Self-Service Access Overview

EmpowerID provides a central location called the "IT Shop" from which users can request access to the Application Roles and Business Roles your organization makes available. To request a role, users navigate to the IT Shop, where they can see their current roles and request access to more. Depending on their job function, users may also request roles for other users. To shop for or request membership access to a  role, they simply select the role type and search for the specific roles belonging to that type. Once they have found the role, they request access, which opens a drawer. From the drawer, users can optionally place time constraints on the request and add it to their carts or simply close the drawer to discontinue. Once a requested role is added to a user’s cart, it stays there until the user either checks out (submits the cart) or removes it. By keeping roles in the cart, users can navigate away from the IT Shop as needed without losing the contents of their carts. When ready to submit their access requests, users review the roles in their cart, add a reason for requesting those roles and then submit them to the Identity and Access Management platform (EmpowerID). If they decide they don’t want to request a role that is in their cart, they can simply remove that role.

Figure 1 below shows the main flow that occurs for users shopping for roles in the IT Shop, as well as the user interface in which the flow occurs.

Open

Figure 1: IT Shop Flow and User Interface

If users have the delegations needed to add themselves or another to the requested role(s) without requiring approval, EmpowerID grants them immediate membership; otherwise, EmpowerID routes request for approval. When approval is required, the process can involve multiple levels of approval depending on the type of resource requested, the user’s existing resources and the parameters applied to the workflows responsible for processing the requests. Approval may first be required from the user’s manager before those requests can be further processed. When such approval is required and the manager rejects a request, no updates occur. If, however, manager approval is not required, the process continues to the next level, which in the case of Business Roles is submission to the RBAC engine for final approval by role owners or other delegated users (when required). For groups the process requires the same final approval. However, before reaching that stage, the workflow determines whether it needs to check each requested role assignment for potential Separation of Duties (SoD) violations. If true, each request is evaluated by the Separation of Duties (SoD) engine to determine whether the resulting role assignment would trigger a violation of current SoD policies. If any potential violations is detected, the workflow routes each violating request to a corresponding risk owner, who must either approve or reject those requests. If there are no SoD violations—or a risk owner approves violations—the requests are then submitted to the RBAC engine for final operational approval in the same way as Business Role requests. In the same manner, if the workflow does not require SoD evaluation, requests are submitted for final operational approval. At any time, rejection by anyone in the approval pipeline stops the assignment. In all cases, EmpowerID maintains a complete record of the business process, including:

• Who made the request

• The requested role

• From where the request originated (IP)

• The date and time of the request

• Whether the request was approved or denied

• Who approved or denied the request

• The date and time of the approval or denial

Self-Service and Eligibility

EmpowerID offers a powerful policy engine to control which users may see and request which roles and resources in the IT Shop. These policies are known as “Eligibility.” Eligibility policies may apply to users by attribute query, role, group, or other criteria, making it easy to target who receives which policies and have the assignment automated and maintained throughout their lifecycle. To further ease the administrative burden, Eligibility policies can be applied to all requestable items of a type by location in addition to one by one. This allows policies to be broader, granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what the members may see and request in the IT Shop. Policies also apply to the role itself as a possible IT Shop item to control who may see and request it.

Eligibility policies can be defined as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these are only the ones that would make sense for them to request. An example for a multinational company would be a Field Sales employee in Austria that should not see the same requestable items as a Developer in Brazil. Their catalog of requestable roles and resources should be different to provide a pleasant user experience and ensure that unwarranted access requests are not generated, creating unnecessary approval tasks.

Inclusion rules include the following:

• Eligible — Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the access being requested.

• Pre-Approved — Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled. 

• Suggested — The IT Shop item will show a “Suggested” additional item they may request because of their existing roles or in the context of a role they are currently requesting. The item will still follow standard approval routing rules. 

Open

Figure 2: Eligibility Policy applied to a person

Eligibility Exclusion rules would be created as a protective measure to enforce regulatory restrictions and ensure that specific classes of users are not accidentally given the ability to request items that they should not. If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion.

Approvals and Approval Routing

Being built on a workflow paradigm, EmpowerID includes a powerful approval routing engine and friendly end-user interfaces for task tracking and decisions. As discussed above, Eligibility policies are considered when calculating if a request requires approval and if so, how many approval steps and to whom should the tasks be assigned at each step. Determination of the approval process is dynamic and considers the roles of the requestor, the sensitivity of the items being requested, and an organization’s risk and Segregation of Duties (SoD) policies. Based on these factors an item may require many levels of approval and an additional SoD approval by the risk owner or skip the approval process entirely.

Approvers are notified via configurable and localized email notifications with reminder emails configured based on flexible policies. All decisions at each step in the process are logged and traceable up to and including the final fulfillment of access.

Architecture of the IT Shop Microservice application

The EmpowerID IT Shop microservice is an EmpowerID application that is predefined with numerous protected application subcomponents—termed “subcomponents” from this point forward—out of the box. These subcomponents provide functional access to the microservice for users in that they make up the individual pages and controls users with which user interact. Each subcomponent is itself an application, which means access to these individual pages and controls can be added to and removed from users through Access Level assignments.

Subcomponents configured with the default IT Shop microservice include those listed in the below table.

Next Steps