RapidIdentity Workflow Governance Requests Use Cases
- 11 Oct 2023
- 2 Minutes to read
- Print
- DarkLight
RapidIdentity Workflow Governance Requests Use Cases
- Updated on 11 Oct 2023
- 2 Minutes to read
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Workflow governance requests are standardized forms and workflows that request input and perform repeatable, auditable tasks. These tasks can be configured to require one or more levels of approval, although approval isn’t required. Time limits can be applied to automatically revoke elevated rights or permissions.
The following are examples of how RapidIdentity customers are using Requests:
Privileged Account Management | Request elevated permissions in any application, such as Domain Admin in Active Directory, Google Super Admin, and others. This can be accomplished through security group membership, or by enabling a separate admin account used only for elevated rights. Approval: one or more approvals are required depending on the level of access requested Time limit: 2-4 hours, then the group membership is revoked or the admin account is disabled. |
|---|---|
MFA Registration | Allow staff to self-select alternate multi-factor authentication methods. For example, the baseline MFA method for everyone is TOTP (Authenticator app). Staff are given workflows to self-select SMS, PingMe, email, or any other method they prefer. Workflows are also given to staff to deregister from the alternate methods. The form collects a mobile number for SMS, a personal account for email, and other criteria as needed, and stores them in the metadirectory. Approval: Usually not required Time limit: none |
Substitute Assignments | Long-term substitute teachers (anyone assigned to a school for more than 5-10 days) often need the same rights and access as the teacher they are temporarily replacing, such as email group membership, access to network or Google files, door access, and others. The form collects the username of the sub, the location/department/job code where they are assigned, and an expiration date for when their assignment is due to expire. Approval: May be required of the building’s administration or office manager Time limit: The maximum number of days/weeks/months a sub will be assigned (usually the length of a school year) |
Request Forms | MAC address requests Approval: None Time limit: None |
Role Membership Requests | One-off requests to be added to any security or email group (Role) for any reason. Approval: May or may not require approval Time Limit: Max length of a school year to prevent “scope creep”, giving users indefinite rights |
Rotation of SROs | Rotation of school resource officers (similar to long-term sub assignments) Approval: May be required of the building’s administration or security department Time limit: The maximum number of days/weeks/months an SRO will be assigned (usually the length of a school year) |
File Shares/Folders Permissions | Granting access to file shares/folders (if using local windows file systems) Approval: May or may not require approval depending on the nature of the files Time Limit: Max length of a school year to prevent “scope creep”, giving users indefinite rights |
Critical Applications | Annual recertification of access for critical applications (HR/Payroll/Finance). Approval: Requires the department head’s approval Time Limit: Max length of one year to prevent “scope creep”, giving users indefinite rights |
System Status Queries | Requests can be used to query the status of downstream systems to confirm accounts exist and that the status in that system matches what’s in RapidIdentity. For example, a query can be run to verify that an account that exists in RapidIdentity, also exists in Google, and the active status of the account in both systems agree with each other. Approval: None Time Limit: None |
Was this article helpful?