Skip to main content

HelloID

Products vs. delegated forms

The Service Automation module allows you to set up both products and delegated forms. Understanding the purpose and benefits of each helps you choose the most appropriate option for a given scenario.

The rule of thumb is:

When to create a product

Products are designed for requesting and managing permissions through self-service. For example:

  • Group memberships

  • Access to resources (mailboxes, SharePoint sites, shared drives, devices, etc.)

  • Access to applications

Choose to create a product in cases where approval, review and accountability are important, and when you need to demonstrate that access or permissions are appropriate.

Products provide:

  • Approval workflows. If approval is not required, automatic approval can be configured.

  • Admin dashboard visibility. Admins can see who has access to what at any time and revoke permissions if needed.

  • User dashboard visibility. Users can request access through the product catalog, view their assigned permissions and waive ('return') permissions in the Self Service portal. Product owners and managers can also request and return products on behalf of other users.

  • Audit logs: A complete audit trail for compliance and reporting, from request to approval to grant to revoke.

  • Time-bound access: Products can be configured with an expiration date, allowing access to be automatically revoked after a specified period. Products can also be automatically returned when a user account is disabled.

  • Recertification enables periodic review of granted permissions. Note that this requires the Governance module.

Tip

If you are using the Provisioning module for automated permission grants, consider whether a product is necessary at all. Provisioning may already handle it or be able to handle it through existing or new business rules.

When to create a delegated form

Delegated forms are intended for one-time operational actions, such as:

  • Creating new resources (e.g., AD users, mailboxes)

  • Password resets and account unlocks

  • One-time attribute updates (e.g., phone number, office location)

  • Administrative maintenance tasks (e.g., cleaning up outdated distribution lists)

Choose delegated forms in cases when the service desk has the authority to act, no approval or review is required, and there is no need to track ongoing ownership of permissions.

Delegated forms provide:

  • Controlled delegation: Enables the Service desk to execute tasks execution without granting broad or unnecessary rights.

  • Operational efficiency: Tasks are performed with minimal overhead.

  • Audit logs: Limited to what was done, when, and by whom. Does not provide insight into who currently has access to what.

  • Quick setup.

Tip

Do not temporarily set up delegated forms for permission management. Migrating from delegated forms to products is difficult because delegated forms do not track granted access. As a result, all permissions or group memberships must be manually audited during migration.

In this section: