Set up PBAC Approval Routing

This article provides information on setting up PBAC approval routing for a “PBAC” application within EmpowerID. PBAC approval routing offers a flexible and dynamic framework for managing approver permissions based on specific criteria and conditions.

Prerequisites

Before you begin, ensure you have the following:

  • At least the Application RBAC Owner Management Role.

  • Defined rights, Field Types, and Field Type Values relevant to your application.

Procedure

Step 1: Create an Access Request Policy for PBAC Approval

  1. Use the EmpowerID navbar and navigate to Low Code/No Code Workflow > Access Request Policies.

  2. Click the Add button on the Access Request Policy page.

  3. In the General section of the form that appears, enter the following information:

    • Name: Enter an appropriate name for the policy, such as “PBAC Approval” or “PBAC Approval Access Request Policy.”

    • Display Name: Enter an appropriate display name.

    • Description: Enter an appropriate description.

    • Approval Policy: Select PBAC Approval.

    • Allow Activation (Skip Business Request): Enable this option.

    • Selectable in UI: Enable this option.

  4. Leave all other form fields with their default settings and click Save.

Step 2: Create Approval Rights

Create approval rights for each application right you want to configure for PBAC approval. For example, if you have a “View Product Catalog” right, you could create an approval right named “View Product Catalog Approval.”

  1. Sign in to the Resource Admin portal as a user with at least the Application RBAC Owner Management Role.

  2. Search for the PBAC application where you want to create approval rights and click the Details button for the app record.

    This action directs you to the Overview page for the application.

     

  3. Expand the PBAC Definitions menu item, select App Rights, and click Create App Right.

     

    This action initiates the “Onboard Az Local Right” wizard workflow.

     

  4. Follow the wizard and fill in the fields of each workflow section with the appropriate information for the app right.

Under Advanced Right Information, deselect Allow Export and leave all other fields empty, as they pertain to PBAC approval routing set on app rights only, not approval rights.

| Field | Description | Action |
| --- | --- | --- |
| Name | Name of the app right | Enter the name of the app right (without spaces). For example, if you have an app right named “View Product Catalog,” you could name the corresponding approval right “ViewProductCatalogApproval.” |
| Display Name | User-friendly name of the app right | Enter a display name for the app right. |
| Description | Brief characterization of the app right | Enter a brief characterization of the app right. |
| Right Type | Application Right | N/A (the field is read-only, with Application Right selected by default) |
| Location | EmpowerID location to be used for RBAC access to the app right. Default Organization is selected by default. | If you wish to select a location other than the default, clear the default location and search for and select the desired location. |
| PBAC Resource Type | An optional setting that specifies the resource type to which the app corresponds. | Select the corresponding PBAC Resource Type. Options available include only those previously created for the application. If the app does not have any PBAC Resource Types, this field returns no results. |

 

When onboarding an App Right, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.

| Field | Description | Action |
| --- | --- | --- |
| Responsible Party | Identifies the primary individual accountable for the App Right. | Type in the full name of the person who will take responsibility for managing the App Right. This field is mandatory. |
| Owners | Lists the people who have ownership rights over the App Right. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
| Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |

IAM Shop settings specify whether the right is requestable in the IAM Shop, set the Access Request policy, and select eligibility.

 

Do the following in this section:

  1. Under Select Access Request Policy, select Default Access Request Policy.

  2. Under Select Assignees, select who should be eligible for assignment to the approval right. This allows you to assign the approval right to those eligible for it.

  3. Deselect Requestable in IAM Shop as the approval right should not be requestable, and click Next.

  4. Review the summary information for accuracy. If necessary, click the Back button to revisit previous workflow steps.

  5. When ready, click Submit to create the approval right.

  6. Repeat the procedure to add additional approval rights as needed.

Step 3: Assign Approval Rights to App Rights

  1. From the application's App Rights menu, search for the app right that is the target of the approval right you created.

  2. Click the gear icon for the app right and select Manage Local Right from the context menu.


    This initiates the ManageAzLocalRightWizard workflow, opening it to the Select Action section.

  3. Under Select Options, choose Edit Settings for Right and click Next.

  4. Under Advanced Settings, do the following:

    1. Select Split By Value for Approval to send approval requests to different people based on the requested Field Type Values. If you do not want to create separate requests for Field Type Values, leave this unselected.

    2. In the PBAC Approval Right field, enter the name of the approval right created for the app and click the tile for that approval right to select it.

  5. Click Next.

  6. Click Submit to close the Operation Execution Summary.

    This directs you to the "Finish or Start Over Workflow" step, which allows you to handle various aspects of the current local right, manage other local rights, or complete the workflow.

  7. Select the appropriate option and click Submit. For this article, we are finishing the workflow.

Step 4: Assign the Approval Right

In this step, you assign the approval right to users who can approve or reject business requests for the application right.

  1. On the App menu, navigate to PBAC Assignments > App Rights Assignments.

  2. Click the dropdown arrow on the Assign App Right button and select Assign to Person.

  3. Search for and select the person from the Select Person to Assign Right(s) field.

    This opens the “Assign Rights” modal with the person selected to receive one or more app rights.

  4. Click the app right to be assigned from the All panel on the left of the Assign Rights modal. This allows you to view information about the Access Request Policy governing access to the right and enables the “Add” button.

  5. Optionally, to add a time constraint to the assignment, toggle the Set Duration button, click the End Date Time field, and select the appropriate end date and time from the calendar.

  6. Click Add.

     

    This moves the app right to the Added panel.

  7. Click Add to Cart.

  8. Click the shopping cart icon and fill in the required Add a Comment and Enter Business Request Name fields.

  9. When ready, click Submit.

    You should see a message indicating the status of the cart submission.

     

  10. Click the status link to view the request status in My Tasks and approve the assignment.

     

  11. Click Submit to complete the approval process.

     

    You should see that the request has been approved and completed.

  12. Return to the App Rights Assignments page in Resource Admin. You should see the assignment.

     

Expected Results

When someone with eligibility for the app right requests access to it from the IAM Shop, the request will be routed to the appropriate PBAC approver(s). To test this, do the following:

  1. Sign in to the IAM Shop as a user eligible for the application.

  2. Search for the application and click Request Access.

     

    This opens the application drawer.

  3. Select one of the rights configured for the application, then select a Field Type and one or more Field Type Values (if configured for the application). In this example, we have selected “Edit Product Catalog” as the app right and “Lawn Care” and “Tools” Field Type Values from the “Hardware Products” Field Type.

  4. Click Add to Cart.

  5. Click the cart icon to open the cart. You should see the app right and any Field Type “Scope” Values (if selected).

  6. Fill in the required Comment fields and then click Evaluate Request to check for potential SOD violations.

  7. Once the request has been evaluated, enter a Business Request Name and click Submit.


    You should see that the request has been submitted for approval. If Field Type Values were selected and Split By Value Approval was selected for the requested app right, you will see an approval task for each requested Field Type Value.

  8. Click the status link.

     

    This directs you to the My Requests page of My Tasks and opens the Request Detail pane for the request.

  9. Click the Process Steps tab and then click the Show Approvers link. You should see the person designated as the PBAC approver.
