How to define a Request Button in RSA Identity Governance & Lifecycle to allow single or multiple user selection based on Application/Directory name
Originally Published: 2019-06-17
Article Number
Applies To
RSA Version/Condition: 7.0.2, 7.1.0, 7.1.1
Issue
Tasks
PART 1: Restricting the user selection to one or multiple users.
The key here is in the example below. When defining a Request Form (in the RSA Identity Governance & Lifecycle User Interface go to Requests > Configuration > Request Forms tab > Create Form), there are two options under 'Changes apply to:'One user with the following attributes: All
Multiple users with the following attributes: All
Multiple users with the following attributes: All
Toggle 'One user' if you want to restrict the user granting access to only choose one user from the list. Toggle 'Multiple users' if the user granting access may grant access to more than one user on the list. The 'All' attribute may be changed to some other attribute which will restrict who shows on the list. But it does not control how many users may be selected from the list.
PART 2: Restricting the user selection to one or multiple users based on the Application/Directory name.
Create a field on the Request Form with Control Type: "Entitlement Table with Actions" and add an Entitlement Rule that defines the application/directory or applications/directories that you want associated with this form. See example below.Resolution
PART 3: Implementation
Below are some example use cases. This is not an exhaustive list.
Use Case 1:
In this use case, you have applications that require selecting a single user only and applications that allow multiple user selection. Users choose a form based on whether a single or multiple user may be selected.
Create two Global Request Forms as shown above (one that restricts selection to a single user and the relevant applications and one that allows multiple user selection and the relevant applications.) Create a Request Form Button from which either Request Form may be selected (in the RSA Identity Governance & Lifecycle User Interface go to Requests > Configuration > Request Buttons tab > New). Under 'Include' define the two Request Forms.
Create two Global Request Forms as shown above (one that restricts selection to a single user and the relevant applications and one that allows multiple user selection and the relevant applications.) Create a Request Form Button from which either Request Form may be selected (in the RSA Identity Governance & Lifecycle User Interface go to Requests > Configuration > Request Buttons tab > New). Under 'Include' define the two Request Forms.
Result:
When a user clicks on the 'Grant User Access" button they can choose between Single and Multiple forms.
Use Case 2:
Allow the user to choose from a list of applications/directories rather than two different forms. In this case, create a Global Request Form as shown above for each application/directory and add each Request Form to the relevant application/directory Requests tab definition. (In the RSA Identity Governance & Lifecycle User Interface, go to Resources > Applications/Directories > [name of application/directory] > Requests tab > Edit Request Form Associations.) Then create a Request Form Button that presents a list of applications from which to choose (in the RSA Identity Governance & Lifecycle User Interface go to Requests > Configuration > Request Buttons tab > New). Under 'Include:' define each application/directory Request Form.
Result:
Use Case 3:
If there are very few applications/directories that need only one user at a time chosen, you can create a Global Request Form as shown above for just those applications/directories (one for each) and associate the Request Form within the Application/Directory Requests tab. (In the RSA Identity Governance & Lifecycle User Interface, go to Resources > Applications/Directories > [name of application/directory] > Requests tab > Edit Request Form Associations.) Then use a default application/directory form for the other applications/directories and create a Request Form Button that presents a list of applications/directories or default forms from which to choose.
Create the individual Global Request Forms as shown above for each application/directory that requires a single user selection. For the remaining application/directories that allow multiple user selections, create two Request Forms: one of type "Application" and one of type "Directory" and define them in the Requests Configuration as the default Application Form and default Directory Form respectively. (In the RSA Identity Governance & Lifecycle User Interface, go to Requests > Configuration > Settings.) Instead of defining the applications/directories in a field in the Request Form, simply define the application/directories in the Request Button definition under 'Include:' Applications:' and 'Directories.'
Create the individual Global Request Forms as shown above for each application/directory that requires a single user selection. For the remaining application/directories that allow multiple user selections, create two Request Forms: one of type "Application" and one of type "Directory" and define them in the Requests Configuration as the default Application Form and default Directory Form respectively. (In the RSA Identity Governance & Lifecycle User Interface, go to Requests > Configuration > Settings.) Instead of defining the applications/directories in a field in the Request Form, simply define the application/directories in the Request Button definition under 'Include:' Applications:' and 'Directories.'
