User access: executing a request
Executing a user access request.
A user access request might include an execution step.
According to the configuration (see ), this step might be executed:
- Automatically through a connector
- Manually
You can view a summary of the authorized requests. You can view two types of requests:
- Request ID
- Sub-Request ID
The Request ID, which is black, is the parent request. Parent requests (PR) are associated to one or more child requests (CR), which are called Sub-Requests and are red.
The requests that are generated during the authorization process can be characterized by different statuses, which are summarized in the following table:
| Status | Description |
|---|---|
| Approved | Request was successfully approved and is waiting to be processed. |
| Authorizable | Request is waiting for authorization. |
| Completed | Request was successfully propagated to the target system. It is a final status for the request. |
| Escalation | Request is being escalated because it contains incompatible roles. |
| Expired | Request exceeded the time limit that is specified by its Priority without being processed. |
| In execution | Request is waiting for the propagation to the target system. |
| Operation failed to complete | Completed request with faulty propagation to the target system. It is a final status for the request. |
| Partially Approved | Request with some sub requests in Approved status. |
| Partially Authorized | Request with some sub requests in Authorizable status. |
| Partially Completed | Request with all sub requests at end of lifecycle, some of them in Completed status and some of theme in Failed Completion status. |
| Partially Executed | Request with some sub requests in Executed status. |
| Partially Terminated | Request with some sub requests in Completed status and some in progress. |
| Pending | Source request is waiting for formalization by one or more approvers. |
| Rejected | Request can no longer be processed. It is a final status for the request. |
| Terminated With Reservation | This status includes all the requests that present an unclear or unexpected behavior. It is a final status for the request. |
Every request includes one or more subrequests. Subrequests are characterized by a status.
Figure 1. Subrequest status
| Status | Description |
|---|---|
| Authorizable | The request is waiting for authorization. |
| Completed | If the fulfillment is disabled, the action is completed. If the fulfillment is on Automatic, it means that the connector aligned every permission on the target system. If the fulfillment is on Manual, a human operator aligned every permission on the target system. |
| Expired | The request exceeded the time limit that is specified by its Priority without being processed. It needs to be escalated to an authorized approver. |
| Failed Completion | The connector failed to align all permission on the target system. |
| Incompatibility | The request contains incompatible roles. |
| Partially Completed | The connector failed to align some of the permissions. Others were successfully propagated. |
| Performed | The connector did not yet align the permissions on the target system. |
| Rejected | The request was rejected by the approver, and is not fulfilled. |
You can search specific requests with the following filters. Click Filter/Hide Filter and then click Search.
| Filter | Description | |
|---|---|---|
| Request ID | The Unique identifier of the request. | |
| Sub Request ID | A single request can generate from 1 to N subrequests. All are identified by a proper ID number. | |
| Applicant Identity | The identifier of the IAG actor who generated the request. | |
| Beneficiary Identity | The identifier of the beneficiary of the request. | |
| Type | The action that is requested. | |
| Status | The status of the sub request. | |
| Created between |
|
|
The results are displayed in the same frame, according to the following attributes:
| Attribute | Description |
|---|---|
| Request ID | Univocal identifier of the parent request. |
| Sub-Request ID | Univocal identifier of the child request. |
| Type | Type of request. |
| Applicant | Name of the applicant of the request. |
| Beneficiary | Name of the beneficiary of the request. |
| Created on | Date (dd/mm/yyyy) and hour (hh:mm) the request was created. |
| Status | Request Status. |
| Priority | The priority that is assigned to the request. |
Click Applicant and Beneficiary to open the User details window and show the following information:
| Detail | Description |
|---|---|
| Group | The organization unit to which user belongs |
| First Name | Names of user |
| Last Name | |
| User ID | Unique identifier of user |
| User Type | Information that helps describe the position of the user in the organization. Use it to indicate the user's title (User Manager, Security Officer) or - for external users - the type of relationship with the organization (for example, Business Partner, Customer, Supplier). |
| Address | Address details of user |
| City | |
| State | |
| Zip/Postal code | |
| Country | |
| Phone |
Click Request ID and Sub-Request ID to view the details.
