
Configuring Self-Service Access Management

Overview

In this module, we focus on EmpowerID’s Self-Service Access Management, specifically how to configure and manage access requests through the IAM Shop, which serves as EmpowerID’s self-service portal. This session covers both the conceptual and hands-on aspects of enabling users to request access to organizational resources without requiring IT involvement for every request.

Self-Service Access Management in EmpowerID is built around the idea of empowering users to request access to various types of resources such as groups, applications, management roles, file shares, mailboxes, and more. The IAM Shop is the user interface that facilitates this functionality—it’s a microservice-based UI that behaves similarly to an e-commerce site, where users can browse requestable resources, add them to a shopping cart, and then submit them as a business request.

Purpose of the IAM Shop

The IAM Shop acts as the central interface where users can:

  • Browse resources that they are eligible to request
  • Filter results based on pre-approved or suggested access
  • Shop for themselves or on behalf of others
  • Add selected resources to a shopping cart
  • Submit their requests, which are then routed for approval based on predefined policies

Once submitted, the shopping cart is transformed into a business request—a structured object that handles approvals, fulfillment, and audit logging. Users can track the status of their business requests, including which items are approved, pending, or denied, and who the approvers are.

Configuration Requirements

For any resource to appear in the IAM Shop and be requestable, it must be explicitly configured. The system requires the following three key elements to be in place:

  1. Eligibility Assignments – These define which users or actors (e.g., business role/location, query-based collections) are allowed to request a particular resource.
  2. Access Request Policies – These define parameters such as approval requirements, time constraints, and other request behaviors.
  3. Approval Flow Policies – These define how requests are routed for approval, including who can approve, whether self-approval is permitted, and what steps are required.

All three elements must be configured correctly, and the resource must additionally be flagged as requestable in the IAM Shop, for it to be visible and requestable there. The eligibility assignment ensures that the right people see the right resources. The access request policy governs how and when the resource can be requested. The approval flow policy defines the routing logic and approvers involved in each request.

Resource Owner Configuration

Resource owners (such as group or application owners) have the ability to manage the request configuration for their own resources via specific management workflows like:

  • Manage Group Wizard
  • Manage Management Role Workflow
  • Manage Application Workflow
  • Manage Mailbox Workflow

These workflows allow resource owners to:

  • Set requestability flags
  • Assign eligible, pre-approved, and suggested assignees
  • Select access request and approval flow policies

This configuration enables decentralized control while maintaining consistency through policy enforcement.

User Experience in IAM Shop

From the user’s perspective, the IAM Shop presents a dynamic catalog of resources filtered according to eligibility and visibility policies. Users can also:

  • Select resource types (e.g., groups, roles)
  • Use filters to refine results (e.g., show only pre-approved or suggested items)
  • Shop for themselves or others
  • Add resources to their shopping cart
  • Submit a business request with justifications

When the cart is evaluated, before the business request is submitted, the system checks the request against risk and SoD (Segregation of Duties) policies. Based on the configured policies, requests may be automatically approved (for pre-approved users), sent for manual approval, or denied if policy violations are detected.

This module concludes with a walkthrough of the live system, showing the practical steps to make a resource available in the IAM Shop, and how users interact with the portal to request access for themselves or on behalf of others.


What Is the IAM Shop?

The IAM Shop is EmpowerID’s self-service access management interface—a dedicated portal where users can go to discover, request, and gain access to resources they are eligible to access. It acts as the central hub for users to manage access requests in an intuitive, e-commerce-style experience.

From a technical perspective, the IAM Shop is a microservice-based user interface, designed for ease of use and extensibility. It integrates seamlessly with EmpowerID’s role-based access control (RBAC) engine to ensure that users can only see and request what they are permitted to based on organizational policies.

Key Features of the IAM Shop

  • Self-Service Access Request Portal: The IAM Shop allows users to request access to various resource types, including:

    • Security and distribution groups
    • Applications
    • File shares
    • Mailboxes
    • Business roles and locations
    • Management roles
    • Identities (e.g., for delegation)
  • Microservice Architecture: Built as a modern microservice UI, it supports modular deployment and integration into different enterprise environments.

  • Shopping Cart Functionality: Much like an online store, the IAM Shop uses a shopping cart to collect resource requests. Users browse resources, add them to their cart, and then submit their selections in a single transaction.

