Creating App Rights
Application rights, or app rights, specify the actions that users or groups can perform within an application. These rights dictate what users can create, read, update, or delete based on their roles or attributes. For example, in a commerce application, app rights determine who can update the product catalog, view customer information, and access sales data. Such permissions enable users to complete tasks efficiently while safeguarding the application's data and resources from unauthorized access or manipulation.
This article provides step-by-step directions for creating and adding these rights to PBAC applications in EmpowerID.
Prerequisites
Ensure you have at least the Application RBAC Owner Management Role.
Procedure
Step 1: Sign In to Resource Admin
Sign in to Resource Admin as a user with at least the Application RBAC Owner Management Role.
Step 2: Locate the PBAC Application
Select Applications from the Resource Type menu, search for the target PBAC application, and click the Details button.
This action directs you to the Overview page for the application.
Step 3: Initiate App Right Creation
On the application menu, expand the PBAC Definitions menu item, select App Rights, and click Create App Right.
This action initiates the “Onboard Az Local Right” wizard workflow.
Step 4: Follow the Wizard to Create the App Right
Follow the wizard and fill in the fields of each workflow section with the appropriate information for your application.
General Information Fields
Field | Description | Action |
---|---|---|
Name | Name of the app right | Enter the name of the app right. |
Display Name | User friendly name of the app right | Enter a display name for the app right. |
Description | Brief characterization of the app right | Enter a brief characterization of the app right. |
Right Type | Application Right | N/A (the field is read-only, with Application Right selected by default) |
Location | EmpowerID location to be used for RBAC access to the app right. Default Organization is selected by default. | If you wish to select a location other than the default, clear the default location and search for and select the desired location. |
PBAC Resource Type | An optional setting that specifies the resource type to which the app corresponds. | Select the corresponding PBAC Resource Type. Options available include only those previously created for the application. If the app does not have any PBAC Resource Types, this field returns no results. |
Advanced Information Fields
Several of these fields pertain to app rights with field types, field type values and PBAC approval routing. See Setting up PBAC Approval Routing for a demonstration of how these settings apply in those cases.
Field | Description | Action |
---|---|---|
Split By Value for Approval | Specifies whether to split Field Type Values into different Business Request Items for approval. | Enable the setting as needed. |
Enforce Field Type Selection | Determines whether to enforce the selection of at least one Field Type and its corresponding value before items can be added to the shopping cart when no Field Types are marked as required. | Enable the setting as needed. |
PBAC Approval Right | Used to select the PBAC approval right configured for the application right. | Select the approval right, if configured. See Setting up PBAC Approval Routing for more information. |
Flow to Person Values | Specifies whether edits made to Field Types for the app right update those values on people (used in PBAC Membership policies). | Enable the setting as needed. |
Fulfillment Group | Specifies the group memberships, if any, that assignees of the right should receive. | Select a group as needed. |
Allow Export | Used to specify whether right assignments should be available for export to downstream systems. | Enable the setting as needed. |
When onboarding an App Right, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.
Field | Description | Action |
---|---|---|
Responsible Party | Identifies the primary individual accountable for the App Right. | Type in the full name of the person who will take responsibility for managing the App Right. This field is mandatory. |
Owners | Lists the people who have ownership rights over the App Right. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |
When making an application requestable in the IAM Shop, it is crucial to configure several settings that dictate how requests are handled and who can access them.
Field | Description | Action |
---|---|---|
Set Requestable Setting | Determines whether the app right should be requestable by users in the IAM Shop. | Enable the "Requestable in IAM Shop" setting to make the app right available for requests. When enabled, the settings below are relevant. |
Select Access Request Policy | Defines the procedure for processing requests for the App Right. | From the "Select Access Request Policy" dropdown, choose the policy that best fits how you wish to handle incoming requests for the app right. If you are using PBAC approval routing, you should select the PBAC Approval Access Request Policy. |
Eligible to Request | Specifies users allowed to request access to the app right. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles eligible to make requests. |
Pre-approved for Access | Specifies users who are pre-approved for access to the app right, bypassing the need for manual request approval. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles pre-approved for the app right. |
Suggested Assignees | Identifies users who will see the app right as a suggested resource. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles suggested for app right eligibility. |
Review the summary information for accuracy. If necessary, click the Back button to revisit previous workflow steps.
When ready, click Submit to create the App Right.
Repeat the procedure to add additional App Rights to the application as needed.
Expected Results
You should see that the app right has been added to the application.
See Also
https://dotnetworkflow.jira.com/wiki/spaces/EAGV7212/pages/3734353312
Adding Field Type Values to Field Types
Configuring Field Types for App Rights
https://dotnetworkflow.jira.com/wiki/spaces/EAGV23R3/pages/3347546144
https://dotnetworkflow.jira.com/wiki/spaces/EAGV7212/pages/3734354521