Configuring the Access Request Manager Solution · 2013. 6. 10. · Configuring the AccountCourier...


Configuring the AccountCourier Access Request Manager™ Solution

Release 8.2

Courion Corporation

1900 West Park Drive
Westborough, MA 01581-3919

Phone: (508) 879-8400
Domestic Toll Free: 1-866-Courion

Fax: (508) 366-2844

Copyright © Courion Corporation. All rights reserved.

Copyright (c) by Courion Corporation 1996-2013. All rights reserved. This document may be printed or copied for use by administrators of software that this guide accompanies. Printing or copying this document for any other purpose in whole or in part is prohibited without the prior written consent of Courion Corporation.

Courion, the Courion logo, AccountCourier, CertificateCourier, DIRECT!, PasswordCourier, ProfileCourier, RoleCourier are registered trademarks of Courion Corporation. Access Insight, CourionLive, See Risk in a Whole New Way, Access Assurance Suite, ComplianceCourier, and Enterprise Provisioning Suite are trademarks of Courion Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in technical Data and Computer Software clause in DFAR 52.227-7013 or the equivalent clause in FAR 52.227-19, whichever is applicable.

Courion Corporation reserves the right to make changes to this document and to the products described herein without notice. Courion Corporation has made all reasonable efforts to insure that the information contained within this document is accurate and complete. However, Courion Corporation shall not be held liable for technical or editorial errors or omissions, or for incidental, special, or consequential damages resulting from the use of this document or the information contained within it.

The names of additional products may be trademarks or registered trademarks of their respective owners. The following list is not intended to be comprehensive.

Adobe®, the Adobe® logo, Acrobat®, and Acrobat® Reader® are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

CA-TopSecret® and CA-ACF® are registered trademarks of Computer Associates International, Inc.

Citrix® is a registered trademark of Citrix Systems, Inc. in the United States and other countries.

HP-UX is an X/Open® Company UNIX® branded product.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

Microsoft Corporation®, Microsoft Windows®, Microsoft Windows NT®, Microsoft Excel®, Microsoft Access™, Microsoft Internet Explorer®, and SQL Server® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Microsoft is a U.S. registered trademark of Microsoft Corp.

Netscape® is a registered trademark of Netscape Communications Corporation® in the U.S. and other countries. Netscape Communicator®, Netscape Navigator®, and Netscape Directory Server® are also trademarks of Netscape Communications Corporation and may be registered outside of the U.S.

Novell® and the Novell products, including NetWare®, NDS®, GroupWise®, and intraNetWare® are all registered trademarks of Novell.

IBM®, Lotus®, Lotus Notes®, Domino®, i5/OS®, z/OS®, and RACF are registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Oracle® and PeopleSoft® are registered trademarks of the Oracle Corporation. Oracle8i™ and Oracle9i™ are trademarks of the Oracle Corporation.

Remedy®, Action Request System®, and AR System® are registered trademarks of BMC Software, Inc.

SAP, the SAP logo, mySAP.com, and R/3 are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

SecurID® and BSAFE® are registered trademarks of RSA Security Inc. All rights reserved.

Sun, Sun Microsystems, the Sun Logo, iPlanet are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.

All other products and companies mentioned in this document may be the trademarks of their associated organizations.

May 2013

Trademarks

Contents

Chapter 1 - About the Access Request Manager ... 7
  Access Keys ... 8

Chapter 2 - About The Access Request Manager Workflows ... 9
  The Request and Approval WorkFlows ... 10
  Manage User Access ... 12
  Selecting Recipients ... 12
  Selecting Access Items ... 13
  Submitting the Request for Approval ... 13
  Approving a Request ... 15

Chapter 3 - Configuring the Access Request Manager ... 17
  Configuring the Access Request Manager ... 18
  Before Configuring the Access Request Manager ... 18
  After Configuring the Access Request Manager ... 18
  Editing Connection Strings ... 19
  Configuring the Courion Request Service ... 20
  Configuring the Courion Notification Service ... 21
  Changing the Default Linked Server Name ... 22
  Deploying the Database without the Linked Server ... 22
  Authenticating in to the Access Assurance Portal ... 24
  Using Multi-Domain Authentication ... 25
  Overview of the Administrative Menu ... 26
  The Administration Menu Items ... 26
  Administrative Menu Items through the Actions Menu Item ... 27

Chapter 4 - Using the Global Configuration Manager ... 29
  Default Global Configurations ... 30
  Editing Global Configurations Using the Global Configuration Manager ... 38
  Editing Global Configurations with Config Type as Text ... 38
  Editing Global Configurations with Config Type as Complex ... 39
  Configuring the Individual Search Control Screens ... 40
  Specifying Custom Macros in the Edit Complex Value Editor ... 41
  Adding Global Configurations to the GlobalConfigValues Table ... 43
  Grid Configuration ... 43
  Adding, Removing and Ordering of Fields in the Global Configuration ... 44
  Using Custom Macros in <column> Node ... 44
  Drop-Down Configuration ... 44
  Views Used in Global Configurations ... 45
  The vw_Role View ... 45
  The vw_Profile View ... 45
  The vw_Entitlement View ... 48
  The vw_Tag View ... 49
  The vw_Entitlement_Tag View ... 49
  The vw_Role_Tag View ... 50

Chapter 5 - Configuring Picklists ... 51
  Using the Picklist Admin ... 52
  Default Picklist Types and Values ... 53
  Adding a Picklist Value ... 54

Chapter 6 - Adding Access Items ... 57
  Definition of an Access Entitlement ... 57

  Definition of a Role ... 57
  Definition of an Access Item ... 57
  Adding a Role ... 58
  Adding Information on the Roles Tab ... 58
  Adding General Information About Role ... 58
  Adding Definition and Access Approvers ... 59
  Assigning Tags to Categorize Roles ... 60
  Adding Information on the Access Tab ... 61
  Editing an Existing Role ... 63
  Approving New and Modified Roles ... 64
  Enabling or Disabling a Role ... 65
  Adding Access Entitlements ... 66
  Assigning Tags to Access Entitlements ... 67

Chapter 7 - Configuring the Manage Access Catalog ... 69
  Configuring Items on Roles Tab ... 70
  Configuring the Roles Grid ... 70
  Configuring the Search Tags Drop-down on Assign Tags Popup ... 71
  Configuring Items on the Add/Modify Screen ... 71
  Configuring the Advanced Search Grid To Search for Owners on Roles Tab ... 71
  Configuring the Owners or Approvers Drop-down on Roles Tab ... 72
  Configuring the Advanced Search Grid To Search for Approvers on Roles Tab ... 72
  Configuring the Search Tags Drop-down on Roles Tab ... 73
  Configuring the Tag Grid on Roles Tab ... 74
  Configuring the Search Profiles Drop-down on Access Tab ... 74
  Configuring Advanced Search Grid for Intelligent Modeling on Access Tab ... 75
  Configuring the Profile Grid for Intelligent Modeling ... 75
  Configuring the Role Definition Grid ... 76
  Configuring Items on Entitlements Tab ... 78
  Configuring the Entitlements Grid ... 78

Chapter 8 - Configuring the Manage User Access ... 79
  Configuring Items for Selecting Recipients ... 80
  Populating the Acting As Drop-Down List on Manage User Access ... 80
  Configuring the Managed Users Drop-down on Users Tab ... 80
  Configuring the Managed Users Grid With Recipient Information ... 81
  Configuring the Grid for Role and Access Entitlement Details on Users Tab ... 81
  Configuring the Advanced Search Grid on Users Tab ... 82
  Configuring the Search Profiles Drop-down on Access Tab ... 83
  Configuring the Profile Grid for Intelligent Modeling ... 84
  Configuring the Advanced Search Grid on Access Tab ... 85
  Configuring Access Items for Managing User Access ... 86
  Configuring Items for Submitting the Request for Approval ... 87

Chapter 9 - Configuring the Approval Workflows ... 89
  Adding Definition Approvers for Role Approval ... 90
  Adding Access Approvers for Access Approval ... 91
  Configuring the Approval Requests ... 92
  Populating the Acting As Drop-Down List ... 92
  Showing Pending Requests Based on Selection from Acting-As Drop-Down List ... 92
  Enabling Delegatees to Approve Their Own Requests ... 92
  Setting Up Fields for Pending Requests ... 93
  Setting Up Fields for Request Details ... 93
  Setting Up Fields To View Requester Details For All Request Types ... 93
  Configuring Items for Role Definition ... 94
  Setting Up Fields For the Role Characteristics Panel ... 94
  Setting Up the Role Definition Grid ... 95
  Configuring Items for Access Request ... 95
  Setting Up Fields to View Recipient Details for Access Request ... 95
  Enabling Editing of Access Entitlement Values for Access Request ... 95
  Configuring the Access Grid ... 96
  Configuring Items for Profile Request ... 96

  Configuring the Approve and Deny Action Buttons ... 96
  Approving New and Modified Roles ... 98
  Approving Requests ... 99

Chapter 10 - Using Macros ... 101
  Adding a New Macro ... 102
  Editing or Deleting an Existing Macro ... 104
  Using Restriction Macros ... 105
  Naming a Restriction Macro ... 105
  Other Macros Used Within Restriction Macros ... 105
  Restrictions Available On Manage Access Catalog ... 106
  Restricting the Roles Grid on Roles Tab ... 106
  Restricting the Access Entitlements Grid on Entitlements Tab ... 106
  Restrictions on the Manage Access Catalog - Add/Modify ... 106
  Restricting Profiles to Search for Role Owners on Roles Tab ... 107
  Restricting Profiles to Search for Approvers on Roles Tab ... 107
  Restricting Search for Tags on Roles Tab ... 107
  Restricting Search for Roles on Access Tab ... 108
  Restricting Search for Entitlements on Access Tab ... 108
  Restricting Search for Profiles on Access Tab ... 109
  Restrictions Available On Manage User Access ... 110
  Restricting Search for Recipients on Users Tab ... 110
  Restricting Search for Roles on Access Tab ... 110
  Restricting Search for Access Entitlements on Access Tab ... 111
  Restricting Search for Profiles on Access Tab ... 111
  Defining Filter Expressions in Restriction Macros ... 112
  Using Custom Macros ... 117
  Custom Macros for Manage Access Catalog ... 117
  Show or Hide Roles ... 117
  Show or Hide Access Entitlements ... 117
  Show or Hide Intelligent Modeling ... 117
  Custom Macros for Manage User Access ... 118
  Show or Hide Roles ... 118
  Show or Hide Access Entitlements ... 118
  Show or Hide Intelligent Modeling ... 118
  Other Macros Used with Custom Macros ... 119
  Retrieving the User ID of Logged in User ... 119
  Retrieving the User ID of the Acting as User ... 119
  Retrieving the User ID of the Delegator ... 119

Chapter 11 - Using Delegation ... 121
  Delegating for Other Delegators ... 122
  Displaying the Select Employee Panel to Administrators ... 123
  Delegating as Self ... 124
  Checking for Access Privileges ... 125
  Custom Macros to check for Access Privileges of a Delegator ... 125
  Request Access ... 125
  Manager Approval ... 125
  Access Approval ... 126
  Profile Approval ... 126
  Displaying Delegatee Information ... 127
  Using the Default Global Configuration to Customize the Search Control Popup ... 128
  Using the MultiUserSearchRestriction2 to Implement Restriction ... 128
  Customizing the Individual Search Control Popups for Delegator and Delegatee Search ... 129
  Default Values in the Restriction Global Configurations For Delegation ... 132
  Auditing Delegation ... 133

Chapter 12 - Disabling Access For Terminated Users ... 135
  Configuring the Search Control Popup ... 135
  Using the DisableUserSearchRestriction to Implement Restriction ... 136

Chapter 13 - Setting Up Email Notifications ... 137
  Editing a Default Email Template ... 139

Chapter 14 - Customizing the Access Request Manager User Interface ... 141
  Displayed Text in the Resource File ... 141

Chapter 15 - Managing Access to the Access Request Manager Web Pages ... 143
  Adding Communities and Entitlements ... 143
  Communities and Entitlements in the Access Assurance Portal ... 144
  Community ... 144
  Entitlements ... 145
  Securing Access to Web Pages in the Access Request Manager ... 149
  Entitlement and Web Page Pairs in the Access Request Manager ... 150
  Adding Web Pages For a New Entitlement ... 151

Chapter 16 - Creating Profiles ... 153
  Configuring Items to Add a New Profile ... 154
  Providing a Label for the Profile Manager Link ... 154
  Configuring DefaultApproverProfileUID Global Configuration ... 155
  Approval Workflow for New Profiles ... 156
  Access Request Approval Workflow for a New Profile ... 157

Index ... 159

Chapter 1: About the Access Request Manager

The AccountCourier Access Request Manager™ Solution is a component of the Access Assurance Suite that resides within the Access Assurance Portal. The Access Request Manager is a complete, highly functional request management system that enables:

• An individual, whether in IT or in a line of business, to request or remove access to resources, such as an online application system.

• Designated approvers to approve or reject requests.

This manual is intended for use by an IT administrator to configure the Access Request Manager. It describes how to use the Access Request Manager administration menu available through the Access Assurance Portal to configure the request and approval workflows, and includes the following chapters:

• “About The Access Request Manager Workflows” on page 9 describes the request and the approval workflows, and the screens associated with them.

• “Configuring the Access Request Manager” on page 17 describes how to configure the Access Request Manager, and introduces the administrative menu to configure the request and approval workflows.

• “Using the Global Configuration Manager” on page 29 describes how to use the GLOBAL CONFIGURATION MANAGER to set up the global configurations.

• “Configuring Picklists” on page 51 describes how to configure the picklist using the PICK LIST ADMIN.

• “Adding Access Items” on page 57 describes how to configure the roles and access entitlements, jointly referred to as access items.

• “Configuring the Manage Access Catalog” on page 69 describes how to configure the UI items, including the grids and drop-down lists, on the MANAGE ACCESS CATALOG.

• “Configuring the Manage User Access” on page 79 describes how to configure the UI items on the MANAGE USER ACCESS screen.

• “Configuring the Approval Workflows” on page 89 describes how to configure approvers and the APPROVE REQUESTS screen for the approval workflow.

• “Using Macros” on page 101 describes how to configure a macro, and the macros required to configure the workflows for the Access Request Manager.

• “Using Delegation” on page 121 describes how to delegate access privileges to other users.

• “Disabling Access For Terminated Users” on page 135 describes how to disable access for a terminated user.

• “Setting Up Email Notifications” on page 137 describes how to create and maintain email templates for notifications sent to requesters, recipients, and approvers.

• “Customizing the Access Request Manager User Interface” on page 141 describes how to customize the text for buttons, tabs, and dialog boxes.

• “Managing Access to the Access Request Manager Web Pages” on page 143 describes how to configure users to see only those web pages they are entitled to in the Access Request Manager.

• “Creating Profiles” on page 153 describes the configurations for creating new profiles, and the approval workflows for a new profile. It also describes the access request workflow for a newly created profile.

Access Keys

The Access Request Manager requires an AccountCourier® access key obtained from Courion.

Chapter 2: About The Access Request Manager Workflows

This chapter describes the Manage User Access and Approval workflows and the screens you need to configure to enable them. It includes the following sections:

• “Manage User Access” on page 12

• “Approving a Request” on page 15

The Request and Approval WorkFlows

The following workflows enable users to seamlessly request and approve access:

• Managing User Access - The actions a user (requester) takes to request access to resources in an enterprise. Requesters are users who request access for themselves or other users. A recipient includes any person in an enterprise who is given access to a resource.

This access request workflow includes creating a request by selecting recipients, adding or removing access items, and submitting the request for approval. For additional information about the access request workflow, refer to the section “Manage User Access” on page 12.

Note: In this manual, the terms access request and request may be used as general statements to refer to the process of submitting a request to add or remove access for a user.

• Approving Requests - The actions an approver completes to approve pending requests. Approvers are users who approve requests.

For additional information about the approval workflow, refer to the section “Approving a Request” on page 15.

To access the Access Request Manager (ARM), a requester authenticates through the Access Assurance Portal. Upon authentication, the Access Request Manager landing page is available with a top-level menu, as shown in Figure 1. The top-level menu items include HOME and ACTIONS.

Figure 1: The Access Request Manager Landing Page

A user with administrative privileges who belongs to the ARM Admins community sees an additional ADMIN top-level menu item, as shown in Figure 2. This ADMIN menu item provides an administrator access to administrative capabilities. For more information about the menu options, refer to the chapter “Configuring the Access Request Manager” on page 17.

Figure 2: The Access Request Manager with the Admin Menu Item

For additional information about configuring the menu items, refer to the chapter “Managing Access to the Access Request Manager Web Pages” on page 143.

Manage User Access

From the top-level ACTIONS menu item, select MANAGE USER ACCESS to make a request. The ROLES and ACCESS tabs appear to enable you to create a request and submit it for approval.

Note: In this section, the terms access request and request may be used as general statements to refer to the process of submitting a request to add or remove access for a user.

Selecting Recipients

From the MANAGE USER ACCESS > USERS tab, shown in Figure 3, the requester can select one or more users, and simultaneously manage their current access.

Figure 3: Manage User Access — Users and Current Access

Requesters can manage access for themselves or other users. The selected recipients appear in the Managed Users grid on the left.

The Access Request Manager enables select users (delegators) to delegate their ability to request access to other users (delegatees). A delegatee needs to first change his operating identity to the delegator’s so that he can act as the delegator and request access.

For more information about delegation, refer to the chapter “Using Delegation” on page 121.

After the requester selects recipients, the Current Access grid on the right shows a summary of access items that the users being managed currently have. The requester can manage access for all users in the Managed Users grid on the left by selecting access items in the Current Access grid, and then adding or removing the selected items. The add access or remove access change requests appear in the Access Modifications grid located at the bottom of the MANAGE USER ACCESS screen as shown in Figure 5.

Items that you can configure on the USERS tab include:

• The SEARCH PROFILES drop-down list to search for users by name.

• The ADVANCED SEARCH panel to search for users by other criteria, such as by department or Manager.

• The Managed Users and Current Access grids.

• Restrictions that may apply to the grids.

The requester can add additional access by selecting the ACCESS tab.

Selecting Access Items

From the MANAGE USER ACCESS > ACCESS tab, shown in Figure 4, the requester can select one or more new access items for the users being managed.

Figure 4: Manage User Access — New Access

To add an access item, the requester uses the FIND ACCESS BY drop-down list, which provides the ability to search the Role Catalog, the Entitlement Catalog, or search for access held by current users through the Intelligent Modeling feature.

When the requester selects a new access item, it appears in the Access Modifications grid with the add and change requests that will be submitted together for approval.

Items that you can configure on the ACCESS tab include:

• The FIND ACCESS BY drop-down list.

• Grids for the respective options determined by the option selected by the requester. For example, the Entitlements grid if Entitlement is selected.

• Restrictions that may apply to the grids.

Submitting the Request for Approval

The Access Modifications grid shows access items that the requester selected from the Current Access grid, and any new access items that were added through the ACCESS tab. Requesters can modify the editable entitlements within the grid or remove access items from the grid. The request submitted for approval will include the latest modifications the requester makes within the grid.

Before submitting the request for approval, requesters can review the access items in the Access Modifications grid, modifying an attribute value for an access entitlement or removing an access item as needed.

Figure 5: Submit Request for Approval

Items that you can configure in the Access Modifications grid include:

• Fields that appear in the grid.

• Restrictions that may apply to the grid.

To configure the features described in this section, refer to the chapter “Configuring the Manage User Access” on page 79.

An email notification is sent to the requester, recipient, and the approver about the request. To configure the email notifications, refer to “Setting Up Email Notifications” on page 137.

Approving a Request

When approvers access the Access Request Manager, they can approve requests through the APPROVE REQUESTS menu item.

On selecting APPROVE REQUESTS, approvers see on the APPROVE REQUESTS screen any outstanding requests they need to approve, as shown in Figure 6.

The Access Request Manager enables select users (delegators) to delegate their ability to approve requests to other users (delegatees). A delegatee needs to first change his operating identity to the delegator’s so that he can act as the delegator and approve requests. The APPROVE REQUESTS screen will display the selected delegator’s outstanding requests to approve. For more information about delegation, refer to the chapter “Using Delegation” on page 121.

If a request was submitted as a bulk request (a request with more than one recipient), it is separated into multiple requests, with one request for each recipient. For example, a bulk request that includes three recipients with two access items splits into three separate requests on the APPROVE REQUESTS screen. Each request includes one recipient and two access items. Splitting the bulk request enables the approver to act independently on each access item for each recipient.

Figure 6: Requests Pending Approval

Items that you can configure on the APPROVE REQUESTS screen include:

• The Approval Requests grid.

• The editing of access entitlement attributes.

Refer to “Configuring the Approval Workflows” on page 89 for adding approvers and configuring the APPROVE REQUESTS screen.

Chapter 3: Configuring the Access Request Manager

This chapter describes how to configure the Access Request Manager. It also provides an overview of the administrative menu available to configure the access request and approval workflows.

The chapter includes the following sections:

• “Configuring the Access Request Manager” on page 18

• “Authenticating in to the Access Assurance Portal” on page 24

• “Overview of the Administrative Menu” on page 26

Configuring the Access Request Manager

The Access Request Manager is installed with the Access Assurance Suite as described in the manual Installing the Access Assurance Suite.

Before Configuring the Access Request Manager

Configure the following before using the Access Request Manager:

• An Active Directory domain with the Active Directory groups, including Managers, Owners, Approvers and ARM Admins.

Note: Groups created for authentication and authorization need to be global.

Note: A user with direct reports belongs to the Manager Active Directory group.

• An Active Directory target named Active Directory. See Configuring Password Management Modules (PMMs), Connectors, and Agents for information on how to create targets.

You need the Active Directory target for the default authentication and authorization.

After Configuring the Access Request Manager

After you configure the Access Request Manager:

1. Open the DBServer.sql file located in the [courion-installation-folder]\Courion Service folder in Microsoft® SQL Management Studio.

2. Select SQL CMD Mode under Query in Microsoft® SQL Management Studio.

3. Execute the DBServer.sql script to create a linked server with the default name LOOPBACK. To change the default linked server name, refer to the section “Changing the Default Linked Server Name” on page 22.

Note: Configuring the Access Request Manager without a linked server will result in degraded request performance, including slower request processing times and possibly failed requests. If you still prefer to use the Access Request Manager without the linked server, follow the steps in the section “Deploying the Database without the Linked Server” on page 22.

4. Open the Courion.sql located in the [courion-installation-folder]\Courion Service folder in Microsoft® SQL Management Studio.

5. Select SQL CMD Mode under Query in Microsoft® SQL Management Studio.

6. Edit the database name:

:Setvar DatabaseName "Courion"

7. Execute the Courion.sql database script. This will create a database with the default name COURION for the Access Request Manager, Access Certification, and Identity Mapping.

8. Edit connection strings. Refer to the section “Editing Connection Strings” on page 19.

9. Configure the Courion Request Service. Refer to the section “Configuring the Courion Request Service” on page 20.

10. Configure the Courion Notification Service. Refer to the section “Configuring the Courion Notification Service” on page 21.

11. Populate the IdentityMap and Profile tables in the newly created COURION database.

12. Configure a Microsoft-ADO-3.0 target named ARM. This target should point to the COURION database. See Configuring Password Management Modules (PMMs), Connectors, and Agents for information on how to create targets.

Editing Connection Strings

Edit the MetricRepositoryDefault, Default, dbConnectionString, and ARMEntities connection strings in the [courion-installation-folder]\CourionARMS\CustomerConnStrings.config file. The connection strings should be uncommented and point to the COURION database.

<add name="MetricRepositoryDefault" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />
<add name="Default" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />
<add name="dbConnectionString" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />
<add name="ARMEntities" connectionString="metadata=res://*/;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True;MultipleActiveResultSets=True&quot;" providerName="System.Data.EntityClient" />
<add name="AccessEntities" connectionString="metadata=res://*/AccessModel.csdl|res://*/AccessModel.ssdl|res://*/AccessModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Integrated Security=false;User ID=$$YOURUSERIDHERE$$;Password=$$YOURDBPASSWORDHERE$$;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />

Note: To point the connection strings to the correct database, replace $$YOURSERVERHERE$$ with the name of the database server, and replace $$YOURDBHERE$$ with the name of the COURION database.

Configuring the Courion Request Service

Add the configuration for the Request Service to the Courion.Framework.RequestService.exe.config file found in the [courion-installation-folder]\CourionService folder. The Request Service processes the automated and manual requests on which approvers have taken action. The configuration file contains the following information:

<configuration>
  <appSettings>
    <add key="CourionServer" value="http://localhost/courion/WebSamples/AccessOptions/XMLAO/xmlao.asp"/>
    <add key="NumberToProcess" value="5"/>
    <add key="SleepTime" value="1"/>
    <add key="AppName" value="Courion Request Service"/>
    <add key="ManualProcedure" value=""/>
  </appSettings>
  <connectionStrings>
    <!--<add name="dbConnectionString" connectionString="Data Source=$$YourServerHere$$;Initial Catalog=$$DatabaseName$$;User ID=$$UserID$$;Password=$$Password$$" providerName="System.Data.SqlClient"/>-->
  </connectionStrings>
</configuration>

Note: To encrypt the Courion.Framework.RequestService.exe.config file, refer to the Microsoft® documentation.

CourionServer: The link to the XMLAO processing engine where the Courion Server is hosted.

NumberToProcess: The number of requests to process.

SleepTime: The number of minutes the service goes to sleep after processing the number of requests specified in NumberToProcess.

AppName: The name of the service.

ManualProcedure: By default, the value is empty.

dbConnectionString: The connection string points to the database which holds the ARM schema.

The courrequestservice.log log file for the Request Service is found in the [courion-installation-folder]\CourionService folder. It logs errors, warnings or any information related to the Request Service.

Configuring the Courion Notification Service

Add the configuration for the Notification Service to the Courion.Framework.NotificationService.exe.config file found in the [courion-installation-folder]\CourionService folder. The Notification Service sends a notification when an event occurs, such as when a request is submitted, approved, or denied. The configuration file contains the following information:

<configuration>
  <appSettings>
    <add key="SMTPServer" value="$$YourSMTPServerName$$" />
    <add key="SenderAddress" value="$$SenderEmailAddress$$" />
    <add key="SleepTime" value="1" />
    <add key="EnableLogging" value="true" />
    <add key="AppName" value="Courion Notification Service" />
    <add key="UserName" value="$$UserName$$" />
    <add key="Password" value="$$Password$$" />
    <!--<add key="LogLevel" value=""/>-->
  </appSettings>
  <connectionStrings>
    <!--<add name="dbConnectionString" connectionString="Data Source=$$YourServerHere$$;Initial Catalog=$$DatabaseName$$;User ID=$$UserID$$;Password=$$Password$$" providerName="System.Data.SqlClient"/>-->
  </connectionStrings>
</configuration>

Note: To encrypt the Courion.Framework.NotificationService.exe.config file, refer to the Microsoft® documentation.

SMTPServer: The server that sends emails.

SenderAddress: The email address from which emails are sent to requesters, approvers and administrators.

SleepTime: The number of minutes the service goes to sleep after processing pending notifications.

EnableLogging: Not applicable; however, do not remove.

AppName: The name of the service.

UserName: The administrative account for the SMTP server.

Password: The administrative account password for SMTP Server.

LogLevel: The logging level: 0 for error; 1 for warning and error; 2 for information, warning, and error.

The cournotificationservice.log log file for the Notification Service is found in the [courion-installation-folder]\CourionService folder. It logs errors, warnings or any information related to the Notification Service.
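The connection-string file and the two service configuration files described above can hold database and SMTP passwords in readable form. The following audit script is an added example, not Courion's code: it reports template placeholders that were never replaced, passwords readable in the file, and a connectionStrings section with no active entry, and it skips any section carrying the .NET configProtectionProvider attribute. The sample file contents, host names, account names and passwords are constructed, and treating CustomerConnStrings.config as a file rooted at connectionStrings is an assumption.

```python
"""Audit Courion ARM .config files for readable secrets (added example)."""
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$\$\w+\$\$")   # template markers such as $$YOURDBHERE$$
EF_INNER = re.compile(r'provider connection string\s*=\s*"([^"]*)"', re.I)


def conn_string_fields(value):
    """Return the key=value pairs of a connection string as a dict (keys lower-cased)."""
    inner = EF_INNER.search(value)   # Entity Framework wraps the SQL string in quotes
    if inner:
        value = inner.group(1)
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields


def audit_config(xml_text):
    """Return sorted (section, entry, finding) tuples for one .config document."""
    root = ET.fromstring(xml_text)
    findings = set()
    for section in root.iter():
        if section.tag not in ("connectionStrings", "appSettings"):
            continue
        if section.get("configProtectionProvider"):
            continue   # section is encrypted on disk: nothing readable to flag
        adds = section.findall("add")
        if section.tag == "connectionStrings" and not adds:
            # XML comments are dropped by the parser, so a commented-out entry lands here
            findings.add((section.tag, "-", "no-active-connection-string"))
        for add in adds:
            if section.tag == "connectionStrings":
                name, value = add.get("name", "?"), add.get("connectionString", "")
                fields = conn_string_fields(value)
                secret = fields.get("password") or fields.get("pwd") or ""
            else:
                name, value = add.get("key", "?"), add.get("value", "")
                secret = value if name.lower() == "password" else ""
            if PLACEHOLDER.search(value):
                findings.add((section.tag, name, "placeholder-not-replaced"))
            if secret and not PLACEHOLDER.fullmatch(secret):
                findings.add((section.tag, name, "cleartext-password"))
    return sorted(findings)


# Constructed samples: server names, accounts and passwords are made up.
# Assumption: CustomerConnStrings.config is rooted at <connectionStrings>.
CUSTOMER_CONN_STRINGS = """<connectionStrings>
  <add name="Default" connectionString="Data Source=sqlhost01;Initial Catalog=Courion;Trusted_Connection=True" providerName="System.Data.SqlClient" />
  <add name="dbConnectionString" connectionString="Data Source=$$YOURSERVERHERE$$;Initial Catalog=$$YOURDBHERE$$;Trusted_Connection=True" providerName="System.Data.SqlClient" />
  <add name="AccessEntities" connectionString="metadata=res://*/AccessModel.csdl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=sqlhost01;Initial Catalog=Courion;Integrated Security=false;User ID=arm_svc;Password=Example-Pw-1;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
</connectionStrings>"""

NOTIFICATION_CONFIG = """<configuration>
  <appSettings>
    <add key="SMTPServer" value="smtp.example.test" />
    <add key="UserName" value="smtp-admin" />
    <add key="Password" value="Example-Pw-2" />
  </appSettings>
  <connectionStrings>
    <!--<add name="dbConnectionString" connectionString="Data Source=x" />-->
  </connectionStrings>
</configuration>"""

PROTECTED_REQUEST_CONFIG = """<configuration>
  <appSettings>
    <add key="NumberToProcess" value="5"/>
  </appSettings>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    samples = (
        ("CustomerConnStrings.config", CUSTOMER_CONN_STRINGS),
        ("NotificationService.exe.config", NOTIFICATION_CONFIG),
        ("RequestService.exe.config", PROTECTED_REQUEST_CONFIG),
    )
    for label, text in samples:
        for section, entry, finding in audit_config(text):
            print(f"{label}: [{section}] {entry}: {finding}")
```

Entries that use Trusted_Connection=True carry no password and produce no finding, which is why the Default entry in the first sample is not reported.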

Changing the Default Linked Server Name

To change the default linked server name, follow these steps:

1. Open the Courion.sql located in the [courion-installation-folder]\Courion Service folder in Microsoft® SQL Management Studio.

2. Select SQL CMD Mode under Query in Microsoft® SQL Management Studio.

3. Edit the default linked server name. For example, this line shows the default name:

:setvar LoopbackLinkedServerName "loopback"

Replace it with a custom name:

:setvar LoopbackLinkedServerName "Custom"

4. Return to the section “After Configuring the Access Request Manager” on page 18 to execute the Courion.sql script.

Deploying the Database without the Linked Server

To deploy the Courion database without the linked server, follow these steps:

1. Do not run the DBServer.sql file.

2. Open the Courion.sql located in the [courion-installation-folder]\Courion Service folder in Microsoft® SQL Management Studio.

3. Select SQL CMD Mode under Query in Microsoft® SQL Management Studio.

4. Delete this line in the Courion.sql file:

:setvar LoopbackLinkedServerName "loopback"

5. Find the single reference to “LoopbackLinkedServerName” in the Get_NextID stored procedure, and change this line:

EXEC [$(LoopbackLinkedServerName)].[$(DatabaseName)].[dbo].[_usp_GetNextId]

so that it reads:

EXEC [dbo].[_usp_GetNextId]

6. Return to the section “After Configuring the Access Request Manager” on page 18, and resume from step 4 to execute the Courion.sql script.

Authenticating in to the Access Assurance Portal

The Access Request Manager is available through the Access Assurance Portal.

To access the Portal on the server where it is installed, navigate to:

http://localhost/CourionARMS/AspxCommon/PortalHome.aspx

To access the Portal from another system, navigate to:

http://[machine-name or IP address]/CourionARMS/AspxCommon/PortalHome.aspx

Note: You may need to add the machine name to the list of trusted sites on any system that accesses the Portal using the machine name or the IP address.

The screen in Figure 7 appears for the Access Assurance Portal.

Figure 7: The Access Assurance Portal

Click LOGIN to authenticate into the Access Assurance Portal, and access the menu items. An authentication screen appears, as shown in Figure 8. You need to be a member of the ARM Admins Active Directory group to authenticate in to the Portal, and access the ADMIN menu for administration.

Note: If the Integrated Windows Authentication feature is configured, you are automatically authenticated in to the Access Assurance Portal.

Figure 8: The Access Authentication screen

Upon authentication, logged in users see the menu items based on the community they belong to, and the access entitlements associated with that community. For additional information about communities and access entitlements, refer to the chapter “Managing Access to the Access Request Manager Web Pages” on page 143.

Using Multi-Domain Authentication

The multi-domain feature enables a user to authenticate in to the Access Assurance Portal by selecting a Microsoft® Active Directory® domain from a drop-down list.

If multi-domain authentication is enabled, the authentication screen displays the drop-down list with the available domains as shown in Figure 9.

Figure 9: Multi-Domain Authentication Enabled

For additional information about multi-domain authentication, refer to the manual Installing the Access Assurance Suite.

Overview of the Administrative Menu

When you authenticate in to the Portal as a member of the ARM Admins community, you may see specific administrative menu items on the ACTIONS and ADMIN drop-downs. This section describes the administrative menu items that are available to you to configure the request and approval workflows, as shown in Figure 10.

Note: You may see one or more of the administrative menu items described in this section.

Figure 10: Administrative Menu Items

The Administration Menu Items

The following menu items are available through the ADMIN drop-down for administration:

• ACCESS REQUEST MANAGER > PICK LIST CONFIGURATION — Select this option to create and manage picklists. See “Configuring Picklists” on page 51 for more details on picklists.

• ACCESS REQUEST MANAGER > SECURITY ADMIN — Select this option to configure the Active Directory Groups and the web pages to which they have access. For more information, refer to the chapter “Managing Access to the Access Request Manager Web Pages” on page 143.

• ACCESS REQUEST MANAGER > MANAGE ACCESS CATALOG — Select this option to create new roles, assign tags, and specify the definition and access approvers for roles. For more information, refer to the chapter “Adding Access Items” on page 57.

• GLOBAL CONFIGURATION MANAGER — Select this option to configure the global configurations for the request and approval workflows. See “Using the Global Configuration Manager” on page 29.

• EMAIL TEMPLATE CONFIGURATION — Select the EMAIL TEMPLATES MANAGER to configure the email notifications sent to requesters, recipients, and approvers. Refer to the chapter “Setting Up Email Notifications” on page 137 for additional information.

• MACRO CONFIGURATION — Select this option to configure custom and restriction macros. Refer to the chapter “Using Macros” on page 101 for additional information.

Administrative Menu Items through the Actions Menu Item

Some menu items on the ACTIONS drop-down are only visible if you authenticate into the Portal as an administrator.

Figure 11: Action Menu Items for Administrators

The administrative menu items include:

• PRIORITY DISABLE — Disable access for a terminated user. For more information, refer to the chapter “Disabling Access For Terminated Users” on page 135.

• ADMIN - VIEW ALL REQUESTS — View all the pending requests.

Chapter 4: Using the Global Configuration Manager

This chapter describes how to edit the global configurations through the Global Configuration Manager or add new global configurations to the GlobalConfigValues table. It includes the following sections:

• “Default Global Configurations” on page 30

• “Editing Global Configurations Using the Global Configuration Manager” on page 38

• “Adding Global Configurations to the GlobalConfigValues Table” on page 43

Default Global Configurations

Select ADMIN > GLOBAL CONFIGURATION MANAGER to set up the global configurations for the MANAGE ACCESS CATALOG, MANAGE USER ACCESS and Approval workflows. The global configurations may include the column names (fields) to show in a search results grid, the restrictions you want to implement, or the search fields you can search on in a popup.

This section lists the default global configurations that are configurable, and describes the general procedure to edit them. For specific details about the global configurations and how they affect the Access Request Manager workflows, refer to the individual chapters.

Table 1 lists the default global configurations with a brief description about what each does.

Table 1: The Default Global Configuration

Global Configuration (CONFIG NAME)

Description Default (CONFIG VALUE)

More Information

Access.ManageUsersAccess.CurrentUsersDetailsEntitlementsColumns

Configures the Details grid that is shown when a role or entitlement is clicked in the Current Access grid on the USERS tab.

CONFIG TYPE: Text

“Configuring the Grid for Role and Access Entitlement Details on Users Tab” on page 81

Access.ManageUsersAccess.SharedProfileGridColumns

Configures the MANAGED USERS grid on the USERS tab.

CONFIG TYPE: Text

“Configuring the Managed Users Grid With Recipient Information” on page 81

Access.ManageUsersAccess.UserMgProfileSearch

Configures the results grid on the ADVANCED SEARCH CONTROL on USERS tab.

CONFIG TYPE: Text

“Configuring the Advanced Search Grid on Users Tab” on page 82

Access.ManageUsersAccess.UserAccessProfileSearch

Configures the results grid on the ADVANCED SEARCH CONTROL on ACCESS tab for Intelligent Modeling.

CONFIG TYPE: Text

“Configuring the Advanced Search Grid on Access Tab” on page 85

Access.ManageUsersAccess.SharedAccessModificationGridColumns

Configures the Access Modifications grid on the MANAGE USER ACCESS screen.

CONFIG TYPE: Text

“Configuring Items for Submitting the Request for Approval” on page 87

Access.ManageUsersAccess.SharedProfileSearchProp

Configures the following drop-downs for MANAGE USER ACCESS:

MANAGED USERS on USERS tab

Search Profiles for Intelligent Modeling

CONFIG TYPE: Text

“Configuring the Managed Users Drop-down on Users Tab” on page 80

“Configuring the Search Profiles Drop-down on Access Tab” on page 83

Access.ManageUsersAccess.SharedProfileGridColumns

Configures the Profile grid on the Access tab for Intelligent Modeling.

CONFIG TYPE: Text

“Configuring the Profile Grid for Intelligent Modeling” on page 84

Admin.CatalogModify.SharedProfileSearchProp

Configures drop-downs on MANAGE ACCESS CATALOG to search for profiles.

CONFIG TYPE: Text

“Configuring the Owners or Approvers Drop-down on Roles Tab” on page 72

“Configuring the Search Profiles Drop-down on Access Tab” on page 74

Admin.Catalog.SharedRolesGridColumns

Configures the Roles grid on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Roles Grid” on page 70

Admin.CatalogModify.RoleOwnerProfileSearch

Configures the results grid for Owners on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Advanced Search Grid To Search for Owners on Roles Tab” on page 71

Admin.CatalogModify.RoleApproverProfileSearch

Configures the results grid for approvers on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Advanced Search Grid To Search for Approvers on Roles Tab” on page 72

Admin.CatalogModify.SharedProfileGridColumns

Configures the Approver grid on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Search Tags Drop-down on Roles Tab” on page 73

Admin.CatalogModify.SharedTagSearchColumns

Configures the Tag grid on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Tag Grid on Roles Tab” on page 74

Admin.CatalogModify.AccessCatalogProfileSearch

Configures the results grid on the ADVANCED SEARCH CONTROL for Intelligent Modeling on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring Advanced Search Grid for Intelligent Modeling on Access Tab” on page 75

Admin.CatalogModify.SharedProfileGridColumns

Configures the Profile grid for Intelligent Modeling on the ACCESS tab of the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Profile Grid for Intelligent Modeling” on page 75

Admin.CatalogModify.RoleDefAccessGrid

Configures the Role Definition grid on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Role Definition Grid” on page 76

Admin.Catalog.SharedEntitlementsGridColumns

Configures the Entitlements grid on the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Entitlements Grid” on page 78

Admin.Catalog.SharedTagSearchProperties

Configures the drop-down for searching tags on ASSIGN TAGS popup.

CONFIG TYPE: Text

“Configuring the Search Tags Drop-down on Assign Tags Popup” on page 71

“Configuring the Search Tags Drop-down on Roles Tab” on page 73

Admin.CatalogModify.SharedTagSearchColumns

Configures the TAG grid in the TAGS section of the MANAGE ACCESS CATALOG.

CONFIG TYPE: Text

“Configuring the Search Tags Drop-down on Roles Tab” on page 73

Admin.CatalogModify.RoleOwnerProfileSearch

Configures the Search Result grid on the ADVANCED SEARCH CONTROL for role owners.

CONFIG TYPE: Text

“Configuring the Advanced Search Grid To Search for Owners on Roles Tab” on page 71

AllowAttributeValueEditingOnApproval

Enables/disables the editing of target attributes on the REQUEST DETAILS screen for approval.

CONFIG TYPE: Text

Default (CONFIG VALUE): False

“Configuring the Approve and Deny Action Buttons” on page 96

ApprovalActionApprove

Configures the Approve button.

CONFIG TYPE: Complex

“Configuring the Approve and Deny Action Buttons” on page 96

ApprovalActionDeny

Configures the Deny button.

CONFIG TYPE: Complex

“Configuring the Approve and Deny Action Buttons” on page 96

ApprovalProfileDisplayFields

Configures the fields for the EMPLOYEE grid on the REQUEST DETAILS screen.

The fields are from the Profile table.

CONFIG TYPE: Complex.

“Setting Up Fields to View Recipient Details for Access Request” on page 95

ApprovalQueueDisplayColumns

Configures the fields for the APPROVAL REQUESTS grid on the APPROVAL QUEUE screen.

The fields are from the Request table.

CONFIG TYPE: Complex

“Setting Up Fields for Pending Requests” on page 93

ApprovalRoleCharacteristicDisplayField

Configures a section of the ROLE CHARACTERISTICS panel with details, such as the role owner and role name.

CONFIG TYPE: Complex

“Setting Up Fields For the Role Characteristics Panel” on page 94

ApprovalRoleCharacteristicApproverDisplayFields

Configures the DEFINITION/ACCESS APPROVERS grid in the ROLE CHARACTERISTICS panel.

CONFIG TYPE: Complex

“Setting Up Fields For the Role Characteristics Panel” on page 94

ApprovalRoleDefinitionDisplayFields

Configures the Role Definition grid.

CONFIG TYPE: Complex

“Setting Up the Role Definition Grid” on page 95

ApprovalRequestDetailFields

Configures the fields for the REQUEST grid on the REQUEST DETAILS screen.

The fields are from the RequestItem table.

CONFIG TYPE: Complex.

“Setting Up Fields To View Requester Details For All Request Types” on page 93

ApproveAsApproverSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

ApproveAsManagerSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

DefaultApproverProfileUID

Add approvers for profile approval.

CONFIG TYPE: Text

“” on page 157

DisableUserSearchOption

Configures the fields displayed in the SEARCH CONTROL popup. This popup appears when a unique identifier is searched on the PRIORITY DISABLE screen.

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

DisableUserSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

FindDelegatorSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

GetARMAdminCommunityMacro

Calls the macro that checks if the user belongs to the ARM Admins Community.

CONFIG TYPE: Text.

Default (CONFIG VALUE): Get ARMAdmin Community

“Displaying the Select Employee Panel to Administrators” on page 123

LightsOutDeleteWorkflow

Refers to the workflow called in the ss_ProcessScheduledDeletions stored procedure.

CONFIG TYPE: Text.

Default (CONFIG VALUE): LightsOutDeleteWorkflow

LoggedInUniqueIDMacro

Calls the macro that returns the ProfileUID based on the Active Directory user name.

Accepts a custom macro name.

CONFIG TYPE: Text.

Default (CONFIG VALUE): Get LoggedInUniqueID Macro

The value returned by the macro is matched against the ProfileUID, so the macro should return the ProfileUID based on the Active Directory user name. The macro is resolved when an individual requests access for himself.

MultiUserSearchOption2

Configures the grid displayed on the ADVANCED SEARCH CONTROL popup to find employees for delegation.

CONFIG TYPE: Complex.

“Using the Default Global Configuration to Customize the Search Control Popup” on page 128

ProfileApprovalDisplayFields

Used for display fields for approval of profiles.

CONFIG TYPE: Complex.

“Configuring the Approve and Deny Action Buttons” on page 96

ProfileManagerURLLabel

Label for the Profile Manager link.

CONFIG TYPE: Text

Default (CONFIG VALUE): Launch Profile Manager

“Configuring Items to Add a New Profile” on page 154

ProfileManagerURLText

Used to specify the URL to link to the profile management workflow.

CONFIG TYPE: Text

Default (CONFIG VALUE): http://SERVERNAME/courion/WebSamples/AccessOptions/HTML/AccountCourier/default.asp?Workflow=WORKFLOW&

“Configuring Items to Add a New Profile” on page 154

RequestAsManagerSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

RequestAsResourceOwnerSearchRestriction

CONFIG TYPE: Complex.

“Configuring the Search Control Popup” on page 135

ResultsPerPage

Configures the number of rows displayed per page in all the grids of the Access Request Manager.

CONFIG TYPE: Text

Default (CONFIG VALUE): 10

SharedAccessGridColumns

Configures the Access Grid on the REQUEST DETAILS screen.

CONFIG TYPE: Text

“Configuring the Access Grid” on page 96

SystemURL

Points to the URL of the machine that hosts the Access Request Manager.

CONFIG TYPE: Text.

Editing Global Configurations Using the Global Configuration Manager

To navigate to the GLOBAL CONFIGURATION MANAGER, select ADMIN > GLOBAL CONFIGURATION MANAGER from the drop-down list.

Figure 12: The Global Configuration Manager

The GLOBAL CONFIGURATION MANAGER appears as shown in Figure 12, and shows the default global configurations.

Editing Global Configurations with Config Type as Text

To edit a global configuration with CONFIG TYPE as TEXT, select EDIT for that global configuration. The EDIT VALUES screen appears, as shown in Figure 13.

Figure 13: Global Configurations with Config Type as Text

Edit the CONFIG VALUE and DESCRIPTION. Click UPDATE when done.

Editing Global Configurations with Config Type as Complex

To edit a global configuration with CONFIG TYPE as COMPLEX, select EDIT. For example, select EDIT for the APPROVALPROFILEDISPLAYFIELDS global configuration. The EDIT VALUES screen appears, as shown in Figure 14.

Figure 14: AccessCatalogFields Global Configuration

Select EDIT COMPLEX VALUES. An EDIT COMPLEX VALUE editor appears as shown in Figure 15.

Figure 15: Edit Complex Value Editor

The editor contains a grid that allows you to EDIT values for one or more of the fields, DELETE an entire row, or add a NEW row to the global configuration.

Make the changes you want, and select UPDATE. Select OK to exit from the editor. Modify the text in the DESCRIPTION field, and select UPDATE on the EDIT VALUE screen to save the changes.

The EDIT COMPLEX VALUE editor may display one or more of the following fields for the global configurations with CONFIG TYPE as COMPLEX that are listed in Table 1:

• Order: Accepts an integer. The fields are displayed in the order specified.

• Visible: Accepts a boolean value of true or false. True shows a field and false hides it.

• Column-name: Accepts a string. Depending on the context, it identifies a field from a table or identifies an action.

• Label/Alias: Accepts a string. Enter a user-friendly alias for a field. This alias appears as the field name on the user screens.

• Control: Accepts a string. The data types supported are text, boolean, list and date time. Text displays a textbox, boolean displays a checkbox, list displays a drop-down list, date time displays date time control.

• Clause: Accepts a custom macro name.

• Defaultvalues: Accepts a string. Specify the information you want to appear as default. For example, if the control data type is a list, the user is shown a drop-down list with default values. The values you specify populate the drop-down list.

• Required: Accepts a boolean value of true or false. If it is true, user input is required; if it is false, no input is required.

• Require-comment: Accepts a boolean value of true or false. If true, the user is required to enter a comment when some action is performed.

• ImageURL: Accepts a path for an image.

Configuring the Individual Search Control Screens

The SEARCH CONTROL screen appears when you search for a user. Specific global configurations with CONFIG TYPE as COMPLEX enable you to configure the screen, based on the user being searched. For example, the FINDDELEGATORSEARCHOPTION enables you to specifically configure the SEARCH CONTROL screen that appears when you search for delegators on the DELEGATE ACCESS PRIVILEGES screen. Similarly, the following global configurations configure the SEARCH CONTROL screen for the specified user search:

• APPROVEASMANAGERSEARCHOPTION - Delegatee for Approve As Manager access privilege.

• APPROVEASAPPROVERSEARCHOPTION - Delegatee for the Approve as Approver access privilege.

• REQUESTASMANAGERSEARCHOPTION - Delegatee for the Request as Manager access privilege.

• FINDDELEGATORSEARCHOPTION - Delegators.

• DISABLEUSERSEARCHOPTION - Users being terminated.

To edit, for example, the DISABLEUSERSEARCHOPTION global configuration, select EDIT. The EDIT VALUES screen appears, as shown in Figure 16.

Figure 16: DisableUserSearchOption

Select EDIT COMPLEX VALUES. An EDIT COMPLEX VALUE editor appears as shown in Figure 15.

Figure 17: Edit Complex Value Editor

The editor consists of a panel that enables you to configure the SEARCH CONTROL screen by specifying the following fields:

• HEADING: Specify the header, such as Find User. This header appears in the search panel.

• KEYCOLUMN: Specify the unique field to search on in the table. For example, ProfileUID.

• RESTRICTIONCONFIGURATIONNAME: Enter the name of a default global configuration that implements a restriction. For example, enter DisableUserSearchRestriction. DisableUserSearchRestriction is a restriction global configuration that is available through the GLOBAL CONFIGURATION MANAGER, and contains a CLAUSE column that accepts a custom macro or a SQL clause. Define your restriction in the custom macro and reference the custom macro in the CLAUSE column. The restriction gets implemented when you search for a user using the SEARCH CONTROL screen.

• ISSINGLESELECT: Reserved for future use. (The default value is true).

• ROWSPERRESULTPAGE: Enter the number of rows to display in the results grid.

• RESULTCOLUMNS: Enter a list of comma-separated fields from a table. For example, ProfileUID,FirstName. The fields you specify here appear in the results grid.

The editor also displays a grid to configure the search grid that appears on the SEARCH CONTROL screen. Follow the steps described in the “Editing Global Configurations with Config Type as Complex” on page 39 to configure the search grid.

Specifying Custom Macros in the Edit Complex Value Editor

Typically, the fields in the EDIT COMPLEX VALUE editor described in the section “Editing Global Configurations with Config Type as Complex” accept values of a certain type. The fields are also enabled to accept custom macros. For example, the COLUMN-NAME column for the SINGLEUSERSEARCHKEY global configuration contains a field name from the Profile table, as shown in Figure 18.

Figure 18: SingleUserSearchKey without a Custom Macro

You can edit the COLUMN-NAME for the SINGLEUSERSEARCHKEY global configuration to reference a custom macro, as shown in Figure 19.

Figure 19: SingleUserSearchKey with the Custom Macro

The following fields in the EDIT COMPLEX VALUE editor are enabled to accept custom macros and support a return value from the custom macro of the type described for each:

• Order - Integer

• Visible - Boolean (True or False)

• Column-name - String

• Label - String

• Control - String for data types text, boolean, list and date time.

• Required - Boolean (True or False)

• Require-comment - Boolean (True or False)

• Defaultvalues - String (For control = list, the string should be with comma-separated values).

The custom macros enable you to make the fields configurable and conditional.

Adding Global Configurations to the GlobalConfigValues Table

Some global configurations are unavailable to edit through the GLOBAL CONFIGURATION MANAGER, and you may need to add them to the GlobalConfigValues table. This section describes how to add the global configurations for grids and drop-downs.

Note: Regardless of the type of global configuration, the ConfigType is always text when you insert the values described in this section.

Grid Configuration

To add a grid global configuration to the GlobalConfigValues table:

1. Navigate to the location where your Courion database resides.

2. Add the global configuration to the GlobalConfigValues table. For example, to insert Admin.Catalog.SharedRolesGridColumns, add this T-SQL statement:

INSERT INTO GlobalConfigValues (ConfigName, ConfigType, ConfigValue)
VALUES ('Admin.Catalog.SharedRolesGridColumns', 'Text',
'<grid-columns>
  <column model-name="RoleId" label="Id" />
  <column model-name="Name" label="Name" />
  <column model-name="Description" label="Description" />
  <column model-name="IsAssignable" label="Enabled">
    <attribute name="class" value="k-capitalize" />
  </column>
  <column model-name="OwnerName" label="Owner" />
  <column model-name="Assignments" label="Assignments" filterable="false" sortable="false" />
</grid-columns>')

The XML schema for the <column> node supports these attributes:

• Name — This is the object ID used by the system to reference the column name. Do not change the defaults.

• Label — Enter the text you want to display in the grid for the column name.

• Filterable — Accepts true and false. If true, the column is filterable; if false, the column is non-filterable.

Note: Datetime fields are not filterable.

• Sortable — Accepts true and false. If true, the column is sortable; if false, the column is non-sortable.

Note: By default, a column is sortable and filterable if these attributes are not specified in the column node.

Adding, Removing and Ordering of Fields in the Global Configuration

To add a column, add a column node. For example, to add a new column:

<column model-name="Location" label="Location" />

To delete a column, include hidden="true" as shown in this example:

<column model-name="description" hidden="true" />

To specify a certain display order for a column, follow this example:

<column model-name="RoleId" label="Id" />
<column model-name="Name" label="Name" />
<column model-name="Description" label="Description" />

The above example demonstrates that Id will appear first, Name second, and Description third within a grid. To reorder, change the order of the fields within the XML.

Using Custom Macros in <column> Node

The model-name and label attributes of the <column> node can resolve custom macros. To resolve a custom macro in the <column> node, follow this example:

<column model-name="%Custom Macro.MyMacro%" />

You need to first create a custom macro before you use it in the <column> node. To create the custom macro, refer to the chapter “Using Macros” on page 101.
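A pre-flight check for a <grid-columns> value before it is inserted into GlobalConfigValues, as an added example that is not part of the Courion guide or product. It rejects XML that is not well-formed (the usual result of typographic quotes pasted from a document), checks model-name values against the vw_Role fields from Table 2, skips macro references, and returns a parameterized INSERT. The function names and the "?" parameter markers are assumptions; fields missing from Table 2 are only warnings because the guide's own sample uses IsAssignable, which Table 2 does not list.

```python
import re
import xml.etree.ElementTree as ET

# Field names and data types of the vw_Role view, copied from Table 2 of this guide.
VW_ROLE_FIELDS = {
    "RoleId": "string", "Version": "integer", "Name": "string",
    "Description": "string", "IsTemplate": "boolean", "IsInheritable": "boolean",
    "ChangedOn": "datetime", "ChangedBy": "string", "CreatorName": "string",
    "OwnerName": "string", "IsApproved": "boolean", "Assignments": "integer",
    "IsEditable": "boolean",
}
MACRO_REF = re.compile(r"^%[^%]+%$")  # e.g. %Custom Macro.MyMacro%, resolved by the product
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"
# Assumption: "?" markers as used by qmark-style DB-API drivers; adjust for your driver.
INSERT_SQL = ("INSERT INTO GlobalConfigValues (ConfigName, ConfigType, ConfigValue) "
              "VALUES (?, ?, ?)")

# Constructed sample: the guide's SharedRolesGridColumns value with straight quotes.
SAMPLE_CORRECTED = """<grid-columns>
  <column model-name="RoleId" label="Id" />
  <column model-name="Name" label="Name" />
  <column model-name="Description" label="Description" />
  <column model-name="IsAssignable" label="Enabled">
    <attribute name="class" value="k-capitalize" />
  </column>
  <column model-name="OwnerName" label="Owner" />
  <column model-name="Assignments" label="Assignments" filterable="false" sortable="false" />
</grid-columns>"""
# Constructed sample: the same value after a word processor has curled two quotes.
SAMPLE_TYPOGRAPHIC = SAMPLE_CORRECTED.replace('sortable="false"', "sortable=\u201dfalse\u201d")


def validate_grid_columns(xml_text, view_fields):
    """Return (severity, message) findings for a <grid-columns> ConfigValue."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        hint = ""
        if any(ch in TYPOGRAPHIC_QUOTES for ch in xml_text):
            hint = "; typographic quotes found, use straight quotes for attribute values"
        return [("error", f"not well-formed XML ({exc}){hint}")]
    if root.tag != "grid-columns":
        return [("error", f"root element is <{root.tag}>, expected <grid-columns>")]
    findings, seen = [], set()
    by_lower = {field.lower(): field for field in view_fields}
    for pos, col in enumerate(root.findall("column"), start=1):
        name = col.get("model-name")
        if not name:
            findings.append(("error", f"column {pos}: model-name is missing"))
            continue
        if name in seen:
            findings.append(("warning", f"column {pos}: '{name}' is listed more than once"))
        seen.add(name)
        for attr in ("filterable", "sortable"):
            value = col.get(attr)
            if value is not None and value not in ("true", "false"):
                findings.append(("error", f"column {pos}: {attr}='{value}' is not true or false"))
        if MACRO_REF.match(name):
            continue  # the field name is only known once the macro is resolved
        if name not in view_fields:
            exact = by_lower.get(name.lower())
            detail = (f"differs in case from '{exact}' (field names are case sensitive)"
                      if exact else "is not a field of the view; confirm it is intended")
            findings.append(("warning", f"column {pos}: '{name}' {detail}"))
        elif view_fields[name] == "datetime" and col.get("filterable") == "true":
            findings.append(("error", f"column {pos}: datetime field '{name}' is not filterable"))
    return findings


def build_insert(config_name, xml_text, view_fields):
    """Return (sql, params) for a parameterized INSERT, or raise if validation finds errors."""
    errors = [msg for severity, msg in validate_grid_columns(xml_text, view_fields)
              if severity == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    # ConfigType is always Text for rows inserted this way, per the note in this section.
    return INSERT_SQL, (config_name, "Text", xml_text)


if __name__ == "__main__":
    for label, sample in (("corrected", SAMPLE_CORRECTED), ("typographic", SAMPLE_TYPOGRAPHIC)):
        print(label, validate_grid_columns(sample, VW_ROLE_FIELDS))
```

Passing the value as a bound parameter also avoids having to escape single quotes inside the XML by hand.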

Drop-Down Configuration

To add a drop-down global configuration to the GlobalConfigValues table:

INSERT INTO GlobalConfigValues (ConfigName, ConfigType, ConfigValue)
VALUES ('Access.ManageUsersAccess.UserMgProfileSearch', 'Text',
'<dropdown-properties minimum-query="2" maximum-results="20" />')

The XML schema for the drop-down global configuration supports the following attributes:

• Minimum-query — The minimum number of characters required to initiate a query to populate a drop-down list.

• Maximum-results — The maximum number of items to present in a drop-down list.

Views Used in Global Configurations

This section provides all the views with fields that may be referenced by the global configurations and restriction macros described in the manual. The fields are case sensitive, and should be used as indicated in this section.

Notes: All fields are configurable, unless indicated otherwise. Datetime fields do not support filtering.

The vw_Role View

Table 2 lists all the fields in the vw_Role view.

Table 2: vw_Role

Fields Data Type
RoleId string
Version integer
Name string
Description string
IsTemplate boolean
IsInheritable boolean
ChangedOn datetime
ChangedBy string
CreatorName string
OwnerName string
IsApproved boolean
Assignments integer
IsEditable boolean

The vw_Profile View

Table 3 lists all the fields in the vw_Profile view.

Table 3: vw_Profile

Fields Data Type
ProfileUID string
ManagerID string
RoleID integer
LocationID string
FirstName string
LastName string
EmployeeType string
EmployeeNo string
EmployeeStatus string
JobCode string
Company string
Department string
DepartmentDescription string
Division string
BusinessUnit string
Location string
Phone string
JobTitle string
StartDate datetime
LOAReturnDate datetime
TermDate datetime
Email string
Status integer
UserType integer
DeleteHold boolean
Active boolean
SelfQuestion01 string
SelfQuestion02 string
SelfQuestion03 string
SelfQuestion04 string
SelfQuestion05 string
SelfAnswer01 string
SelfAnswer02 string
SelfAnswer03 string
SelfAnswer04 string
SelfAnswer05 string
SupportQuestion01 string
SupportQuestion02 string
SupportQuestion03 string
SupportQuestion04 string
SupportQuestion05 string
SupportAnswer01 string
SupportAnswer02 string
SupportAnswer03 string
SupportAnswer04 string
SupportAnswer05 string
TOAQuestion01 string
TOAQuestion02 string
TOAQuestion03 string
TOAQuestion04 string
TOAQuestion05 string
TOAAnswer01 string
TOAAnswer02 string
TOAAnswer03 string
TOAAnswer04 string
TOAAnswer05 string
ProfileRegistration string
EmployeeID string
ContractorEndDate datetime
CustomAttrStr1 string
CustomAttrStr2 string
CustomAttrStr3 string
CustomAttrStr4 string
CustomAttrStr5 string
CustomAttrStr6 string
CustomAttrStr7 string
CustomAttrStr8 string
CustomAttrStr9 string
CustomAttrStr10 string
CustomAttrDecimal1 decimal
CustomAttrDecimal2 decimal
CustomAttrDecimal3 decimal
CustomAttrDecimal4 decimal
CustomAttrDecimal5 decimal
CustomAttrDateTime1 datetime
CustomAttrDateTime2 datetime
CustomAttrDateTime3 datetime
CustomAttrDateTime4 datetime
CustomAttrDateTime5 datetime
CustomAttrBit1 boolean
CustomAttrBit2 boolean
CustomAttrBit3 boolean
CustomAttrBit4 boolean
CustomAttrBit5 boolean

The vw_Entitlement View

Table 4 lists all the fields in the vw_Entitlement view.

Table 4: vw_Entitlement

Column Data Type
Entitlement_Id string
Name string
Value string
IsEditable boolean
SingleValueAttribute boolean
Automated boolean
CustomControl boolean
ControlLabel string
ControlType string
Required boolean
HelpText string
Provisioner string
ProvisionerEmail string
ClosedLoop boolean
UserVisible boolean
C_changed_on datetime
C_changed_by string
Description string
BusinessName string

The vw_Tag View

Table 5 lists all the fields in the vw_Tag view.

Table 5: vw_Tag

Column Data Type
Tag_ID string
Name string
Description string
Owner string
State boolean
ChangedOn datetime
ChangedBy string

The vw_Entitlement_Tag View

Table 6 lists all the fields in the vw_Entitlement_Tag view.

Table 6: vw_Entitlement_Tag

Column Data Type
Target_ID string
Name string (Note: If you use this in a macro, use BusinessName as this column is derived from the Entitlement table.)
Value string
IsEditable boolean
EntitlementId string
Description string

The vw_Role_Tag View

Table 5 lists all the fields in the vw_Role_Tag view.

Table 7: vw_Role_Tag

Column Data Type
RoleID string
Name string
Description string
Owner string
IsActive string
IsApproved string
Tag_Id string
TagName string
OwnerName string

Chapter 5: Configuring Picklists

This chapter describes how to configure the picklist, and it includes the following sections:

• “Using the Picklist Admin”

Using the Picklist Admin

You can create and manage picklists through the PICK LIST ADMIN. A picklist enables you to create a list of pre-defined values from which you can select only one.

This section lists the default picklist types available to you, and describes the general procedure to add a list of values to them.

Default Picklist Types and Values

Table 8: The Default Picklist Types

Columns: Default Picklist Types; PickList Values Supported; Where is the PickList Value Used; Description

ApprovalType

PickList Values Supported: Manager, Secondary, and ProfileApproval

Where Used: System Use

Description: If the Business Manager approves a request, then the approval type is Manager. If a second-level approver approves the request, the approval type is secondary.

Severity

PickList Values Supported: High, Medium, and Low.

Where Used: Populates the SEVERITY drop-down list for access levels on the APPLICATION/ACCESS MANAGER.

Status

PickList Values Supported:

Pending - the request is submitted and awaiting approval.

Approved - the request is approved.

Denied - the request is denied.

On Hold - the request is on hold if there are multiple levels of approvals.

Processing - the request is in processing until AccountCourier or manual action is taken on the request.

Ready - the request is ready to be provisioned.

Complete - the request is complete if AccountCourier or manual action is taken on the request.

Where Used: Displayed on the View Request and Admin - View All Requests screens.

Description: Defines the different states of a request.

UserStatus

PickList Values Supported: Active and Inactive

Where Used: Used to indicate the status in the Active column of the Profile table. If the Active column is true, the User Status is Active; if the Active column is false, the User Status is Inactive.

Description: Defines the state of a profile request. The User Status is Active if the request was approved. The User Status is Inactive if the profile request is waiting to be approved.

Adding a Picklist Value

To add a picklist value for a default picklist type, follow these steps:

1. Click ADMIN > ACCESS REQUEST MANAGER, and select PICKLIST CONFIGURATION from the drop-down list. The PICKLIST ADMIN appears, as shown in Figure 20.

Figure 20: PickList Admin

2. Select ADD PICKLIST ITEM, as shown in Figure 21.

Figure 21: Add PickList Value and Type

Configure the following fields:

PICKLIST VALUE: Add a customized value for the picklist type. For example, add Sales.

3. Click INSERT to add it to the PICK LIST ADMIN.

Click the Edit icon to edit, or the Delete icon to delete a picklist value.

Chapter 6: Adding Access Items

Before a requester can request access, you need to configure the access items required to create an access request. This chapter describes how to configure and manage roles and access entitlements through the MANAGE ACCESS CATALOG.

This chapter includes the following sections:

• “Adding a Role”

• “Editing an Existing Role”

• “Approving New and Modified Roles”

• “Enabling or Disabling a Role”

• “Adding Access Entitlements”

• “Assigning Tags to Access Entitlements”

Definition of an Access Entitlement

An access entitlement is the combination of an attribute name, an attribute value, and a target name.

Definition of a Role

A role is defined as a collection of one or more access entitlements, and can also include other roles.

Definition of an Access Item

An access item is a term used to collectively refer to roles and access entitlements in this manual.

Adding a Role

To add a new role, go to ADMIN > ACCESS REQUEST MANAGER > MANAGE ACCESS CATALOG. The MANAGE ACCESS CATALOG screen appears with the ROLES and ENTITLEMENTS tabs.

Figure 22: Manage Access Catalog

Click on the ADD NEW ROLE button to add a new role. The MANAGE ACCESS CATALOG - ADD/MODIFY screen appears with the ROLE and ACCESS tabs.

Adding Information on the Roles Tab

The ROLES tab (see Figure 23) enables you to:

• Add general information about a role

• Assign approvers for role definition or utilization (access request approval)

• Categorize the role with tags to facilitate search for this role later

Figure 23: Add New Role

Adding General Information About Role

In the GENERAL INFORMATION section (see figure), complete the following details:

• ROLE NAME — Enter a descriptive name for the role.

• OWNER — Select a role owner by typing search criteria in the textbox. You can also click the ADVANCED SEARCH button to search for more profiles; an ADVANCED SEARCH popup appears, similar to Figure 24.

• DESCRIPTION — Enter a user-friendly description to provide more information about the role.

The checkbox determines whether a role is enabled (checked) or disabled (unchecked) after the role definition is approved. By default, the checkbox is unchecked. Disabled roles cannot be used in other role definitions or assigned to users even if they have been approved.

Adding Definition and Access Approvers

In the APPROVERS section, select one or more approvers for the role definition and access request approvals. Enter your search text in the Search Profiles textbox, and select an approver. The selected profile is automatically added to the Approver grid. Use the ADVANCED SEARCH popup to add more than one approver.

Figure 24: Advanced Search

Select one or more approvers, and click ADD SELECTED on the ADVANCED SEARCH popup. Exit the popup, and the selected profiles are automatically added to the Approver grid.

Once you have selected the approvers, you can check the Definition and Access checkboxes for an individual approver.

Figure 25: Approvers

Check the Definition checkbox for one or more users, if you want them to be Definition approvers. All the users for whom the Definition checkbox is checked for a role constitute the group of Definition approvers. At least one person from this group needs to approve a role definition for the role to be approved. Hence, the first approver from this group to take action determines whether the role definition is approved or denied for the entire group.

Check the Access checkbox for one or more users, if you want them to be Access approvers. All the users for whom the Access checkbox is checked for a role constitute the group of Access Request approvers. At least one person from this group needs to approve the access request for the role. Hence, the first approver from this group to take action determines whether or not the role is assigned to a user.

A user for whom the Definition or Access checkbox is unchecked is removed from the Definition approvers group or Access approvers group, respectively, when the role is submitted for approval.

Note: The absence of at least one user with a checked box for Definition or Access in the approvers grid eliminates the need for a Definition or Access Approvers group, respectively, for a role.

For additional information about the approval process, refer to “Editing an Existing Role” on page 63.
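The approver-group rules above (group membership by checkbox, first member to act decides, no checked user means no group) can be modelled to review a role's approver settings before submitting it. This is an added illustration, not Courion code; the class names, the decision strings and the sample roles are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Approver:
    name: str
    definition: bool = False  # Definition checkbox in the Approver grid
    access: bool = False      # Access checkbox in the Approver grid


@dataclass
class Role:
    name: str
    approvers: list = field(default_factory=list)

    def group(self, kind):
        """Members of the 'definition' or 'access' approvers group.

        An approver whose box for that kind is unchecked is not in the group.
        """
        if kind not in ("definition", "access"):
            raise ValueError(f"unknown approval kind: {kind}")
        return [a.name for a in self.approvers if getattr(a, kind)]


def resolve(role, kind, actions):
    """Resolve one approval from an ordered list of (approver_name, decision).

    decision is 'approve' or 'deny'. The first group member to act decides
    for the whole group; actions by people outside the group are ignored.
    """
    members = set(role.group(kind))
    if not members:
        return "no approvers group"  # the Note above: nobody is asked
    for name, decision in actions:
        if name not in members:
            continue
        if decision not in ("approve", "deny"):
            raise ValueError(f"unknown decision: {decision}")
        return "approved" if decision == "approve" else "denied"
    return "pending"


def roles_without_group(roles):
    """Review helper: (role name, kind) pairs that have no approvers group."""
    return [(r.name, kind) for r in roles
            for kind in ("definition", "access") if not r.group(kind)]


# Constructed sample roles (hypothetical names).
SAMPLE_ROLES = [
    Role("Sales Analyst", [Approver("alice", definition=True, access=True),
                           Approver("bob", access=True),
                           Approver("carol")]),  # both boxes unchecked
    Role("Contractor Basic", [Approver("dave", definition=True)]),
]
```

Running roles_without_group over the role list shows which roles will be submitted with no Definition or Access approvers group, which is the case the Note describes.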

Assigning Tags to Categorize Roles

In the TAGS section, you can create new tags, and associate new or existing tags to a role. By using tags, you categorize roles to facilitate future searches for a role. To associate tags to a role, create new tags. The newly created tags are added to the TAGS grid. Once the role is approved, all the tags added to the TAGS grid will be associated with the role.

To associate existing tags to a role, enter the search text in the Search Tags textbox, and select a tag from the drop-down list. The tag you select is added to the TAGS grid.

To create new tags and associate them to a role, click ADD TAG. In the ADD TAG popup, enter a name and description for the tag. Click ADD, and the tag is added to the TAGS grid.

Note: The new tags are added to the Tag catalog, and you can use these later to tag other roles.

To remove tags associated with a role, select an individual tag or check the Select All checkbox, and click REMOVE. The tags are removed from the TAGS grid and disassociated from the role.

Figure 26: Tags

Adding Information on the Access Tab

After you add the general information for the role with the optional approvers and tags, add the access entitlements and roles to complete the role definition on the ACCESS tab as shown.

Figure 27: Access

Use the FIND ACCESS BY drop-down list to search for access by ROLE, INTELLIGENT MODELING or ENTITLEMENT. Yes, in

Selecting Role or Entitlement enables you to search for access from the Role or Entitlement catalog, respectively. You can search the catalogs by entering the search text, and clicking SEARCH. For roles, the search is against the role name or role description. For access entitlements, the search is against the target ID, attribute name or attribute value. If the search string is contained in any of the fields, the search is successful. To narrow the search results further, select and filter by tags. Select the roles or access entitlements from the grid, and click ADD SELECTED. The selected roles or access entitlements appear in the ROLE DEFINITION grid.

To search for access based on the current access of one or more existing profiles, you can search by Intelligent Modeling. If you select this option, a secondary SEARCH PROFILES drop-down list appears as shown.

Figure 28: Intelligent Modeling

Select a profile from the drop-down list, and the search results will show a user profile with all the accesses related to that profile. Filter additional profiles as needed. The profile appears in the left grid with the access in the right grid. The access may be a role or an access entitlement, depending on the icon shown against it. The Entitlement icon represents an access entitlement type and a Role icon represents a role type.

As you select more profiles, the percentages in the Access grid will vary depending on how many profiles contain a specific access. For example, assume you select User1 and User2 profiles. If User1 and User2 share Business1, the percentage will show 100%; if Business1 only belongs to User 1, the percentage will show 50%. To find out the distribution of accesses across profiles, expand an access by clicking on the arrow in the Access grid.
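The percentage and distribution described above can be reproduced for any number of selected profiles. This is an added example, not the product's code; the data layout, the function names, the Payroll-Read entitlement and rounding to a whole percent are assumptions.

```python
from collections import defaultdict

# Constructed sample: profile name -> set of (type, name) access items.
SAMPLE_PROFILES = {
    "User1": {("role", "Business1"), ("entitlement", "Payroll-Read")},
    "User2": {("role", "Business1")},
}


def access_distribution(profiles):
    """Return {access: (percent of selected profiles, sorted holders)}."""
    if not profiles:
        return {}
    holders = defaultdict(list)
    for profile, accesses in profiles.items():
        for access in accesses:
            holders[access].append(profile)
    total = len(profiles)
    return {
        access: (round(100 * len(names) / total), sorted(names))
        for access, names in holders.items()
    }


def rank(profiles):
    """Accesses ordered from most to least widely held, as a review list."""
    dist = access_distribution(profiles)
    return sorted(dist.items(), key=lambda kv: (-kv[1][0], kv[0]))


if __name__ == "__main__":
    for (kind, name), (percent, who) in rank(SAMPLE_PROFILES):
        print(f"{percent:3d}%  {kind:<12} {name:<14} held by {', '.join(who)}")
```

An access held by only a small share of the selected profiles is worth a second look before it is added to the role definition, since everyone assigned the role would receive it.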

Select one or more accesses from the grid, or select all using the Select All checkbox. Click ADD SELECTED to add the accesses to the ROLE DEFINITION grid.

Submit the role definition for approval by clicking on SUBMIT. Click CANCEL to exit without saving the role definition. For additional information about approving roles, refer to “Editing an Existing Role” on page 63.

Editing an Existing Role

To edit an existing role, go to ADMIN > ACCESS REQUEST MANAGER > MANAGE ACCESS CATALOG, and click on the ROLES tab. Click on the EDIT button next to the role you want to modify. After you make the modifications, submit the modified role definition for approval.

Once the modified role definition is submitted for approval, the role is shown as read-only on the MANAGE ACCESS CATALOG screen. Click the VIEW button next to the role in the DETAILS column to view the original role definition.

Note: The original role definition is available for use within another role definition or access request.

You can enable a role definition by clicking ENABLE, and disable by clicking DISABLE on the MANAGE ACCESS CATALOG. Enabled roles are always available for use within another role definition or access request.

To view the modified role, go to ACTIONS > VIEW REQUEST, and click on VIEW next to your request to modify the role definition.

The modified role definition is immediately available for use in another role definition or access request if it is approved. If the modified role definition is denied, the modifications are lost and the original definition becomes editable and available for use in another role definition or access request.

For additional information about role approval, refer to the section “Approving New and Modified Roles” on page 64.

Approving New and Modified Roles

To approve new or modified roles, refer to the chapter “Configuring the Approval Workflows” on page 89.

Enabling or Disabling a Role

Individual roles can be enabled or disabled through the MANAGE ACCESS CATALOG - ADD/MODIFY screen while creating or modifying a role. In addition, you can simultaneously enable or disable multiple roles through the MANAGE ACCESS CATALOG screen after the roles have been created and approved. To enable one or more roles, select the roles and click ENABLE. To disable one or more roles, select the roles and click DISABLE. The ENABLED column shows a Yes or No depending on whether or not the role is enabled.

Figure 29: Enable or Disable Roles

Only approved and enabled roles can be used in other role definitions or access requests.

Note: A role that is approved but disabled is not available for future role definitions or access requests.

The ASSIGNMENTS column in Figure 29 shows the number of users who have been assigned a role. As you assign an enabled role to more users, the number increases. When an enabled role is disabled, the ASSIGNMENTS column will show the number of assignments prior to its status change to disabled.

Adding Access Entitlements

To add access entitlements, go to ADMIN > ACCESS REQUEST MANAGER > MANAGE ACCESS CATALOG, and click on ENTITLEMENTS.

Click on the ADD NEW ENTITLEMENT button to add a new access entitlement. The ADD NEW ENTITLEMENT popup appears as shown in Figure 30.

Figure 30: Add New Entitlement

Configure the following fields on the popup:

NAME — Enter a business-friendly name to identify an access entitlement. This name appears on both the MANAGE ACCESS CATALOG and MANAGE USER ACCESS when you search for access entitlements.

DESCRIPTION — Enter a user-friendly description to provide more information about the role.

TARGET SYSTEM — Enter a target name. If the target already exists, then the access entitlement is mapped to the target name. If the target does not exist, an entry for the target is created first and then mapped to the access entitlement.

ATTRIBUTE NAME and VALUE — Enter a name and value for the attribute. The value you enter becomes editable on the MANAGE USER ACCESS screen, if EDITABLE is checked.

USER VISIBLE — If checked, the value is set to true, and the access entitlement is visible on the MANAGE USER ACCESS screen.

EDITABLE — Enables the requester to edit the attribute value on the MANAGE USER ACCESS screen, if this is checked.

SINGLE VALUE ATTRIBUTE — This may be used for provisioning beyond the scope of the Access Request Manager.

Assigning Tags to Access Entitlements

Select the access entitlements to which you want to assign tags, and click ASSIGN TAGS.

You can assign a tag to one or more access entitlements. An access entitlement may be associated with one or more tags.

Figure 31: Access Entitlements

You can later use these tags as a filter to search for the tagged access entitlements.

Chapter 7: Configuring the Manage Access Catalog

This chapter describes how to configure the MANAGE ACCESS CATALOG using the global configurations, and includes the following sections:

• “Configuring Items on Roles Tab”

• “Configuring Items on Entitlements Tab”

Before you configure the grids and drop-downs, review “Using the Global Configuration Manager” on page 29 that describes the global configurations in general and how to add or edit them.

Note: The global configurations described in this chapter for the grids and drop-downs are not visible in the GLOBAL CONFIGURATION MANAGER by default. To add them to the GlobalConfigValues table, follow the steps described in the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

To configure the restriction macros for the MANAGE ACCESS CATALOG, see the chapter “Using Macros” on page 101.

Configuring Items on Roles Tab

This section describes the global configurations that are applicable to the grids and drop-downs on the ROLES tab, and the ADD/MODIFY screen for roles.

Configuring the Roles Grid

The Roles grid (see Figure 32) shows all the roles that were created with details including the role owner and whether or not a role is enabled. You can configure this grid using the ADMIN.CATALOG.SHAREDROLESGRIDCOLUMNS global configuration. The fields are from the vw_Role view.

Figure 32: Roles Grid

The default XML is as follows:

<grid-columns>

<column model-name="Name" label="Name" />

<column model-name="Description" label="Description" />

<column model-name="OwnerName" label="Owner" />

<column model-name="Assignments" label="Assignments" filterable="false" />

<column model-name="DisplayChangedOnDate" label="Last Modified" filterable="false"/>

<column model-name="IsAssignable" label="Enabled">

<attribute name="class" value="k-capitalize" />

</column>

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Search Tags Drop-down on Assign Tags Popup

Configure the Search Tags drop-down list to search for tags with the ADMIN.CATALOG.SHAREDTAGSEARCHPROPERTIES global configuration on the ASSIGN TAGS popup. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring Items on the Add/Modify Screen

This section describes all the configurable items on the ADD/MODIFY screen for roles.

Configuring the Advanced Search Grid To Search for Owners on Roles Tab

You can use the ADVANCED SEARCH (see Figure 33) to search for a role owner. The Search Result grid that appears on the ACCESS SEARCH shows results based on your search criteria. Use the ADMIN.CATALOGMODIFY.ROLEOWNERPROFILESEARCH global configuration to configure the fields. The global configuration uses the vw_Profile view. To view the fields from the vw_Profile view, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Figure 33: Search Results for Owners

The default XML is as follows:

<grid-columns>

<column model-name="FirstName" label="First Name" />

<column model-name="LastName" label="Last Name" />

<column model-name="Department" label="Department" />

<column model-name="Location" label="Location" />

<column model-name="ManagerID" label="Manager" />

<column model-name="JobCode" label="Job Code" />

</grid-columns>

Configuring the Owners or Approvers Drop-down on Roles Tab

Configure the Search Profiles drop-down list to search for a role owner or an approver (see Figure 33) with the ADMIN.CATALOGMODIFY.SHAREDPROFILESEARCHPROP global configuration. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Advanced Search Grid To Search for Approvers on Roles Tab

You can use the ADVANCED SEARCH (see Figure 34) to search for access and definition approvers. The Search Result grid that appears on the ACCESS SEARCH shows results based on your search criteria. Use the ADMIN.CATALOGMODIFY.ROLEAPPROVERPROFILESEARCH configuration to configure the fields. The global configuration uses the vw_Profile view. To view the fields from the vw_Profile view, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Figure 34: Search Results for Approvers

The default XML is as follows:

<grid-columns>

<column model-name="FirstName" label="First Name" />

<column model-name="LastName" label="Last Name" />

<column model-name="Department" label="Department" />

<column model-name="Location" label="Location" />

<column model-name="ManagerID" label="Manager" />

<column model-name="JobCode" label="Job Code" />

</grid-columns>

Configuring the Search Tags Drop-down on Roles Tab

Configure the Search Profiles drop-down list (see Figure 35) on the ASSIGN TAGS popup to search for tags with the ADMIN.CATALOGMODIFY.SHAREDTAGSEARCHPROPERTIES global configuration. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Tag Grid on Roles Tab

The TAG grid (see Figure 35) in the TAGS section shows the tags you select using the Search Tags filter or the new tags you create using the ADD TAG button. Use the ADMIN.CATALOGMODIFY.SHAREDTAGSEARCHCOLUMNS global configuration to configure the grid. The fields are from the vw_Tag view.

Figure 35: Tag Grid

The default XML is as follows:

<grid-columns>

<column model-name="Name" label="Tag" filterable="false" />

<column model-name="Description" label="Description" filterable="false" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Search Profiles Drop-down on Access Tab

Configure the Search Profiles drop-down list (see Figure 36) for Intelligent Modeling with the ADMIN.CATALOGMODIFY.SHAREDPROFILESEARCHPROP global configuration. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring Advanced Search Grid for Intelligent Modeling on Access Tab

You can use the ADVANCED SEARCH (see Figure 36) to search for users for intelligent modeling. The Search Result grid that appears on the ACCESS SEARCH shows results based on your search criteria. Use the ADMIN.CATALOGMODIFY.ACCESSCATALOGPROFILESEARCH configuration to configure the fields. The global configuration uses the vw_Profile view. To configure the grid from the vw_Profile view, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Figure 36: Search Results for Intelligent Modeling

The default XML is as follows:

<grid-columns>

<column model-name="FirstName" label="First Name" />

<column model-name="LastName" label="Last Name" />

<column model-name="Department" label="Department" />

<column model-name="Location" label="Location" />

<column model-name="ManagerID" label="Manager" />

<column model-name="JobCode" label="Job Code" />

</grid-columns>

Configuring the Profile Grid for Intelligent Modeling

The Profile grid (see Figure 37) for Intelligent Modeling on the ACCESS tab uses the ADMIN.CATALOGMODIFY.SHAREDPROFILEGRIDCOLUMNS global configuration. This grid shows the users selected for Intelligent Modeling, and the fields are from the vw_Profile view.

Figure 37: Profile Grid for Intelligent Modeling

The default XML is as follows:

<grid-columns>

<column model-name="LastName" label="Last Name" />

<column model-name="FirstName" label="First Name" />

<column model-name="Department" label="Department" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Role Definition Grid

The Role Definition grid appears (see Figure 38) at the bottom of both the ROLE and ACCESS tabs when you add or modify a role through the MANAGE ACCESS CATALOG - ADD/MODIFY screen. The grid is populated when you select access items (roles and access entitlements) from the ACCESS tab during role definition of a new role or while editing an existing role.

This virtual grid contains configurable fields that include Name, Description, and OwnerName. These fields are configurable using the ADMIN.CATALOGMODIFY.ROLEDEFACCESSGRID global configuration. The Type column is non-configurable.

Figure 38: Role Definition

The default XML is as follows:

<grid-columns>

<column model-name="BusinessName" label="Name" filterable="true" />

<column model-name="Description" label="Description" filterable="true" />

<column model-name="Name" label="Attribute Name" filterable="true" />

<column model-name="Value" label="Attribute Value" filterable="true" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring Items on Entitlements Tab

This section describes the configurations available on the ENTITLEMENTS tab.

Configuring the Entitlements Grid

The Entitlements grid (see Figure 39) shows the access entitlements from the Entitlement catalog. This grid is configurable using the ADMIN.CATALOG.SHAREDENTITLEMENTSGRIDCOLUMNS global configuration. The fields are from the vw_Entitlement view.

Figure 39: Entitlements Grid

The default XML is as follows:

<grid-columns>

<column model-name="Description" label="Description" />

<column model-name="TargetID" label="Target" />

<column model-name="Name" label="Attribute Name" />

<column model-name="Value" label="Attribute Value" />

<column model-name="IsEditable" label="Editable" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.
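The grid and drop-down configurations in this chapter are XML fragments, so a pre-check before a value is saved can catch an unclosed tag, a duplicated column or a non-numeric drop-down limit. The checker below is an added example, not part of the product; the accepted attribute sets and numeric limits are inferred from the default fragments shown in this chapter and are assumptions, as is rejecting a DOCTYPE.

```python
import xml.etree.ElementTree as ET

# Attribute sets inferred from the default fragments in this chapter (assumption).
COLUMN_ATTRS = {"model-name", "label", "filterable"}
DROPDOWN_ATTRS = {"minimum-query", "maximum-results"}

# Default Roles grid XML as given in this chapter.
DEFAULT_ROLES_GRID = """
<grid-columns>
<column model-name="Name" label="Name" />
<column model-name="Description" label="Description" />
<column model-name="OwnerName" label="Owner" />
<column model-name="Assignments" label="Assignments" filterable="false" />
<column model-name="DisplayChangedOnDate" label="Last Modified" filterable="false"/>
<column model-name="IsAssignable" label="Enabled">
<attribute name="class" value="k-capitalize" />
</column>
</grid-columns>
"""
DEFAULT_DROPDOWN = '<dropdown-properties minimum-query="2" maximum-results="20" />'
# Constructed bad input: the closing tag has lost its final '>'.
BROKEN_GRID = '<grid-columns><column model-name="FirstName" label="First Name" /></grid-columns'


def _check_grid(root, allowed_fields):
    problems, seen = [], set()
    columns = list(root)
    if not columns:
        problems.append("grid-columns has no <column> elements")
    for pos, col in enumerate(columns, start=1):
        where = f"column {pos}"
        if col.tag != "column":
            problems.append(f"{where}: unexpected element <{col.tag}>")
            continue
        unknown = set(col.attrib) - COLUMN_ATTRS
        if unknown:
            problems.append(f"{where}: unknown attribute(s) {sorted(unknown)}")
        name = col.get("model-name", "").strip()
        if not name:
            problems.append(f"{where}: missing model-name")
        elif name in seen:
            problems.append(f"{where}: duplicate model-name {name!r}")
        elif allowed_fields is not None and name not in allowed_fields:
            problems.append(f"{where}: {name!r} is not a field of the view")
        seen.add(name)
        if not col.get("label", "").strip():
            problems.append(f"{where}: missing label")
        if col.get("filterable", "true") not in ("true", "false"):
            problems.append(f"{where}: filterable must be 'true' or 'false'")
        for child in col:
            if child.tag != "attribute" or not {"name", "value"} <= set(child.attrib):
                problems.append(f"{where}: nested element must be <attribute name= value=>")
    return problems


def _check_dropdown(root):
    problems = []
    unknown = set(root.attrib) - DROPDOWN_ATTRS
    if unknown:
        problems.append(f"unknown attribute(s) {sorted(unknown)}")
    for attr, minimum in (("minimum-query", 0), ("maximum-results", 1)):
        raw = root.get(attr)
        if raw is None:
            problems.append(f"missing {attr}")
        elif not (raw.isascii() and raw.isdigit()) or int(raw) < minimum:
            problems.append(f"{attr} must be an integer >= {minimum}, got {raw!r}")
    return problems


def validate_global_config(xml_text, allowed_fields=None):
    """Return a list of problems; an empty list means the fragment passed.

    allowed_fields, if given, is the set of column names of the view that the
    grid reads from (for example the fields of vw_Role, supplied by the caller).
    """
    text = xml_text.strip()
    if "<!DOCTYPE" in text.upper():
        return ["DOCTYPE declarations are not expected in a configuration value"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag == "grid-columns":
        return _check_grid(root, allowed_fields)
    if root.tag == "dropdown-properties":
        return _check_dropdown(root)
    return [f"unexpected root element <{root.tag}>"]
```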

Chapter 8: Configuring the Manage User Access

Using the MANAGE USER ACCESS screen you can create the access request workflow, which includes creating a request by selecting recipients, adding or removing access items, and submitting the request for approval.

This chapter describes how to configure the MANAGE USER ACCESS screen for the access request workflow, and it includes the following sections:

• “Configuring Items for Selecting Recipients” - Describes how to configure the ROLES and ACCESS tabs to enable a requester to select recipients.

• “Configuring Access Items for Managing User Access” - Describes how to add roles and access entitlements.

• “Configuring Items for Submitting the Request for Approval”

Before you configure the grids and drop-downs, review “Using the Global Configuration Manager” on page 29 that describes the global configurations in general and how to add or edit them.

Note: The global configurations described in this chapter for the grids and drop-downs are not visible in the GLOBAL CONFIGURATION MANAGER by default. To add them to the GlobalConfigValues table, follow the steps described in the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

To configure the restriction macros for the MANAGE USER ACCESS, see the chapter “Using Macros” on page 101.

Configuring Items for Selecting Recipients

This section describes the configurations available on the USERS AND ACCESS tabs to enable a requester to search for recipients consistent with the policies specific to your enterprise. The requesters can select themselves as the recipients or select direct reports if the requester is a manager.

Populating the Acting As Drop-Down List on Manage User Access

When a user logs in, he can choose whom to act as from the ACTING AS drop-down list, as shown in Figure 40. By default the MYSELF option is selected, so the user acts as himself. If the user is delegated with Request as Manager or Request as Owner access privileges, the drop-down list shows the names of the delegators who have delegated their access privileges.

Figure 40: Acting As Drop-Down List

The Get Request Delegators custom macro populates the drop-down list with the names of the delegators who have delegated their access privileges. For more information about delegation, refer to “Using Delegation” on page 121.

Configuring the Managed Users Drop-down on Users Tab

Configure the MANAGED USERS drop-down list (see Figure 41) with the ACCESS.MANAGEUSERSACCESS.SHAREDPROFILESEARCHPROP global configuration. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.

Figure 41: Managed Users Drop-Down

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.


Configuring the Managed Users Grid With Recipient Information

The MANAGED USERS grid (see Figure 42) shows the recipients you select for the access request. This grid is configurable using the ACCESS.MANAGEUSERSACCESS.SHAREDPROFILEGRIDCOLUMNS global configuration. The fields are from the vw_Profile view.

Figure 42: Managed Users

The default XML is as follows:

<grid-columns>

<column model-name="LastName" label="Last Name" />

<column model-name="FirstName" label="First Name" />

<column model-name="Department" label="Department" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Grid for Role and Access Entitlement Details on Users Tab

The Current Access grid shows all the roles and access entitlements that the recipients currently have, and you can view additional details for an access item by clicking on it. The details are shown through a popup, as in Figure 43. The grid within the popup is configurable using the ACCESS.MANAGEUSERSACCESS.CURRENTUSERSDETAILSENTITLEMENTSCOLUMNS global configuration. This global configuration uses the vw_ManagedUsersCurrentAccessDetails view for the configuration. For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.


Figure 43: Details of Selected Access Entitlement or Role

The default XML is as follows:

<grid-columns>

<column model-name="EntitlementName" label="Entitlement" />

<column model-name="Target" label="Target" />

<column model-name="AttributeName" label="Attribute Name" />

<column model-name="AttributeValue" label="Attribute Value" />

</grid-columns>

Configuring the Advanced Search Grid on Users Tab

A requester uses the ADVANCED SEARCH (see Figure 44) to search for one or more recipients on the USERS tab. The Search Result grid that appears on the ACCESS SEARCH shows results based on the requester’s search criteria. Use the ACCESS.MANAGEUSERSACCESS.USERMGPROFILESEARCH global configuration to configure the fields. The global configuration uses the vw_Profile view, described in the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.


Figure 44: Search Results

The default XML is as follows:

<grid-columns>

<column model-name="FirstName" label="First Name" />

<column model-name="LastName" label="Last Name" />

<column model-name="Department" label="Department" />

<column model-name="Location" label="Location" />

<column model-name="ManagerID" label="Manager" />

<column model-name="JobCode" label="Job Code" />

</grid-columns>

Configuring the Search Profiles Drop-down on Access Tab

Configure the Search Profiles drop-down list (see Figure 45) for Intelligent Modeling with the ACCESS.MANAGEUSERSACCESS.SHAREDPROFILESEARCHPROP global configuration. This configuration allows you to set the minimum number of characters required to initiate a query and the maximum number of items to present in a drop-down list.


Figure 45: Search Profiles Drop-Down for Intelligent Modeling

The default XML is as follows:

<dropdown-properties minimum-query="2" maximum-results="20" />

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring the Profile Grid for Intelligent Modeling

The Profile grid (see Figure 46) shows the users you select through Intelligent Modeling. This grid is configurable using the ACCESS.MANAGEUSERSACCESS.SHAREDPROFILEGRIDCOLUMNS global configuration. The fields are from the vw_Profile view.

Figure 46: Intelligent Modeling with Profiles

The default XML is as follows:

<grid-columns>

<column model-name="LastName" label="Last Name" />

<column model-name="FirstName" label="First Name" />

<column model-name="Department" label="Department" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.


Configuring the Advanced Search Grid on Access Tab

The ADVANCED SEARCH grid enables you to select users for Intelligent Modeling, as shown in Figure 47. The Search Result grid that appears at the bottom of the ACCESS SEARCH shows the results based on the requester’s search criteria. Use the ACCESS.MANAGEUSERSACCESS.USERACCESSPROFILESEARCH global configuration to configure the fields in the grid. The global configuration uses the vw_Profile view. To view the fields in this view, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Figure 47: Search Results

The default XML is as follows:

<grid-columns>

<column model-name="FirstName" label="First Name" />

<column model-name="LastName" label="Last Name" />

<column model-name="Department" label="Department" />

<column model-name="Location" label="Location" />

<column model-name="ManagerID" label="Manager" />

<column model-name="JobCode" label="Job Code" />

</grid-columns>


Configuring Access Items for Managing User Access

Once the requester selects recipients for whom the access is being requested, the requester can manage their current access or select new access items (roles and entitlements).

You need to first add roles and entitlements to the Role and Entitlement Catalogs, respectively, before the requester can start managing user access. For additional information about adding access items, refer to the chapter “Adding Access Items” on page 57.


Configuring Items for Submitting the Request for Approval

Requesters can review roles and access entitlements selected for modifications, removal or additions in the Access Modifications grid before they submit the request for approval.

The Access Modifications grid appears at the bottom of the USERS and ACCESS tabs. This virtual grid shows the roles and access entitlements selected for modification or removal on the USERS tab, and new roles and access entitlements selected on the ACCESS tab. This grid shows several fields, including some that are configurable using the ACCESS.MANAGEUSERSACCESS.SHAREDACCESSMODIFICATIONGRIDCOLUMNS global configuration. The configurable fields include Description, Attribute Name, and AttributeValue. The non-configurable fields include Access, ActionType (Type), and BusinessName (Name). By default, the non-configurable fields precede the configurable fields.

Figure 48: Access Modifications Grid

The default XML is as follows:

<grid-columns>

<column model-name="Description" label="Description" />

<column model-name="Name" label="Attribute Name" />

<column model-name="AttributeValue" label="Attribute Value" />

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.
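
The following Python check is an added example, not part of the Courion product or of this guide. It lints a grid-columns or dropdown-properties value of the kind shown in this chapter before you save it as a global configuration. The function names, the PROFILE_FIELDS list, the constructed sample XML, and the use of the documented defaults as review thresholds are assumptions of the example.

```python
# Added example (not Courion code): lint a global-configuration XML value
# before saving it to the GlobalConfigValues table.
import xml.etree.ElementTree as ET

# Defaults shown in this chapter for <dropdown-properties>.
DEFAULT_MIN_QUERY = 2
DEFAULT_MAX_RESULTS = 20

# Assumption: only the vw_Profile fields that appear in this chapter's default
# XML. Replace with the full field list of the view your grid reads from.
PROFILE_FIELDS = {"FirstName", "LastName", "Department",
                  "Location", "ManagerID", "JobCode"}


def _parse(xml_text, expected_root):
    """Parse a configuration value; return (root, problems)."""
    if "<!DOCTYPE" in xml_text:
        return None, ["DOCTYPE is not expected in a configuration value"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, [f"not well-formed XML: {exc}"]
    if root.tag != expected_root:
        return None, [f"root element is <{root.tag}>, expected <{expected_root}>"]
    return root, []


def lint_grid_columns(xml_text, allowed_fields):
    """Return a list of problems found in a <grid-columns> value."""
    root, problems = _parse(xml_text, "grid-columns")
    if root is None:
        return problems
    if len(root) == 0:
        problems.append("grid has no columns")
    seen = set()
    for i, col in enumerate(root, start=1):
        if col.tag != "column":
            problems.append(f"child {i}: unexpected element <{col.tag}>")
            continue
        name, label = col.get("model-name"), col.get("label")
        if not name:
            problems.append(f"column {i}: missing model-name")
        elif name not in allowed_fields:
            problems.append(f"column {i}: {name!r} is not a field of the source view")
        elif name in seen:
            problems.append(f"column {i}: duplicate model-name {name!r}")
        else:
            seen.add(name)
        if label is None or not label.strip():
            problems.append(f"column {i}: missing label")
        elif label != label.strip():
            problems.append(f"column {i}: label {label!r} has leading or trailing whitespace")
    return problems


def lint_dropdown_properties(xml_text):
    """Return a list of problems found in a <dropdown-properties> value."""
    root, problems = _parse(xml_text, "dropdown-properties")
    if root is None:
        return problems
    values = {}
    for attr in ("minimum-query", "maximum-results"):
        raw = root.get(attr)
        if raw is None or not (raw.isascii() and raw.isdigit()) or int(raw) < 1:
            problems.append(f"{attr} must be a positive integer, got {raw!r}")
        else:
            values[attr] = int(raw)
    # Assumption: a value looser than the documented default is flagged for
    # review, because each query then returns more profiles for less typing.
    if values.get("minimum-query", DEFAULT_MIN_QUERY) < DEFAULT_MIN_QUERY:
        problems.append("minimum-query is below the default of 2; confirm this is intended")
    if values.get("maximum-results", DEFAULT_MAX_RESULTS) > DEFAULT_MAX_RESULTS:
        problems.append("maximum-results is above the default of 20; confirm this is intended")
    return problems


# Default Managed Users grid XML from this chapter.
GOOD_GRID = """<grid-columns>
<column model-name="LastName" label="Last Name" />
<column model-name="FirstName" label="First Name" />
<column model-name="Department" label="Department" />
</grid-columns>"""

# Constructed sample with a duplicate field, an unknown field and a padded label.
BAD_GRID = """<grid-columns>
<column model-name="LastName" label="Last Name" />
<column model-name="LastName" label="Surname" />
<column model-name="CostCenter" label="Cost Center" />
<column model-name="Department" label="Department " />
</grid-columns>"""

if __name__ == "__main__":
    for problem in lint_grid_columns(BAD_GRID, PROFILE_FIELDS):
        print(problem)
```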


Chapter 9: Configuring the Approval Workflows

This chapter describes how to configure the approval workflows for both the roles and user access approvals, and includes the following sections:

• “Adding Definition Approvers for Role Approval” on page 90

• “Adding Access Approvers for Access Approval” on page 91

• “Configuring the Approval Requests”

• “Approving New and Modified Roles”

• “Approving Requests” on page 99

Before you configure the grids and drop-downs, review “Using the Global Configuration Manager” on page 29, which describes the global configurations in general and how to add or edit them.

Note: Some global configurations may not be visible in the GLOBAL CONFIGURATION MANAGER by default. To add them to the GlobalConfigValues table, follow the steps described in the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.


Adding Definition Approvers for Role Approval

During a role definition, the role creator may select definition approvers who approve roles if the DEFINITION approval is checked for them.

You can configure the definition approvers through the MANAGE ACCESS CATALOG. For additional information on adding approvers, refer to the section “Adding Definition and Access Approvers” on page 59.

For additional information about the role approval workflow, refer to the section “Approving New and Modified Roles” on page 98.


Adding Access Approvers for Access Approval

Requests submitted by requesters in the access request workflow are sent to approvers for approval. Managers of the recipients are by default the first-level approvers. The access approvers, who are the second-level approvers, are then notified about the request for their approval.

Note: Access approvers receive a notification only if the ACCESS approval is checked for them during role definition.

You can configure the access approvers through the MANAGE ACCESS CATALOG. For additional information on adding approvers, refer to the section “Adding Definition and Access Approvers” on page 59.

For additional information about the access request workflow, refer to the section “Approving Requests” on page 99.


Configuring the Approval Requests

Approvers can view all the pending approval requests on the APPROVE REQUESTS screen. The items that you can configure on the APPROVE REQUESTS screen include:

• The delegator list

• The Pending Requests grid

• The grids on the Request Details screen based on the request type

• The editing of access entitlement values

Populating the Acting As Drop-Down List

If the logged-in approver is delegated with Manager Approval or Access Approval access privileges, the Acting As drop-down list displays the names of the delegators. The approver selects the name of the delegator he is acting as to approve any outstanding requests pending for that delegator. For more information about delegation, refer to the chapter “Using Delegation” on page 121.

This drop-down list is populated by the Get Approval Delegators custom macro, which you can modify.

Showing Pending Requests Based on Selection from Acting-As Drop-Down List

If the approver selects Myself from the ACTING AS drop-down list, the approver sees pending requests requiring his approval.

If the approver selects a delegator, the pending requests shown are based on the access privilege of the delegator. For example, if the delegator is a Manager, pending requests for only Manager Approval are shown.

The Get Delegatee ApprovalTypes custom macro determines which pending requests are shown, based on the selection from the ACTING AS drop-down list.

For more information about delegation, refer to the chapter “Using Delegation” on page 121.

Enabling Delegatees to Approve Their Own Requests

By default, delegatees who are delegated with Manager Approval and Access Approval access privileges cannot approve requests that were made by them. If you need to enable delegatees to approve their own requests, set ALLOWSELFAPPROVAL to true.

For more information about delegation, refer to the chapter “Using Delegation” on page 121.


Setting Up Fields for Pending Requests

The approver can see the pending requests in the Pending Requests grid. Specify the fields for this grid by configuring the APPROVALQUEUEDISPLAYCOLUMNS global configuration. The fields are from the RequestItem table.

Table 9 shows the default values for ApprovalQueueDisplayColumns.

Setting Up Fields for Request Details

The approver can see additional information about a particular request on the REQUEST DETAILS screen. The REQUEST DETAILS screen changes based on the request type. The request types include Role Definition, Access Request, and Profile.

The approver can approve or deny the request. You can configure the fields that appear within the respective grids on this screen.

Setting Up Fields To View Requester Details For All Request Types

The approver can see details about the requester in the REQUEST grid. This grid is common for all the request types. The information is from the RequestItem table. To specify the fields from the RequestItem table, use the EDIT COMPLEX VALUES button for the APPROVALREQUESTDETAILFIELDS global configuration.

Table 10 shows the default values for ApprovalRequestDetailFields.

Table 9: ApprovalQueueDisplayColumns Default Values

| Column-name | Order | Visible | Label |
|---|---|---|---|
| RequestItem_Id | 0 | True | Request |
| Provisioner | 1 | True | Requestor |
| RequestDate | 2 | True | Submitted |
| RequestType | 3 | True | Request Type |
| FirstName | 4 | False | First Name |
| LastName | 5 | False | Last name |
| ManagerID | 6 | False | Manager ID |
| Status | 7 | True | Details |

Table 10: ApprovalRequestDetailFields Default Values

| Column-name | Order | Visible | Label |
|---|---|---|---|
| RequestItemId | 0 | True | Request |
| RequestDate | 1 | True | Submitted |
| Provisioner | 2 | True | Requestor |
| UserType | 3 | True | User Type |

Configuring Items for Role Definition

This section describes the grids specific for role definition.

Setting Up Fields For the Role Characteristics Panel

The Role Definition request includes a ROLE CHARACTERISTICS panel with information about the role owner, and the definition and access approvers.

To configure this panel to show the role details, such as the role owner and role name, use the APPROVALROLECHARACTERISTICSDISPLAYFIELD global configuration. The fields are from the Role table.

Table 11 shows the default values for APPROVALROLECHARACTERISTICDISPLAYFIELD.

Table 12 shows the default values for APPROVALROLECHARACTERISTICSAPPROVERSDISPLAYFIELDS to show information about the definition and access approvers.

The fields for this grid are from the RoleApprover table.

Table 11: Role Characteristics with Role Details

| Column-name | Order | Visible | Label |
|---|---|---|---|
| Name | 1 | True | Role Name |
| Owner | 2 | True | Owner |
| Description | 3 | True | Description |
| isAssignable | 4 | True | Enabled |

Table 12: Role Characteristics with Definition and Role Approvers

| Column-name | Order | Visible | Label |
|---|---|---|---|
| Profile.LastName | 1 | True | Last Name |
| Profile.FirstName | 2 | True | First Name |
| IsDefinitionapprover | 3 | True | Definition |
| IsAccessApprover | 4 | True | Access |


Setting Up the Role Definition Grid

The ROLE DEFINITION grid shows details about the role definition, such as the access entitlements used to construct the role. To configure this grid, use the APPROVALROLEDEFINITIONDISPLAYFIELDS global configuration. The columns are from the Entitlement table.

Table 13 shows the default values for APPROVALROLEDEFINITIONDISPLAYFIELDS to show information about the role definition.

Configuring Items for Access Request

This section describes the grids specific for access request.

Setting Up Fields to View Recipient Details for Access Request

The approver can see the recipient information in the EMPLOYEE grid for the access and profile request type. The information is from the Profile table. To specify the fields from the Profile table, use the EDIT COMPLEX VALUES button for the APPROVALPROFILEDISPLAYFIELDS global configuration.

Table 14 shows the default values for APPROVALPROFILEDISPLAYFIELDS.

Enabling Editing of Access Entitlement Values for Access Request

The approver can edit an access entitlement value for an access entitlement before approving a request.

Table 13: Role Definition

| Column-name | Order | Visible | Label |
|---|---|---|---|
| BusinessName | 1 | True | Business Name |
| Description | 2 | True | Description |
| Name | 3 | True | Attribute Name |
| Value | 4 | True | Attribute Value |

Table 14: ApprovalProfileDisplayFields Default Values

| Column-name | Order | Visible | Label |
|---|---|---|---|
| FirstName | 0 | True | First Name |
| LastName | 1 | True | LastName |
| StartDate | 2 | True | Start Date |
| Location | 3 | True | Office Location |


To enable the approver to change the access entitlement value, configure the ALLOWATTRIBUTEVALUEEDITINGONAPPROVAL global configuration by changing the CONFIG VALUE to TRUE. The default CONFIG VALUE is FALSE, which makes the access entitlement value read only.

Note: An access entitlement value is editable only if USER VISIBLE is set to true and EDITABLE is checked when you create an access entitlement. For additional information about making the access entitlement value user visible and editable, refer to the section “Adding Access Entitlements” on page 66.

Configuring the Access Grid

The ACCESS grid shows the access items requested for the recipient. You can configure this grid using the SHAREDACCESSGRIDCOLUMNS global configuration.

The default XML for the global configuration is as follows:

<grid-columns>

<column model-name="ActionStatus" label="Status"/>

<column model-name="ApprovalAction" label="Action"/>

<column model-name="AccessType" label="Type"/>

<column model-name="Name" label="Name"/>

<column model-name="Comment" label="Comment"/>

</grid-columns>

For additional information, refer to the section “Adding Global Configurations to the GlobalConfigValues Table” on page 43.

Configuring Items for Profile Request

To configure the EMPLOYEE grid, refer to “Setting Up Fields to View Recipient Details for Access Request” on page 95.

Configuring the Approve and Deny Action Buttons

The approver can approve or deny a request by clicking the action buttons.

To set up the APPROVE button, configure the APPROVALACTIONAPPROVE global configuration. Table 15 shows the default values for APPROVALACTIONAPPROVE.

Table 15: ApprovalActionApprove Default Values

| Column-name | Label | Require-comment |
|---|---|---|
| Approve | Approve | False |


To set up the DENY button, configure the APPROVALACTIONDENY global configuration. Table 16 shows the default values for APPROVALACTIONDENY.

If the require-comment field is set to true, the approver is required to provide a comment. If the field is set to false, the comment is optional.

Note: The COLUMN-NAME in APPROVALACTIONAPPROVE and APPROVALACTIONDENY identifies an action.

Table 16: ApprovalActionDeny Default Values

| Column-name | Label | Require-comment |
|---|---|---|
| Deny | Deny | True |


Approving New and Modified Roles

If you create a new role, the role needs to be first approved and enabled before it can be used in a role definition of another role or in an access request. Follow the steps in “Adding Access Items” on page 57 to create and submit a new role for approval.

Similarly, if a role is modified it needs to be approved before it can be used in another role definition or access request. For information about editing roles, refer to “Editing an Existing Role” on page 63.

When a role definition is sent for approval, the approver can either approve or deny the entire request.

The approval workflow for new and modified roles involves a sequential process as follows:

1. In the first step of role approval, the role owner (RO) always takes the first action to approve or deny the role.

2. In the second step of approval, any role definition approver (RDA) can approve or deny the role. Since the role definition may include several role definition approvers, the first RDA to take the action determines if the role is approved or denied.

The approval workflow fails if either the role owner or any role definition approver denies a role definition.

The approval workflow for new and modified roles depends on the role definition indicated in Table 17.

Note: Only enabled roles can be assigned to users after they are approved. A role that is approved, but disabled cannot be assigned to users or used to create other roles.

Table 17: Role Approval

| Who Created or Modified the Role | First Step of Role Approval | Second Step of Role Approval | Role Approval Status |
|---|---|---|---|
| User | Role Owner (RO) approves | A Role Definition Approver (RDA) approves | Role is approved |
| User | RO approves | RDA denies | Role is denied |
| User | RO approves | No second step approval if no RDAs are specified | Role is approved |
| User | RO denies | No second-step approval | Role is denied |
| Role Owner | First step is automatically approved since the user is also the RO | RDA approves | Role is approved |
| Role Owner | First step is automatically approved | RDA denies | Role is denied |
| Role Owner | First step is automatically approved | No second step approval if no RDAs are specified | Role is automatically approved |


Approving Requests

Any bulk request that the requester submits is split and shown as individual requests for each recipient. For example, if a Manager selects three recipients for an access item in a request, the approver receives three individual requests.

The approval workflow varies depending on who requested access. The workflow works as described in the table.

Note: Once the Manager approves a request, the request is then sent in parallel to all access approvers. If there are multiple access approvers, the first one to act approves or denies the request.

Table 18: Approval Workflow for Access Requests

| Who Requested Access | First Step of Access Request Approval | Second Step of Request Approval | Request Status |
|---|---|---|---|
| User himself | Manager approves | No access approver defined | Request is approved |
| User himself | Manager approves | Access approver approves (if defined) | Request is approved |
| User himself | Manager approves | Manager is defined as the access approver. Second step is auto approved. | Request is approved |
| User himself | Manager denies | No second-step approval | Request is denied |
| User himself | Manager approves | Access approver denies (if defined) | Request is denied |
| Manager | First step is auto approved | No access approver defined | Request is approved |
| Manager | First step is auto approved | Access approver approves | Request is approved |
| Manager | First step is auto approved | Access approver denies | Request is denied |
| Manager | First step is auto approved | Manager is defined as the access approver. Second step is auto approved. | Request is approved |
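
The following Python model is an added example, not Courion code. It encodes the rows of Table 17 and Table 18 as one function and reports approved requests that nobody other than the requester approved, which is what happens in the rows where every step is auto approved. The function names, the constructed sample requests, and the reading of "is defined as the access approver" as membership in the approver list are assumptions of the example.

```python
# Added example (not Courion code): Tables 17 and 18 as an executable model,
# with a check for approvals that involved no one but the requester.
from dataclasses import dataclass, field

APPROVE, DENY = "approve", "deny"


@dataclass
class Outcome:
    status: str = "pending"                         # "pending", "approved" or "denied"
    auto_steps: list = field(default_factory=list)  # steps that needed no human action
    approvers: list = field(default_factory=list)   # approvers other than the requester


def evaluate(requester, first_approver, second_approvers,
             first_decision=None, second_decisions=(), first_covers_second=True):
    """Return the Outcome of one request.

    first_approver      -- manager (Table 18) or role owner (Table 17)
    second_approvers    -- access approvers (Table 18) or definition approvers (Table 17)
    second_decisions    -- (actor, verdict) pairs in the order they were made
    first_covers_second -- Table 18 rule: the second step is auto approved when
        the manager is also the access approver. Table 17 has no such row, so
        pass False for role approvals.
    """
    verdicts = [v for _, v in second_decisions]
    if first_decision is not None:
        verdicts.append(first_decision)
    if any(v not in (APPROVE, DENY) for v in verdicts):
        raise ValueError("verdicts must be 'approve' or 'deny'")
    out = Outcome()

    # First step: auto approved when the requester is the first-step approver.
    if requester == first_approver:
        out.auto_steps.append("first")
    elif first_decision is None:
        return out                                  # still waiting on step one
    elif first_decision == DENY:
        out.status = "denied"                       # no second-step approval
        return out
    else:
        out.approvers.append(first_approver)

    # Second step: skipped when nobody is defined, auto approved when the
    # first-step approver is also a second-step approver (Table 18 only).
    if not second_approvers:
        out.status = "approved"
        return out
    if first_covers_second and first_approver in second_approvers:
        out.auto_steps.append("second")
        out.status = "approved"
        return out
    for actor, verdict in second_decisions:
        if actor in second_approvers:               # first defined approver to act decides
            out.status = "approved" if verdict == APPROVE else "denied"
            if verdict == APPROVE and actor != requester:
                out.approvers.append(actor)
            break
    return out


def lacks_independent_approval(outcome):
    """True when a request was approved without any approver other than the requester."""
    return outcome.status == "approved" and not outcome.approvers


def audit(requests):
    """Return the ids of requests that were approved with no independent approver."""
    flagged = []
    for req in requests:
        args = {k: v for k, v in req.items() if k != "id"}
        if lacks_independent_approval(evaluate(**args)):
            flagged.append(req["id"])
    return flagged


# Constructed sample requests; all names are made up.
SAMPLE_REQUESTS = [
    {"id": "R1", "requester": "user1", "first_approver": "mgr1",
     "second_approvers": ["aa1"], "first_decision": APPROVE,
     "second_decisions": [("aa1", APPROVE)]},
    {"id": "R2", "requester": "mgr1", "first_approver": "mgr1",
     "second_approvers": []},
    {"id": "R3", "requester": "mgr1", "first_approver": "mgr1",
     "second_approvers": ["mgr1"]},
    {"id": "R4", "requester": "mgr1", "first_approver": "mgr1",
     "second_approvers": ["aa1", "aa2"],
     "second_decisions": [("aa2", DENY), ("aa1", APPROVE)]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS))
```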


Chapter 10: Using Macros

This chapter describes how to add, edit or delete macros through the MANAGE MACROS screen. It also describes the custom and restriction macros used on the MANAGE ACCESS CATALOG and MANAGE USER ACCESS screens.

This chapter includes the following sections:

• “Adding a New Macro” on page 102

• “Editing or Deleting an Existing Macro” on page 104

• “Using Restriction Macros” on page 105

• “Using Custom Macros” on page 117


Adding a New Macro

To add new macros or edit existing macros, navigate to ADMIN > MACRO CONFIGURATION. The MANAGE MACROS screen appears, as shown in Figure 49.

Note: You need an AccountCourier® or a ComplianceCourier™ license to access the MANAGE MACROS screen.

Figure 49: Manage Macros

Click ADD NEW MACRO. The MANAGE MACROS screen expands to display the fields required to add a new macro as shown in Figure 50.

Figure 50: Add a New Macro

Configure the following fields:

MACRO NAME: Enter a name for the new custom macro you want to create.


MACRO DESCRIPTION: Brief description about what the custom macro does.

CONNECTOR NAME: The name of the connector against which the custom macro is resolved. For example, AD Connector.

TARGET NAME: The name of the configured target for the specified connector. For example, Active Directory.

IS MACRO CACHEABLE: Accepts a boolean value of true or false. Check the checkbox to enable caching. Uncheck the checkbox to disable caching.

MACRO QUERY: A query that runs against the target system. For example, if the target is Active Directory, the query is against this target.

Click SAVE to create a new macro. The newly created macro appears in the MANAGE MACROS screen.

Click CANCEL if you prefer to close the panel without creating a new macro.


Editing or Deleting an Existing Macro

To edit an existing macro, select the Edit icon. The screen expands to show the configured fields, as shown in Figure 51.

Figure 51: Edit a Macro

Edit the fields you want, and click SAVE.

To delete a custom macro, click the Delete icon.


Using Restriction Macros

Restriction macros restrict information in the UI elements, including drop-down lists and search filters. Use restriction macros to restrict what a user can or cannot access.

The restriction macros are used on both the MANAGE ACCESS CATALOG and MANAGE USER ACCESS screens.

Naming a Restriction Macro

A restriction macro needs to conform to the following naming convention:

Restriction.<restriction macro name>

Other Macros Used Within Restriction Macros

The following two macros are automatically available for use within restriction macros:

• Restrictions-IsArmAdmin — A boolean value that is represented as a string in lowercase. It indicates whether the logged-in user is an ARM administrator. The value is either set to true or false.

• Restrictions-LoggedInUser — The ProfileUID of the logged in user.

• %Restrictions-DelegatedUser% — If the user (delegatee) is acting as the delegator, the value is the ProfileUID of the delegator. Otherwise, the value is null.

• %Restrictions-EffectiveUser% — If the user is acting as a delegatee for another user (delegator), the value is the ProfileUID of the delegatee. Otherwise, the value is the ProfileUID of the logged-in user. This value is never empty.

By default, the restriction macros are VBScript macros.

Restrictions Available On Manage Access Catalog

This section describes the restriction macros available for the MANAGE ACCESS CATALOG screen.

Restricting the Roles Grid on Roles Tab

By default, the roles grid on the ROLES tab shows all the roles that were created and approved. To restrict the roles that appear, use the RESTRICTIONS.MANAGE ACCESS CATALOG ROLES macro. This restriction macro applies to the vw_Role view.

By default, the ARM administrator can see all the roles, while role owners only see the roles they own.

Figure 52: Roles Grid

Restricting the Access Entitlements Grid on Entitlements Tab

The access entitlements grid on the ENTITLEMENTS tab shows all the entitlements to a logged in user. By default there is no restriction applied to this grid. To apply a restriction, you need to create a macro with the name RESTRICTIONS.MANAGE ACCESS CATALOG ENTITLEMENTS. This restriction macro applies to the vw_Entitlement view.

To create the macro, refer to the section “Adding a New Macro” on page 102.

Figure 53: Access Entitlements Grid

Restrictions on the Manage Access Catalog - Add/Modify

The MANAGE ACCESS CATALOG - ADD/MODIFY screen contains the Roles and Access tabs. Use the restriction macros described in this section, to restrict the grids on these tabs.

Restricting Profiles to Search for Role Owners on Roles Tab

The OWNER drop-down list in GENERAL INFORMATION shows profiles from which you can select a role owner. The RESTRICTIONS.MANAGE ACCESS CATALOG SEARCH OWNER macro restricts the profiles shown in this drop-down list. This restriction macro applies to the vw_Profile view.

By default, the list shows all the active profiles.

Figure 54: Owner Drop-Down List

Restricting Profiles to Search for Approvers on Roles Tab

The approver drop-down list in Approvers shows profiles from which you can select one or more approvers. Use the RESTRICTIONS.MANAGE ACCESS CATALOG SEARCH APPROVERS macro to restrict the profiles shown in this drop-down list. This restriction macro applies to the vw_Profile view.

By default, the list shows all the active profiles, except the logged in user creating the role.

Figure 55: Approver Drop-Down List

Restricting Search for Tags on Roles Tab

By default there is no restriction applied to the Search Tags filter in the Tags section. To apply a restriction, you need to create a macro with the name RESTRICTIONS.MANAGE ROLE SEARCH TAGS. This restriction macro applies to the vw_Tag view.

To create the macro, refer to the section “Adding a New Macro” on page 102.

Figure 56: Search Tags Filter

Restricting Search for Roles on Access Tab

A user searches for roles using the FIND ACCESS BY drop-down list to create a new role. By default, RESTRICTIONS.MANAGE ACCESS CATALOG SEARCH ROLES shows the ARM administrator all the roles, while role owners only see the roles they own. Modify the restriction macro to change the default restriction. This restriction macro applies to the vw_Role_Tag view.

Figure 57: Find Access By Roles

Restricting Search for Entitlements on Access Tab

A user searches for access entitlements using the FIND ACCESS BY drop-down list to create a new role. By default, there are no restrictions. To apply a restriction, create a macro with the name RESTRICTIONS.MANAGE ACCESS CATALOG SEARCH ENTITLEMENTS. This restriction macro applies to the vw_Entitlement_Tag view.

To create the macro, refer to the section “Adding a New Macro” on page 102.

Figure 58: Find Access By Entitlements

Restricting Search for Profiles on Access Tab

To create a role, a user searches for profiles using the FIND ACCESS BY drop-down list, and selecting INTELLIGENT MODELING. The Search Profiles filter appears with the profiles from which the user can select.

By default, RESTRICTIONS.MANAGE ACCESS CATALOG SEARCH USERS shows direct reports only to a Manager, and the profiles need to be active.

This restriction macro applies to the vw_Profile view.

Figure 59: Find Access By Intelligent Modeling

Restrictions Available On Manage User Access

This section describes the restriction macros available for the MANAGE USER ACCESS screen.

Restricting Search for Recipients on Users Tab

A logged in user can search for profiles using the Search Profiles filter to add or modify access for self or other users. The RESTRICTIONS.MANAGE ACCESS FIND RECIPIENTS macro restricts the profiles that appear. The ARM administrator sees all users, while a Manager only sees his direct reports. The direct reports may be active or inactive. This restriction macro applies to the vw_Profile view.

Figure 60: Search Profile

Restricting Search for Roles on Access Tab

A logged in user searches for roles using the FIND ACCESS BY drop-down list to assign for self or others. By default, the search shows all the roles. To apply a restriction, create a macro with the name RESTRICTIONS.MANAGE ACCESS SEARCH ROLES to restrict the roles that appear. This restriction macro applies to the vw_Role_Tag view.

To create the macro, refer to the section “Adding a New Macro” on page 102.

Figure 61: Find Access By Roles

Restricting Search for Access Entitlements on Access Tab

A user searches for access entitlements using the FIND ACCESS BY drop-down list to assign to self or others. By default, there are no restrictions, and the search shows all the access entitlements. To apply a restriction, create a macro with the name RESTRICTIONS.MANAGE ACCESS SEARCH ENTITLEMENTS to restrict the access entitlements that appear.

To create the macro, refer to the section “Adding a New Macro” on page 102.

Figure 62: Find Access By Entitlements

Restricting Search for Profiles on Access Tab

To assign access modeled on another profile, a logged in user searches for profiles using the FIND ACCESS BY drop-down list, and selecting INTELLIGENT MODELING. The Search Profiles filter appears with the profiles the user can select. By default, RESTRICTIONS.MANAGE ACCESS SEARCH USERS shows only direct reports to a Manager. The profiles need to be active.

This restriction macro applies to the vw_Profile view.

Figure 63: Find Access By Intelligent Modeling

Defining Filter Expressions in Restriction Macros

The restriction macros use a Filter element to filter data. The filter expression you create needs to adhere to the syntax described in this section.

The filter declaration needs to start with the Filter element, and it is case-sensitive. For example:

    <Filter>
      <!--Filter expression-->
    </Filter>

Note: The restriction macros can be of any type, such as JavaScript, but they must return a valid XML document with a root node called Filter. The minimum allowable return document is <Filter/>.

See Table 19 for the comparison predicates that you can use within a filter expression. A comparison predicate contains one or more conditions, and the condition may be true or false.

Note: The comparison predicates are case-sensitive.

Table 19: Comparison Predicates

Not

Description: Contains a condition which needs to be false.

Format:

    <Not>
      <!-- a single filtering predicate -->
    </Not>

Example:

    <Filter>
      <Not>
        <EqualTo>
          <ColumnName>Role_Id</ColumnName>
          <Value>Fred’s Role</Value>
        </EqualTo>
      </Not>
    </Filter>

And

Description: Contains a set of conditions, all of which need to be true. The number of contained conditions may be arbitrary.

Format:

    <And>
      <!-- a list of filtering predicates -->
    </And>

Example:

    <Filter>
      <And>
        <EqualTo>
          <ColumnName>role_id</ColumnName>
          <Value>32</Value>
        </EqualTo>
        <Not>
          <EqualTo>
            <ColumnName>Owner</ColumnName>
            <Value>buser1</Value>
          </EqualTo>
        </Not>
      </And>
    </Filter>

Or

Description: Contains a set of conditions, of which at least one needs to be true. The number of contained conditions may be arbitrary.

Format:

    <Or>
      <!-- a list of filtering predicates -->
    </Or>

EqualTo

Description: A single condition in which a comparison between the first and second operands results in equality. The comparison may be between two column names, two values, or a column name and a value. The values you compare may be a macro that needs to be resolved.

Format:

Comparison between a column name and value:

    <EqualTo>
      <ColumnName/>
      <Value/>
    </EqualTo>

Comparison using a macro:

    <EqualTo>
      <ColumnName>Owner</ColumnName>
      <Value>%Restriction-LoggedInUser%</Value>
    </EqualTo>

Example:

    <Filter>
      <EqualTo>
        <ColumnName>Role_Id</ColumnName>
        <Value>Fred’s Role</Value>
      </EqualTo>
    </Filter>

Contains

Description: A single condition in which the first string contains within it a second string. This predicate contains two operands. The first may be a column name or value, and the second is a value.

Format:

    <Contains>
      <ColumnName/>
      <Value/>
    </Contains>

StartsWith

Description: A single condition in which the first string starts with the second string. This predicate contains two operands. The first may be a column name or value, and the second is a value.

Format:

    <StartsWith>
      <ColumnName/>
      <Value/>
    </StartsWith>

EndsWith

Description: A single condition in which the first string ends with the second string. This predicate contains two operands. The first may be a column name or value, and the second is a value.

Format:

    <EndsWith>
      <ColumnName/>
      <Value/>
    </EndsWith>

In

Description: A single condition in which the first operand contains an element from the list represented by remaining operands. The number of list items may be arbitrary. The first operand may contain a column name or value. At least one list item needs to contain a string. An In condition with exactly one ListItem functions similarly to EqualTo.

Format:

    <In>
      <ColumnName/>
      <ListItem/>
      <ListItem/>
    </In>

Example:

    <Filter>
      <In>
        <ColumnName>tag_id</ColumnName>
        <ListItem>4</ListItem>
        <ListItem>5</ListItem>
      </In>
    </Filter>

IsNull

Description: A condition which tests whether a column name or value is null. The operand of an IsNull may contain a column name or value.

Format:

    <IsNull>
      <ColumnName/>
    </IsNull>

Example:

    <Filter>
      <IsNull>
        <ColumnName>role_id</ColumnName>
      </IsNull>
    </Filter>

If the operand contains a value with a true return:

    <Value xsi:nil="true"/>

GreaterThan

Description: A condition which tests whether a column name or value is greater than another column name or value. Either operand may contain a column name or value. The values to be compared may be a macro that needs to be resolved. GreaterThan in a Not condition is equivalent to LessThan or EqualTo.

Format:

    <GreaterThan>
      <ColumnName/>
      <Value/>
    </GreaterThan>

Example:

    <Filter>
      <GreaterThan>
        <ColumnName>Assignments</ColumnName>
        <Value>12</Value>
      </GreaterThan>
    </Filter>

LessThan

Description: A condition which tests whether a column name or value is less than another column name or value. Either operand may contain a column name or value. The values to be compared may be a macro that needs to be resolved. LessThan in a Not condition is equivalent to GreaterThan or EqualTo.

Format:

    <LessThan>
      <ColumnName/>
      <Value/>
    </LessThan>

Example:

    <Filter>
      <LessThan>
        <ColumnName>Assignments</ColumnName>
        <Value>1</Value>
      </LessThan>
    </Filter>
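
The following JavaScript is an added example, not code from this guide or from Courion: it builds the "administrators see everything, owners see only what they own" restriction described for the roles grid, and lints a Filter document against the case-sensitive names and operand rules of Table 19 before it is saved as a macro. The function names, the way resolved macro values reach buildOwnerFilter, and the reading of <Filter/> as "no restriction" are assumptions.

```javascript
// Added example, not vendor code: build and lint restriction-macro Filter XML.
const PREDICATES = ['Not', 'And', 'Or', 'EqualTo', 'Contains', 'StartsWith',
  'EndsWith', 'In', 'IsNull', 'GreaterThan', 'LessThan'];

// Escape a resolved macro value before placing it in element content.
function xmlEscape(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hypothetical macro body: the two arguments are the already-resolved values of
// Restrictions-IsArmAdmin (lowercase "true"/"false") and Restrictions-LoggedInUser.
// Assumption: <Filter/> applies no restriction. Only the exact string "true"
// returns it, so an unexpected value fails closed to the owner-only filter.
function buildOwnerFilter(isArmAdmin, loggedInUser) {
  if (isArmAdmin === 'true') return '<Filter/>';
  return '<Filter><EqualTo><ColumnName>Owner</ColumnName><Value>' +
    xmlEscape(loggedInUser) + '</Value></EqualTo></Filter>';
}

// Minimal parser for the XML subset filters use: elements, double-quoted
// attributes, comments and text. Throws on anything it cannot tokenize.
function parseXml(src) {
  const re = /<!--[\s\S]*?-->|<\/([A-Za-z_][\w.-]*)\s*>|<([A-Za-z_][\w.-]*)((?:\s+[\w:.-]+\s*=\s*"[^"]*")*)\s*(\/?)>|([^<]+)/g;
  const doc = { name: '#document', children: [], text: '' };
  const stack = [doc];
  let m, pos = 0;
  while ((m = re.exec(src)) !== null) {
    if (m.index !== pos) break;               // input was skipped: not well-formed
    pos = re.lastIndex;
    const top = stack[stack.length - 1];
    if (m[1]) {                               // closing tag
      if (top.name !== m[1]) throw new Error('unexpected </' + m[1] + '>');
      stack.pop();
    } else if (m[2]) {                        // opening or self-closing tag
      const node = { name: m[2], children: [], text: '' };
      top.children.push(node);
      if (!m[4]) stack.push(node);
    } else if (m[5]) {                        // text; comments fall through
      top.text += m[5];
    }
  }
  if (pos !== src.length) throw new Error('malformed XML at offset ' + pos);
  if (stack.length > 1) throw new Error('unclosed <' + stack[stack.length - 1].name + '>');
  return doc.children;
}

const isOperand = (k) => k === 'ColumnName' || k === 'Value';

// Check one predicate node against the operand rules in Table 19.
function checkPredicate(node, path, errors) {
  const here = path + '/' + node.name;
  const kinds = node.children.map((c) => c.name);
  if (!PREDICATES.includes(node.name)) {
    const hint = PREDICATES.find((p) => p.toLowerCase() === node.name.toLowerCase());
    errors.push(here + ': unknown predicate' +
      (hint ? ' (names are case-sensitive, use ' + hint + ')' : ''));
  } else if (['Not', 'And', 'Or'].includes(node.name)) {
    if (node.name === 'Not' && kinds.length !== 1) {
      errors.push(here + ': Not takes exactly one predicate');
    }
    node.children.forEach((c) => checkPredicate(c, here, errors));
  } else if (node.name === 'IsNull') {
    if (kinds.length !== 1 || !isOperand(kinds[0])) {
      errors.push(here + ': expects one ColumnName or Value');
    }
  } else if (node.name === 'In') {
    const items = node.children.slice(1);
    if (!isOperand(kinds[0]) || items.length === 0 ||
        !items.every((c) => c.name === 'ListItem') ||
        !items.some((c) => c.text.trim() !== '')) {
      errors.push(here + ': expects ColumnName or Value, then ListItem elements (one non-empty)');
    }
  } else {
    const valueSecond = ['Contains', 'StartsWith', 'EndsWith'].includes(node.name);
    const secondOk = valueSecond ? kinds[1] === 'Value' : isOperand(kinds[1]);
    if (kinds.length !== 2 || !isOperand(kinds[0]) || !secondOk) {
      errors.push(here + ': expects two operands' + (valueSecond ? ', the second a Value' : ''));
    }
  }
}

// Return a list of problems; an empty list means the document passed.
function lintFilter(xml) {
  let top;
  try {
    top = parseXml(xml.trim());
  } catch (e) {
    return [e.message];
  }
  if (top.length !== 1 || top[0].name !== 'Filter') {
    return ['root element must be Filter (case-sensitive)'];
  }
  const errors = [];
  top[0].children.forEach((c) => checkPredicate(c, 'Filter', errors));
  return errors;
}

// Constructed input: a lowercase tag name is reported, not silently accepted.
console.log(lintFilter('<Filter><equalTo><ColumnName>Owner</ColumnName><Value>x</Value></equalTo></Filter>'));
```

Run lintFilter over the text a macro returns for a few representative users, including a ProfileUID containing & or <, before relying on the restriction.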

Using Custom Macros

Custom macros retrieve data from a connector resource based on a specific search criteria. These macros, for example, determine what is shown or hidden on a screen from a user.

Custom Macros for Manage Access Catalog

The custom macros described here are available on the MANAGE ACCESS CATALOG to determine whether or not roles, access entitlements or intelligent modeling are available to a logged in user.

To show or hide a value on this screen, follow these steps:

1. Go to MACRO CONFIGURATION.

2. Navigate to the specific macro for which you need to change the value. For example, to hide roles from showing on the Manage Access Catalog screen, find the Has Catalog Find Access by Roles custom macro and click on the Edit icon. Follow the steps in the “Editing or Deleting an Existing Macro” on page 104.

3. Change the Macro Query value to true if it is false, and click SAVE. The roles will now show on the MANAGE ACCESS CATALOG screen for the logged in user.

Show or Hide Roles

The HAS CATALOG FIND ACCESS BY ROLES custom macro determines whether or not the logged in user has access to Roles on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Roles, change the value in the macro query to true. A value of false hides the Roles from the logged in user.

Show or Hide Access Entitlements

The HAS CATALOG FIND ACCESS BY ENTITLEMENTS custom macro determines whether or not the logged in user has access to Entitlements on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Entitlements, change the value in the macro query to true. A value of false hides the Entitlements from the logged in user.

Show or Hide Intelligent Modeling

The HAS CATALOG FIND ACCESS BY INTELLIGENT MODELING custom macro determines whether or not the logged in user has access to Intelligent Modeling on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Intelligent Modeling, change the value in the macro query to true. A value of false hides the Intelligent Modeling from the logged in user.

Custom Macros for Manage User Access

The custom macros described here are available on the MANAGE USER ACCESS to determine whether or not roles, entitlements or intelligent modeling are available to a logged in user.

To show or hide a value on this screen, follow these steps:

1. Go to MACRO CONFIGURATION.

2. Navigate to the specific macro for which you need to change the value. For example, to hide roles from showing on the Manage Access Catalog screen, find the Has Catalog Find Access by Roles custom macro and click on the Edit icon. Follow the steps in the “Editing or Deleting an Existing Macro” on page 104.

3. Change the Macro Query value to true if it is false, and click SAVE. The roles will now show on the MANAGE ACCESS CATALOG screen for the logged in user.

Show or Hide Roles

The Has Access Find Access By Roles custom macro determines whether or not the logged in user has access to Roles on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Roles, change the value in the macro query to true. A value of false hides the Roles from the logged in user.

Show or Hide Access Entitlements

The Has Access Find Access By Entitlements custom macro determines whether or not the logged in user has access to Entitlements on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Entitlements, change the value in the macro query to true. A value of false hides the Entitlements from the logged in user.

Show or Hide Intelligent Modeling

The Has Access Find Access By Intelligent Modeling custom macro determines whether or not the logged in user has access to Intelligent Modeling on the FIND ACCESS BY drop-down list on the ACCESS tab. To show Intelligent Modeling, change the value in the macro query to true. A value of false hides the Intelligent Modeling from the logged in user.

Other Macros Used with Custom Macros

This section describes the macros that you can use with custom macros described in the section “Using Custom Macros” on page 117 to retrieve user information. To use the macros, use the % sign to enclose them. For example:

    IF '%EffectiveUserId%' = 'buser2'
        Select 'true' as Value
    ELSE
        Select 'false' as Value

Retrieving the User ID of Logged in User

Use the LoggedInUserID macro to retrieve the ProfileUID of the logged-in user.

Retrieving the User ID of the Acting as User

Use the EffectiveUserID macro to retrieve the ProfileUID of the acting-as user. For example, a user authenticates to the Portal with his username. If the user has been delegated other access privileges, he may act as the delegator or as himself to request access. This macro identifies which user he is acting as in this scenario.

Retrieving the User ID of the Delegator

Use the DelegatingUserID macro to retrieve the ProfileUID of the delegator.

Chapter 11: Using Delegation

This chapter describes how users can delegate their access privileges to others using the DELEGATE ACCESS PRIVILEGES screen. It also describes how to configure the SEARCH CONTROL popup so that a user can search for delegators (in case of administrators), and delegatees.

Before you configure the SEARCH CONTROL popup, review the chapter “Using the Global Configuration Manager” on page 29 that describes the global configurations used in this chapter and how to edit them.

This chapter includes the following sections:

• “Delegating for Other Delegators” on page 122

• “Delegating as Self” on page 124

• “Checking for Access Privileges” on page 125

• “Displaying Delegatee Information” on page 127

• “Using the Default Global Configuration to Customize the Search Control Popup” on page 128

• “Auditing Delegation” on page 133

The delegation feature enables authorized users to delegate their access privileges to others for the request and approval workflows.

Users who delegate access privileges to others are called delegators. Users who receive delegated access privileges are called delegatees.

Delegation can happen in two ways:

• An administrator, on behalf of the delegator, assigns the delegator’s access privileges to a delegatee.

• Delegators assign their privileges to delegatees themselves.

Delegating for Other Delegators

If you are an administrator, you can delegate the access privileges of a delegator to a delegatee. For example, if Anna Baron is travelling, then you can delegate on her behalf by:

1. Finding Anna Baron (the delegator) using your administrator privileges through the DELEGATE ACCESS PRIVILEGES screen.

2. Assigning the privileges of Anna Baron to another user (the delegatee).

Note: Only users who belong to the ARM Admins community can delegate on behalf of a delegator.

To start delegating, select ACTIONS > DELEGATION > ACCESS. The DELEGATE ACCESS PRIVILEGES screen appears as shown in Figure 64.

Figure 64: Delegate Access Privileges

Select a delegator by clicking the Search icon next to SELECT EMPLOYEES. In the SEARCH CONTROL popup that appears, enter the search criteria in the search fields to find the delegator, and select SEARCH as shown in Figure 65.

Figure 65: Search Control

A Search Results grid appears with the results at the bottom of the popup. Select the delegator and click OK to continue. Selecting CANCEL closes the screen.

The delegator you selected now appears in the SELECT EMPLOYEE textbox of the DELEGATE ACCESS PRIVILEGES screen. When you click FIND DELEGATIONS, a new grid appears with the access privileges entitled to the delegator under DELEGATION TYPE as shown in Figure 66.

The delegation types include:

• Request Access

• Manager Approval

• Access Approval

• Profile Approval

Figure 66: Access Privileges

For more information about access privileges and how to customize the options, refer to the section “Checking for Access Privileges” on page 125.

Click the Search icon to search delegatees for each access privilege. The SEARCH CONTROL popup appears for you to select the delegatee using the search criteria.

Once you have selected the delegatee, the information appears on the DELEGATE ACCESS PRIVILEGES screen.

You can now enable or disable delegation for the delegatees. First, check the Select All or individual checkboxes. Then, click ENABLE SELECTED to enable or DISABLE SELECTED to disable; the ENABLED column displays TRUE for enabled and FALSE for disabled.

Note: Either you or the delegator can disable delegation for the selected delegatees.

CLEAR SELECTED permanently deletes the selected delegatees of the logged-in user.

Displaying the Select Employee Panel to Administrators

The SELECT EMPLOYEE panel on the DELEGATION page is only visible to users who belong to the ARM Admins community. The Get ARMAdmin Community custom macro checks if the user belongs to the ARM Admins Community before the panel appears to search for delegators. If you want to check for another community, customize this custom macro.

Delegating as Self

If you have access privileges that you want to delegate, select ACTIONS > DELEGATION > ACCESS. The DELEGATE ACCESS PRIVILEGES screen appears.

The grid automatically shows the access privileges (under DELEGATION TYPE) entitled to you. For more information about access privileges and how to customize the options, refer to the section “Checking for Access Privileges” on page 125.

Follow these steps to delegate your access privileges:

1. Click the Search icon to search delegatees for each access privilege (Delegation Type). The SEARCH CONTROL popup appears for you to select the delegatee using the search criteria.

2. Once you have selected the delegatee, the information appears on the DELEGATE ACCESS PRIVILEGES screen.

You can now enable or disable delegation for the delegatees. First, check the Select All or individual checkboxes, and then click ENABLE SELECTED to enable. To disable, click DISABLE SELECTED. The ENABLED column displays TRUE when delegation is enabled, and FALSE when delegation is disabled.

CLEAR SELECTED deletes the selected delegatees from the grid for the logged-in user.

Checking for Access Privileges

The Access Request Manager supports the following access privileges available to a delegator:

• Request Access

• Manager Approval

• Access Approval

• Profile Approval

An access privilege determines the extent to which a user interacts within the Access Request Manager. For example, if a delegator has Access Approval, it means that this delegator is selected as an access approver for role and entitlement assignment. If an access approver delegates his Access Approval access privilege to a delegatee, the delegatee can approve or deny access requests on behalf of the delegator.

Custom macros are used to check whether or not delegators are entitled to access privileges. These custom macros are described further in this section.

Custom Macros to check for Access Privileges of a Delegator

Request Access

If a Manager is delegating access privileges, the delegatee inherits the Manager’s privileges. The access privilege, Request Access, determines how a delegatee requests access acting as a Manager. The delegatee can request access only for direct reports of the delegator. For example, if David Larson delegates his access privileges to John Smith, then John Smith can request access only for David Larson’s direct reports.

The IsManagerRequestDelegationAvailable custom macro checks if the delegator is entitled to the Request Access access privilege. This custom macro is specified in the isAvailable field of the AccessPrivilege table. It returns true if the delegator has the Request Access access privilege or else returns false.

Manager Approval

If a Manager delegates his access privileges, the delegatee inherits the Manager’s privileges to approve requests for a direct report. The Manager Approval access privilege determines how a delegatee approves acting as a Manager. The delegatee can only approve pending requests for which the delegator is responsible. For example, if a request is made for a direct report of David Larson by another user, then David Larson does the first-level approval. With delegation enabled, a delegatee would do the first-level approval for David Larson’s direct reports.

The IsApproveAsManagerDelegationAvailable custom macro checks if the delegator is entitled to the Manager Approval access privilege. This custom macro is specified in the isAvailable field of the AccessPrivilege table. It returns true if the delegator has the Manager Approval access privilege, else returns false.

Access Approval

If an access approver delegates his access privileges, the delegatee inherits the access approver’s privileges. The Access Approval access privilege determines how a delegatee approves acting as an access approver. The delegatee can only approve pending requests that require the second-level approval of the delegator. For example, if Aaron Biggs delegates his access privileges to John Smith, then John Smith can approve pending requests for which Aaron Biggs is responsible.

The IsApproveAsApproverDelegationAvailable custom macro checks if the delegator is entitled to the Access Approval access privilege. This custom macro is specified in the isAvailable field of the AccessPrivilege table. It returns true if the delegator has the Approve as Approver access privilege, else returns false.

Profile Approval

If a Manager (or a user) creates a new profile, the immediate Manager of the requester needs to approve the profile. The Profile Approval access privilege determines how a delegatee approves profile requests when acting as Manager. The delegatee can only approve profile requests. For example, if Aaron Biggs delegates his access privileges to John Smith, then John Smith can approve pending requests for which Aaron Biggs is responsible.

The IsApproveAsApproverDelegationAvailable custom macro checks if the delegator is entitled to the Profile Approval access privilege. This custom macro is specified in the isAvailable field of the AccessPrivilege table. It returns true if the delegator has the Profile Approval access privilege, else returns false.

Displaying Delegatee Information

Once you select a delegatee, the delegatee’s information appears in the DELEGATEE INFO column of the DELEGATE ACCESS PRIVILEGES screen. The custom macros that provide this information are described in this section.

The AccessRequest.ProfileID macro returns the ProfileUID of the selected delegatee. This macro does not support customization.

The Get Profile Info custom macro checks for the delegatee information, based on the input from the AccessRequest.ProfileID. The DELEGATEE INFO column is populated with the delegatee information in the format specified in the custom macro. To display customized information, such as Last Name with Department of the delegatee, modify this macro.

Using the Default Global Configuration to Customize the Search Control Popup

To search for a delegator or delegatee, you click the Search icon and use the SEARCH CONTROL popup. You can customize this screen by configuring the default MULTIUSERSEARCHOPTION2 global configuration.

The default values for the MULTIUSERSEARCHOPTION2 are as follows:

• HEADING: Find Employee

• KEYCOLUMN: ProfileUID

• RESTRICTIONCONFIGURATIONNAME: MultiUserSearchRestriction2

• ISSINGLESELECT: True

• ROWSPERRESULTPAGE: 5

• RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

Using the MultiUserSearchRestriction2 to Implement Restriction

The MultiUserSearchRestriction2 global configuration enables you to create a custom macro to implement a restriction for the MultiUserSearchOption2. The default values include:

• NAME: MultiUserSearchOption2 Restriction

• VISIBLE: False

• LABEL: MultiUserSearchOption2 Restriction

• CLAUSE: Accepts a custom macro or a SQL clause

• DEFAULTVALUES: True

Table 20: MultiUserSearchOption2 Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |


Customizing the Individual Search Control Popups for Delegator and Delegatee Search

If you use the default MULTIUSERSEARCHOPTION2 global configuration, the configuration applies uniformly to both the delegator and delegatee SEARCH CONTROL popups. If you prefer to customize the individual SEARCH CONTROL popups for the delegator and delegatee search (by access privilege), use the global configurations described in this section.

• FINDDELEGATORSEARCHOPTION for delegator search. The default values for this global configuration include:

HEADING: Find Employee - Delegator

KEYCOLUMN: ProfileUID

ISSINGLESELECT: True

RESTRICTIONCONFIGURATIONNAME: FindDelegatorSearchRestriction

ROWSPERRESULTPAGE: 5

RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

• REQUESTASMANAGERSEARCHOPTION for the Request Access access privilege. The default values for this global configuration include:

HEADING: Find Employee - For Request Access

KEYCOLUMN: ProfileUID

ISSINGLESELECT: True

RESTRICTIONCONFIGURATIONNAME: RequestAsManagerSearchRestriction

ROWSPERRESULTPAGE: 5

RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

Table 21: FindDelegatorSearchOption Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |

Table 22: RequestAsManagerOption Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |


• APPROVEASMANAGERSEARCHOPTION for the Manager Approval access privilege. The default values for this global configuration include:

HEADING: Find Employee - For Manager Approval

KEYCOLUMN: ProfileUID

ISSINGLESELECT: True

RESTRICTIONCONFIGURATIONNAME: ApproveAsManagerSearchRestriction

ROWSPERRESULTPAGE: 5

RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

• APPROVEASAPPROVERSEARCHOPTION for the Access Approval access privilege. The default values for this global configuration include:

HEADING: Find Employee - For Access Approval

KEYCOLUMN: ProfileUID

ISSINGLESELECT: True

RESTRICTIONCONFIGURATIONNAME: ApproveAsApproverSearchRestriction

ROWSPERRESULTPAGE: 5

RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

• PROFILEAPPROVALSEARCHOPTION for the Profile Approval access privilege. The default values for this global configuration include:

HEADING: Find Employee - For Profile Approval

KEYCOLUMN: ProfileUID

ISSINGLESELECT: True

RESTRICTIONCONFIGURATIONNAME: ApproveAsApproverSearchRestriction

ROWSPERRESULTPAGE: 5

RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

Table 23: ApproveAsManagerSearchOption Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |

Table 24: ApproveAsApproverSearchOption Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |

Table 25: ProfileApprovalSearchOption Default Values for the Grid

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |


Default Values in the Restriction Global Configurations For Delegation

Table 26 provides the default values for the restriction global configurations in the SEARCH CONTROL popups for delegator and delegatee search.

Table 26: Default Values in the Restriction Global Configurations

| Name of the Restriction | Default Column Values |
|---|---|
| FindDelegatorSearchRestriction | NAME - Find Delegator; VISIBLE - False; LABEL - Find Delegator; CLAUSE - SQL clause or custom macro; DEFAULTVALUES - True |
| RequestAsManagerSearchRestriction | NAME - Request Access; VISIBLE - False; LABEL - Request Access; CLAUSE - SQL clause or custom macro; DEFAULTVALUES - True |
| ApproveAsManagerSearchRestriction | NAME - Manager Approval; VISIBLE - False; LABEL - Manager Approval; CLAUSE - SQL clause or custom macro; DEFAULTVALUES - True |
| ApproveAsApproverSearchRestriction | NAME - Access Approval; VISIBLE - False; LABEL - Access Approval; CLAUSE - SQL clause or custom macro; DEFAULTVALUES - True |


Auditing Delegation

When a delegator delegates access privileges, the Access Request Manager maintains an audit record of each instance of delegation at the following points:

• When a delegator delegates access privileges to a new delegatee.

• When a delegator disables delegation for an existing delegatee.

• When a delegator enables delegation for an existing delegatee.

• When a delegator withdraws access privileges for delegation from a delegatee.

The audit record is stored in the AuditTransactions table with the following fields:

• Acting User – Who is performing the delegation

• Action - Delegation

• Action Type – Create or Update

• Action Date Time – When the action was performed

• Client IP – The IP address of the client

• Table Name – Delegations table

• Primary Key Field – The primary key of the Delegations table

• Primary Key Value – The primary key value of the Delegations table

• Field Name – The modified field

• Current Value – The current value of the modified field


Chapter 12: Disabling Access For Terminated Users

This chapter describes how to immediately disable access for users who are being terminated.

You can disable access for a user by selecting ACTIONS > PRIORITY DISABLE. The DISABLE USER screen appears, as shown in Figure 67.

Figure 67: Disabling Access with Priority Disable

Click the Search icon to search for the user whose profile needs to be disabled. The SEARCH CONTROL popup enables you to select the profile using the search criteria.

Enter any comments you may have, and select the checkbox to SUBMIT.

Configuring the Search Control Popup

The SEARCH CONTROL popup appears when you search for unique identifiers on the DISABLE USER screen. Use the DISABLEUSERSEARCHOPTION global configuration to configure the fields that appear on the SEARCH CONTROL popup. For instructions on editing the global configuration, refer to “Using the Global Configuration Manager” on page 29.

The default values for the DISABLEUSERSEARCHOPTION are as follows:

• HEADING: Find User

• KEYCOLUMN: ProfileUID

• ISSINGLESELECT: True

• RESTRICTIONCONFIGURATIONNAME: DisableUserSearchRestriction

• ROWSPERRESULTPAGE: 5


• RESULTCOLUMNS: ProfileUID, FirstName, LastName, Location, Department, StartDate

Using the DisableUserSearchRestriction to Implement Restriction

The DisableUserSearchRestriction global configuration enables you to create a custom macro to implement a restriction for the DisableUserSearchOption. The default values include:

• NAME: Priority Disable Restriction

• VISIBLE: False

• LABEL: Terminated Employees

• CLAUSE: Accepts a custom macro or a SQL clause

• DEFAULTVALUES: True

Table 27: DisableUserSearchOption Default Values

| Column-name | Order | Visible | Label | Control |
|---|---|---|---|---|
| ProfileUID | 0 | True | Employee ID | Text |
| FirstName | 1 | True | First Name | Text |
| LastName | 2 | True | Last Name | Text |
| StartDate | 3 | True | Start Date | DateTime |


Chapter 13: Setting Up Email Notifications

This chapter describes how to configure email notifications that are sent when a request is submitted for approval, using the EMAIL TEMPLATES MANAGER.

Email notifications are sent to all the relevant users: the requesters, the Business Managers (first-level approvers), and the second-level approvers who participate in the approval of a request.

Note: The Business Managers by default are the first-level approvers.

The EMAIL TEMPLATES MANAGER offers default email templates for Access Requests, Profile Requests, Role Definition, Priority Disable, and Delegation as shown in Table 28.

Table 28: The Default Email Templates for Notification

| Default Email Type | Sent To | Notification is Sent |
|---|---|---|
| AccessApproval | Requesters, Business Managers, Second-level approvers | If an access item is approved, notification is sent with information about the access item and the approver. Note: Notifications are sent for every access item in a request. For example, if a requester submits a request with three access items and an approver approves two of them, notifications are sent for each approved access item. |
| AccessDenial | Requesters, Business Managers, Second-level approvers | If an access item is denied, notification is sent with information about the access item and the approver. Note: Notifications are sent for every access item in a request. For example, if a requester submits a request with three access items and an approver denies two, notifications are sent for each denied access item. |
| RequestSubmission | Requester | When a request is submitted. |
| ManagerApproval | Business Manager (first-level approver) | If the requester is other than the Business Manager of the recipient, then the Business Manager receives notification for first-level approval. Note: Notification is sent for every single recipient selected in a request. For example, Business Managers receive two notifications if two of their direct reports are selected in a single request. If Business Managers submit requests for their direct reports, the first-level approval is complete. |
| SecondaryApproval | Second-level approvers | Once the first-level approval is complete, notification is then sent to all second-level approvers. |
| ProfileRequestSubmission | Requester | When a profile request is submitted. |
| ProfileApproval | Business Managers | When an approval is required for a new profile. |
| ProfileApproved | Requester | When a profile is approved. |
| ProfileDenied | Requester | When a profile is denied. |
| RoleDefinitionRequestSubmission | Requester | When a role definition request is submitted. |
| RoleDefOwnerPending | Requester | When a role definition is pending approval from a role owner. |
| RoleDefApproverPending | Requester | When a role definition is pending approval from an approver. |
| RoleDefSolicitOwner | Owner (if first-level approver) | Solicits the owner to take action on the pending approval. |
| RoleDefSolicitApprover | Second-level approvers | Solicits the approver to take action on the pending approval. |
| RoleDefapprover | Requester, Owner, Second-level approvers | When a role definition request is approved. |
| RoleDefDeny | Requester, Owner, Second-level approvers | When a role definition request is denied. |
| RoleDefComplete | Requester | When all the approvals are done and the role definition is completed. |
| PriorityDisableRequestSubmission | Requester | When a request is submitted to disable access for a terminated user. |
| DelegateAssigned | Delegators and Delegatees | When delegation is enabled |
| DelegateWithdrawn | Delegators and Delegatees | When delegation is disabled |

Editing a Default Email Template

To customize a default email template:

1. Click ADMIN > ACCESS REQUEST MANAGER, and select EMAIL TEMPLATE CONFIGURATION from the drop-down list. The EMAIL TEMPLATES MANAGER appears as shown in Figure 68.

Figure 68: Email Templates Manager

2. Click the Edit icon to edit the subject or the body text of the email template you selected. See Figure 69.

Figure 69: Add New Email Template

Customize the following fields:

SUBJECT: Enter the topic of the email you want to display to the requester or the approver.

BODY: Enter the message you want to send as a notification. The email template macros specified in the %<macros may be used>% retrieve information from the Profile table.

3. Click Save to save the message or CANCEL to reset to the previous message.

You can customize the data display in the EMAIL TEMPLATES MANAGER grid. To customize, refer to the chapter “Using the Global Configuration Manager” on page 29.


Chapter 14: Customizing the Access Request Manager User Interface

This chapter describes how to customize the Access Request Manager user interface using the AccessReqMgrResources.resx resource file. This resource file is found in the [courion-installation-folder]\CourionARMS\App_GlobalResources folder. Use any text editor to edit the resource file.

The resource file enables you to customize the text displayed for buttons, tabs, and dialog boxes for a specific language or culture by editing the <name>/<value> pair of the XML data tag in the resource file.

For example, change the <value> string as indicated:

<data name="lblRequiredField" xml:space="preserve">
  <value>What are you acting as?</value>
  <comment>Required label</comment>
</data>

Customize the <value> tag to display new text:

<data name="APPROVAL_ACTING_AS" xml:space="preserve">
  <value>Acting As:</value>
  <comment>Required label</comment>
</data>

The APPROVE REQUESTS screen shows “Acting As” as the new text.

Displayed Text in the Resource File

Table 29 lists the displayed text available to you for editing in the resource file.

Table 29: Strings in the Resource File

| Name | Displayed Text | Type | Location |
|---|---|---|---|
| APPROVAL_ACCESS_NO_LONGER_EXISTS | Access has been deleted. | Message appears in the ACCESS column if an access level was deleted before approval. | REQUEST DETAILS |
| APPROVAL_ACTING_AS | Acting As: | Help Text | APPROVE REQUESTS |
| APPROVAL_APP_NO_LONGER_EXISTS | Application has been deleted. | Message appears in the APPLICATION column if an application was deleted before approval. | REQUEST DETAILS |
| DELEGATION_SELECT_ALL_TOOL_TIP | Select or Deselect all | Tool Tip | DELEGATE ACCESS PRIVILEGES |
| DROPDOWN_SELECT_TEXT | ----------Select---------- | Text displayed in a drop-down list | As needed |
| PENDING_APPROVAL_TEXT | Requests Pending Approval | Label for the grid that shows the pending requests | APPROVAL QUEUE |

For additional information about the Multi Language Framework (MLF), refer to The Access Assurance Suite Implementation Guide.

Chapter 15: Managing Access to the Access Request Manager Web Pages

This chapter describes the communities and entitlements that are available to access the Access Assurance Portal.

It also describes how to restrict access to the Access Request Manager web pages based on entitlements, using the SECURITY ADMINISTRATOR.

This chapter includes the following sections:

• “Communities and Entitlements in the Access Assurance Portal” on page 144

• “Securing Access to Web Pages in the Access Request Manager” on page 149

Adding Communities and Entitlements

If you need to add new communities or entitlements, refer to the Support_Note_8.2 document in the www/Docs folder.


Communities and Entitlements in the Access Assurance Portal

Communities and entitlements enable you to access web pages within the Access Assurance Portal. These communities and entitlements are briefly described in this section.

Community

A community is a set of users that have a common set of privileges. The Access Assurance Portal supports the following communities:

• Everyone

• Business Managers

• Owners

• Approvers

• ARM Admins

• Business Users

• Compliance Analysts

• Courion Admins

• Courion Users

• Domain Admins

• IDM Admins

When users authenticate into the Access Assurance Portal, a macro determines the community to which the users belong by matching the community to their Active Directory group membership. To match a community to an Active Directory group, you must create a corresponding group with the same name in the Active Directory Domain. For more information about configuring Active Directory groups, refer to the chapter “Configuring the Access Request Manager” on page 17.

Table 30 lists the community and the corresponding AD group.

Table 30: Communities and their AD Groups

| Community | AD Group |
|---|---|
| Approvers | Approvers |
| ARM Admins | ARM Admins |
| Business Managers | Business Managers |
| Business Users | Business Users |
| Compliance Analysts | Compliance Analysts |
| Courion Admins | Courion Admins |
| Courion Users | Courion Users |
| Domain Admins | Domain Admins |
| Everyone | All users in Active Directory |
| IDM Admins | IDM Admins |
| Owners | Owners |

Entitlements

Entitlements determine the menu items that appear on the Access Assurance Portal and the web pages displayed to the user.

The Access Assurance Portal supports the following entitlements:

• Basic Access

• Business Manager

• Resource Owner

• Access Approver

• ARM Admin

• Business User

• Compliance Analyst

• Admin

• IDM Admin

An entitlement consists of zero or more communities. For example, the Business Manager entitlement consists of the Business Managers community. At installation, the default entitlements are mapped to the menu items.

Table 31 lists the default entitlements, the related communities, AD Groups, and the associated menu items in the Access Assurance Portal.

Table 31: Entitlements with the Related Communities, AD Groups and Menu Items

| Entitlement | Community | AD Group | Menu Item |
|---|---|---|---|
| Basic Access | Everyone | All users in Active Directory | ACTIONS > MANAGE USER ACCESS, VIEW REQUEST, DELEGATION |
| Role.Approvechange | Approvers and ARM Admins | Approvers and ARM Admins | ACTIONS > APPROVE REQUESTS |
| Access.Approvechange | Approvers and ARM Admins | Approvers and ARM Admins | ACTIONS > APPROVE REQUESTS |
| ARM Admin | ARM Admins | ARM Admins | ADMIN > ACCESS REQUEST MANAGER > APPLICATION/ACCESS, ROLE/ACCESS MAPPING ACCESS CATEGORIES CONFIGURATION; GLOBAL CONFIGURATION MANAGER; PICK LIST CONFIGURATION; EMAIL TEMPLATE CONFIGURATION; SECURITY ADMIN; MACRO CONFIGURATION; ACTIONS > ADMIN VIEW ALL REQUESTS; PRIORITY DISABLE; DOCUMENTATION |
| Entitlement.Catalog | Owners and ARM Admins | Owners and ARM Admins | ADMIN > MANAGE ACCESS CATALOG |
| Role.Catalog | Owners and ARM Admins | Owners and ARM Admins | ADMIN > MANAGE ACCESS CATALOG |
| Access.Find | Everyone | Everyone | ACTIONS > MANAGE USER ACCESS |
| Business User | Business Users | Business Users | ACTIONS > MY CERTIFICATION |
| Compliance Analyst | Compliance Analysts | Compliance Analysts | ADMIN > COMPLIANCECOURIER > REVIEWCYCLES |
| Admin | Domain Admins, Courion Admins | Domain Admins, Courion Admins | REPORTS > PASSWORD RESETS; COMPLIANCE ACTIVITY; USER LIFECYCLE; ALL ACCOUNTS BY TARGET; ALL ACCOUNTS BY USER; REQUESTS SUBMITTED BY DATE; ADMIN > COMPLIANCECOURIER > ADMINISTRATION MANAGER; TREE VIEW; FLOW CHART VIEW; ADMIN > ACCOUNTCOURIER > ADMINISTRATION MANAGER; TREE VIEW; FLOW CHART VIEW; ADMIN > PASSWORDCOURIER > ADMINISTRATION MANAGER; TREE VIEW; FLOW CHART VIEW; ADMIN > PASSWORDCOURIER > PASSWORDCOURIER CLASSIC; CUSTOMIZATION MANAGER; ADMIN > PROFILECOURIER > ADMINISTRATION MANAGER; TREE VIEW; FLOW CHART VIEW; ADMIN > PROFILECOURIER > PROFILECOURIER CLASSIC; CUSTOMIZATION MANAGER; UTILITIES > ENABLE USERS; SECURE FIELDS; MIGRATION UTILITY |
| IDM Admin | IDM Admins | IDM Admins | REPORTS > MAPPING OVERVIEW; MAPPING REPORTS; ADMIN > IDENTITY MAPPING > DATA FEEDS; MAPPING RULES |

For example, a user who belongs to the Business Managers AD group is in the Business Managers community. Since the Business Managers community resides in the Business Manager entitlement, all menu items associated with this entitlement are displayed to the user. If a user belongs to multiple groups, the user sees all the related menu items.

Securing Access to Web Pages in the Access Request Manager

The entitlements also determine the web pages displayed to the user. Follow the steps in this section to give access to specific web pages in the Access Request Manager.

Note: The default is no access.

Select ADMIN > ACCESS REQUEST MANAGER > SECURITY ADMIN. The SECURITY ADMINISTRATOR appears as shown in Figure 70.

Figure 70: Managing Access with the Security Administrator

Click ADD ENTITLEMENT. A screen appears for you to add the entitlement and an alias, as shown in Figure 71.

Figure 71: Add Entitlement

Enter the ENTITLEMENT in the text box, such as Business Manager. Enter an ALIAS, such as Business Managers. Click INSERT.

Next, click ADD PAGE to assign a web page to the entitlement you just added. Enter the web page in the PAGE field to which you want to enable access, as shown in Figure 72.


Figure 72: Add Web Page

For example, add accessrequest.aspx. Select the ENTITLEMENT alias from the drop-down list, for example Business Managers. Select INSERT to add the web page to the SECURITY PAGES. Only those users who belong to the Business Managers community can see the page you added.

Entitlement and Web Page Pairs in the Access Request Manager

Table 32 lists the default entitlement and web page pairs in the Access Request Manager.

Table 32: Web Pages and the Entitlements

| Entitlement | Web page |
|---|---|
| Basic Access | accessrequest.aspx |
| Basic Access | viewrequest.aspx |
| Access.approvechange | approvalqueue.aspx |
| ARM Admin | rolemanager.aspx |
| ARM Admin | disableuser.aspx |
| ARM Admin | globalconfigurationmanager.aspx |
| ARM Admin | manageapplications.aspx |
| ARM Admin | editapplication.aspx |
| ARM Admin | manageemailtemplates.aspx |
| ARM Admin | picklistadmin.aspx |
| ARM Admin | admin/viewrequest.aspx |
| ARM Admin | securityadmin.aspx |
| ARM Admin | editrole.aspx |
| ARM Admin | roledetails.aspx |
| ARM Admin | editemailtemplate.aspx |
| Role.approvechange | approvalqueue.aspx |
| Basic Access | DelegateAccessPrivileges.aspx |
| ARM Admin | editemailtemplate.aspx |
| Role.Catalog | Manage Access Catalog |
| Entitlement.Catalog | Manage Access Catalog |


Adding Web Pages For a New Entitlement

If, for example, you want to add a new Active Directory group, such as HR Managers, and provide access to the Priority Disable page so that its members can disable access for a terminated user, follow these steps:

1. Create HR Managers in the Active Directory domain.

2. Add the HR Managers AD group to the AD account of all HR Managers who you want to allow to use the Priority Disable web page.

3. Create an HR Managers community and add the HR Managers AD group to it.

4. Create an HR Manager entitlement and add the HR Managers community to it.

5. Assign the PRIORITY DISABLE menu item to the new HR entitlement. To do this, you need to contact Courion Professional Services at:

http://www.courion.com/contact/index.html

6. Follow the steps in “Securing Access to Web Pages in the Access Request Manager” on page 149 to add the web page disableuser.aspx for the HR Manager entitlement.
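The chain this chapter describes (AD group, community, entitlement, web page, with no access by default) can be modelled to check who can reach a page before and after a change such as the HR Managers procedure. The following Python model is an added example, not Courion code: the class and function names are assumptions, the rows are a subset of Tables 31 and 32, and names are compared case-insensitively because the tables spell Access.Approvechange two ways.

```python
# Added illustration, not Courion code. Class and function names are
# assumptions; the data rows are a subset of Tables 31 and 32.

EVERYONE = "Everyone"  # community that covers all users in Active Directory

# Table 31 (subset): entitlement -> communities. Each community maps to an
# AD group of the same name (Table 30).
DEFAULT_ENTITLEMENTS = {
    "Basic Access": {"Everyone"},
    "Access.Approvechange": {"Approvers", "ARM Admins"},
    "Role.Approvechange": {"Approvers", "ARM Admins"},
    "ARM Admin": {"ARM Admins"},
}

# Table 32 (subset): entitlement / web page pairs.
DEFAULT_PAGES = [
    ("Basic Access", "accessrequest.aspx"),
    ("Basic Access", "viewrequest.aspx"),
    ("Basic Access", "DelegateAccessPrivileges.aspx"),
    ("Access.approvechange", "approvalqueue.aspx"),
    ("Role.approvechange", "approvalqueue.aspx"),
    ("ARM Admin", "disableuser.aspx"),
    ("ARM Admin", "securityadmin.aspx"),
    ("ARM Admin", "admin/viewrequest.aspx"),
]


def _key(name):
    """Normalise a name so that spelling variants in case still match."""
    return name.strip().casefold()


class AccessModel:
    def __init__(self):
        self._communities = {}  # entitlement key -> set of community keys
        self._pages = {}        # page key -> set of entitlement keys
        self._display = {}      # community key -> name as first entered

    def add_entitlement(self, entitlement, communities):
        keys = set()
        for community in communities:
            self._display.setdefault(_key(community), community)
            keys.add(_key(community))
        self._communities.setdefault(_key(entitlement), set()).update(keys)

    def add_page(self, entitlement, page):
        # A page can only be paired with an entitlement that already exists.
        if _key(entitlement) not in self._communities:
            raise ValueError(f"unknown entitlement: {entitlement!r}")
        self._pages.setdefault(_key(page), set()).add(_key(entitlement))

    def entitlements_for(self, ad_groups):
        # Every authenticated user is also in the Everyone community.
        member_of = {_key(g) for g in ad_groups} | {_key(EVERYONE)}
        return {e for e, comms in self._communities.items() if comms & member_of}

    def can_view(self, ad_groups, page):
        # Default is no access: an unlisted page has no entitlements.
        allowed = self._pages.get(_key(page), set())
        return bool(allowed & self.entitlements_for(ad_groups))

    def communities_with_access(self, page):
        """List every community that can reach a page, for review."""
        comms = set()
        for entitlement in self._pages.get(_key(page), set()):
            comms |= self._communities[entitlement]
        return sorted(self._display[c] for c in comms)


def build_default_model():
    model = AccessModel()
    for entitlement, communities in DEFAULT_ENTITLEMENTS.items():
        model.add_entitlement(entitlement, communities)
    for entitlement, page in DEFAULT_PAGES:
        model.add_page(entitlement, page)
    return model


def add_hr_managers(model):
    """Steps 3, 4 and 6 of the HR Managers procedure above."""
    model.add_entitlement("HR Manager", {"HR Managers"})
    model.add_page("HR Manager", "disableuser.aspx")
    return model


if __name__ == "__main__":
    model = add_hr_managers(build_default_model())
    print(model.communities_with_access("disableuser.aspx"))
    print(model.can_view({"HR Managers"}, "securityadmin.aspx"))
```

Running `communities_with_access` on a sensitive page such as disableuser.aspx before and after a change shows exactly which communities the change admitted.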


Chapter 16: Creating Profiles

This chapter describes how to add a new profile and the items for creating and approving a new profile. It includes the following sections:

• “Configuring Items to Add a New Profile” on page 154

• “Configuring DefaultApproverProfileUID Global Configuration” on page 155

• “Approval Workflow for New Profiles” on page 156

• “Access Request Approval Workflow for a New Profile” on page 157


Configuring Items to Add a New Profile

A requester can create a new profile by launching the Profile Manager through the ACTIONS > ADD USER link.

Use the PROFILEMANAGERURL global configuration to provide the link to Profile Manager. The default URL contains the following link:

http://SERVERNAME/courion/WebSamples/AccessOptions/HTML/AccountCourier/default.asp?Workflow=WORKFLOW&

Replace the SERVERNAME with the correct machine name, and update the WORKFLOW with the name of the default AccountCourier® or custom workflow.

This link does not appear by default since the Is Profile Manager custom macro is set to false. The link appears only when the Is Profile Manager custom macro resolves to true.

The Profile Manager connects to the default AccountCourier® workflow, which enables you to create or modify a profile. Any AccountCourier® or custom workflow that you create needs to satisfy the following requirements:

• Point to the Profile table to enable adding of a new profile with a unique ProfileUID.

• Create a row in the IdentityMap table that points to the newly created ProfileUID.

• Call the CreateProfileChangeRequest stored procedure.

The requester can submit a request for the newly created profile. The request status, however, remains on hold until the profile is approved and the Active column in the Profile table is set to true.

Providing a Label for the Profile Manager Link

Use the PROFILEMANAGERURLLABEL global configuration to change the default ADD USER label.

Configuring DefaultApproverProfileUID Global Configuration

Use the DEFAULTAPPROVERPROFILEUID global configuration to configure an approver by inserting this value into the GlobalConfigValues table. Navigate to the GlobalConfigValues table in the [courion-installation-folder], and add the following values: DefaultApproverProfileUID in the ConfigName column, the approver ProfileUID in the ConfigValue column, and Text in the ConfigType column.

Approval Workflow for New Profiles

A Manager can create a profile for a user through the ACTIONS > CREATE/MODIFY PROFILE screen. A profile approval may include the following scenarios:

• If the Manager specifies a Manager ID on the CREATE/MODIFY PROFILE screen for the AccountCourier® workflow, the profile approval is sent to the specified Manager.

• If the Manager (requester) specifies his own ProfileUID as the ManagerID, then the approval is sent to the requester’s Manager.

• If the Manager does not specify a Manager ID, the approval is sent to an approver specified in the DEFAULTAPPROVERPROFILEUID global configuration. To specify a value, refer to the section “” on page 157.

• If the Manager does not specify a Manager ID, and there is no approver configured through the DEFAULTAPPROVERPROFILEUID global configuration, then the profile approval is sent to the requester’s Manager.

Note: Notifications are sent to the requesters and recipients according to the scenario that applies. However, if the Manager specifies one or more approvers, the profile approval is sent only to the specified approvers, overriding the above scenarios.

Access Request Approval Workflow for a New Profile

If the Manager requests access for the new profile that he created, the profile needs to be approved first. Once the profile is approved, the access request workflow for a new profile follows these steps:

1. Manager B creates a profile for a direct report. A notification is sent to Manager A (Manager of Manager B) to approve the profile.

2. Meanwhile, Manager B requests access for the direct report. The access request is On Hold until the profile is approved.

3. Manager A approves the profile request. Once the profile is approved, the following action may result:

• The access request is automatically approved if there is no access approver defined for the second-level approval. This happens because the Manager requested the access, so the first-level approval is granted automatically.

• The access request remains pending if an access approver is defined. The request is approved if the access approver approves it.
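
The routing rules in “Approval Workflow for New Profiles” and the hold/approve behavior in this section can be written out as a small model for checking who receives an approval under a given configuration. This is an added example, not Courion code; the function names, parameters, and sample ProfileUIDs are hypothetical, and it assumes an empty DefaultApproverProfileUID value counts as not configured.

```python
# Added illustration, not Courion code: a model of the routing rules in this
# chapter. All function and parameter names here are hypothetical.

def resolve_profile_approvers(requester, requester_manager, global_config,
                              manager_id=None, explicit_approvers=()):
    """Return the ProfileUIDs that receive the new-profile approval."""
    # Note in the chapter: explicitly specified approvers override every scenario.
    if explicit_approvers:
        return list(explicit_approvers)
    if manager_id:
        # Requester entered his own ProfileUID as the Manager ID:
        # the approval goes to the requester's Manager instead.
        if manager_id == requester:
            return [requester_manager]
        return [manager_id]
    # No Manager ID: use DefaultApproverProfileUID when configured.
    # Assumption: a missing or empty ConfigValue counts as "not configured".
    default_approver = global_config.get("DefaultApproverProfileUID")
    if default_approver:
        return [default_approver]
    return [requester_manager]


def access_request_status(profile_active, access_approver_defined,
                          access_approver_approved=False):
    """Status of an access request the Manager filed for a new profile."""
    if not profile_active:            # Active column in Profile is still false
        return "On Hold"
    if not access_approver_defined:   # first level is automatic, no second level
        return "Approved"
    return "Approved" if access_approver_approved else "Pending"


def walk_through():
    """Constructed sample: Manager B creates a profile; Manager A is B's Manager."""
    config = {}  # constructed: no DefaultApproverProfileUID row
    approvers = resolve_profile_approvers("managerB", "managerA", config)
    before = access_request_status(False, access_approver_defined=True)
    after = access_request_status(True, access_approver_defined=True)
    final = access_request_status(True, True, access_approver_approved=True)
    return approvers, [before, after, final]


if __name__ == "__main__":
    print(walk_through())
```

Running the model against each scenario before changing DEFAULTAPPROVERPROFILEUID shows which approvals would move to the default approver and which would still go to the requester's Manager.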