The upper part of the frame shows the following information about the Actors of the Request:
| Box | Details |
|---|---|
| Request |
|
| Applicant/ Beneficiary/ Delegator/ |
|
| Modified Entitlement |
|
Note: The
Request Notes are not mandatory. If there are no notes in the request, the fields of the Request
Notes are blank.
Click the 
Info icon to open the User details window and show the
information in a set of tabs:
| Detail | Description |
|---|---|
| Group | The organization unit to which user belongs |
| First Name | Names of user |
| Last Name | |
| User ID | Unique identifier of user |
| User Type | Information that helps describe the position of the user in the organization. Use it to indicate the user's title (User Manager, Security Officer) or - for external users - the type of relationship with the organization (for example, Business Partner, Customer, Supplier). |
| Address | Address details of user |
| City | |
| State | |
| Zip/Postal code | |
| Country | |
| Phone |
| Details | Description |
|---|---|
 |
Click Info to open the Entitlement information window |
| Application | Type of application |
| Name | Name of the entitlement |
| Description | A brief description of the nature of the entitlement |
| Owner | Owner of the entitlement |
| Start Date | Start date of the assignation of the entitlement to the user |
| End Date | End date of the assignation of the entitlement to the user |
| VV | The  icon
denotes an entitlement in Role Alignment Violation |
| Detail | Description |
|---|---|
| Config.Name | Configuration name of the account |
| Code | Unique identifier of the account |
| Detail | Description |
|---|---|
| Name | Name of the activity |
| Path | Position of the activity in the Activity Tree |
| Description | Brief description of the activity |
| Detail | Description |
|---|---|
| Name | Name of the entitlement. |
| Value | This field is referred to the value of a right that is possibly associated to a permission, present in the list. |
| Application | Name of the parent application of the entitlement considered. |
| Group[Code] | The Organization Unit [Unique identifier of the OU] to which the user belongs. |
| Hierarchy | Name of the attribute hierarchy. |
The lower part of the frame shows the following information about the requests:
| Attribute | Description |
|---|---|
| Application | Type of application. |
| Name | Name of the entitlement. |
| Description | Brief description of the entitlement. |
| Owner | Owner of the entitlements that are involved in the Request. |
| Start Date | Start date of the assignment of the entitlement to the user. |
| End Date | End date of the assignment of the entitlement to the user. |
| VV | The icon denotes an
entitlement in Role Alignment Violation. |
| Group [Code] | Code of the node of the hierarchy, for example, the organization unit (OU) code in the hierarchy of OUs. |
| Hierarchy | Name of the hierarchy. |
| Details | For a selected entitlement, click:
|
Click the 
Info icon to open the Entitlement info window and
show the summarized information in the following set of tabs:
- Details
- Structure
- Activity
- Permissions
- Groups
- Rights
The Structure tab is always available. It shows the structure of the entitlement of the request. The other tabs are available only when the entitlement is characterized by Activities or Rights.
| Detail | Description |
|---|---|
| Name | Name of the entitlement |
| Application | Type of application |
| Description | Brief description of the entitlement |
| Owner | User who is responsible for the considered entitlement |
| Family | Family of the selected entitlement |
A generic Entitlement has a hierarchical structure.
The following list describes
the various types of entitlements:
- Permission
- It is the basic authorization object. It is defined as an authorized action on a protected object, such as reading and writing a local file or creating a connection.
- IT Role (Application Role)
- A collection of permissions that are defined in the context of
a single system or application. It can contain other IT roles of the
same application, in other words:
- IT Roles
- Permissions
- External Role
- A set of permissions and roles that are received from an external
application or target. It is conceptually like a business role, but
is received directly from a connected target. It can contain other
external roles, in other words:
- External Roles
- Permissions
Remember: Because an external role originates from without IBM® Security Identity Governance and Intelligence virtual appliance, it is handled as a unit. The permissions that constitute it cannot be separated from the role and handled individually. - Business Role
- Any combination of application permissions, IT roles,
external roles, and other business roles. Different business roles
can be defined in the same organizational unit. It can contain:
- Business Roles
- IT Roles (Application Roles)
- External Roles
- Permissions
The following icons represent these entitlements:
If notes about the considered entitlement are in the request, the 
Note icon is available. Click it to open the Notes
window and show the contents of the note.