Birthright access
Birthright access refers to the entitlements that are granted automatically if specified conditions are true. For example, we could set rules in the business rules engine of OpenIAM so that during the joiner process a user that has a job title of HR Information Specialist would automatically be assigned roles specific to that job function. Similarly, the rule would be configured to remove those roles if there is a change in job title during the mover process. The steps below outline how to configure the business rules engine to enable birthright access.
- Sign into the webconsole.
- Select Access Control > Business Rules.
Adding targets
Targets are actions that are performed on a user. These are invoked when conditions are met as defined by the business rules (described in the section below).
- Select Add Target.
- Enter the Name and Description of the target. Select Active to ensure the target will be applied by the business rules. Select Save.
- Select and hold (or right-click) target name from the target listing. Select Add action.
- Select Type and choose one of the following action types:
- Activate User
- Add User to Group. Choose managed system and group.
- Add User to Organization. Choose organization type and organization.
- Add User to Role. Choose managed system and role.
- Call Groovy script. Select groovy script which will be called when target is invoked.
- Deactivate User
- Disable User
- Enable User
- Grant Resource to User. Choose resource type and resource.
- Lock User
- Remove all entitlements (Roles, Groups, Organizations, Resources) now
- Remove User from Group. Choose managed system and group.
- Remove User from Organization. Choose organization type and organization.
- Remove User from Role. Choose managed system and role.
- Resume access, erase memberships end dates
- Resume access, prolong end date for given number of days from current moment. The number of days entered specifies how many days will elapse from the time the target is invoked until access is removed.
- Revoke Access from Resource. Choose resource type and resource.
- Terminate access to all entitlements by setting end date for now
Select Save. You may add multiple actions per target.
Adding Business rules
Business rules enable targets (documented above) to be invoked on users when specified conditions are met.
- Select Add Business rules.
- Enter Name and Description of the new business rule. Choose Operation:
- All. Business rule will be applied during new user creation and user update.
- Add. Business rule will be applied during new user creation only.
- Update. Business rule will be applied during user update only.
- Choose Status:
- Active
- Inactive
- Under Apply selected rule when conditions match, choose a target. This is the target that is invoked when the conditions set in the business rule are met.
- Under Apply selected rule when conditions DO NOT match, choose a target. This is the target that is invoked when the conditions set in the business rule are not met.
- Select and hold (or right-click) Or to begin setting the condition:
- Add Or. Add a condition which groups two or more expressions. If one of the expressions evaluates to true, the condition evaluates to true.
- Add And. Add a condition which groups two or more expressions. If all of the expressions evaluate to true, the condition evaluates to true.
- Add Expression. Add an expression to be evaluated. Negation will reverse the expression result if set to true.
- Add Groovy. Add a groovy script to be called. The logic contained in the script will be evaluated against the user.
- Edit.
- Select Save.
Known issue: Some customers have encountered a problem when running this task. The solution is under way.
It is possible to assign new access through the Business Rule (BR) associated with a user's new job title, and automatically remove the access previously granted by the former BR, without triggering a workflow or implementing custom logic in the preprocessing script. When you create a rule, you define a matching target and a non-matching target. In the matching target, define the access to grant; in the non-matching target, define the access to be taken away. No scripts or workflows are needed for this.
Out of sync users
Out of sync users are users who will be impacted by updated business rules but have not been provisioned yet.
- Select Preview impacted users to check all users against the updated business rules. A list of out of sync users will be displayed.
- Select Provision impacted users to begin provisioning out of sync users.
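The rule semantics described in the business rules section above (Or and And groups, an Expression with negation, a Groovy-style condition, an active target for the matching and the non-matching outcome, the All/Add/Update operation) together with the preview of out of sync users in this section, modelled as an added Python example. This is not OpenIAM code; the class names, the `HR_SPECIALIST` role identifier and the `jobTitle`/`status` attribute names are assumptions made for the illustration.

```python
# Added model of the birthright-access rule semantics; not OpenIAM's own code.
# Class names, the HR_SPECIALIST role and the jobTitle/status attributes are assumptions.
import copy
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional, Set, Tuple, Union


@dataclass
class Expression:
    """Compare one user attribute to a value; negation reverses the result."""
    attribute: str
    value: str
    negation: bool = False

    def evaluate(self, user: "User") -> bool:
        matched = user.attributes.get(self.attribute) == self.value
        return (not matched) if self.negation else matched


@dataclass
class And:
    """True only when every grouped condition is true."""
    children: List["Condition"]

    def evaluate(self, user: "User") -> bool:
        return all(c.evaluate(user) for c in self.children)


@dataclass
class Or:
    """True when at least one grouped condition is true."""
    children: List["Condition"]

    def evaluate(self, user: "User") -> bool:
        return any(c.evaluate(user) for c in self.children)


@dataclass
class Groovy:
    """Stand-in for a Groovy script condition: a callable evaluated against the user."""
    script: Callable[[Any], bool]

    def evaluate(self, user: "User") -> bool:
        return bool(self.script(user))


Condition = Union[Expression, And, Or, Groovy]


@dataclass
class User:
    login: str
    attributes: dict
    roles: Set[str] = field(default_factory=set)


@dataclass
class Target:
    """Named bundle of actions; only the role actions are modelled here."""
    name: str
    actions: List[Tuple[str, str]]  # ("add_role" | "remove_role", role)
    active: bool = True

    def apply(self, user: User) -> None:
        if not self.active:  # inactive targets are never applied
            return
        for action, role in self.actions:
            if action == "add_role":
                user.roles.add(role)
            elif action == "remove_role":
                user.roles.discard(role)


@dataclass
class BusinessRule:
    name: str
    operation: str  # "all", "add" (user creation only) or "update" (user update only)
    condition: Condition
    match_target: Optional[Target]
    no_match_target: Optional[Target]
    active: bool = True

    def evaluate(self, user: User, event: str) -> Optional[str]:
        """Apply the matching or non-matching target; return the name of the target that fired."""
        if not self.active or self.operation not in ("all", event):
            return None
        target = self.match_target if self.condition.evaluate(user) else self.no_match_target
        if target is None:
            return None
        target.apply(user)
        return target.name


def hr_birthright_rule() -> BusinessRule:
    """Joiner/mover rule: HR Information Specialists get HR_SPECIALIST, everyone else loses it."""
    grant = Target("HR birthright grant", [("add_role", "HR_SPECIALIST")])
    revoke = Target("HR birthright revoke", [("remove_role", "HR_SPECIALIST")])
    condition = And([
        Expression("jobTitle", "HR Information Specialist"),
        Expression("status", "TERMINATED", negation=True),  # never grant to a terminated user
    ])
    return BusinessRule("HR Information Specialist birthright", "all", condition, grant, revoke)


def joiner_mover_demo() -> Tuple[Set[str], Set[str]]:
    """Roles after the joiner event, then after a job title change (mover event)."""
    rule = hr_birthright_rule()
    alice = User("alice", {"jobTitle": "HR Information Specialist", "status": "ACTIVE"})
    rule.evaluate(alice, "add")
    after_join = set(alice.roles)
    alice.attributes["jobTitle"] = "Payroll Analyst"
    rule.evaluate(alice, "update")
    return after_join, set(alice.roles)


def preview_impacted_users(rules: List[BusinessRule], users: List[User]) -> List[str]:
    """Dry run of 'Preview impacted users': logins whose roles would change, without provisioning."""
    impacted = []
    for user in users:
        clone = copy.deepcopy(user)  # evaluate against a copy so nothing is provisioned
        for rule in rules:
            rule.evaluate(clone, "update")
        if clone.roles != user.roles:
            impacted.append(user.login)
    return impacted


if __name__ == "__main__":
    print(joiner_mover_demo())  # alice gains HR_SPECIALIST, then loses it after the title change
    # Constructed sample population: alice is missing the role, bob holds a stale copy of it
    sample = [
        User("alice", {"jobTitle": "HR Information Specialist", "status": "ACTIVE"}),
        User("bob", {"jobTitle": "Payroll Analyst", "status": "ACTIVE"}, {"HR_SPECIALIST"}),
        User("carol", {"jobTitle": "Payroll Analyst", "status": "ACTIVE"}),
    ]
    print(preview_impacted_users([hr_birthright_rule()], sample))  # alice and bob are out of sync
```

Because the non-matching target fires for every evaluated user whose conditions fail, put only the birthright entitlement itself in the removal target; otherwise the rule strips access that users obtained through other means. Running the preview over the population before provisioning makes exactly that set of users visible.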