Defining operations
Select the operations to be performed on resources to define what will happen once a pre-defined request is approved.
Note
If adding a resource would put the pre-defined request in violation of a segregation of duties rule, the addition is disallowed or the resource's default operation is changed to Delete.
To define operations for a pre-defined request:
Navigate to the Pre-defined request information page for a PDR (General tab).
Select the Operations tab.
Select the sub-tab link for:
Existing account to add operations for existing accounts (e.g., update, enable, disable, delete, move).
New account to add operations to create accounts based on a template account.
Managed group to add operations to join, leave, or edit managed groups.
Role to add operations to assign or revoke roles.
Profile to add operations to enable or disable profiles.
Configuration object to add operations to create a configuration object or add an entitlement member.
Custom to add custom operations.
This type of operation may be used, for example, in scripted solutions for onboarding of systems and accounts, and collecting target credentials for systems being onboarded.
Define operations on specified entitlements or resources, where applicable.
Define operations on either all or user-selected entitlements, where applicable.
For Profile operations, determine whether the enable or disable profile operation is required or optional.
Operations on specified entitlements/resources
To define operations on specified groups, accounts, or roles:
Click Select… in the upper table.
Select one or more target systems (for existing accounts), template accounts (for new accounts), managed groups, or roles, then click Select.
Select an Operation from the drop-down list next to the entitlement, if options are available.
For operations that add a group membership, account, or role, determine whether the new entitlement or resource is required or optional by selecting the appropriate option in the Necessity column.
Click Add operation next to an entitlement or resource to add more operations, if applicable.
Click Update.
It helps to understand how the Necessity column behaves when the pre-defined request is run from a report or from the View and update profile (IDR) module. The table below shows the impact of the Required and Optional settings on the pre-defined request:
Necessity | Submitted via report output | Submitted by an end user |
Required | Attributes are mapped automatically to the report output. | The operation cannot be removed from a request. |
Optional | You will be prompted to map the pre-defined request attributes to the report output. | The operation is optional. |
Operations on either all or user-selected entitlements
If you select an operation from the checklist in the lower table and click Update, this has one of two effects, depending on whether it applies to 'All' or 'User-selectable' entitlements (not all operations have both):
All means the operation will be performed on all entitlements of one type.
If 'All' is selected for update accounts, only the accounts with an account attribute mapped to the modified profile attribute will be updated.
User-selectable means the operation will only be performed on entitlements selected by the requester, who can choose from all entitlements of one type.
For example, if you select "Assign group" for managed groups, users will be able to join or leave any managed group on any target system.

Note
There is no place in the user interface to configure authorizers for enable/disable profile operations. You must use the authorizer criteria modification plugin to add authorizers on the request or set the number of authorizations required. Enable/disable operations in requests are affected by the MIN AUTHORIZERS variable.
Next:
Select attributes to be displayed on the request form.