You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Configure Eligibility for Business Roles and Location Combinations

Owned by Phillip Hanegan
Aug 28, 2022
6 min read

Eligibility rules allow you to restrict who can and cannot see and shop for IT resources that you have enabled for the IAM Shop. Users added as eligible assignees for specific resources can shop for those objects in the IAM Shop.

Add eligibility

  1. On the navbar, expand Role Management and click Business Roles and Locations.

  2. Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to configure eligibility.

     

  3. Click the Business Role and Location link for the combination.

  4. On the Role and Location Details page that appears, select the Advanced tab and then click the Eligibility subtab.


    You should see four eligibility rules:

    • Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are eligible to request from the IAM Shop, as well as the eligibility type for each of those resources.

    • Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the Business Role and Location are excluded from requesting. Resources added here will not be visible to any members of the Business Role and Location, even if they are eligible to request those resources by virtue of another assignment.

    • Who is Eligible to Request (As Resource) – Allows you to specify who is eligible to request membership access to the Business Role and Location combination, as well as the eligibility type for each of those potential members.

    • Who is Excluded from Requesting (As Resource) – Allows you to specify who is not eligible to shop for membership access to the Business Role and Location.

  5. Expand the accordion corresponding to the type of eligibility rule you want to assign to the Business Role and Location and follow the steps outlined for that eligibility rule.

Add this rule when you want to give members of the Business Role and Location the ability to shop for access to the resources you add here.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Assignment Type – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific Management Role, you select Management Role as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the Business Role and Location are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Management Role as the resource type, you can only search for Management Roles.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit

     

Add this rule when you want to explicitly restrict members of the Business Role and Location from having access to certain resources. Keep in mind that users restricted from resources will not be able to request those resources even if they have another assignment that that grants them eligibility.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Mode – Select Direct or Location.

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific group, you select Group as the resource type.

    • Enter a <Resource Type> Name to Search – Search for and select the specific resource to which members of the Business Role and Location are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Group as the resource type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit

     

Add this rule when you want to give users the ability to shop for membership in the Business Role and Location from the IAM Shop.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are granting eligibility. For example, if you want to grant all members of a specific group eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee eligible for access to the Business Role and Location. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, close the Assignment Information pane and click Submit.

     

Add this rule when you want to explicitly restrict specific users from being able to view or request access to the Business Role and Location from the IAM Shop. Keep in mind that users restricted from the Business Role and Location will not be eligible for it even if they have another eligibility assignment for the Role and Location.

  1. Click the Add button in the grid header.

     

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are restricting eligibility. For example, if you want to restrict all members of a specific group from eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee restricted from being eligible for access to the Business Role and Location. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

     

  4. Repeat steps 2 and 3 to add other eligibility restrictions as needed.

  5. When ready, close the Assignment Information pane and click Submit.

     

Remove Eligibility

  1. On the navbar of the EmpowerID Web interface, expand Role Management and click Business Roles and Locations.

  2. Select the Allowed Combinations tab and then search for the Business Role and Location combination for which you want to remove an eligibility rule.

     

  3. Click the Business Role and Location link for the combination.

  4. On the Role and Location Details page that appears, select the Eligibility tab and then expand the accordion that corresponds to the eligibility assignment you want to remove.

  5. Click the trash can icon beside the assignment you wish to remove.

     

  6. Click Submit.

    Â