GKA authorises BVG

As soon as a user has successfully completed the Access Request process, and you are responsible for the access management of the business roles in your office, you will receive the following e-mail in your IDM role as GKA.

1 The mailbox (defined per office) contains the e-mail generated by eIAM with the user's access request information. Copy the user ID (highlighted in yellow in the example) and click the link given in the e-mail:


[Note: You can also authorise users who have not yet requested access. In this case, start directly with step 2.]
2 For an access request made by e-mail, the User ID and the corresponding Client are already filled in; press Search to open the user administration page.
Users without an explicit access request by e-mail can be searched for and authorised by entering the user ID or the name (* can be used as a wildcard at the beginning and at the end).
3 Click on the User ID
4 The user administration page now displayed consists of three blocks:
- Data on the identity of the applicant with contact information.
- Information on the user's authentication data
- Information on the user's profile, which contains their roles.

Then click on the User Profile at the bottom of the page

5 This opens the Authorisation Cockpit for the roles GKA, BVA and BVG.
This view consists of three parts:
1. IDM roles: used by GKDs and GKAs to administer IDM roles.
2. Business roles: used by BVGs to administer business roles.
3. Roles: used by BVAs to manage specialist application roles.

6 In the IDM role GKA
GKA-specific authorisation tasks are carried out in the IDM roles and User profile management area.

Procedure:
1. Assignment of the IDM role LOB.

2. Restriction of the BVG role to the client.
In eIAM-IDM, a client is broadly understood to be the entire office or organisation for which the GKA and the BVG work.
Click on "Add client". This brings up the client search screen. Entering part or all of the client name returns the matching clients. Selecting the client name restricts the view of the user being authorised (users, applications, etc.) to the data of that client.


3. Restriction of the SNB role to the Access Management Unit.
In the current version of eIAM AccessManagement, a flat, single-level organisation is implemented: all persons to be authorised are managed in one unit called "AccessRequest" (their user profile is filed there by the first eIAM user access request). It is the task of the GKA to give the BVG access to these users. The GKA must therefore add the "AccessRequest" unit to the BVG role; otherwise, the users to be authorised will not be visible to the BVG.


4. Assigning the business roles to the BVG role.
In this step, the GKA assigns all or specific business roles to the BVG. To do this, the GKA clicks the button "Add business roles".
There are several ways to search for one or more business roles:
- No entry before clicking Search: all business roles assigned to the client are listed.
- Part of the name (with the wildcard * at the beginning or end): only those business roles assigned to the client whose name contains the specified part are listed.
Clicking on the desired business roles adds them to the user. If the user is to be authorised as LOB for all business roles, it is sufficient to activate the checkbox "Authorised for all business roles".


5. Optional: GKA and BVG with the "SelfAdmin" role (double roles: GKA + BVG, or BVG + business roles)
If a person at a client holds, for example, the LOB role for SharePoint and should also use SharePoint themselves, this BVG cannot authorise themself: for security reasons the IDM system hides their own person from the search space (the "Chinese wall principle", i.e. nobody may grant themselves access). The GKA can explicitly override this principle by assigning the additional IDM role SelfAdmin to the BVG. The alternative is to appoint a second BVG who grants the first one the business role rights. Note that SelfAdmin removes this separation-of-duties safeguard for that person, so prefer the second-BVG alternative where practical and document why SelfAdmin was granted.

7 Finally, inform the user that the permissions have been granted and ask them to verify that they can access the business application.

Revoking IDM roles and generating reports


Revocation of IDM roles
Find the user and click on the pencil icon next to the IDM role. In the next window:
1. click "Delete role assignment", and then
2. confirm with "Delete".
Generate reports
Various reports are available.
To recertify the roles, select "Users per application" and click on "Generate report".
Open the Excel table. It lists all users with roles in your office. Use the data filter to display only the users of a single application. The column "Last Login" shows when the user last used the application; assignments whose user has not logged in for a long time (or never) are the candidates to revoke during recertification.
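The recertification step above is done by hand in Excel. The following is an added example (not part of eIAM or this page) that does the same filtering in a script: it reads the "Users per application" report and flags every role assignment whose user has not logged in within a given window. It assumes the Excel report has been saved as a semicolon-separated CSV, that the columns are named "Application", "User ID", "Business Role" and "Last Login" with dates in DD.MM.YYYY format, and that an empty "Last Login" means the user never logged in; the column names, the date format and the sample rows are assumptions and constructed data, not taken from a real export.

```python
"""Recertification helper for an eIAM "Users per application" report.

Added example, not eIAM code. Assumptions not stated on the page:
  * the Excel report was saved as a ';'-separated CSV,
  * columns are "Application", "User ID", "Business Role", "Last Login",
  * dates are DD.MM.YYYY; an empty "Last Login" means "never logged in".
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export; a real one comes from "Generate report".
SAMPLE_REPORT = """\
Application;User ID;Business Role;Last Login
SharePoint;U12345;SP_Editor;15.03.2024
SharePoint;U23456;SP_Reader;02.11.2023
SharePoint;U34567;SP_Editor;
Finance;U12345;FIN_Viewer;20.03.2024
Finance;U45678;FIN_Approver;30.09.2023
"""


def parse_report(text):
    """Return the report rows as dicts, with "Last Login" as a date or None."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter=";"):
        raw = (rec.get("Last Login") or "").strip()
        rec["Last Login"] = datetime.strptime(raw, "%d.%m.%Y").date() if raw else None
        rows.append(rec)
    return rows


def review_list(report_text, today_iso, max_idle_days=90, application=None):
    """Flag assignments whose user has not logged in within max_idle_days.

    Mirrors the manual steps: optionally filter to one application, then
    look at "Last Login". Users who never logged in are always flagged.
    Returns sorted "Application/User ID/Business Role" strings.
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=max_idle_days)
    flagged = []
    for r in parse_report(report_text):
        if application and r["Application"] != application:
            continue
        last = r["Last Login"]
        if last is None or last < cutoff:
            flagged.append(f'{r["Application"]}/{r["User ID"]}/{r["Business Role"]}')
    return sorted(flagged)


def recert_summary(report_text, today_iso, max_idle_days=90):
    """Per application: total assignments and how many need review."""
    summary = {}
    for r in parse_report(report_text):
        summary.setdefault(r["Application"], {"total": 0, "review": 0})
        summary[r["Application"]]["total"] += 1
    for entry in review_list(report_text, today_iso, max_idle_days):
        summary[entry.split("/")[0]]["review"] += 1
    return summary


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives reproducible results.
    for entry in review_list(SAMPLE_REPORT, "2024-04-01"):
        print("REVIEW", entry)
    print(recert_summary(SAMPLE_REPORT, "2024-04-01"))
```

Run it against the saved CSV instead of SAMPLE_REPORT to get the list of assignments to confirm or revoke; the 90-day window is a parameter, not an eIAM default.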