Configure Eligibility for Resources
Overview
Eligibility rules allow you to control who can see and request resources in the IAM Shop. This document explains how to configure eligibility for different types of resources.
Configure Eligibility for Business Role and Location Combinations
1. Select the Advanced tab from the Business Role and Location Combination's View or View One page, then click the Eligibility subtab.
   You should see four eligibility rules:
   - Resources Members Eligible to Request (As Actor) – Specifies the resources that members of the Business Role and Location can request from the IAM Shop and the eligibility type for each resource.
   - Resources Members May Not Request (As Actor) – Indicates resources members of the Business Role and Location cannot request. These resources will be hidden from members even if they are eligible through another assignment.
   - Who is Eligible to Request (As Resource) – Defines who can request membership access to the Business Role and Location combination and the eligibility type for potential members.
   - Who is Excluded from Requesting (As Resource) – Specifies who is not eligible to shop for membership access to the Business Role and Location.
2. Expand the accordion corresponding to the type of eligibility rule you want to assign to the Business Role and Location and follow the steps outlined for that eligibility rule.
- Resources Members Eligible to Request (As Actor)
- Resources Members May Not Request (As Actor)
- Who is Eligible to Request (As Resource)
- Who is Excluded from Requesting (As Resource)
Resources Members Eligible to Request (As Actor)
1. Click the Add button in the grid header.
2. Fill in the fields of the Assignment Information pane:
   - Assignment Type – Select Direct or Location.
   - Eligibility Type – Select Eligible, PreApproved, or Suggested.
   - Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific Management Role, you select Management Role as the resource type.
   - Enter a <Resource Type> Name to Search – Search for and select the specific resource members are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Management Role as the resource type, you can only search for Management Roles.
3. After entering your information, click Save.
4. Repeat steps 2 and 3 to add other eligibility assignments as needed.
5. When ready, close the Assignment Information pane and click Submit.
Resources Members May Not Request (As Actor)
1. Click the Add button in the grid header.
2. Fill in the fields of the Assignment Information pane:
   - Mode – Select Direct or Location.
   - Eligibility Type – Select Eligible, PreApproved, or Suggested.
   - Resource Type – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant eligibility for a specific group, you select Group as the resource type.
   - Enter a <Resource Type> Name to Search – Search for and select the specific resource users are eligible to request. The resource must match the resource type or it will not appear when searching. For example, if you select Group as the resource type, you can only search for groups.
3. After entering your information, click Save.
4. Repeat steps 2 and 3 to add other eligibility assignments as needed.
5. When ready, close the Assignment Information pane and click Submit.
Who is Eligible to Request (As Resource)
1. Click the Add button in the grid header.
2. Fill in the fields of the Assignment Information pane:
   - Mode – Select Direct or Location.
   - Eligibility Type – Select Eligible, PreApproved, or Suggested.
   - Which Type of Assignee for this Policy – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant all members of a specific group eligibility, you select Group as the resource type.
   - Select <Resource Type> Name to Search – Search for and select the specific assignee eligible for access. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.
3. After entering your information, click Save.
4. Repeat steps 2 and 3 to add other eligibility assignments as needed.
5. When ready, close the Assignment Information pane and click Submit.
Who is Excluded from Requesting (As Resource)
1. Click the Add button in the grid header.
2. Fill in the fields of the Assignment Information pane:
   - Eligibility Type – Select Eligible, PreApproved, or Suggested.
   - Which Type of Assignee for this Policy – Search for and select the type of resource corresponding to the resource for which you are granting eligibility. For example, if you want to grant all members of a specific group eligibility, you select Group as the resource type.
   - Select <Resource Type> Name to Search – Search for and select the specific assignee eligible for access to the group. The assignee must match the assignee type or it will not appear when searching. For example, if you select Group as the assignee type, you can only search for groups.
3. After entering your information, click Save.
4. Repeat steps 2 and 3 to add other eligibility assignments as needed.
5. When ready, close the Assignment Information pane and click Submit.
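The exclusion rules above hide a resource even when another assignment makes the same person eligible. The following added example (not EmpowerID code; the data model, names and sample data are assumptions constructed for illustration) models that precedence and lists the grants an exclusion shadows, a useful check when reviewing configured rules. It assumes actor-side and resource-side rules reduce to the same (actor, resource) pairs and reports every eligibility type that applies rather than choosing one.

```python
from dataclasses import dataclass

# Constructed sample data; hypothetical identifiers, not EmpowerID's schema.
MEMBERSHIPS = {
    "alice": {"grp:Finance", "brl:Accountant@Boston"},
    "bob": {"grp:Finance", "grp:Contractors"},
    "carol": {"grp:Contractors"},
}

@dataclass(frozen=True)
class Rule:
    actor: str      # group, role or Business Role and Location the rule targets
    resource: str   # resource offered (or withheld) in the shop
    kind: str       # "Eligible", "PreApproved", "Suggested" or "Excluded"

RULES = [
    Rule("grp:Finance", "role:GL-Approver", "Eligible"),
    Rule("brl:Accountant@Boston", "role:GL-Approver", "PreApproved"),
    Rule("grp:Contractors", "role:GL-Approver", "Excluded"),
    Rule("grp:Contractors", "share:Payroll", "Suggested"),
]

def _applicable(person, memberships, rules):
    """Rules that reach the person through any of their memberships."""
    mine = memberships.get(person, set())
    return [r for r in rules if r.actor in mine]

def shop_view(person, memberships=MEMBERSHIPS, rules=RULES):
    """Return {resource: [eligibility types]} visible to the person."""
    rules_for = _applicable(person, memberships, rules)
    excluded = {r.resource for r in rules_for if r.kind == "Excluded"}
    view = {}
    for r in rules_for:
        # An exclusion wins over eligibility gained through another assignment.
        if r.kind != "Excluded" and r.resource not in excluded:
            view.setdefault(r.resource, set()).add(r.kind)
    return {res: sorted(kinds) for res, kinds in view.items()}

def shadowed_grants(memberships=MEMBERSHIPS, rules=RULES):
    """List (person, rule) pairs whose grant is hidden by an exclusion."""
    hits = []
    for person in sorted(memberships):
        rules_for = _applicable(person, memberships, rules)
        excluded = {r.resource for r in rules_for if r.kind == "Excluded"}
        hits += [(person, r) for r in rules_for
                 if r.kind != "Excluded" and r.resource in excluded]
    return hits

if __name__ == "__main__":
    for name in MEMBERSHIPS:
        print(name, shop_view(name))
    for person, rule in shadowed_grants():
        print("shadowed:", person, rule)
```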
Configure Eligibility for Groups
1. Select the Advanced tab from the group's View page and click the Eligibility subtab.
   You should see four eligibility rules:
   - Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the group are eligible to request from the IAM Shop.
   - Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the group are excluded from requesting. Resources added here will not be visible to any members of the group, even if they are eligible to request those resources by virtue of another assignment.
   - Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the group and the eligibility type for each of those actors.
   - Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the group.
2. Expand the accordion corresponding to the type of eligibility rule you want to assign to the group and follow the steps outlined for that eligibility rule.
Configure Eligibility for Management Roles
1. Select the Advanced tab from the Management Role's View or View One page, then click the Eligibility subtab.
   You should see four eligibility rules:
   - Resources Members Eligible to Request (As Actor) – Allows you to specify the resources that members of the group are eligible to request from the IAM Shop.
   - Resources Members May Not Request (As Actor) – Allows you to specify the resources that members of the group are excluded from requesting. Resources added here will not be visible to any members of the group, even if they are eligible to request those resources by virtue of another assignment.
   - Who is Eligible to Request (As Resource) – Allows you to specify the actors eligible to shop for access to the group and the eligibility type for each of those actors.
   - Who is Excluded from Requesting (As Resource) – Allows you to specify the actors not eligible to shop for access to the group.
2. Expand the accordion corresponding to the type of eligibility rule you want to assign to the Management Role and follow the steps outlined for that eligibility rule.
Configure Eligibility for Shared Folders
1. Select the General tab from the shared folder's View or View One page.
   You should see three accordions related to eligibility:
   - IAM Shop Assignees for Requesting Access – Allows you to assign permission levels for shared folders to specific assignees, such as a group or role. When users request access to the shared folder in the IAM Shop, upon approval, they are added as members to the group or role, which grants them the permission level you assign.
   - Who is Eligible to Request (As Resource) – Allows you to specify who is eligible to request access to the shared folder and the eligibility type linked to them.
   - Who is Excluded from Requesting (As Resource) – Allows you to specify who is not eligible to shop for the shared folder.
2. Expand the IAM Shop Assignees for Requesting Access and click the Add button.
   This opens the IAM Shop Permission Level pane.
3. Enter the appropriate information for the assignee:
   - IAM Shop Permission Level – Select the IAM Shop Permission Level that represents the native permission being granted.
   - Enforce Assignee Eligibility in the IAM Shop – Select this option if you want EmpowerID to enforce the eligibility of users to access the assignee being granted the permission level.
   - Which Type Of Assignee For This Policy? – Select the assignee type, such as group.
4. Click Save and then click Submit.
5. Repeat the above steps for any other permission levels you wish to make available for the shared folder. Keep in mind that only one permission level can be assigned per shared folder and group.
6. Expand the Who is Eligible to Request (As Resource) accordion and do the following to give users the ability to shop for access to the shared folder:
   1. Click the Add button in the grid header.
   2. Fill in the fields of the Assignment Information pane:
      - Eligibility Type – Select Eligible, PreApproved, or Suggested.
      - Which Type of Assignee for this Policy – Search for and select the EmpowerID actor type for which you are granting eligibility.
      - Select <Assignee> Name to Search – Search for and select the specific assignee eligible for access.
   3. After entering your information, click Save.
   4. Repeat the above steps for any other eligibility assignments desired.
   5. Click Submit when ready to commit the eligibility assignments to the Identity Warehouse.