In workforce I suggest the following changes:
The green J-M-L flow is great. How I explain this flow: J-M-L is the flow that contains the legal obligations between a person and an organization. Any JML change will be evaluated for IAM-relevant consequences. The legal consequences can be generated in an HR dept, a student administration, hiring contractors and interns. The authoritative source being eHRM, a Student directory, etc. IAM would just use the data from those repositories.
This means that Move only occurs when changing dept, manager or other HR-related attribs that result in a change in the (legal) relation between the person and the org, like a new manager, a new dept. But nothing changes in the green flows.
But this does imply that manager-induced changes (non-legal changes) can occur that do also result in Manage Access: It could mean that a manager assigns a role to a direct report, but that change doesn't have legal consequences. So in the Joiner process we need to add a manage access block. In this 'legal relations' concept changing a role is not a Move, it's just a change that results in Manage Access. So we would have: [Create identity], [Provision account], [Provision access], [Manage access].
I would also remove the [Authenticate] block. I don't know how to explain it. Or we should add it as a sub-process of [Provision account].