Self-Service Access Overview

EmpowerID's self-service access feature streamlines the granting of authorized access to IT resources: access tied to a user's assigned responsibilities needs no separate request. To maintain compliance and security, access requests that exceed a user's standard roles go through a user-friendly, monitored approval process. EmpowerID manages these requests with an emphasis on appropriate justification, traceability, manageability, and temporary access where required. The self-service access system consists of three components, IAM Shop, Eligibility, and Approvals & Approval Routing, which work together to provide compliant access.

IAM Shop

The IAM Shop, a microservice provided by EmpowerID, allows users to request access to IT resources. Users can view their current resources and request additional access based on their job functions. They can search for specific roles, request access, and even set time constraints for their requests. Requests are stored in the user's cart until they are submitted or removed. Users can review the resources in their cart, provide a justification, and submit the request for approval.

Figure 1: IAM Shop Flow and User Interface

Eligibility

To ensure a seamless end-user experience and prevent non-compliant access requests, it is crucial to control the resources that different users can view and request. EmpowerID offers a powerful policy engine called "Eligibility" to manage which users can view and request these items in the IAM Shop. Eligibility policies can be applied to users based on various criteria and can be classified as inclusion rules or exclusion rules.

Inclusion rules specify the resources that users are authorized to see and request in the IAM Shop, so that inappropriate items, which would otherwise generate unnecessary approval tasks, are not requested in the first place. For example, rules can filter the resources available to employees in different roles, such as sales employees or developers, so that each type of employee sees a different catalog of requestable resources. Together, inclusion and exclusion rules provide a more user-friendly shopping experience by removing irrelevant options and shielding employees from requesting unwanted or non-compliant items.

Inclusion rules consist of the following:

  • Eligible – Users can request items in the IAM Shop, and the request will be sent for approval unless the requester has the RBAC delegations required to satisfy the access being requested.

  • Pre-Approved – Users assigned the policy are pre-approved for the items the policy covers. When such a user subsequently requests one of these items in the IAM Shop, no approval step is required before the request is fulfilled.

  • Suggested – Based on the role a user is currently requesting, or on the roles they already hold, the IAM Shop displays a "Suggested" additional item that they can request. The item remains subject to the standard approval routing rules.

By applying appropriate Eligibility policies and using inclusion rules, EmpowerID ensures that users can easily request compliant access and that unnecessary approval tasks are minimized to provide a better user experience.

Figure 2: Eligibility Policy applied to a person

Approvals and Approval Routing

EmpowerID's approval routing engine is a powerful tool that ensures that only authorized users have access to sensitive resources. As mentioned earlier, Eligibility policies are taken into account when determining if a request requires approval and, if so, the number of approval steps and the assignees for each step. The approval process is dynamically calculated, considering the requester's roles, the sensitivity of the requested items, and the organization's risk and Segregation of Duties (SoD) policies. Depending on these factors, a requested item may not require approval, or it could necessitate multiple levels of approval and additional SoD approval from a risk owner.

Approvers receive configurable email notifications that are localized to ensure they have relevant information to make informed decisions. Reminder emails can be configured based on flexible policies to ensure that the approval process is completed efficiently. To ensure accountability, every decision made in the approval process is logged and traceable through to the final fulfillment of access.

EmpowerID's approval routing engine guarantees that access requests comply with organizational risk and segregation of duties policies while ensuring users can only access appropriate resources. This process also enables greater accountability since all decisions are traceable, and the necessary checks are made.
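The following is an added illustration, not EmpowerID code, of how the Eligibility inclusion and exclusion rules described above feed the approval routing decision: exclusion rules hide an item outright, Pre-Approved items and items covered by the requester's RBAC delegations skip the approval step, Eligible and Suggested items go to the standard route, and an SoD conflict adds a risk-owner step. The `Policy` structure, the item and role names, and the SoD table are constructed assumptions.

```python
# Constructed toy model of Eligibility rules feeding approval routing.
# Item names, roles and the policy structure are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    item: str          # requestable resource (role, group, application)
    kind: str          # "eligible" | "pre_approved" | "suggested" | "excluded"
    roles: frozenset   # policy applies to people holding any of these roles

# Precedence when several inclusion policies match the same item for one person.
_RANK = {"suggested": 0, "eligible": 1, "pre_approved": 2}

def iam_shop_catalog(person_roles, policies):
    """Return {item: status} visible to this person; exclusion rules always win."""
    visible, excluded = {}, set()
    for p in policies:
        if not (p.roles & person_roles):
            continue                     # policy does not apply to this person
        if p.kind == "excluded":
            excluded.add(p.item)
        elif p.item not in visible or _RANK[p.kind] > _RANK[visible[p.item]]:
            visible[p.item] = p.kind
    return {i: s for i, s in visible.items() if i not in excluded}

def approval_route(item, person_roles, policies, delegations, sod_conflicts):
    """Approval steps a request must pass before fulfilment; None if not requestable.
    delegations: items the requester may already assign via RBAC delegation.
    sod_conflicts: {item: frozenset(roles that conflict with it)}."""
    catalog = iam_shop_catalog(person_roles, policies)
    if item not in catalog:
        return None                      # hidden by Eligibility: cannot be requested
    steps = []
    if catalog[item] != "pre_approved" and item not in delegations:
        steps.append("resource owner")   # standard routing for Eligible/Suggested
    if sod_conflicts.get(item, frozenset()) & person_roles:
        steps.append("risk owner")       # SoD conflict needs explicit risk sign-off
    return steps

# Constructed sample policies and SoD table.
POLICIES = [
    Policy("CRM Reporting", "eligible", frozenset({"sales"})),
    Policy("Git Write", "pre_approved", frozenset({"developer"})),
    Policy("Build Server Admin", "suggested", frozenset({"developer"})),
    Policy("Payroll Admin", "eligible", frozenset({"finance"})),
    Policy("Payroll Admin", "excluded", frozenset({"contractor"})),
]
SOD = {"Payroll Admin": frozenset({"accounts_payable"})}
```

A contractor in finance never sees Payroll Admin at all, while a finance employee who also holds accounts_payable sees it but is routed through both the resource owner and the risk owner.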

Risk Management