Configure an Execution Plan
Execution Plan defines the target permission rules that are associated with a role. Currently, you have to define the rules for each target permission that you create. With an execution plan, you can associate the plan with any number of target permissions.
Target permission rules define the following:
- The type of access request that can be performed on permissions. The options are: Add, Modify, and Remove.
- The form that is displayed for the end user when clicking Add, Modify, or Remove. Note: Forms are linked to a task, which means the selected form controls both the screen that the user sees and the backend task/workflow that is triggered.
- The scenario in which the configured options and forms are displayed. Multiple rules can be configured for the same target permission. For example, one rule applies to all users from a specific department, who are allowed to request to add or remove with a specific form and with manager approval. A second rule applies to all managers, who are allowed to request only to add, with a specific form that does not require approval. Note: Target permissions must have rules configured so that they can be displayed to the end user.
Example:
A manager can add and remove "Network access" permissions for an employee using the "Add Network Access by manager" and "Remove Network access by manager" tasks respectively. The employee can request to add the Network Access permission using the "Request your manager network access" task.
To implement this logic, two rules have to be defined on the target permission which provides the network access.
- Rule 1 – Manager acting on the employee. For this rule, the relationship between the requester (the manager) and the target user (the employee) has to be defined. An attribute in the subordinate's user profile defines this relationship. The resulting rule looks like this: user.getValue("Manager") = requester.getValue("userId"). Once the rule is configured, the next step is to define which task to execute when the Add/Modify/Delete actions are selected. In this example, the "Add Network Access by manager" task is linked to the Add action, and "Remove Network access by manager" is linked to the Remove action.
- Rule 2 – Every employee can request the permission for themselves. This is useful when the executed task is configured with a workflow that requires the approval of a supervisor. To configure this rule, define an expression that identifies the employee, such as Requester['User Type'] = 'Employee'. Then configure the Add operation with the "Request your manager network access" task.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Execution Plans, Create.
- Specify a name for the execution plan. The Tag value is populated automatically.
- Select the Type of Execution Plan. The plan can be for a single request or a bulk access request.
- Select the Connector that has the task that you want to execute.
- Click the Rules tab.
- Click Add rule.
- Specify a descriptive name for the rule.
- Provide a priority for the evaluation of this rule (lower number has a higher priority).
- Select the mode for this rule. The following modes are available:
  - Access Rights – These rules are evaluated when the access request is for an existing user or users (depending on whether the execution plan is single or bulk).
  - Onboarding Access Rights – These rules are evaluated when the access request is for a user or users that are about to be created (depending on whether the execution plan is single or bulk). This requires the user to continue from a create operation to an access right operation.
- In Rule Expression, edit the condition for which this rule applies.
- In Expression Editor, select an editing mode from the following options:
  - Always true: This rule applies to all users (requesters and subjects of a request).
  - Expression Builder: Select the appropriate values to create an expression.
  - Custom: This rule applies to the users matching the condition defined using custom JavaScript.
    Example (manager of a user):
    user.getValue("Manager").equals(requester.getValue("userId"))
    Note: For more information about building complex custom expressions, see the Programming section.
- Select the forms that can be added, modified, and removed in this execution plan. Example: To add a form, select Add Form and then select the form to add from the dropdown list.
- Click Create. The Execution Plan is created.
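The two "Network access" rules from the example above, modelled offline so the resulting access matrix can be checked before the rules are configured. This is an added example, not product code: mockUser, RULES and allowedActions are hypothetical names, first-match-by-priority evaluation is an assumption, and the manager comparison is written null-safe with === instead of the page's expression.

```javascript
// Added example, not product code. mockUser, RULES and allowedActions are
// hypothetical names; first-match-by-priority evaluation is an assumption.

// Stand-in for the user/requester objects a rule expression receives.
function mockUser(attrs) {
  return { getValue: (name) => (name in attrs ? attrs[name] : null) };
}

const RULES = [
  {
    name: "Manager acting on the employee",
    priority: 1, // lower number = higher priority
    // Null-safe manager check: an empty or missing attribute never matches.
    applies: (user, requester) => {
      const mgr = user.getValue("Manager");
      const id = requester.getValue("userId");
      return Boolean(mgr) && Boolean(id) && mgr === id;
    },
    tasks: {
      Add: "Add Network Access by manager",
      Remove: "Remove Network access by manager",
    },
  },
  {
    name: "Employee self-request",
    priority: 2,
    applies: (user, requester) => requester.getValue("User Type") === "Employee",
    tasks: { Add: "Request your manager network access" },
  },
];

// Return the actions and tasks offered to `requester` for target `user`.
function allowedActions(user, requester, rules = RULES) {
  const byPriority = [...rules].sort((a, b) => a.priority - b.priority);
  const hit = byPriority.find((r) => r.applies(user, requester));
  return hit ? { rule: hit.name, tasks: hit.tasks } : { rule: null, tasks: {} };
}

// Constructed sample profiles.
const alice = mockUser({ userId: "alice", "User Type": "Employee", Manager: "bob" });
const bob = mockUser({ userId: "bob", "User Type": "Employee", Manager: "carol" });
const dave = mockUser({ userId: "dave", "User Type": "Contractor", Manager: "" });
const blank = mockUser({ userId: "", "User Type": "Contractor" });

console.log(allowedActions(alice, bob));   // manager on subordinate
console.log(allowedActions(alice, alice)); // employee self-request
console.log(allowedActions(dave, blank));  // empty attributes: no rule matches
```

In this model bob satisfies both rule expressions when acting on alice, so the priority value decides which tasks he is offered.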