Each resource object that EmpowerID protects has a View One page associated with it. For groups, this page is the “View One Person Group Page.” This page contains tabs and accordions that provide information about a specific group and give administrators and other delegated users the ability to manage that group in EmpowerID. The image below shows what a typical View One Group Page looks like to a user with admin access to the group.

...

The View One Group Page contains a number of tabs and accordions that provide information about the specific group being viewed and access to workflows for managing that group.

General Tab

The General tab allows users to view general information about a group and manage aspects of that group as needed. The tab contains a number of components, including informational cards about the group and various accordions that give authorized users access to workflows for managing the group.

...

Components of the General tab include the following:

Component

Purpose

General Card

Displays general information about the group, such as the group type and the account store to which the group belongs. (An account store is an object in EmpowerID that represents directories with user accounts.)

  • Name – Name of the group

  • Display Name – Display name of the group

  • Description – Description of the group

  • Group Type – Group type

  • Account Store – User directory of origin for the group

  • Email – Email address of the group if mail-enabled

Flags Card

Displays flags for the group, such as whether the group is published in the IT Shop. Users with appropriate access can change the state of this flag as needed.

  • Publish In IT Shop – Specifies whether eligible users can request access to the group in the IT Shop. Setting this flag to true does not indicate that all users can view and request access to the group. Users must be granted eligibility for the group before they can do so. For more information on eligibility, please see Eligibility and the IAM Shop.

  • Is High Security Group – Specifies whether the group is considered high security

  • Prevent External Membership Changes – Specifies whether group membership changes can originate in the external account store containing the group

EmpowerID Attributes Card

Displays EmpowerID attributes for the group. Examples of attributes include Application Role Owners and Application Role Approvers.

  • EmpowerID Name – Allows you to set the name of the group to be displayed to users in the IT Shop. The value set here can differ from the name of the group in the account store (displayed as the Name attribute on the General card discussed above). The value for the attribute is stored in the EmpowerID database only and has no effect on any attribute of the group in the account store (external system).

  • EmpowerID Friendly Name – Allows you to set the friendly name of the group to be displayed to users in the IT Shop. The value for the attribute is stored in the EmpowerID database only and has no effect on any attribute of the group in the account store (external system).

  • EmpowerID Description – Allows you to set the description of the group to be displayed to users in the IT Shop. The value for the attribute is stored in the EmpowerID database only and has no effect on any attribute of the group in the account store (external system).

  • Access Request Policy ID – Allows you to set the Access Request policy for the group. Access Request policies are used to control access to resources in EmpowerID and can be used to designate different Approval Flow policies for resources based on their Access Request policy. For more information, please see Approval Engine.

  • Application Role Owners – Allows you to specify one or more people as group owners. Each person added here is granted the ACT-Group-Object-Administration access level for the group. The access level can be used to configure approval routing whenever users request access to the group. When this is the case, group owners can approve or reject access requests.

  • Application Role Approvers – Allows you to specify one or more people who can approve or reject requests for access to the group. Each person added here is granted the Access Manager access level for the group.

  • Group Usage Type Friendly Name – Allows you to set the usage type of the group from a pre-defined list in EmpowerID. The value set here can be shown to users in the IT Shop as one of the group attributes and can be used to filter groups available to request.

  • Differentiation Locations – Allows you to set the differentiation location for the group. Differentiation locations are EmpowerID locations that provide containers for the placement of groups based on their location within an organization.

  • Process Locations – Allows you to set the process location for the group. Process locations are EmpowerID locations that provide logical containers for the placement of groups in a manner that matches their function in an organization.

  • Responsible Parties – Allows you to set one or more people responsible for the group. By default, each person assigned as a responsible party is granted the Access Manager access level for the group.

Group Members Accordion

Displays group members and provides access to edit them as needed.

Pre-Approved Just-in-Time Accordion

Displays eligibility types for the group and gives authorized users access to create new eligibility types. In the below image, all members of the Doc in Docs Business Role and Location are preapproved for just-in-time membership in the group. This means members of the Business Role and Location will be granted group membership as soon as they request it in the IT Shop.

Resultant Membership Accordion

Displays all members of the group, including direct and indirect memberships

Access Managers (Owners) Accordion

Displays group owners and provides access to add new owners as well as remove current owners

Actions Accordion

Displays several Workflow tiles that can be used to perform actions against the group, such as adding accounts to the group. The actions that appear on this page are contingent on the group type of the group. For example, the “Convert Group Membership to RBAC Assignments” action shown below appears only for Generic group types.

Additional Information Accordion

Provides access to additional information about the group, such as “Who Has Access to this Group”, etc.

Advanced Tab

The Advanced tab provides access to various subtabs and cards with more information about the group than is displayed on the General tab.

...

Components of the Advanced tab include the following:

Component

Purpose

General Card

Displays general information about the group, such as the group type and the account store to which the group belongs. (An account store is an object in EmpowerID that represents directories with user accounts.)

Flags Card

Displays flags for the group, such as whether the group is published in the IT Shop.

Advanced Options Card

Displays advanced information about the group, such as the Group GUID

Extension Attributes 1-10 Card

Displays extension attributes 1-10 stored in the database for the group, if any

Extension Attributes 11-20 Card

Displays extension attributes 11-20 stored in the database for the group, if any

Membership Tab

Contains several accordions with categorized group membership information

Access Tab

Displays current access by category for the group

Risks Tab

Displays risk-related information for the group, such as any local functions granted to the group

RBAC Tab

Displays categorized RBAC information about the group, such as group membership

Policies Tab

Displays policy-related information for the group, such as any inherited resource entitlements granted to the group

Eligibility Tab

Displays eligibility-related information for the group, such as “Who is Eligible for this Group”

Other Tab

Displays miscellaneous information about the group, such as the search tags linked to it

Other Attributes Tab

The Other Attributes tab provides access to extension and custom attribute information specific to the group and common Actions, as well as access to common Workflow tiles such as “Add Accounts to Group.” Please note that the Actions available are contingent on the group type of the group. For example, the “Convert Group Membership to RBAC Assignments” action shown below appears only for Generic group types.

...

Optimize Tab

The Optimize tab provides quick access to visual dashboards of information related to group memberships, including least privilege and risk stats, and allows users with the appropriate access to manage aspects of the group as needed.

...

Components of the Optimize tab include the following:

Component

Purpose

Membership Dashboard

Displays a quick view of the number of members in a group, including JIT versus permanent members

Functional Access Card

Displays any local functions the group has, and the risk level associated with those functions

Group Members Accordion

Displays current group members and gives authorized users the ability to manage membership

Pre-Approved Just-in-Time Members Accordion

Displays assignees who are pre-approved for group membership. Pre-approved assignees are automatically granted membership when requesting it from the IT Shop. In the below image, the pre-approved assignee is a Business Role and Location. This means that all members of the Business Role and Location are pre-approved.

Assignments Granting Membership in Group Accordion

Displays group members and information about the origin of the group membership

Membership Changes Accordion

Displays changes in group membership

Resultant Members Accordion

Displays all members of the group, including direct and indirect members

Direct Mapped Local Functions Accordion

Displays all local functions mapped directly to the group and gives authorized users the ability to manage the functions mapped to a group

Function Access Report Accordion

Displays information about any functions the group has access to, including direct and indirect function access

Violations Accordion

Displays violations of organizational risk policies for the group, if any

Rules Accordion

Displays Risk rules associated with the group, if any

Recertification Items Accordion

Displays recertification items for the group, if any

Actions Accordion

Displays a list of workflow tiles that can be used to perform common actions against the group, such as adding accounts to the group

...