Status: Pending implementation
When access changes in UMS, downstream systems must receive the corresponding create, update, or remove instruction automatically. UMS must provide governed provisioning connectors so identity operations remain synchronized across external applications.
| Actor | Responsibility |
|---|---|
| Identity Operations Administrator | Configures the connector and its mapping rules. |
| External System Owner | Confirms the downstream target and access model. |
| Integration Connector | Applies the provisioning or deprovisioning action. |
| Auditor | Reviews the provisioning history and failures. |
If the downstream system is unavailable, the action is retained and retried according to policy.
If the mapped data is incomplete or invalid, the system marks the action as failed and requires correction.
If a user loses access, the deprovisioning action must still be attempted and tracked until the downstream system is no longer granting that access.
| Rule | Description |
|---|---|
| BR-01 | Every governed access change must be reflected downstream when the connector is enabled. |
| BR-02 | Deprovisioning is mandatory when access is revoked or expired. |
| BR-03 | Failures must be visible and retryable; they cannot silently grant or keep access. |
| BR-04 | Mapping rules must be explicit and versioned for each target system. |
| BR-05 | The same user or profile change must not create duplicate downstream operations. |
| BR-06 | The downstream access result must remain auditable. |
| # | Acceptance Criterion |
|---|---|
| 1 | A connector can be registered for a downstream system. |
| 2 | Access changes generate the expected provisioning or deprovisioning action. |
| 3 | The action remains traceable until the downstream system confirms it or it is corrected. |
| 4 | Access removal triggers a deprovisioning action. |
| 5 | Failures are visible to operations and can be retried. |
| 6 | Duplicate downstream actions are prevented for the same change. |
| Type | References |
|---|---|
| Domain Entities | UserAccount, Profile, Role, SystemSuite, IdentityProvider, AuditRecord |
| Functional Stories | FS-03, FS-05, FS-24 |
| ADRs | ADR-0015, ADR-0033, ADR-0072 |