Creating App Rights
Application rights, or app rights, specify the actions that users or groups can perform within an application. These rights dictate what users can create, read, update, or delete based on their roles or attributes. For example, in a commerce application, app rights can determine who has the authority to update the product catalog, view customer information, and access sales data. Such permissions enable users to complete tasks efficiently while safeguarding the application's data and resources from unauthorized access or manipulation. This article provides step-by-step directions for adding these rights to PBAC applications.
Procedure
Sign in to Resource Admin as at least an Application RBAC Owner.
Under Applications, search for the PBAC application to which you intend to add App Rights and click the Details button for the app record.
This action directs you to the Overview page for the application.
On the app menu, expand the PBAC Definitions menu item, select App Rights, and click Create App Right.
This action initiates the “Onboard Az Local Right” wizard workflow.Follow the wizard and fill in the fields of each workflow section with the appropriate information for your application.
For now, leave the Advanced section of the App Right Information empty as it pertains to PBAC approval routing. We will revisit this section later when setting up PBAC Approval routing.
Field | Description | Action |
---|---|---|
Name | Name of the app right | Enter the name of the app right. |
Display Name | User friendly name of the app right | Enter a display name for the app right. |
Description | Brief characterization of the app right | Enter a brief characterization of the app right. |
Right Type | Application Right | N/A (The field is read-only with Application Right is selected by default) |
Location | EmpowerID location to be used for RBAC access to the app right. Default Organization is selected by default. | If you wish to select a location other than the default, clear the default location and search for and select the desired location. |
PBAC Resource Type | That is an optional setting that specifies the resource type to which the app corresponds. | Select the corresponding PBAC Resource Type. Options available include only those previously created for the application. If the app does not have any PBAC Resource Types, this field returns no results. |
When onboarding an App Right, it's essential to specify the individuals responsible for its management and oversight. This includes designating the responsible party, owners, and deputies.
Field | Description | Action |
---|---|---|
Responsible Party | Identifies the primary individual accountable for the App Right. | Type in the full name of the person who will take responsibility for managing the App Right. This field is mandatory. |
Owners | Lists the people who have ownership rights over the App Right. | Enter the names of the individuals designated as owners. Providing owner information is optional but recommended for better governance. |
Deputies | Specifies secondary contacts or assistants to the owners. | Input the names of individuals assigned as deputies. Including deputy information is optional. |
When making an application requestable in the IAM Shop, it is crucial to configure several settings that dictate how requests are handled and who can access them.
Field | Description | Action |
---|---|---|
Set Requestable Setting | Determine if the app right should be requestable by users in the IAM Shop. | Enable the "Requestable in IAM Shop" to make the app right available for requests. When enabled, the settings below are relevant. |
Select Access Request Policy | Defines the procedure for processing requests for the App Right. | From the "Select Access Request Policy" dropdown, choose the policy that best fits how you wish to handle incoming requests for the app right. If you are using PBAC approval routing, you should select the PBAC Approval Access Request Policy. |
Eligible to Request | Specifies users allowed to request access to the app right. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles eligible to make requests. |
Pre-approved for Access | Specifies users who are pre-approved for access to the app right, bypassing the need for manual request approval. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles pre-approved for the app right. |
Suggested Assignees | Identifies users who will see the app right as a suggested resource. | Select the assignee type (e.g., Person, Group, Management Role) and then identify the individuals, groups, or roles suggested for app right eligibility. |
Review the summary information for accuracy. If necessary, click the Back button to revisit previous workflow steps.
When ready, click Submit to create the App Right.
Repeat the procedure to add additional App Rights to the application as needed.
Expected Results
You should see the app right has been added to the application.
See Also
Adding Field Type Values to Field Types
Configuring Field Types for App Rights
https://dotnetworkflow.jira.com/wiki/spaces/EAGV23R3/pages/3347546144
Setting up PBAC Approval Routing