Service Automation

Allow requesting roles (bundled products) for end users with dependency-aware provisioning and deprovisioning
When using the self-service functionality in HelloID Service Automation, end users currently request individual products one at a time. While this works functionally, it can be inefficient and does not align well with real-world scenarios where access is typically granted based on roles or job functions.

In many organizations, access to applications and services is grouped into roles (e.g. department roles, project roles, or job-based access). These roles often consist of multiple underlying products. Currently, end users must request each product individually, which increases complexity and does not reflect how access is logically structured.

Requested Enhancement

Introduce the ability for administrators to define roles that consist of one or more products, and allow end users to request these roles through the self-service portal.

When a role is requested:
- The end user submits a single request for the role
- HelloID provisions all underlying products linked to that role
- Each product has its own workflow or there is a workflow defined at the role level

Additionally, the system should support dependency-aware deprovisioning:
- When a role is revoked, HelloID evaluates whether underlying products are still assigned via other roles
- A product should only be deprovisioned when it is no longer linked to any active role or assignment for that user
- This ensures that access is not unintentionally removed when multiple roles grant the same product

Example Scenario

An employee requests the “Finance Employee” role via self-service. This role includes access to:
- Financial system
- Reporting tool
- Shared finance drive

HelloID provisions all associated products. Later, the employee also receives a “Project Controller” role, which includes the reporting tool. When the “Finance Employee” role is revoked, HelloID detects that the reporting tool is still assigned through the “Project Controller” role and does not remove access. Only when the last role granting that product is removed will the product be deprovisioned.

Business Value

This improvement aligns access management with real-world role-based access models, reduces the number of individual requests for end users, and improves usability of the self-service portal. It also increases reliability and governance by preventing unintended access removal through dependency-aware deprovisioning. Additionally, it reduces administrative overhead by allowing administrators to centrally manage product groupings via roles instead of maintaining large numbers of individual product requests.
0
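The dependency-aware deprovisioning rule requested above can be modelled as a per-user ledger of grant sources. This is an added sketch, not HelloID code or its API: the `EntitlementLedger` class, its method names and the user name are hypothetical, and the role catalogue is constructed from the request's example scenario. It also covers direct (non-role) assignments and repeated revocations.

```python
from collections import defaultdict

# Constructed role catalogue taken from the request's example scenario.
ROLES = {
    "Finance Employee": {"Financial system", "Reporting tool", "Shared finance drive"},
    "Project Controller": {"Reporting tool"},
}

class EntitlementLedger:
    """Hypothetical model: per user and product, every source that grants it."""

    def __init__(self, roles):
        self.roles = roles
        # user -> product -> set of sources, e.g. {"role:Finance Employee", "direct"}
        self.sources = defaultdict(lambda: defaultdict(set))

    def _add(self, user, product, source):
        first = not self.sources[user][product]
        self.sources[user][product].add(source)
        return first  # True only when the user did not hold the product before

    def _drop(self, user, product, source):
        held = self.sources[user].get(product)
        if not held or source not in held:
            return False  # nothing to revoke: a no-op must never deprovision
        held.discard(source)
        if held:
            return False  # another role or a direct assignment still grants it
        del self.sources[user][product]
        return True  # last source removed: safe to deprovision

    def grant_role(self, user, role):
        """Return the products that actually need provisioning."""
        return sorted(p for p in self.roles[role] if self._add(user, p, f"role:{role}"))

    def revoke_role(self, user, role):
        """Return the products that may be deprovisioned."""
        return sorted(p for p in self.roles[role] if self._drop(user, p, f"role:{role}"))

    def grant_direct(self, user, product):
        return [product] if self._add(user, product, "direct") else []

    def revoke_direct(self, user, product):
        return [product] if self._drop(user, product, "direct") else []
```

Tracking sources as a set rather than a counter makes a repeated revoke of the same role harmless, and the ledger shows which role or assignment still justifies a user's access.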
Allow requesting multiple products at once for managed users
When using the managed users functionality in HelloID, it is currently only possible to request one product at a time for a user. While this works functionally, it can be inefficient in scenarios where multiple products need to be requested for the same user.

In many organizations, requesters such as managers or service desk employees are responsible for requesting access to several applications or services for a user. With the current functionality, each product must be requested separately, which increases the number of steps and makes the process more time-consuming.

Requested Enhancement

Introduce the ability to request multiple products at once for a managed user. This would allow requesters to select several products in a single request instead of submitting separate requests for each product. The request process should still follow the existing approval and workflow logic for each product.

Example Scenario

A manager or service desk employee needs to request access to several applications for a new employee. Instead of submitting multiple individual requests, the requester could select multiple products and submit them in a single action. Each product would still follow its configured approval workflow.

Business Value

This improvement would make the request process more efficient for managers and service desk employees, reduce repetitive actions when requesting multiple products, and improve the usability of the managed users functionality.
0
Allow configuring delegated requesters for products
Introduce the ability to configure a delegated requester group on a product. Members of this group should be able to submit requests for that product through the Managed Products functionality. This would allow designated users to request access for other users without giving them approval permissions. The delegated requester should only be able to submit requests and should not be able to approve them.

Currently, the resource owner group is responsible for managing and approving access for a product. However, in some scenarios it is desirable that certain users can submit requests for a product without being responsible for approving them.

Requested Enhancement

Allow administrators to configure a delegated requester group on a product. Members of this group should be able to submit requests for that product through Managed Products for other users. This permission should only allow submitting requests and should not grant approval rights.

It is important to clearly distinguish this functionality from the resource owner group. Resource owners are responsible for managing and approving access to a product, while delegated requesters should only be able to submit requests for that product.

This configuration should also be manageable through the HelloID API so that delegated requester assignments can be automated.

Example Scenario

A service desk team is responsible for submitting access requests for users. Instead of making the service desk part of the resource owner group, a delegated requester group could be configured on the product. Members of this group could then submit requests for users through Managed Products without being able to approve the requests.

Business Value

This improvement would provide more flexibility in request delegation and better reflect real organizational processes where certain teams, such as service desks, are responsible for submitting requests while product owners remain responsible for approvals. It also enables automation and integration through the HelloID API for managing delegated requester configurations.
0