
EmpowerID Admin Lab 16: Access Management Configuration

Purpose

This lab guides you through the process of configuring groups and management roles to be requestable through the EmpowerID IAM Shop. You will assign appropriate ownership and approval policies, define eligibility for users to request access, and verify the request, approval, and fulfillment workflows. By the end of this lab, you will understand how to make both security groups and provisioning policies available for self-service access management.


Prerequisites

  1. Access to the EmpowerID training environment.
  2. An Active Directory account store with groups located in the "Common Groups" OU.
  3. Familiarity with the IAM Shop interface, provisioning policies, and approval workflows.

Steps

1. Configure Groups in Resource Admin

  1. From the navigation bar, go to Identity Administration > Resource Admin.
  2. Choose Groups, then run the Manage Group workflow.
  3. Browse to the organizational unit path: IT Systems > AD Domain > Common Groups.
  4. Select all the groups under this OU and click Next to proceed to configuration.

Set IAM Shop Configuration

  1. Mark each group as Requestable in the IAM Shop so users can find and request access to them.
  2. Assign the Default Access Request Policy, which defines the approval process and fulfillment workflow.
  3. In the eligibility settings:
    • Specify that any role in the Default Organization can request these groups.
  4. Click Next, review the summary, and confirm the changes.

Set Group Ownership

  1. Rerun the Manage Group workflow on the same set of groups to modify the ownership.
  2. Assign yourself as the Responsible Party—this will make you the default approver for access requests.
  3. Click Next and Submit to apply the changes.

2. Configure Pre-Approved Eligibility (Legacy Admin Interface)

  1. Switch to the Legacy Admin Interface and go to Identity Administration > Groups.
  2. Search for and open the Gym Roster Group.
  3. Go to the Advanced tab and locate the Eligibility section.
  4. Add a new eligibility condition:
    • Select Pre-Approved Eligibility.
    • Assign it to Any Role in the Default Organization.
  5. This setting allows qualified users to activate access without requiring approval.
  6. Confirm that both standard and pre-approved eligibility conditions are listed.

3. Create a Requestable Management Role

  1. Navigate to Role Management > Management Roles and run the Onboard Management Role workflow.
  2. Enter the following:
    • Name: Sales Management System Account Request
    • Location: Temporary
    • Responsible Party: Yourself
  3. Enable the Requestable in IAM Shop option so users can request the role.
  4. Assign the Default Access Request Policy to control approval behavior.
  5. For Eligibility, choose All Employee Roles in All Business Locations.
  6. Skip the permanent membership assignment section.
  7. Click Submit to complete role creation.

4. Assign the Management Role to the Provisioning Policy

  1. Go to Identity Lifecycle > Provisioning Policies.
  2. Open the provisioning policy for the Sales Management System Account.
  3. Scroll to the Assignees section.
  4. Add the Sales Management System Account Request management role.
    • This ensures users assigned to the role will receive the entitlement defined by the policy.
  5. Save your changes.

5. Request Access via IAM Shop

  1. Navigate to IAM Shop > Shop for Access.
  2. Search and verify:
    • Common Groups are now listed and requestable.
    • Gym Roster group displays an Activate button (indicating pre-approval is active).
    • The Sales Management System Account Request role appears.

Shopping for Someone Else

  1. Click the Shop for Someone Else tab.
  2. Select any person from the list as the target person.
  3. Request access for:
    • Social Event Calendar
    • Gym Roster
    • Sales Management System Account Request role
  4. Add items to your cart and provide justifications for each request.
  5. Click Submit to complete the access request.

6. Approve Access Requests

  1. Navigate to Business Requests to review submitted access requests.
  2. Open the submitted request:
    • Pre-approved items (e.g., Gym Roster) will be auto-approved.
    • Items requiring approval (e.g., other groups and roles) will show you as the assigned approver.
  3. Review the justifications, approve each pending item, and click Submit Decisions.
  4. Refresh the page until all items display a status of Approved.

7. Monitor Fulfillment

  1. In the Business Requests page, monitor the Fulfillment Status for each item:
    • Gym Roster: should immediately show Succeeded.
    • Other items: progress from Pending to Succeeded after processing.
  2. Go to Resource Admin > Management Roles.
    • Open the Sales Management System Account Request role.
    • Confirm that your user is now listed as a Member.
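
The routing that steps 5 through 7 verify can be modelled in a few lines. This is an added example, not EmpowerID code or its API: the data model, the `labadmin` account name and the three review checks are assumptions constructed here. Pre-approved eligibility yields immediate approval, standard eligibility routes to the Responsible Party, and the review pass lists settings an administrator would want to look at again.

```python
from dataclasses import dataclass, field
from typing import Optional

ORG_WIDE = "Any Role in the Default Organization"            # scope label from this lab
ALL_EMPLOYEES = "All Employee Roles in All Business Locations"

@dataclass
class ShopItem:                      # hypothetical model of one IAM Shop item
    name: str
    requestable: bool
    responsible_party: Optional[str]
    eligible: set = field(default_factory=set)       # scopes that may request
    pre_approved: set = field(default_factory=set)   # scopes that skip approval

def route(item, target_scopes):
    """Return (decision, approver) for one cart line, following the lab's rules."""
    if not item.requestable:
        return ("not_listed", None)
    if item.pre_approved & target_scopes:
        return ("auto_approved", None)               # shown as an Activate button
    if item.eligible & target_scopes:
        return ("pending_approval", item.responsible_party)
    return ("not_eligible", None)

def review_findings(items, requester, target_scopes):
    """Flag configurations worth reviewing; the checks are this example's own."""
    findings = []
    for it in items:
        decision, approver = route(it, target_scopes)
        if ORG_WIDE in it.pre_approved:
            findings.append((it.name, "org-wide pre-approval skips the approver"))
        if it.requestable and not it.responsible_party:
            findings.append((it.name, "requestable but no Responsible Party"))
        if decision == "pending_approval" and approver == requester:
            findings.append((it.name, "requester is also the approver"))
    return findings

# Constructed sample mirroring the lab's end state; "labadmin" stands for "yourself".
ITEMS = [
    ShopItem("Social Event Calendar", True, "labadmin", {ORG_WIDE}),
    ShopItem("Gym Roster", True, "labadmin", {ORG_WIDE}, {ORG_WIDE}),
    ShopItem("Sales Management System Account Request", True, "labadmin",
             {ALL_EMPLOYEES}),
]
TARGET_SCOPES = {ORG_WIDE, ALL_EMPLOYEES}   # scopes held by the target person

if __name__ == "__main__":
    for it in ITEMS:
        print(it.name, "->", route(it, TARGET_SCOPES))
    for name, note in review_findings(ITEMS, "labadmin", TARGET_SCOPES):
        print("REVIEW:", name, "-", note)
```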

8. Validate Policy Effect

  1. Navigate to Provisioning Policies.
  2. Open the Sales Management System Account policy.
  3. Under Resultant Assignees, confirm:
    • Your user appears in the list.
    • Their account will be provisioned by the Resource Entitlement Inbox Processor during the next processing cycle.

Completion

After confirming that all group and role access requests are approved and fulfilled—and that the provisioning policy triggered account creation—this lab is complete. You are now ready to continue with the next EmpowerID lab to deepen your knowledge of access governance and automation.

