[MUSIC PLAYING] In a previous video, we showed how to create a business role from the web UI. As you may remember-- so I click on Business Roles, and here you can see that I have the role, user acceptance tester. We also added entitlements to the role, and we also added a couple of members to the role. Now we're going to make this role requestable so that any user should be able to request access to this role.
To do this, we need to use one of the tools in Identity Manager, the manager tool. So I opened that one up and I click on Business Roles, and I will see the list of roles that exist in the system. And at the end here, there is this recently created role called user acceptance tester. Now to make it requestable in IT shop, we need to make a couple of decisions here. We need to create some object to make it requestable, but we also need to decide where to place it in the IT shop structure. The structure really determines who should have the possibility to request it, and also what kind of approval policy and approval workflow applies to the request.
So to do this in the manager tool, I select the role, the user acceptance tester. And in the Tasks pane here in the middle of the screen, there is something called Create Assignment Resource, and this is something we do for business roles when we want to publish them in the IT shop. And this is a wizard, so it's fairly straightforward. So on the first screen, I press Next. I just press Next on the next screen as well because I don't have to bother about the values here on the assignment resource page.
The next screen, however, is the important one. This is what the product will be called when the user wants to request it. So I will actually add user acceptance tester role, and a description of course. And also I need to determine what kind of category this role should belong to because the categories are things that the users see when they log on to the web UI. And I will select a category called Requestable Roles that I already configured previously.
And that's sort of finalized the wizard itself. Now if I refresh the screen, I will see that it now has something we call an assignment resource. The next thing I would like to do is to click on that assignment resource, and say I want to add this to the IT shop. I click on Add to IT shop, and I have already a shop here called Employee Shop, where I will select a shelf called Manager Approval. I
Named the shelf Manager Approval, so I know as an administrator that when I put the product on that shelf, it will be accessible for all the employees and the approval policy will be something called Manager Approval, which means that it's the line manager needs to approve it. Once I click Save. Now, this product is now being, in the background, published in the IT shop. And any end user who logs onto it will be able to request that role.
So if I go to the web user interface, I log out, I select a user, and I log in, now to request something, it's similar doesn't really matter what you request. Simply click on Start a New request, and as you may remember, we selected the Requestable Roles category, so if I select the Requestable Roles category, I will now see that the user acceptance tester role is requestable. If I click on the menu on the right-hand side. I can also see the description I entered when I publish it into the IT Shop-- assign access to the user acceptance tester.
And to request a role, I simply press on Add to Cart. And then I can submit my request. Once you have submitted a request, as the requester you can always look at your Request History. And you can see that the status for this request is in status request. It means that it's being requested, but it's being processed. And if I click on the workflow, I can see that it's awaiting approval now from this user's manager, who happens to be the user Hans Patterson.
What happened now is that Hans Patterson received an email, and from that email he'd get notified that you need to either approve or deny that request. What we will do here, we will log on to the portal with that manager, and when he logs on, he can immediately see on his home page that there is one pending request. He clicks on pending request, and he will see that there is a role, user acceptance tester role, and as it was requested by Leonard Johnson. And the recipient is this the same person, also Leonard Johnson. And now we can take a decision to either deny this or to approve this.
And he will obviously say, I'm going to approve this. He can say it's from this date. He can say it's valid until this date. He can also enter a reason for his approval. He's not going to do anything of that right now. He's just going to say Save. Now in the background, provisioning is going to happen because that was the only approval needed for this request.
So in a couple of minutes, the user Leonard J will also have that role membership. And since I'm being logged on as his manager, I can just click on My Direct Reports, I can search for that user. And I can look at his entitlements and I can look at the user's request directly here if I like. So I can just look at the request, and I can see that it's now being assigned to. And I can look at the workflow. I can also see my own decision. I granted the approval at distance. So from this view, you can always see why the user have this access, who requested it for that user, and who approved it
In the previous video, we saw when we made an existing roll requestable so people can request access to that specific role. Regardless of what you can request access to, it's very common that you want to be able to collect more information during the request. And a perfect example is, let's say that you want to request a role, but you don't want the user to have that role forever. You want to use it to be forced to specify an end date for the role assignment.
And to do this, we use something we call configurable request properties. And this is done also from the manager tool. So I will open up the manager tool. I would go to my IT shop structure. And in the basic configuration data, there is something called Request Properties. I will create a new one now. The name is not that really important. We can just call it Request Properties. And in this specific request property, I want to be able to specify the until date, valid until. I can say a specific display value here. And I can say enter until date, for instance. And I can also check this as mandatory. I can also say that the approver can specify a different date then given by the requester.
And I save these properties, and then I go back to my role. You remember the road we made requestable? I will open up the service item. The service item is what the end user actually sees when they request whatever they request from the IT shop, or the end user interface. And down the line here, I can select Request Properties. As you remember I just call it Request Properties here. I put it in, and I save it. Now this specific roll request will have a mandatory parameter that the user have to specify an end date.
So now if the user goes to the portal. We take another user this time. The user logs in, starts a new request. You remember it was under requestable roles. And he just selects add with the user acceptance tester role. It will prompt you have to specify. And you can see on the asterisks here on the screen that you have to specify the end date. So let's put it a month from now. You say OK. And now as you can see, it's filled in, and you can't have it. You have to specify it.
I submit my request. Again, I can look at my Request History to see who is the approver for this role. And I look in the workflow, and I can see it's going to be this individual who needs to approve it, which happens to be the manager of the requester. So that person logs on to the portal, and now he can see he now has a new pending request.
He clicks on pending requests. And he can either allow or approve it. When you say I'm going to allow this, he will also see that it now has an until date. He can change it if you like, because we configure the properties to allow the approver to change the value, but when you save that decision now the provisioning will happen. And a month from now roughly, the user will actually lose that role membership automatically.
[MUSIC PLAYING]
10:42