For synchronization pipelines that use rules-based transformation, you can configure source events to require an extra manual approval step prior to the change being sent to target systems. The “Require Approval” option is used for this purpose and dictates that certain events must be approved by a specified set of users before they are applied to target systems. When a change associated with a rule that requires approval is detected in a source, the instance is published into the approvals queue and awaits action. All users that are required to act on the event, must be assigned to the Approvers role and use the Approvals application to act on the event before it expires. If the change is approved, it is processed, removed from the queue and published to the target(s). If it is rejected, the change is aborted and the message is deleted from the queue. A high-level diagram of the process is shown below.
The approval queue is automatically created as needed.
Any user located in the RadiantOne virtual namespace that is a member of the Approvers group can be an approver. In the following example, the ICS Admin user is made an approver.
To manage the Approvers group:
- In the Main Control Panel, go to the Directory Browser tab.
- Expand cn=config,ou=globalgroups.
- Select cn=approvers.
- Click the Manage Group button. The Manage Group window displays.
- Click the Add Member(s) button.
- Click the Expand Tree button. The RadiantOne namespace displays on the right.
- In the namespace, navigate to the location of the user that you want to approve events. In this example, the location cn=config,ou=globalusers is selected.
- Click the Find Now button.
- Select the entry you want to approve events and click the Move selected entry down button. In this example, uid=icsadmin,ou=globalusers,cn=config is selected.
- Click the Confirm button. The member is displayed in the cn=approvers group.
- Click Confirm again to commit the change.
If you want the approver to receive an email alert when they have pending approvals, the user account must have a valid email address (mail attribute).
To enable email alerts for approvers, SMTP must be configured.
- Navigate to the RadiantOne Main Control Panel > Settings tab > Monitoring > Email Alerts Settings.
- Enter your SMTP settings (host, port, user, password, from email and to email) in the Email Alerts (SMTP Settings) section.
- Click Save.
- If you would like to test your settings, click Send Test Email.
For security and audit purposes, it is not advised to connect to your mail server anonymously (leaving user and password >properties blank in the Email Alert Settings).
Insights, Reports and Administration Portal
The RadiantOne Insights, Reports and Administration portal is designed for power users and administrators that are in charge of identity management tasks such as approving synchronization events (e.g. creation of new accounts in target systems) or auditing group memberships.
To access the portal, navigate in a web browser as follows (replacing radiantoneserver with your actual server name) and enter your login credentials.
You can access the portal on any RadiantOne cluster node. User to DN mapping must be properly configured so that the approver can login with their user ID and not require their full DN.
The applications currently available in this portal are Approvals and Global Identity Viewer. A brief description of each application is provided below.
When a change associated with a rule that requires approval is detected in a source, the instance is published into the approvals queue and awaits action. Approvers use the Approvals application to accept or reject events.
Approvers log into the Insights, Reports and Administration Portal and click the Approvals icon.
The pending events assigned to the approver are displayed.
The user must approve or reject the event. This can be done using the
to reject an event or the
to accept an event.
Check boxes in the column on the far left can also be used. If you check the box in the column header, options include “Select Current Page”, “Select Everything”, “Unselect Current Page”, and “Unselect Everything”. Then select an option from the Select Bulk Action drop-down menu (Approve All or Reject All).
To fetch additional pending modifications, click the Refresh button.
After acting on all events, click Submit Changes and then Yes to confirm the updates.
Approved events are processed by the sync engine and applied to the target.
Approval Audit Log
The actions taken by approvers is logged. Logging is enabled by default and the log file is:
Global Identity Viewer
RadiantOne includes an easy-to-use, web-based application named the Global Identity Viewer that facilitates searching for identities and/or groups across all data sources that have been integrated in a Global Identity Builder project. When a query returns an identity, a list of tabs display for the selected user based on how many identity sources the user has an account in. If the identity is found in the global profile list, the attributes corresponding to this account display on the Global Profile tab. The names of the other tabs indicate the identity source’s “friendly name” as configured in the Global Identity Builder project. When a tab is selected, the identity attributes and group membership associated with the user’s account in that particular identity source are displayed. In the diagram below, a user identified as Brian Carmen has an account in the RadiantOne global profile store, and accounts in identity sources named adpartnerdomain, ldap, and azuread. The example shows the adpartnerdomain tab selected and Brian’s attributes from that particular data source returned. For more details on the Global Identity Viewer, see the RadiantOne Global Identity Viewer Guide.