Service Automation

In HelloID, the default Admin role does not include all available permissions. As a result, newly created portals require manual role adjustments before an administrator can fully manage the environment. For a clearer and more intuitive out-of-the-box role configuration, update the default permission set for new HelloID portals, so that the Admin role includes all permissions available at the time of portal creation. This would align the Admin role with common expectations. In addition, other default roles could be reviewed and adjusted where necessary to ensure logical, consistent, and clearly differentiated permission boundaries across the role model. As this applies only to newly created portals, existing portals remain unchanged and there is no impact on customer-defined or customized roles.

Currently, the GET /datasource/{DataSourceGUID} API endpoint does not return the agentPoolGUID field, even when an agent pool has been configured for that data source in the HelloID web interface. The POST /datasource endpoint does accept agentPoolGUID (allowing the value to be set), but without being able to read the current value back, it is impossible to: - Display the current agent pool assignment in tooling - Conditionally update only when a change is needed - Build fully idempotent post-import scripts Requested improvement: Include agentPoolGUID (and optionally agentPoolName) in the response body of: - GET /datasource/{DataSourceGUID} - GET /datasource/named/{DataSourceName} - GET /datasource/all Expected response addition: { "dataSourceGUID": "...", "name": "...", "agentPoolGUID": "a1b2c3d4-...", "agentPoolName": "PRODUCTION" } Use case: We manage HelloID Delegated Forms via automated createform.ps1 deployment scripts, followed by a post-import.ps1 that configures agent pools on all PowerShell data sources (required for on-premises Exchange connectivity). Because the current agent pool assignment is not returned by the API, our tooling cannot show the user the current state before prompting for a change, and cannot skip unnecessary API calls when the pool is already correct. This forces either blind overwrites on every run or a manual check in the UI — both of which break a clean automated workflow.

When using the self-service functionality in HelloID Service Automation, end users currently request individual products one at a time. While this works functionally, it can be inefficient and does not align well with real-world scenarios where access is typically granted based on roles or job functions. In many organizations, access to applications and services is grouped into roles (e.g. department roles, project roles, or job-based access). These roles often consist of multiple underlying products. Currently, end users must request each product individually, which increases complexity and does not reflect how access is logically structured. Requested Enhancement Introduce the ability for administrators to define roles that consist of one or more products, and allow end users to request these roles through the self-service portal. When a role is requested: The end user submits a single request for the role HelloID provisions all underlying products linked to that role Each product has its own workflow or there is a workflow defined at the role level Additionally, the system should support dependency-aware deprovisioning: When a role is revoked, HelloID evaluates whether underlying products are still assigned via other roles A product should only be deprovisioned when it is no longer linked to any active role or assignment for that user This ensures that access is not unintentionally removed when multiple roles grant the same product Example Scenario An employee requests the “Finance Employee” role via self-service. This role includes access to: Financial system Reporting tool Shared finance drive HelloID provisions all associated products. Later, the employee also receives a “Project Controller” role, which includes the reporting tool. When the “Finance Employee” role is revoked, HelloID detects that the reporting tool is still assigned through the “Project Controller” role and does not remove access. Only when the last role granting that product is removed will the product be deprovisioned. Business Value This improvement aligns access management with real-world role-based access models, reduces the number of individual requests for end users, and improves usability of the self-service portal. It also increases reliability and governance by preventing unintended access removal through dependency-aware deprovisioning. Additionally, it reduces administrative overhead by allowing administrators to centrally manage product groupings via roles instead of maintaining large numbers of individual product requests.

Currently, in HelloID Service Automation, when a product has no (valid) approver or owner configured, the requester must manually click a button in the request details to report this. Current Behavior When a product has no approver/owner: HelloID detects this (otherwise the button would not be shown) The requester must manually report the missing owner via a button If the requester does not click this button, nothing happens As a result: Requests remain stuck without progress Administrators are not notified The issue is often only discovered later Why this is a problem * This process relies on manual action from the requester, which is often forgotten. This causes: Stuck requests Lack of visibility for beheer/servicedesk Delays in processing requests Unnecessary troubleshooting Since HelloID already detects the missing owner, requiring manual reporting is redundant. Suggested Improvement Primary: Automatically send a notification/email to a configurable address (e.g. servicedesk or functional beheer) when HelloID detects that a product has no approver at the moment a request is submitted. Secondary: Provide an option to configure or customize the content of this notification. In short: If HelloID detects a missing approver, it should automatically notify the appropriate team, without requiring manual input from the requester.

We would like to have the ability to select a file via a file picker for end users looking to complete bulk import/processing via a form.

Introduce the ability to configure a delegated requester for a user by assigning a group. Users who are members of this group should be able to submit requests on behalf of the configured user. This allows certain users to create requests for another user without giving them approval rights. The delegated requester should only be able to submit requests and not approve them. This functionality is similar to part of the behavior that managers currently have, where they can submit requests for their employees. Requested Enhancement Allow administrators to configure a delegated requester for a user by assigning a group. Members of this group should be able to submit requests on behalf of the configured user. The delegated requester should only have permission to submit requests and should not receive any approval permissions. It is important to clearly distinguish this functionality from delegated approvers. Delegated approver functionality allows someone to approve requests in addition to or on behalf of the manager. Delegated requester functionality would only allow someone to submit requests on behalf of another user. This configuration should also be manageable through the HelloID API so that delegated requester assignments can be automated or integrated with external systems. Example Scenario A common scenario is that the service desk submits access requests on behalf of users. For example, a service desk employee may request access to applications or resources for another employee. By configuring a delegated requester group for a user or department, service desk employees who are members of that group would be able to submit requests on behalf of the user without receiving approval permissions. Use Case / User Story As an administrator, I want to configure delegated requesters for a user so that designated users, such as service desk employees, can submit requests on behalf of that user without granting them approval rights. Business Value This functionality provides more flexibility in request delegation and better reflects real organizational processes where service desk employees, assistants, or coordinators often submit requests on behalf of others. It also ensures that request submission and approval responsibilities remain clearly separated.

For a Self Service Product, which is only requestable for specific group (max 100 people). Within the Managed Products all the users (close to 3000) are visible and it is not really easy to find out for whom this is requestable/not requestable. Can we scope this to just the users that this is requestable for? If this is by design, can we add a filter or sorting option or something so we can quickly see who this is requestable for?

Currently, end users can see all available Self Service Products, even those they do not have access to. When attempting to request such a product, they receive a message like "You are not allowed to request this product." This leads to unnecessary clutter and confusion in the product overview. We would like to limit the visibility of products so that end users only see the groups/products they are actually allowed to request. This would significantly reduce the number of visible products and improve clarity. At the moment, the only workaround is to use categories to segment visibility, but this requires creating a separate category for each product, which is not scalable or maintainable. Suggested Improvement: Add a configuration option to hide products from users who do not have access. Make product visibility dynamically dependent on group membership or access rights. Benefit: Improves user experience by reducing confusion. Keeps the product overview clean and manageable. Reduces administrative overhead by eliminating the need for excessive category creation.

In order to show managed products in a form and edit corresponding Active Directory Groups/Entra groups, I would like to have an API call to retrieve managed products for a user.

Make it possible to use the Provisioning Target Systems in Service Automation. With the same options as available in de Business Rules. Simply select.