Eligibility and the IAM Shop
Effectively managing which users can view and request resources is an important aspect of maintaining security and compliance within an organization. Without proper controls, presenting a large, unfiltered catalog of requestable resources can lead to confusion, inefficiency, and increased risk. This article provides an overview of how resource visibility and requestability can be managed using EmpowerID’s eligibility policies and rules.
Understanding Access Control Requirements
Organizations must ensure users see only those roles and resources relevant to their responsibilities. Additionally, compliance and regulatory frameworks may require restrictions based on factors such as geographic location, organizational structure, or industry standards. Eligibility policies and rules provide the fine-grained control needed to determine what users can view and request in the IAM Shop.
Eligibility Policies
Eligibility policies determine which users can see and request specific roles and resources. Administrators can base these policies on various criteria, including:
User attributes
Group memberships
Role assignments
Custom conditions
Applying policies at the appropriate scope—such as to all items of a certain type or at a specific node in the EmpowerID Location tree—helps streamline management. For example, you can assign an eligibility policy to a role so that only its members can view certain resources.
Eligibility Rules
Within eligibility policies, two primary rule types define visibility and requestability: Inclusion Rules and Exclusion Rules.
Inclusion Rules
Inclusion rules specify which resources are visible and requestable to particular user sets. They ensure that users only see items aligned with their roles and responsibilities. Inclusion rules fall into three categories:
Eligible:
Description: Users can request the resource, generating a Business Request that follows standard approval workflows (unless the requester is already an authorized approver).
Example Use Case: Assign this status to software licenses that require a manager’s approval before provisioning.
Pre-Approved:
Description: Users see an Activate button in the IAM Shop. Selecting it grants immediate access without generating a Business Request.
Example Use Case: Use for low-risk resources, such as basic application access or self-service password resets, that do not require additional approval.
Suggested:
Description: Resources appear as recommended items. Requests follow standard approval workflows.
Example Use Case: Apply to departmental tools or commonly requested resources to guide users without overwhelming them.
Figure: Eligibility types applied to a specific resource type
Exclusion Rules
Exclusion rules prevent certain users or groups from viewing or requesting specific resources. These rules override inclusion rules, ensuring that sensitive or restricted resources remain inaccessible to unauthorized individuals.
Rule Precedence
If a user matches both an inclusion rule and an exclusion rule for the same resource, the exclusion rule takes precedence and the resource is neither visible nor requestable for that user.
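The following is an added illustrative model of the resolution logic described in the Inclusion Rules, Exclusion Rules and Rule Precedence sections; it is example code written for this page, not EmpowerID's implementation or API. Rules are scoped by user attributes, group memberships or role assignments (the criteria listed under Eligibility Policies), each inclusion rule grants one of the three statuses, and any matching exclusion rule removes the resource regardless of inclusion rules. The users, resources, rules and the tie-break between overlapping inclusion rules (most permissive status wins) are constructed assumptions of this example, not documented product behaviour.

```python
"""Model of IAM Shop eligibility resolution (illustrative, not EmpowerID code).

Inclusion rules make a resource visible with a status; exclusion rules
override them for the users they match.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    PRE_APPROVED = "Pre-Approved"  # Activate button, no Business Request
    ELIGIBLE = "Eligible"          # request generates a Business Request
    SUGGESTED = "Suggested"        # shown as recommended; request follows approval


# Assumption of this example only: when several inclusion rules grant
# different statuses for one resource, the most permissive status wins.
_RANK = {Status.PRE_APPROVED: 0, Status.ELIGIBLE: 1, Status.SUGGESTED: 2}


@dataclass
class User:
    name: str
    attributes: dict          # e.g. {"department": "Finance"}
    groups: frozenset         # group memberships
    roles: frozenset          # role assignments


@dataclass
class Rule:
    resource: str
    matches: Callable[[User], bool]   # the policy's scoping condition
    status: Optional[Status] = None   # set for inclusion rules
    exclude: bool = False             # True for exclusion rules


def resolve(user: User, rules: list) -> dict:
    """Return {resource: Status} for everything this user may see/request.

    Exclusions are collected first so they override any inclusion rule
    for the same resource, implementing the documented precedence.
    """
    excluded = {r.resource for r in rules if r.exclude and r.matches(user)}
    visible = {}
    for r in rules:
        if r.exclude or r.resource in excluded or not r.matches(user):
            continue
        current = visible.get(r.resource)
        if current is None or _RANK[r.status] < _RANK[current]:
            visible[r.resource] = r.status
    return visible


def shop_action(status: Status) -> str:
    """What the IAM Shop offers for a given status."""
    if status is Status.PRE_APPROVED:
        return "activate"              # immediate access, no Business Request
    return "business_request"          # standard approval workflow


# Constructed sample rules (hypothetical resources and conditions).
RULES = [
    Rule("Payroll App", lambda u: u.attributes.get("department") == "Finance",
         status=Status.ELIGIBLE),
    Rule("Payroll App", lambda u: "Payroll Admin" in u.roles,
         status=Status.PRE_APPROVED),
    Rule("Payroll App", lambda u: "Contractors" in u.groups, exclude=True),
    Rule("Expense Tool", lambda u: u.attributes.get("department") == "Finance",
         status=Status.SUGGESTED),
    Rule("Company Wiki", lambda u: True, status=Status.PRE_APPROVED),
]

# Constructed sample users.
USERS = {
    "alice": User("alice", {"department": "Finance"}, frozenset(), frozenset({"Payroll Admin"})),
    "bob": User("bob", {"department": "Finance"}, frozenset({"Contractors"}), frozenset()),
    "carol": User("carol", {"department": "Engineering"}, frozenset(), frozenset()),
}


def catalog_for(name: str) -> dict:
    """The requestable catalog a user would see: {resource: (status, action)}."""
    return {res: (st.value, shop_action(st))
            for res, st in resolve(USERS[name], RULES).items()}


if __name__ == "__main__":
    for who in USERS:
        print(who, catalog_for(who))
```

Bob matches the Eligible inclusion rule for the Payroll App through his department, but the contractor exclusion rule removes it entirely, which is the precedence behaviour to verify when validating exclusion rules before deployment.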
Best Practices
Policy Design and Implementation
Apply Targeted Policies: Assign policies to specific user groups or organizational units for greater control and reduced complexity.
Use Broad Assignments First: Consider applying policies at higher levels (e.g., the location tree) as a starting point before refining them at more granular levels.
Test Before Deployment: Evaluate policies and rules in a non-production environment to ensure proper functionality before applying them broadly.
Maintenance and Monitoring
Conduct Regular Reviews: Periodically review and adjust policy assignments to maintain alignment with organizational changes.
Validate Exclusion Rules: Confirm that exclusion rules function as intended and prevent unauthorized access.
Monitor Policy Performance: Assess whether policies effectively control access and adjust them as needed.
By effectively implementing eligibility policies and rules, organizations can present users with a relevant subset of resources, maintain compliance with regulatory requirements, and reduce the risk of inappropriate access.
Next Steps
https://dotnetworkflow.jira.com/wiki/spaces/EAGV24R2/pages/3390580235