  • Business Requests: Upon cart submission, EmpowerID creates a business request. This is a formal, trackable object that:

    • Lists all requested items
    • Displays request status (e.g., pending, approved, denied)
    • Shows approval paths and approvers
    • Logs completion details and timestamps
  • Real-Time Approval Status: Users can view detailed information about each item in their business request, including:

    • Which requests are approved
    • Which are waiting for approval
    • Who the current and next approvers are
    • Whether a request was auto-approved due to pre-approval eligibility

Interacting with the IAM Shop

When users enter the IAM Shop, they have several interactive options:

  1. Selecting Resource Types: A filterable selector allows users to choose the type of resource they want to request—such as groups, applications, file shares, etc.

  2. Filtering Available Resources: Users can apply filters like:

    • Suggested roles – Based on their position or department
    • Pre-approved roles – Showing only items they can get without approval
    • Application or business domain
    • Target person – The person for whom they are shopping
  3. Shop for Self or Others: Users can request access either for themselves or on behalf of another person. When shopping for someone else, the eligibility logic is based on the target user, not the person initiating the request.

  4. Just-In-Time Evaluation: Before submission, the system evaluates the entire business request against EmpowerID’s risk engine, including:

    • Segregation of Duties (SoD) policies
    • Risk scoring
    • Other compliance requirements
  5. Approval Routing: Based on the assigned approval flow policy, the system determines who needs to approve each item. Some requests may go through multi-step approvals; others may be auto-approved if the requester is pre-approved.

  6. Status Visibility and Tracking: After submission, users can monitor the progress of their request, including real-time status of each item and action taken by approvers.

Role of Eligibility and Visibility

A key aspect of the IAM Shop is its dynamic presentation of resources based on visibility and eligibility:

  • Resources must be flagged as requestable to appear in the IAM Shop.
  • The system applies a special visibility restriction mode specific to the IAM Shop, separate from default UI restrictions.
  • Eligibility assignments—such as “eligible,” “pre-approved,” and “suggested”—determine which resources a user sees and how requests are handled.

The visibility policy applied in the IAM Shop is typically permissive by default (everyone can see everything), but administrators can define custom visibility restriction policies specific to the IAM Shop experience for more granular control.


Required Configuration for Self-Service Access

In order for a resource to be available for users to request through the IAM Shop, several key elements must be configured. These configurations ensure that only appropriate users can request access, and that each request is handled according to organizational policies. This section explores each of the necessary components in detail, including eligibility, access request policies, approval flow policies, and visibility considerations.

1. Eligibility Assignments

Eligibility is fundamental in determining which users can see and request a resource. EmpowerID uses RBAC (Role-Based Access Control) concepts to define who is eligible through a variety of actor-based mechanisms. A resource cannot be requested unless at least one eligibility assignment exists.

Eligibility can be assigned based on:

  • Individual user (direct assignment)
  • Business Role and Location
  • Management Role
  • Query-Based Collections
  • Membership in another group
  • All objects in a location
  • All objects in a business role

You can define eligibility for a resource (e.g., “Who can request this group?”) or define it from the actor’s perspective (e.g., “Which groups can people in this business role request?”). This bidirectional assignment gives you powerful flexibility to configure access precisely.

Eligibility assignments are configured via workflows such as:

  • Manage Group Wizard
  • Manage Mailbox Workflow
  • Manage Application Workflow

These workflows allow resource owners or administrators to define multiple eligibility types:

  • Eligible – The user can request access, but it follows the approval policy.
  • Pre-Approved – The user can request the resource and it will be auto-approved.
  • Suggested – The resource is flagged as especially appropriate for a user based on their role or position, improving visibility and navigation.

2. Access Request Policies

Each requestable resource must be associated with an Access Request Policy. This policy defines the rules and constraints surrounding how a request can be made and fulfilled. It acts as a wrapper that connects the resource to approval flow logic and request behavior.

Access Request Policies may include:

  • Time restrictions – Define when a resource can be requested or how long it will be assigned.
  • Fulfillment delays – Introduce a delay before the access is granted.
  • Approval Flow Policy reference – Indicates which approval flow policy should be followed.
  • Additional flags and restrictions – May include policies related to automatic revocation, temporary access, or risk scoring.

A resource without an access request policy cannot be properly routed for approval or managed via workflow. This makes it a required configuration element for all self-service access.

