Navigating the IAM Shop
When users log in to the IAM Shop, they can see the pages and controls to which their roles grant them access. (See IAM Shop Management Roles for access granted.) In the below image, the logged-in user has full access to the IAM Shop and can see all pages and controls. Users can see and request access to those entitlements for which they are eligible or which the person they are shopping for is eligible. Entitlement display names and descriptions can be localized.
From the IAM Shop users can shop for roles or other published resources and submit Business Requests for those objects.
The IAM Shop application includes the following controls. Depending on their access to the IAM Shop, not all users will see all controls.
Control | Description |
---|---|
Navigation Sidebar | Allows users to seamlessly navigate from the IAM Shop to other EmpowerID applications |
Filter Pane | Provides filters to allow users to selectively filter the resources they see. |
Filters | |
Resource Type | Filter available resource by resource type. Available resource types include:
|
Shopping For | Shop for self or another person |
Show Only Pre-Approved | Filter to show only roles for which the user is pre-approved to receive via Eligibility policies. This filter appears only when shopping for Business Roles, Application Roles, and Management Roles. |
Show Suggested Roles | Filter to show roles suggested for the user via Eligibility policies. This filter appears only when shopping for Business Roles and Management Roles. |
Applications | Filter to show only roles that can requested for a specific application. This filter appears only when shopping for Business Roles, Application Roles, and Management Roles. |
Business Domains | Filter available roles by Business Domain. This filter appears only when shopping for Business Roles and Management Roles. |
Business Functions | Filter available Business Roles by Business Functions. This filter appears only when shopping for Business Roles, Application Role, and Management Roles. |
Rights | Filter available roles by external system rights granted to those roles. This filter appears only when shopping for Business Roles, Application Roles, and Management Roles. |
Suggest Application Roles | Filter to show roles suggested for the user via Eligibility policies. This filter appears only when shopping for Application Roles. |
Target System | Filters available Application Roles based on the selected Account Store Type and / or Account Store.
|
Application Processes | Filters available Application Roles based on the selected process. This filter appears only when shopping for Application Roles. |
TCode Search | Filters available Application Roles by TCode. This filter appears only when shopping for Application Roles |
Shop By Reference Person | Filter available resources to show only those given to the referenced person. This is useful for quickly requesting access to the same resources of the referenced person when that person has the same job function as the person shopping for resources. The user shopping must have the same eligibility and visibility of the referenced person to see that person’s resources. |
Advanced Search | Provides advanced search capabilities to further filter the resources that appear to the shopper. |
Resource Panel | Provides a grid or card view of the roles for which the user can request. Each record can be clicked to open a pane that contains an Overview of the request and a Process Steps view from which users can see how far along in the approval process the request is. Users can view and add comments here as well. |
Shopping Cart | The shopping cart contains the business items the user has requested but not yet submitted. Users shopping for both themselves and others will see two shopping carts. One containing items for themselves and the other containing items requested for others. |
Manage Access Page | The Manage Access page provides users with views of their current access, filtered by the selected resource type (Management Roles in the below image). Users can access this page selecting Manage Access. Once on the page, they can submit requests to revoke their access to a given resource item by clicking the Revoke button. |
Shopping for resources
Users access the IAM Shop to request available resources. This requesting action is known as creating or submitting a “Business Request.” Once a Business Request is submitted, EmpowerID routes it for approval based on the Approval Flow policies configured for that request. The following demonstrates a typical IAM Shop user experience.
The user accesses the IAM Shop and filters the available resources to those for which that user is shopping.
The user request access to a particular resource, which opens an Overview panel for that item. This panel provides more information about the resource, including who can approve the request.
Users then click Add to Cart to add the requested role to their cart.
Once a resource item is added to the cart, users can click the cart icon when ready to submit their request.
Doing so opens the cart. From the cart, users can add a comment to the request, view who can approve their request, and enter a Business Request name for their request. Business Requests allow requesting parties to group together multiple cart items into one coherent request. For example, if a user submitted a request to grant roles to another user when onboarding that user, the Business Request name could be “Onboarding New Employee Max Anderson.” By default, the approver is the role receiver’s line manager. If the role receiver does not have a line manager, the cart displays that information.
Users with authorization to manually delegate approval tasks to another can do so by entering the name of an approver in the Select Approver field. This field is secured by the Reassign Cart Approver Control protected application subcomponent and is only available to users with access to the control.When ready to submit the request, the user does the following:
Optionally enter a Business Request Type
Enters a Business Request Name.
Optionally selects a due date.
Optionally adds a comment.
Clicks Submit.
Once successfully submitted, a window appears stating that the cart was successfully submitted with a link to track the status of the request.
Clicking the link directs the user’s browser to the My Request page of the My Tasks application with the Overview card for the request open. The card allows the user to view details about the request and the number of approvals needed for the request to be granted.
Using the Manage Access Page
The Manage Access page provides users with a view of their current access, filtered by resource type. When users navigate to the page, the default view they see is a grid view with records of their current resources for the selected resource type. Each record includes a Details button that users can click to open an Overview pane containing more information about the role, including who owns the role and the access granted to the user by the role. The below image shows the default view of the Manage Access page for a user with one Azure Role.
What can users do on this page?
Users can search for a specific resource and type by using the search bar and filter located at the top of the page.
Users can view all roles to which they have access by selecting the filter for that role type.
Users can view the details about a particular role they have by clicking the Details button for the role.
Users with the authority to revoke access to a role can do so by clicking the Revoke button for the role.
Users can view all roles to which another person has access by selecting that person as the Shopping For recipient. Users must have access to view the person and the person’s roles to do so.
Users can view any roles they have that are limited to specific dates and times by toggling the Show Time Constrained button.
Users can view pending requests by clicking the View Pending Access button. Clicking the button directs the user’s browser to the My Requests View of the My Tasks application.