A seamless end-user experience for access requests is essential in maintaining security and compliance within an organization. To achieve this, it is crucial to manage the visibility and requestability of items for different user types effectively. Presenting all users with a uniform catalog of requestable items can lead to an overwhelming and confusing experience as they must navigate through vast amounts of data to find relevant resources. Moreover, exposing unnecessary data poses a significant security risk, as external users or potentially malicious actors could gain access to the organization's most sensitive roles and resources. For regulatory compliance, it is vital to prevent specific user groups from seeing or requesting certain roles and resources by enforcing country-specific restrictions like the International Traffic in Arms Regulations (ITAR).
Eligibility Policies
EmpowerID addresses this issue with a robust policy engine designed to control which users may see and request roles and resources in the IT Shop. These policies, known as "Eligibility policies," can be applied to users based on attribute queries, roles, groups, or other criteria. This flexibility makes it easy to target specific users for policy assignment and automate the process throughout their lifecycle. To further reduce administrative workload, Eligibility policies can be applied to all requestable items of a particular type or location instead of individually. This approach allows policies to be more comprehensive, granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what they may see and request in the IAM Shop. Policies also apply to the role itself as a potential IAM Shop item to regulate who may see and request it.
Eligibility Rules
Eligibility policies can be categorized as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop, ensuring that only relevant resources are available to them. An example of this would be filtering available resources for Field Sales employees and developers, providing each group with a tailored catalog of requestable roles and resources. This approach prevents unwarranted access requests, reducing unnecessary approval tasks. Furthermore, inclusion and exclusion rules enhance the user shopping experience by shielding employees from viewing resources they cannot request.
...
Macrosuite divider macro | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Configure Eligibility for Business Roles and Location Combinations
...