These policies are reusable and can be created and managed centrally, allowing consistent governance across resource types.

3. Approval Flow Policies

Approval Flow Policies define the approval routing logic for any resource that requires manual approval. This includes who approves, under what conditions, and in how many steps.

Elements of an approval flow policy include:

  • Resolver rules – Determine the list of approvers dynamically.
  • Multi-step approval – Support for sequential or parallel approval chains.
  • Self-approval controls – Configurable options to prevent or allow users to approve their own requests or requests they initiate.
  • Escalation options – Automatically escalate to alternate approvers after timeouts or rejections.

The approval process kicks in only after the business request is submitted. The system then uses the linked access request policy to find the correct approval flow and executes it. Some items may be routed to the requester’s manager, while others may require group owners or governance officers to approve the access.

Without an approval flow policy, requests cannot be properly reviewed or approved. Even pre-approved users are routed through the access request policy logic to determine if their request should be auto-approved.

4. Requestable and Visibility Settings

In addition to eligibility and policy configuration, each resource must be explicitly flagged as requestable to appear in the IAM Shop.

  • The “Requestable in IAM Shop” flag must be enabled on the resource.
  • This is done through the IAM Shop settings in the relevant management workflow.
  • A resource not marked as requestable will not show up in the IAM Shop, regardless of eligibility or policy configuration.

IAM Shop Visibility Mode

The IAM Shop applies a special visibility restriction mode that is distinct from the default administrative interfaces. By default, all users are granted visibility to all resources in the IAM Shop unless a specific visibility restriction policy has been assigned.

Administrators can define custom IAM Shop-specific visibility policies to narrow what resources are visible to particular users. These work by:

  • Setting a mode of “IAM Shop” in the visibility policy
  • Assigning the policy to users or roles
  • Controlling what appears based on RBAC context

Important: Visibility and eligibility are both required. A user must be eligible and must have visibility in order for a resource to appear in their IAM Shop view.


Configuring Resource Eligibility

Properly configuring resource eligibility is a critical step in enabling self-service access through the IAM Shop. Without eligibility configuration, users will not be able to see or request resources, even if the resource is marked as requestable and has policies in place. This section provides a detailed breakdown of how eligibility works in EmpowerID and how it can be configured from both the resource and actor perspectives.

What Is Eligibility?

Eligibility defines whether a specific person or group of people is permitted to request a given resource. It does not grant access—rather, it determines who is allowed to initiate an access request in the IAM Shop. EmpowerID uses RBAC actor assignments to manage eligibility, allowing organizations to assign eligibility to individuals or to collections of users based on various roles and attributes.

Eligibility assignments are evaluated at the time of the request, and eligibility affects both what appears in the IAM Shop UI and how the request is processed once submitted.

Eligibility From Two Perspectives

Eligibility can be configured from two angles:

  1. From the resource's perspective:

    • "Who is allowed to request this resource?"
    • For example: “Which users can request the ‘Gym Roster’ group?”
  2. From the actor's perspective:

    • "What resources is this person or group allowed to request?"
    • For example: “Users in the Accounting business role and location can request File Shares A, B, and C.”

This dual approach gives administrators and resource owners powerful flexibility to model access requests according to real organizational structure and policies.

Supported Eligibility Assignment Methods

Eligibility assignments can be made using the following RBAC actor types:

  • Individual Person (Direct Assignment)
  • Business Role and Location
  • Management Role
  • Query-Based Collections
  • Group Memberships
  • All users in a specific location
  • All users in a specific role

These assignments are configured using EmpowerID’s management workflows (e.g., Manage Group Wizard, Manage Application, etc.) or through the classic admin interface.

Types of Eligibility Assignments

EmpowerID supports three distinct types of eligibility, which influence how requests appear in the IAM Shop and how they are processed:

  1. Eligible:

    • The user is allowed to request the resource.
    • The request is routed through the approval flow policy as defined in the access request policy.
    • This is the most common form of eligibility.
  2. Pre-Approved:

    • The user can request the resource and the system will automatically approve the request.
    • No manual approval steps are triggered.
    • Pre-approved resources appear in the IAM Shop and are also visible under the “Manage Access” tab.
  3. Suggested:

    • These resources are highlighted as being especially relevant to a user based on their business role, location, or other attributes.
    • Helps reduce clutter and streamline the shopping experience.
    • Users can filter the IAM Shop to only show suggested resources, making it easier to find what’s appropriate for their role.

