Channel: Microsoft Identity Manager forum

FIM Portal Resource Requests And Approvals

All,

Lately I’m involved in a project where I’m being asked to implement more and more advanced Identity Management related tasks.

So I think I might be reaching the boundaries of the FIM Portal, or what my mind can build of solutions ;)

E.g. suppose you want a manager to be able to choose whether or not a user should receive an account for an SAP system. How would you implement this? I’m aware of the Set/MPR/WF/SR thingy. But would you add a Boolean attribute on the user for this like “RequireSAPAccount”? What if you have more and more of these items? Add them all on the user? Wouldn’t a user object end up like a garbage object?

Other examples could be "user should have limited/standard/full internet", "user should receive a laptop/desktop", "user should be able to work from home (smartcard)", "user requires access to file share X and Y"...

As I see it, ideally each of these "rights/entitlements" would be translated to a group membership. That way you can use the existing objects/GUI/approval capabilities and present a more or less user-friendly way of working.

Second, regarding approvals. Suppose you don’t configure an escalation approver, and an approval goes into the escalation timeframe, is it lost inevitably? Because an “administrator” can see the approval, but even he can’t approve as he’s not part of the “approvers” list for this WF. So what’s the typical approach here? Add a Windows group in the escalation approvers list? Add an “emergency service account”?

I'm aware that an exact answer is probably not possible, but I'm just wondering how you guys are tackling these challenges.

Kind regards,
Thomas


http://setspn.blogspot.com

