Layer 7 Identity Management

Expand all | Collapse all

CA Identity Portal - Access Request flow

Jump to Best Answer
  • 1.  CA Identity Portal - Access Request flow

    Posted 09-05-2018 11:09 PM

    User can make request from CA Identity Portal, let said user select "VPN" access by click "+" icon,then required to fill up their mobile number(user have to keyin mobile no. manually) and check out (IM assign the VPN access & update the mobile number been used into target VPN system).


    Let said now, user want to change the mobile number been used in VPN access, what should be the flow ?

    a) Do I build custom form(in Portal) for user just to change their mobile number used in VPN access ?

    b) Is there another way ?

    Note: As I understand, in Access Request ->Users can only select "+" or "-" to add or remove access but there is no "Modify" access....



  • 2.  Re: CA Identity Portal - Access Request flow

    Posted 09-06-2018 12:21 PM

    Hi William, 

     

    If the mobile number is part of the user's attributes, it may be best to add it into your modify user form to allow users to update it this way. Or, if the attribute is stored elsewhere you can create a new form for modifying. I think you're correct that it won't be possible to modify the number in the add/remove access page. 

     

    Thank you, 

    Jennifer



  • 3.  Re: CA Identity Portal - Access Request flow

    Posted 09-06-2018 10:20 PM

    Hi Jennifer,

    I aware that mobile number can be a user attribute. My concern is more on how to handle additional attribute(on target application) to be fill up during access request. This is very common in customer env.  Anyway thanks for the clarification. 

     

    regards,

    William



  • 4.  Re: CA Identity Portal - Access Request flow
    Best Answer

    Posted 09-12-2018 08:23 AM

    The form seen in the access request is the form defined in the execution plan.

    Fined the permissions you need to change:

    Find target permission element

    When you edit the permission, you will see the execution plan

    The execution plan is tied to a forms

    In those forms you can define the attributes you want to fill. All attributes available in the userstore definitions, as well as LAH will be available.



  • 5.  Re: CA Identity Portal - Access Request flow

    Posted 09-12-2018 10:11 PM

    Hi Gil,

    Just to confirm, u are saying that i can enable the "Modify Form" point to a task. Then i can allow users to modify their mobile number. Meaning that beside "+" or "-' icon, i can allow user to make modification on their existing access ?

     

     

    regards,

    William



  • 6.  Re: CA Identity Portal - Access Request flow

    Posted 09-13-2018 03:29 AM

    Yes. Every Portal form is linked to a task, which is an IM task.



  • 7.  Re: CA Identity Portal - Access Request flow

    Posted 09-24-2018 11:27 PM

    Just to share, after I enable the Modify Form. I can see this(a "repair tool icon") in Portal.

    Which mean I can modify my existing Role and change the attributes(Mobile Number) that link to it.  

     



  • 8.  RE: Re: CA Identity Portal - Access Request flow

    Posted 06-27-2019 09:16 AM
    Hi All,

    I am new to CA Identity Portal and need some help. I am trying to implement the Access Module.
    1. Created a Target Permission
    2. Assigned that to a Role
    3.  I have added an execution plan and in that plan I have selected Add and Remove options

    When I login as an end user, I can see the role available, but there are no +(add) or -(remove) buttons available. Am I missing something?


  • 9.  RE: Re: CA Identity Portal - Access Request flow

    Posted 06-27-2019 09:21 AM
    For this to happen:

    1. The user needs to be an administrator of the provisioning role with a user scoping authority to assign the role to self (where userID = admin's userID)


    2. The user needs to have an admin role with a permission scope to execute the task that adds/revokes the provisioning role.

    The easiest wait to test scoping and authority is to login to CA Identity Manager UI as the normal user and try to assign the role to self. If you can do this from the Identity Manager UI, then you will see the +/- signs in the entitlements access catalog.





  • 10.  RE: Re: CA Identity Portal - Access Request flow

    Posted 06-27-2019 09:35 AM
    Yes, I am trying to add using an administrator.
    The user can add/remove members from the role in CA Identity Manager but the add/remove button is not available in the Portal.

    Also, what role do forms play? I have added a form to the add action and linked it to modifyProvisioningRole task. Still no luck. See below screenshot - No add button



  • 11.  RE: Re: CA Identity Portal - Access Request flow

    Posted 06-27-2019 10:43 AM
    Edited by IYES DENDENI 06-27-2019 10:45 AM
    Forms provide essentially 2 main capabilities:

    1. They map user attributes in the access request to the back-end user attributes in the corporate directory
    2. They are linked to the specific tasks that you need to execute in the back-end Identity Management engine.

    The flow is as follows:

    1. Define a Provisioning Role in CA Identity Manager (linked to an account template and an endpoint type instance, etc.) 

    2. Restart the CA Identity Manager main connector from the Identity Portal Admin UI

    3. Create a Target Permission in IP that is linked to the newly imported Provisioning Role (Mod Type is ADD - see screenshot)



    4. Define your Execution Plan for this Target Permission (select a previously defined Execution Plan):

    5. Your Execution Plan Calls a Form (you previously created) - make sure you define which Forms to call for adding and Removing the role:


    6. The Forms that you call in the Execution Plan (to handle the Add and Remove of the Target Permission) will in turn call specific tasks to execute the Add and Remove actions in the back-end Identity Manager system. The screenshot below shows the details of the Form 'Assign Role Manager Approval' and the task that it calls:



    7. The additionOperation and removalOperation in the task definition should be directChange and *not* executeTask





  • 12.  RE: Re: CA Identity Portal - Access Request flow

    Posted 07-03-2019 01:49 PM
    Mukul,

    You may find this relationship map helpful.




  • 13.  RE: Re: CA Identity Portal - Access Request flow

    Posted 07-03-2019 07:18 PM
    Hi Mukul, if missing "+" or "-" mean that u are missing the configuration for execution plan. 
    U need to specify "Add form" in ur execution plan, in order to show "+" sign.


  • 14.  RE: Re: CA Identity Portal - Access Request flow

    Posted 07-08-2019 10:28 AM
    Thank you Iyes, William and Jeremy. The flow help me understand and implement the Access Module.

    Regards,
    Mack


  • 15.  RE: Re: CA Identity Portal - Access Request flow

    Posted 08-07-2019 11:09 AM
      |   view attached
    I built a quick start guide to help navigate the process. Please ensure that you apply your site specific scoping for proper security. This example allows anyone to request for themselves.

    ------------------------------
    Thanks,
    Jeremy
    ------------------------------

    Attachment(s)



  • 16.  RE: Re: CA Identity Portal - Access Request flow

    Posted 08-07-2019 09:37 PM
    Thanks Jeremy for sharing this very useful documentation on Access Request. 
    This documentation, should be part of docops :)


  • 17.  RE: Re: CA Identity Portal - Access Request flow

    Posted 08-08-2019 02:09 AM
    As part of our improvement plan, we already have an item to improve Access Request documentation. Jeremy has already shared this content (pdf) with us.
    Surely, we will plan to update DocOps with the improved Access Request content.

    Regards
    Shamlee