IAM Shop User Experience

Shopping for resources

When users log in to the IAM Shop, they can view the pages and controls that their roles permit access to. (See Granting Access to the IAM Shop for a list of these roles and the access they grant.) For example, the image below shows pages and controls viewable to a user with full access to Resource Admin.

IAM Shop User Interface for Users with Full Access

 

Users visit the IAM Shop to request resources for which they are eligible or to activate resource assignments they have been preapproved for. This action of requesting access to resources is referred to as creating or submitting a "Business Request." After a Business Request is submitted, EmpowerID routes it for approval according to the Approval Flow policies set up for the specifically requested resource.

Typical IAM Shop User Experience

  1. The user accesses the IAM Shop and filters the available resources to those for which that user is shopping.

  2. The user clicks the Request Access button for a specific resource, which opens a panel with more information about the resource and options for requesting access.

     

  3. Users then click Add to Cart to add the requested resource to their cart.

  4. When ready to review the items in their carts, users click the cart icon to open the shopping cart.

     

  5. When ready to submit their requests for approval, users do the following:

    • Enter a Business Request Name.

    • Optionally select a due date.

    • Optionally add a comment.

    • Click Submit.

Once successfully submitted, a window appears stating that the cart was successfully submitted with a link to track the request's status.

Clicking the link directs the user’s browser to the My Request page of the My Tasks application with the Overview card for the request open. Overview cards allow users to view details about their requests and the number of approvals needed for access to be granted.

 

Activating Pre-Approved Resources

For resources where users have been pre-approved for access, the IAM Shop displays an Activate button. Clicking this button allows users to immediately activate their assignments, bypassing the full business request process, which typically involves manual approval by one or more designated approver(s).

Users select a resource they wish to activate (e.g., group, Business Role, mailbox, shared folder, application, etc.).

If the resource is pre-approved for the user, the Activate button will appear in place of the Request Access button, as shown in the image below. In the image, the user is eligible for two groups: one is pre-approved, indicated by the Activate button, while the other requires a request for access, which will go through an approval process before access is granted.

Upon clicking Activate, the system assigns the resource to the user without further approval.

Note for Administrators:
To enable the Activate functionality for pre-approved resources, administrators must configure the appropriate access request policies and eligibility settings. This includes:

  • Defining eligibility criteria for pre-approval based on user attributes or roles.

  • Configuring access request policies to allow activation without manual approval.

  • Testing the configuration to ensure the Activate button appears for eligible users.

For detailed instructions on setting up pre-approval processes, see Configuring Pre-Approval Processes in the IAM Shop.

Shopping for Resources and Risk Violations

The IAM Shop incorporates preventive risk management controls to identify potential risk violations when users request access to resources. This feature allows users to view any risk policy violations their access request may cause before submission, promoting transparency and informed decision-making. In such cases, users must acknowledge the violations before proceeding with their access request.

The IAM Shop incorporates preventive risk management controls to identify potential risk violations when users request access to resources. This feature allows users to view any risk policy violations their access request may cause before submission, promoting transparency and informed decision-making. In such cases, users must acknowledge the violations before proceeding with their access request.

When violations like those mentioned above are identified and submitted for approval, the requests undergo an additional layer of approval by risk owners. The risk owners can either accept the risk and implement mitigating controls or reject the risk and deny the access assignment.

Using the Manage Access Page

The Manage Access page lets users view their current access, filtered by resource type.

What can users do on this page?

  • Users can search for a specific resource assignment.

  • Users can view the details about a particular resource assignment by clicking the Details button.

  • Users with the authority to revoke their access to a resource can do so by clicking the Revoke button.

     

  • Users with the appropriate access can view the resources another person has access to by selecting that person in the Manage For field. Users must have access to view the person and the person’s resources to do so.

     

  • Users can view any resources they have access to that are limited to specific dates and times by toggling the Show Time Constrained button.

  • Users can view pending requests by clicking the View Pending Access button. Clicking the button directs the user’s browser to the My Requests View of the My Tasks application.

  • Users can activate login sessions for computers by clicking the Unlock button.

Using the Workflows Page

The Workflows page provides authorized users with workflows that can be initiated against a particular resource type. Users select the desired resource type and navigate to the Workflows page to view the workflows available for that resource type. The image below shows the workflows available for the Credential resource type.