Access to SSO applications

Adding application to launchpad at SelfService is closely connected to authentication provider the user has.

To add application to a Launchpad or My Application tab one needs to add user to a Ggroup and assign a Role as described in Create Role section. In case the user gained access to application, the icon will be displayed at a launchpad and in My Applications tab.

Users can become entitled to a particular Role and Group, meaning have access to SSO applications at Launchpad and My Application tab, several ways:

  • Via Webconsole. See how to add users to Roles and Groups in Create Role document.
  • Via Synchronization with a correspondednt HR system or another source. See how to import Roles using Synchronization Service in Importing Roles document.
  • Via Business Rule. Here, the entitlement is given based on Birth Right as a default access. See BirthRights for details about Business Rules.
  • Via creating a request in SelfService catalogue. To know more about requests, see Requests Tutorial.

There are also several ways to check whether the user has an access to the respective application.

First, go to respective authentication provider and click edit as shown below. The types of authentication providers that can be displayed to launchpad are identified as OAUTH-CLIENT and SAML_PROVIDER.

Auth_provider

Authentication provider doesn't have entitlements, however, resource of this provider does. Hence, in the application provider editing window, click Linked to Resources field to open Resource editting window.

Auth_provider_resource

At the resource edit template go to Entitlements from the side menu. You cannot entitle users and resources directly since it is a bad practice when using RBAC model for Access Control. Hence, the resourses are tied to Roles and Groups meaning that the particular member of particular group and having a particular role can be entitled to this resource and can have access to SSO app.

Another option to see whether the user is entitled to a particular resource is going to user entitlements and choosing the Resources tab as shown below.

User entitlements

In the respective table shown above one can see all the entitlement to object the user has.

Users can also check their entitlements themselfves from SelfService by going to My Access tab and checking the list of Groups and Roles they are entitled to.