This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
AndriiDrobenko1
Beginner
Beginner
‎2021-02-03 05:15 AM

manual fulfilment sub action

Jump to solution

All, 

 

We have one application that is using AD groups for authorization, though accounts should be manually created on local DB of application prior to that.

So once user account is added to AD group, in order to get this access to work same user account should be added to application itself.

For AD group membership can use OOTB automatic AFX provisioning, now we also would like to add sub action - manual fulfilment step assigned to app owner to complete user provision on the app itself. 

What would be the best way to implement this? - ideally, we want to keep this sub action as a part of provisioning workflow.

 

Regards 

Andrii Drobenko

Labels (1)
Labels
0 Likes
Reply
1 Solution

Accepted Solutions
AhmedNofal
Moderator Moderator
Moderator
In response to D.S.9
a month ago

Jump to solution

I'd add as well some local entitlements in a separate application where those local entitlements would represent provisioning/de-provisioning of DB accounts (whether done manually or automatically via AFX), so you have a CR item in your CR (for an example of a CR containing the Add account to group and manual DB user creation activities) that states that this local entitlement (let's name it Create - DB User) is being added to the user along with adding the user's account to the authorization group, so you know from a CR & User Access governance standpoint that this user had a DB account created for the user.

Are you collecting those DB/application users (accounts) or it is just a manual activity at the moment to be issued to the application admin to manually create those users on the app side?

View solution in original post

0 Likes
Reply
5 Replies
D.S.9
Frequent Contributor Frequent Contributor
Frequent Contributor
a month ago

Jump to solution

Should be fairly simple. You can add manual activity node which can be assigned to app owner to complete the task. However, this item cannot be verified. Make sure to use manual activity instead of manual fulfillment. Manual fulfillment will most likely auto complete as the actual fulfillment (add account to group) is already completed here. You can also automatically provision this create account if you set up a database connector and use provisioning command. 

0 Likes
Reply
AhmedNofal
Moderator Moderator
Moderator
In response to D.S.9
a month ago

Jump to solution

I'd add as well some local entitlements in a separate application where those local entitlements would represent provisioning/de-provisioning of DB accounts (whether done manually or automatically via AFX), so you have a CR item in your CR (for an example of a CR containing the Add account to group and manual DB user creation activities) that states that this local entitlement (let's name it Create - DB User) is being added to the user along with adding the user's account to the authorization group, so you know from a CR & User Access governance standpoint that this user had a DB account created for the user.

Are you collecting those DB/application users (accounts) or it is just a manual activity at the moment to be issued to the application admin to manually create those users on the app side?

View solution in original post

0 Likes
Reply
JamiePryer
Moderator Moderator
Moderator
a month ago

Jump to solution

Not sure if this content also helps too? https://community.rsa.com/community/products/governance-and-lifecycle/exchange/recipes/blog/2020/04/... 

0 Likes
Reply
AndriiDrobenko1
Beginner
Beginner
In response to AhmedNofal
a month ago

Jump to solution

hi Ahmed, 

 

That's exactly how I thought it should be done - will try to configure that somewhere next week and will let you know the result. In our case most probably we'll go for manual fulfillment sub-action, as that a network mgmt device we're taking about and we are not collecting users from it.

 

Andrew 

0 Likes
Reply
AndriiDrobenko1
Beginner
Beginner
In response to D.S.9
a month ago

Jump to solution

Thanks for suggestion, Shrestha, indeed that would work, but in this case requestor will not be able to see if his/her request is actually fulfilled, as it will be completed once AFX added it to group.

 

Andrew 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.