You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Configure Eligibility Rules
Eligibility rules allow you to restrict who can and cannot see and shop for IT resources that you have enabled for the IT Shop. Users added as eligible assignees for specific resources can shop for those objects in the IT Shop.
Eligibility rules have several important settings that determine their impact on your users' IT shopping experience. These include the following:
Inclusion and Exclusion – These settings determine who is included for eligibility and who is excluded. Inclusion and exclusion can be assigned to any EmpowerID actor type. If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion.
Eligibility Type – There are three types of eligibility in EmpowerID:
Eligible
Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the access being requested.
Pre-Approved
Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled.
Suggested
The IT Shop item will show a “Suggested” additional item they may request because of their existing roles or in the context of a role they are currently requesting. The item will still follow standard approval routing rules.
This article demonstrates how to assign and remove eligibility rules to the following EmpowerID actor types:
Business Role and Location Combinations
Groups
Management Roles
Add eligibility for Business Roles and Locations
On the navbar of the EmpowerID Web interface, expand Role Management and click Business Roles and Locations.
Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to configure eligibility.
Click the Business Role and Location link for the combination.
On the Role and Location Details page that appears, select the Eligibility tab.
You should see four eligibility rules:Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are eligible to request from the IT Shop, as well as the eligibility type for each of those resources.
Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are excluded from requesting. Resources added here will not be visible to any members of the Business Role and Location, even if they are eligible to request those resources by virtue of another assignment.
Who is Eligible to Request (As Resource) – Allows you to specify who is eligible to request membership access to the Business Role and Location combination, as well as the eligibility type for each of those potential members.
Who is Excluded from Requesting (As Resource) – Allows you to specify who is not eligible to shop for membership access to the Business Role and Location.
Expand the accordion corresponding to the type of eligibility rule you want to assign to the Business Role and Location and follow the steps outlined for that eligibility rule.
Add eligibility for groups
On the navbar of the EmpowerID Web interface, expand Identity Administration and click Groups.
From the All Groups tab, search for the group for which you want to configure eligibility.
Click the Logon Name link for the group.
On the Group Details page that appears, select the Advanced tab and then click the Eligibility sub-tab near the bottom of the page. You should see four eligibility rules.
Eligibility rules:Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the group are eligible to request from the IT Shop.
Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the group are excluded from requesting. Resources added here will not be visible to any members of the group, even if they are eligible to request those resources by virtue of another assignment.
Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the group, as well as the eligibility type for each of those actors.
Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the group.
Expand the accordion corresponding to the type of eligibility you want to assign or restrict.
Click the Add button in the accordion grid and fill in and save the Assignment Information.
Click Submit.
Add eligibility for Management Roles
On the navbar, expand Role Management and click Management Roles.
From the All Roles tab, search for the Management Role for which you want to configure eligibility.
Click the Management Role link for the role.
On the Management Role Details page that appears, select the Advanced tab and then the Eligibility sub-tab near the bottom of the page. You should see four eligibility rules.
Eligibility Rules:Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the Management Role are eligible to request from the IT Shop, as well as the eligibility type for each of those resources.
Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the Management Role are excluded from requesting. Resources added here will not be visible to any members of the Management Role, even if they are eligible to request those resources by virtue of another assignment.
Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the Management Role, as well as the eligibility type for each of those actors.
Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the Management Role.
Expand the accordion corresponding to the type of eligibility you want to assign.
Select the Eligibility Type.
Select the assignee type from the Which Type of Assignee for this Policy? drop-down. Assignee types can be any EmpowerID actor type.
Search for the specific assignee and then click the tile for that assignee.
Click Save.
Click Submit.
Remove eligibility
You can remove existing eligibility rules from any resource to which they have been added. This example demonstrates how to remove them from a Business Role and Location and Combination.
On the navbar of the EmpowerID Web interface, expand Role Management and click Business Roles and Locations.
Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to remove an eligibility rule.
Click the Business Role and Location link for the combination.
On the Role and Location Details page that appears, select the Eligibility tab and then expand the accordion that corresponds to the eligibility assignment you want to remove.
Click the trash can icon beside the assignment you wish to remove.
Click Submit.
See Also
Make resources available in the IT Shop
IN THIS ARTICLE