End users know their stuff.  I know this isn't a common refrain in IT but if you're talking about the users themselves when saying "their stuff" then there is no dispute.  So for some identity information, you actually need the user.  And to offer identity management self service.

The most obvious and important identity store to consider is Active Directory.  There is a lot of identity information within there to delegate: mobile phone, home address, and other personal information.  This is the sort of identity information your company needs and can only be provided by the users themselves.  In fact, once they enter it via your self service interface, take advantage of this and flow the information back to the HR system.

The items above you can usually trust your end users to provide.  There are a few items where you want to have control, put some sort of approval workflow on it.  Take for example, business phone, maybe you aren't flowing this from your telecom database and want your end user to update it but want the telecom guys to approve it, shoot a workflow request to them before committing it to AD.  I can't stress this enough, self service liberates IT but you need to have controls in place.

AD groups are a common delegated item.  End users should be able to join and leave groups but not all of them.  Using rights based approval routing, you can set specific groups to require group owner or admin approval before joining.  In fact, some groups should be completely off limits to self service (think financial reporting).

But Active Directory isn't the only identity store in your organization.  The benefit to a full Identity and Access Management platform is that you aren't limited to just AD.  By having a metadirectory in the middle of everything, you can create self service forms to the metadirectory or directly to any connected application. 

A great example is when you need to apply for a specific role in salesforce or your jive community.  Having a self service option allows you to apply for the role, enforce an approval workflow and using the IAM workflows, set a time limit on the access (temporary privileged access).  As you can see, self service is not limited to Active Directory at all but it can be in the exact same self service interface.

Of course, don't forget that self service identity management has to be part of an identity ecosystem.  Any attributes, roles or information that your users provide through self service should flow back into your identity stores and any appropriate applications.

Let us take you on a tour of how you can make this identity ecosystem more diverse and robust through self service.  With control.