Authors – Ramakrishna J Gorthi (rjgorthi@in.ibm.com) & Vaibhav V Gadge (vaigadge@in.ibm.com)
Identity Governance and Intelligence (IGI) allows enterprises to provision, audit and report user access and his activities through life cycle, compliance and analytics capabilities. While one of the core functions of IGI revolves around Access Certification / Continued Business Need, there is a more specific requirement of performing certifications as delegated duties. Say one of the Line of Business managers (Assume SChang for the scope of the current discussion) is on leave, and a certification campaign is triggered, there needs to be a mechanism to have a delegate (Assume Jacob for the scope of the current discussion), to help perform certifications on behalf of SChang.
In order to Delegate Duties like Access Certification, need to ensure that there is a workflow to Delegate Admin Roles. If there’s none, admin needs to create a Delegate Admin Workflow as shown in Figure 1.
Figure 1. Configure a Delegation Workflow
Once the workflow is made online, login as SChang into the Service Center, go to the Delegation Tab and setup the Delegation Duties and Schedule. Select the User to whom you want to delegate your duties to, as shown in Figure 2 below.
Figure 2. Search for the appropriate user to delegate your duties to
You may resort to filtering / searching for specific users, if you know whom to delegate your duties to.
Once the user is selected, select the Role you want to Delegate to, as shown in Figure 3 below.
Figure 3. Select the Role that you want delegate
For Access Certification, the configuration is typically for the User Manager to do the Access Certifications, hence using User Manager as the role to delegate.
Once the role is selected, system will prompt you to specify the duration of delegation, as shown in Figure 4.
Figure 4. Specify Duration for Delegation
Once, you select the duration of delegation, go ahead and submit your Delegation Request, as shown in Figure 5.
Figure 5. Once duration is specified submit the request
Once the request is submitted, any relevant approval workflows will kick-in and once all approvals are in place, the delegation should be active per schedule.
Now, once the delegation kicks-in, there are some changes in the UI that Jacob will start to see. For instance, he would start seeing a new option in the Self Service Menu, as shown in Figure 6.
Figure 6. Act as a different user
As you can see, currently Jacob is performing the duties that Jacob should be doing for self and if intends to switch duties, he can click the Act as delegate for… option.
Jacob can still perform Certifications that he was slated to complete for his org, as shown in Figure 7 below.
Figure 7. Certification by Jacob as Jacob
At any given point of time, he can click on “Act as delegate for…” to launch a dialog where he can specify whose duties to perform. Refer Figure 8 for the dialog that shows up when he clicks on “Act as delegate for…”
Figure 8. Pick the User you want to Act As
Once you pick SChang here, the UI is re-rendered as if you have logged in as SChang and are performing his “User Manager” Actions.
Figure 9. Certification by Jacob as SChang
Notices that the same campaign looks with an entirely different set of records for Jacob. The Self-Service Menu Icon has changed and the options within the Self-Service Menu show more details on the Delegator, on behalf of whom, Jacob is doing the current set of tasks.
Once Jacob is done with his set of tasks, he can click on “Return to Self” and continue performing his duties as Jacob.