New hire

Birthright access overview

Birthright rules define access that is granted automatically when certain conditions are true. This is usually done by setting up a business rule so that a user with a given job title is automatically assigned the roles specific to that job function. Business rules are configured in the business rules engine of OpenIAM.

Use the matrix and examples below to define these rules.

Rule Name
Inclusion criteria: Criteria that determine when a person should get the defined access.
Access: Entitlements that a person should get when the inclusion criteria are true.
Exclusion criteria: Criteria that prevent a user from getting the defined birthright access.

Example: Accounts payable role

Rule Name: Account payable
Inclusion criteria: Department="Finance" and Title="Account payable agent"
Access: AD Group=Account Payable, AD Group=Finance, Shared folder=/some path/finance team, MyERP application Access=Payables agent role
Exclusion criteria: Role=Invoice approval

Specific information on how to define birthright access and set business rules is given in the Birthright section of the Administration Guide.

New hire

There are two ways to initiate a new hire from the UI:

  • With approval flow. Go to selfservice -> Access management -> New user. To initiate a new hire with an approval flow, you need to define approvers. This process is shown in the linked document; there, search for the NEW_HIRE_WITH_APPROVAL_AR resource.
  • Without approval flow. Go to selfservice -> Access management -> New user-NO approver.

Creating a business rule that will assign the user to the role

Business rules invoke actions on a user (the target) when the specified conditions are met.

To add a business rule that will assign the user to a role, or any other business rule:

  1. Go to webconsole -> Access Control -> Business Rules.

  2. Select Add Business rules.

  3. Enter the Name and Description of the new business rule.

  4. Choose Operation:

  • All. The business rule is applied during new user creation and user update.
  • Add. The business rule is applied during new user creation only.
  • Update. The business rule is applied during user update only.

  5. Choose Status:

  • Active
  • Inactive

  6. Choose Apply selected rule when conditions match: > target. This determines which target gets invoked when the conditions set in the business rule are met.

  7. Choose Apply selected rule when conditions DO NOT match: > target. This determines which target gets invoked when the conditions set in the business rule are not met.

  8. Select and hold (or right-click) Or to begin setting the condition:

  • Add 'Or'. Add a condition that groups two or more expressions. If one of the expressions evaluates to true, the condition evaluates to true.
  • Add 'And'. Add a condition that groups two or more expressions. If all of the expressions evaluate to true, the condition evaluates to true.
  • Add 'Expression'. Add an expression to be evaluated. Negation reverses the expression result if set to true.
  • Add 'Groovy'. Add a Groovy script to be called. The logic contained in the script is evaluated against the user.
  • Edit.
  • Condition.

  9. Select Save. The business rule is added.
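The following is an added example, not OpenIAM's own code or API: a small Python model of how a birthright business rule such as the Account payable example above is evaluated. It models the Or / And / Expression / Groovy condition tree with negation, the Operation (All / Add / Update) and Status settings, the match and no-match targets, and the exclusion criteria from the birthright matrix. The class names, the attribute names (Department, Title, roles) and the entitlement strings are assumptions chosen to mirror the page's example; the Groovy node is a stand-in callable rather than a real script.

```python
# Added example, not OpenIAM's own code: a minimal model of birthright rule
# evaluation. Names and attribute keys are assumptions mirroring the page's
# "Account payable" example; OpenIAM's real rule engine and API differ.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Union

User = Dict[str, object]   # attribute name -> value (e.g. "roles" -> set of role names)


@dataclass
class Expression:
    """Compare one user attribute with a value. Negation reverses the result."""
    attribute: str
    value: object
    negate: bool = False

    def evaluate(self, user: User) -> bool:
        actual = user.get(self.attribute)
        # a multi-valued attribute (roles, groups) matches if it contains the value
        if isinstance(actual, (set, frozenset, list, tuple)):
            matched = self.value in actual
        else:
            matched = actual == self.value
        return (not matched) if self.negate else matched


@dataclass
class And:
    """True only if every grouped expression is true."""
    children: List["Condition"]

    def evaluate(self, user: User) -> bool:
        return all(c.evaluate(user) for c in self.children)


@dataclass
class Or:
    """True if at least one grouped expression is true."""
    children: List["Condition"]

    def evaluate(self, user: User) -> bool:
        return any(c.evaluate(user) for c in self.children)


@dataclass
class Groovy:
    """Stand-in for a Groovy script: any callable that inspects the user."""
    script: Callable[[User], bool]

    def evaluate(self, user: User) -> bool:
        return bool(self.script(user))


Condition = Union[Expression, And, Or, Groovy]


@dataclass
class BusinessRule:
    name: str
    condition: Condition
    on_match: Set[str] = field(default_factory=set)     # target when conditions match
    on_no_match: Set[str] = field(default_factory=set)  # target when they do not
    exclusion: Optional[Condition] = None               # blocks the grant even if matched
    operation: str = "All"                              # All | Add | Update
    status: str = "Active"                              # Active | Inactive

    def applies_to(self, event: str) -> bool:
        """event is 'Add' (new user creation) or 'Update' (user update)."""
        return self.status == "Active" and self.operation in ("All", event)

    def evaluate(self, user: User, event: str) -> Set[str]:
        """Return the entitlements this rule grants to `user` for `event`."""
        if not self.applies_to(event):
            return set()
        if self.exclusion is not None and self.exclusion.evaluate(user):
            return set()   # exclusion criteria win over inclusion criteria
        if self.condition.evaluate(user):
            return set(self.on_match)
        return set(self.on_no_match)


# The page's "Account payable" birthright rule, expressed in this model.
ACCOUNTS_PAYABLE = BusinessRule(
    name="Account payable",
    condition=And([Expression("Department", "Finance"),
                   Expression("Title", "Account payable agent")]),
    on_match={"AD Group=Account Payable", "AD Group=Finance",
              "Shared folder=/some path/finance team",
              "MyERP application Access=Payables agent role"},
    exclusion=Expression("roles", "Invoice approval"),
)


def birthright_access(user: User, event: str = "Add") -> Set[str]:
    """Entitlements a user receives from ACCOUNTS_PAYABLE on the given event."""
    return ACCOUNTS_PAYABLE.evaluate(user, event)


if __name__ == "__main__":
    # constructed test users: a plain AP agent and one who already approves invoices
    agent = {"Department": "Finance", "Title": "Account payable agent", "roles": set()}
    approver = {"Department": "Finance", "Title": "Account payable agent",
                "roles": {"Invoice approval"}}
    print(sorted(birthright_access(agent)))     # the four AP entitlements
    print(sorted(birthright_access(approver)))  # [] because the exclusion criteria match
```

The exclusion check runs before the inclusion check, so a user who already holds the Invoice approval role never receives the payables entitlements; that ordering is what makes the exclusion column of the matrix a safe place to express a separation-of-duties constraint.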

Checking the business rule

To check that the business rule works, create a new user (via the UI or using a CSV file) that exactly matches the expression in your business rule. If the test user ends up with all the entitlements the rule defines, the business rule works.