Eligibility and the IAM Shop

A clear end-user experience for access requests is part of maintaining security and compliance within an organization. To achieve this, the visibility and requestability of items must be managed for each type of user. Presenting all users with one uniform catalog of requestable items is overwhelming, as they must search through large amounts of data to find the resources relevant to them. Exposing unnecessary items is also a security risk: external users or malicious actors who can see the organization's most sensitive roles and resources learn what exists and can attempt to request it. For regulatory compliance, it is also necessary to prevent specific user groups from seeing or requesting certain roles and resources, for example by enforcing country-specific restrictions such as the International Traffic in Arms Regulations (ITAR).

Eligibility Policies

EmpowerID addresses this with a policy engine that controls which users may see and request roles and resources in the IAM Shop. These policies, known as "Eligibility policies," can be assigned to users based on attribute queries, roles, groups, or other criteria. This makes it easy to target specific users for policy assignment and to automate that assignment throughout the user's lifecycle. To further reduce administrative workload, Eligibility policies can be applied to all requestable items of a particular type or location instead of to each item individually. This allows policies to be broader, granting or excluding eligibility across a branch of the EmpowerID Location tree. Roles play two parts: an Eligibility policy applied to a role governs what its members may see and request in the IAM Shop, and policies also apply to the role itself as a potential IAM Shop item, regulating who may see and request it.

Eligibility Rules

Eligibility policies are categorized as either inclusion rules or exclusion rules. Inclusion rules define the items a user is authorized to see and request in the IAM Shop, so that only relevant resources are offered; exclusion rules define the items a user may not see or request. An example is filtering the available resources for Field Sales employees and for developers, giving each group a tailored catalog of requestable roles and resources. This prevents unwarranted access requests and reduces unnecessary approval tasks. Inclusion and exclusion rules also improve the shopping experience by hiding resources the user cannot request.

There are three inclusion rules:

  • Eligible: Users can request the resource in the IAM Shop, which creates a Business Request. All Business Requests are routed for approval unless the requester is a designated approver and no additional approvals are needed.

  • Pre-Approved: Users are pre-approved for the resource and see an Activate button in the IAM Shop; clicking it grants access immediately. No Business Request is created, as no approvals are needed.

  • Suggested: Users see resources with this rule applied as suggested items they may want to request. Requests submitted for suggested items follow the standard approval routing rules.

Figure: Eligibility types applied to a specific resource type

Inclusion and exclusion rules can be assigned to any EmpowerID actor type. If a user is excluded from an item, either directly or indirectly by belonging to a group or role that is excluded, the exclusion takes priority over any inclusion rule that would otherwise apply. An exclusion anywhere in the user's membership chain therefore wins over even a direct inclusion, which is what makes location-wide exclusions such as an ITAR restriction safe to combine with broad inclusion policies.
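The following is an added, illustrative model of how the rules described above resolve for one user; it is not EmpowerID's own code or API. It assumes policies are scoped either to a single item, to an item type, or to a subtree of a Location tree given as a slash-separated path, and that membership in a group or role is inherited transitively. One assumption the page does not settle is how to pick among several inclusion rules that match the same item; the model ranks Pre-Approved over Eligible over Suggested, which is labelled as an assumption in the code. The catalog, memberships and policies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# ASSUMPTION: the page does not say which inclusion rule wins when several
# apply to one item; this model treats Pre-Approved as the most permissive.
INCLUSION_RANK = {"Suggested": 1, "Eligible": 2, "Pre-Approved": 3}


@dataclass(frozen=True)
class Item:
    name: str
    item_type: str   # e.g. "Group" or "Business Role"
    location: str    # path in the Location tree, e.g. "Global/US/ITAR"


@dataclass(frozen=True)
class Policy:
    actor: str                          # person, group or role it is assigned to
    rule: str                           # Eligible | Pre-Approved | Suggested | Excluded
    item: Optional[str] = None          # scope: one named item ...
    item_type: Optional[str] = None     # ... or every item of a type ...
    location: Optional[str] = None      # ... optionally limited to a location subtree


def in_subtree(item_location: str, scope_location: str) -> bool:
    """True if item_location is scope_location itself or lies beneath it."""
    return item_location == scope_location or item_location.startswith(scope_location + "/")


def policy_matches(p: Policy, item: Item) -> bool:
    """A policy applies to an item when every scope it sets is satisfied."""
    if p.item is not None and p.item != item.name:
        return False
    if p.item_type is not None and p.item_type != item.item_type:
        return False
    if p.location is not None and not in_subtree(item.location, p.location):
        return False
    return True


def effective_actors(person: str, memberships: Dict[str, Set[str]]) -> Set[str]:
    """The person plus every group and role they belong to, transitively."""
    seen: Set[str] = set()
    stack = [person]
    while stack:
        actor = stack.pop()
        if actor in seen:
            continue
        seen.add(actor)
        stack.extend(memberships.get(actor, set()))
    return seen


def resolve(person: str, memberships: Dict[str, Set[str]],
            policies: List[Policy], catalog: List[Item]) -> Dict[str, str]:
    """Map each item the person may see to the inclusion rule they get for it.
    Items with no matching policy, or with any matching exclusion, are hidden."""
    actors = effective_actors(person, memberships)
    visible: Dict[str, str] = {}
    for item in catalog:
        applicable = [p for p in policies if p.actor in actors and policy_matches(p, item)]
        if not applicable:
            continue                      # nothing grants visibility
        if any(p.rule == "Excluded" for p in applicable):
            continue                      # exclusion wins, direct or inherited
        best = max(applicable, key=lambda p: INCLUSION_RANK[p.rule])
        visible[item.name] = best.rule
    return visible


# Constructed sample data (not from the page).
CATALOG = [
    Item("CRM Users", "Group", "Global/US"),
    Item("Field Sales Role", "Business Role", "Global/US"),
    Item("Defense Program Files", "Group", "Global/US/ITAR"),
    Item("Dev Tools", "Group", "Global/EU/DE"),
]
MEMBERSHIPS = {
    "alice": {"Field Sales"}, "bob": {"Developers"}, "carol": {"All Employees"},
    "Field Sales": {"All Employees"}, "Developers": {"All Employees"},
}
POLICIES = [
    Policy("All Employees", "Suggested", item_type="Group", location="Global"),
    Policy("Field Sales", "Eligible", item="CRM Users"),
    Policy("Field Sales", "Pre-Approved", item="Field Sales Role"),
    Policy("Developers", "Eligible", item_type="Group", location="Global/EU"),
    Policy("All Employees", "Excluded", location="Global/US/ITAR"),   # country restriction
    Policy("carol", "Eligible", item="Defense Program Files"),        # direct include, still hidden
]

if __name__ == "__main__":
    for person in ("alice", "bob", "carol"):
        print(person, resolve(person, MEMBERSHIPS, POLICIES, CATALOG))
```

Carol's case is the one worth noting: she holds a direct Eligible policy on "Defense Program Files", but the location-scoped exclusion she inherits through All Employees hides the item anyway, matching the precedence rule above.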

https://dotnetworkflow.jira.com/wiki/spaces/EIDADV23/pages/2984891197