Position change request
End users can have promotion and demotion during their career. This information usually comes from HR system can can be stored in the user object. Fields that can support position change monitoring in OpenIAM are:
- Job Code (metadata based field)
- Title
- Employee type (metadata based field)
- Location code
- Location name
Administrator can configure field or combination field + supervisor changing in the System Configuration, tab workflow. Combination of field and supervisor changing means that position change request will be initiated only when both - field and supervisor got changed, this can happen even in two separate transactions. For example. user got title changed and then supervisor changed in a week, in this case request will be initiated at the moment of supervisor change. If user had initial value in the configured field and at some point value got changed (via change came from HR or modified directly via OpenIAM UI - doesn't matter), OpenIAM recognizes it as a position change and triggers position workflow initiation. Approval flow is defined in resource 'Review All Access Change Position'. If field is not selected in System Configuration position change request won't be ever initiated.
Important note here: OpenIAM position change request assumes review of current user's access and does not assume conformation of the position change.
Another configuration available in System Configuration, tab workflow is Include in Position Change request only role and groups requested from service catalog. When access requested through service catalog it is assigned to a user with a description equals to request ID. And then if the checkbox is enabled, workflow service will collect entitlements of user only where description is not empty. This is done to avoid review on position change user's birthright access.
Reviewer of position change request can approve - keep all current user's access mentioned in request, reject - revoke all user's access mentioned in request or partly approve (items marked as 'do not approve' will be revoked, other access will remain).