
EmpowerID simplifies the integration of PBAC (Policy-Based Access Control) and other types of non-Azure applications through its "Onboard Application" workflow. This wizard-driven process streamlines application onboarding by offering configurable parameters and approval settings, ensuring a tailored fit for your organization's specific needs and security policies.


Prerequisites

To add an enterprise application to Azure, you need:

  • An Azure AD tenant managed by EmpowerID
  • One of the following Azure roles linked to the Service Principal EmpowerID uses to connect to Azure: Global Administrator, Cloud Application Administrator, or Application Administrator.

To run the CreateAzureApplication workflow, users must have the UI-Res-Admin-MS-Application Management Role.

Procedure

Step 1: Configure workflow parameters

The "Onboard Application" workflow features a variety of customizable parameters that allow administrators to adjust the fields displayed during the onboarding process. These settings enable you to define the specific workflow steps' visibility and default values of specific workflow steps, ensuring the workflow aligns with your organizational requirements.

Workflow Parameters

Parameter

Description

CreateTrackingOnlyAccountStore_IsVisible

Boolean value to determine whether the “Create a Tracking-Only Account Store” selector is visible in the first step of the workflow.

DefaultAccessRequestPolicyID

Optional setting that specifies the default Access Request policy bound to the “Access Request Policy” dropdown in the IAM Shop Settings step of the workflow. If set, the value must be the GUID for the policy.

DefaultAccountStoreID

Optional setting that specifies the default account store bound to the “Select Account Store” dropdown in the first step of the workflow. If bound, users can select other account stores from the dropdown as needed. The value must be the AccountStoreID short.

DefaultOrgZoneID

Optional setting that specifies the default EmpowerID location bound to the “Select a Location” tree drop-down. If the “SelectaLocation_IsVisible” parameter is set to false, this parameter must be set to the integer of the default OrgZoneID.

DefaultProtectedApplicationResourceUsageTypeID

Optional setting that specifies the default Protected Application Resource Usage Type ID bound to the “App Authorization Model” dropdown. The possible values are the app authorization models offered by that dropdown (for example, “PBAC App: No App Resources, Yes Field Types”).

DeputyResourceTypeRoleName

Specifies the Access Level assigned to deputy owners of the application. The default Access Level is the “ACT-Application-Object-Administration” Access Level, which grants access to create, edit and delete applications.

IAM_EligibleAssignees_IsVisible

Boolean value to determine whether the “Eligible to Request” option is visible in the IAM Shop Settings step of the workflow.

IAM_PreApprovedAssignees_IsVisible

Boolean value to determine whether the “Pre-Approved for Access” option is visible in the IAM Shop Settings step of the workflow.

IAM_SuggestedAssignees_IsVisible

Boolean value to determine whether the “Suggested” option is visible in the IAM Shop Settings step of the workflow.

ManagementRoleIDsToNotify

Comma-separated list of Management Role IDs to be notified via email upon creation of the PBAC application.

OwnerResourceTypeRoleName

Specifies the Access Level assigned to owners of the application. The default Access Level is the “Resource Role Assigner” Access Level.

SelectAccountStore_IsVisible

Boolean value to determine whether the “Select Account Store” selector is visible in the first step of the workflow.

SelectaLocation_IsVisible

Boolean value to determine whether the “Select a Location” selector is visible in the first step of the workflow. If false, the DefaultOrgZoneID parameter mentioned above must be set.
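The parameter values are typed free-text entries in the workflow's View One page, so a wrong type or a missing companion value is only discovered when the workflow runs. The following added example (not EmpowerID code) checks a set of values against the constraints the table above states: the *_IsVisible parameters are Booleans, DefaultAccessRequestPolicyID is a GUID, DefaultOrgZoneID is an integer, DefaultAccountStoreID is a short, ManagementRoleIDsToNotify is a comma-separated list of IDs, and hiding the “Select a Location” selector requires DefaultOrgZoneID. Treating DefaultProtectedApplicationResourceUsageTypeID and Management Role IDs as integers is an assumption, and the sample values are constructed.

```python
"""Validate "Onboard Application" workflow parameter values before saving them.

Added example, not EmpowerID code. Parameter names come from the table on this
page; treating DefaultProtectedApplicationResourceUsageTypeID and Management Role
IDs as integers is an assumption, and the sample values below are constructed.
"""
import uuid

BOOLEAN_PARAMS = {
    "CreateTrackingOnlyAccountStore_IsVisible",
    "IAM_EligibleAssignees_IsVisible",
    "IAM_PreApprovedAssignees_IsVisible",
    "IAM_SuggestedAssignees_IsVisible",
    "SelectAccountStore_IsVisible",
    "SelectaLocation_IsVisible",
}
INTEGER_PARAMS = {"DefaultOrgZoneID", "DefaultProtectedApplicationResourceUsageTypeID"}
SHORT_PARAMS = {"DefaultAccountStoreID"}          # "AccountStoreID short" per the table
GUID_PARAMS = {"DefaultAccessRequestPolicyID"}
NAME_PARAMS = {"DeputyResourceTypeRoleName", "OwnerResourceTypeRoleName"}
ID_LIST_PARAMS = {"ManagementRoleIDsToNotify"}
KNOWN_PARAMS = (BOOLEAN_PARAMS | INTEGER_PARAMS | SHORT_PARAMS | GUID_PARAMS
                | NAME_PARAMS | ID_LIST_PARAMS)


def _is_int(text: str) -> bool:
    try:
        int(text)
        return True
    except ValueError:
        return False


def validate_parameters(params: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    errors = []
    for name, raw in params.items():
        value = raw.strip()
        if name not in KNOWN_PARAMS:
            errors.append(f"{name}: unknown parameter")
        elif name in BOOLEAN_PARAMS:
            if value.lower() not in ("true", "false"):
                errors.append(f"{name}: expected true or false, got {value!r}")
        elif value == "":
            continue  # the remaining parameters are optional; empty means unset
        elif name in INTEGER_PARAMS and not _is_int(value):
            errors.append(f"{name}: expected an integer, got {value!r}")
        elif name in SHORT_PARAMS and not (_is_int(value) and -32768 <= int(value) <= 32767):
            errors.append(f"{name}: expected a short integer, got {value!r}")
        elif name in GUID_PARAMS:
            try:
                uuid.UUID(value)
            except ValueError:
                errors.append(f"{name}: expected a GUID, got {value!r}")
        elif name in ID_LIST_PARAMS:
            if not all(_is_int(part.strip()) for part in value.split(",")):
                errors.append(f"{name}: expected comma-separated integer IDs, got {value!r}")
    # Cross-field rule from the table: if the location selector is hidden, the
    # workflow cannot ask the user for a location, so a default must be supplied.
    if params.get("SelectaLocation_IsVisible", "true").strip().lower() == "false":
        if not _is_int(params.get("DefaultOrgZoneID", "").strip()):
            errors.append("DefaultOrgZoneID: required when SelectaLocation_IsVisible is false")
    return errors


# Constructed sample values (not from any real tenant).
SAMPLE_VALID = {
    "SelectaLocation_IsVisible": "false",
    "DefaultOrgZoneID": "42",
    "DefaultAccountStoreID": "7",
    "DefaultAccessRequestPolicyID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "ManagementRoleIDsToNotify": "12, 34",
}
SAMPLE_INVALID = {
    "SelectaLocation_IsVisible": "false",   # hidden, but no DefaultOrgZoneID given
    "DefaultAccessRequestPolicyID": "not-a-guid",
    "IAM_SuggestedAssignees_IsVisible": "yes",
}

if __name__ == "__main__":
    print("valid sample:", validate_parameters(SAMPLE_VALID))
    for problem in validate_parameters(SAMPLE_INVALID):
        print("invalid sample:", problem)
```

Run the checker over the values you intend to enter before editing them in the Request Workflow Parameters accordion; the cross-field rule is the one most easily missed, because each parameter looks valid on its own.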

To configure workflow parameters, do the following:


Configuring Parameters

  1. Sign in to EmpowerID as an administrator and, on the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.

  2. Select the Workflow tab and search for Onboard Application.

  3. Click the Display Name link for the workflow to browse to the workflow’s View One page.


  4. On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set the DefaultAccountStoreID parameter to populate the “Select Account Store” field with the selected account store.


  5. Click the edit button for the parameter, enter the appropriate Value, and click Save.


  6. Configure any other parameters as needed.

Step 2: Execute the workflow

Run the “Onboard Application” workflow to initiate the onboarding process for a PBAC application.

  1. Sign in to Resource Admin as a user with at least the Application RBAC Owner Management Role.

  2. Under “Applications,” select the Workflows tab and click Onboard a Non-Azure Application.


    This opens the Onboard Application wizard workflow.
    Note that, depending on the workflow parameter settings selected, the fields displayed may differ from those shown below.


  3. Follow the wizard and fill in the fields of each section of the workflow with the appropriate information for your application.

Application Details

Field

Description

Action

Name

Name of the application

Enter the name of the application, without spaces or special characters.

Display Name

User friendly name of the application

Enter a display name for the application.

Description

Brief characterization of the application

Enter a description.

Select a Location

EmpowerID location to be used for RBAC access to the application.

Select an EmpowerID location for the application.

Select Account Store

Inventoried account store (directory) with application resources. In most cases, EmpowerID should be selected.

Select the inventoried account store (directory) with the resources the application applies to.

PBAC App

Specifies whether the application is a PBAC app. When selected, EmpowerID creates a Resource Module for the application.

Select this option to specify that the app is a PBAC app.

App Authorization Model

Defines the framework within the application for managing user access to its data, specifying how permissions are structured and enforced.

Select the appropriate app authorization model. For example, if the app does not have any app resources stored in the EmpowerID Identity Warehouse for access control, but does have field types, you would select “PBAC App: No App Resources, Yes Field Types.”

Allow Shop for Role Definitions

Specifies whether users can shop for any role definitions created for the application.

Enable/disable the setting for your situation.

Allow Shop for Rights

Specifies whether users can shop for any rights created for the application.

Enable/disable the setting for your situation.

Allow Shop for App Management Roles

Specifies whether users can shop for any Management Roles created for the application.

Enable/disable the setting for your situation.

Owner Information

When onboarding an application, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.

Field

Description

Action

Responsible Party

Identifies the primary individual accountable for the application.

Type in the full name of the person who will take responsibility for managing the application. This field is mandatory.

Owners

Lists the people who have ownership rights over the application.

Enter the names of the individuals designated as owners, one at a time. Providing owner information is optional but recommended for better governance.

Deputies

Specifies secondary contacts or assistants to the owners.

Input the names of individuals assigned as deputies, one at a time. Including deputy information is optional.

IAM Shop Settings

When making an application requestable in the IAM Shop, it is crucial to configure several settings that dictate how requests are handled and who can access them.

Field

Description

Action

Set Requestable Setting

Specifies whether users can request access to the application in the IAM Shop.

Enable the "Set Requestable Setting" to make the application available to eligible users in the IAM Shop; otherwise, disable the setting.

Select Access Request Policy

Defines the policy to be used for processing application requests.

From the "Select Access Request Policy" dropdown, choose the policy that best fits how you wish to handle incoming requests for the application. For applications, the Default policy is suggested. This policy routes access requests to application owners for approval.

Eligible to Request

Specifies users allowed to request access to the application.

Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles eligible to make requests.

Pre-approved for Access

Specifies users who are pre-approved for access to the application, bypassing the need for manual request approval.

Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles pre-approved for the application.

Suggested Assignees

Identifies users who will see the application as a suggested resource that they can request.

Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles suggested for application access.
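The three assignee lists interact with the requestable flag and the access request policy in a way that is easy to get wrong when configuring a new application, so the following added example (not EmpowerID code) models the IAM Shop Settings above as a decision function: "Set Requestable Setting" off hides the application; Eligible to Request controls who may request it; Pre-approved for Access bypasses manual approval; Suggested Assignees see it as a suggested resource; and the Default access request policy routes remaining requests to the application owners. Treating a pre-approved user as able to request even when not separately listed as eligible is an assumption of this model, as are the assignee-type names and the constructed people, groups and Management Roles.

```python
"""Simplified model of how the wizard's IAM Shop settings shape an access request.

Added example, not EmpowerID code. The assignee types mirror the wizard's
selector (Person, Group, Management Role); the people, groups, roles and owner
names are constructed, and the pre-approved-implies-requestable rule is an
assumption of this model.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    name: str
    groups: frozenset = frozenset()
    management_roles: frozenset = frozenset()


@dataclass
class IamShopSettings:
    requestable: bool                       # "Set Requestable Setting"
    access_request_policy: str = "Default"  # "Select Access Request Policy"
    owners: tuple = ()                      # owners from the Owner Information step
    # Each mapping is assignee type -> names selected for that type in the wizard.
    eligible: dict = field(default_factory=dict)      # "Eligible to Request"
    pre_approved: dict = field(default_factory=dict)  # "Pre-approved for Access"
    suggested: dict = field(default_factory=dict)     # "Suggested Assignees"


def matches(person: Person, assignees: dict) -> bool:
    """True if the person is named directly or through a group or Management Role."""
    return (person.name in assignees.get("Person", set())
            or bool(person.groups & set(assignees.get("Group", set())))
            or bool(person.management_roles & set(assignees.get("Management Role", set()))))


def evaluate_request(settings: IamShopSettings, person: Person) -> dict:
    """Describe whether the person sees the app, can request it, and how it is approved."""
    hidden = {"visible": False, "can_request": False, "approval": None, "suggested": False}
    if not settings.requestable:
        return hidden
    pre_approved = matches(person, settings.pre_approved)
    if not (matches(person, settings.eligible) or pre_approved):
        return hidden
    if pre_approved:
        approval = "auto-approved"  # bypasses manual request approval
    elif settings.access_request_policy == "Default":
        approval = "routed to owners: " + ", ".join(settings.owners)
    else:
        approval = f"routed per policy {settings.access_request_policy!r}"
    return {"visible": True, "can_request": True, "approval": approval,
            "suggested": matches(person, settings.suggested)}


# Constructed sample data.
SAMPLE_SETTINGS = IamShopSettings(
    requestable=True,
    owners=("Alice",),
    eligible={"Group": {"Engineering"}},
    pre_approved={"Management Role": {"App Admin"}},
    suggested={"Group": {"Engineering"}},
)
BOB = Person("Bob", groups=frozenset({"Engineering"}))
CAROL = Person("Carol", groups=frozenset({"Engineering"}),
               management_roles=frozenset({"App Admin"}))
DAVE = Person("Dave", groups=frozenset({"Sales"}))

if __name__ == "__main__":
    for who in (BOB, CAROL, DAVE):
        print(who.name, evaluate_request(SAMPLE_SETTINGS, who))
```

Walking a few representative people through evaluate_request before submitting the wizard is a quick way to confirm that the pre-approved list is as narrow as intended, since anyone it matches never reaches the owners for approval.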

  1. Review the summary information for the application and then click Submit.


  2. Click Submit to close the Operation Execution Summary and exit the wizard.



Confirm the Results

After completing the workflow, verify that the application appears in Resource Admin and in the IAM Shop (if you configured the application as requestable). Do the following to verify that the application has been successfully onboarded and that all configurations and rights settings are correctly applied.

  1. Locate the application in Resource Admin and click the Details button for the application record.


  2. On the Overview page, verify that the general information and eligibility settings match those initially set for the application.


  3. Expand the PBAC Assignments menu item and verify that the ability to manage App Right and Role Definition assignments matches what was specified for the application. For example, if you enabled Allow Role Definition Assignment, you should see a “Role Definition Assignments” menu with an “Assign Role Definition” button.

  4. Expand the PBAC Definitions menu item and verify that the ability to manage App Rights, Role Definitions, and App Management Roles matches what was submitted.


Adding PBAC Resource Types

Adding PBAC App Resources

Managing App Rights and Field Types

Managing Role Definitions


Setting up PBAC Approval Routing
