Requesting access via catalog

This section describes how you can request access to an application or entitlement using the service catalog. The access request functionality is based on a shopping cart model where users can select items from the service catalog, place them in a cart and then checkout. Upon checkout, OpenIAM will start a workflow where the designated approvers are notified to review the request. If the request is approved, then OpenIAM will provision the access if a connector has been enabled. For systems where a connector does not exist, then a person or group designated to fulfil will be notified.

The steps below describe how you can create a request.

Selecting a user to create a request

You can create requests in OpenIAM for

Yourself.
One of your direct reports.
All other users.

The sections below describe how to create a request for each of the above scenarios.

Creating a request for yourself

To create a request for yourself, follow the steps below.

Login to the SelfService portal.
Select Create Request For Myself from the SelfService portal landing page as shown in the image below.

After selecting this option, you will be taken to the screen shown below.

Select Select from Service Catalog.

Creating a request for direct report

To create a request for one of your direct reports, follow the steps below.

Login to the SelfService portal.
From the menu bar select User Access > View Direct Reports.
This will display a list of your direct reports.

Click on the Create request button for the employee that you wish to create a request for. This will present the catalog selection page.
Select Select from Service Catalog.

Creating a request for any user in the system

To create a request for any user that is in the OpenIAM system, follow the steps described below.

Note that this method can also be used for creating a request for a direct report as well.

Login to the SelfService portal.
From the header search bar, select Create request.

Next, enter the name of the person you would like to create a request for. Enter this value in the field labeled Enter search text. As you type the username, OpenIAM will show matches for this user. Select the user and you will be taken directly to the catalog selection page.
Select Select from Service Catalog.

Creating a request

Each of the above steps has ended at the same point where service catalog has been selected. Follow the steps below to create a request for the selected user.

After selecting the catalog, you will be presented with a list of categories. The categories provide a way for applications and permissions to be organized in a way that is easy for users to find. This is especially important if your company has many applications or services which end users can request. Select a category to find your application. Categories may also have sub-categories as shown below. Drill down till you find your applications.

Select an application or service from the list and then click Next.

You will be presented with a list of entitlements for the selected application. If the selected user has already been entitled to one or more of the entitlements, then they will be greyed out so that you cannot accidentally select them again. If the list of entitlements is long, you can filter the list by searching for the entitlement. If it is the access right to the entitlement that you are requesting, it can be selected from Access rights drop down next to each entitlement.

To select an entitlement, simply click on the Add to cart button. You will see the shopping cart icon in the header being incremented. You can add more than one item.

Click Next. You will be taken the Questionnaire. This form serves two purposes:

Defines the duration for which you are requesting access.
A Start date is when access will start. The To date is when access will expire, and the system will revoke access.
Provides business justification for the request. This is captured in the Reason for request field.

OpenIAM allows custom justification questions to be introduced at the application level. If this has been enabled, then you will see additional questions on this form.

Click Next and you will be taken to the preview screen shown below. The preview provides a summary of the request and provides the requestor with an opportunity to review the request before it is submitted.

If the request contains all the required entitlements, click the Submit button. This will invoke the workflow, and the reviewer will be notified of the pending request.

Monitoring a request

After a request has been submitted, you can monitor its progress through the review process using the steps below.

Login to the SelfService portal.
Select View my requests from the landing page as shown below.

Next, you will see the list of requests which you currently have in progress as shown below. The fields for the page are explained in a table below.

Field name	Description
Request ID	Unique ID for each request in the system.
Requestor name	Person who created the request.
Request created for	Person for whom the request was created for.
Request create date	Date and time the request was created.
Status	On this screen, the status should always be `IN-PROGRESS` as these are requests which have yet to be completed.
Task type	Type of request.
Approver	Current approver that this request is with.
Description	Summary of the request.

Click the Actions button next to the request to view the request details. The example below shows the details of an existing request. You can see the list of approvers, and which one has approved/declined the request and when.

The review screen also has a Cancel button. You can use it to cancel a request.

Integrated create user request helper Groovy script

When request is finally approved, an abstract helper class IntegrateCreateUserRequestHelper is getting invoked to process user access requests. This class integrates various services for managing user objects, updating their attributes, provisioning resources, logging actions, and handling manual system tasks.

The workflow request could be of the following types

The request is approved by multiple approvers.
The request is auto-approved if no approvers are configured to the request.

The primary purpose of this class is to serve as a base for implementing custom logic in the perform method, which is invoked before the final request is saved.

The script path is /bpm/IntegrateCreateUserRequestHelper.groovy.

Example Flow

Request submission
- A user access request is submitted for approval.
Approval
- The request is either fully approved by assigned approvers or auto-approved.
Helper invocation
- IntegrateCreateUserRequestHelper is invoked to process the request.
Final processing
- The user object is saved or provisioned.

Example Groovy script

package org.openiam.workflow.activiti.groovy;
import org.apache.commons.collections.CollectionUtils;
import org.openiam.idm.searchbeans.GroupSearchBean;
import org.openiam.idm.srvc.audit.dto.AuditLogBuilder;
import org.openiam.idm.srvc.grp.dto.Group;
import org.openiam.idm.srvc.user.dto.CreateAccessRequestModel;
import org.openiam.idm.srvc.user.dto.User;
import java.util.List;
import java.util.Map;
public class CustomUserRequestHelper extends IntegrateCreateUserRequestHelper {
@Override
public void perform(User user, CreateAccessRequestModel request, Map<String,
Object> taskVariables, AuditLogBuilder auditLogBuilder) {
log.info("Custom implementation for user access request processing.");
// Example: Add a randomGroup group if not assigned
if (CollectionUtils.isEmpty(user.getGroups())) {
GroupSearchBean groupSearchBean = new GroupSearchBean();
groupSearchBean.addKey("randomGroupId");
List<Group> groups = groupRabbitMQService.findBeans(groupSearchBean,
null , 0, 1);
if (CollectionUtils.isNotEmpty(groups)) {
user.addGroup(groups.get(0));
}
}
// Log custom information
auditLogBuilder.addInfo("User updated with default group.");
}
}

Request management

Position change request