| Info |
|---|
To effectively learn the Fulfillment workflow, prior knowledge of the Approval Flow Engine is recommended, along with an understanding of key concepts such as Business Request, Business Request Items, and Item Type Actions. Please refer to the Approval Flow Engine and Admin Training documentation for further information. |
I will explain the key concepts required to understand the Fulfillment workflow.
Business Request
A Business Request is a formal submission by users within an organization to request access to resources. It is directed to managers, resource owners, or delegated authorities for approval or rejection. In Empower ID, business requests group lists of actions for approval. These actions may include adding or removing group members, assigning management roles, or performing other tasks. The Business Request serves as a container that organizes related items also known as Business Request Items.
Creating a demo Business Request
First, go to your EmpowerID Web UI. Expand the IAM Shop, and under it, click on Shop for Access and it will take you to the IT Shop
On the IT Shop page, click the Request Access button next to any two groups. Make sure you have selected Groups from the dropdown.
When you click the Request Access button, a window will appear. From there, click the Add to Cart button to add the group to your cart.
Now, from the dropdown, select Management Roles. In the grid, click the Request Access button next to any role. A window will appear; click the Add to Cart button.
Click the Cart icon at the top right of the UI. A window will appear, listing your selected groups and a management role. For each group, choose New application roll-out from the dropdown. For the management role, choose New or additional responsibilities, then click the Evaluate Request button.
After clicking the Evaluate Request button, few controls will appear in the window. In the first textbox, enter the Business Request name, e.g., FWTest BR. Click on the Submit button.
Submitting this, EmpowerID API will create a Business Request. A popup will appear; click the name of your business request, which will open another screen where you can track the status of your request and see the requested items.
As you can see, there are three Requested Items (Business Request Items) in this Business Request. These Business Request Items are what need to be fulfilled. Sometimes they are approved, and sometimes they are rejected. Based on that decision, you will need to take the appropriate action.
Now, click the SHOW button next to any Request Item to view the data contained in a Business Request Item. Notice the Action Type for the Business Request Item. Every Business Request Item has Action Type (Item Type Action).
You can also view the Business Request Items created above in the UI by navigating to Business Request and Tasks → Business Request Reports. Go to the Business Request Items tab, type the name of your Business Request in the search box, and it will display all related Business Request Items along with their details. The Approval Engine uses this information to determine who should approve the request, and the Fulfillment Workflow, which is responsible for executing the action, also relies on this data. The Business Request Item must include at least the Requested Resource, which you can find by navigating to the right side of this grid on your UI.
If you scroll to the right side of the grid, you can see additional columns. For example, to add a person to a group, you need both the assignee (the person you want to add) and the group or group name. The workflow will use this information to complete the fulfillment process. All this information can be found in the Business Request Item.
Business Request Item
A Business Request Item is part of a business request that is processed through a fulfillment workflow. Business Request Items (BRIs) are the individual actions within a larger Business Request in the identity management system. They represent the specific tasks or changes that need to be made, like adding a user to a group, disabling an account, or sending an email etc.
Imagine you're shopping at an online store:
Business Request: This is like your shopping cart, containing everything you want to order.
Business Request Items (BRIs): These are the individual items in your cart. Each one is a separate request for a product.
Here's how BRIs fit into the bigger picture:
Origin: BRIs can originate from various sources:
IT Shop: Users can manually request actions through an interface called the "IT Shop”.
Workflows: Automated workflows, such as those triggered by lifecycle events (e.g., employee termination), can generate BRIs.
Recertification Processes: BRIs can be created as part of periodic reviews to confirm access rights.
Grouping: BRIs are grouped within a Business Request to provide context and allow for collective approval or rejection.
Data Storage: BRIs contain essential data for processing, including:
Target Resource ID: This is typically the GUID of the resource being acted upon, such as the account to be disabled.
Assignee ID: The GUID of the user receiving access or being affected by the action.
Each Business Request Item includes an Item Type Action.
Item Type Action
Each Business Request Item (BRI) has an associated Item Type Action that defines the specific change to be made. For example:
Add Account to Group
Disable Account
Send Email to Person etc.
Item Type Actions are linked to Fulfillment Workflows, which are automated processes responsible for executing these actions once the BRI is approved. These workflows are designed to handle multiple BRIs in bulk for greater efficiency.
Click the Edit (pencil) icon for the Add Account to Group item type action. On the edit page, you can view the Fulfillment Workflow that will be triggered if this action is approved.