EmpowerID simplifies the integration of PBAC (Policy-Based Access Control) and non-Azure applications through its "Onboard Application" workflow. This wizard-driven process is designed to streamline application onboarding by offering configurable parameters and approval settings, ensuring a tailored fit for your organization's specific needs and security policies.
Prerequisites
To add an enterprise application to Azure, you need:
- An Azure AD tenant managed by EmpowerID
- One of the following Azure roles linked to the Service Principal EmpowerID uses to connect to Azure: Global Administrator, Cloud Application Administrator, or Application Administrator.
To run the CreateAzureApplication workflow, users must have the UI-Res-Admin-MS-Application Management Role.
Procedure
Step 1: Configure workflow parameters
The "Onboard Application" workflow features a variety of customizable parameters that allow administrators to adjust the fields displayed during the onboarding process. These settings let you control which workflow steps are visible and what default values they carry, so that the workflow aligns with your organizational requirements.
Configuring Parameters
Sign in to EmpowerID as an administrator and browse to Low Code/No Code Workflow > Low Code Workflows.
Select the Workflow tab and search for Onboard Application.
Click the Display Name link to browse to the workflow’s View One page.
Expand the Request Workflow Parameters accordion on the View One page for the workflow and search for the parameter you need to configure. In this example, we set the DefaultAccountStoreID parameter to populate the “Select Account Store” field with the selected account store.
Click the edit button for the parameter, enter the appropriate Value, and click Save.
Configure any other parameters as needed.
Step 2: Execute the workflow
Run the “Onboard Application” workflow to initiate the onboarding process for a PBAC application.
Sign in to Resource Admin as a user with at least the Application RBAC Owner Management Role.
Under "Applications," select the Workflows tab and click Onboard a Non-Azure Application.
This opens the Onboard Application wizard workflow.
Note that, depending on the workflow parameter settings you configured, the fields displayed may differ from those described below. Follow the wizard and fill in the fields of each workflow section with the appropriate information for your application.
Field | Description | Action |
---|---|---|
Name | Name of the application | Enter the name of the application. |
Display Name | User friendly name of the application | Enter a display name for the application. |
Description | Brief characterization of the application | Enter a description of the application. |
Select a Location | EmpowerID location to be used for RBAC access to the application. | Select an EmpowerID location for the application. |
Select Account Store | Inventoried account store (directory) with application resources. In most cases, EmpowerID should be selected. | Select the inventoried account store (directory) with the resources the application applies to. |
PBAC App | Specifies whether the application is a PBAC app. When selected, EmpowerID creates a Resource Module for the application. | Select this option to specify that the app is a PBAC app. |
App Authorization Model | Defines the framework within the application for managing user access to its data, specifying how permissions are structured and enforced. | Select the appropriate app authorization model. |
Allow Shop for Role Definitions | Specifies whether users can shop for any role definitions created for the application. | Enable/disable the setting for your situation. |
Allow Shop for Rights | Specifies whether users can shop for any rights created for the application. | Enable/disable the setting for your situation. |
Allow Shop for App Management Roles | Specifies whether users can shop for any Management Roles created for the application. | Enable/disable the setting for your situation. |
When onboarding an application, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.
Field | Description | Action |
---|---|---|
Responsible Party | Identifies the primary individual accountable for the application. | Type in the full name of the person who will take responsibility for managing the application. This field is mandatory. |
Owners | Lists the people who have ownership rights over the application. | Enter the names of the individuals designated as owners, one at a time. Providing owner information is optional but recommended for better governance. |
Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies, one at a time. Including deputy information is optional. |
When making an application requestable in the IAM Shop, it is crucial to configure several settings that dictate how requests are handled and who can access them.
Field | Description | Action |
---|---|---|
Set Requestable Setting | Specifies if users can request access to the application in the IAM Shop. | Enable the "Set Requestable Setting" to make the application available for requests. When enabled, the settings below are relevant. |
Select Access Request Policy | Defines the policy to be used for processing application requests. | From the "Select Access Request Policy" dropdown, choose the policy that best fits how you wish to handle incoming requests for the application. |
Eligible to Request | Specifies users allowed to request access to the application. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles eligible to make requests. |
Pre-approved for Access | Specifies users who are pre-approved for access to the application, bypassing the need for manual request approval. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles pre-approved for the application. |
Suggested Assignees | Identifies users who will see the application as a suggested resource. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles suggested for application access. |
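As an added illustration (not EmpowerID code), the following Python model shows how the IAM Shop settings above interact once a request arrives: the requestable flag gates everything, pre-approved assignees are assumed to skip manual approval, eligible assignees are assumed to be routed to the selected access request policy, and matching is by person name, group, or Management Role. The policy name and the people in the test data are constructed; "Application RBAC Owner" is the Management Role named earlier on this page.

```python
from dataclasses import dataclass
from enum import Enum

class AssigneeType(Enum):
    """Assignee types the wizard offers for each eligibility field."""
    PERSON = "Person"
    GROUP = "Group"
    MANAGEMENT_ROLE = "Management Role"

@dataclass(frozen=True)
class Assignee:
    kind: AssigneeType
    name: str

@dataclass
class Requester:
    """A person shopping for the app, with the groups and Management Roles they hold."""
    name: str
    groups: frozenset = frozenset()
    management_roles: frozenset = frozenset()

    def matches(self, a: Assignee) -> bool:
        if a.kind is AssigneeType.PERSON:
            return a.name == self.name
        if a.kind is AssigneeType.GROUP:
            return a.name in self.groups
        return a.name in self.management_roles

@dataclass
class ShopSettings:
    """The IAM Shop request settings collected by the wizard (constructed model)."""
    requestable: bool
    access_request_policy: str = ""
    eligible: frozenset = frozenset()
    pre_approved: frozenset = frozenset()
    suggested: frozenset = frozenset()

def evaluate_request(settings: ShopSettings, who: Requester) -> str:
    """Assumed: requestable gates all, pre-approved skips approval, eligible goes to policy."""
    if not settings.requestable:
        return "hidden: application is not requestable"
    if any(who.matches(a) for a in settings.pre_approved):
        return "auto-approved: requester is pre-approved"
    if any(who.matches(a) for a in settings.eligible):
        return f"pending: routed to policy '{settings.access_request_policy}'"
    return "denied: requester is not eligible to request"

def is_suggested(settings: ShopSettings, who: Requester) -> bool:
    """True when the app appears as a suggested resource for this requester."""
    return settings.requestable and any(who.matches(a) for a in settings.suggested)
```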
Review the summary information for the application and then click Submit.
Click Submit to close the Operation Execution Summary and exit the wizard.
Confirm the Results
After completing the workflow, verify that the application appears in Resource Admin and the IAM Shop (if configured as requestable).
Locate the application in Resource Admin and click the Details button for the application record.
On the Overview page, verify that the general information and eligibility settings match what was submitted.
Next Steps