Skip to main content

Editing Azure Application IAM Settings

This document provides detailed instructions for managing IAM Shop settings for Azure applications in EmpowerID. Each configuration section includes implementation details and organizational impact to help you make informed decisions during setup.

Editable IAM Shop Settings

You can modify the following settings following the instruction in this article:

  • Requestable in IAM Shop: Specifies whether users can request access to the application in the IAM Shop.
  • Access Request Policy: Defines the policy governing access requests, including routing and approval requirements.
  • Eligible Assignees: Identifies users or groups eligible to request access.
  • Pre-Approved Assignees: Lists users or groups pre-approved for access, requiring only activation.
  • Suggested Assignees: Recommends memberships to specific users or groups in the IAM Shop.

Step 1: Navigate to the IAM Shop Settings

  • Log in to Resource Admin.
  • Select Applications from the Resource Type menu and search for your target application.
  • Click the gear icon on the application record and select Manage Application Wizard.
  • Under Select Options, choose Edit IAM Shop settings.
  • Click Next to proceed to the Edit IAM Shop Settings form.

Step 2: Configure IAM Settings

Follow the configuration steps carefully while Configuring each setting.

  • Requestable in IAM Shop: This true or false setting determines whether eligible users can request access to the application in the IAM Shop. In the below image, the setting is true. To remove the application from the IAM Shop, deselect the setting.

  • Access Request Policy: This setting specifies the policy for enforcing how the system fulfills access requests for the application and whether those requests need to route for approval before being fulfilled. To change the policy, clear the current policy and then search for and select the new one.

  • Adding and Removing Eligible Assignees This setting allows you to specify who is eligible to request access to the application. Eligible assignees can include the following:

    • Under Eligible Assignees, select the assignee type from the Choose Type dropdown.
    • Search for and select the appropriate assignee. For example, if assigning eligibility to a Management Role, search for and select the specific role.
    • Click Add.
    • Repeat the above steps to add other eligible assignees as needed.
    To Remove Eligible Assignees
    • Under Eligible Assignees, locate the record for the eligible assignee you want to remove.
    • Toggle Keep to Remove.
    • Repeat the above steps to remove other eligible assignees as needed.
    Details

    What are Eligible Assignees This setting allows you to specify who is eligible to request access to the application. Eligible assignees can include the following:

    • Person: You can assign eligibility to individual people within your organization.
    • Group: You can assign eligibility to groups. When selected, members of those groups can request access.
    • Set Group: You can assign eligibility to Set Groups. When selected, members of those Set Groups can request access.
    • Management Role: You can assign eligibility to Management Roles. When selected, members of those Management Roles can request access.
    • Management Role Definition: You can assign eligibility to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition can request access.
    • Business Role and Location: You can assign eligibility to Business Roles and Locations. When selected, members of those Business Roles and Locations can request access.

  • Pre Approved Assignees This setting allows you to specify who is pre-approved for the application. Users who are pre-approved simply need to activate their access. No further approvals are needed. To Add Pre-Approved Assignees

    • Under Pre-Approved Assignees, select the assignee type from the Choose Type dropdown.
    • Search for and select the appropriate assignee. For example, if assigning pre-approval status to a Business Role and Location, search for and select the specific role and location.
    • Click Add.
    • Repeat the above steps to add other pre-approved assignees as needed.
    To Remove Pre-Approved Assignees
    • Under Pre-Approved Assignees, locate the record for the assignee you want to remove.
    • Toggle Keep to Remove.
    • Repeat the above steps to remove other pre-approved assignees as needed.
    Details

    What are Pre-Approved Assignees? This setting allows you to specify who is pre-approved for the application. Users who are pre-approved simply need to activate their access. No further approvals are needed. Pre-approved assignees can include the following:

    • Person: You can assign pre-approval status to individual people within your organization.
    • Group: You can assign pre-approval status to groups. When selected, all members of those groups are pre-approved.
    • Set Group: You can assign pre-approval status to Set Groups. When selected, all members of those Set Groups are pre-approved.
    • Management Role: You can assign pre-approval status to Management Roles. When selected, all members of those Management Roles are pre-approved.
    • Management Role Definition: You can assign pre-approval status to Management Role Definitions. When selected, all members of Management Roles derived from the Management Role Definition are pre-approved.
    • Business Role and Location: You can assign pre-approval status to Business Roles and Locations. When selected, all members of those Business Roles and Locations are pre-approved.

  • Suggested Assignees This setting allows you to specify who sees the application as suggested in the IAM shop.
    To Add Suggested Assignees

    • Select the assignee type from the Choose Type dropdown.
    • Search for and select the appropriate assignee. For example, if assigning eligibility to a Set Group, search for the specific Set Group.
    • Click Add.
    • Repeat the above steps to add other suggested assignees as needed.
    To Remove Suggested Assignees
    • Under Suggested Assignees, locate the record for the assignee you want to remove.
    • Toggle Keep to Remove.
    • Repeat the above steps to remove other suggested assignees as needed.

Step 3: Finalize Updates

  • After making the needed updates to the IAM Shop Settings, click Next.
  • Once the wizard completes the request, you should receive an Operation Execution Summary message stating the request was executed successfully.
  • Click Submit to close the summary message.
  • When prompted with Would you like to manage another application?, select Yes to manage another application or No to exit the wizard. In this case, select No to exit.