If you are a large company, automation is especially critical if you ever hope to keep accurate track of all of these approvals. Automation will also help you in providing better customer service because a workflow tool would automatically route requests to approvers and implementers without human intervention. This could save you hours or even days on the end-to-end processing of an access request. Also, by automating, you will have a centralized repository that can be used for a variety of reporting:
§ Users can investigate their requests to determine status, without bothering someone on your team to assist them.
§ You can run monthly reports of what was requested and approved or rejected for contribution to your audit repository. This is a big step in creating a self-service environment for the auditors because they can select sample users from the user reports you have posted, and then they can look up approvals from the workflow reports.
§ You will also be able to better track frequency of request types and durations for service delivery, which will help you improve your customer service.
Implementing automation of approvals and therefore of user access requests is no small matter. This will be a fairly large and involved process. You will need to decide between building your tool in-house or buying a product that is available in the marketplace. This decision will depend on the size of your company, the number and complexity of your requests, and the amount of time you have to implement the new tool before it becomes an audit finding or before your customers kill you. It will also depend on the internal resources that you have available to do development work and what the prospect is for adequate ongoing support of the tool. Realistically, unless your company's core competency is software development and you want to get into the workflow market, you will be better off evaluating the products on the marketplace and purchasing one that suits your needs.
When it comes to workflow for user management, there are three broad classes of products from which you can choose:
1. Built-in functionality in an identity and access management suite. Most of the large vendors provide a workflow component with their user provisioning product. The advantage of going with their built-in product is that it already may be included in the cost of the provisioning tool, and you will not need to deal with integration. The disadvantage is that many of the workflow tools that ship with user provisioning products are fairly limited in scope. Users will be able to request access and possibly hardware or software with that workflow, but nothing else. If you want to provide users with a single tool from which they can request anything they need, including telephone or cellular equipment, facilities services, and even technical support or supplies, you will want to forego the savings in integration in favor of a tool that will provide a better user experience.
2. Technical workflow tool. A number of products on the market are designed to be used as generic workflow products. They will support a variety of different kinds of workflows, from IT service requests to business interactions. The advantage is that they are highly robust and can handle even the most complex workflows, often graphically. The disadvantages are that you must build all of your workflows from scratch, possibly being offered a few templates and some guidance to assist you, and you would have an additional component in your environment to be integrated with the rest of your identity management solution.
3. Service catalog tool. A small number of products on the market are sold as service catalog tools. A service catalog is a listing of services that are typically provided by a particular business unit—in this case, IT. This line of tools, in addition to providing basic service catalogs in key IT areas out of the box, also tends to offer user-friendly Web interfaces and familiar shopping cart style applications. The advantages are that you may be able to build your services more quickly because you would not be starting from scratch, and you would provide a very friendly experience for your users, potentially eliminating or at least decreasing a variety of status inquiries and the possibility of mis-submitting requests. The disadvantages are that you still have the integration problem, and this line of tools has a somewhat more lightweight workflow capability. It may not be able to handle the most complex workflows in your environment.
Ultimately, what you choose will depend on how customer focused you are, how far reaching you want the workflow tool to be, and how much you have to spend. Any one of the three solutions described here will provide you with the control and reporting you need to meet your audit requirements if you appropriately configure your new tool and accurately account for your critical applications and their approval requirements. Thus, the decision hinges on your other priorities and strategic vision.
If the business is interested in implementing an enterprisewide workflow tool that can be used ubiquitously, go with the technical workflow tool. If you need to have a greater customer service focus, want to make things easy for your end users, and ubiquity is not a requirement, consider a service catalog product. If speed of implementation is a top priority, and you have a solution for providing a single user front end for your access request system and other IT requests or are not concerned with providing a single user front end, select an identity and access management suite with a strong workflow component and use that directly.
Regardless of your decision, be sure to document your requirements and selection decisions and also create an architecture document of your new product that explains how the workflow functionality works, how it prevents requests from being implemented prior to being approved, and what security mechanisms are in place to protect the data store of approval information. All of this documentation should be posted to your audit repository so that the auditors have easy access to the information.
