GKA authorises BVA
As soon as a user has successfully completed the "Request access" step of the Access Request process and you are responsible for the access management of this specialist application, you receive the following mail in the IDM role GKA.

1. The mailbox (defined for each user application) contains the e-mail generated by eIAM with the user's request information. Copy the user ID (marked yellow in the example) and click the link given in the e-mail.
   Note: You can also authorise users who have not yet requested access. In this case, start directly with step 2.
2. For an access request made by mail, the user ID and the corresponding client should already be set; press Search to get to the user administration page. Users without an explicit access request by e-mail can be searched for and authorised by entering the user ID or the name (* can be used as a wildcard at the beginning and at the end).
3. Click on the user ID.
4. The user administration page now displayed consists of three blocks:
   - Data on the identity of the applicant with contact information.
   - Information on the user's authentication data.
   - Information on the user's profile, which contains their roles.
   Then click on User Profile at the bottom of the page.
5. You now reach the Authorisation Cockpit for the roles GKA and BVA. This view consists of three parts:
   1. IDM roles: used by the GKDs and GKAs for IDM role administration.
   2. Business roles: used for business role administration (currently not used).
   3. Roles: used by the BVAs to manage specialist application roles.
6. In the IDM role GKA, GKA-specific authorisation tasks are carried out via the IDM roles and the user profile administration. Here, the roles "BVA" and "AppOwner" are identical, except that the BVA cannot archive users and the AppOwner cannot generate reports.
   Procedure:
   In eIAM-IDM, a client is broadly understood to be the entire office or organisation for which the GKA and BVA work. Click on "Add client". This brings up the client search screen. Entering part or all of the client name returns the clients matching the entry. Selecting the client name restricts the applicant's view of the data (users, applications, etc.) to that client.
   3. Restriction of the BVA or AppOwner role to the Access Management unit. In the current version of eIAM AccessManagement, a trivial organisation is implemented: all persons to be authorised are managed in a unit called "AccessRequest" (user profile filing with the First eIAM User AccessRequest). It is the GKA's task to make these users available to the BVA for authorisation. Therefore, the GKA must add the unit "AccessRequest" to the role BVA/AppOwner. Otherwise, the users to be authorised will not be visible to the BVA.
   4. Assign the application(s) to the BVA or AppOwner role. In this step, the GKA assigns one or more applications to the BVA/AppOwner. To do this, the GKA clicks the Add Applications button. There are several ways to search for one or more applications: with no input before clicking the search button, all applications assigned to the client are listed; entering part of the name (beginning or ending with the wildcard *) lists those applications assigned to the client whose name contains the specified part. Click on the desired application to add it to the user. If you want to authorise the user as BVA for all applications, it is sufficient to activate the checkbox Authorised for all applications.
   5. Optional: GKA and BVA with the "SelfAdmin" role (double roles: GKA + BVA, or BVA + specialist application role). In cases where a person of a client, e.g. one who holds the role of BVA for Sharepoint, should at the same time also use Sharepoint themselves, this BVA cannot authorise themselves, because for security reasons the IDM system hides their own person from the search space (Chinese wall principle). The GKA can explicitly override this principle by assigning the additional IDM role SelfAdmin to the BVA. The alternative is to appoint a second BVA who grants the first one the specialist application rights.
7. Then inform the new user that the permissions have been granted and that access to the specialist application should be checked.
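The scoping rules of step 6 (client, unit "AccessRequest", assigned applications, and the Chinese wall that hides a BVA's own identity unless SelfAdmin is granted) are easy to get wrong in configuration, and the symptom is simply "the user is not visible". The following is an added illustration written for this page, not eIAM code: the data classes, the sample users and the field names are assumptions made to model the rules as the text describes them, so that the effect of a missing unit or a missing SelfAdmin role can be seen directly.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class User:
    user_id: str
    client: str   # office/organisation the user belongs to
    unit: str     # organisational unit holding the user profile, e.g. "AccessRequest"


@dataclass
class AdminRole:
    """One BVA/AppOwner assignment as configured by the GKA (assumed structure)."""
    admin_id: str                     # identity of the administrator holding the role
    client: str                       # client added with "Add client"
    units: Set[str] = field(default_factory=set)         # units added to the role
    applications: Set[str] = field(default_factory=set)  # applications added to the role
    all_applications: bool = False    # checkbox "Authorised for all applications"
    self_admin: bool = False          # additional IDM role SelfAdmin granted by the GKA


def may_manage_application(role: AdminRole, application: str) -> bool:
    """True if the role may assign specialist-application roles for this application."""
    return role.all_applications or application in role.applications


def visible_user_ids(role: AdminRole, users: List[User]) -> List[str]:
    """User IDs the administrator can find in the search space.

    Rules taken from the procedure above:
    1. only users of the role's client are shown;
    2. only users in units the GKA added to the role (e.g. "AccessRequest");
    3. the administrator's own identity is hidden (Chinese wall principle)
       unless the GKA also granted the IDM role SelfAdmin.
    """
    visible = []
    for user in users:
        if user.client != role.client:
            continue
        if user.unit not in role.units:
            continue
        if user.user_id == role.admin_id and not role.self_admin:
            continue
        visible.append(user.user_id)
    return visible


# Constructed sample data for the demonstration (not from the page).
USERS = [
    User("U1001", "OfficeA", "AccessRequest"),   # the BVA's own identity
    User("U1002", "OfficeA", "AccessRequest"),
    User("U1003", "OfficeA", "OtherUnit"),        # not in a unit added to the role
    User("U2001", "OfficeB", "AccessRequest"),    # different client
]

SHAREPOINT_BVA = AdminRole("U1001", "OfficeA", units={"AccessRequest"},
                           applications={"Sharepoint"})
# Same role, but the GKA did not add the unit "AccessRequest": nobody is visible.
BVA_WITHOUT_UNIT = AdminRole("U1001", "OfficeA", applications={"Sharepoint"})
# Same role plus SelfAdmin: the BVA may now also authorise their own identity.
SHAREPOINT_BVA_SELFADMIN = AdminRole("U1001", "OfficeA", units={"AccessRequest"},
                                     applications={"Sharepoint"}, self_admin=True)

if __name__ == "__main__":
    print("BVA sees:", visible_user_ids(SHAREPOINT_BVA, USERS))
    print("BVA without unit sees:", visible_user_ids(BVA_WITHOUT_UNIT, USERS))
    print("BVA with SelfAdmin sees:", visible_user_ids(SHAREPOINT_BVA_SELFADMIN, USERS))
```

The model makes the least-privilege intent of the cockpit explicit: a BVA only ever sees the users of their own client and of the units the GKA chose, and granting SelfAdmin is the single deliberate exception that lets an administrator act on their own identity.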
Generate revocation of IDM roles and reports
Revocation of IDM roles
Find the user and click on the pencil for the IDM role. In the next window, click on 1. Delete role assignment and then 2. confirm with Delete.

Generate reports
There are various reports available. To recertify the roles, select "Users per application" and click on "Generate report". Open the Excel table. You will see all users with roles in their office. You can use Filter Data to display only the users of a single application. In the column Last Login you can see when the user last used the application.
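Recertification is where the Last Login column earns its keep: roles that have not been used for a long time are the first candidates for revocation. As an added example for this page (not eIAM's report format), the block below parses a "Users per application" export saved as CSV and lists, for one application, the users who never logged in or have been idle longer than a threshold. The column names other than "Last Login", the semicolon delimiter, the date format and the sample rows are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample report exported as CSV with assumed column names
# (the real report is an Excel table; only "Last Login" is named on the page).
REPORT_CSV = """User ID;Application;Role;Last Login
U1001;Sharepoint;Reader;2024-05-02
U1002;Sharepoint;Editor;2023-09-14
U1003;Sharepoint;Editor;
U1004;Finance;Approver;2024-05-20
"""

# Fixed review date so the example is reproducible (assumption for the demo).
REVIEW_DATE = date(2024, 6, 1)


def parse_report(text: str) -> List[dict]:
    """Parse the exported report; an empty Last Login means the user never logged in."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        raw = row["Last Login"].strip()
        last_login: Optional[date] = (
            datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        )
        rows.append({
            "user_id": row["User ID"].strip(),
            "application": row["Application"].strip(),
            "role": row["Role"].strip(),
            "last_login": last_login,
        })
    return rows


def recertification_candidates(rows: List[dict], application: str,
                               today: date, max_idle_days: int = 90
                               ) -> List[Tuple[str, str, str]]:
    """Users of one application whose role assignment should be reviewed.

    Mirrors the manual steps: filter the table to a single application and
    read the Last Login column. Returns (user_id, role, reason) tuples for
    users who never logged in or have been idle longer than max_idle_days.
    """
    candidates = []
    for r in rows:
        if r["application"] != application:
            continue
        if r["last_login"] is None:
            candidates.append((r["user_id"], r["role"], "never logged in"))
            continue
        idle = (today - r["last_login"]).days
        if idle > max_idle_days:
            candidates.append((r["user_id"], r["role"], f"idle {idle} days"))
    return candidates


if __name__ == "__main__":
    for user_id, role, reason in recertification_candidates(
            parse_report(REPORT_CSV), "Sharepoint", REVIEW_DATE):
        print(f"{user_id} ({role}): {reason}")
```

The output is a review list, not an automatic revocation: each entry still goes through the "Delete role assignment" step above after the BVA or GKA has confirmed with the user's line manager that the access is no longer needed.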