You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Configure Eligibility Rules

Owned by Phillip Hanegan
Last updated: Sept 28, 2021
9 min read

Eligibility rules allow you to restrict who can and cannot see and shop for IT resources that you have enabled for the IT Shop. Users added as eligible assignees for specific resources can shop for those objects in the IT Shop.

Eligibility rules have several important settings that determine their impact on your users' IT shopping experience. These include the following:

  • Inclusion and Exclusion – These settings determine who is included for eligibility and who is excluded. Inclusion and exclusion can be assigned to any EmpowerID actor type. If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion.

  • Eligibility Type – There are three types of eligibility in EmpowerID:

    • Eligible

      • Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the access being requested.

    • Pre-Approved

      • Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled. 

    • Suggested

      • The IT Shop item will show a “Suggested” additional item they may request because of their existing roles or in the context of a role they are currently requesting. The item will still follow standard approval routing rules. 

 

This article demonstrates how to assign and remove eligibility rules to the following EmpowerID actor types:

  • Business Role and Location Combinations

  • Groups

  • Management Roles

Add eligibility for Business Roles and Locations

  1. On the navbar of the EmpowerID Web interface, expand Role Management and click Business Roles and Locations.

  2. Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to configure eligibility.

     

  3. Click the Business Role and Location link for the combination.

  4. On the Role and Location Details page that appears, select the Eligibility tab.
    You should see four eligibility rules:

    • Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are eligible to request from the IT Shop, as well as the eligibility type for each of those resources.

    • Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are excluded from requesting. Resources added here will not be visible to any members of the Business Role and Location, even if they are eligible to request those resources by virtue of another assignment.

    • Who is Eligible to Request (As Resource) – Allows you to specify who is eligible to request membership access to the Business Role and Location combination, as well as the eligibility type for each of those potential members.

    • Who is Excluded from Requesting (As Resource) – Allows you to specify who is not eligible to shop for membership access to the Business Role and Location.

  5. Expand the accordion corresponding to the type of eligibility rule you want to assign to the Business Role and Location and follow the steps outlined for that eligibility rule.

Add this rule when you want to give members of the Business Role and Location the ability to shop for access to the resources you add here.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Assignment Type – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific Management Role, you select Management Role as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the Business Role and Location are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Management Role as the resource type, you can only search for Management Roles.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit



Add this rule when you want to explicitly restrict members of the Business Role and Location from having access to certain resources. Keep in mind that users restricted from resources will not be able to request those resources even if they have another assignment that that grants them eligibility.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Mode – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific group, you select Group as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the Business Role and Location are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Group as the resource type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit



Add this rule when you want to give users the ability to shop for membership in the Business Role and Location from the IT Shop.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are granting eligibility. For example, if you want to grant all members of a specific group eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee eligible for access to the Business Role and Location. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit



Add this rule when you want to explicitly restrict specific users from being able to view or request access to the Business Role and Location from the IT Shop. Keep in mind that users restricted from the Business Role and Location will not be eligible for it even if they have another eligibility assignment for the Role and Location.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are restricting eligibility. For example, if you want to restrict all members of a specific group from eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee restricted from being eligible for access to the Business Role and Location. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility restrictions as needed.

  5. When ready, close the Assignment Information pane and click Submit



Add eligibility for groups

  1. On the navbar of the EmpowerID Web interface, expand Identity Administration and click Groups.

  2. From the All Groups tab, search for the group for which you want to configure eligibility.

  3. Click the Logon Name link for the group.

  4. On the Group Details page that appears, select the Advanced tab and then click the Eligibility sub-tab near the bottom of the page. You should see four eligibility rules.


    Eligibility rules:

    • Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the group are eligible to request from the IT Shop.

    • Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the group are excluded from requesting. Resources added here will not be visible to any members of the group, even if they are eligible to request those resources by virtue of another assignment.

    • Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the group, as well as the eligibility type for each of those actors.

    • Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the group.

  5. Expand the accordion corresponding to the type of eligibility you want to assign or restrict.

  6. Click the Add button in the accordion grid and fill in and save the Assignment Information.

  7. Click Submit.

 

Add eligibility for Management Roles

  1. On the navbar, expand Role Management and click Management Roles.

  2. From the All Roles tab, search for the Management Role for which you want to configure eligibility.

  3. Click the Management Role link for the role.

  4. On the Management Role Details page that appears, select the Advanced tab and then the Eligibility sub-tab near the bottom of the page. You should see four eligibility rules.


    Eligibility Rules:

    • Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the Management Role are eligible to request from the IT Shop, as well as the eligibility type for each of those resources.

    • Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the Management Role are excluded from requesting. Resources added here will not be visible to any members of the Management Role, even if they are eligible to request those resources by virtue of another assignment.

    • Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the Management Role, as well as the eligibility type for each of those actors.

    • Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the Management Role.

  5. Expand the accordion corresponding to the type of eligibility you want to assign.

  6. Select the Eligibility Type.

  7. Select the assignee type from the Which Type of Assignee for this Policy? drop-down. Assignee types can be any EmpowerID actor type.

  8. Search for the specific assignee and then click the tile for that assignee.

  9. Click Save.

  10. Click Submit.

 

Remove eligibility

You can remove existing eligibility rules from any resource to which they have been added. This example demonstrates how to remove them from a Business Role and Location and Combination.

  1. On the navbar of the EmpowerID Web interface, expand Role Management and click Business Roles and Locations.

  2. Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to remove an eligibility rule.

     

  3. Click the Business Role and Location link for the combination.

  4. On the Role and Location Details page that appears, select the Eligibility tab and then expand the accordion that corresponds to the eligibility assignment you want to remove.

  5. Click the trash can icon beside the assignment you wish to remove.

     

  6. Click Submit.

     

 

 

See Also

Make resources available in the IT Shop

 

IN THIS ARTICLE