Secure Change Authorization
All requests in the self-service workflow system in ID-Synch® are reviewed and validated by an authorized person and approved before being applied to managed systems. An ID-Synch web form and automated e-mail notification system performs this approval workflow.
The identity of authorizers and the number of authorizers required for any given request, depends on customer business requirements:
- In a very simple configuration, all requests can be checked and approved
by a single, global entity, such as the help desk.
- In more complex deployments, groups of authorizers may be attached to resources or the organization chart. For example, authorizers may be associated with target systems, templates, roles or groups. There may be a requirement that someone in the requester's management chain, at a minimum level of authority, must approve all changes submitted by that requester.
ID-Synch supports importing organization chart data into a standardized internal representation. Typically this data is imported nightly. Having standardized data about management structure allows ID-Synch to easily be configured to draw managers into the change authorization and escalation processes without custom coding.
Regardless of what business logic is used to select authorizers, requests are routed to authorizers, who get an e-mail and periodic reminders, asking for review and approval. Authorizers click on an embedded URL in the e-mail, sign into ID-Synch with their network credentials, review the details of the requested change and either grant change approval or reject it.
Authorizers may temporarily or permanently delegate their responsibility -- for example when they leave for holidays or change job functions.
When an authorizer fails to respond to a change request, that request can be automatically escalated to another authorizer. Business logic can be implemented here as well or else a simple rule such as "escalate to the original authorizer's manager" can be used.
Authorizers may be granted partial or total veto power over a request. With partial veto power, their rejection of a change will block just those parts of the change that they were associated with, but other components can still be approved by their own authorizers. Global veto allows an authorizer to cancel a whole request, for multiple resources.
While parallel change authorization is the norm, it is also possible to configure ID-Synch to require serial authorization, by attaching additional authorizers to a change request after an initial set of authorizers have either approved or rejected it.