This article provides information on setting up PBAC approval routing for a “PBAC” application within EmpowerID. PBAC approval routing offers a flexible and dynamic framework for managing approver permissions based on specific criteria and conditions.

Prerequisites

Before you begin, ensure you have the following:

  • At least the Application RBAC Owner Management Role.

  • Defined rights, Field Types, and Field Type Values relevant to your application.

Procedure

Step 1: Create an Access Request Policy for PBAC Approval

  1. Use the EmpowerID navbar and navigate to Low Code/No Code Workflow > Access Request Policies.

  2. Click the Add button on the Access Request Policy page.

  3. In the General section of the form that appears, enter the following information:

    • Name: Enter an appropriate name for the policy, such as “PBAC Approval” or “PBAC Approval Access Request Policy.”

    • Display Name: Enter an appropriate display name.

    • Description: Enter an appropriate description.

    • Approval Policy: Select PBAC Approval.

    • Allow Activation (Skip Business Request): Enable this option.

    • Selectable in UI: Enable this option.

  4. Leave all other form fields with their default settings and click Save.

Step 2: Create Approval Rights

Create approval rights for each application right you want to configure for PBAC approval. For example, if you have a “View Product Catalog” right, you could create an approval right named “View Product Catalog Approval.”

  1. Sign in to the Resource Admin portal as a user with at least the Application RBAC Owner Management Role.

  2. Search for the PBAC application where you want to create approval rights and click the Details button for the app record.

    This action directs you to the Overview page for the application.

  3. Expand the PBAC Definitions menu item, select App Rights, and click Create App Right.

    This action initiates the “Onboard Az Local Right” wizard workflow.

  4. Follow the wizard and fill in the fields of each workflow section with the appropriate information for the app right.

App Right Information

Under Advanced Right Information, deselect Allow Export and leave all other fields empty, as they pertain to PBAC approval routing set on app rights only, not approval rights.

| Field | Description | Action |
| --- | --- | --- |
| Name | Name of the app right | Enter the name of the app right (without spaces). For example, if you have an app right named “View Product Catalog,” you could name the corresponding approval right “ViewProductCatalogApproval.” |
| Display Name | User-friendly name of the app right | Enter a display name for the app right. |
| Description | Brief characterization of the app right | Enter a brief characterization of the app right. |
| Right Type | Application Right | N/A (The field is read-only, with Application Right selected by default.) |
| Location | EmpowerID location to be used for RBAC access to the app right. Default Organization is selected by default. | If you wish to select a location other than the default, clear the default location and search for and select the desired location. |
| PBAC Resource Type | An optional setting that specifies the resource type to which the app corresponds. | Select the corresponding PBAC Resource Type. Options available include only those previously created for the application. If the app does not have any PBAC Resource Types, this field returns no results. |

Owner Information

When onboarding an App Right, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.

| Field | Description | Action |
| --- | --- | --- |
| Responsible Party | Identifies the primary individual accountable for the App Right. | Type in the full name of the person who will take responsibility for managing the App Right. This field is mandatory. |
| Owners | Lists the people who have ownership rights over the App Right. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
| Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |

IAM Shop Settings

IAM Shop settings specify whether the right is requestable in the IAM Shop, set the Access Request policy, and select eligibility.

Do the following in this section:

  1. Under Select Access Request Policy, select Default Access Request Policy.

  2. Under Select Assignees, select who should be eligible for assignment to the approval right. This allows you to assign the approval right to those eligible for it.

  3. Deselect Requestable in IAM Shop as the approval right should not be requestable, and click Next.

  4. Review the summary information for accuracy. If necessary, click the Back button to revisit previous workflow steps.

  5. When ready, click Submit to create the approval right.

  6. Repeat the procedure to add additional approval rights as needed.

Step 3: Assign Approval Rights to App Rights

  1. From the application's App Rights menu, search for the app right that is the target of the approval right you created.

  2. Click the gear icon for the app right and select Manage Local Right from the context menu.

    This initiates the ManageAzLocalRightWizard workflow, opening it to the Select Action section.

  3. Under Select Options, choose Edit Settings for Right and click Next.

  4. Under Advanced Settings, do the following:

    1. Select Split By Value for Approval to send approval requests to different people based on the requested Field Type Values. If you do not want to create separate requests for Field Type Values, leave this unselected.

    2. In the PBAC Approval Right field, enter the name of the approval right created for the app and click the tile for that approval right to select it.

  5. Click Next.

  6. Click Submit to close the Operation Execution Summary.

    This directs you to the "Finish or Start Over Workflow" step, which allows you to handle various aspects of the current local right, manage other local rights, or complete the workflow.

  7. Select the appropriate option and click Submit. For this article, we are finishing the workflow.

Step 4: Assign the Approval Right

In this step, you assign the approval right to users who can approve or reject business requests for the application right.

  1. On the App menu, navigate to PBAC Assignments > App Rights Assignments.

  2. Click the dropdown arrow on the Assign App Right button and select Assign to Person.

  3. Search for and select the person from the Select Person to Assign Right(s) field.

    This opens the “Assign Rights” modal with the person selected to receive one or more app rights.

  4. Click the app right to be assigned from the All panel on the left of the Assign Rights modal. This allows you to view information about the Access Request Policy governing access to the right and enables the “Add” button.

  5. Optionally, to add a time constraint to the assignment, toggle the Set Duration button, click the End Date Time field, and select the appropriate end date and time from the calendar.

  6. Click Add.

    This moves the app right to the Added panel.

  7. Click Add to Cart.

  8. Click the shopping cart icon and fill in the required Add a Comment and Enter Business Request Name fields.

  9. When ready, click Submit.

    You should see a message indicating the status of the cart submission.

  10. Click the status link to view the request status in My Tasks and approve the assignment.

  11. Click Submit to complete the approval process.

    You should see that the request has been approved and completed.

  12. Return to the App Rights Assignments page in Resource Admin. You should see the assignment.

Expected Results

When someone with eligibility for the app right requests access to it from the IAM Shop, the request will be routed to the appropriate PBAC approver(s). To test this, do the following:

  1. Sign in to the IAM Shop as a user eligible for the application.

  2. Search for the application and click Request Access.

    This opens the application drawer.

  3. Select one of the rights configured for the application, then select a Field Type and one or more Field Type Values (if configured for the application). In this example, “Edit Product Catalog” is selected as the app right, with the “Lawn Care” and “Tools” Field Type Values from the “Hardware Products” Field Type.

  4. Click Add to Cart.

  5. Click the cart icon to open the cart. You should see the app right and any Field Type “Scope” Values (if selected).

  6. Fill in the required Comment fields and then click Evaluate Request to check for potential SOD violations.

  7. Once the request has been evaluated, enter a Business Request Name and click Submit.

    You should see that the request has been submitted for approval. If Field Type Values were selected and Split By Value Approval was selected for the requested app right, you will see an approval task for each requested Field Type Value.

  8. Click the status link.

    This directs you to the My Requests page of My Tasks and opens the Request Detail pane for the request.

  9. Click the Process Steps tab and then click the Show Approvers link. You should see the person designated as the PBAC approver.

Edit Approval Routing for Field Types

In the above example, PBAC Approval was configured to allow the approvers to approve all requests to view the product catalog. If needed, the assignment can be scoped to limit approval to specific field types defined for the product catalog. To implement scopes, do the following:

...

Click the Edit button for the approval right.

...

If you are assigning the approval right to a single person, do the following:

  1. Click Assign to Person.

  2. Enter the name of the person in the Select Person to Assign Right(s) field and click the tile for that person.

If assigning to another assignee type, such as a Management Role, click Assign Right to any Assignee Type and do the following:

...

Choose Type: Enter the assignee type and then click the tile for that type to select it.

...

Right to Grant: Enter the name of the approval right and click the tile for that right to select it.

...
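The routing described in this article (Split By Value for Approval combined with scoped approval right assignments) can be checked on paper before it is configured, so that no requested Field Type Value is left without an approver. The Python below is an added example that models that behaviour; it is not EmpowerID code and calls no EmpowerID API. The data structures, the people, the “Paint” value, and the two rules marked as assumptions in the comments are invented for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    """An approval right assigned to a person (model, not an EmpowerID object)."""
    person: str
    approval_right: str
    # Assumption: an empty scope means the assignment is unscoped and the
    # person may approve every Field Type Value.
    scope: frozenset = frozenset()  # {(field_type, field_type_value), ...}

    def covers(self, pair):
        return not self.scope or pair in self.scope

def route(approval_right, split_by_value, requested, assignments):
    """Return approval tasks as (requested_pairs, approvers) tuples."""
    holders = [a for a in assignments if a.approval_right == approval_right]
    if split_by_value and requested:
        groups = [(pair,) for pair in requested]   # one task per value
    else:
        groups = [tuple(requested)]                # one task for the request
    tasks = []
    for group in groups:
        # Assumption: an approver must cover every value in the task.
        approvers = sorted({a.person for a in holders
                            if all(a.covers(p) for p in group)})
        tasks.append((group, approvers))
    return tasks

def unrouted(tasks):
    """Tasks that no assigned approver can act on: a routing gap to fix."""
    return [group for group, approvers in tasks if not approvers]

# Constructed sample data; the people and the "Paint" value are invented.
RIGHT = "EditProductCatalogApproval"
HW = "Hardware Products"
ASSIGNMENTS = [
    Assignment("alice", RIGHT, frozenset({(HW, "Lawn Care")})),
    Assignment("bob", RIGHT, frozenset({(HW, "Tools")})),
]
REQUEST = [(HW, "Lawn Care"), (HW, "Tools"), (HW, "Paint")]

if __name__ == "__main__":
    for split in (True, False):
        tasks = route(RIGHT, split, REQUEST, ASSIGNMENTS)
        print("split" if split else "single", tasks, "gaps:", unrouted(tasks))
```

In this model, adding one unscoped assignment of the approval right closes every gap, which mirrors the unscoped configuration built in Steps 1 through 4.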
