Mover (Internal Role Change)
  • 19 Nov 2024
  • 3 Minutes to read
  • Dark
    Light
  • PDF

Mover (Internal Role Change)

  • Dark
    Light
  • PDF

Article summary

This article will walk you through how the default workflow that governs the Mover process works.  Each aspect of the workflow will be explained, including the available options for configurable steps.


Workflows

Default Workflow

This section will provide details for the default configuration of the Identity Modified workflow.

Default Workflow Steps

Each Step of the workflow is outlined in the following table:

Class

Name

Description

Optional/Required

Trigger

Identity Modified

This trigger picks up anytime attributes on the Identity are detected, not limited to changes with your Organizational Units.

Required

Action

Find/Create Role

Find or Create a new Role for the Identity that triggered the workflow, then move the Identity to that Role.

Note: If attributes used for your Organizational Units are not changed, then this action will not result in the Identity changing roles, or new roles generated.

Required

Action

Re-Provision Identity*

Provision new access, and remove old access. *See the section below for more details.

Note: If attributes used for your Organizational Units are not changed, then this action will not result in any changes to access.

Optional

(required for Lifecycle Manager)

Action

Push Identity Attributes

Post/Update Identity Attribute changes that were detected to the Downstream Applications that support it (as appropriate for this Identity that triggered the workflow).

Optional

Action: Re-Provision Identity

The following options for the Re-Provision Identity action in the workflow govern if and when Entitlements from the previous role will be removed.  This action will only results in changes to access when the trigger event for the workflow involves changes to the attributes which determine Role Membership (Ex: Department, Job Title, etc.)

Options

Description

never

Entitlements outlined in the previous role will be converted to Grant Type: Exception, and not removed automatically by Clarity.

immediate

Entitlements outlined in the previous role (which is not present in the new role) will be immediately removed during this workflow action.

custom

You choose the number of days

Entitlements outlined in the previous role will be converted to Grant Type: Exception, and receive an expiration date for automatic removal by Clarity.

Existing Exceptions

If an Identity already has Exceptions present, these will be retained during the Movers process as they were granted to this user outside the scope of their Role.

Testing

To test out the Mover actions you will want to configure the Action: Re-Provision Identity step to match your requirements for retaining previous access. You can also check out our guide: Mover Testing for information on how to test, and which Reports might be useful.

Before Testing

You may want to add a Condition to the workflow during testing, so that only a specific group of Identities (such as those designated for testing) is allowed to reach the provisioning or attribute push steps.


Need Help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.


Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.