Overview of Fulfillment

During recertification, EmpowerID sends requests to managers to certify whether their employees should have access to the resources that they currently have. The managers then recertify or revoke access, and if there are other approval steps, EmpowerID forwards their decisions to the next approver. In inventoried account stores, once the recertification has gone through all of the approval steps, EmpowerID fulfills the decision, updating or revoking access as specified.

However, EmpowerID does not perform inventory on tracking-only account stores directly. Instead, EmpowerID sends the application owner or group owners requests to manually add or remove access for the user accounts and groups. Once the application or group owner fulfills these requests, they mark the requests complete, and EmpowerID updates the account store, user account, and group information accordingly. We call this process fulfillment.

In the fulfillment process, EmpowerID creates the requests, obtains permission for them, tracks them, and communicates them to the owner. Once the owner fulfills the requests, EmpowerID updates the tracking-only account store.

The Group Membership Queue Processor job checks whether the application is group-centric or application-centric, selects which workflow to run, and passes in the list of changes from the System Change Outbox.

System Change Outbox

Owners receive fulfillment requests via the System Change Outbox, and you can track their progress there. 

In order to have the tracking-only account store send changes to the System Change Outbox queue instead of trying to add or remove user accounts, two settings must be in place for the account store:

  • Enable Group Membership Reconciliation

  • Send All Changes to Outbox


Application-Centric vs. Group-Centric Fulfillment

Fulfillment can be processed in one of two ways: by application or by group. By default, fulfillment is performed by application, bundling all requests for the application and sending them to a single application owner. You can also opt to perform fulfillment by group. In this case, EmpowerID bundles requests for each group in the application and sends them to each group owner. This process is run by the ProcessGroupFulfillment workflow.

  1. Changes from tracking-only account stores with the Send to System Change Outbox option set are sent to the System Change Outbox.

  2. EmpowerID checks whether the Is Group Centric option is selected.

  3. If the option is not selected, EmpowerID compiles a single email with all changes for each application and sends it to the application owner for fulfillment.
    If it is group centric, EmpowerID compiles a separate email with all changes for each group and sends it to each group owner for fulfillment.

  4. The application owner or group owners make the changes in the external application.

  5. The application owner or group owners mark their requests complete so that EmpowerID can update the status of each pending change.
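
The routing in steps 1 through 5 can be modeled in a few lines. This is an added illustration, not EmpowerID code or its API: the `Change` record, the function names, the dictionary keys, and all sample stores, applications, and owners are assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

# One pending membership change (illustrative model, not EmpowerID's schema)
Change = namedtuple("Change", "store app group account action")

def to_outbox(changes, stores):
    """Step 1: queue a change only if its account store has both settings on."""
    return [c for c in changes
            if stores[c.store]["reconciliation"] and stores[c.store]["all_to_outbox"]]

def bundle(outbox, apps, group_owners):
    """Steps 2-3: one request per application owner, or per group owner
    when the application is group centric."""
    requests = defaultdict(list)
    for c in outbox:
        if apps[c.app]["is_group_centric"]:
            key = (group_owners[(c.app, c.group)], c.app, c.group)
        else:
            key = (apps[c.app]["owner"], c.app, None)
        requests[key].append(c)
    return dict(requests)

def mark_complete(key, requests, status):
    """Step 5: the owner marks a request complete; its changes leave Pending."""
    for c in requests[key]:
        status[c] = "Complete"

# Constructed sample data
STORES = {"hr": {"reconciliation": True, "all_to_outbox": True},
          "legacy": {"reconciliation": True, "all_to_outbox": False}}
APPS = {"Payroll": {"owner": "alice", "is_group_centric": False},
        "Wiki": {"owner": "bob", "is_group_centric": True},
        "CRM": {"owner": "erin", "is_group_centric": False}}
GROUP_OWNERS = {("Wiki", "Editors"): "carol", ("Wiki", "Admins"): "dave"}
CHANGES = [Change("hr", "Payroll", "Clerks", "u1", "remove"),
           Change("hr", "Payroll", "Approvers", "u2", "remove"),
           Change("hr", "Wiki", "Editors", "u1", "add"),
           Change("hr", "Wiki", "Admins", "u3", "remove"),
           Change("legacy", "CRM", "Sales", "u4", "remove")]  # never queued

def demo():
    requests = bundle(to_outbox(CHANGES, STORES), APPS, GROUP_OWNERS)
    status = {c: "Pending" for cs in requests.values() for c in cs}
    mark_complete(("alice", "Payroll", None), requests, status)
    return requests, status

if __name__ == "__main__":
    for key, cs in demo()[0].items():
        print(key, [(c.account, c.action) for c in cs])
```

In this model the revocation for `u4` never produces a fulfillment request because its store lacks one of the two settings, and the Wiki changes stay Pending until their group owners mark them complete.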