Identity Cloud

Request access

In Identity Governance, end users can request access to resources, such as target applications, entitlements, or roles.

You define the resources end users can request by adding them to the access catalog.

An organization works with access requests as follows:

  1. An Identity Governance administrator who can configure access requests. This includes defining which resources end users can request in the access catalog.

  2. After an administrator defines requestable resources in the access catalog, end users submit requests to gain or remove (managers only) access to resources using the end user UI.

  3. Approvers approve or deny access requests — End users configured as the approver (designated owner) to review and approve or reject the request. The items that display to the approver are known as request items.

Configure access requests

Before end users can request access to resources in Identity Cloud, you must:

Define resources that can be requested

By default, end users in Identity Cloud can’t request access to a resource. For an end user to request access to a resource, the resource must be marked as Requestable to display in the access catalog. You can make applications, entitlements, and roles requestable in Identity Governance.

Authoritative applications are not requestable and are limited to read-only access. These apps onboard new identities, modify existing identities, or remove identities when needed. When there is a requirement to both read from and write to an application like a directory service, customers can define two apps: one authoritative and the other targeted for non-authoritative purposes.

Applications

To make applications requestable:

  1. From the Identity Cloud admin UI, go to Applications.

  2. Select an application. The application must be a target application.

  3. In the Details tab, toggle the Requestable box.

  4. For every target application you desire to be requestable, repeat steps 2-3.

Entitlements

To make entitlements requestable:

  1. From the Identity Cloud admin UI, go to Entitlements.

  2. Select an entitlement.

  3. In the Details tab, toggle the Requestable box.

  4. For every entitlement you desire to be requestable, repeat steps 2-3.

Roles

To make roles requestable:

  1. From the Identity Cloud admin UI, go to Manage > Alpha realm - Roles.

  2. Select a role.

  3. In the Details tab, toggle the Requestable box.

  4. For every role you desire to be requestable, repeat steps 2-3.

Add owners to resources

Before an end user can request access to a resource, you must associate it to an owner. Owners are the individual(s) responsible for monitoring who has access to the resource.

When an end user requests access to a resource, Identity Governance sends the request to the owner(s) for approval.

In access requests, the owner is referred to as the approver. When the owner approves the access request, Identity Governance provisions the resource to the end user.

Application owners

To assign owners to applications in Identity Cloud:

  1. From the Identity Cloud admin UI, go to Applications.

  2. Select an application. The application must be a target application.

  3. In the Details tab, click the Owners field, and add as many owners as you desire.

  4. Repeat steps 2-3 for every target application.

Entitlement owners

After you load entitlements into Identity Cloud, they display in the Entitlements section.

To assign owners to entitlements in Identity Cloud:

  1. From the Identity Cloud admin UI, go to Entitlements.

  2. Select an entitlement.

  3. In the Details tab, click the Entitlement Owner field, and select an owner.

  4. Repeat steps 2-3 for every entitlement.

Role owners

To assign owners to roles in Identity Cloud:

  1. From the Identity Cloud admin UI, go to Manage > Alpha realm - Roles.

  2. Select a role.

  3. In the Details tab, click the Role Owner field, and select an owner.

  4. Repeat steps 2-3 for every role.

Optionally, create and configure glossary attributes

Governance glossary attributes enable you to attach custom attributes to applications, entitlements, or roles.

When configuring resources that your end users can request access to, consider creating searchable governance glossary attributes. These attributes enable end users to filter and select a resource when requesting access.

Example of using glossary attributes with access requests

An example of using a governance glossary attribute would be to assign a risk level to each role, indicating the level of sensitivity associated with the resources granted to end users. This risk level attribute lets end users efficiently filter and search for roles based on their desired risk level when requesting access.

  1. From the Identity Cloud admin UI, click Glossary.

  2. Click Role > + Role Glossary Item.

  3. Enter the following values:

    Field Value

    Name

    riskLevel

    Display Name

    Risk Level

    Description

    The level of risk associated with granting this resource to a user. The higher the risk, the more sensitive the resource.

