A critical aspect of providing a simple end-user experience for access requests, and of ensuring that only compliant access can be requested, is controlling which items different types of users see and may request. If all end users are presented with the same catalog of requestable items, the user experience quickly becomes overwhelming and confusing, as users must filter through large amounts of data to find the access that is actually relevant for them to request. Exposing unnecessary data also creates a severe security vulnerability, as external users or potentially malicious actors may browse the entire catalog of the organization’s most sensitive roles and resources. Also crucial for regulatory compliance is the ability to blacklist, or explicitly deny, certain groups of users from ever seeing or requesting specific roles and resources, in order to enforce country-specific restrictions such as the International Traffic in Arms Regulations (ITAR).
Eligibility Policies
EmpowerID offers a powerful policy engine to control which users may see and request which roles and resources in the IT Shop. These policies are known as “Eligibility.” Eligibility policies may apply to users by attribute query, role, group, or other criteria, making it easy to target who receives which policies and to have the assignments automated and maintained throughout the user's lifecycle. To further ease the administrative burden, Eligibility policies can be applied to all requestable items of a type within a location, in addition to being applied one item at a time. This allows policies to be broader, granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what those members may see and request in the IT Shop. Policies also apply to the role itself as a possible IT Shop item, to control who may see and request it.
Eligibility Rules
Eligibility policies can be defined as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these are only the ones that would make sense for them to request. An example would be rules that filter the resources available to Field Sales employees and to developers: the catalog of requestable roles and resources available to each of those groups of employees should be different, so that unwarranted access requests are not generated and unnecessary approval tasks are not created. Additionally, inclusion and exclusion rules help organizations provide employees with a more pleasant shopping experience, as they are shielded from viewing resources they cannot request.
Inclusion rules include the following:
Eligible – Users can request a resource in the IAM Shop, which creates what is known as a Business Request. All business requests are routed for approval unless the requesting person is a designated approver and no additional approvals are needed.
Pre-Approved – Users are pre-approved for the resource and presented with an Activate button in the IAM Shop. To gain immediate access, users click the Activate button. Business Requests are not created as no approvals are needed.
Suggested – Users will see resources where this rule has been applied as suggested items they may want to request. Submitted requests for suggested items follow standard approval routing rules.
Eligibility types applied to a specific resource type
Inclusion and exclusion rules can be assigned to any EmpowerID actor type. If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion.
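The following is an added example, not EmpowerID code, that models how the rules described above combine: policies target actors by attribute query, role or group; a policy's scope is either a single item or every item of a type under a Location subtree; an exclusion that matches (directly, or indirectly through a group or role) always wins over any inclusion. The item, actor, group and location names are constructed for the example, and the ordering used when several inclusion rules match the same item (Pre-Approved over Eligible over Suggested) is an assumption made here, not something the page states.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Rule(Enum):
    """Inclusion rule types from the page; EXCLUDED models an exclusion rule.
    The numeric order is an assumption used to pick the strongest inclusion."""
    SUGGESTED = 1
    ELIGIBLE = 2
    PRE_APPROVED = 3
    EXCLUDED = 4


@dataclass(frozen=True)
class Item:
    name: str
    item_type: str      # e.g. "Group" or "BusinessRole"
    location: str       # path in a Location tree, e.g. "/Global/EMEA/DE"


@dataclass
class Actor:
    name: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    attrs: dict = field(default_factory=dict)


@dataclass
class Policy:
    rule: Rule
    target: Callable[[Actor], bool]      # who receives the policy (attribute query, role, group)
    item: Optional[str] = None           # scope: one item by name ...
    item_type: Optional[str] = None      # ... or every item of this type ...
    location: Optional[str] = None       # ... under this Location subtree

    def covers(self, it: Item) -> bool:
        if self.item is not None:
            return it.name == self.item
        if it.item_type != self.item_type:
            return False
        if self.location is None:
            return True
        prefix = self.location.rstrip("/") + "/"
        return it.location == self.location or it.location.startswith(prefix)


def evaluate(actor: Actor, items: list, policies: list) -> dict:
    """Return {item name: Rule} for the items the actor may see in the shop."""
    visible = {}
    for it in items:
        matched = [p.rule for p in policies if p.target(actor) and p.covers(it)]
        if not matched or Rule.EXCLUDED in matched:
            continue   # no inclusion at all, or an exclusion that overrides every inclusion
        visible[it.name] = max(matched, key=lambda r: r.value)
    return visible


# Small target builders standing in for attribute queries, role and group membership.
def in_role(role): return lambda a: role in a.roles
def in_group(group): return lambda a: group in a.groups
def attr_is(key, value): return lambda a: a.attrs.get(key) == value


# Constructed sample catalog, policies and actors (not real EmpowerID objects).
ITEMS = [
    Item("Field-Sales-CRM", "Group", "/Global/EMEA"),
    Item("Developer-Git", "Group", "/Global/EMEA/DE"),
    Item("SAP-Finance", "Group", "/Global/US"),
    Item("ITAR-Engineering-Data", "Group", "/Global/US"),
]

POLICIES = [
    Policy(Rule.ELIGIBLE, in_role("Field Sales"), item="Field-Sales-CRM"),
    Policy(Rule.PRE_APPROVED, attr_is("department", "Sales"), item="Field-Sales-CRM"),
    Policy(Rule.ELIGIBLE, in_role("Developer"), item="Developer-Git"),
    # location-scoped inclusion: developers see every Group under /Global/EMEA as suggested
    Policy(Rule.SUGGESTED, in_role("Developer"), item_type="Group", location="/Global/EMEA"),
    Policy(Rule.ELIGIBLE, attr_is("department", "Engineering"), item="ITAR-Engineering-Data"),
    # location-scoped exclusion: external contractors never see any Group under /Global/US
    Policy(Rule.EXCLUDED, in_group("Contractors-External"), item_type="Group", location="/Global/US"),
]

ACTORS = {
    "alice": Actor("alice", roles=frozenset({"Field Sales"}), attrs={"department": "Sales"}),
    "bob": Actor("bob", groups=frozenset({"Contractors-External"}),
                 roles=frozenset({"Developer"}), attrs={"department": "Engineering"}),
    "carol": Actor("carol", attrs={"department": "Engineering"}),
}


def catalog_for(actor_name: str) -> dict:
    return evaluate(ACTORS[actor_name], ITEMS, POLICIES)


if __name__ == "__main__":
    for who in ACTORS:
        print(who, {k: v.name for k, v in catalog_for(who).items()})
```

Note what bob's result shows: his department makes him eligible for the ITAR item, but his membership in the external-contractor group triggers the location-scoped exclusion, so the item is not merely unrequestable but invisible to him, which is the behaviour the exclusion-takes-priority rule is meant to guarantee.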
Next Steps
Configure Eligibility for Business Roles and Location Combinations
Configure Eligibility for Groups