RapidIdentity Product Guide: Legacy UI

Extended Tab

The Extended tab contains three content areas:

  1. Data Classification, Category, & Entitlement Management

  2. Workflow Manager

  3. Workflow Email Templates

Data Classification, Category & Entitlement Management

The Data Classification, Category & Entitlement Management drop-down area contains three tabs, one for each of the components named in its title: Data Classification, Categories, and Entitlements.

Data Classification Tab

The Data Classification tab allows administrators to configure how the Data Classification column appears on the Workflow > Dashboard > My/Team/Other tabs.

The Data Classification tab interface may appear blank, initially. To add a new classification, click the plus icon.

[Figure: Legacy_Data_Classification_Tab.png]

Table 275. Data Classification Fields

  • Name - Descriptive display name for the data classification level.

  • Level - Numeric level for this data classification level.

  • Color - Color to display for this data classification level.

  • Description - Description of the data classification level.



Categories Tab - Workflow Management

The Categories tab contains two subtabs, General and Entitlements, which allow administrators to add, remove, and configure categories and to map entitlements to a specific category.

Categories display in the Category column of the grid on the Workflow > Dashboard > My/Team/Other tabs.

The Categories > General subtab interface may appear blank initially. To add a new category, click the plus icon.

[Figure: Legacy_Categories_Tab_1.png]

Table 276. Category Fields

  • Name - Descriptive display name for the category.

  • Description - Description of the category.

  • Status - Active or Inactive.

  • Enable RBAC - Enables or disables Role Based Access Control.

  • Role(s) - Role DN for the role allowed to request resources in this category.

  • Role Exclusion ACL - Role DN of the group not allowed to request resources in this category.

  • Enable ABAC - Enables or disables Attribute Based Access Control.

  • Attribute ACL - Only users who match the specified LDAP attribute will have access to this category.



The Categories > Entitlements subtab allows administrators to classify entitlements as being available or assigned to a category.

[Figure: Legacy_Categories_Tab_2.png]

Entitlements can be moved from one column to another by dragging and dropping.

Entitlements Tab

The Entitlements tab displays the available entitlements that can be mapped to new and current categories. If no entitlements exist, the right section of the interface appears grayed out and inaccessible.

The Entitlements tab contains four subtabs that allow administrators to create, remove, and edit Workflow module entitlements.

The Entitlements tab interface may appear blank initially. To add a new entitlement, click the plus icon.

[Figure: Legacy_Entitlements_Tab_-_2nd_1.png]

For each newly created entitlement, RapidIdentity Portal requires administrators to enter a name and select the appropriate binding. The available binding choices are:

  1. SINGLE: one instance per user

  2. MULTI_BOUND: multiple instances per user

  3. MULTI_UNBOUND: multiple instances per user, non-binding

  4. COMPOSITE: one instance per user; a composite entitlement functions as a group of SINGLE-binding entitlements

After selecting a binding and clicking Create, the binding is fixed and cannot be changed.

If the wrong binding was selected, the entitlement must be removed completely with the minus icon and created again from the start.

Once the name and binding fields are set, the new entitlement displays in the left interface, and four additional subtabs display on the right. The binding determines which of these subtabs are available.

Each entitlement will have a fixed ID that is unique within RapidIdentity Portal. The remaining entitlement fields are editable, including the entitlement name, to suit the organization's needs.

[Figure: Legacy_Entitlements_Tab_-_2nd_2.png]

Entitlements General subtab Fields

Table 277. Entitlements Fields

  • Name - Descriptive display name for the entitlement.

  • Description - Description of the entitlement.

  • Status - Active or Inactive.

  • Icon - Icon to associate with the entitlement when it is displayed in the UI. This can be an icon from the icon list or any HTTP location; prefer an HTTPS location under your own control.

  • Enable RBAC - Enables or disables Role Based Access Control.

  • Role(s) - Only members of the specified roles will have access to this entitlement.

  • Role Exclusion ACL - Only non-members of the specified role(s) will have access to this entitlement.

  • Enable ABAC - Enables or disables Attribute Based Access Control.

  • Filter ACL - Only users matching the specified LDAP attribute will have access to this entitlement.

  • Entitlement Owner - Entitlement owners can be individual persons or predefined role(s). When a role owns an entitlement, all members of that role own the entitlement.

  • Priority - Orders this resource on the dashboard and Requests tab. A priority of -1 gives it no special ordering; 1 is the top priority and is listed first.

  • Expiration - Administrators can choose to have entitlements never expire, expire a selected time from now, or expire on a selected date. Click the desired option and, if selecting a time span or a date, click the listed value to configure it.

    • Time-based - The entitlement expires a selectable time (years, months, weeks, days, hours, minutes) from now.

    • Campaign-based - The entitlement expires on the selected date every year.

  • Force Expiration - Administrators can force entitlement expiration to occur a selectable time (years, months, weeks, days, hours, minutes) from now or on a selectable date, in the same way as time- and campaign-based expiration.

  • Disable certification and extension - When checked, the entitlement can be neither certified nor extended.

  • May not be requested in the UI - When checked, the entitlement is not displayed to users in the Requests tab while it is neither granted nor revoked. If the box is checked and the entitlement is in the process of being granted, the entitlement does display in the Requests tab.

  • Grant Workflow - The Workflow Definition to use when the entitlement is being granted.

  • Grant Workflow Form - If the Grant Workflow has forms defined, the form to use for the entitlement grant process.

  • Revoke Workflow - The Workflow Definition to use when the entitlement is being revoked. If not chosen, it defaults to the Grant Workflow. Not available for MULTI_UNBOUND entitlements, since those are not revokable.

  • Revoke Workflow Form - If the Revoke Workflow has forms defined, the form to use for the entitlement revoke process. Not available for MULTI_UNBOUND entitlements, since those are not revokable.

  • Data Classification - The Data Classification associated with the entitlement.



Entitlement Categories

Available Categories

List of categories in which this resource belongs.

Assigned Categories

It is possible to place newly created categories into this interface using drag-and-drop.

Entitlements | Conflicts/Dependencies subtab Sections

Available Entitlements

List of resources that a user must not have before requesting this resource

Entitlement Dependencies

List of resources that a user must have in the grant state before they can request this resource
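How the ACL fields of the General subtab (RBAC roles, Role Exclusion ACL, ABAC filter), the category ACLs, the binding rules and the Conflicts/Dependencies lists combine into one "may this user request this entitlement" decision, as an added example. This is illustrative Python, not RapidIdentity's own logic, and it makes three assumptions the page does not state: the Filter ACL is reduced to attribute-equals-value pairs, an entitlement assigned to one or more categories must pass at least one of those categories' ACLs, and a COMPOSITE request requires each member entitlement to be requestable on its own. The users, roles and entitlements are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class AccessControlled:
    """ACL fields shared by the Category and Entitlement General subtabs."""
    name: str
    status: str = "Active"
    rbac: bool = False                                 # Enable RBAC
    roles: set = field(default_factory=set)            # Role(s): role DNs allowed
    role_exclusions: set = field(default_factory=set)  # Role Exclusion ACL: role DNs denied
    abac: bool = False                                 # Enable ABAC
    attribute_acl: dict = field(default_factory=dict)  # Filter/Attribute ACL, reduced to attr == value

    def allows(self, user):
        """Apply RBAC and ABAC only when enabled; an exclusion role wins over an allowed role."""
        if self.status != "Active":
            return False, f"{self.name}: inactive"
        if self.rbac:
            if self.role_exclusions & user["roles"]:
                return False, f"{self.name}: user holds an excluded role"
            if not self.roles & user["roles"]:
                return False, f"{self.name}: user holds none of the allowed roles"
        if self.abac:
            for attr, wanted in self.attribute_acl.items():
                if user["attrs"].get(attr) != wanted:
                    return False, f"{self.name}: attribute {attr} does not match"
        return True, "ok"

@dataclass
class Category(AccessControlled):
    entitlements: set = field(default_factory=set)    # Entitlements subtab: assigned entitlement names

@dataclass
class Entitlement(AccessControlled):
    binding: str = "SINGLE"                           # SINGLE, MULTI_BOUND, MULTI_UNBOUND, COMPOSITE
    conflicts: set = field(default_factory=set)       # names the user must NOT hold
    dependencies: set = field(default_factory=set)    # names the user MUST hold in the grant state
    members: set = field(default_factory=set)         # COMPOSITE only: the SINGLE entitlements grouped

def can_request(user, ent, catalog, categories):
    """Decide whether user may request ent; returns (allowed, reason). Rule order is assumed."""
    ok, why = ent.allows(user)
    if not ok:
        return False, why
    holding = [c for c in categories if ent.name in c.entitlements]
    if holding and not any(c.allows(user)[0] for c in holding):  # assumption: some category must admit
        return False, f"{ent.name}: no category containing it admits this user"
    clash = ent.conflicts & user["granted"]
    if clash:
        return False, f"{ent.name}: conflicts with held {sorted(clash)}"
    missing = ent.dependencies - user["granted"]
    if missing:
        return False, f"{ent.name}: requires {sorted(missing)} in the grant state"
    if ent.binding in ("SINGLE", "COMPOSITE") and ent.name in user["granted"]:
        return False, f"{ent.name}: {ent.binding} allows one instance per user"
    if ent.binding == "COMPOSITE":                    # assumption: every member must itself be requestable
        for member in sorted(ent.members):
            ok, why = can_request(user, catalog[member], catalog, categories)
            if not ok:
                return False, f"{ent.name}: member {why}"
    return True, "ok"

def can_revoke(ent):
    """MULTI_UNBOUND entitlements are not revokable, so no Revoke Workflow applies to them."""
    return ent.binding != "MULTI_UNBOUND"

def sample_data():
    """Constructed catalog, category and users (not from any deployment)."""
    finance = "cn=finance,ou=roles,dc=example,dc=com"
    contractors = "cn=contractors,ou=roles,dc=example,dc=com"
    catalog = {e.name: e for e in [
        Entitlement("VPN Access"),
        Entitlement("Legacy FTP"),
        Entitlement("Reporting Portal"),
        Entitlement("Finance DB", rbac=True, roles={finance}, role_exclusions={contractors},
                    dependencies={"VPN Access"}, conflicts={"Legacy FTP"}),
        Entitlement("Finance Bundle", binding="COMPOSITE", members={"Finance DB", "Reporting Portal"}),
    ]}
    categories = [Category("Finance Apps", abac=True, attribute_acl={"department": "Finance"},
                           entitlements={"Finance DB", "Reporting Portal", "Finance Bundle"})]
    def user(roles, dept, granted):
        return {"roles": set(roles), "attrs": {"department": dept}, "granted": set(granted)}
    users = {
        "alice": user([finance], "Finance", ["VPN Access"]),
        "bob": user([finance, contractors], "Finance", ["VPN Access"]),     # excluded role
        "carol": user([finance], "Finance", []),                            # missing dependency
        "dave": user([finance], "Finance", ["VPN Access", "Legacy FTP"]),   # conflict
        "erin": user([finance], "Sales", ["VPN Access"]),                   # fails category ABAC
    }
    return catalog, categories, users
```

The reason string names the first rule that failed, which is what an administrator needs when a user reports that an entitlement is missing from their Requests tab: the exclusion check runs before the allowed-role check, so a contractor who is also in the finance role is denied even though one of the Role(s) entries matches.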

Entitlements Associated Entitlements subtab

Workflow Manager

The Workflow Manager displays defined workflows and allows administrators to create, edit, duplicate, import, and export new and existing workflows. Exported workflows are in JSON format; similarly, only JSON format is supported for importing a workflow.

[Figure: Legacy_Workflow_Manager_1.png]

Administrators can import Workflows from RapidIdentity Depot or create a custom Workflow definition.

The Workflow Definition Editor is the interface to define workflows.

[Figure: Legacy_Workflow_Manager_2.png]

All workflows must begin with a start action and terminate with an end action. Administrators may configure or update intermediate actions as necessary.

Actions are the logic steps a workflow executes; each action determines what happens at that point in the process.

Forms add fields to the Request and/or Approval steps. They apply only to the Request (start) action and to Approval actions.

Workflow Definitions Editor Actions

The Actions tab allows administrators to define a specific action sequence with respect to a specific workflow. The editor supports a drag-and-drop interface.

The unique RapidIdentity Portal action ID and the action type cannot be edited, but administrators can edit any of the remaining fields to suit the intended need(s). The full list of Workflow Definition Editor action options is shown below.

Workflow Definition Editor
  • Name (descriptive name for the workflow definition)

  • Description (description of the workflow definition)

  • Status (Active or Inactive)

  • Available Actions (A list of actions the workflow module is capable of executing)

  • Approval Action (Action step that requires a user or group to approve the granting of the resource)

    • Display Name

    • Description

    • Next Action (Next action to take on approval)

    • Approver (DN of user or group that must approve. If a group, only one member of that group must approve.)

    • Next Action on Deny (Next action to take on deny)

    • Days before approval expires (Number of days until the request expires. -1 disables expiration.)

    • Days before automatic escalation (Number of days before request is escalated)

    • Escalation Approver (User or Role that can approve after the number of escalation days passes)

  • Condition Action (Determine flow based on attributes and regular expressions)

    • Display Name

    • Description

    • Next Action (Next action on evaluation to true)

    • Operand 1 (Expression or Regular Expression)

    • Operation (Determines how operands are used)

    • Operand 2 (Expression or Regular Expression)

    • Next Action on False (Next action on evaluation to false)

  • Fail Action

    • Display Name

    • Description

    • Next Action

    • Log Message

  • Email Action (Send an email)

    • Display Name

    • Description

    • Next Action

    • From Address

    • To Address

    • BCC Address

    • Edit Email

  • Connect Action (Calls a RapidIdentity Connect Action Set)

    • Display Name

    • Description

    • Next Action (Next action to take after completion)

    • RapidIdentity Connect Base URL (Base URL of the RapidIdentity Connect System)

    • Action Username (Username to authenticate to RapidIdentity Connect)

    • Action Password (Password to authenticate to RapidIdentity Connect)

    • Action Name (RapidIdentity Connect Action Name)

    • Value Pairs (Data to send to RapidIdentity Connect)

    • Validation Regular Expression (Regular expression to validate the results from RapidIdentity Connect with. If the expression matches then the action is considered successful.)

  • Connect Action (Advanced)

    • Display Name

    • Description

    • Next Action (Next action to take after completion)

    • RapidIdentity Connect Action Name

    • Edit Value Pairs

    • Connect Base Value Pair (optional)

    • Connect Action Username (optional)

    • Connect Action Password (optional)

    • Enable Trace (Produces a detailed trace log, accessible through RapidIdentity Connect > Files module > log)

  • Update Form Action

    • Display Name

    • Description

    • Next Action (Next action to take after completion)

    • Edit Form Update Rules (Allows additional Form ID and Form Item Values with the option to add blank values and overwrite existing values)
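Because the Workflow Manager exports definitions as JSON, the action fields listed above can be checked mechanically before a definition is imported into another environment or committed to a repository. The Python below is an added example, not RapidIdentity's code, and the JSON shape it reads (keys such as actions, next, nextOnDeny, actionPassword) is assumed for illustration, since the page does not show the export schema; the sample export is constructed. It flags Next Action references that point at no action, actions unreachable from the start action, approvals that never expire or that escalate to nobody, and Connect actions that carry an embedded password or an unanchored validation regular expression.

```python
import json

# Constructed export in an ASSUMED JSON shape; the real RapidIdentity export schema is not shown
# on this page. Key names mirror the editor's field labels. Two defects are planted: a5's next
# action does not exist, and a6 is reachable from nowhere.
SAMPLE_EXPORT = json.dumps({
    "name": "Grant VPN Access", "status": "Active",
    "actions": [
        {"id": "a1", "type": "START", "name": "Request", "next": "a2"},
        {"id": "a2", "type": "APPROVAL", "name": "Manager approval",
         "approver": "cn=vpn-approvers,ou=groups,dc=example,dc=com",
         "next": "a3", "nextOnDeny": "a5", "daysBeforeExpiration": -1,
         "daysBeforeEscalation": 3, "escalationApprover": ""},
        {"id": "a3", "type": "CONNECT", "name": "Provision VPN",
         "baseUrl": "https://connect.example.com", "actionUsername": "svc-workflow",
         "actionPassword": "hunter2", "actionName": "ProvisionVPN",
         "validationRegex": "success", "next": "a4"},
        {"id": "a4", "type": "END", "name": "Done"},
        {"id": "a5", "type": "EMAIL", "name": "Notify denial", "next": "a9"},
        {"id": "a6", "type": "FAIL", "name": "Orphan", "next": "a4"},
    ],
})

NEXT_FIELDS = ("next", "nextOnDeny", "nextOnFalse")   # Next Action, Next Action on Deny, Next Action on False

def lint_workflow(definition_json):
    """Return (code, action id, message) findings for an exported workflow definition."""
    actions = {a["id"]: a for a in json.loads(definition_json)["actions"]}
    out = []
    starts = [aid for aid, a in actions.items() if a["type"] == "START"]
    if len(starts) != 1:
        out.append(("START_COUNT", None, f"expected one start action, found {len(starts)}"))
    if not any(a["type"] == "END" for a in actions.values()):
        out.append(("NO_END", None, "workflow has no end action"))
    for aid, a in actions.items():
        targets = [a.get(f) for f in NEXT_FIELDS if a.get(f)]
        for t in targets:
            if t not in actions:
                out.append(("DANGLING_NEXT", aid, f"next action '{t}' does not exist"))
        if a["type"] != "END" and not targets:
            out.append(("NO_NEXT", aid, "non-terminal action has no next action"))
    # Reachability from the start action: anything unreachable is dead configuration that
    # still carries settings (and possibly credentials) nobody reviews.
    seen, stack = set(), list(starts)
    while stack:
        aid = stack.pop()
        if aid in seen:
            continue
        seen.add(aid)
        stack.extend(t for t in (actions[aid].get(f) for f in NEXT_FIELDS) if t in actions)
    out.extend(("UNREACHABLE", aid, "not reachable from the start action")
               for aid in actions if aid not in seen)
    for aid, a in actions.items():
        if a["type"] == "APPROVAL":
            if a.get("daysBeforeExpiration", -1) == -1:
                out.append(("APPROVAL_NEVER_EXPIRES", aid, "days before approval expires is -1"))
            if a.get("daysBeforeEscalation", 0) > 0 and not a.get("escalationApprover"):
                out.append(("ESCALATION_NO_APPROVER", aid, "escalation days set but no escalation approver"))
            if not a.get("nextOnDeny"):
                out.append(("NO_DENY_PATH", aid, "no next action on deny"))
        elif a["type"] == "CONNECT":
            if a.get("actionPassword"):
                out.append(("EMBEDDED_CREDENTIAL", aid,
                            "Connect action password is stored in the definition; scrub before sharing the export"))
            rx = a.get("validationRegex", "")
            if rx and not (rx.startswith("^") and rx.endswith("$")):
                out.append(("UNANCHORED_VALIDATION", aid, f"validation regex {rx!r} is not anchored"))
            if a.get("baseUrl", "").lower().startswith("http://"):
                out.append(("PLAINTEXT_CONNECT_URL", aid, "Connect base URL is not https"))
    return out
```

The anchoring check is deliberately conservative: the page says a matching Validation Regular Expression marks the Connect action successful, so a pattern like success should be written as ^success$ (or tighter) so that an error response that merely contains the word is not treated as success, whatever the matching semantics of the deployed version turn out to be.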

Using Expressions in Workflow Actions

Several fields within workflow actions accept custom expressions. An expression supplies a value taken from one of the inputs to the workflow process.

There are several valid expression prefixes, and a suffix may be appended to a prefix. The suffix should reference a valid attribute: for instance, when referencing the recipient of a resource, the suffix appended to the recipient prefix should be a valid LDAP attribute of that person's directory entry.

Note

These expressions, when used, must be surrounded by single quotes, e.g. '%{recipient.givenName}'

Valid Expression Prefixes

  • recipient - Refers to the recipient user of the workflow request

  • requestor/requester - Refers to the user who initiated the workflow request

  • addressee - Refers to the User or Group assigned to the current approval task for the workflow

  • approver - Refers to the User who responded to an approval task

  • approval - Refers to a particular approval response

  • resource - Refers to the Entitlement being granted/revoked

  • dss - Refers to a response value received from an Advanced RapidIdentity Connect Action

  • form - Refers to the form associated with the workflow request

The following items are currently available when using the 'resource' prefix:

  • name - The name of the Entitlement

  • description - The description of the Entitlement

  • binding - The binding of the Entitlement

  • icon - The icon URL for the Entitlement

  • owner - The User who is the owner of the Entitlement

Form Prefix

  • %{grant.form.<id>} - Refers to the form submitted with the grant request, where <id> is the unique form item id. This prefix is only available during REVOKE workflows.

User/Group Prefixes may refer to any directory attribute on that target object, with support for chaining if the attribute is a DN and references another valid directory object.

  • %{recipient.givenName} - Returns the value of the “givenName” attribute for the recipient of the workflow

  • %{requester.mail} - Returns the value of the “mail” attribute for the User who requested the workflow

  • %{recipient.manager} - Returns the value of the “manager” attribute on the recipient’s directory entry

  • %{recipient.manager.fullName} - Returns the value of the “fullName” attribute on the object pointed to by the recipient’s “manager” attribute

  • %{recipient} - Returns the idautoID of the recipient

  • %{recipient.id} - Returns the idautoID of the recipient

  • %{recipient.idautoID} - Returns the idautoID of the recipient

  • %{recipient.dn} - Returns the DN of the recipient

  • %{addressee.idautoID} - Returns the idautoID of the User/Group assigned to the current approval task

Approver/Approval Prefixes can optionally have an index so that information about approval steps beyond the first can be referenced.

  • %{approver.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

  • %{approver0.mail} - Returns the value of the “mail” attribute for the User who approved/denied the first approval task

  • %{approver1.givenName} - Returns the value of the “givenName” attribute for the User who approved/denied the second approval task

  • %{approval1.comments} - Returns the comments (if any) from the approver of the second approval task

‘comments’ are currently the only information available when using the ‘approval’ prefix.

Miscellaneous Expressions

  • %{request.type} - Refers to the current workflow request. type is the only suffix available with the request prefix, and its only values are GRANT and REVOKE.
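The prefix and suffix grammar above, including chaining through DN-valued attributes, the optional index on the approver/approval prefixes, and the REVOKE-only grant.form prefix, together with the operand comparison of the Condition Action from the Actions list, as an added example. It is illustrative Python, not RapidIdentity's implementation: the in-memory DIRECTORY stands in for LDAP, WorkflowContext is a hypothetical container for the request inputs, and the Condition Action operation names equals and matches are assumed. All sample users and values are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory, keyed by DN (not RapidIdentity data).
DIRECTORY = {
    "cn=jdoe,ou=people,dc=example,dc=com": {
        "idautoID": "1001", "givenName": "Jane", "mail": "jdoe@example.com",
        "department": "Finance", "manager": "cn=msmith,ou=people,dc=example,dc=com"},
    "cn=msmith,ou=people,dc=example,dc=com": {
        "idautoID": "1002", "givenName": "Mark", "fullName": "Mark Smith",
        "mail": "msmith@example.com"},
    "cn=alee,ou=people,dc=example,dc=com": {
        "idautoID": "1003", "givenName": "Alex", "mail": "alee@example.com"},
    "cn=vpn-approvers,ou=groups,dc=example,dc=com": {"idautoID": "5001"},
}

@dataclass
class WorkflowContext:
    """Hypothetical container for the inputs a workflow request exposes to expressions."""
    request_type: str                               # GRANT or REVOKE
    recipient: str                                  # DN of the user receiving the resource
    requester: str                                  # DN of the user who started the request
    addressee: str                                  # DN of the user/group holding the current approval task
    approvals: list = field(default_factory=list)   # [(approver DN, comments), ...] in step order
    resource: dict = field(default_factory=dict)    # name, description, binding, icon, owner
    form: dict = field(default_factory=dict)        # form item id -> value for this request
    grant_form: dict = field(default_factory=dict)  # form of the original grant (REVOKE only)
    dss: dict = field(default_factory=dict)         # response values from an Advanced Connect Action

def resolve_directory_path(dn, path):
    """Walk %{<user>.a.b.c}: read attribute a on the object at dn and, if its value is the DN of
    another directory object, continue from there. No suffix, 'id' and 'idautoID' yield the
    idautoID; 'dn' yields the DN of the object reached so far."""
    obj, value = DIRECTORY[dn], DIRECTORY[dn]["idautoID"]
    for attr in path:
        if attr in ("id", "idautoID"):
            value = obj["idautoID"]
        elif attr == "dn":
            value = dn
        else:
            value = obj[attr]                       # KeyError if the attribute is absent
            if value in DIRECTORY:                  # chaining through a DN-valued attribute
                dn, obj = value, DIRECTORY[value]
    return value

APPROVAL_RE = re.compile(r"^(approver|approval)(\d*)$")

def resolve_token(token, ctx):
    """Resolve the inside of one %{...} against the request context."""
    head, *path = token.split(".")
    if head in ("recipient", "requester", "requestor", "addressee"):
        dn = ctx.requester if head == "requestor" else getattr(ctx, head)
        return resolve_directory_path(dn, path)
    m = APPROVAL_RE.match(head)
    if m:
        approver_dn, comments = ctx.approvals[int(m.group(2) or 0)]   # %{approver} == %{approver0}
        if m.group(1) == "approver":
            return resolve_directory_path(approver_dn, path)
        if path == ["comments"]:
            return comments
        raise ValueError("the approval prefix only exposes 'comments'")
    if head in ("resource", "form", "dss"):         # flat lookups: %{resource.name}, %{form.<id>}, %{dss.<key>}
        return getattr(ctx, head)[path[0]]
    if head == "request" and path == ["type"]:
        return ctx.request_type
    if head == "grant" and path[:1] == ["form"]:    # %{grant.form.<id>}
        if ctx.request_type != "REVOKE":
            raise ValueError("%{grant.form.<id>} is only available during REVOKE workflows")
        return ctx.grant_form[path[1]]
    raise ValueError(f"unsupported expression: {token}")

TOKEN_RE = re.compile(r"%\{([^}]+)\}")

def resolve(expression, ctx):
    """Substitute every %{...} in a field value; the single quotes the UI requires are stripped."""
    return TOKEN_RE.sub(lambda m: str(resolve_token(m.group(1), ctx)), expression.strip("'"))

def evaluate_condition(operand1, operation, operand2, ctx):
    """Condition Action stand-in: resolve both operands, then compare. The operation names are
    assumed; 'matches' is a full-string regular-expression match so that a loose pattern such
    as 'example.com' cannot succeed on a partial hit inside a longer value."""
    left, right = resolve(operand1, ctx), resolve(operand2, ctx)
    if operation == "equals":
        return left == right
    if operation == "matches":
        return re.fullmatch(right, left) is not None
    raise ValueError(f"unknown operation: {operation}")

def sample_context():
    """Constructed GRANT request: Mark asks for VPN access for Jane; two approval steps are done."""
    return WorkflowContext(
        request_type="GRANT",
        recipient="cn=jdoe,ou=people,dc=example,dc=com",
        requester="cn=msmith,ou=people,dc=example,dc=com",
        addressee="cn=vpn-approvers,ou=groups,dc=example,dc=com",
        approvals=[("cn=msmith,ou=people,dc=example,dc=com", "Manager approved"),
                   ("cn=alee,ou=people,dc=example,dc=com", "Security reviewed")],
        resource={"name": "VPN Access", "binding": "SINGLE"},
        form={"justification": "Quarter close"})
```

With this context, '%{recipient.manager.fullName}' resolves to Mark Smith by following the manager DN on Jane's entry, %{approver1.givenName} resolves to Alex because index 1 is the second approval step, and %{grant.form.justification} raises because the request is a GRANT rather than a REVOKE. A Condition Action comparing %{recipient.mail} against the pattern example.com evaluates to false under full-string matching, which is the behaviour you want when a regular expression is used to gate a branch of the workflow.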

Workflow Definitions Editor Forms tab

[Figure: Legacy_Workflows_1.png]

[Figure: Legacy_Workflows_2.png]
Workflow Email Templates

Workflow Email Templates allow administrators to configure the predetermined messages (Entitlement Revoked, New Request for Approval, etc.) that are sent automatically when the corresponding Workflow action occurs.

To learn more about Email Templates, consult the Configuration Module User Interface Overview.