Eligibility

EmpowerID offers a powerful policy engine for writing policies that give users the opportunity to request access to targeted IT resources such as shared folders, Office 365 licenses, group membership, roles, and more. These policies, known as “Eligibility policies,” enhance your organization’s security and benefit end users: they shield your organization’s most sensitive roles and resources from unnecessary exposure, and they give users a simpler and less distracting “IT Shop” experience by presenting each user with a streamlined catalog of resources from which to pick and choose. Simply put, Eligibility policies allow you to control what IT resources users may see and request when shopping in the IT Shop.

Eligibility policies are extremely flexible and can be written against any resource and applied to users by attribute query, role membership, group membership, or other criteria. This makes it easy to target who receives which policies for what resources and to have the assignment automated and maintained throughout its lifecycle. To further ease the administrative burden, Eligibility policies can be applied to all requestable items of a type by location, in addition to one by one. This allows broader policies that grant or exclude eligibility using the EmpowerID Location tree.

For roles, Eligibility policies can be applied to a role’s members to control what they may see and request in the IT Shop. Policies also apply to the role itself as a possible IT Shop item.

Eligibility Rules

Eligibility policies can be defined with rules known as “Inclusion” and “Exclusion.” Inclusion rules define the items a user is authorized to see and request in the IT Shop and ensure that these are only the items that would make sense for that user to request. For example, in a multinational company, a Field Sales employee in Austria should not see the same requestable items as a Developer in Brazil. Their catalogs of requestable roles and resources should be different, which gives them a more pleasant user experience and ensures that unwarranted access requests, and the unnecessary approval tasks they create, are not generated.

Eligibility Exclusion rules can be created as a protective measure to enforce regulatory restrictions and ensure that specific classes of users do not accidentally receive the ability to request items they should not.

Eligibility policies also include the capability of affecting the approval flow for an item requested by a user. When assigning eligibility policies, the policy author may assign an Eligibility Type for the assignment.

There are three types of eligibility in EmpowerID.

  • Eligible – Users can request items in the IT Shop, and the request will go for approval unless the requesting person has the RBAC delegations needed to grant the requested access.

  • Pre-Approved – Users assigned the policies are pre-approved for the items to which the policy is applicable. When the IT Shop user later requests access, it will not require an approval step before being fulfilled.

  • Suggested – The IT Shop shows the item to users as a “Suggested” additional item they may request because of their existing roles or in the context of a role they are currently requesting. The item will still follow standard approval routing rules.
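
The following added example is a simplified model of the rules and types described above. It is not EmpowerID code or its API. The `Assignment` shape, the item names, and the sample users are constructed for illustration. It also makes three assumptions the page does not state: an Exclusion rule overrides any matching Inclusion rule, Pre-Approved takes precedence when several types match the same item, and a Suggested item is routed for approval the same way as an Eligible one.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Assignment:                     # hypothetical shape, not an EmpowerID object
    item: str
    rule: str                         # "include" or "exclude"
    targets: Callable[[dict], bool]   # attribute / role / group query over a user
    etype: str = "Eligible"           # Eligible | Pre-Approved | Suggested

def shop_catalog(user, assignments, delegations=frozenset()):
    """Return {item: (label, needs_approval)} for what `user` may see and request."""
    matching = [a for a in assignments if a.targets(user)]
    excluded = {a.item for a in matching if a.rule == "exclude"}
    types = {}
    for a in matching:
        if a.rule == "include" and a.item not in excluded:  # assumption: exclusion wins
            types.setdefault(a.item, set()).add(a.etype)
    catalog = {}
    for item, t in types.items():
        pre = "Pre-Approved" in t     # assumption: Pre-Approved outranks other types
        label = "Pre-Approved" if pre else "Suggested" if "Suggested" in t else "Eligible"
        # Pre-Approved skips the approval step; otherwise approval is required unless
        # the requester already holds a delegation to grant the item (Suggested is
        # modeled with the same routing as Eligible, which is an assumption).
        catalog[item] = (label, not (pre or item in delegations))
    return catalog

# Constructed sample policies and users
POLICIES = [
    Assignment("Office 365 License", "include", lambda u: True, "Pre-Approved"),
    Assignment("CRM Sales Role", "include", lambda u: u["dept"] == "Field Sales"),
    Assignment("Source Repo Share", "include", lambda u: "Developers" in u["groups"]),
    Assignment("Build Admin Role", "include", lambda u: "Developers" in u["groups"], "Suggested"),
    Assignment("Source Repo Share", "exclude", lambda u: u["country"] == "AT"),
    # Overly broad inclusion: the exclusion above keeps it from reaching Austrian users.
    Assignment("Source Repo Share", "include", lambda u: u["dept"] == "Field Sales"),
]
SALES_AT = {"dept": "Field Sales", "country": "AT", "groups": []}
DEV_BR = {"dept": "Engineering", "country": "BR", "groups": ["Developers"]}

if __name__ == "__main__":
    for who in (SALES_AT, DEV_BR):
        print(who["dept"], who["country"], shop_catalog(who, POLICIES))
```

The last policy in the sample shows why Exclusion rules work as a protective measure: a mis-scoped Inclusion rule would otherwise put the share in the Austrian Field Sales catalog.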
