Hope you all are doing good!!!
In our last post we discussed Entitlement Management's Administrator and Catalog Creator roles. Today we continue with one more very important Entitlement Management role: Access Package Manager. We'll explore all the responsibilities of this role with a practical example, and we will also see how to create and manage an access package.
If you have missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Azure AD Entitlement Management Roles:
As we discussed in our previous article, in a big organisation, to manage and handle Entitlement Management, organizations delegate different roles to users, so that a specific user with a specific role can perform their task without involving IT personnel. In our last article we discussed the Administrator and Catalog Creator roles. Today we will explore the Access Package Manager role.
Azure AD Entitlement Management Access Package Manager Role:
The Access Package Manager edits and manages all existing access packages within a catalog. An access package is a bundle of resources that a team or project needs, and it is governed by policy. As an Access Package Manager, the user should know who needs access, to which resources, and for how long. The following are the responsibilities of the Access Package Manager. Let's go through them one by one.
Create A New Access Package – In our last article we saw how a catalog owner or catalog creator can delegate the Access Package Manager role to the user 'email@example.com'. In this article we will log in as 'Prasham1', an Access Package Manager, and proceed to create and manage an access package under the Knowledge Junction Catalog. As we know, if we don't select a catalog when creating an access package, that access package is created in the built-in General catalog.
To create an access package, the user must have at least one of the following roles.
- Global administrator
- User administrator
- Catalog creator/Catalog owner
- Access package manager
To create a new access package under the Knowledge Junction Catalog, let's go through the following steps.
Step 1 – Log in to the Azure portal with our access package manager account > Azure Active Directory > Identity Governance > Entitlement Management > Catalogs > select Knowledge Junction Catalog, as shown in the above figure.
Step 2 – As shown in the following figure, click the + New access package link to create a new access package.
Step 3 – In the New access package window, as we can see in the following figure, there are five tabs for configuring the access package.
Basics tab – collects basic information such as Name and Description.
Step 4 –
Resource roles tab – Here we select the resources to include in the access package. As we discussed in our last articles, we can include groups, applications, and SharePoint Online sites as access package resources. Move to the Resource roles tab and click the resource type we want to add: Groups and Teams, Applications, or SharePoint sites. We can also pick resources that were already added to the catalog; in the following figure we have done this for the Groups and Teams type. Here we select the "Only see Group and Team(s) in the 'Knowledge Junction Catalog' catalog" check box, which lists all groups that were included in the catalog when it was created. In this case we had only one, "Database Group".
Step 5 – Click + Application or + SharePoint site if we want to add resources of those types, as shown in the following figure. The same figure also shows that if we want to delete a resource or modify its role assignment, we can come back to this page and click the delete icon to remove the resource, or change the drop-down value to change the role assigned for that resource.
Step 6 –
Requests tab – Here we create the first policy of the access package, which specifies who can request the access package and, if required, the approval settings.
First let's configure "Users who can request access". As we can see in the following figure, there are three options for who can request access. The access package manager can select different options in different policies to meet the requirement.
- For users in your directory
- For users not in your directory
- None (administrator direct assignment only)
The access package manager can add specific users or groups who can request access. In this example we have selected the first option, For users in your directory, and added the MsTechs group so that all members of the group can request access to the resources. In the Approval section we specify whether approval is required when users request this access package. The following figure shows a request policy without an approver.
Now let's reconfigure the policy and add an approver for the request. We can add a user as the approver of the access package, so that when a user sends an access request it goes for approval, and only after the approver approves it can the user access the resources. There is one more configuration option, Fallback: here we configure a user account as the fallback approver, so that if the request cannot reach the selected approver it goes to the fallback user for approval. The access package manager also configures the number of approval stages. If we set How many stages to 2, we need to provide an approver for the second stage as well. In this example we have configured 1 stage.
Later, we can create more request policies to allow additional groups of users to request the access package with their own approval settings.
Step 7 –
Lifecycle tab – On the Lifecycle tab we specify when a user's assignment to the access package will expire. We can also specify whether users can extend their assignments; as shown in the following figure, we have allowed users to extend their access.
Step 8 –
Review + create tab – On this tab we review our settings and check for any validation errors before clicking the Create button. Once verified, click Create to complete the access package creation. As shown in the following figure, our access package is created successfully.
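Before clicking Create, it is worth checking the request policy for the combinations an auditor would flag later: external requestors with no approver, an approval stage with no fallback approver, or assignments that never expire. The following script is an added example, not code from the original post or from Microsoft. It runs offline on the JSON shape that Microsoft Graph v1.0 returns for an accessPackageAssignmentPolicy (allowedTargetScope, specificAllowedTargets, requestApprovalSettings.stages, expiration); that shape is an assumption made here, and the two sample policies are constructed: the first mirrors the walkthrough above (MsTechs group, one approval stage with a fallback approver, expiring assignments), the second is a deliberately weaker policy for contrast. All GUIDs are placeholders.

```python
"""Offline audit of entitlement-management assignment policies (added example)."""
from dataclasses import dataclass

# allowedTargetScope values that let people outside the tenant request access
EXTERNAL_SCOPES = {
    "specificConnectedOrganizationUsers",
    "allConfiguredConnectedOrganizationUsers",
    "allExternalUsers",
}


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str  # "high", "medium" or "low"
    message: str


def audit_policy(policy: dict) -> list[Finding]:
    """Return the findings for one assignment policy (empty list means clean)."""
    name = policy.get("displayName", "<unnamed>")
    scope = policy.get("allowedTargetScope", "notSpecified")
    approval = policy.get("requestApprovalSettings") or {}
    stages = approval.get("stages") or []
    approval_required = bool(approval.get("isApprovalRequiredForAdd"))
    findings: list[Finding] = []

    # Who may request: external requestors with no approver is the riskiest combination
    if scope in EXTERNAL_SCOPES and not approval_required:
        findings.append(Finding(name, "high", "external users can request access with no approval"))
    elif scope == "allDirectoryUsers" and not approval_required:
        findings.append(Finding(name, "medium", "every directory user (guests included) gets access with no approval"))
    if scope == "specificDirectoryUsers" and not policy.get("specificAllowedTargets"):
        findings.append(Finding(name, "medium", "scoped to specific users/groups but no targets listed; nobody can request"))

    # Approval: every stage needs a primary approver; a fallback keeps requests from stalling
    if approval_required and not stages:
        findings.append(Finding(name, "high", "approval required but no approval stage is defined"))
    for idx, stage in enumerate(stages, start=1):
        if not stage.get("primaryApprovers"):
            findings.append(Finding(name, "high", f"approval stage {idx} has no primary approver"))
        if not stage.get("fallbackPrimaryApprovers"):
            findings.append(Finding(name, "low", f"approval stage {idx} has no fallback approver"))

    # Lifecycle: assignments that never expire are never re-justified
    expiration = policy.get("expiration") or {}
    if expiration.get("type", "noExpiration") in ("noExpiration", "notSpecified"):
        findings.append(Finding(name, "medium", "assignments never expire"))
    return findings


def worst_severity(findings) -> str:
    """Collapse a list of findings to the single worst severity ("clean" if none)."""
    order = {"clean": 0, "low": 1, "medium": 2, "high": 3}
    worst = "clean"
    for finding in findings:
        if order[finding.severity] > order[worst]:
            worst = finding.severity
    return worst


# Constructed sample: the policy built in the walkthrough (placeholder GUIDs, not real tenant data)
INITIAL_POLICY = {
    "displayName": "Initial policy",
    "allowedTargetScope": "specificDirectoryUsers",
    "specificAllowedTargets": [
        {"@odata.type": "#microsoft.graph.groupMembers",
         "groupId": "00000000-0000-0000-0000-0000000000aa", "description": "MsTechs"}
    ],
    "requestApprovalSettings": {
        "isApprovalRequiredForAdd": True,
        "stages": [{
            "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                  "userId": "00000000-0000-0000-0000-0000000000bb"}],
            "fallbackPrimaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                          "userId": "00000000-0000-0000-0000-0000000000cc"}],
        }],
    },
    "expiration": {"type": "afterDuration", "duration": "P90D"},
}

# Constructed sample: a weaker policy an auditor would want flagged
PARTNER_POLICY = {
    "displayName": "Partner self-service",
    "allowedTargetScope": "allExternalUsers",
    "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
    "expiration": {"type": "noExpiration"},
}

if __name__ == "__main__":
    for pol in (INITIAL_POLICY, PARTNER_POLICY):
        found = audit_policy(pol)
        print(f"{pol['displayName']}: {worst_severity(found)}")
        for finding in found:
            print(f"  [{finding.severity}] {finding.message}")
```

The same function can be pointed at the policies of an existing access package by feeding it the objects returned from the Graph assignmentPolicies endpoint; the checks only look at the fields named above, so any extra properties in a live response are ignored.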
Share Link To Request An Access Package – Users can sign in to the My Access portal and automatically see the list of access packages they can request. But for external users who are not yet in our directory, we need to send them a link that they can use to request an access package.
To find the link, log in to the Azure portal > Azure Active Directory > Identity Governance > Catalogs > select the catalog where the required access package resides > click the required access package > on the Overview page, copy the My Access portal link.
Once we have the My Access portal link, email or send it to our external users. They can share the link with their users to request the access package.
Change Resource Roles For An Access Package – The access package manager can change the resources in an access package at any time without worrying about provisioning the users' access to the new resources or removing their access from the previous resources; entitlement management takes care of both.
Change Request And Approval Settings For An Access Package – The access package manager can change the users who can request an access package at any time by editing the policy or adding a new policy. We can also change the approval settings.
Change Lifecycle Settings For An Access Package – The access package manager can change the lifecycle settings for an access package at any time by editing an existing policy. If we change the expiration date for a policy, the expiration date for requests that are already pending approval or approved does not change.
View Requests For An Access Package – In Azure AD entitlement management, we can see who has requested access packages, their policy, and their status. Here, as a member of the MsTechs group, Ganesh has sent a request for access and it has been approved by the approver.
View, Add, And Remove Assignments For An Access Package – In Azure AD entitlement management, we can see who has been assigned to access packages, their policy, and their status. We can also directly assign a user to an access package by clicking the + New assignment link, if we are sure about the policy and about whom we are assigning the access package to. In the following figure we can see that 'Ganesh' has been assigned the access.
Hide Or Delete An Access Package – By default, an access package is visible to a user if a policy allows that user to request it; the user automatically sees the access package in the My Access portal. However, we can configure the Hidden setting so that the access package is not listed in the user's My Access portal.
An access package can only be deleted if it has no active user assignments. As shown in the following figure, we go to the list of access packages, select the three dots, and delete the access package.
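The three portal views above (requests, assignments, and the delete check) map onto two Graph collections, and the same review can be scripted so the pre-delete check and the "who is still waiting for approval" list come from one place. The following is an added example, not code from the original post or from Microsoft. It runs offline on constructed records in the shape Microsoft Graph v1.0 uses for accessPackageAssignmentRequest and accessPackageAssignment (a state string, a nested accessPackage.id, and a requestor or target subject with a displayName); that shape is an assumption made here. The access package ids and the second and third requestors are placeholders; Ganesh's approved request mirrors the walkthrough. It goes one step beyond the page by also refusing deletion while a request is still in flight, which avoids a dangling request that can never be delivered.

```python
"""Offline review of access package requests and assignments (added example)."""
from collections import Counter

# Assignment states that still grant access; "expired" does not
ACTIVE_ASSIGNMENT_STATES = {"delivering", "partiallyDelivered", "delivered"}
# Request states that are still in flight and deserve an approver's attention
OPEN_REQUEST_STATES = {"submitted", "pendingApproval", "delivering", "scheduled"}


def _package_id(record: dict):
    """Id of the access package a request or assignment belongs to (assumed nested shape)."""
    return (record.get("accessPackage") or {}).get("id")


def request_status_counts(requests, access_package_id) -> dict:
    """Count requests for one access package by state, e.g. {'delivered': 1, 'pendingApproval': 1}."""
    states = (r.get("state", "unknown") for r in requests if _package_id(r) == access_package_id)
    return dict(Counter(states))


def pending_requestors(requests, access_package_id) -> list:
    """Display names of requestors whose request is still waiting for an approver."""
    return sorted(r["requestor"]["displayName"] for r in requests
                  if _package_id(r) == access_package_id and r.get("state") == "pendingApproval")


def active_assignment_targets(assignments, access_package_id) -> list:
    """Display names of users who currently hold an active assignment to the package."""
    return sorted(a["target"]["displayName"] for a in assignments
                  if _package_id(a) == access_package_id and a.get("state") in ACTIVE_ASSIGNMENT_STATES)


def can_delete(access_package_id, assignments, requests) -> tuple:
    """Apply the portal rule (no active assignments) plus the added in-flight request check."""
    active = active_assignment_targets(assignments, access_package_id)
    if active:
        return False, f"{len(active)} active assignment(s): {', '.join(active)}"
    in_flight = [r for r in requests
                 if _package_id(r) == access_package_id and r.get("state") in OPEN_REQUEST_STATES]
    if in_flight:
        return False, f"{len(in_flight)} request(s) still in flight"
    return True, "no active assignments or open requests"


# Constructed sample data (placeholder ids and names, not real tenant data)
PKG = "00000000-0000-0000-0000-00000000pkg1"      # the access package from the walkthrough
PKG_RETIRED = "00000000-0000-0000-0000-00000000pkg2"  # a package whose only assignment expired

REQUESTS = [
    {"state": "delivered", "accessPackage": {"id": PKG}, "requestor": {"displayName": "Ganesh"}},
    {"state": "pendingApproval", "accessPackage": {"id": PKG}, "requestor": {"displayName": "Requestor B"}},
    {"state": "denied", "accessPackage": {"id": PKG}, "requestor": {"displayName": "Requestor C"}},
]
ASSIGNMENTS = [
    {"state": "delivered", "accessPackage": {"id": PKG}, "target": {"displayName": "Ganesh"}},
    {"state": "expired", "accessPackage": {"id": PKG_RETIRED}, "target": {"displayName": "Requestor C"}},
]

if __name__ == "__main__":
    print("request states:", request_status_counts(REQUESTS, PKG))
    print("waiting for approval:", pending_requestors(REQUESTS, PKG))
    print("active assignments:", active_assignment_targets(ASSIGNMENTS, PKG))
    for pkg in (PKG, PKG_RETIRED):
        allowed, reason = can_delete(pkg, ASSIGNMENTS, REQUESTS)
        print(f"delete {pkg}: {'ok' if allowed else 'blocked'} ({reason})")
```

With live data, the two lists would come from the assignmentRequests and assignments collections under identityGovernance/entitlementManagement; the functions only read the fields named in the lead-in, so additional properties in a real response do not affect the result.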
I hope this article helps you get basic information about Azure AD Entitlement Management, especially the Access Package Manager role and how to create an access package. In our next article we will cover both the Requestor and Approver roles.
As I am exploring Azure Identity and Access Management (IAM) in depth, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