Figure 1. Provisioning Overview.
The system recognizes three distinct classes of users requiring access to enterprise applications. The user classes are HHS employees, contractor employees, and partner employees. The figure at left shows the activity diagram and provides an overview of the workflow for the provisioning process.
Though the workflows are different for the 3 different types of users, each workflow begins with the user opening a browser link to the Enterprise Portal, where they will identify the type of user. The activities and administrators involved in the provisioning of Portal access are then dependent upon the type of user making the request.
Figure 2. Provisioning HHS Employee Portal Access.
The Figure at left depicts the activity flow for an HHS employee requesting access to the Portal. You will note that the provisioning process for Portal access is completely automated for the HHS employee.
Figure 3. Provisioning Contractor Portal Access.
Contractor employees requiring access to the Portal follow a workflow similar to the one shown above. In this example, the contractor user initiates a request for access to the Enterprise Portal. The system then prompts the contractor user for username, first and last name, email address, supervisor's name and supervisor's email. Once the requested information is entered, the system verifies the existence of the supervisor and the uniqueness of the username. If the username is unique, i.e., does not already exist in the system, an automated prompt is sent to the Enterprise Security Management (ESM), who will again verify the supervisor and approve the request.
Figure 4. Provisioning Partner Employee Portal Access.
The fully automated Enterprise Portal provisioning process for partner employees is shown at the left. The partner employee provisioning process is similar to the contractor provisioning process in the type of data requested from the user. The user initiates the process by requesting Portal access; the system then prompts the user to enter their vendor tax ID, username, first and last names, email address and phone number. After the user has entered the requested data, the system verifies the existence of the partner organization (i.e., the vendor tax ID exists in the system), then determines if the username is unique (i.e., not already in use). If the username is unique, the system emails the user a one-time password.
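The contractor and partner checks described above, sketched as an added example (not code from the system itself). The `Directory` store, the outcome names, the rejection behaviour and the case-folded username comparison are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for the identity store (not the real system's schema)."""
    usernames: set = field(default_factory=set)
    supervisor_emails: set = field(default_factory=set)
    vendor_tax_ids: set = field(default_factory=set)

# Fields each workflow prompts for, as listed in the text above.
REQUIRED = {
    "contractor": ("username", "first_name", "last_name", "email",
                   "supervisor_name", "supervisor_email"),
    "partner": ("vendor_tax_id", "username", "first_name", "last_name",
                "email", "phone"),
}

def request_portal_access(directory, user_type, form):
    """Return (outcome, detail) for a contractor or partner portal request."""
    if user_type not in REQUIRED:
        return ("rejected", "unsupported user type")
    missing = [f for f in REQUIRED[user_type] if not str(form.get(f, "")).strip()]
    if missing:
        return ("rejected", "missing fields: " + ", ".join(missing))
    # Step 1: the sponsoring supervisor or partner organization must exist.
    if user_type == "contractor":
        if form["supervisor_email"].strip().lower() not in directory.supervisor_emails:
            return ("rejected", "supervisor not found")
    elif form["vendor_tax_id"].strip() not in directory.vendor_tax_ids:
        return ("rejected", "partner organization not found")
    # Step 2: the username must be unused. Case-folding is an assumption of
    # this example so that "JDoe" and "jdoe" cannot coexist.
    username = form["username"].strip().lower()
    if username in directory.usernames:
        return ("rejected", "username already in use")
    directory.usernames.add(username)  # assumption: reserve the name right away
    # Step 3: contractors wait for ESM approval; partners get a one-time password.
    if user_type == "contractor":
        return ("pending_esm_approval", username)
    # Returned so the caller can email it; it should never be written to logs.
    return ("otp_emailed", secrets.token_urlsafe(12))
```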
Like provisioning of Enterprise Portal access, the provisioning of user access to applications differs for each type of user and the application being provisioned. In each case the user initiates the request for access. Granting of access requires Supervisory and Application Administration personnel to access the ITIM system. The workflows for each of the three types of employees are shown in the activity diagrams below.
Figure 5. HHS Employee and Contractor Application Provisioning.
Here the user initiates the request for access to an application through the Enterprise Portal, and their supervisor receives an email notification from the system of a pending action. The supervisor then logs onto the ITIM and navigates to the To Do List to approve the request. Upon approval, the request is forwarded to the Application Administrator. The Application Administrator then logs onto the ITIM, navigates to the To Do List, approves the access and assigns a role.
If either the supervisor or the Application Administrator fails to act on the request, an automated escalation process involves Enterprise Security Management.
Figure 6. Partner Employee Application Provisioning.
The Application Provisioning process for Partner employees differs from the two processes described above in that no Supervisory approval is needed. Instead, a First Level Approver from the partner organization approves application access. Once the user is granted access to the Enterprise Portal, they then request access to an application. The Application Administrator then approves the request and assigns a role to the user. The activity diagram in the figure at left depicts the workflow for Application Provisioning of Partner employees.
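The two-stage application approval chain from Figures 5 and 6, with escalation to ESM, modelled as an added example (not the ITIM implementation). The class and role names, the `SLA_SECONDS` deadline and the self-approval check are assumptions; the page gives no escalation time limit.

```python
from dataclasses import dataclass, field

# First approver per user class, from the text; the Application Administrator
# is always the second approver and assigns the role.
FIRST_APPROVER = {"hhs": "supervisor", "contractor": "supervisor",
                  "partner": "first_level_approver"}
SLA_SECONDS = 3 * 24 * 3600  # hypothetical deadline before ESM is involved

@dataclass
class AppAccessRequest:
    user: str
    user_type: str
    application: str
    opened_at: float
    stage: int = 0            # 0 = first approver, 1 = app admin, 2 = granted
    role: str = ""
    last_action_at: float = -1.0
    audit: list = field(default_factory=list)

    def pending_role(self):
        if self.stage == 0:
            return FIRST_APPROVER[self.user_type]
        return "application_administrator" if self.stage == 1 else None

    def approve(self, actor, actor_role, now, role=""):
        """Advance one stage; reject out-of-order or self approvals."""
        expected = self.pending_role()
        if expected is None or actor_role != expected:
            raise PermissionError(f"{actor_role} cannot act; waiting on {expected}")
        if actor == self.user:  # assumption: requesters never approve themselves
            raise PermissionError("self-approval is not allowed")
        if self.stage == 1:
            if not role:
                raise ValueError("application administrator must assign a role")
            self.role = role
        self.stage += 1
        self.last_action_at = now
        self.audit.append((now, actor, actor_role, "approved"))

    def escalate_if_overdue(self, now):
        """Record an ESM escalation when the pending approver is past the deadline."""
        if self.stage >= 2:
            return False
        since = self.opened_at if self.last_action_at < 0 else self.last_action_at
        if now - since <= SLA_SECONDS:
            return False
        self.audit.append((now, "system", "esm", f"escalated: {self.pending_role()}"))
        return True
```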
Self-service account maintenance allows users to maintain personal identifying information and reset their passwords without having to call the Help Desk.
Figure 7. First Time Login Process.
The First Time Login Process, shown in the figure at left, provides the user with the opportunity to enter the required Security information for access control.
Figure 8. Retrieve Forgotten Username.
On the rare occasion when a user has forgotten their username, the self-service account maintenance provisions of the Enterprise Identity and Access Control Management system come to the rescue. As shown in the figure to the left, a user can retrieve a forgotten username without a call to the Help Desk.
Figure 9. Self-Service Password Reset.
Shown in the figure at left is the Self-Service Password Reset workflow. The feature allows users to reset their own password provided they have not been Locked Out of the Portal.
Upon logging in to the Enterprise Portal, the user follows the prompts to change their password.