Services overview
A service represents the link between user identities and a system external to Cloud Identity Service to which those users might need to be provisioned.
You can manage services, including service membership, by using Cloud Identity Service. Service membership can be managed manually or can be managed by using a dynamic provisioning policy. Each service must have a service owner. A service owner is a user who is typically defined as the owner or administrator of the external system to which the service is linked. Service categories can be used to group related services together to make it easier for Self Service users to manage their services.
The user membership of a service can be statically or dynamically defined. Static user membership requires you to manually add each user to the service, and to manually manage membership. Dynamic user membership automatically selects users for membership based on any matching combination of their identity attribute values, other group memberships, other service memberships, or whether they are assigned a role as a manager.
Dynamic user membership is implemented by using a dynamic provisioning policy, in which you define the membership selection criteria.
Any number of dynamic policies can be defined for a service. A policy can be applied on demand by reconciling the policy, or applied according to a schedule. When a policy is applied, its selection criteria are evaluated and the user membership is updated: matching users are added and non-matching users are removed. Because reconciliation removes as well as adds, review a policy's criteria before applying it; an overly narrow or mistyped criterion deprovisions existing members on the next reconciliation.
Services include options for creating dependencies between services: parent and child relationships, and container mappings. A parent and child relationship enforces that a user attains membership in the parent service before attaining membership in any of its child services. A container mapping defines a service that, when a user attains membership in it, directly requests the user's membership in each contained service.
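The following is an added example written for this page, not Cloud Identity Service's own code or API. It models the behaviour described above: a dynamic provisioning policy whose criteria combine identity attribute values, group membership, other service membership and the manager role; reconciliation that adds matching users and removes non-matching members; the parent-before-child rule; and a container mapping that requests membership in each contained service. All users, services and policy names are constructed. Two details the page leaves open are assumptions here: the criteria within one policy are ANDed, and when a service has several policies a user is retained if any policy matches. Contained-service membership is granted directly, without modelling approvals.

```python
"""Toy model of dynamic service membership (illustrative, not the product's API)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    uid: str
    attributes: dict                     # identity attribute values
    groups: set = field(default_factory=set)
    is_manager: bool = False             # assigned a role as a manager


@dataclass
class Service:
    name: str
    owner: str                                    # every service has an owner
    members: set = field(default_factory=set)
    parent: Optional[str] = None                  # parent/child dependency
    contains: list = field(default_factory=list)  # container mapping


@dataclass
class DynamicPolicy:
    """Selection criteria; every listed criterion must hold (assumed AND)."""
    attributes: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    require_manager: bool = False


def policy_matches(policy, user, services):
    """True when the user satisfies every criterion in the policy."""
    if any(user.attributes.get(k) != v for k, v in policy.attributes.items()):
        return False
    if not policy.groups <= user.groups:
        return False
    if any(user.uid not in services[s].members for s in policy.services):
        return False
    return user.is_manager or not policy.require_manager


def add_member(services, name, uid):
    """Grant membership, enforcing parent-before-child and, for a container,
    requesting membership in each contained service. Returns services granted."""
    svc = services[name]
    if svc.parent and uid not in services[svc.parent].members:
        raise PermissionError(f"{uid} needs {svc.parent} before {name}")
    granted = []
    if uid not in svc.members:
        svc.members.add(uid)
        granted.append(name)
    for child in svc.contains:
        granted += add_member(services, child, uid)
    return granted


def reconcile(services, name, policies, users):
    """Apply the service's dynamic policies: users matching any policy are
    added, members matching none are removed. Returns (added, removed, blocked)."""
    svc = services[name]
    added, removed, blocked = [], [], []
    for user in users.values():
        match = any(policy_matches(p, user, services) for p in policies)
        if match and user.uid not in svc.members:
            try:
                add_member(services, name, user.uid)
                added.append(user.uid)
            except PermissionError:
                blocked.append(user.uid)      # parent membership not yet attained
        elif not match and user.uid in svc.members:
            svc.members.discard(user.uid)     # stale member, removed on reconcile
            removed.append(user.uid)
    return sorted(added), sorted(removed), sorted(blocked)


# Constructed sample data (hypothetical names).
ERP_POLICY = DynamicPolicy(attributes={"department": "finance"}, groups={"staff"})
ERP_ADMIN_POLICY = DynamicPolicy(attributes={"department": "finance"}, require_manager=True)


def build_demo():
    users = {
        "alice": User("alice", {"department": "finance"}, {"staff"}, is_manager=True),
        "bob": User("bob", {"department": "finance"}, {"staff"}),
        "carol": User("carol", {"department": "sales"}, {"staff"}),
        "dave": User("dave", {"department": "finance"}),
    }
    services = {
        "erp": Service("erp", owner="erp-admin"),
        "erp-admin": Service("erp-admin", owner="erp-admin", parent="erp"),
        "ledger": Service("ledger", owner="fin-admin"),
        "finance-kit": Service("finance-kit", owner="fin-admin", contains=["ledger"]),
    }
    return users, services


def run_demo():
    users, services = build_demo()
    services["erp"].members.add("carol")             # stale manually added member
    first = reconcile(services, "erp-admin", [ERP_ADMIN_POLICY], users)   # blocked: no erp
    erp = reconcile(services, "erp", [ERP_POLICY], users)
    second = reconcile(services, "erp-admin", [ERP_ADMIN_POLICY], users)  # now allowed
    kit = add_member(services, "finance-kit", "bob")  # container pulls in ledger
    return {"admin_first": first, "erp": erp, "admin_second": second,
            "kit": kit, "erp_members": sorted(services["erp"].members)}


if __name__ == "__main__":
    print(run_demo())
```

Reconciling the child service before its parent yields a blocked user rather than a grant, which is the parent-before-child rule in action; reconciling the parent first then lets the second pass succeed. Note also that the stale manual member is removed by the parent's reconciliation, which is the behaviour to keep in mind when mixing manual and policy-based membership on one service.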
Notifications are used to send notification emails to various recipients. Notifications can include service-specific provisioning and deprovisioning information.
Recertification is used to provide control over who remains a member of a service over time. Recertification policies are defined in the same way as dynamic provisioning policies. Depending on how the service is defined, each member who meets the criteria of a recertification policy has a recertification request sent to their manager, to the service owner, or to both. The manager or service owner certifies whether the user still belongs to the service. Recertification can be required for both policy-based and manually controlled service membership, and recertification policies can be scheduled so that recertification occurs at a specified frequency.
Approvals are used to provide control over who can gain membership to a service. Approval can be required for dynamically controlled membership and manually controlled membership. Approval can require action by a manager, a service owner, or both. Approvals can be applied to membership and recertification processes.