During recertification, EmpowerID sends requests to managers to certify whether their employees should have access to the resources that they currently have. The managers then recertify or revoke access, and if there are other approval steps, EmpowerID forwards their decisions to the next approver. In inventoried account stores, once the recertification has gone through all of the approval steps, EmpowerID fulfills the decision, updating or revoking access as specified.
However, in situations where access exists in an external system to which EmpowerID is not connected, fulfilling recertification decisions is a manual process performed by users delegated that responsibility (generally application or group owners). When this is the case, EmpowerID sends notifications to each owner, assigning them tasks to perform in the external system in accordance with the recertification decisions. Once those tasks are completed, EmpowerID updates the account store, user account, and group information within its Identity Warehouse accordingly. We call this process fulfillment.
In the fulfillment process, EmpowerID creates, gets permission for, and tracks the requests, communicating them to the owner. Once the owner fulfills the requests, EmpowerID updates the account store.
The Group Membership Queue Processor job checks whether the application is group centric or application centric, selects which workflow to run, and passes in the list of changes from the System Change Outbox.
System Change Outbox
Owners receive fulfillment requests via the System Change Outbox, and you can track their progress there.
In order to have the tracking-only account store send changes to the System Change Outbox queue instead of trying to add or remove user accounts, two settings must be in place for the account store:
- Enable Group Membership Reconciliation
- Send All Changes to Outbox
Application-Centric vs. Group-Centric Fulfillment
Fulfillment can be processed in one of two ways: by application or by group. By default, fulfillment is performed by application, bundling all requests for the application and sending them to a single application owner. You can also opt to perform fulfillment by group. In this case, EmpowerID bundles requests for each group in the application and sends them to each group owner. This process is run by the ProcessGroupFulfillment workflow.
- Changes from tracking-only account stores with the Send to System Change Outbox option set are sent to the System Change Outbox.
- EmpowerID checks whether the Is Group Centric option is selected.
- If it is not, EmpowerID compiles a single email with all changes for each application and sends it to the application owner for fulfillment.
- If it is group centric, EmpowerID compiles a separate email with all changes for each group and sends it to each group owner for fulfillment.
- The application owner or group owners make the changes in the external application.
- The application owner or group owners mark their requests complete so that EmpowerID can update the status of each pending change.
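The routing and status-tracking logic described in the steps above, as an added illustrative model; this is not EmpowerID's own code or the ProcessGroupFulfillment workflow. The change records, owner assignments, and names (OutboxChange, FulfillmentRequest, bundle_fulfillment_requests, mark_request_complete) are constructed here for the example. The model goes one step beyond the text by also returning changes for which no owner is assigned, since a change with no owner would otherwise sit in the outbox with nobody notified to act on it.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboxChange:
    """One pending change in the System Change Outbox (constructed shape)."""
    change_id: int
    application: str
    group: str
    person: str
    action: str  # "Add" or "Remove"


@dataclass
class FulfillmentRequest:
    """One notification sent to an owner, bundling the changes in its scope."""
    owner: str
    scope: str            # application name, or "application/group"
    changes: list


def bundle_fulfillment_requests(changes, is_group_centric, app_owners, group_owners):
    """Bundle outbox changes the way the two fulfillment modes do.

    Application-centric: one request per application, addressed to the
    application owner. Group-centric: one request per (application, group),
    addressed to that group's owner. Returns (requests, unassigned), where
    unassigned lists changes whose scope has no owner recorded; these would
    never be notified and should be surfaced rather than silently dropped.
    """
    buckets = defaultdict(list)
    for change in changes:
        key = (change.application, change.group) if is_group_centric else (change.application,)
        buckets[key].append(change)

    requests, unassigned = [], []
    for key, bucket in sorted(buckets.items()):
        if is_group_centric:
            owner = group_owners.get(key)
            scope = f"{key[0]}/{key[1]}"
        else:
            owner = app_owners.get(key[0])
            scope = key[0]
        if owner is None:
            unassigned.extend(bucket)
            continue
        requests.append(FulfillmentRequest(owner=owner, scope=scope, changes=bucket))
    return requests, unassigned


def mark_request_complete(status, request):
    """Owner marks a request complete: every change it carried moves from
    Pending to Completed so the warehouse can be updated for those changes."""
    for change in request.changes:
        status[change.change_id] = "Completed"
    return status


# Constructed sample data: two applications, three groups, four pending changes.
APP_OWNERS = {"HRPortal": "app.owner.hr", "Finance": "app.owner.fin"}
GROUP_OWNERS = {
    ("HRPortal", "HR-Admins"): "grp.owner.hradmins",
    ("HRPortal", "HR-Readers"): "grp.owner.hrreaders",
    ("Finance", "AP-Clerks"): "grp.owner.ap",
}
OUTBOX = [
    OutboxChange(1, "HRPortal", "HR-Admins", "jdoe", "Remove"),
    OutboxChange(2, "HRPortal", "HR-Readers", "asmith", "Remove"),
    OutboxChange(3, "HRPortal", "HR-Admins", "bjones", "Add"),
    OutboxChange(4, "Finance", "AP-Clerks", "jdoe", "Remove"),
]


if __name__ == "__main__":
    for mode in (False, True):
        reqs, stuck = bundle_fulfillment_requests(OUTBOX, mode, APP_OWNERS, GROUP_OWNERS)
        print("group-centric" if mode else "application-centric")
        for r in reqs:
            ids = [c.change_id for c in r.changes]
            print(f"  notify {r.owner} for {r.scope}: changes {ids}")
        print(f"  unassigned: {[c.change_id for c in stuck]}")
```

Running the block prints two requests in application-centric mode and three in group-centric mode for the same four changes; the `unassigned` list is empty here because every scope has an owner, but removing an entry from `GROUP_OWNERS` shows which changes would be left without a notified owner.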