    Type

    String

    Enumerated Values

    Enable and create the following in the text and value fields:

    • Low

    • Medium

    • High

    Show advanced settings > Searchable

    Enable. This enables the end user to search and filter on the attribute when requesting access to the role.

  4. Click Save.

  5. Populate each role in Identity Cloud with either Low, Medium, or High.

    To do this, navigate to Manage > Alpha realm - Roles and populate newly created role attribute Risk Level.

Configure access requests for other users

Identity Governance provides the ability for end users to enter requests for other users. End users must view privileges and read attribute access to other users. The specific attributes are userName, givenName, sn, and mail.

While the organization owners and administrators get these privileges from the Identity Management configuration targeted to only their organizations members, other users outside of the organization do not have access to these privileges. As a result, end users will only see List is empty when clicking Other Users and not be able to select any users.

access request other users

There are three use cases available to set up other users:

Use case 1: Configure all users to see all other users

To configure Identity Governance so that end users can see all other users, you can add an internal role with view privileges and set attributes to read access.

  1. Create a new internal role:

    1. On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.

    2. Click Identities > Manage > Internal Roles > New Internal Role.

    3. On the New Internal role modal, enter the following:

      • Name. Enter a descriptive name for the internal role.

      • Description. Optional. Enter a description for the internal role.

    4. Click Next.

  2. Set the internal role permissions:

    1. On the Internal role permissions modal, select Alpha realm - Users.

    2. Click Add. The permissions for View, Create, Update, and Delete are displayed.

    3. Keep View selected.

    4. For attribute permissions, click Show advanced.

    5. Click set all attributes, and select None.

    6. For the following attributes, set the permission to Read:

      • userName

      • givenName

      • sn

      • mail

    7. Click Next.

      Details
      governance internal role attribute permissions
  3. Configure a filter for the role:

    1. On the Dynamic internal role Assignment modal, click A conditional filter for this role.

    2. On the filter, select the following properties:

      • Select Any. Specifies when to apply the rule if the conditions are met.

      • Select an attribute like Username.

      • Select is present. Specifies the existence of the property or not.

    3. Click Next.

      Details
      governance dynamic internal role assignment
  4. Set an time constraint on the internal role:

    1. On the Time Constraint modal, leave the default as-is.

    2. Click Save. The new internal role is created. All users will now have the ability to see all other users.

      Details
      governance internal role requestForAll

      The one side effect to this procedure is that the end user’s UI displays Alpha Realm - user on the left navigation bar, which can be useful as a company-wide address book or when you want to add attributes, such as telephoneNumber.

      governance end user alpha realm user nav

Use case 2: Configure all users to see a subset of other end users

This case is when you want the end users to see a subset of end users that match an attribute, such as department or city.

  1. Repeat the steps 1–2 in Use case 1: Configure all users to see all other users.

  2. Configure a filter for the role:

    1. On the Dynamic internal role Assignment modal, click A conditional filter for this role.

    2. On the filter, select the following properties:

      • Select Any. Specifies when to apply the rule if the conditions are met.

      • Select City. An attribute name.

      • Select is. Specifies the relationship between the attribute and its value.

      • Enter {{attribute}}. Curly braces indicates that the user’s current property. For example, you can use {{city}} indicating the end user’s city of work be included in the decision. This filter rule enables the manager to make requests for any other users whose city matches the manager’s city property. If you want to specify end users in a different city from the manager’s city, you can use, for example, {{Denver}} to indicate the manager can see direct reports located in Denver.

    3. Click , and then click Add Rule.

    4. Click Next.

      Details
      governance dynamic internal role assignment 2

Use case 3: Configure only managers to request for their directs

The third use case is to configure the system so that only managers can request for their direct reports. One solution is to use a multivalued attribute to hold the value of the manager ID for each user.

