Configuring the IamShop Mode for the IAM Shop

Administrators can leverage IAM Shop modes and visibility filters to configure various aspects of the IAM Shop. These configurations include restricting the scope of access to resources appearing to users in the IAM Shop via the "IamShop" mode and limiting the number of users available for selection in the "Shop For" control. This article demonstrates how to configure and apply the IamShop mode to restrict the scope of access to resources available to assignees of the mode.

Eligibility policies apply when configuring IamShop mode for resources. For more information on Eligibility policies and the IAM Shop, see Configure Eligibility for Resources.

Procedure

To configure the IamShop mode, follow these steps:

  1. Navigate to Visibility Restriction Policies
    On the navbar, expand Role Management and select Visibility Restriction Policies.

  2. Create a Visibility Restriction Policy
    On the Find Visibility Filters page, click the Create Policy tab. This opens the "Create a Visibility Restriction Policy" form.
    [Image: Create Policy Tab]

  3. Complete the Policy Form

    • Assign Policy To: Select the type of assignee to whom the policy will be applied. Assignee types include:

      • Person
      • Group
      • Business Role and Location
      • Management Role
      • Management Role Definition
      • Query-Based Collection (SetGroup)
    • Enter a <Assignee Type> Name to Search: Enter the name of the specific assignee instance you want to target. For example, if you selected Management Role as the assignee type, search for and select the relevant Management Role. Note that <Assignee Type> is replaced by the selected assignee type in the form.

    • Object Type To Restrict: Select the object type you want to restrict, such as "ProtectedApplicationResource," "Group," or "Management Role."

    • Assignment Type: Define the scope of the visibility restriction:

      • Direct: Limits the visibility of resources to a single resource belonging to the selected object type, e.g., a single group if Group is selected as the object type.
      • Scoped At Location: Limits the visibility of resources to those in and below the selected location.
      • Target Group: Limits the visibility of resources to members of the selected group.
      • Target Management Role: Limits the visibility of resources to members of the selected Management Role.
      • Target Query-Based Collection: Limits the visibility of resources to those in the selected collection.
    • Enter a <Target Assignee> Name to Search: Depending on the assignment type chosen, search for and select the specific instance. For example, if you selected Management Role, search for and select the relevant Management Role.

    • Priority: Enter a priority value for the policy. Lower values indicate higher priority, so a user with multiple policy assignments receives the policy with the lowest priority value.
      Note: EmpowerID includes Visibility Restriction policies with the IamShop mode for all resources published in the IAM Shop with a priority of 100. Thus, for your policy to take precedence, it must be set with a numeric value of 99 or lower.

    • Mode: Replace "Default" with "IamShop"

    • Enabled: Leave this option checked to enable policy enforcement immediately or uncheck it to disable the policy.

    In the example image below, the policy is assigned to a Management Role named "Docs-SA" and is restricted to people belonging to a group called "HDQ Sales." This configuration ensures that members of the Docs-SA Management Role can only shop for users who are part of the "HDQ Sales" group.
    [Image: Example Policy Configuration]

  4. Click Save.

Expected Results

Policy assignees should only see the resources meeting the policy's conditions. To verify this, sign in to the IAM Shop as a user assigned the policy and verify they can only see the specified resources. Keep in mind that users still need to be eligible for resources to see them.
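The priority and eligibility rules described above (lowest priority value wins, the built-in policies sit at 100, and eligibility is still required), as an added illustrative model that is not EmpowerID's own code: `VisibilityPolicy`, `winning_policy`, `shop_visible`, the "Everyone" assignee and the group names are assumptions, and representing a policy's scope as a plain set of resource names is a simplification of the assignment types.

```python
from dataclasses import dataclass

# Priority that EmpowerID assigns to its built-in IamShop policies (from the note above).
BUILT_IN_PRIORITY = 100


@dataclass(frozen=True)
class VisibilityPolicy:
    assignee: str       # Management Role, Group, etc. the policy is assigned to
    object_type: str    # "Object Type To Restrict", e.g. "Group"
    mode: str           # "Default" or "IamShop"
    priority: int       # lower number = higher precedence
    scope: frozenset    # resource names the policy leaves visible (simplified model)
    enabled: bool = True


def winning_policy(policies, user_assignments, object_type):
    """Return the enabled IamShop policy for object_type with the lowest
    priority value among those assigned to the user, or None if there is none."""
    candidates = [p for p in policies
                  if p.enabled and p.mode == "IamShop"
                  and p.object_type == object_type
                  and p.assignee in user_assignments]
    return min(candidates, key=lambda p: p.priority, default=None)


def shop_visible(policies, user_assignments, eligible, object_type):
    """Resources the user sees in the IAM Shop: eligibility is required first,
    then the winning policy's scope narrows that set."""
    policy = winning_policy(policies, user_assignments, object_type)
    if policy is None:
        return frozenset(eligible)
    return frozenset(eligible) & policy.scope


# Constructed sample data: the built-in policy plus an administrator-created one.
PUBLISHED = frozenset({"HDQ Sales", "Finance", "Engineering"})
POLICIES = [
    VisibilityPolicy("Everyone", "Group", "IamShop", BUILT_IN_PRIORITY, PUBLISHED),
    VisibilityPolicy("Docs-SA", "Group", "IamShop", 99, frozenset({"HDQ Sales"})),
]

if __name__ == "__main__":
    # A Docs-SA member eligible for two groups sees only the scoped one.
    print(sorted(shop_visible(POLICIES, {"Everyone", "Docs-SA"},
                              {"HDQ Sales", "Finance"}, "Group")))
```

Changing the Docs-SA policy's priority to 101 makes the built-in policy win again, which is why the note above requires 99 or lower.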