Updating Group IAM Shop Settings

Owned by Phillip Hanegan
Feb 29, 2024
6 min read

You can update the IAM Shop settings for each group you own. Editable IAM Shop settings include the following:

  • Requestable in IAM Shop – Specifies whether users can request access to the group from the IAM Shop

  • Access Request Policy – Specifies the Access Request policy used to control access to the group and the approvals required before access is granted to the requesting person.

  • Eligible Assignees – Specifies who is eligible to request membership in the group.

  • Pre-Approved Assignees – Specifies who is pre-approved for membership in the group.

  • Suggested Assignees – Specifies who sees membership in the group as a suggested item in the IAM Shop.

Procedure

  1. Log in to Resource Admin.

  2. Select Groups from the Resource Type menu and search for the group you want to update.

  3. Click the gear icon on the group record and select Manage Group Wizard.

     

  4. Under Select Options, select Edit IAM Shop settings.

     

  5. Click Next.
    You should see the Edit IAM Shop Settings form for the group.

     

  6. Update the IAM Shop settings information as needed.

This true or false setting determines whether eligible users can request access to the group in the IAM Shop. In the below image, the setting is true. To remove the group, deselect the setting.

This setting specifies the policy for enforcing how the system fulfills access requests for the group and whether those requests need to route for approval before being fulfilled. To change the policy, clear the current policy and then search for and select the new one.

 

This setting allows you to specify who is eligible to request group membership. Eligible assignees can include the following:

  • Person – You can assign eligibility to individual people within your organization.

  • Group – You can assign eligibility to other groups. When selected, members of those groups can request access.

  • Set Group – You can assign eligibility to Set Groups. When selected, members of those Set Groups can request access.

  • Management Role – You can assign eligibility to Management Roles. When selected, members of those Management Roles can request access.

  • Management Role Definition – You can assign eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

  • Business Role and Location – You can assign eligibility to Business Roles and Locations. When selected, members of those Business Roles and Locations can request access.

 

To add eligible assignees, do the following:

  1. Under Eligible Assignees, select the assignee type from the Choose Type dropdown.

     

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a Management Role, search for and select the specific role.

  3. Click Add.

     

  4. Repeat the above steps to add other eligible assignees as needed.

 

To remove eligible assignees, do the following:

  1. Under Eligible Assignees, locate the record for the eligible assignee you want to remove.

  2. Toggle Keep to Remove.

     

  3. Repeat the above steps to remove other eligible assignees as needed.

     

This setting allows you to specify who is pre-approved for group membership. Users who are pre-approved simply need to activate their membership. No further approvals are needed. Pre-approved assignees can include the following:

  • Person – You can assign pre-approval status to individual people within your organization.

  • Group – You can assign pre-approval status to other groups. When selected, all members of those groups are pre-approved.

  • Set Group – You can assign pre-approval status to Set Groups. When selected, all members of those Set Groups are pre-approved.

  • Management Role – You can assign pre-approval status to Management Roles. When selected, all members of those Management Roles are pre-approved.

  • Management Role Definition – You can assign pre-approval status to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition are pre-approved.

  • Business Role and Location – You can assign pre-approval status to Business Roles and Locations. When selected, all members of those Business Roles and Locations are pre-approved.

 

To add pre-approved assignees, do the following:

  1. Under Pre-Approved Assignees, select the assignee type from the Choose Type dropdown.

     

  2. Search for and select the appropriate assignee. For example, if assigning pre-approval status to a Business Role and Location, search for and select the specific role and location.

     

  3. Click Add.

  4. Repeat the above steps to add other pre-approved assignees as needed.

 

To remove pre-approved assignees, do the following:

  1. Under Pre-Approved Assignees, locate the record for the assignee you want to remove.

  2. Toggle Keep to Remove.

     

  3. Repeat the above steps to remove other pre-approved assignees as needed.

     

This setting allows you to specify who sees the group as suggested in the IAM shop. Suggested assignees who request access to the group route through the regular approval process set by the Access Request policy for the group. Suggested assignees can include the following:

  • Person – You can assign suggested eligibility to individual people within your organization.

  • Group – You can assign suggested eligibility to other groups. When selected, all members of those groups can request access.

  • Set Group – You can assign suggested eligibility to Set Groups. When selected, all members of those Set Groups can request access.

  • Management Role – You can assign suggested eligibility to Management Roles. When selected, all members of those Management Roles can request access.

  • Management Role Definition – You can assign suggested eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.

  • Business Role and Location – You can assign suggested eligibility to Business Roles and Locations. All members of those Business Roles and Locations can request access when selected.

 

To add suggested assignees, do the following:

  1. Select the assignee type from the Choose Type dropdown.

     

  2. Search for and select the appropriate assignee. For example, if assigning eligibility to a Set Group, search for the specific Set Group.

  3. Click Add.

     

  4. Repeat the above steps to add other suggested assignees as needed.

 

To remove suggested assignees, do the following:

  1. Under Suggested Assignees, locate the record for the assignee you want to remove.

  2. Toggle Keep to Remove.

     

  3. Repeat the above steps to remove other suggested assignees as needed.

 

7. After making the needed updates to the IAM Shop Settings, click Next.

8. After the wizard completes the request, you should receive an Operation Execution Summary message stating the request was executed successfully.

9. Click Submit to close the summary message.

9. Click Yes or No when asked if you would like to manage another group. In this case, we are selecting No to exit the wizard.

Selecting No directs you to the Workflows page, where you can initiate group-related workflows that you have to run.