- 19 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
Mover (Internal Role Change)
- Updated on 19 Nov 2024
- 3 Minutes to read
- Print
- DarkLight
- PDF
This article will walk you through how the default workflow that governs the Mover process works. Each aspect of the workflow will be explained, including the available options for configurable steps.
Workflows
Default Workflow
This section will provide details for the default configuration of the Identity Modified workflow.
Default Workflow Steps
Each Step of the workflow is outlined in the following table:
Class | Name | Description | Optional/Required |
---|---|---|---|
Trigger | Identity Modified | This trigger picks up anytime attributes on the Identity are detected, not limited to changes with your Organizational Units. | Required |
Action | Find/Create Role | Find or Create a new Role for the Identity that triggered the workflow, then move the Identity to that Role. Note: If attributes used for your Organizational Units are not changed, then this action will not result in the Identity changing roles, or new roles generated. | Required |
Action | Re-Provision Identity* | Provision new access, and remove old access. *See the section below for more details. Note: If attributes used for your Organizational Units are not changed, then this action will not result in any changes to access. | Optional (required for Lifecycle Manager) |
Action | Push Identity Attributes | Post/Update Identity Attribute changes that were detected to the Downstream Applications that support it (as appropriate for this Identity that triggered the workflow). | Optional |
Action: Re-Provision Identity
The following options for the Re-Provision Identity action in the workflow govern if and when Entitlements from the previous role will be removed. This action will only results in changes to access when the trigger event for the workflow involves changes to the attributes which determine Role Membership (Ex: Department, Job Title, etc.)
Options | Description |
---|---|
never | Entitlements outlined in the previous role will be converted to Grant Type: Exception, and not removed automatically by Clarity. |
immediate | Entitlements outlined in the previous role (which is not present in the new role) will be immediately removed during this workflow action. |
custom | You choose the number of days Entitlements outlined in the previous role will be converted to Grant Type: Exception, and receive an expiration date for automatic removal by Clarity. |
Existing Exceptions
If an Identity already has Exceptions present, these will be retained during the Movers process as they were granted to this user outside the scope of their Role.
Testing
To test out the Mover actions you will want to configure the Action: Re-Provision Identity step to match your requirements for retaining previous access. You can also check out our guide: Mover Testing for information on how to test, and which Reports might be useful.
Before Testing
You may want to add a Condition to the workflow during testing, so that only a specific group of Identities (such as those designated for testing) is allowed to reach the provisioning or attribute push steps.
Need Help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.