Request access
In Identity Governance, end users can request access to resources, such as target applications, entitlements, or roles.
You define the resources end users can request by adding them to the access catalog.
An organization works with access requests as follows:
- An Identity Governance administrator configures access requests. This includes defining which resources end users can request in the access catalog.
- After an administrator defines requestable resources in the access catalog, end users use the end user UI to submit requests to gain access to resources or, for managers only, to remove access.
- Approvers approve or deny access requests. End users configured as the approver (designated owner) review the request and approve or reject it. The items that display to the approver are known as request items.
Configure access requests
Before end users can request access to resources in Identity Cloud, you must:
Define resources that can be requested
By default, end users in Identity Cloud can't request access to a resource. For an end user to request access to a resource, the resource must be marked as Requestable so that it displays in the access catalog.
You can make applications, entitlements, and roles requestable in Identity Governance.
Applications
To make applications requestable:
- From the Identity Cloud admin UI, go to Applications.
- Select an application. The application must be a target application.
- In the Details tab, toggle the Requestable box.
- Repeat steps 2-3 for every target application you want to be requestable.
Add owners to resources
Before an end user can request access to a resource, you must associate it with an owner. Owners are the individuals responsible for monitoring who has access to the resource.
When an end user requests access to a resource, Identity Governance sends the request to the owner(s) for approval.
In access requests, the owner is referred to as the approver. When the owner approves the access request, Identity Governance provisions the resource to the end user.
Application owners
To assign owners to applications in Identity Cloud:
- From the Identity Cloud admin UI, go to Applications.
- Select an application. The application must be a target application.
- In the Details tab, click the Owners field, and add as many owners as you need.
- Repeat steps 2-3 for every target application.
Entitlement owners
After you load entitlements into Identity Cloud, they display in the Entitlements section.
To assign owners to entitlements in Identity Cloud:
- From the Identity Cloud admin UI, go to Entitlements.
- Select an entitlement.
- In the Details tab, click the Entitlement Owner field, and select an owner.
- Repeat steps 2-3 for every entitlement.
Optionally, create and configure glossary attributes
Governance glossary attributes enable you to attach custom attributes to applications, entitlements, or roles.
When configuring resources that your end users can request access to, consider creating searchable governance glossary attributes. These attributes enable end users to filter and select a resource when requesting access.
Example of using glossary attributes with access requests
An example of using a governance glossary attribute is to assign a risk level to each role, indicating the sensitivity of the resources the role grants to end users. This risk level attribute lets end users efficiently filter and search for roles by their desired risk level when requesting access.
- From the Identity Cloud admin UI, click Glossary.
- Click Role > + Role Glossary Item.
- Enter the following values:
  Name: riskLevel
  Display Name: Risk Level
  Description: The level of risk associated with granting this resource to a user. The higher the risk, the more sensitive the resource.
  Type: String
  Enumerated Values: Enable, and create the following in the text and value fields: Low, Medium, High
  Show advanced settings > Searchable: Enable. This enables the end user to search and filter on the attribute when requesting access to the role.
- Click Save.
- Populate each role in Identity Cloud with either Low, Medium, or High. To do this, go to Manage > Alpha realm - Roles and populate the newly created role attribute Risk Level.
Configure access requests for other users
Identity Governance lets end users enter requests on behalf of other users.
To do so, end users must have view privileges and read attribute access to the other users. The specific attributes are userName, givenName, sn, and mail.
Organization owners and administrators get these privileges from the Identity Management configuration, which is targeted only to their organization's members; users outside the organization do not have these privileges. As a result, end users only see List is empty when clicking Other Users and cannot select any users.
There are three use cases available to set up other users:
Use case 1: Configure all users to see all other users
To configure Identity Governance so that end users can see all other users, add an internal role with view privileges and set the attributes to read access.
- Create a new internal role:
  - On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.
  - Click Identities > Manage > Internal Roles > New Internal Role.
  - On the New Internal role modal, enter the following:
    - Name. Enter a descriptive name for the internal role.
    - Description. Optional. Enter a description for the internal role.
  - Click Next.
- Set the internal role permissions:
  - On the Internal role permissions modal, select Alpha realm - Users.
  - Click Add. The permissions for View, Create, Update, and Delete are displayed.
  - Keep View selected.
  - For attribute permissions, click Show advanced.
  - Click set all attributes, and select None.
  - For the following attributes, set the permission to Read:
    - userName
    - givenName
    - sn
    - mail
  - Click Next.
- Configure a filter for the role:
  - On the Dynamic internal role Assignment modal, click A conditional filter for this role.
  - On the filter, select the following properties:
    - Select Any. Specifies when to apply the rule if the conditions are met.
    - Select an attribute such as Username.
    - Select is present. Specifies whether the property exists.
  - Click Next.
- Set a time constraint on the internal role:
  - On the Time Constraint modal, leave the default as-is.
  - Click Save. The new internal role is created. All users now have the ability to see all other users.
The one side effect of this procedure is that the end user's UI displays Alpha Realm - user on the left navigation bar, which can be useful as a company-wide address book or when you want to add attributes, such as telephoneNumber.
Use case 2: Configure all users to see a subset of other end users
Use this case when you want end users to see only the subset of end users that match an attribute, such as department or city.
- Repeat steps 1-2 in Use case 1: Configure all users to see all other users.
- Configure a filter for the role:
  - On the Dynamic internal role Assignment modal, click A conditional filter for this role.
  - On the filter, select the following properties:
    - Select Any. Specifies when to apply the rule if the conditions are met.
    - Select City. An attribute name.
    - Select is. Specifies the relationship between the attribute and its value.
    - Enter {{attribute}}. The curly braces indicate the requesting user's current property value. For example, {{city}} indicates that the end user's city of work is included in the decision. This filter rule enables the manager to make requests for any other users whose city matches the manager's city property. If you want to specify end users in a different city from the manager's city, you can use, for example, {{Denver}} to indicate that the manager can see direct reports located in Denver.
  - Click , and then click Add Rule.
  - Click Next.
Use case 3: Configure only managers to request for their direct reports
The third use case is to configure the system so that only managers can request access for their direct reports. One solution is to use a multivalued attribute to hold the manager ID for each user.
- On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.
- Create a managed object. A managed object is an identity-related data object managed in Identity Management:
  - Click Native Console > Identity Management.
  - On the Quick Start page, click Configure on the top navigation bar, and then select Managed Objects.
  - On the Managed Objects page, click Alpha_user.
  - Scroll down, and click the pencil icon next to frindexedMultivalued1 to edit it.
  - On the frindexedMultivalued1 page, enter the following values:
    Readable Titles: Enter managerID.
    Description: Enter a description of the managed object.
    Show advanced options: Click the link to display more options.
    Viewable: Click to disable it.
    User Editable: Click to disable it.
    Virtual: Click to enable it.
  - Click Save.
  - Click the Query Configuration tab, enter the following, and then click Save.
    Referenced Relationship Fields: Enter ["manager"].
    Referenced Object Fields: Enter the referenced object, _id.
    Flatten Properties: Click to enable it.
Now, set up a manager on each user using a relationship-derived virtual property (RDVP). RDVPs are calculated based on relationships and relationship notifications. Here we create an RDVP to query users ("reports") who have a manager expressed in the _id property. For more information, see Relationship-derived virtual properties.
- Create a new internal role called RequestDirects:
  - On the Identity Cloud admin UI, log in to Identity Cloud as a tenant administrator.
  - Click Identities > Manage > Internal Roles > New Internal Role.
  - On the New Internal role modal, enter the following, and then click Next.
    - Name. Enter a descriptive name for the internal role: RequestDirects.
    - Description. Optional. Enter a description for the internal role.
- Set the internal role permissions:
  - On the Internal role permissions modal, select Alpha realm - Users.
  - Click Add. The permissions for View, Create, Update, and Delete are displayed.
  - Keep View selected.
  - For attribute permissions, click Show advanced.
  - Click set all attributes, and select None.
  - For the following attributes, set the permission to Read:
    - userName
    - givenName
    - sn
    - mail
  - Click Administer only a subset of Alpha realm - Users by applying a filter.
  - Click Advanced Editor, and enter /frIndexedMultivalued3 eq "{{_id}}".
  - Click Next.
  - On the Dynamic Internal role Assignment modal, click Next.
  - On the Time Constraint modal, click Save.
- Create an RDVP and make it queryable:
  - Click Native Console > Identity Management.
  - On the Quick Start page, click Configure on the top navigation bar, and then select Managed Objects.
  - On the Managed Objects page, click Alpha_user.
  - Scroll down, and click the pencil icon next to frindexedMultivalued2 to edit it.
  - On the frindexedMultivalued2 page, enter the following values:
    - Readable Titles: reportsIDs
    - Description: Enter a description of the managed object.
  - Click Show advanced options.
  - Click Viewable to disable it.
  - Click User Editable to disable it.
  - Click Virtual to enable it. We are using frIndexedMultivalued2 as a virtual RDVP.
  - Click Query Configuration.
  - In the Referenced Relationship Fields, enter ["reports"]. This relationship property is used to calculate the RDVP.
  - In the Referenced Object Fields, enter _id. This property holds the returned value when the RDVP is calculated. In this example, this is _id.
  - Click Flatten Properties to enable it.
  - Click Save. The Managed Object created message appears.
- Reset the RequestDirects internal role:
  - Click Manage Identities > Internal Roles > RequestDirects.
  - On the RequestDirects modal, click Privileges.
  - Click the ellipsis icon next to the View privilege.
  - On the Edit Privilege modal, click Show advanced, and then click Advanced Editor.
  - In the Assign user based on if query evaluates to true: field, enter the condition /frIndexedMultivalued2 pr.
  - Click Save. The new RDVP allows an end user's direct reports to be updated virtually whenever the RDVP is recalculated due to a change.
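To make the scoping in use case 3 concrete (and the {{attribute}} substitution that use case 2 also relies on), here is an added example, not code from the page or from Identity Cloud, that models how the RequestDirects role condition /frIndexedMultivalued2 pr and the privilege filter /frIndexedMultivalued3 eq "{{_id}}" narrow which users a requester can see. It assumes a simplified evaluator that supports only the eq and pr operators, and uses constructed sample users; the real product's filter engine is not reproduced here.

```python
import re

# Constructed sample users (not real data). frIndexedMultivalued3 holds the
# manager's _id (managerID); frIndexedMultivalued2 is the RDVP of report _ids.
USERS = {
    "m1": {"_id": "m1", "userName": "mgr", "city": "Denver",
           "frIndexedMultivalued3": [], "frIndexedMultivalued2": ["u1", "u2"]},
    "u1": {"_id": "u1", "userName": "alice", "city": "Denver",
           "frIndexedMultivalued3": ["m1"], "frIndexedMultivalued2": []},
    "u2": {"_id": "u2", "userName": "bob", "city": "Boston",
           "frIndexedMultivalued3": ["m1"], "frIndexedMultivalued2": []},
    "u3": {"_id": "u3", "userName": "carol", "city": "Denver",
           "frIndexedMultivalued3": [], "frIndexedMultivalued2": []},
}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
# Simplified grammar (assumption): /attr eq "literal"  or  /attr pr
FILTER = re.compile(r'^/(\w+)\s+(eq|pr)(?:\s+"([^"]*)")?$')

def resolve(template: str, requester: dict) -> str:
    """Replace {{attr}} with the requesting user's own attribute value."""
    return PLACEHOLDER.sub(lambda m: str(requester.get(m.group(1), "")), template)

def matches(user: dict, expr: str) -> bool:
    """Evaluate one resolved filter against one user record.
    A multi-valued attribute satisfies 'eq' if any element equals the literal."""
    m = FILTER.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    attr, op, literal = m.groups()
    value = user.get(attr)
    if op == "pr":  # present: attribute exists and is not empty
        return value not in (None, "", [])
    values = value if isinstance(value, list) else [value]
    return literal in values

def role_assigned(user: dict, condition: str) -> bool:
    """Dynamic role condition, e.g. '/frIndexedMultivalued2 pr' (has reports)."""
    return matches(user, condition)

def visible_users(requester: dict, privilege_filter: str, condition: str) -> list:
    """_ids the requester may see: nothing unless the role condition holds,
    then only users matching the privilege filter after {{...}} substitution."""
    if not role_assigned(requester, condition):
        return []
    expr = resolve(privilege_filter, requester)
    return sorted(u["_id"] for u in USERS.values() if matches(u, expr))
```

With these records, the manager m1 sees exactly u1 and u2, while u1 (who has no reports, so the role condition fails) sees nobody.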