Fulfillment


During recertification, EmpowerID sends requests to managers to certify whether their employees should have access to the resources that they currently have. The managers then recertify or revoke access, and if there are other approval steps, EmpowerID forwards their decisions to the next approver. In inventoried account stores, once the recertification has gone through all of the approval steps, EmpowerID fulfills the decision, updating or revoking access as specified.

However, EmpowerID does not perform inventory on tracking-only account stores directly. Instead, EmpowerID sends the application owner or group owners requests to manually add or remove access for the user accounts and groups. Once the application or group owner fulfills these requests, they mark the requests complete, and EmpowerID updates the account store, user account, and group information accordingly. We call this process fulfillment.

In the fulfillment process, EmpowerID creates, gets permission for, and tracks the requests and communicates them to the owner. Once the owner fulfills the requests, EmpowerID updates the tracking-only account store.

System Change Outbox

Owners receive fulfillment requests via the System Change Outbox, and you can track their progress there. 

In order to have the tracking-only account store send changes to the System Change Outbox queue instead of trying to add or remove user accounts, two settings must be in place for the account store:

  • Enable Group Membership Reconciliation
  • Send All Changes to Outbox


Application-Centric vs. Group-Centric Fulfillment

Fulfillment can be processed in one of two ways: application centric or group centric. By default, fulfillment is performed in an application-centric fashion, bundling all requests for the application and sending them to a single application owner. 



Alternatively, you can perform fulfillment in a group-centric fashion. In this case, EmpowerID bundles the requests for each group in the application and sends each bundle to that group's owner. The ProcessGroupFulfillment workflow runs this process.