Versions Compared

Old Version 8

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Dhiraj Kumar (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. On the navbar of the EmpowerID Web interface, expand Identity Administration and click Groups.

  2. From the All Groups tab, search for the group for which you want to add eligibility.

  3. Click the Logon Name link for the group.

  4. On the Group Details page that appears, select the Advanced tab and then click the Eligibility sub-tab near the bottom of the page. You should see four eligibility rules.

    Image RemovedImage Added


    Eligibility rules:

    • Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the group are eligible to request from the IT Shop.

    • Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the group are excluded from requesting. Resources added here will not be visible to any members of the group, even if they are eligible to request those resources by virtue of another assignment.

    • Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the group, as well as the eligibility type for each of those actors.

    • Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the group.

  5. Expand the accordion corresponding to the type of eligibility you want to assign or restrict and follow the steps outlined for that eligibility rule.

...


{"html":"<doctype html></doctype>\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\n<script src=\"https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js\" integrity=\"sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM\" crossorigin=\"anonymous\"></script>\n<div class =\"bd-example\">\n<div class=\"accordion\" id=\"accordionExample\">\n <div class=\"accordion-item\">\n <h2 class=\"accordion-header\" id=\"headingOne\">\n <button class=\"accordion-button\" type=\"button\" data-bs-toggle=\"collapse\" data-bs-target=\"#collapseOne\" aria-expanded=\"true\" aria-controls=\"collapseOne\">\n Resources Members Eligible to Request (As Actor)\n </button>\n </h2>\n <div id=\"collapseOne\" class=\"accordion-collapse collapse show\" aria-labelledby=\"headingOne\" data-bs-parent=\"#accordionExample\">\n <div class=\"accordion-body\">\n <p>Use this option when hosting the microservice outside of Azure.</p>\n <ul>\n <li><b>Name</b> - Enter a name for your account store</li>\n <p><img src=\"Image-20210201-160614.png\"></p>\n <li><b>Base DN</b> - Enter the root OU of the LDAP system, such as, \n <code><mark>dc=example,dc=com</mark></code></li>\n <li><b>SCIM Base URL</b> - Enter the URL for the SCIM app service. The base URL should include the \n version and look similar to the following: <br /><code><mark>http://192.168.87.106:8080/empoweridisam/scim/v2/</mark></code></li>\n <li><b>Use EmpowerID Authentication</b> - Select this option when using EmpowerID for authentication</li>\n <li><b>OAuth Application GUID</b> - Enter the GUID of the OAuth application you created for IBM Security Verify Access in EmpowerID.</li>\n <li><b>URL For Access Token</b> - Enter the URL to your EmpowerID environment, such as <code><mark>https://sso.empoweriam.com</mark></code>, where <code><mark>sso.empoweriam.com</mark></code>\n is the FQDN of your EmpowerID front-end server.</li>\n <li><b>Is Remote (Requires Cloud Gateway)</b> - This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, \n please see <a href=\"https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2276065995/Install+the+Cloud+Gateway+Client\">Installing the EmpowerID Cloud Gateway Client</a>.</li>\n <li><b>Check For Deleted Objects</b> - Select this option to sync deleted objects. If this is not set to true,\n the connector will not disable deleted objects.</li>\n <li><b>Check For Deleted Objects Interval Minutes</b> - Specify the interval in minutes that EmpowerID should check for deleted objects.</li>\n </ul>\n </div>\n </div>\n </div>\n <div class=\"accordion-item\">\n <h2 class=\"accordion-header\" id=\"headingTwo\">\n <button class=\"accordion-button collapsed\" type=\"button\" data-bs-toggle=\"collapse\" data-bs-target=\"#collapseTwo\" aria-expanded=\"false\" aria-controls=\"collapseTwo\">\n Using Azure AD for Authentication\n </button>\n </h2>\n <div id=\"collapseTwo\" class=\"accordion-collapse collapse\" aria-labelledby=\"headingTwo\" data-bs-parent=\"#accordionExample\">\n <div class=\"accordion-body\">\n <p>Use this option when hosting the microservice in Azure.</p>\n <ul>\n <li><b>Name</b> - Enter a name for your account store</li>\n <li><b>Base DN</b> - Enter the root OU of the LDAP system, such as, <code><mark>dc=example,dc=com</mark></code></li>\n <li><b>SCIM Base URL</b> - Enter the URL for the SCIM app service. The base URL should include the \n version and look similar to the following: <br /><code><mark>http://192.168.87.106:8080/empoweridisam/scim/v2/</mark></code></li>\n <li><b>Application ID</b> - Enter the Client ID of the service principal application you registered in Azure for EmpowerID.</li>\n <li><b>Tenant ID</b> - Enter the Tenant ID for your Azure tenant hosting the app service.</li>\n <li><b>Is Remote (Requires Cloud Gateway)</b> - This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, \n please see <a href=\"https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/2276065995/Install+the+Cloud+Gateway+Client\">Installing the EmpowerID Cloud Gateway Client</a>.</li>\n <li><b>Azure App Certificate Thumbprint</b> - Enter the thumbprint of the certificate you uploaded to Azure for the service principal application</li>\n <li><b>Check For Deleted Objects</b> - Select this option to sync deleted objects. If this is not set to true,\n the connector will not disable deleted objects.</li>\n <li><b>Check For Deleted Objects Interval Minutes</b> - Specify the interval in minutes that EmpowerID should check for deleted objects.</li>\n </ul>\n </div>\n </div>\n </div>\n </div>\n <br />\n <ol start=\"5\">\n <li>When ready, click <b>Submit</b>.</li>\n </ol>\n</div>","javascript":"","css":""}
Expand
titleResources Members Eligible to Request (As Actor)

