Provisioning Access via Shibboleth-delivered Role Data

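// Flow for granting application access from role data delivered by Shibboleth.
// This listing is a fragment: the enclosing graph statement is not shown here.

// Graph-wide defaults.
fontsize="12";
rank=same;
node [shape=rect];

// Nodes. Rounded boxes are start/end states, diamonds are decisions,
// plain rectangles are actions.
login [style=rounded, label="User Signs In"];
has_access [shape=diamond, label="does user have access?"];
// Decided by the SP from the role data in the Shib response (see note1).
has_data [shape=diamond, label="can sp provision access?"];
provision [label="provisions access dynamically"];
register [label="triggers workflow to ask admin to assign permission"];
assign_access [label="admin assigns role in permission management system"];
role_update [label="triggers group/role/entitlement data update in Directory"];
// ARP: the IdP's attribute release policy, i.e. which attributes it releases to this SP.
arp_update [label="triggers IDP ARP Update"];
done [style=rounded, label="user enters application"];
done2 [style=rounded, label="user has access"];
// "note" is a node shape, not a style; written as style=note the node
// fell back to the default rect set above.
note1 [shape=note, label="provision using role data supplied in Shib response"];

// Edges.
login -> has_access;
has_access -> done [label="yes"];
has_access -> has_data [label="no"];
// Both exits of the second decision are labelled, matching has_access above.
has_data -> provision [label="yes"];
provision -> done;
// Manual path: the SP cannot provision from the supplied role data, so an
// admin assigns the role and the change propagates Directory -> IdP ARP.
has_data -> register [label="no"];
register -> assign_access;
assign_access -> role_update;
role_update -> arp_update;
// NOTE(review): this path ends at "user has access", not "user enters application";
// presumably the updated role data only reaches the SP in a later Shib
// response, i.e. on the user's next sign-in. Confirm.
arp_update -> done2;
// NOTE(review): no path in this chart removes access once a role is withdrawn;
// confirm where deprovisioning of dynamically granted access is handled.
note1 -> has_data [arrowhead=none, style=dotted];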