RapidIdentity Workflow Governance Requests Use Cases
  • 11 Oct 2023
  • 2 Minutes to read
  • Dark
    Light

RapidIdentity Workflow Governance Requests Use Cases

  • Dark
    Light

Article summary

Workflow governance requests are standardized forms and workflows that request input and perform repeatable, auditable tasks. These tasks can be configured to require one or more levels of approval, although approval isn’t required. Time limits can be applied to automatically revoke elevated rights or permissions.

The following are examples of how RapidIdentity customers are using Requests:

Privileged Account Management 

Request elevated permissions in any application, such as Domain Admin in Active Directory, Google Super Admin, and others. This can be accomplished through security group membership, or by enabling a separate admin account used only for elevated rights.

Approval: one or more approvals are required depending on the level of access requested

Time limit: 2-4 hours, then the group membership is revoked or the admin account is disabled.

MFA Registration

Allow staff to self-select alternate multi-factor authentication methods. For example, the baseline MFA method for everyone is TOTP (Authenticator app). Staff are given workflows to self-select SMS, PingMe, email, or any other method they prefer. Workflows are also given to staff to deregister from the alternate methods.

The form collects a mobile number for SMS, a personal account for email, and other criteria as needed, and stores them in the metadirectory.

Approval: Usually not required

Time limit: none

Substitute Assignments

Long-term substitute teachers (anyone assigned to a school for more than 5-10 days) often need the same rights and access as the teacher they are temporarily replacing, such as email group membership, access to network or Google files, door access, and others. The form collects the username of the sub, the location/department/job code where they are assigned, and an expiration date for when their assignment is due to expire.

Approval: May be required of the building’s administration or office manager

Time limit: The maximum number of days/weeks/months a sub will be assigned (usually the length of a school year)

Request Forms

MAC address requests

Approval: None

Time limit: None

Role Membership Requests

One-off requests to be added to any security or email group (Role) for any reason.

Approval: May or may not require approval

Time Limit: Max length of a school year to prevent “scope creep”, giving users indefinite rights

Rotation of SROs

Rotation of school resource officers (similar to long-term sub assignments)

Approval: May be required of the building’s administration or security department

Time limit: The maximum number of days/weeks/months an SRO will be assigned (usually the length of a school year)

File Shares/Folders Permissions

Granting access to file shares/folders (if using local windows file systems)

Approval: May or may not require approval depending on the nature of the files

Time Limit: Max length of a school year to prevent “scope creep”, giving users indefinite rights

Critical Applications

Annual recertification of access for critical applications (HR/Payroll/Finance).

Approval: Requires the department head’s approval

Time Limit: Max length of one year to prevent “scope creep”, giving users indefinite rights

System Status Queries

Requests can be used to query the status of downstream systems to confirm accounts exist and that the status in that system matches what’s in RapidIdentity. For example, a query can be run to verify that an account that exists in RapidIdentity, also exists in Google, and the active status of the account in both systems agree with each other.

Approval: None

Time Limit: None


Was this article helpful?


ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence