this type changes the manager (not supported by AD or eDir fulfillers)