Access Builder Settings
    • PDF

    Access Builder Settings

    • PDF

    Article summary

    Important
    The Access Builder feature is enabled only on request. Please reach out to your customer success point of contact to enable this.

    Britive Access builder helps users request access to existing Britive profiles reducing overhead on administrators who create and manage Britive profiles. This feature also lets users create their own profiles with available permissions. Administrators control which applications and permissions are available for users to request access to and which users/tags can request access to which applications. Approvals can be configured so that profile access requests are reviewed by various stakeholders before any profile access is granted to requesters. 

    There are two ways to request access: 

    • Users can request access to the existing profiles and associated policies. In this case, the profiles and policies are already created by an administrator. 
    • Users can create new profiles using existing roles and permissions in the target environment and then request access to those profiles.

    Access Builder Settings (Admin configuration)

    The administrator needs to make the following configuration so that users can request access to the profiles of a particular application. 

    1. Login to Britive with administrator privileges.
    2. Click on Admin -> Application and Access Profile Management.
    3. Click on the application and select Access Builder Settings from the navigation menu.
    4. Check Allow Access Builder to enable the Access Builder feature. This can be enabled only if Association Approvers and Notifications settings are completed.
    5. Association Approvers: This is a mandatory configuration. Define a combination of an association and an approver group.
      1. Click on Add Approver Group to add a group of approvers for profile requests generated under the app. The members of the approver group approve the profile request.
        1. Enter the Name of the approver group.
        2. Select the Approval Condition:
          1. All members: All members of the approver group must approve the request so that the user can checkout the profile for access.
          2. Any member: Any member of the approver group can approve the request.
            1. Click Add Users to add individual users to the approver group.
            2. Click Add Tags to add tags to the approver group.
        3. Click Save.
        4. Edit, Delete, or View Members from the list of approvers group. An approver group can not be deleted if it is mapped to one or more association(s).
      2. Click on Add Assignment to configure Associations. You must add at least one approver group to add assignment.
        1. Enter the Name of the association. 
        2. Check the environments from the Associations section which users can request access to. All the profiles associated with this environment are available for access requests.
        3. Click on Select Approver Group to select approver groups for this assignment.
      3. Approval Timeout: This is a mandatory configuration.  Specify the time for approval from the approver group. The access request is not valid if it is not approved within this timeout.
      4. Maximum allowed profile expiration timeout: This is a mandatory configuration. This is the maximum allowed value for the Expiration Timeout in value when creating a profile. 
    6. Notifications: This is a mandatory configuration. Configure to send the notification to the approvers when a profile access/creation request is submitted.
      1. Click on Add Notification to add a new notification medium.
        1. Select a notification medium from the dropdown list of notifications and click Add
    7. Requesters: This is an optional configuration. Configure which users can request access. All users can request access to profiles if this configuration is not specified.
      1. Click Add Users and/or Add Tags to configure the list of requesters.
      2. Select Include or Exclude to either include or exclude a particular user/tag from requesting access.

    Was this article helpful?

    What's Next