Onboarding Groups

Owned by Phillip Hanegan
Feb 29, 2024
5 min read

The "Onboard Group" workflow provided by EmpowerID offers a structured and intuitive approach for integrating groups into your organization's system. This workflow is tailored to assist users in performing a range of group-related tasks efficiently during the onboarding process. Key functionalities of this workflow include:

  1. Adding Permanent Members: This feature allows for the seamless addition of permanent group members, ensuring that the right individuals gain access to necessary organizational resources.

  2. Applying RBAC Membership Policies: Users can add members to a group based on Role-Based Access Control (RBAC) assignments, such as specific Management Roles, Business Roles, and Locations, or group affiliations. Automatic removal of users from the group is triggered if they lose their RBAC assignments.

  3. Assigning Responsibility Parties and Owners: Users can designate responsible parties and owners for the group.

  4. Configuring IAM Shop Settings: The group can be published to the IAM Shop, where eligibility and Access Request policies are configured.

Procedure

To onboard a group, follow these steps:

  1. Access the Portal: Log in to the Resource Admin app in your environment.

  2. Navigate to Group Workflows: In Resource Admin, select Groups from the Resource Type menu and then select the Workflows tab.

  3. Launch the Onboard Group Workflow: Click Onboard Group to start the workflow.

     

    This opens the Onboard Group wizard workflow. Follow the wizard and fill in the fields in each section of the workflow with the appropriate information for your group. Please note that the sections and fields available may vary depending on the configuration of the workflow parameters.

     

  4. Select a Tenant or Directory: Choose the tenant or directory location for the new group. For on-premise directories like Active Directory, additionally select the appropriate Organizational Unit (OU).

  5. Submit and Proceed: Click Submit to move to the Group Information section.

     

  6. Fill in General Group Information: Provide details in the following fields:

    • Group Purpose Text: Enter a name for the group.

    • Group Purpose Additional Text: Enter a display name for the group.

    • Group Usage Type: Indicate the intended usage category for the group.

    • Group Description: Optionally, give a brief description of the group.

       

  7. Configure Membership Options:

    • Decide if you want to add permanent members to the group.

    • Choose whether to apply RBAC membership policies to the group.

       

  8. Click Next to proceed to Additional Group Details and enter additional information about the group, including:

    • Group Type: Select the appropriate type for the group.

    • Is Mail Enabled: If applicable, enable this feature and specify email settings, such as requiring authenticated senders and setting the email domain. Please note mail settings only appear when onboarding groups in directories that support email usage.

    • Notes: Add any relevant notes about the group.

       

  9. Click Next to proceed to Owner Information and enter the following information:

    • Responsible Party: Search for and select the user responsible for managing and maintaining the group.

    • Owners: Search for and select one or more users to be group owners.

    • Deputies: Search for and select one or more users to be group deputies.

       

  10. Click Next to proceed to IAM Shop Settings and do the following:

    1. Decide if the group should be requestable in the IAM Shop.

    2. If so, select an Access Request Policy and define Eligible, Preapproved, and Suggested Assignees. Users must have one of the below eligibility assignments to view the group in the IAM Shop.

      • Eligible Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees eligible for the group.

      • Preapproved Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees pre-approved for the group.

      • Suggested Assignees – Choose the type (Person, Group, SetGroup, Management Role, Business Role and Location), and then search for and select the specific assignees suggested for the group.

    3. Optionally, enter any Additional IAM Shop Settings information.

       

  11. Click Next to proceed.

  12. If you opted to add group members earlier, search for and select one or more accounts to add as group members and then click Next to proceed.

     

  13. If you opted to add RBAC Membership policies earlier, do the following and then click Next to proceed:

    1. Select the type of RBAC Membership policy type. Types include Person, Group, Set Group, Management Role, Management Role Definition, and Business Role and Location.

    2. Search for and select the specific assignee for the type. For example, if you selected Management Role as the type, search for and select the specific Management Role.

    3. Repeat a and b to add additional assignee types as needed.

    4. Click Preview RBAC Membership Resultant People if you want to preview the number of people who would be added to the group based on the policy.

       

  14. If you opted to Preview RBAC Membership Resultant People, review the resultant count and then click Next to review the resultant list of people.

     

  15. If you opted to Preview RBAC Membership Resultant People, review the RBAC Membership Resultant List of People and click Next to proceed.

     

  16. Review the summary information and then click Submit to onboard the group.

     

  17. Review the Operation Execution Summary and click Submit.

  18. Click Submit to exit the wizard.

Results

Upon successful completion, the group will be onboarded, and you can view it both in the connected system and EmpowerID. For auditing purposes, the process can be tracked in the System Logs under Audit Log.

Â