For example, all members of the Accounting department may be eligible to request dozens of resources, but only a subset of those—such as the Finance Reports File Share or Accounting Software Application—may be marked as “suggested.”

Eligibility and Target Users

When shopping for access, eligibility is applied to the target user—that is, the person for whom the access is being requested.

  • If a user shops for themselves, the system checks their own eligibility.
  • If a user shops on behalf of another person, the system evaluates the eligibility of that target user, not the person initiating the request.

This ensures that delegated access requests follow the same security and policy constraints as if the target user were making the request themselves.

Where Eligibility Is Configured

Eligibility is typically configured using the IAM Shop settings tab in a resource’s management workflow:

  • From the resource (e.g., a group):
    • Navigate to the Manage Group Wizard
    • Open the IAM Shop Settings
    • Mark the resource as requestable
    • Select an Access Request Policy
    • Assign Eligible, Pre-Approved, and Suggested Assignees

Resource owners and administrators can view and edit current eligibility assignments and add new ones. Assignments can be broad (e.g., “All employees”) or narrow (e.g., “Members of the IT Helpdesk group in New York”).

Eligibility can also be managed in the classic admin interface, which provides a more technical and granular approach:

  • Administrators can assign eligibility both:
    • To the resource (who can request it)
    • To members of the resource (what they are allowed to request)

This flexibility allows, for example, assigning members of a group the right to request access to a related system, thereby supporting workflows like tiered access, team-based provisioning, or role-specific delegation.


Configuring Resource Eligibility

Eligibility is a cornerstone of EmpowerID’s self-service access management model. It defines who is allowed to request a specific resource and determines what appears in the IAM Shop interface for any given user. Without eligibility configuration, a resource will not be visible or requestable, even if it is properly flagged and assigned policies.

This section explores how eligibility is assigned, how it is evaluated based on the shopping context, and how it is managed through both the modern resource admin interface and the classic administrative tools.


Understanding Eligibility in EmpowerID

Eligibility is not the same as permission. Rather, it is the system’s way of determining who is allowed to submit an access request for a resource via the IAM Shop. If a user is not eligible, they will not see the resource in the shop and cannot request it—even if the resource is technically requestable.

Eligibility controls the scope of users who can request a resource and helps keep the IAM Shop experience clean, relevant, and secure.


Where Eligibility Is Configured

Eligibility settings are configured through the IAM Shop settings section within resource management workflows. For example, when configuring a group:

  • Use the Manage Group Wizard.
  • Navigate to the IAM Shop Settings tab.
  • Set the “Requestable in IAM Shop” flag.
  • Assign an Access Request Policy.
  • Define Eligible, Pre-Approved, and Suggested Assignees.

The same pattern applies to other requestable resource types using their respective management workflows—such as mailboxes, applications, roles, etc.


Eligibility Types in Detail

EmpowerID supports three types of eligibility, each with distinct behaviors in the IAM Shop:

1. Eligible

  • The most common type.
  • Users can request the resource.
  • The request follows the standard approval flow policy defined in the access request policy.
  • The resource appears in the IAM Shop search results when eligibility and visibility criteria are met.

2. Pre-Approved

  • Bypasses the approval process.
  • Users assigned this eligibility type will have their requests automatically approved.
  • These resources also appear in the Manage Access tab of the IAM Shop.
  • Users can filter the shop to show only items they are pre-approved for.

This is useful for streamlining access to low-risk resources or enabling just-in-time provisioning without approval delays.

3. Suggested

  • These resources are marked as recommended for a user.
  • Based on RBAC context such as Business Role & Location or other actor-based attributes.
  • Suggested items can be filtered using the “Suggested” filter in the IAM Shop.
  • They help guide users toward appropriate resources for their department or job function.

For example, a user in the Accounting department might be eligible for dozens of groups and apps, but only a few are marked as “suggested” to highlight what's most relevant.


Eligibility Logic Based on Shopping Context

Eligibility is not evaluated based on the current user but on the target user for whom access is being requested:

  • If shopping for yourself, your own eligibility is used.
  • If shopping for someone else, eligibility is determined for the person you are shopping for.

This is crucial for scenarios where managers or support staff request access on behalf of other users. The IAM Shop dynamically updates to reflect what is available to the target user.


