Workflow based access request

Defining catalogue structures

Catalogues (categories or menus) are used by the OpenIAM UI to gain access to specific functions. As with all resources, these can be used to control the functionality provided to a person or a set of people.

A catalogue is a tree-like structure, and there are several categories the user can have access to. The most used one is IDM (also known as Webconsole); the other of interest to a user is the SelfService menu. To be able to see and use a branch, a user needs to be entitled to do so.

A user can have access to a menu if it was made public (meaning available to all users regardless of their entitlements) or if their entitlements allow seeing the particular category.

The comprehensive guide on catalogue structure and categories can be found here.

Adding applications to a category

The user might also need access to a particular application, depending on business processes and workflow. The process of adding an SSO application is described in detail in the Access to applications section.

Defining approval workflow

OpenIAM allows the user to define the approval flow by different means. One can do that at either the application level (Managed System or Manual Managed System) or at the application entitlement (Group, Role, Resource) level.

Since an application might have hundreds or thousands of entitlements, a good idea might be to define the approval flow at the application level and then override that flow at the entitlement level if needed. This approach is often more maintainable than defining approvers at the entitlement level only.

The detailed instructions on how to describe an approval workflow can be found here. The section covers:

  • Application level approval
  • Entitlement level approval.

Requests

A defined workflow-based review process allows OpenIAM to provide the ability to create requests. These requests are made in order to get access to a particular function, e.g. creating a user, creating a group, etc. Upon approval by the designated reviewers, access can be granted. There are several types of requests, and they are defined in the Request Management section.