The groups feature is where organizations define what resources will be available for request within self-service. The screen to define the configuration can be seen below:
Note that Fischer provides organizations with the ability to scale as needed around their self-service access requests. In some cases, a unique request tree (Group Tree) may need to be defined to create a mutually exclusive scenario. Mutual exclusivity is often needed when IGA Administrators must provide governance and distinct authorization rules for specific resources. In that case, while a single "Request Tree" can embed ABAC authorizations, you may need to define a separate request tree to meet your governance requirements.
Also note that the Approval column will display the name of an approval if one is defined. Approvals are defined at the resource and provisioning policy level. If no approval appears in the column, no approval is required when the resource is requested.
This feature provides the following functionality:

| Functionality | Description |
| --- | --- |
| Name | Naming the request tree is required. Name the request tree so that it properly represents what is defined as requestable, or its authorization context. For example, you could name the request tree "Administrative Resources" if you want to name the tree based on its contents, or you could name the same tree "Security Access List" or "Level 1 Risk Resources" to give it a name that has more authorization and governance connotation. Regardless of what you name it, it is best to use organization nomenclature and/or standard IGA nomenclature so that other IGA administrators who did not define it have an understanding of what is in it. |
| Description | Describe the request tree! Descriptions are important for change control and continuity reasons. Don't be lazy; provide your co-workers and auditors with the business-to-technical bridge using this space. |
| Root UI Label | This label is what will be displayed within self-service when an access request is initiated. For example, the root label seen above is "Select Resource". Within self-service, this will display here (see "Select Resource" within step 2 below): |
| Grouping Resources | Fischer provides a powerful feature that enables IGA Administrators to build out a user-friendly request tree to help requestors find what they are looking for. To accomplish this, IGA Administrators can group resources together into like combo boxes to help filter. For example, the screenshot below depicts the configuration of an Accounts combo box of the available accounts that are able to be requested and a separate selection to filter out the available Active Directory groups: |
| Scalable Authorization | The PSA Group column available within the request tree configuration empowers IGA Administrators to build out a single request tree and leverage attribute-based access control (ABAC) and Fischer's authorization engine to determine which items in the request tree are presented when an Identity authenticates. Fischer performs a real-time authorization at authentication time to determine which requestable resources will be available to the authenticated Identity, based on that individual Identity's governance profile within Fischer. This feature also provides IGA Administrators with a simulated user experience, as the structure of the request tree is what the end user will see and interact with: the combo box selections and the available resources that appear under each. The UI labels can be defined here as well. Fischer's dynamic configuration will automatically build the self-service interface as it is defined here. |
| Delete | This will delete the selected resource. Note that you need to select the radio button before the Delete option will become available. |
| Sort | You can sort the request tree. It will sort the tree alphabetically, in ascending order. Note that you can sort each group individually, so you must select a group first. |
| Move Up | You can move requestable resources up in the request tree. |
| Move Down | You can move requestable resources down in the request tree. |

Each resource within the request tree can be configured to enable and require Fischer's resource sponsor feature. Simply check the box for the enforcement level you would like. When the feature is enabled, the requestor will have the option to select a resource sponsor. When it is enabled and required, the requestor will be forced to select a sponsor before the request can be submitted.