Eligibility

EmpowerID offers a powerful policy engine that you can use to write policies that give users the opportunity to request access to targeted IT resources like shared folders, Office 365 licenses, group membership, roles, and more. These policies, known as “Eligibility policies,” enhance your organization’s security and benefit end-users both by shielding your organization’s most sensitive roles and resources from unnecessary exposure while giving users a simpler and less distracting “IT Shop” experience that targets each of those users with a streamlined catalog of resources from which they may pick and choose. Simply put, Eligibility policies allow you to control what IT resources users may see and request when shopping in the IT Shop. Eligibility policies are extremely flexible and can be written against any resource and applied to users by attribute query, role membership, group membership, or other criteria. This makes it easy to target who receives which policies for what resources and have the assignment automated and maintained through its lifecycle. To further ease the administrative burden, Eligibility policies can be applied to all requestable items of a type by location in addition to one by one. This allows policies to be broader granting or excluding eligibility using the EmpowerID Location tree. For roles, eligibility policies can be applied to their members to control what they may see and request in the IT Shop. Policies also apply to the role itself as a possible IT Shop item.

Eligibility Rules

Eligibility policies can be defined with rules known as “Inclusion” and “Exclusion.” Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure these items are only the ones that would make sense for them to request. An application example could be using rules to filter the type of applications and other resource types available for sales employees and developers. The catalog of requestable resources available to each of those employees should be different to ensure that unwarranted access requests are not generated. Additionally, inclusion and exclusion rules help organizations provide employees a more pleasant user shopping experience as they are shielded from viewing resources that they cannot request. 

If a user is excluded (either directly or indirectly by virtue of belonging to a group or role that is excluded), the exclusion takes priority over inclusion. Thus, if a user is eligible for a given resource via one assignment, but not eligible for that same resource via another assignment, that user will not be able to see or request access to the resource.

Inclusion rules, also known as “Eligibility Type,” include the following:

  • Eligible – Users can request items in the IT Shop, and the request will go for approval based on the Approval Flow policies specified for the item.

  • Pre-Approved – Users assigned the policies are pre-approved for the items to which the policy applies. When an IT Shop user requests access to a resource for which they are pre-approved, the system automatically grants them access.

  • Suggested – Users assigned the policies may opt to view additional “Suggested” items they may request. The item will still follow standard approval routing rules. 

 

Eligibility policy for an application being applied to a Business Role and Location and Application Role (Group)

 

 

Related Docs Topics:

Eligibility