Figure [link] shows how the Hitachi ID Identity Manager request portal can allow a requester to compare groups, roles and accounts between a request's recipient and an existing, reference (model) user. The requester selects from those items which differ between the model user and recipient to formulate a request which is then submitted to the workflow engine for validation and approval prior to fulfillment.
There are two key technical elements in this process:
- Encouraging requesters to judiciously select some entitlements from a model user, to request on behalf of the recipient.
- Limiting the set of recipients and model users available to a given requester, typically based on the relationships between requester/recipient and requester/model, but possibly also based on the relationship between recipient/model.