Access request for new account

jolan · June 13, 2023, 2:59am

Hi,

Is there a way to setup access request in Identity Governance to allow end user to submit request for a new account.

As per my understanding, current Identity Governance access request OOTB setup is focus on role-based request.

My situation is where an user can have multiple AD accounts. Where by default user have its own AD account which represented/mapped to FR OOTB user managed object. In this case, is there any way/workaround to meet this requirements?

salbertelli01 · July 3, 2023, 3:06pm

Hi @jolan,

Thank you for your question about setting up IGA to allow end user to submit request for a new account. I understand your use case involves users having multiple AD accounts, each with their own AD account mapped to the Identity Governance OOTB user-managed object.

To better address your needs, I will consult with our internal teams to explore if there are any recommendations or alternative approaches to meet your requirements effectively or if raising a support ticket would be the best course of action.

I appreciate your patience. I will update you as soon as I have the relevant information. If you have any additional information or specific details about your setup, please feel free to share them, as they may be helpful in our assessment.

TIA

Cheers,

Sheila

jolan · July 4, 2023, 6:22am

Thanks Sheila for helping out on this. Hope to hear from you soon.

Here are few key requirements I have in my projects in using IDM+IGA.

Access request for a system account. (this is related to multiple AD account as well)
Enabling/Disabling user account (inclusive other own system account) - This is in the context of user of being away from organization for a temporary period. But in FR IDM/IGA do not have such placeholder to allow such action to be done. As I know, in IDM there is only between create and delete. Not sure if the team have better solution to be suggested on this as well.

Thanks again

salbertelli01 · July 5, 2023, 5:36pm

Hi Jolan,

Thank you for supplying us with the additional details regarding the key requirements. I have promptly communicated this information to our internal teams for recommendations. I will update you here as soon as I have the pertinent information.

Thank you!
Sheila

salbertelli01 · July 13, 2023, 4:25pm

Hi Jolan,

I appreciate your patience. After consulting with our internal IGA team to explore your use case and potential solutions, we have identified the following insights:

In self-managed environments, there is no concept of accounts/multiple accounts and, therefore, not inherent to IGA (Identity Governance and Administration). As a result, IGA does not provide built-in support for handling these scenarios. However, customers often address these requirements through customizations tailored to their specific needs.

It’s worth noting that some customers have successfully implemented workarounds.

One example is creating an account MO (Managed Object), associating it with a role, and making the role requestable in IGA. This workaround allows for managing multiple accounts effectively.

However, it is possible that there are other scalable workarounds members have tried.

I hope this suggested workaround helps. If you need further guidance with the workaround or have additional questions, may I suggest raising a Support ticket.
Our support team will be better equipped to provide you with the best guidance on the workaround for your use case.

For assistance with raising a support ticket, please see the following support article:
Best practice for raising an Identity Platform ticket with ForgeRock Support

Thank you,
Sheila