Page Comparison

During recertification, EmpowerID sends requests to managers to certify whether their employees should have access to the resources that they currently have. The managers then recertify or revoke access, and if there are other approval steps, EmpowerID forwards their decisions to the next approver. In inventoried account stores, once the recertification has gone through all of the approval steps, EmpowerID fulfills the decision, updating or revoking access as specified.

However, EmpowerID does not perform inventory on tracking-only account stores directly. Instead, EmpowerID sends the application owner or group owners requests to manually add or remove access for the user accounts and groups. Once the application or group owner fulfills these requests, they mark the requests complete, and EmpowerID updates the account store, user account, and group information accordingly. We call this process fulfillment.

In the fulfillment process, EmpowerID creates, gets permission for, and tracks the requests and communicates them to the owner. Once the owner fulfills the requests, EmpowerID updates the tracking-only account store.

System Change Outbox

Owners receive fulfillment requests via the System Change Outbox, and you can track their progress there. 

Image Modified

Application-Centric vs. Group-Centric Fulfillment

Fulfillment can be processed in one of two ways: application centric or group centric. By default, fulfillment is performed in an application-centric fashion, bundling all requests for the application and sending them to a single application owner. 

Image Modified

Or you can opt to perform fulfillment in a group-centric fashion. In this case, EmpowerID bundles requests for each group in the application and sends them to each group owner. This process is run by the ProcessGroupFulfillment workflow.

Image Modified

...

...