When using the self-service functionality in HelloID Service Automation, end users currently request individual products one at a time. While this works functionally, it can be inefficient and does not align well with real-world scenarios where access is typically granted based on roles or job functions.

In many organizations, access to applications and services is grouped into roles (e.g. department roles, project roles, or job-based access). These roles often consist of multiple underlying products. Currently, end users must request each product individually, which increases complexity and does not reflect how access is logically structured.

Requested Enhancement

Introduce the ability for administrators to define roles that consist of one or more products, and allow end users to request these roles through the self-service portal.

When a role is requested:

The end user submits a single request for the role

HelloID provisions all underlying products linked to that role

Each product has its own workflow or there is a workflow defined at the role level

Additionally, the system should support dependency-aware deprovisioning:

When a role is revoked, HelloID evaluates whether underlying products are still assigned via other roles

A product should only be deprovisioned when it is no longer linked to any active role or assignment for that user

This ensures that access is not unintentionally removed when multiple roles grant the same product

Example Scenario

An employee requests the “Finance Employee” role via self-service. This role includes access to:

Financial system

Reporting tool

Shared finance drive

HelloID provisions all associated products.

Later, the employee also receives a “Project Controller” role, which includes the reporting tool. When the “Finance Employee” role is revoked, HelloID detects that the reporting tool is still assigned through the “Project Controller” role and does not remove access. Only when the last role granting that product is removed will the product be deprovisioned.

Business Value

This improvement aligns access management with real-world role-based access models, reduces the number of individual requests for end users, and improves usability of the self-service portal.

It also increases reliability and governance by preventing unintended access removal through dependency-aware deprovisioning. Additionally, it reduces administrative overhead by allowing administrators to centrally manage product groupings via roles instead of maintaining large numbers of individual product requests.