Manage Application
What is an Application?
An application is a target system that an enterprise uses and whose accounts and permissions it wishes to manage. IDHub can integrate with thousands of applications to manage provisioning and de-provisioning of all enterprise users. For a connected application (one for which an active integration is present), IDHub monitors and maintains the connection to manage accounts and their permissions for the application.
Administrator Functions
- Connect applications to IDHub so that accounts and permissions for the application can be requested seamlessly from the IDHub platform.
- Add disconnected applications within IDHub along with a list of entitlements for each application that can be manually fulfilled by an IT Team.
- On-board all the applications (both connected and disconnected) via a single file upload.
The application can be customized to the organization's needs. End users can request the application through a centralized catalog repository with a shopping-cart-like experience. System administrators can use our connectors to connect to other applications. Please refer to the Connector Guide for detailed instructions.
Available Application Integrations
- On cloud applications.
- On premise applications.
- On premise support for applications that expose APIs publicly for provisioning.
Connected Applications
The system administrator can connect to any application for which a connector has been made or APIs are exposed. The connection can be established by single application On-board or bulk application On-board. In both cases, the administrator needs to make sure that the connection is established with a pre-existing connector in IDHub or that a custom connector is built by the support team. IDHub asks for the application's credentials to establish the link. IDHub stores the credentials securely and uses them to validate the connection.
While configuring the application, please ensure:
- Attribute-specific synchronization takes place between IDHub and the application.
- Entitlement-specific synchronization is present.
- The user response form specific to the application, which the end user fills in every time they request the application, is customised.
- The workflow is customised; it can have its own levels of approval, with customised forms attached at each level as desired.
Application Management Features
- Automated fulfilment and creation/revocation of accounts.
- Automated fulfilment of user attributes with applications (if the application is a trusted application).
- Automated fulfilment of account's entitlements (permissions) with the application.
- Upstream synchronization:
  - Do not update any information.
  - Update account only.
  - Update user attributes only.
  - Update both account and user attributes.
- Downstream synchronization:
  - Do not update any information.
  - Update account only.
  - Update user attributes only.
  - Update both account and user attributes.
- Many organizations have user information coming from multiple applications. When configuring attribute synchronization, make sure that it does not overlap between those applications.
- For sensitive applications, IDHub provides an option to make the application non-requestable by end users, so that it can be provided only via role-based access and certain conditions.
Application Provisioning
The IDHub application life cycle includes the following functions:
- Importing application information into IDHub.
- Setting up access request flow for the application.
- Setting up custom forms required in the access-request flow.
- Setting up roles associated with the application.
- Configuring birth-right rules for a set of applications present in a role.
- Provisioning to and from applications.
- De-provisioning to and from applications.
- Reconciliation of information from application to IDHub and vice versa.
- Disabling or enabling an application for temporary access restriction.
- Retiring an application.
The above functions follow the commonly used principle of CRUD (Create, Read, Update and Delete) for user accounts in an application.
Triggers
During the employee life cycle in an organisation, there are various stages in which access related information needs to be updated. Some of them are as follows:
- Joining the organization.
- Promotions & Demotions.
- Employee position or role change.
- Application license expiration.
- Employee Termination.
- Employee Rehires etc.
During all the above life cycle changes, IDHub roles and certification process can be defined to trigger an automatic account update based on the event.
Manage Catalog
As a System Administrator, Manage Catalog is where you will find yourself most of the time within the IDHub Admin app. Click the Manage Catalog menu from your IDHub dashboard to be redirected to the Manage Catalog page.
Add Application Button
The Add Application button allows on-boarding of a single application or multiple applications using a wizard. Choose one of the following from the drop-down options to proceed further.
Single Application On-board
This is to request a single application and on-board it using a wizard. Please refer to the On-board Application Guide for detailed instructions.
Bulk Application On-board
You can request bulk application On-boarding using a CSV file. Please follow the steps below for bulk application upload:
- Download the sample.csv file template and review its file header for required application attributes.
- Modify the sample file to provide application-specific data. Each row within the .csv provides details for a single application. The total number of rows indicates the total number of applications being on-boarded in the batch.
- Save and upload the file for processing.
- Validate and request approval of multiple applications with a single file submission.
Create Role Button
The Create Role button enables you to define a role within IDHub that defines access to all the applications and entitlements that the role will provide to perform a job. As a system administrator you will be responsible for managing the following:
- Development of the access policy for the role, which determines who gets access to the role.
- Association of applications and entitlements that are required as part of that role.
- Certification of role memberships on a periodic basis to maintain adherence to organizational and regulatory standards.
Search Bar And Tabs
- The Search bar comprises a search box to enter search criteria to find your desired application or roles.
- Tabs enable you to view:
  - All (Both applications and roles).
  - Applications.
  - Roles.
Application Card
Each application in the result set is displayed in a separate tile and has the following items:
- Application logo.
- Application name.
- Health status.
  - If green, this means the application is completely synced and good to request.
  - If neutral, this means there might be a break in application information due to either form mismatch or workflow errors; no one will be able to request the application unless the error is fixed. To get the exact error, hover over the health indicator alongside the application name.
  - If red, this means the connection may be broken and you would need to fix the connected application to resume access requests.
- Tags (if any).
- Description (if any).
Application Card Features
- View: Admin can enter the view application section by clicking on the card.
- Edit: Admin can edit the application by clicking on the edit menu. IDHub opens the application wizard in edit mode and allows the system administrator to make changes to the application. On submission after edit, the application goes through the approval request workflow for approved changes to take effect.
- Export JSON: Exports the application data in JSON format.
- Disable: Disables the application. This removes the application from the search catalog page, and it is no longer requestable. All accounts with access to the application will have their access disabled.
- Retire Application: Decommissions the application and revokes the application for all accounts.
- Target System Synchronizations: Synchronization is the process of propagating changes to user account and entitlement data from IDHub to the target system using user identity synchronization. This synchronization detects changes to user attributes and automatically copies over the updates from target systems to IDHub. (This feature is only present for connected applications.)
- Reconciliation: This is the process of importing data from a disconnected system on a periodic basis. The goal is to verify that the actual access of the user aligns with approved access. After an application is On-boarded, reconciliation is enabled. This allows you to fetch user account profiles and their entitlements (permissions) from target systems and publish them in IDHub.
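The comparison that reconciliation exists to make, approved access against what the target system actually holds, is sketched below as an added example (not IDHub code and not its data format). The record shapes, account names and entitlement strings are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): approved access as recorded in the
# identity platform, keyed by account name.
APPROVED = {
    "alice": {"crm:read", "crm:write"},
    "bob": {"crm:read"},
    "carol": {"crm:read"},
}
# Constructed sample data (assumption): accounts and entitlements fetched
# from the target system during a reconciliation run.
ACTUAL = {
    "alice": {"crm:read", "crm:write", "crm:admin"},
    "bob": {"crm:read"},
    "dave": {"crm:read"},
}

@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    entitlements: frozenset

def reconcile(approved, actual):
    """Return the differences between approved and actual access."""
    findings = []
    for account in sorted(set(approved) | set(actual)):
        want, have = approved.get(account), actual.get(account)
        if want is None:
            # Account exists in the target system with no approval on record.
            findings.append(Finding(account, "orphan_account", frozenset(have)))
        elif have is None:
            # Approved access that was never provisioned, or was removed.
            findings.append(Finding(account, "missing_account", frozenset(want)))
        else:
            if have - want:
                findings.append(Finding(account, "excess_entitlement", frozenset(have - want)))
            if want - have:
                findings.append(Finding(account, "missing_entitlement", frozenset(want - have)))
    return findings

if __name__ == "__main__":
    for f in reconcile(APPROVED, ACTUAL):
        print(f"{f.account:6} {f.kind:20} {sorted(f.entitlements)}")
```

Orphan accounts and excess entitlements are the findings to review first, since they represent access nobody approved.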
Role Card with Actions
Each role in the result set is displayed in a separate tile and has the following items:
- Role logo.
- Role name.
- Tags (if any).
- Description (if any).
Role Card Features
- View: Admin can enter the view role section by clicking on the card.
- Edit: Admin can edit the role by clicking on the edit menu. IDHub opens the role wizard in edit mode and allows the system administrator to edit the role. On submission after edit, the role goes through the approval request workflow for approved changes to take effect.
- Export JSON: Exports the role data in JSON format.
- Disable: Disables the role. This removes the role from the search catalog, and it is no longer requestable. All accounts with access to the role and its applications will have their access disabled.
- Retire Role: Decommissions the role and revokes, for all accounts, the role along with the applications and entitlements that were provided through the role assignment.