Birthright access

Birthright access refers to the entitlements that are granted automatically if specified conditions are true. For example, we could set rules in the business rules engine of OpenIAM so that during the joiner process a user that has a job title of HR Information Specialist would automatically be assigned roles specific to that job function. Similarly, the rule would be configured to remove those roles if there is a change in job title during the mover process. The steps below outline how to configure the business rules engine to enable birthright access.

  1. Sign in to the webconsole.
  2. Select Access Control > Business Rules.

Add Targets

Targets are actions that are performed on a user. These are invoked when conditions are met as defined by the business rules (described in the section below).

  1. Select Add Target.
  2. Enter the Name and Description of the target. Select Active to ensure the target will be applied by the business rules. Select Save.
  3. Select and hold (or right-click) the target name in the target listing. Select Add action.
  4. Select Type and choose one of the following action types:
  • Activate User
  • Add User to Group. Choose managed system and group.
  • Add User to Organization. Choose organization type and organization.
  • Add User to Role. Choose managed system and role.
  • Call Groovy script. Select the Groovy script that will be called when the target is invoked.
  • Deactivate User
  • Disable User
  • Enable User
  • Grant Resource to User. Choose resource type and resource.
  • Lock User
  • Remove all entitlements (Roles, Groups, Organizations, Resources) now
  • Remove User from Group. Choose managed system and group.
  • Remove User from Organization. Choose organization type and organization.
  • Remove User from Role. Choose managed system and role.
  • Resume access, erase memberships end dates
  • Resume access, prolong end date for given number of days from current moment. The number of days entered specifies how many days will elapse from the time the target is invoked until access is removed.
  • Revoke Access from Resource. Choose resource type and resource.
  • Terminate access to all entitlements by setting end date for now

Select Save. You may add multiple actions per target.

[Screenshot: Targets]

Add Business Rules

Business rules enable targets (documented above) to be invoked on users when specified conditions are met.

  1. Select Add Business rules.
  2. Enter the Name and Description of the new business rule. Choose Operation:
  • All. The business rule is applied during both new user creation and user update.
  • Add. The business rule is applied during new user creation only.
  • Update. The business rule is applied during user update only.
  3. Choose Status:
  • Active
  • Inactive
  4. Choose Apply selected rule when conditions match: > target. This determines which target is invoked when the conditions set in the business rule are met.
  5. Choose Apply selected rule when conditions DO NOT match: > target. This determines which target is invoked when the conditions set in the business rule are not met.
  6. Select and hold (or right-click) Or to begin setting the condition:
  • Add 'Or'. Add a condition which groups two or more expressions. If at least one of the expressions evaluates to true, the condition evaluates to true.
  • Add 'And'. Add a condition which groups two or more expressions. If all of the expressions evaluate to true, the condition evaluates to true.
  • Add 'Expression'. Add an expression to be evaluated. If Negation is set to true, the expression result is reversed.
  • Add 'Groovy'. Add a Groovy script to be called. The logic in the script is evaluated against the user.
  • Edit

[Screenshot: Condition]

  7. Select Save.
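The rule semantics described above (Operation, Status, the And/Or/Expression condition tree with negation, and the match and do-not-match targets), modelled as an added Python example for a joiner followed by a mover. This is not OpenIAM code: the attribute names, the HR_ROLE role and the user record are constructed, and the real engine evaluates its conditions against the full user profile.

```python
from dataclasses import dataclass
@dataclass
class Expression:  # console 'Expression' node: compare one user attribute to a value
    attribute: str
    value: str
    negation: bool = False  # reverses the result, like the console's Negation flag
    def evaluate(self, user: dict) -> bool:
        return (user.get(self.attribute) == self.value) != self.negation

@dataclass
class Group:  # console 'And' node when all_of=True, 'Or' node when all_of=False
    children: list
    all_of: bool = True
    def evaluate(self, user: dict) -> bool:
        return (all if self.all_of else any)(c.evaluate(user) for c in self.children)

@dataclass
class Target:  # named list of actions performed on the user's role set
    name: str
    actions: list
    def invoke(self, roles: set) -> None:
        for action in self.actions: action(roles)

@dataclass
class BusinessRule:
    operation: str  # "All", "Add" (joiner only) or "Update" (mover only)
    condition: object  # an Expression or Group
    match_target: Target
    no_match_target: Target
    active: bool = True  # console Status; an Inactive rule never runs
    def apply(self, user: dict, roles: set, event: str):  # -> True/False, or None if skipped
        if not self.active or self.operation not in ("All", event):
            return None
        matched = self.condition.evaluate(user)
        (self.match_target if matched else self.no_match_target).invoke(roles)
        return matched
# Constructed rule: active HR Information Specialists hold HR_ROLE; anyone else loses it.
HR_RULE = BusinessRule("All",
    Group([Expression("jobTitle", "HR Information Specialist"),
           Expression("status", "TERMINATED", negation=True)]),
    Target("grant-hr", [lambda roles: roles.add("HR_ROLE")]),
    Target("revoke-hr", [lambda roles: roles.discard("HR_ROLE")]))

def lifecycle():  # joiner then mover for a constructed user; returns roles after each event
    user, roles = {"jobTitle": "HR Information Specialist", "status": "ACTIVE"}, set()
    HR_RULE.apply(user, roles, "Add")     # joiner: condition matches, HR_ROLE granted
    after_join = set(roles)
    user["jobTitle"] = "Payroll Analyst"
    HR_RULE.apply(user, roles, "Update")  # mover: no longer matches, HR_ROLE revoked
    return after_join, set(roles)
```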

Note: If a business rule is newly implemented and you have existing users that you want the rule to provision, run the batch task called Perform Business Rules recalculation. More on batch tasks can be found in the linked batch tasks document.

Known issue: Some customers have encountered a problem when running this task. A fix is under way.

Out of sync users

Out of sync users are users who would be affected by the updated business rules but have not yet been provisioned against them.

  • Select Preview impacted users to check all users against the updated business rules. A list of out of sync users will be displayed.
  • Select Provision impacted users to begin provisioning out of sync users.