IDHub currently has two modules, which are used by two different user bases: End-users & Administrators. To utilize all functionalities, the primary user should perform the below functions:
Step 1 : Setting up User Base
This is a three step process:
Milestone 1: Federating the User Base Application
- Before on-boarding your first application, you need to setup Keycloak, to fetch users in your IDHub Keycloak instance. This is required to perform continuous synchronizations with your user data authentication source. Application Management Explained.
Milestone 2: Setting up Your First Application
- After users are connected and entered into the IDHub Keycloak instance, you will need to connect those users to IDHub applications, in order for them to use IDHub.
- Add an Application Explained.
- This Application should be one for which all user (or employee) information will be synchronized within IDHub on a timely manner. This should be a connected Application.
- In the event you do not have an existing application for your existing user base, you can onboard a disconnected application.
- The following user fields are mandatory for your trusted application:
- Login - This field will be used by all the users, to login to IDHub.
- Email Address - This field will be used to send all related notifications within IDHub.
- Manager Login - This field will be used to send tasks to respective managers upon requests, depending on the workflow.
- Display Name - This field will help in showing user information in the Search Catalog.
- Manager Display Name - This field will be used for adding proxies.
In the event that one Application does not contain all the necessary fields and information, you would then need to create multiple Applications to fetch the above information, from across various places.
E.g.: You are getting:
- From LDAP - user login and display name, which is only your trusted user data source
- From Workday (or any other HR Application) - user email address, manager login, and manager display name, which is also your trusted data source
- IDHub advises to add two Applications, both as trusted applications for various user fields.
However, things to be taken care of are:
- Trusted fields should not be same in both Applications, as there can be data overrides which may happen, due to mismatch of data between the two trusted Applications.
Milestone 3: Reconciling the Data
- For Connected Applications:
- You'll need to schedule the synchronization and auto-reconciliation - IDHub Scheduled Jobs Explained.
- For Disconnected Applications:
- You'll need to prepare and upload the file in your on-boarded Application to synchronize users - Manual Reconciliation Explained.
Step 2: Setting up Existing Accesses of Users
Milestone 1: Collect All Applications and Entitlements in the Organization
- For setting up accesses already present in the users, you need to list out all Applications and permission levels within each Application.
- Next, you'll need to map all users in the organization, with each of those accesses.
- New Features of IDHub:
- Custom Forms in applications
- Custom Workflows
Need help in Implementations?
If you need any assistance to perform the above tasks, contact our IDHub Implementation Team. Our experts are happy to assist with IDHub!
Milestone 2: Bulk On-board
- You'll need to on-board all Applications and Entitlements into IDHub, with our Bulk On-board functionality - Bulk Upload Applications Explained.
Step 3: Create a Role Based Access Control (RBAC) System
Milestone 1: Freeze Roles in the Organization
- Create an xls sheet with Role names, Role Owner, and a list of Applications and Entitlements for each.
- Create a condition to which each Role can be auto-assigned. (If any rule exists: example - only US Illinois branch users will receive Role no. 45)
- Map each user to the Roles
Milestone 2: Onboard Bulk Roles
- Insert information of Roles in the bulk Role template in Admin Module of IDHub
- Approve and on-board the Roles into IDHub
Step 4: Make Administrators
Milestone 1: Request 'System Administrator' Role for other users
- Go to Search Catalog
- Search for "System Administrator" Role
- Add to cart
- Click on cart and proceed to cart details page
- Add users who you'd like to make administrators
- Submit justification and request for Admin Access
- Go to tasks page for approving the admin access request (As an 'Access Manager')
This should create new admins with their dedicated Keycloak credentials and Admin Module access.
Step 5: Share IDHub with Admins and Users
Milestone 1: Share IDHub Login and Password with All Administrators and Users
- Get IDHub Login page URL
- Get the user credentials from Keycloak (only userids should be fine)
- Share the information with all the admins and users of your organization
Congratulations! Every Admin and User will now be able to use IDHub.
Once the setup is completed, each user base can get started. To know more about those go to the respective "Getting Started" sections - Getting Started as a System Administrator and Getting Started as an End-User
The following roles are found in a typical IDHub Environment:
System Administrator Role (An Admin Role)
Users with this Role, receive access to the IDHub Admin Module.
Administrator Role privileges are listed below:
- Explore the Admin Dashboard
- Explore & Manage Catalog items
- Create new Application
- Create New Roles
- Review Requests
- Reconcile access data for your application
- Create custom workflows for Applications, Role and Service Requests
- Create custom forms for application, roles or service requests
- Create New Service Request
- Manage Out-of the box roles and service requests
- Manage email notifications
- Create and manage certifications processes
- Setup administrative configurations, emails and other settings
- Login to Keycloak and manage User Federations
Users who need approval rights, without being an Admin, can be assigned this Role.
Access Manager Role privileges are listed below:
- Approve New Application requests
- Approve Modification requests for Application
- Approve New Role requests
- Approve Modification requests for Role
- Approve New Service Request requests
- Approve Modification requests for Service Request
- Approve New Certification definition requests
- Approve Modification requests for certification definitions
Users who do not require approval rights, can be assigned this Role.
End-User Role privileges are listed below:
- Login & Home Page
- View your Profile in IDHub
- Search Catalog
- Access Request
- Approve/ Reject Tasks
- Certify Users
- Save & Share List
- Manage Proxies
- Revoke Accesses