Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

A seamless end-user experience for access requests is essential in Effectively managing which users can view and request resources is an important aspect of maintaining security and compliance within an organization. To achieve this, it is crucial to manage the visibility and requestability of items for different user types effectively. Presenting all users with a uniform Without proper controls, presenting a large, unfiltered catalog of requestable items resources can lead to an overwhelming and confusing experience as they must navigate through vast amounts of data to find relevant resources. Moreover, exposing unnecessary data poses a significant security risk, as external users or potentially malicious actors could gain access to the organization's most sensitive roles and resources. For regulatory compliance, it is vital to prevent specific user groups from seeing or requesting certain roles and resources by enforcing country-specific restrictions like the International Traffic in Arms Regulations (ITAR).

Eligibility Policies

EmpowerID addresses this issue with a robust policy engine designed to control which users may see and request roles and resources in the IT Shop. These policies, known as "Eligibility policies," can be applied to users based on attribute queries, roles, groups, or other criteria. This flexibility makes it easy to target specific users for policy assignment and automate the process throughout their lifecycle. To further reduce administrative workload, Eligibility policies can be applied to all requestable items of a particular type or location instead of individually. This approach allows policies to be more comprehensive, granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what they may see and request in the IAM Shop. Policies also apply to the role itself as a potential IAM Shop item to regulate who may see and request it.

Eligibility Rules

Eligibility policies can be categorized as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop, ensuring that only relevant resources are available to them. An example of this would be filtering available resources for Field Sales employees and developers, providing each group with a tailored catalog of requestable roles and resources. This approach prevents unwarranted access requests, reducing unnecessary approval tasks. Furthermore, inclusion and exclusion rules enhance the user shopping experience by shielding employees from viewing resources they cannot request.

Inclusion rules consist of the following:

...

Eligible: Users can request a resource in the IAM Shop, creating a Business Request. All business requests are routed for approval unless the requester is a designated approver and no additional approvals are needed.

...

confusion, inefficiency, and increased risk. This article provides an overview of how resource visibility and requestability can be managed using EmpowerID’s eligibility policies and rules.

Understanding Access Control Requirements

Organizations must ensure users see only those roles and resources relevant to their responsibilities. Additionally, compliance and regulatory frameworks may require restrictions based on factors such as geographic location, organizational structure, or industry standards. Eligibility policies and rules provide the fine-grained control needed to determine what users can view and request in the IAM Shop.

Eligibility Policies

Eligibility policies determine which users can see and request specific roles and resources. Administrators can base these policies on various criteria, including:

  • User attributes

  • Group memberships

  • Role assignments

  • Custom conditions

Applying policies at the appropriate scope—such as to all items of a certain type or at a specific node in the EmpowerID Location tree—helps streamline management. For example, you can assign an eligibility policy to a role so that only its members can view certain resources.

Eligibility Rules

Within eligibility policies, two primary rule types define visibility and requestability: Inclusion Rules and Exclusion Rules.

Inclusion Rules

Inclusion rules specify which resources are visible and requestable to particular user sets. They ensure that users only see items aligned with their roles and responsibilities. Inclusion rules fall into three categories:

  • Eligible:

    • Description: Users can request the resource, generating a Business Request that follows standard approval workflows (unless the requester is already an authorized approver).

    • Example Use Case: Assign this status to software licenses that require a manager’s approval before provisioning.

  • Pre-Approved:

    • Description: Users see an Activate button in the IAM Shop.

    To gain immediate access, users click the Activate button. Business Requests are not created, as no approvals are needed.
  • Suggested: Users will see resources with this rule applied as suggested items they may want to request. Submitted requests for suggested items follow standard approval routing rules.

 

...

    • Selecting it grants immediate access without generating a Business Request.

    • Example Use Case: Use for low-risk resources, such as basic application access or self-service password resets, that do not require additional approval.

  • Suggested:

    • Description: Resources appear as recommended items. Requests follow standard approval workflows.

    • Example Use Case: Apply to departmental tools or commonly requested resources to guide users without overwhelming them. 

...

Eligibility types applied to a specific resource type

...

...

Info

Inclusion and exclusion rules can be assigned to any EmpowerID actor type. If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion.

Macrosuite divider macro
dividerWidth80
dividerTypetext-with-icon
emoji{"id":"smile","name":"Smiling Face with Open Mouth and Smiling Eyes","short_names":["smile"],"colons":":smile:","emoticons":["C:","c:",":D",":-D"],"unified":"1f604","skin":null,"native":"😄"}
textColor#000000
dividerWeight3
labelPositionmiddle
textAlignmentcenter
iconColor#0052CC
iconSizemedium
fontSizemedium
textNext Steps
emojiEnabledfalse
dividerIconbootstrap/BarChartSteps
dividerColor#DFE1E6

...

Exclusion Rules

Exclusion rules prevent certain users or groups from viewing or requesting specific resources. These rules override inclusion rules, ensuring that sensitive or restricted resources remain inaccessible to unauthorized individuals.

Rule Precedence

If a user is subject to inclusion and exclusion rules, the exclusion rule takes precedence.

Best Practices

Policy Design and Implementation

  • Apply Targeted Policies: Assign policies to specific user groups or organizational units for greater control and reduced complexity.

  • Use Broad Assignments First: Consider applying policies at higher levels (e.g., the location tree) as a starting point before refining them at more granular levels.

  • Test Before Deployment: Evaluate policies and rules in a non-production environment to ensure proper functionality before applying them broadly.

Maintenance and Monitoring

  • Conduct Regular Reviews: Periodically review and adjust policy assignments to maintain alignment with organizational changes.

  • Validate Exclusion Rules: Confirm that exclusion rules function as intended and prevent unauthorized access.

  • Monitor Policy Performance: Assess whether policies effectively control access and adjust them as needed.

By effectively implementing eligibility policies and rules, organizations can present users with a relevant subset of resources, maintain compliance with regulatory requirements, and reduce the risk of inappropriate access.

Next Steps

/wiki/spaces/EAGV24R2/pages/3390580235 Insert excerptIL:External StylesheetIL:External Stylesheetnopaneltrue