Add this rule when you want to give members of the group the ability to shop for access to the resources you add here.

  1. Click the Add button in the grid header.

  2. Fill in the fields of the Assignment Information pane:

    • Assignment Type – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved,or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific Management Role, you select Management Role as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the group are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Management Role as the resource type, you can only search for Management Roles.

  3. After entering your information, click Save.

    Image RemovedImage Added

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit

    Image RemovedImage Added


Expand
titleResources Members May Not Request (As Actor)

Add this rule when you want to explicitly restrict members of the group from having access to certain resources. Keep in mind that users restricted from resources will not be able to request those resources even if they have another assignment that that grants them eligibility.

  1. Click the Add button in the grid header.

    Image RemovedImage Added

  2. Fill in the fields of the Assignment Information pane:

    • Mode – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved,or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific group, you select Group as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the group are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Group as the resource type, you can only search for groups.

  3. After entering your information, click Save.

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit


...

Expand
titleWho is Excluded from Requesting (As Resource)

Add this rule when you want to explicitly restrict specific users from being able to view or request access to the group from the IT Shop. Keep in mind that users restricted from the group will not be eligible for it even if they have another eligibility assignment for the Role and Location.

  1. Click the Add button in the grid header.

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved,or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are restricting eligibility. For example, if you want to restrict all members of a specific group from eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee restricted from being eligible for access to the group. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

  4. Repeat steps 2 and 3 to add other eligibility restrictions as needed.

  5. When ready, close the Assignment Information pane and click Submit


...

Info

Related Docs Topics:

Configure Eligibility

Easy html macro
theme{"label":"solarized_dark","value":"solarized_dark"}
contentByMode{"html":"<!doctype html>\n<head>\n<link href=\"https://cdn.jsdelivr.net/npm/bootstrap@5.1.0/dist/css/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-KyZXEAg3QhqLMpG8r+8fhAXLRk2vvoC2f3B09zVXn8CA5QIVfZOJ3BCsw2P0p/We\" crossorigin=\"anonymous\">\n</head>\n<nav aria-label=\"...\">\n <ul class=\"pagination justify-content-center\">\n <li class=\"page-item\">\n <a class=\"page-link\" href=\"https://dotnetworkflow.jira.com/wiki/spaces/acessselfservice/pages/2457537690/Eligibility\" target=\"_top\"> &laquo; &nbsp;&nbsp;Previous</a>\n </li>\n <li class=\"page-item active\" aria-current=\"page\">\n <span class=\"page-link\">Current</span>\n </li>\n <li class=\"page-item\">\n <a class=\"page-link\" href=\"https://dotnetworkflow.jira.com/wiki/spaces/acessselfservice/pages/2457537754/Approval+Engine\" target=\"_top\"> Next&nbsp;&nbsp; &raquo;</a>\n </li>\n </ul>\n</nav>","javascript":"","css":""}