- Created by Phillip Hanegan on Feb 29, 2024
EmpowerID simplifies the onboarding of PBAC (Policy-Based Access Control) and other non-Azure applications through its "Onboard Application" workflow. This wizard-driven process offers configurable parameters and approval settings so that the onboarding steps, the defaults shown to requesters, and the resulting access rights fit your organization's requirements and security policies.
Procedure
Step 1: Configure workflow parameters
The "Onboard Application" workflow exposes a set of customizable parameters that let administrators control which fields are displayed during onboarding and which default values they carry. Some parameters depend on each other (for example, hiding the location selector requires a default location), so review the table as a whole before changing any value.
Parameter | Description
---|---
CreateTrackingOnlyAccountStore_IsVisible | Boolean value that determines whether the "Create a Tracking-Only Account Store" selector is visible in the first step of the workflow.
DefaultAccessRequestPolicyID | Optional setting that specifies the default Access Request policy bound to the "Access Request Policy" dropdown in the IAM Shop Settings step of the workflow. If set, the value must be the GUID of the policy.
DefaultAccountStoreID | Optional setting that specifies the default account store bound to the "Select Account Store" dropdown in the first step of the workflow. Even when a default is bound, users can still select another account store from the dropdown. The value must be the numeric AccountStoreID, not a GUID.
DefaultOrgZoneID | Optional setting that specifies the default EmpowerID location bound to the "Select a Location" tree dropdown. If the SelectaLocation_IsVisible parameter is set to false, this parameter must be set to the integer OrgZoneID of the default location.
DefaultProtectedApplicationResourceUsageTypeID | Optional setting that specifies the default Protected Application Resource Usage Type ID bound to the "App Authorization Model" dropdown. Possible values include:
DeputyResourceTypeRoleName | Specifies the Access Level assigned to deputy owners of the application. The default is the "ACT-Application-Object-Administration" Access Level, which grants rights to create, edit, and delete applications.
IAM_EligibleAssignees_IsVisible | Boolean value that determines whether the "Eligible to Request" option is visible in the IAM Shop Settings step of the workflow.
IAM_PreApprovedAssignees_IsVisible | Boolean value that determines whether the "Pre-Approved for Access" option is visible in the IAM Shop Settings step of the workflow.
IAM_SuggestedAssignees_IsVisible | Boolean value that determines whether the "Suggested" option is visible in the IAM Shop Settings step of the workflow.
ManagementRoleIDsToNotify | Comma-separated list of Management Role IDs whose members are notified by email when the PBAC application is created.
OwnerResourceTypeRoleName | Specifies the Access Level assigned to owners of the application. The default is the "Resource Role Assigner" Access Level.
SelectAccountStore_IsVisible | Boolean value that determines whether the "Select Account Store" selector is visible in the first step of the workflow.
SelectaLocation_IsVisible | Boolean value that determines whether the "Select a Location" selector is visible in the first step of the workflow. If false, the DefaultOrgZoneID parameter above must be set.
To configure workflow parameters, do the following:
On the navbar, expand Low Code/No Code Workflow and select Low Code Workflows.
Select the Workflow tab and search for Onboard Application.
Click the Display Name for the workflow.
On the View One page for the workflow, expand the Request Workflow Parameters accordion and search for the parameter you need to configure. In this example, we set the DefaultAccountStoreID parameter so that the "Select Account Store" field is pre-populated with the chosen account store.
Click the edit button for the parameter, enter the appropriate Value (for DefaultAccountStoreID, the numeric AccountStoreID), and click Save.
Configure any other settings as needed.
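The parameter values are saved one at a time, and the workflow only fails later, when a user runs the wizard with a hidden selector and no default behind it. The following pre-flight check is an added example, not part of EmpowerID or of this page; it applies the value formats and the SelectaLocation_IsVisible / DefaultOrgZoneID dependency documented in the table to a set of intended values before you enter them. The parameter names come from the table; the accepted boolean spellings ("true"/"false") and all sample values are assumptions constructed for the example.

```python
"""Pre-flight validation of Onboard Application workflow parameter values.

Added example, not EmpowerID code. It checks the value formats and the one
cross-parameter rule documented for the workflow (a hidden location selector
needs DefaultOrgZoneID) before the values are typed into the Request Workflow
Parameters accordion. Parameter names are from the documentation table; the
boolean spellings and the sample values below are assumptions.
"""
import re
import uuid

BOOLEAN_PARAMS = {
    "CreateTrackingOnlyAccountStore_IsVisible",
    "IAM_EligibleAssignees_IsVisible",
    "IAM_PreApprovedAssignees_IsVisible",
    "IAM_SuggestedAssignees_IsVisible",
    "SelectAccountStore_IsVisible",
    "SelectaLocation_IsVisible",
}
INTEGER_PARAMS = {"DefaultAccountStoreID", "DefaultOrgZoneID"}
GUID_PARAMS = {"DefaultAccessRequestPolicyID"}
INT_LIST_PARAMS = {"ManagementRoleIDsToNotify"}
# Values documented only as a name or an opaque type ID: checked for presence only.
OPAQUE_PARAMS = {
    "DefaultProtectedApplicationResourceUsageTypeID",
    "DeputyResourceTypeRoleName",
    "OwnerResourceTypeRoleName",
}
KNOWN_PARAMS = BOOLEAN_PARAMS | INTEGER_PARAMS | GUID_PARAMS | INT_LIST_PARAMS | OPAQUE_PARAMS


def _is_bool(value: str) -> bool:
    # Assumption: the workflow stores booleans as the strings "true"/"false".
    return value.strip().lower() in ("true", "false")


def _is_int(value: str) -> bool:
    return re.fullmatch(r"\d+", value.strip()) is not None


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value.strip())
        return True
    except ValueError:
        return False


def validate(params: dict) -> list:
    """Return a list of problems; an empty list means the set is safe to save."""
    errors = []
    for name, raw in params.items():
        if name not in KNOWN_PARAMS:
            errors.append(f"{name}: not a documented Onboard Application parameter")
            continue
        value = "" if raw is None else str(raw)
        if not value.strip():
            continue  # every parameter in the table is optional when left empty
        if name in BOOLEAN_PARAMS and not _is_bool(value):
            errors.append(f"{name}: expected true or false, got {value!r}")
        elif name in INTEGER_PARAMS and not _is_int(value):
            errors.append(f"{name}: expected a numeric ID, got {value!r}")
        elif name in GUID_PARAMS and not _is_guid(value):
            errors.append(f"{name}: expected a GUID, got {value!r}")
        elif name in INT_LIST_PARAMS and not all(_is_int(p) for p in value.split(",")):
            errors.append(f"{name}: expected comma-separated numeric IDs, got {value!r}")

    # Cross-parameter rule from the table: hiding the location selector
    # without a default location leaves the wizard with no location to use.
    loc_visible = str(params.get("SelectaLocation_IsVisible", "true")).strip().lower()
    if loc_visible == "false" and not str(params.get("DefaultOrgZoneID", "") or "").strip():
        errors.append("DefaultOrgZoneID: must be set when SelectaLocation_IsVisible is false")
    return errors


# Constructed sample parameter sets (IDs and GUID are made up for the example).
GOOD_PARAMS = {
    "DefaultAccountStoreID": "12",
    "SelectaLocation_IsVisible": "false",
    "DefaultOrgZoneID": "1",
    "DefaultAccessRequestPolicyID": "2f1b4c6e-8d3a-4f0e-9b7c-1a2b3c4d5e6f",
    "ManagementRoleIDsToNotify": "101, 205",
}
BAD_PARAMS = {
    "SelectaLocation_IsVisible": "false",               # hidden, but no DefaultOrgZoneID
    "DefaultAccessRequestPolicyID": "not-a-guid",
    "ManagementRoleIDsToNotify": "101;205",              # wrong separator
    "DefaultAccountStoreID": "{2f1b4c6e-8d3a-4f0e-9b7c-1a2b3c4d5e6f}",  # GUID, not numeric ID
}

if __name__ == "__main__":
    for label, params in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        print(label, validate(params) or "ok")
```

Run it against the values you intend to enter; fix every reported line before saving, since the wizard gives no warning when a hidden selector has no default behind it.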
Step 2: Execute the workflow
Run the “Onboard Application” workflow to initiate the onboarding process for a PBAC application.
Access the Resource Admin portal.
Under “Applications,” select the Workflows tab and click Onboard a Non-Azure Application.
This opens the Onboard Application wizard workflow.
Please note that, depending on the workflow parameter settings, the fields displayed may differ from those described below.
Follow the wizard and fill in the fields of each section with the appropriate information for your application.
Field | Description |
---|---|
Name | Enter the name of the application. |
Display Name | Enter a display name for the application. |
Description | Enter a brief characterization of the application. |
Select a Location | Select an EmpowerID location for the application. |
Select Account Store | Select the account store with the resources the application applies to. |
PBAC App | Select this option to specify that the app is a PBAC app. |
App Authorization Model | Select the appropriate app authorization model. |
Allow Role Definition Assignment | Choose whether to allow application Role Definitions to be assigned to users. |
Allow Local Right Assignment | Choose whether to allow application rights to be assigned to users. |
Allow App Management Role Assignment | Choose whether to allow application Management Roles to be assigned to users. |
When onboarding an application, you must specify who is responsible for its management and oversight: the responsible party, the owners, and the deputies. Owners and deputies receive the Access Levels set by the OwnerResourceTypeRoleName and DeputyResourceTypeRoleName workflow parameters described above, so choose them with those rights in mind.
Field | Description | Action |
---|---|---|
Responsible Party | Identifies the primary individual accountable for the application. | Type in the full name of the person who will take responsibility for managing the application. This field is mandatory. |
Owners | Lists the people who have ownership rights over the application. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |
When making an application requestable in the IAM Shop, configure the settings that dictate how requests are handled, who may request the application, and who receives it without a request.
Field | Description | Action |
---|---|---|
Set Requestable Option | Determine if the application should be requestable by users in the IAM Shop. | Enable the "Set Requestable Setting" to make the application available for requests. When enabled, the settings below are relevant. |
Select Access Request Policy | Defines the procedure for processing application requests. | From the "Select Access Request Policy" dropdown, choose the policy that best fits how you wish to handle incoming requests for the application. |
Eligible to Request | Specifies users allowed to request access to the application. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles eligible to make requests. |
Pre-approved for Access | Specifies users who are pre-approved for access to the application, bypassing the approval defined by the selected Access Request Policy. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles pre-approved for the application. Because no approval is recorded for these assignees, keep this list to principals whose access has already been reviewed. |
Suggested Assignees | Identifies users who will see the application as a suggested resource. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles suggested for application access. |
Review the summary information for the application and then click Submit.
Click Submit to close the Operation Execution Summary and exit the wizard.
Confirm the Results
After completing the workflow, the application appears in Resource Admin (and in the IAM Shop, if you configured it as requestable). Do the following to verify that the application has been onboarded and that all configuration and rights settings were applied as intended.
Locate the application in Resource Admin and click the Details button for the application record.
On the Overview page, verify eligibility settings match those initially set for the application.
Expand the PBAC Assignments menu item and verify that the ability to manage App Right and Role Definition assignments matches what you specified for the application. For example, if you enabled Allow Role Definition Assignment, you should see a "Role Definition Assignments" menu with an "Assign Role Definition" button.
Expand the PBAC Definitions menu item and verify that the ability to manage App Rights, Role Definitions, and App Management Roles matches what you specified for the application.