Edit IAM Shop Settings
When you need to modify how Management Roles appear and behave in the IAM Shop self-service portal, you can update IAM Shop settings. This controls whether roles are requestable, who can see and request them, and what approval processes apply to requests.
Access Requirements: You must have appropriate permissions to manage the specific Management Role you want to modify.
Use this workflow when changing role visibility in self-service, updating approval policies, modifying who can request roles, or enabling/disabling self-service access for Management Roles.
Before You Start
You need access to the Resource Admin application to edit IAM Shop settings. If you can't access this workflow, contact your administrator to request permissions.
Make sure you have:
- Knowledge of who should be able to see and request the role
- Understanding of what approval policies should apply
- Decisions about whether the role should be available for self-service requests
Get Started
- Navigate to the Resource Admin portal.
- Select Management Roles from the resource type menu.
- Click the Workflows tab.
- Find and click Manage Management Role Wizard.
- Select the Management Role you want to modify by checking the box next to it, then click Next.
- Select Edit IAM Shop Settings from the available actions.
- Click Next to proceed to the IAM Shop settings configuration.
The workflow will open showing the current IAM Shop configuration.
Update IAM Shop Settings
-
Enable or configure the IAM Shop settings to control how the Management Role appears and behaves in the self-service portal:
Step 1: Enable Requestability (if needed)
Requestable in IAM Shop: This setting determines whether users can request access to the Management Role from the IAM Shop.
- To enable self-service access: Check the Requestable in IAM Shop checkbox. Additional configuration options will appear.
- To disable self-service access: Uncheck the checkbox. All other IAM Shop settings will be hidden and ignored.
noteIf this setting is unchecked, the configuration process ends here. The remaining IAM Shop settings will not appear or apply.
Step 2: Configure Additional Settings (if requestable is enabled)
Once you've enabled requestability, configure the following settings:
Access Request Policy: This setting controls how the system processes and approves access requests for the Management Role.
To update the request policy:
- Click the X to remove the current policy (if any).
- Search for and select a new policy that defines the appropriate access workflow for this role.
Select Assignees:
Eligible Assignees - Users who can request access to the role. When they submit a request, it is routed for approval based on the selected Access Request Policy.
To add eligible assignees:
- Choose an assignee type from the Choose Type dropdown (Person, Group, SetGroup, Management Role, Business Role, or Location).
- Search for and select the specific person, group, or role.
- Repeat as needed to add multiple selections.
- Use the Added counter to view or remove selections.
To remove eligible assignees:
- Locate the assignee you want to remove in the list.
- Toggle the Keep switch to Remove.
Preapproved Assignees - Users who are automatically granted access without needing approval. Their requests are auto-fulfilled.
To add preapproved assignees:
- Choose an assignee type from the Choose Type dropdown (Person, Group, SetGroup, Management Role, Business Role, or Location).
- Search for and select the specific person, group, or role.
- Repeat as needed to add multiple selections.
- Use the Added counter to view or remove selections.
To remove preapproved assignees:
- Locate the assignee in the list.
- Toggle the Keep switch to Remove.
Suggested Assignees - Users who see this role highlighted as a recommendation in the IAM Shop. If they request it, the standard approval policy applies.
To add suggested assignees:
- Choose an assignee type from the Choose Type dropdown (Person, Group, SetGroup, Management Role, Business Role, or Location).
- Search for and select the specific person, group, or role.
- Repeat as needed to add multiple selections.
- Use the Added counter to view or remove selections.
To remove suggested assignees:
- Locate the record you want to remove.
- Toggle Keep to Remove.
-
Click Next to proceed.
Complete the Workflow
- Review the Operation Execution Summary to confirm your changes were applied successfully:
The summary shows the specific IAM Shop settings that were updated. - Click Submit to continue.
- Choose your next action:
- Do you want to manage the same Management Role? - Select this to perform additional actions on the same role.
- Do you want to manage different Management Role(s)? - Select this to work with other Management Roles.
- Do you want to finish the workflow? - Select this to complete the process and exit the wizard.
- Click Submit to proceed with your selected option.
What Happens Next
- IAM Shop settings changes may generate business requests that require approval before taking effect.
- Once changes are applied, the role's visibility and requestability in the IAM Shop are updated immediately.
- Eligible users will see the role in their IAM Shop if it's configured as requestable.
- Preapproved users can activate role membership without approval workflows.
- Suggested users will see the role recommended in their IAM Shop interface.
If You Run Into Problems
Users can't see the role in IAM Shop: Check that the users are included in the Eligible Assignees list and that the role is configured as requestable.
Approval policies don't work as expected: Verify that the selected Access Request Policy is configured correctly and active.
Too many users can see the role: Review the Eligible Assignees configuration to ensure you haven't selected overly broad groups or locations.
Related Actions
- To create new Management Roles, see Onboard Management Roles.
- To modify role ownership, see Edit Management Role Owners & Deputies.
- To manage automatic membership policies, see Edit RBAC Membership Policies.