Request / Approval
An important part of the Self-service portal,from an IGA perspective, is the shopping-cart based service catalog. Using the catalog, users can search find entitlements or objects that they need and then create a request. Upon approval, access will be granted. This section describes how to configure the catalog.
To implement a service catalog in OpenIAM, we need to do the following:
- Define a categorization / classification structure within which users will be find their applications and entitlements
- Import applications and their entitlements
- Define the approval flow
- Define justification questionnaire
The sections below will describe how to configure each of these.
Define a categorization structure
If you goto Selfservice -> Create request for myself -> Select from service catalog you will see the OTB categorization structure shown below. This structure is simply a default model and you should customize this model to meet your organizations needs. This categorization structure and appropriate naming can have a significant impact on how easily end-users are able to navigate the catalog and find what they need.
To view the existing category structure, goto Webconsole -> Access Control -> Resource and filter by "Application Category" as show belown.
You can modify or remove these categories based on your needs.
Creating a new category
To create a new category goto Webconsole -> Access Control -> Resource and click on Create New Resource
from the side menu bar. Complete the fields which are shown in the table below.
Field Name | Description |
---|---|
Resource Type | Select Application category from the dropdown. This setting determines which type of resource we are creating. |
Name | Name of your category. This value can be any short descriptive name. |
Display name | This is value that end-users will see. It should a short descriptive name which should be meaningful for end users. This field has been localized and your should complete the localization for the languages that you need to support. |
Status | Flag which determines if this resource is active (visible) or inactive (hidden from users) |
Is Visible | Determines if this resource is visible or not from end-users. |
Save your category. You should see it appear in Self-service as well.
Create a child category
In some cases, when working with a large number of applications, you will want to nest your category structure. To create a child category:
- Create a new category like we described in the previous step.
- Find the parent category by going to Webconsole -> Access control -> Resource and then search for the name of category
- Click on the
Actions
button to view the Resource details. - From the side menu bar, click on
Entitlements
- Right click on
Child resource
and then click onAdd
- From the dropdowns, first select
Application category
, followed by the name of your category in the second dropdown.
The parent - child relationship should appear like the example below.
In the self-service portal, the addition of a child category in the service catalog will appear as shown below.
Limiting access
You can limit access that people have a particular category by using the access model. The steps below describe how you can control which roles can see a particular category in the catalog.
- Go to Webconsole -> Access control -> [Group or Role that should have access to this category]
- Find the entitlement by searching in the
Name
column - View the entitlement details using the button in the
Actions
column - Click [Group or Role] Entitlements from the side menu
- Right click on Resource and select
Application category
followed by the category name.
The end result should be similar to the image below:
Importing entitlements
An essential part of developing the service catalog is to be able to represent your applications and related entitlements in the catalog. The applications / entitlements that we represent can be either associated with connectors or not. While applications which are integrated through a connector are called managed systems. Those that are not linked to a connector are referred to as Manual Managed Systems
. While you can create these applications and their entitlements manually using the webconsole, OpenIAM provides tools to be able to import applications and their entitlements:
Define approval flow
OpenIAM allows you to define the approval flow at either the application level (Managed System or Manual Managed System) or at the application entitlement (Group, Role, Resource) level. When working with application which have hundreds or thousands of entitlements, it may be better to define at the approval flow at at the application level and then override that flow at the entitlement level if needed. This approach is often more maintainable than defining a approvers only at the entitlement level.
To define approvers follow the steps below.
- Find the application or entitlement that you want to define approval flow for
- Applications
- Go to Webconsole -> Access control -> Resource
- Filter by either
Managed System
orManual Managed system
in the Type column - Find the name of your application by searching in the Name column
- Click on the button in the Actions column to see the application details
- Entitlement
- First enable entitlement level approval by going to:
- Webconsole -> Adminstration -> System configuration
- Go to the
Workflow
tab - Enable the checkbox labeled
Use approver association or role/group instead of resource
.
- Determine the type entitlement that you need to find - Role, Resource, or Group
- Go to Webconsole -> Access control -> [your entitlement type]
- Filter by the managed system name in the Managed System column
- If you application has several types of entitlements, you can further filter by the "Metadata type" in the Type in column
- Find the name of your entitlement by searching in the Name column
- Click on the button in the Actions column to see the entitlement details
- First enable entitlement level approval by going to:
- Applications
- Define the approval flow
- Click on the
Approval Associations
menu from the side bar - Click on the
+
on the screen below. It will open up a row where you can define the approver.
- Click on the
- Complete the fields in the approval flow as described below
- Approver - Select the type of approver followed by the name of the approver. The table below describes each of the approval options.
- Notify on Approval - Select who should be notified after this step has been approved.
- Notify on Reject - Select who should be notified if this step is not approved.
- Request service level agreement parameters
- 1* - Number of reminders which should be sent to the approver to complete their task in a timely manner.
- 2* - Number of days which should elapse before sending out a reminder
- 3* - Calculated value from 1 and 2 which indicates the maximum amount of time allowed to complete this step.
- Save this row (must be done independently of the save operation on the page)
To add additional approval steps, simply save the first approver and click on the +
sign as shown above.
Approver Types
Type of Approver | Description |
---|---|
Supervisor | The manager of the person for whom this request has been created. Note, if the manager has submitted the request, then approval for the manager will be skipped as its assumed that the manager wanted to grant this access when creating the request. |
User | Select the user that should be the approver. |
Group | Group of people who should be the approver. Anyone in the group can claim and approve. |
Target user | Target user is the user for whom this request was created. |
Application owner | Owner that is defined on the managed system or manual managed system. |
Application admin | Admin that is defined on the managed system or manual managed system. |
Entitlement owner | Owner that is defined on the entitlement (Group, role, resource) |
Entitlement admin | Admin that is defined on the entitlement (Group, role, resource) |
Justification questions
As part of the request approval process, its common to ask to the requestor to justify their request. The default approval flow provides a justification field. However, OpenIAM allows for the addition of questions specific to an application. To create an application specific questionnaire, follow the steps below:
- Go to Webconsole -> Access control -> Resource
- Filter by either
Managed System
orManual Managed system
in the Type column - Find the name of your application by searching in the Name column
- Click on the button in the Actions column to see the application details
- From the side menu click on
Questionnaire
- For each question that is to be added to form, do the following:
- Click on the
Add Question
button - Enter text of the question in the
Question
column. - Select how the question should be rendered?
- Select a
Text
if a free form answer is allowed Select
if you want to present a dropdown where users can select a single value.MultiSelect
if you want to present a dropdown where users can select one or more values.
- Select a
- In the
Mandatory
column select True if this is a required field or False if its not required. - Provide a groovy script URL if you have special processing associated with this question. _In most cases, this field should be blank
- Save the question.
- Click on the
- From the side menu click on