Configure Eligibility for Computers

Eligibility rules allow you to restrict who can and cannot see and shop for IT resources that you have enabled for the IAM Shop. Users added as eligible assignees for specific resources can shop for those objects in the IAM Shop.

Add eligibility

  1. On the navbar, expand Privileged Access and select Computers.

  2. Select the Computers tab and then search for the computer you want to configure eligibility for. 

  3. Click the Display Name link for the computer.

    This action opens the View One page for the computer. View One pages are designed to facilitate the viewing and management of the corresponding objects in EmpowerID.

  4. Click the Eligibility subtab.
    You should see the following two eligibility accordions:

    • Who is Eligible to Request (As Resource) – Allows you to specify who is eligible to request access to the computer, as well as their eligibility type.

    • Who is Excluded from Requesting (As Resource) – Allows you to explicitly specify who is not eligible to shop for the computer.

  5. Expand the Who is Eligible to Request (As Resource) accordion and do the following to give users the ability to shop for access to the computer:

    1. Click the Add button in the grid header.

    2. Fill in the fields of the Assignment Information pane:

      • Eligibility Type – Select Eligible, PreApproved, or Suggested.

      • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are granting eligibility. For example, if you want to grant eligibility to all members of a specific group, you select Group as the assignee type.

      • Select <Assignee> Name to Search – Search for and select the specific assignee eligible for access to the Management Role. The assignee must match the assignee type, or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

    3. After entering your information, click Save.

    4. Repeat the above steps for any other eligibility assignments desired.

    5. Click Submit when ready.

Add IAM Shop Assignees for Requesting Access

IAM Shop Assignees is an optional feature that you can implement to give eligible users the ability to request specific permissions, known as “IAM Shop Permission Levels,” to computers in the IAM Shop. For computers, out-of-the-box options include Local Admin and Domain Admin; however, you can create your own as needed. When users are added as IAM Shop Assignees for the computer, they can select the permission level(s) when requesting access.

If you want to offer users options beyond the out-of-the-box IAM Shop Permission Levels, create your own and link them to the computer resource type. For more information, see Creating IAM Shop Permission Levels.

  1. From the View One page for the computer, click the RBAC subtab and expand IAM Shop Assignees for Requesting Access.

  2. Click the Add New button.

  3. Under General, select the IAM Shop Permission Level you want to assign.

  4. Under Assignee Granting the Permission Level, do the following:

    1. Select the assignee type from the Which Type of Assignee For This Policy dropdown.

    2. Select the appropriate assignee from the Select <Assignee> To Receive Policy dropdown.

  5. Click Save.

  6. Repeat to add other assignees as needed.

  7. Click Submit to complete the process.