Access Request provisioning by IDM and GRC

Access Request provisioning by IDM and GRC with same provisioning settings

Purpose

This document explains different scenarios for provisioning either done by IDM or by GRC, with the fact that you cannot change the auto provisioning settings for the system.

Example: Firefighter ID provisioning needs to be done by GRC but the User/Role provisioning needs to happen from IDM, with risk analysis in GRC, the auto-provisioning settings for the system remain the same, Auto-provisioning is set as YES.

Overview

Access request scenarios can be configured in a variety of ways depending on the provisioning settings for the concerned backend system which can provide provisioning either by the GRC system if auto provisioning is set to YES, and if set to NO, you can have the provisioning done by the IDM and not by GRC.

This document helps to understand how can we achieve some provisioning by GRC and rest by the IDM. Example used here would be for Firefighter ID provisioning and User/Role provisioning.

NOTE: The Auto-provisioning settings in IMG would remain same for both the scenarios, setting as YES. Refer to the following screen capture.

Functional requirement

The two functional scenarios have been highlighted as below.

Important to understand: this document highlights these two scenarios where Auto-provisioning for the system remains YES for both the requirements.

This above screen capture is an IMG setting within User Provisioning.

Firefighter ID provisioning performed by GRC

To achieve firefighter id provisioning by GRC, you would have to follow the regular configuration of Auto-provisioning setting set as YES, at the provisioning settings at system level in the IMG.

By this configuration, the access request can be provisioned as a regular from GRC and the Firefighter ID assignment will happen in the target backend system, with auto-provisioning settings set as YES. If you set the auto-provisioning for the backend system as NO, the Firefighter ID assignment will not happen.

User and Role provisioning performed by IDM - consuming risk analysis within GRC.

This scenario for user/role provisioning exist in continuation with the above configuration, where the auto-provisioning setting is kept as YES (in IMG).

Now with the above constraint of not having to change the auto-provisioning setting, ideally the roles provisioning would be performed by GRC only, which would be similar to firefighter id provisioning. But, as per the requirement, you want user/role provisioning to happen only by IDM and not by GRC.

Way to achieve

To achieve firefighter id provisioning by GRC and user/role provisioning by IDM, with Auto provisioning set to YES (in IMG), you need to change the "Allow Auto-provisioning" setting in BRM (open the role in change mode) and set this to NO. Once you have set the "Allow Auto-provisioning" to NO, the roles will not be provisioned to the user even if the Auto-provisioning is set to YES, at the system level in IMG.

Below screen refers to the "Allow Auto-provisioning" setting by opening the role in change mode via NWBC.

PS: You might have to mass update your roles to maintain the "Allow Auto-provisioning" setting to NO to configure this setting for all/multiple roles. (try mass role import).

As a pre-requisite, you need to understand the provisioning settings in IMG. You can configure the provisioning at the system level, rather than global level.