Configure Azure Applications for the IAM Shop

You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


To allow users to request access to Azure applications managed by EmpowerID, you need to perform these steps:

  1. Enable the applications for the IAM Shop

  2. Configure eligibility for the applications

  3. Assign IAM Shop permission levels to the applications

Enable Azure applications for the IAM Shop

In order to allow users to request access to Azure applications, the applications must first be published in the IAM Shop. This makes the applications available for eligible users to view and request access to in the IAM Shop portal.

  1. Log in to Resource Admin.

  2. Select Applications from the Resource Type menu and search for the application you want to update.

  3. Click the gear icon on the application record and select Edit Azure Application.

  4. Select Publish in IAM Shop.

  5. Click Next.

  6. Follow the wizard and click Next until all steps are completed.

Configure Eligibility

For each Azure application, two eligibility rules can be configured, the Who is Eligible to Request (As Resource) rule and the Who is Excluded from Requesting (As Resource) rule. These rules are used to specify who can and cannot request access to the application in the IAM Shop.

  1. Navigate to the View One page for the application and select the RBAC tab. You should see two accordions for eligibility: Who is Eligible to Request (As Resource) and Who is Excluded from Requesting (As Resource).

  2. Expand the accordion corresponding to the eligibility you want to set for the application and follow the steps outlined below.

Who is Eligible to Request (As Resource)

Add this rule when you want to give users the ability to shop for the application in the IAM Shop.

  1. Click the Add button in the grid header.

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved, or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the assignee type for which you are granting eligibility. For example, if you want to grant eligibility to all members of a specific Management Role, you select Management Role as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee you want to make eligible for access to the application. The assignee must match the assignee type selected above, or it will not appear when searching. For example, if you select Management Role as the assignee type, you can only search for Management Roles.

  3. After entering your information, click Save.

  4. Repeat steps 2 and 3 to add other eligibility assignments as needed.

  5. When ready, click Submit.

Who is Excluded from Requesting (As Resource)

Add this rule when you want to explicitly restrict specific users from being able to request access to the application in the IAM Shop. An exclusion takes precedence over eligibility: a user restricted from the application will not be eligible for it even if another eligibility assignment grants them access to the application via a different path.

  1. Click the Add button.

  2. Fill in the fields of the Assignment Information pane:

    • Eligibility Type – Select Eligible, PreApproved, or Suggested.

    • Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you want to restrict eligibility. For example, if you want to restrict all members of a specific group from eligibility, you select Group as the assignee type.

    • Select <Assignee> Name to Search – Search for and select the specific assignee you want to restrict. The assignee must match the assignee type, or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.

  3. After entering your information, click Save.

  4. Repeat steps 2 and 3 to add other eligibility restrictions as needed.

  5. When ready, click Submit.

     

Configure IAM Shop Permission Levels for Assignees

IAM Shop Permission Levels allow you to specify which permissions eligible assignees can select when requesting access to an Azure application.

  1. Navigate to the View One page for the application.

  2. Select the RBAC tab and expand the IAM Shop Assignees for Requesting Access accordion.

  3. Click the Add button.

  4. In the IAM Shop Labels for End User Requests section, enter values in the IAM Shop Localized Name Label and IAM Shop Localized Description Label fields. These values appear to users as the permission level options when shopping for the application.

  5. In the Assignee Granting the Permission Level section, select the assignee type. You can select an Azure role or an EmpowerID actor type, such as a Management Role, Business Role and Location, or group. If you want to assign the permission level to an EmpowerID actor, do the following:

    1. Which Type of Assignee for this Policy? – Select the appropriate assignee type. A description of each assignee type is listed in the below table.

    2. Select <Assignee> to Receive Policy – Based on the assignee type selected above, search for and select the target assignee. For example, if you selected Management Role as the assignee type, you search for and select the specific Management Role to receive the IAM Shop Permission Level.

  6. Click Save.

  7. Repeat for any other IAM Shop assignees you want to add.

  8. When ready, click Submit.

As shown in the below image, users with eligibility will see the permission level(s) when shopping for the application in the IAM Shop.
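The following Python model is an added illustration of the two rules this guide describes (eligibility with exclusion taking precedence, and permission levels offered only to the assignee they were granted to). It is not EmpowerID code and does not call any EmpowerID API; the data structures, the membership lookup, and the sample people, roles, groups and applications are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Actor = (assignee type, assignee name), e.g. ("Management Role", "Finance Analysts").
Actor = Tuple[str, str]

# Eligibility types named in the guide.
ELIGIBILITY_TYPES = frozenset({"Eligible", "PreApproved", "Suggested"})


@dataclass(frozen=True)
class EligibilityAssignment:
    """One row of an eligibility grid: who it applies to and with which type."""
    assignee_type: str
    assignee_name: str
    eligibility_type: str = "Eligible"

    def __post_init__(self):
        if self.eligibility_type not in ELIGIBILITY_TYPES:
            raise ValueError(f"unknown eligibility type: {self.eligibility_type}")

    @property
    def actor(self) -> Actor:
        return (self.assignee_type, self.assignee_name)


@dataclass(frozen=True)
class PermissionLevel:
    """An IAM Shop permission level label and the assignee it is granted to."""
    name_label: str
    description_label: str
    assignee_type: str
    assignee_name: str

    @property
    def actor(self) -> Actor:
        return (self.assignee_type, self.assignee_name)


@dataclass
class AzureApplication:
    name: str
    published_in_iam_shop: bool = False
    eligible: List[EligibilityAssignment] = field(default_factory=list)
    excluded: List[EligibilityAssignment] = field(default_factory=list)
    permission_levels: List[PermissionLevel] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    can_request: bool
    reason: str
    eligibility_types: FrozenSet[str] = frozenset()
    permission_levels: Tuple[str, ...] = ()


def actors_for(person: str, memberships: Dict[str, Set[Actor]]) -> Set[Actor]:
    """The person plus every role/group they belong to (hypothetical membership model)."""
    return {("Person", person)} | set(memberships.get(person, set()))


def resolve(app: AzureApplication, person: str, memberships: Dict[str, Set[Actor]]) -> Decision:
    """Decide whether the person can request the app and which levels they would see."""
    if not app.published_in_iam_shop:
        return Decision(False, "not published in IAM Shop")
    actors = actors_for(person, memberships)
    # An exclusion wins over any eligibility assignment reached by another path.
    if any(a.actor in actors for a in app.excluded):
        return Decision(False, "excluded")
    matched = frozenset(a.eligibility_type for a in app.eligible if a.actor in actors)
    if not matched:
        return Decision(False, "no eligibility assignment")
    # Only permission levels granted to one of the person's actors are offered.
    levels = tuple(p.name_label for p in app.permission_levels if p.actor in actors)
    return Decision(True, "eligible", matched, levels)


def shoppable_apps(apps: List[AzureApplication], person: str, memberships) -> List[str]:
    """Names of the applications the person would see in the IAM Shop."""
    return sorted(app.name for app in apps if resolve(app, person, memberships).can_request)


# Constructed sample data (not from any real tenant).
MEMBERSHIPS: Dict[str, Set[Actor]] = {
    "alice": {("Management Role", "Finance Analysts"), ("Group", "All Staff")},
    "bob": {("Group", "All Staff"), ("Group", "Contractors")},
    "carol": set(),
}
EXPENSE_PORTAL = AzureApplication(
    name="Expense Portal", published_in_iam_shop=True,
    eligible=[EligibilityAssignment("Management Role", "Finance Analysts", "PreApproved"),
              EligibilityAssignment("Group", "All Staff", "Eligible")],
    excluded=[EligibilityAssignment("Group", "Contractors")],
    permission_levels=[PermissionLevel("Reader", "Read-only access", "Group", "All Staff"),
                       PermissionLevel("Approver", "Approve reports", "Management Role", "Finance Analysts")],
)
DRAFT_APP = AzureApplication(name="Draft App", eligible=[EligibilityAssignment("Group", "All Staff")])
APPS = [EXPENSE_PORTAL, DRAFT_APP]

if __name__ == "__main__":
    for person in MEMBERSHIPS:
        for app in APPS:
            print(person, app.name, resolve(app, person, MEMBERSHIPS))
```

Running the script shows the point of the exclusion rule: bob is a member of All Staff, which is eligible for the Expense Portal, but his Contractors membership is excluded, so he cannot request it at all. Alice reaches the application through two eligibility paths and is offered both permission levels, while the unpublished Draft App is invisible to everyone regardless of eligibility.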