Request / Approval

An important part of the self-service portal, from an IGA perspective, is the shopping-cart based service catalog. Using the catalog, users can search for the entitlements or objects they need and create a request; upon approval, access is granted. This section describes how to configure the catalog.

To implement a service catalog in OpenIAM, we need to do the following:

  • Define a categorization / classification structure within which users will find their applications and entitlements
  • Import applications and their entitlements
  • Define the approval flow
  • Define a justification questionnaire

The sections below will describe how to configure each of these.

Define a categorization structure

If you go to Selfservice -> Create request for myself -> Select from service catalog, you will see the out-of-the-box (OTB) categorization structure shown below. This structure is only a default model and you should customize it to meet your organization's needs. The categorization structure and appropriate naming have a significant impact on how easily end users can navigate the catalog and find what they need.

OTB categories

To view the existing category structure, go to Webconsole -> Access Control -> Resource and filter by "Application Category" as shown below.

OTB categories

You can modify or remove these categories based on your needs.

Creating a new category

To create a new category, go to Webconsole -> Access Control -> Resource and click Create New Resource in the side menu bar. Complete the fields described below.

  • Resource Type: Select Application category from the dropdown. This setting determines which type of resource is being created.
  • Name: Name of your category. This can be any short, descriptive name.
  • Display name: The value that end users will see. It should be a short, descriptive name that is meaningful to end users. This field is localized, so complete the localization for each language you need to support.
  • Status: Flag which determines whether this resource is active (visible) or inactive (hidden from users).
  • Is Visible: Determines whether this resource is visible to end users.

OTB categories

Save your category. You should see it appear in Self-service as well.

Create a child category

In some cases, when working with a large number of applications, you will want to nest your category structure. To create a child category:

  • Create a new category like we described in the previous step.
  • Find the parent category by going to Webconsole -> Access control -> Resource and searching for the name of the category
  • Click on the Actions button to view the Resource details.
  • From the side menu bar, click on Entitlements
  • Right click on Child resource and then click on Add
  • From the dropdowns, first select Application category, followed by the name of your category in the second dropdown.

The parent - child relationship should appear like the example below.

child category

In the self-service portal, the addition of a child category in the service catalog will appear as shown below.

child category

Limiting access

You can limit the access that people have to a particular category by using the access model. The steps below describe how to control which roles or groups can see a particular category in the catalog.

  • Go to Webconsole -> Access control -> [Group or Role that should have access to this category]
  • Find the entitlement by searching in the Name column
  • View the entitlement details using the button in the Actions column
  • Click [Group or Role] Entitlements from the side menu
  • Right click on Resource and select Application category followed by the category name.

The end result should be similar to the image below:

child category

Importing entitlements

An essential part of developing the service catalog is representing your applications and their related entitlements in the catalog. These applications may or may not be linked to a connector: applications integrated through a connector are called Managed Systems, while those not linked to a connector are referred to as Manual Managed Systems. You can create these applications and their entitlements manually in the webconsole, and OpenIAM also provides tools to import applications and their entitlements.

Define approval flow

OpenIAM allows you to define the approval flow either at the application level (Managed System or Manual Managed System) or at the application entitlement (Group, Role, Resource) level. For applications with hundreds or thousands of entitlements, it is usually better to define the approval flow at the application level and override it at the entitlement level only where needed. This approach is more maintainable than defining approvers only at the entitlement level.

To define approvers follow the steps below.

  • Find the application or entitlement that you want to define approval flow for
    • Applications
      • Go to Webconsole -> Access control -> Resource
      • Filter by either Managed System or Manual Managed system in the Type column
      • Find the name of your application by searching in the Name column
      • Click on the button in the Actions column to see the application details
    • Entitlement
      • First enable entitlement-level approval:
        • Go to Webconsole -> Administration -> System configuration
        • Open the Workflow tab
        • Enable the checkbox labeled Use approver association or role/group instead of resource.
      • Determine the type of entitlement you need to find: Role, Resource, or Group
      • Go to Webconsole -> Access control -> [your entitlement type]
      • Filter by the managed system name in the Managed System column
        • If your application has several types of entitlements, you can further filter by the "Metadata type" in the Type column
      • Find the name of your entitlement by searching in the Name column
      • Click on the button in the Actions column to see the entitlement details
  • Define the approval flow
    • Click on the Approval Associations menu from the side bar
    • Click on the + on the screen below. It will open up a row where you can define the approver.

Add approver - step1

  • Complete the fields in the approval flow as described below
    • Approver - Select the type of approver followed by the name of the approver. The table below describes each of the approval options.
    • Notify on Approval - Select who should be notified after this step has been approved.
    • Notify on Reject - Select who should be notified if this step is not approved.
    • Request service level agreement parameters
      • 1* - Number of reminders to send the approver to complete the task in a timely manner.
      • 2* - Number of days that should elapse before each reminder is sent.
      • 3* - Value calculated from 1* and 2*, indicating the maximum amount of time allowed to complete this step.
    • Save this row (this is separate from the save operation for the whole page).

To add additional approval steps, simply save the first approver and click on the + sign as shown above.

Add approver - step2

Approver Types

  • Supervisor: The manager of the person for whom the request was created. If the manager submitted the request, the supervisor approval step is skipped, as it is assumed the manager intended to grant this access when creating the request.
  • User: A specific user selected as the approver.
  • Group: A group of people who act as the approver. Anyone in the group can claim and approve the task.
  • Target user: The user for whom the request was created.
  • Application owner: The owner defined on the managed system or manual managed system.
  • Application admin: The admin defined on the managed system or manual managed system.
  • Entitlement owner: The owner defined on the entitlement (group, role or resource).
  • Entitlement admin: The admin defined on the entitlement (group, role or resource).
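To make the approver types, the supervisor-skip rule and the SLA fields concrete, the following is an added Python model of how a configured flow resolves to actual approvers for one request. It is example code written for this page, not OpenIAM's own code or API: the class and field names, and the assumption that 3* is simply 1* multiplied by 2*, are this example's own. It applies the fallback from entitlement-level to application-level flow, skips the supervisor step when the manager raised the request, and refuses a step that resolves to nobody (for instance an Application owner step when no owner is set on the managed system), since a silently dropped step is the failure mode a practitioner most wants to catch.

```python
"""Illustrative resolution of an approval flow to concrete approvers.
Added example, not OpenIAM code; names and the 3* = 1* x 2* rule are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Approver types from the table above (constant names are this example's own).
SUPERVISOR, USER, GROUP, TARGET_USER = "SUPERVISOR", "USER", "GROUP", "TARGET_USER"
APP_OWNER, APP_ADMIN = "APPLICATION_OWNER", "APPLICATION_ADMIN"
ENT_OWNER, ENT_ADMIN = "ENTITLEMENT_OWNER", "ENTITLEMENT_ADMIN"

@dataclass
class User:
    user_id: str
    supervisor_id: Optional[str] = None

@dataclass
class ApprovalStep:
    approver_type: str
    approver_ref: Optional[str] = None  # user id for USER, group id for GROUP
    reminders: int = 0                  # "1*": reminders sent to the approver
    days_between_reminders: int = 0     # "2*": days between reminders

    def max_days(self) -> int:
        """"3*": assumed to be reminders x days, the time allowed for this step."""
        return self.reminders * self.days_between_reminders

@dataclass
class CatalogItem:
    """A managed system (application) or one of its entitlements."""
    name: str
    owner_id: Optional[str] = None
    admin_id: Optional[str] = None
    approval_steps: list = field(default_factory=list)
    application: Optional["CatalogItem"] = None  # parent managed system; None for an application

@dataclass
class AccessRequest:
    requester_id: str
    target_user_id: str
    item: CatalogItem

def effective_steps(item: CatalogItem, entitlement_level_enabled: bool) -> list:
    """Entitlement-level steps override the application's flow only when the
    'Use approver association or role/group instead of resource' setting is on;
    otherwise, or if the entitlement defines no steps, the application's flow applies."""
    if item.application is None:
        return item.approval_steps
    if entitlement_level_enabled and item.approval_steps:
        return item.approval_steps
    return item.application.approval_steps

def resolve_approvers(req: AccessRequest, users: dict, groups: dict,
                      entitlement_level_enabled: bool = True) -> list:
    """Return [(step, frozenset(approver_ids))] for every step that must run.
    A step resolving to nobody raises instead of being dropped: dropping it would
    leave the request stuck or approved with a required step missing."""
    target = users[req.target_user_id]
    app = req.item.application or req.item
    resolved = []
    for step in effective_steps(req.item, entitlement_level_enabled):
        kind = step.approver_type
        if kind == SUPERVISOR:
            if target.supervisor_id is None:
                raise ValueError(f"{target.user_id} has no supervisor")
            if target.supervisor_id == req.requester_id:
                continue  # manager raised the request: supervisor approval is skipped
            approvers = {target.supervisor_id}
        elif kind == USER:
            approvers = {step.approver_ref}
        elif kind == GROUP:
            approvers = set(groups[step.approver_ref])  # any member can claim and approve
        elif kind == TARGET_USER:
            approvers = {target.user_id}
        elif kind == APP_OWNER:
            approvers = {app.owner_id}
        elif kind == APP_ADMIN:
            approvers = {app.admin_id}
        elif kind == ENT_OWNER:
            approvers = {req.item.owner_id}
        elif kind == ENT_ADMIN:
            approvers = {req.item.admin_id}
        else:
            raise ValueError(f"unknown approver type {kind}")
        approvers.discard(None)
        if not approvers:
            raise ValueError(f"step {kind} on '{req.item.name}' resolves to nobody")
        resolved.append((step, frozenset(approvers)))
    return resolved

# Constructed sample directory and catalog (not real data).
USERS = {u.user_id: u for u in [
    User("alice", supervisor_id="mgr"), User("mgr", supervisor_id="ceo"),
    User("ceo"), User("bob"), User("carol"),
]}
GROUPS = {"sap-approvers": {"bob", "carol"}}
SAP = CatalogItem("SAP", owner_id="bob", admin_id="carol", approval_steps=[
    ApprovalStep(SUPERVISOR, reminders=3, days_between_reminders=2),
    ApprovalStep(APP_OWNER),
])
SAP_GL = CatalogItem("SAP GL Posting", application=SAP,
                     approval_steps=[ApprovalStep(GROUP, "sap-approvers")])
SAP_VIEW = CatalogItem("SAP Read-only", application=SAP)  # no override: inherits SAP's flow

if __name__ == "__main__":
    for who, req in [("self", AccessRequest("alice", "alice", SAP_VIEW)),
                     ("manager", AccessRequest("mgr", "alice", SAP_VIEW))]:
        steps = resolve_approvers(req, USERS, GROUPS)
        print(who, [(s.approver_type, sorted(a), s.max_days()) for s, a in steps])
```

Run stand-alone, the "self" request for SAP Read-only resolves to two steps (alice's supervisor, then the SAP owner), while the same request raised by the manager resolves to the owner step only. Requesting for the CEO, who has no supervisor, raises rather than quietly skipping the step.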

Justification questions

As part of the request approval process, it is common to ask the requestor to justify their request. The default approval flow provides a justification field; in addition, OpenIAM allows questions specific to an application. To create an application-specific questionnaire, follow the steps below:

  • Go to Webconsole -> Access control -> Resource
  • Filter by either Managed System or Manual Managed system in the Type column
  • Find the name of your application by searching in the Name column
  • Click on the button in the Actions column to see the application details
    • From the side menu click on Questionnaire
    • For each question to be added to the form, do the following:
      • Click on the Add Question button
      • Enter the text of the question in the Question column.
      • Select how the question should be rendered:
        • Text if a free-form answer is allowed
        • Select if you want to present a dropdown where users can select a single value
        • MultiSelect if you want to present a dropdown where users can select one or more values
      • In the Mandatory column, select True if this is a required field or False if it is not.
      • Provide a Groovy script URL only if this question needs special processing. In most cases, this field should be left blank.
      • Save the question.

Add approver - questionnaire
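The questionnaire above is rendered by the self-service portal, but the rendering is not a control: a client can post a value the dropdown never offered, several values for a single Select, or omit a Mandatory question. The following is an added Python example of re-checking the answers server-side against the question definitions. It is example code written for this page, not OpenIAM's own code or API; the Question model, the answer format (a string for Text and Select, a list of strings for MultiSelect) and the sample "SAP" questionnaire are constructed assumptions, while the three render types and the Mandatory flag follow the steps in this section.

```python
"""Validate justification answers against an application questionnaire.
Added example, not OpenIAM code; the model, answer format and rules are assumptions."""
from dataclasses import dataclass

TEXT, SELECT, MULTISELECT = "Text", "Select", "MultiSelect"

@dataclass(frozen=True)
class Question:
    text: str
    kind: str               # Text, Select or MultiSelect
    mandatory: bool = False
    options: tuple = ()     # allowed values for Select / MultiSelect

def validate_answers(questions: list, answers: dict) -> list:
    """Return a list of error strings; an empty list means the justification
    is acceptable.  `answers` maps question text to a str (Text, Select) or to
    a list of str (MultiSelect).  Every rule the form enforces client-side is
    re-checked here, and answers to questions that do not exist are rejected."""
    errors = []
    known = {q.text for q in questions}
    for q in questions:
        value = answers.get(q.text)
        if isinstance(value, str) and not value.strip():
            value = None  # whitespace-only text counts as unanswered
        if value is None or value == [] or value == ():
            if q.mandatory:
                errors.append(f"'{q.text}' is mandatory")
            continue
        if q.kind == TEXT:
            if not isinstance(value, str):
                errors.append(f"'{q.text}' expects free text")
        elif q.kind == SELECT:
            if not isinstance(value, str) or value not in q.options:
                errors.append(f"'{q.text}' must be exactly one of {list(q.options)}")
        elif q.kind == MULTISELECT:
            if isinstance(value, str) or any(v not in q.options for v in value):
                errors.append(f"'{q.text}' must be one or more of {list(q.options)}")
        else:
            errors.append(f"'{q.text}' has unknown render type {q.kind!r}")
    for extra in sorted(set(answers) - known):
        errors.append(f"unexpected answer for unknown question '{extra}'")
    return errors

# Constructed questionnaire for a hypothetical "SAP" application (not real data).
SAP_QUESTIONS = [
    Question("Business reason for this access", TEXT, mandatory=True),
    Question("Access duration", SELECT, mandatory=True,
             options=("30 days", "90 days", "Permanent")),
    Question("Company codes needed", MULTISELECT, options=("1000", "2000", "3000")),
]

if __name__ == "__main__":
    good = {"Business reason for this access": "Month-end close for EMEA",
            "Access duration": "90 days",
            "Company codes needed": ["1000", "3000"]}
    bad = {"Business reason for this access": "   ",            # blank mandatory text
           "Access duration": ["30 days", "90 days"],            # two values for a single Select
           "Company codes needed": ["1000", "9999"],             # value the dropdown never offered
           "Is admin": "true"}                                   # question that does not exist
    print(validate_answers(SAP_QUESTIONS, good))  # []
    for err in validate_answers(SAP_QUESTIONS, bad):
        print("-", err)
```

The optional MultiSelect question may be omitted entirely, but once answered every value must come from the configured option list; the tampered submission in the example produces one error per violated rule rather than stopping at the first, which is what a reviewer wants to see in the request's audit trail.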