  1. On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.

  2. Create a managed object. A managed object is an identity-related data object managed in the Identity Management:

    1. Click Native Console > Identity Management.

    2. On the Quick Start page, click Configure on the top navigation bar, and then select Managed Objects.

    3. On the Managed Objects page, click Alpha_user.

    4. Scroll down, and click the pencil icon () next to frindexedMultivalued1 to edit it.

    5. On the frindexedMultivalued1 page, enter the following values:

      Field Value

      Readable Titles

      Enter managerID.

      Description

      Enter a description of the managed object.

      Show advanced options.

      Click the link to display more options.

      Viewable

      Click to disable it.

      User Editable

      Click to disable it.

      Virtual

      Click to enable it.

    6. Click Save.

      Details
      governance frindexedMultivalued1
    7. Click the Query Configuration tab, enter the following, and then click Save.

      Field Value

      Referenced Relationship Fields

      Enter ["manager"].

      Referenced Object Fields

      Enter the referenced object, _id.

      Flatten Properties

      Click to enable it.

      Details
      governance frindexedMultivalued1 query config
  3. Now, set up a manager on each user using a relationship-derived virtual property (RDVP). RDVPs are calculated based on relationships and relationship notifications. Here we create an RDVP to query users ("reports") who have a manager expressed in the _id property. For more information, learn about it at Relationship-derived virtual properties.

    Create a new internal role called RequestDirects:

    1. On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.

    2. Click Identities > Manage > Internal Roles > New Internal Role.

    3. On the New Internal role modal, enter the following, and then click Next.

      • Name. Enter a descriptive name for the internal role. Enter RequestDirects.

      • Description. Optional. Enter a description for the internal role.

  4. Set the internal role permissions:

    1. On the Internal role permissions modal, select Alpha realm - Users.

    2. Click Add. The permissions for View, Create, Update, and Delete are displayed.

    3. Keep View selected.

    4. For attribute permissions, click Show advanced.

    5. Click set all attributes, and select None.

    6. For the following attributes, set the permission to Read:

      • userName

      • givenName

      • sn

      • mail

    7. Click Administer only a subset of Alpha realm - Users by applying a filter.

    8. Click Advanced Editor, and enter /frIndexedMultivalued3 eq "{{_id}}".

      1. Click Next.

        Details

        governance internal role permissions requestDirects

    9. On the Dynamic Internal role Assignment modal, click Next.

    10. On the Time Constraint modal, click Save.

  5. Create an RDVP and make it queryable:

    1. Click Native Console > Identity Management.

    2. On the Quick Start page, click Configure on the top navigation bar, and then select Managed Objects.

    3. On the Managed Objects page, click Alpha_user.

    4. Scroll down, and pencil icon () next to frindexedMultivalued2 to edit it..

  6. On the frindexedMultivalued2, enter the following values:

    • Readable Titles: reportsIDs

    • Description: Enter a description of the managed object.

  7. Click Show advanced options.

    1. Click Viewable to disable it.

    2. Click User Editable to disable it.

    3. Click Virtual to enable it. We are using frIndexedMultivalued2 as a virtual RDVP.

      Details
      governance frindexedMultivalued2
  8. Click Query Configuration.

    1. In the Referenced Relationship Fields, enter ["reports"]. This relationship property is used to calculate the RDVP.

    2. In the Referenced Object Fields, enter _id. This property is used to hold the returned value when the RDVP is calculated. In this example, this would be _id.

    3. Click Flatten Properties to enable it.

    4. Click Save. The Managed Object created message appears.

  9. Reset the RequestDirects internal role:

    1. Click Manage Identities > Internal Roles > RequestDirects.

    2. On the RequestDirects modal, click Privileges.

    3. Click the ellipsis icon () next to the [.label]#View privilege.

    4. On the Edit Privilege modal, click Show advanced, and then click Advanced Editor.

    5. In the Assign user based on if query evaluates to true: field, enter the condition /frIndexedMultivalued2 pr.

    6. Click Save. The new RDVP allows an end-user’s direct reports to be updated virtually whenever the RDVP is recalculated due to a change.

      Details
      governance frindexedMultivalued2 rdvp
Copyright © 2010-2024 ForgeRock, all rights reserved.