Access Manager is designed for self-service access requests by an AuthUser. A user's manager, system owner, or an Access Manager administrator can also request access on the user's behalf.
An AuthUser can view a list of available approvable relationships that they can request access to.
Each approvable relationship has a default ApprovalChain that has one or more ApprovalPolicy(s) that specify which users or groups need to provide approval before access is provisioned. The default ApprovalChain is designed to specify the full series of approvals needed for any user.
If a user is a member of a pre-approved group that should have access to a system, either automatically without an ApprovalTransaction or with a reduced number of approvals, one or more ApprovalChain(s) can be added to an approvable relationship that have a list of ApprovalPolicy(s) and specify which AuthGroup the user must be a member of to use that
When a user requests access to an approvable relationship, Access Manager will loop through the associated ApprovalChain(s) and check if the AuthUser is a member of an AuthGroup that is associated with one of the ApprovalChain(s). If no match is found, the default ApprovalChain for the approvable relationship will be used.
ApprovalChain is determined, an ApprovalFlow is created with ApprovalFlowTransaction child records. The ApprovalFlow is the sequence of users or groups that must approve access. An ApprovalFlowTransaction is the audit log entry of who needs to approve and what date and time they approved or denied the request.
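The chain selection and flow creation described above, as an added Python sketch that is not Access Manager's own code. The dataclasses are stand-ins for the models named on this page; it assumes the first matching chain in list order wins and that a chain with no policies grants access automatically, and the group and approver names are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
@dataclass
class ApprovalPolicy:
    approver: str                      # user or group that must approve

@dataclass
class ApprovalChain:
    name: str
    policies: list                     # empty list = no approvals needed
    auth_group: Optional[str] = None   # None marks the default chain

@dataclass
class ApprovalFlowTransaction:         # audit entry: who decides, what, and when
    approver: str
    state: str = "pending"             # pending / approved / denied
    decided_at: Optional[datetime] = None

@dataclass
class ApprovalFlow:
    user: str
    chain: str
    transactions: list = field(default_factory=list)
    def decide(self, approver, approved):
        for t in self.transactions:
            if t.approver == approver and t.state == "pending":
                t.state = "approved" if approved else "denied"
                t.decided_at = datetime.now(timezone.utc)
    def provisionable(self):
        # all() of an empty list is True, so a zero-policy chain auto-approves
        return all(t.state == "approved" for t in self.transactions)

def select_chain(user_groups, chains, default):
    for chain in chains:
        # A chain with no group is skipped so a misconfigured one never matches everyone
        if chain.auth_group and chain.auth_group in user_groups:
            return chain
    return default                     # no match: full series of approvals

def create_flow(user, user_groups, chains, default):
    chain = select_chain(user_groups, chains, default)
    # One pending audit record per policy on the selected chain
    txns = [ApprovalFlowTransaction(p.approver) for p in chain.policies]
    return ApprovalFlow(user, chain.name, txns)

# Constructed sample data (hypothetical groups and approvers)
DEFAULT = ApprovalChain("default", [ApprovalPolicy("manager"), ApprovalPolicy("system-owner")])
CHAINS = [ApprovalChain("sre-preapproved", [], "sre"),
          ApprovalChain("eng-reduced", [ApprovalPolicy("system-owner")], "engineering")]
```

Because the group-scoped chains bypass or shorten the default approvals, membership of the matching AuthGroup is effectively an approval in itself and deserves the same review as the chain configuration.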
ApprovalFlow uses template metadata from the ApprovalChain and creates ApprovalFlowTransactions using template metadata from the ApprovalPolicy(s) attached to the