This article provides information on setting up PBAC approval routing for a “PBAC” application within EmpowerID. PBAC approval routing offers a flexible and dynamic framework for managing approver permissions based on specific criteria and conditions.
Prerequisites
Before you begin, ensure you have the following:
At least the Application RBAC Owner Management Role.
Defined rights, Field Types, and Field Type Values relevant to your application.
Procedure
Step 1: Create an Access Request Policy for PBAC Approval
Use the EmpowerID navbar and navigate to Low Code/No Code Workflow > Access Request Policies.
Click the Add button on the Access Request Policy page.
In the General section of the form that appears, enter the following information:
Name: Enter an appropriate name for the policy, such as “PBAC Approval” or “PBAC Approval Access Request Policy.”
Display Name: Enter an appropriate display name.
Description: Enter an appropriate description.
Approval Policy: Select PBAC Approval.
Allow Activation (Skip Business Request): Enable this option.
Selectable in UI: Enable this option.
Leave all other form fields with their default settings and click Save.
Step 2: Create Approval Rights
Create approval rights for each application right you want to configure for PBAC approval. For example, if you have a “View Product Catalog” right, you could create an approval right named “View Product Catalog Approval.”
Sign in to the Resource Admin portal as a user with at least the Application RBAC Owner Management Role.
Search for the PBAC application where you want to create approval rights and click the Details button for the app record.
This action directs you to the Overview page for the application.
Expand the PBAC Definitions menu item, select App Rights, and click Create App Right.
This action initiates the “Onboard Az Local Right” wizard workflow.
Follow the wizard and fill in the fields of each workflow section with the appropriate information for the app right.
Under Advanced Right Information, deselect Allow Export and leave all other fields empty, as they pertain to PBAC approval routing set on app rights only, not approval rights.
Field | Description | Action |
---|---|---|
Name | Name of the app right | Enter the name of the app right (without spaces). For example, if you have an app right named “View Product Catalog,” you could name the corresponding approval right “ViewProductCatalogApproval.” |
Display Name | User friendly name of the app right | Enter a display name for the app right. |
Description | Brief characterization of the app right | Enter a brief characterization of the app right. |
Right Type | Application Right | N/A (the field is read-only, with Application Right selected by default) |
Location | EmpowerID location to be used for RBAC access to the app right. Default Organization is selected by default. | If you wish to select a location other than the default, clear the default location and search for and select the desired location. |
PBAC Resource Type | An optional setting that specifies the resource type to which the app corresponds. | Select the corresponding PBAC Resource Type. Options available include only those previously created for the application. If the app does not have any PBAC Resource Types, this field returns no results. |
When onboarding an App Right, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.
Field | Description | Action |
---|---|---|
Responsible Party | Identifies the primary individual accountable for the App Right. | Type in the full name of the person who will take responsibility for managing the App Right. This field is mandatory. |
Owners | Lists the people who have ownership rights over the App Right. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |
IAM Shop settings specify whether the right is requestable in the IAM Shop, set the Access Request policy, and select eligibility.
Do the following in this section:
Under Select Access Request Policy, select Default Access Request Policy.
Under Select Assignees, select who should be eligible for assignment to the approval right. This allows you to assign the approval right to those eligible for it.
Deselect Requestable in IAM Shop as the approval right should not be requestable, and click Next.
Review the summary information for accuracy. If necessary, click the Back button to revisit previous workflow steps.
When ready, click Submit to create the approval right.
Repeat the procedure to add additional approval rights as needed.
Step 3: Assign Approval Rights to App Rights
From the application's App Rights menu, search for the app right that is the target of the approval right you created.
Click the gear icon for the app right and select Manage Local Right from the context menu.
This initiates the ManageAzLocalRightWizard workflow, opening it to the Select Action section.
Under Select Options, choose Edit Settings for Right and click Next.
Under Advanced Settings, do the following:
Select Split By Value for Approval to send approval requests to different people based on the requested Field Type Values. If you do not want to create separate requests for Field Type Values, leave this unselected.
In the PBAC Approval Right field, enter the name of the approval right created for the app and click the tile for that approval right to select it.
Click Next.
Click Submit to close the Operation Execution Summary.
This directs you to the "Finish or Start Over Workflow" step, which allows you to handle various aspects of the current local right, manage other local rights, or complete the workflow.
Select the appropriate option and click Submit. For this article, we are finishing the workflow.
In this step, you assign the approval right to users who can approve or reject business requests for the application right.
On the App menu, navigate to PBAC Assignments > App Rights Assignments.
Click the dropdown arrow on the Assign App Right button and select Assign to Person.
Search for and select the person from the Select Person to Assign Right(s) field.
This opens the “Assign Rights” modal with the person selected to receive one or more app rights.
Click the app right to be assigned from the All panel on the left of the Assign Rights modal. This allows you to view information about the Access Request Policy governing access to the right and enables the “Add” button.
Optionally, to add a time constraint to the assignment, toggle the Set Duration button, click the End Date Time field, and select the appropriate end date and time from the calendar.
Click Add.
This moves the app right to the Added panel.
Click Add to Cart.
Click the shopping cart icon and fill in the required Add a Comment and Enter Business Request Name fields.
When ready, click Submit.
You should see a message indicating the status of the cart submission.
Click the status link to view the request status in My Tasks and approve the assignment.
Click Submit to complete the approval process.
You should see that the request has been approved and completed.
Return to the App Rights Assignments page in Resource Admin. You should see the assignment.
Expected Results
When someone with eligibility for the app right requests access to it from the IAM Shop, the request will be routed to the appropriate PBAC approver(s). To test this, do the following:
Sign in to the IAM Shop as a user eligible for the application.
Search for the application and click Request Access.
Edit Approval Routing for Field Types
In the above example, PBAC Approval was configured to allow the approvers to approve all requests to view the product catalog. If needed, the assignment can be scoped to limit approval to specific field types defined for the product catalog. To implement scopes, do the following:
Click the Edit button for the approval right.
If you are assigning the approval right to a single person, do the following:
Click Assign to Person.
Enter the name of the person in the Select Person to Assign Right(s) field and click the tile for that person.
If assigning to another assignee type such as a Management Role, click Assign Right to any Assignee Type and do the following:
Choose Type: Enter the assignee type and then click the tile for that type to select it.
Right to Grant: Enter the name of the approval right and click the tile for that right to select it.
This opens the application drawer.
Select one of the rights configured for the application, then select a Field Type and one or more Field Type Values (if configured for the application). In this example, we have selected “Edit Product Catalog” as the app right and “Lawn Care” and “Tools” Field Type Values from the “Hardware Products” Field Type.
Click Add to Cart.
Click the cart icon to open the cart. You should see the app right and any Field Type “Scope” Values (if selected).
Fill in the required Comment fields and then click Evaluate Request to check for potential SOD violations.
Once the request has been evaluated, enter a Business Request Name and click Submit.
You should see that the request has been submitted for approval. If Field Type Values were selected and Split By Value Approval was selected for the requested app right, you will see an approval task for each requested Field Type Value.
Click the status link.
This directs you to the My Requests page of My Tasks and opens the Request Detail pane for the request.
Click the Process Steps tab and then click the Show Approvers link. You should see the person designated as the PBAC approver.
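The routing behaviour described in this article, as an added example that is not EmpowerID code: a simplified Python model of Split By Value and scoped approval-right assignments, useful for checking that every requested Field Type Value has an approver. The approver names, the data structures, and the rule that an unsplit request needs an approver whose scope covers every requested value are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    """One approval-right assignment; an empty scope means unscoped (all values)."""
    approver: str
    approval_right: str
    scope: frozenset = frozenset()  # Field Type Values this approver may approve

@dataclass(frozen=True)
class Task:
    values: tuple
    approvers: tuple

def approvers_for(values, approval_right, assignments):
    """Approvers holding the right whose scope is empty or covers every value."""
    return tuple(sorted(
        a.approver for a in assignments
        if a.approval_right == approval_right
        and (not a.scope or set(values) <= a.scope)
    ))

def route(values, approval_right, assignments, split_by_value):
    """Return approval tasks: one per value when split, otherwise one for all."""
    if split_by_value and values:
        groups = [(v,) for v in values]
    else:
        groups = [tuple(values)]
    return [Task(g, approvers_for(g, approval_right, assignments)) for g in groups]

def unrouted(tasks):
    """Values whose task has no approver: a routing gap to fix before go-live."""
    return [v for t in tasks if not t.approvers for v in t.values]

# Constructed sample data reusing names from the article's examples (assumed).
ASSIGNMENTS = [
    Assignment("alice", "ViewProductCatalogApproval", frozenset({"Lawn Care"})),
    Assignment("bob", "ViewProductCatalogApproval", frozenset({"Tools"})),
]
REQUESTED = ["Lawn Care", "Tools"]

if __name__ == "__main__":
    for split in (True, False):
        tasks = route(REQUESTED, "ViewProductCatalogApproval", ASSIGNMENTS, split)
        print("split" if split else "single", tasks, "gaps:", unrouted(tasks))
```

In this model, a request for both values is fully routed only when Split By Value is on or an unscoped approver exists; a non-empty `unrouted` result marks values that need an approver assignment.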