I recently came across a scenario where training requirements need to be factored into IdM when provisioning roles. Unlike GRC (which uses parameter 2024 for this), IdM has nothing out of the box to support it. I thought I would share my approach, as it may help others with the same requirement; I have kept it simple enough for beginners to follow.
Employees must attend training before being granted a particular role. In real life I don’t see this followed religiously at all times 🙂, so the system also has to support exceptions, where a person is granted a role without having attended the training. The training data, which is usually held in some other system, has to be fed into IdM.
In my scenario the input is a flat file from the training system containing the Employee ID, the Course Name and the validity dates of each completed course.
Next, map the relationships between a training course and a business role. I created a new privilege for each training course, as shown below, using the naming convention PRIV:TRAINING:<NAME>.
Create a Business Role as shown below.
Under the Visibility tab, add the training privilege as shown below and set the visibility to “Owner+Members”. Only users who hold that training privilege will then see the business role in self-service.
Also make sure that the backend privileges (from the initial load) are grouped under and assigned to this business role.
Log in as an end user for whom self-service is enabled to request a role.
The user is allowed to navigate to and search for business roles and assign them, but not to select privileges directly. Notice that the user cannot locate the new business role “ACCOUNTS_PAYABLE”, because this user does not hold the required training privilege. Keep in mind that this is a visibility control on the self-service request path: it hides the role from the user, it does not by itself stop an administrator from assigning the role directly.
This end user can now attend the actual training course, and the record is fed into IdM via the flat file from the training system. If for some reason the user needs access to this business role without attending formal training, then, subject to your organisation’s approval process, the request can be forwarded to the IdM administrator, who can manually assign the training privilege to the user via the IdM UI as shown below.
After the training privilege has been assigned, this end user is able to search for and assign the corresponding business role, as shown below.
This provisions all the privileges attached to the business role to the respective backend systems.
There could also be the additional requirement that training courses have a validity period. Once the training privilege expires (for example, because the validity dates from the training feed were carried onto the privilege assignment), additional jobs need to be configured to remove the business role from the user; otherwise the user keeps the role even though the training that justified it is no longer valid.
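As an added example (not code from the original post, and not SAP IdM’s own job scripting), the following stand-alone Python models the logic the steps above describe end to end: parse the flat file from the training system, derive PRIV:TRAINING:<NAME> privilege names from the course names, honour the validity dates, fold in an admin-granted exception, decide which business roles a user may request in self-service, and work out which assigned roles the expiry job has to remove. The CSV layout, the course-to-role mapping, the role and privilege names, the employee IDs and the name-normalisation rule are all assumptions made for the example; in a real implementation this logic would live in IdM jobs working against the identity store.

```python
import csv
import io
from datetime import date

# Constructed sample export from the training system (assumed CSV layout:
# employee_id, course_name, valid_from, valid_to as ISO dates). The last row
# carries an invalid date on purpose to show how a bad record is handled.
TRAINING_FEED = """\
employee_id,course_name,valid_from,valid_to
1001,Accounts Payable Basics,2024-01-15,2025-01-14
1001,Procurement Compliance,2023-06-01,2024-05-31
1002,Accounts Payable Basics,2024-03-01,2025-02-28
1002,Procurement Compliance,2024-02-30,2025-02-28
"""

# Business roles and the training privilege(s) whose membership gates their
# visibility, mirroring the "Owner+Members" setting on the role's Visibility
# tab. Role and privilege names are assumptions made for the example.
ROLE_REQUIREMENTS = {
    "ACCOUNTS_PAYABLE": {"PRIV:TRAINING:ACCOUNTS_PAYABLE_BASICS"},
    "PROCUREMENT": {"PRIV:TRAINING:PROCUREMENT_COMPLIANCE"},
}


def _to_date(value):
    """Accept either a date object or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value).strip())


def privilege_for_course(course_name):
    """Apply the PRIV:TRAINING:<NAME> convention. Upper-casing the course name
    and replacing spaces with underscores is an assumed normalisation rule."""
    return "PRIV:TRAINING:" + course_name.strip().upper().replace(" ", "_")


def load_training_feed(text):
    """Parse the flat file into records carrying the derived privilege name and
    its validity window. A row with an unparsable date is skipped (and reported)
    rather than being turned into an open-ended grant."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            valid_from = _to_date(row["valid_from"])
            valid_to = _to_date(row["valid_to"])
        except ValueError:
            print("skipping row with an invalid date:", dict(row))
            continue
        records.append({
            "employee_id": row["employee_id"].strip(),
            "privilege": privilege_for_course(row["course_name"]),
            "valid_from": valid_from,
            "valid_to": valid_to,
        })
    return records


def training_privileges(records, employee_id, as_of):
    """Training privileges the employee holds on the given date (both ends of
    the validity window are inclusive)."""
    as_of = _to_date(as_of)
    return {
        r["privilege"]
        for r in records
        if r["employee_id"] == employee_id and r["valid_from"] <= as_of <= r["valid_to"]
    }


def effective_privileges(records, employee_id, as_of, exceptions=None):
    """Training-derived privileges plus any the IdM admin assigned manually as an
    approved exception. `exceptions` maps privilege -> expiry (None = open-ended)."""
    as_of = _to_date(as_of)
    held = training_privileges(records, employee_id, as_of)
    for priv, expires in (exceptions or {}).items():
        if expires is None or as_of <= _to_date(expires):
            held.add(priv)
    return held


def requestable_roles(held_privileges):
    """Business roles the user can see and request in self-service: every
    gating training privilege must be held."""
    return {role for role, needed in ROLE_REQUIREMENTS.items() if needed <= held_privileges}


def roles_to_revoke(assigned_roles, held_privileges):
    """What the expiry job should remove: assigned roles whose training privilege
    is no longer held. Roles without a training requirement are left untouched."""
    return {
        role for role in assigned_roles
        if not ROLE_REQUIREMENTS.get(role, set()) <= held_privileges
    }


def evaluate(feed_text, employee_id, as_of, assigned_roles=(), exceptions=None):
    """Run the whole chain for one employee on one date."""
    records = load_training_feed(feed_text)
    held = effective_privileges(records, employee_id, as_of, exceptions)
    return {
        "held": held,
        "requestable": requestable_roles(held),
        "revoke": roles_to_revoke(set(assigned_roles), held),
    }


if __name__ == "__main__":
    result = evaluate(TRAINING_FEED, "1001", "2024-06-15",
                      assigned_roles=["ACCOUNTS_PAYABLE", "PROCUREMENT", "BASIC_USER"])
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```

Run on the constructed feed for employee 1001 on 2024-06-15, the procurement training has lapsed, so the user still sees ACCOUNTS_PAYABLE in self-service but the expiry job flags PROCUREMENT for removal while leaving the unrelated BASIC_USER role alone. The manual-exception path is modelled with its own expiry date so that an admin-granted privilege lapses like a trained one, which is the behaviour you want if the exception is meant to be temporary.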