Visibility and Eligibility Work Together

Even if a user is eligible to request a resource, the visibility policy must allow the resource to appear in the IAM Shop UI. Visibility for IAM Shop is governed by a special visibility restriction mode, which:

  • Defaults to showing all resources to all users.
  • Can be restricted with custom IAM Shop visibility policies.
  • Works alongside eligibility to filter what a user can see and request.

Advanced Configuration: Classic Admin Interface

For technical administrators or scenarios requiring greater control, the classic admin interface provides additional options:

  • You can view and edit eligibility from both directions:
    • Who is eligible to request this resource?
    • What resources can members of this group request?
  • You can assign actor eligibility from the Advanced tab, including:
    • Adding eligible assignees
    • Assigning a group as an actor to request other resources

This approach is ideal for cross-resource delegation scenarios, such as granting a team the ability to request access to a related system based on their group membership.

Requesting Access in IAM Shop

Requesting access in EmpowerID’s IAM Shop is designed to be intuitive for end users while supporting complex enterprise policies behind the scenes. The process closely mimics the experience of online shopping—browsing for available items, adding them to a cart, and checking out—while also enforcing eligibility, approval flows, risk evaluation, and auditing.

This section walks through the complete request flow from a user’s perspective, including interface behaviors, shopping options, approval paths, and behind-the-scenes processing logic.


The Request Flow Overview

The typical end-to-end flow for requesting access in IAM Shop includes the following steps:

  1. Entering the IAM Shop interface
  2. Selecting the resource type
  3. Applying filters (suggested, pre-approved, etc.)
  4. Choosing whether to shop for yourself or someone else
  5. Adding requestable items to the cart
  6. Providing a justification
  7. Submitting the cart to generate a business request
  8. Monitoring the request status and approval flow

Step-by-Step Process

1. Select the Resource Type

Upon entering the IAM Shop, the user is presented with a resource type selector. This filter allows users to specify the category of resources they want to request. Available types include:

  • Management Roles
  • Groups
  • Applications
  • File Shares
  • Mailboxes
  • Identities (for delegation)
  • Computers (in some deployments)

This initial step scopes the list of requestable items displayed in the interface.

2. Apply Filters

The IAM Shop provides powerful filtering options to help users narrow down large sets of resources:

  • Show Suggested: Displays only items flagged as suggested for the user, based on eligibility and RBAC context.
  • Show Pre-Approved: Filters to resources the user is pre-approved to request.
  • Business Domain: Helps locate resources tied to a specific area of the organization.
  • Application Type: Narrows results by application-specific filters.
  • Shop for Person: Initiates request on behalf of another individual.

Filters update the visible list in real time, allowing users to browse only what's relevant or immediately accessible.

3. Choose Shopping Target: Self or Someone Else

Users can initiate requests for themselves or for another person. A selector at the top allows the user to switch between:

  • Myself (default)
  • Other Person (selectable via search)

When shopping for someone else, the IAM Shop re-evaluates all eligibility assignments based on the target user. The list of visible and requestable resources updates accordingly, ensuring that users can only request items that the target user is eligible for.

This distinction is critical for delegated access scenarios—such as team leads requesting resources for team members.

4. Add Items to the Cart

Each requestable item has an “Add to Cart” or “Request Access” link. Clicking this link:

  • Opens a detail pane about the resource
  • Provides any applicable metadata (such as description, ownership, policies)
  • Allows the user to add time constraints (if configured in the access request policy)

Once added, the item appears in the user's shopping cart.

5. Review and Submit the Cart

After all desired items have been added to the cart:

  • The user opens the cart view
  • Enters a justification for the request (required)
  • Reviews the list of items and constraints
  • Clicks “Evaluate Request”

At this point, EmpowerID evaluates the contents of the cart using risk management and policy enforcement, which includes:

  • Segregation of Duties (SoD) checks
  • Risk scoring
  • Compliance rules
  • Request conflict detection

If no violations are detected, the system proceeds to the next step. If conflicts exist, they may trigger warnings or block submission.

6. Business Request Submission

The user enters a Business Request Name and clicks Submit.

EmpowerID now transforms the cart into a Business Request, a structured object that:

  • Tracks all items in the request
  • Logs requestor, target, date/time, and justification
  • Initiates approval flows for each item
  • Displays item-by-item request status

Users receive immediate confirmation and can view request details via a link.