Archive for December, 2012

Notification and Denotification in IAM and IAG

December 27, 2012 2 comments

During a PoC in Canada in October i was talking with the hosting program manager around issues regarding Notification and Denotification in IAM and IAG suites. The discussion came up while discussing the following use case (excerpt):

An employee is requesting access to an resource by using the web based access request portal of an IAM / IAG suite. The access request needs to approved by a group of approvers. Unfortunately for the employee, none of the approvers is available due to whatever reasons. After an defined timeout the access request approval needs to be escalated to another group of approvers for an escalation approval. The former approvers should be notified that no further action is required from their side.

 When discussing this use case with the PoC hosting program manager to gather some background information about the denotification behavior he told me that this functional request is only based on the lack of some individuals, that might not understand that there are others in an enterprise having the same “power” like themselves to approve or recertify access for a bunch of employees. Personally i don’t see any need to have such an behavior implemented based on an pretty simple fact:

By using my favorite IAM / IAG suite an calculated approver has different ways to approve or deny an access request:

  • using the “approve” or “deny” button (hyperlink) in the notification email of an new incoming access request
  • using the approve or deny capabilities of the web based access request portal

Based on those two ways an potential approver could face two situations:

  1. None of the other approvers did an decision on the access request
  2. One of the other approvers or an approver in an escalation case already approved or denied the access request

Let’s have a brief look on those two scenarios from an approvers perspective.

Scenario 1

The approver is getting an email notification telling him about a new incoming access request which needs to be approve or deny. This can be done directly out of the notification email or by using the web based access request portal. Anyways, as soon as the approver is deciding the access request with an approval or denial, the access request moves forward within the request process.

Scenario 2

The approver was out of office for some days and might not have checked emails. Being back in the office, the approver is checking outstanding emails, discovering an approval request email. While clicking the button (hyperlink) to approve or deny the request, the system will tell the approver that this decision was already done and there is no outstanding request approval for (at least) this dedicated access request. This might be the case if another of the calculated approvers or an escalation instance already approved or denied the request or the request was cancelled by the requester (some rumors are telling stories of requesters canceling requests).

Both scenarios are pretty much the same from an requesters perspective and both are also pretty common from an approvers perspective. But right now the PoC hosting program manager was cutting the discussion: for scenario 2, when someone else already approved or denied the access request they requested an feature sending an identification email to the former approvers that there is no further action required from their side.

Based on the “story book” of potential approvers who are not that smart, i answered this feature request pretty short: “If you want us to turn the IAM / IAG suite into an spam machine, no problem. But you might face the situation that you might reconfigure that behavior pretty soon after go-live.” So our discussion kicked off and we did spent nearly the whole lunch break to discuss advantages and disadvantages from our perspectives. In the end we both agreed into the following statement: “We could setup the IAM / IAG suite to send notifications as well as denotifications.” But we skipped the denotification for the PoC as this would have been just an additional email workflow to the notification emails which were already sent by the system.

I have to admit that there might be some cases when an denotification might become a use case in the IAM / IAG scope but those scenarios are very limited from my perspective.

Whats your opinion on that? Let’s discuss in the comments.

Categories: IAG, IAM, IDM, Strategy