Business Rules
Business rules play an important role in HelloID. Using these rules, you precisely define which accounts and authorizations the Identity & Access Management (IAM) solution writes to your target systems. While others may know these rules as an authorization matrix, an RBAC model, or an ABAC model, these definitions and technologies are collectively referred to as business rules within HelloID. In this blog, we help you get started with business rules. You will learn how to configure and manage business rules, including the opportunities they offer.
What are Business Rules?
A business rule defines the conditions under which HelloID must perform specific actions and how these actions must be executed. For example, you determine which authorizations HelloID writes and to which persons the IAM solution assigns them. You remain fully in control and determine in detail how HelloID operates.
With business rules, you can have HelloID execute scenarios in detail. Is there a new employee? Then, using a business rule, you can create an account a few days before the start date. With a second business rule, you link authorizations to this account. A third business rule ensures that HelloID activates the account the day before the new employee starts.
If desired, you can also combine accounts and authorizations in a single business rule. When executing this business rule, the order of operations matters; granting authorizations is only possible once an account has been created. HelloID handles this sequencing intelligently and automatically, and ensures correct processing. All you need to do is define the conditions and add or remove entitlements.
How Do You Manage Business Rules?
You manage business rules through the HelloID Provisioning dashboard. Go to Business Rules on the left side of the screen, under 'Rules', to see an overview of all configured rules. On the right side of the screen, you can immediately see which persons are affected by these business rules.
A useful option, especially if you have many business rules configured, is the ability to filter business rules by status or category. This gives you an instant overview of all relevant business rules and removes the need to sift through the list manually.
Create a New Business Rule
To create a new business rule, click the plus button at the top of the page. Then, under Condition, select the scope of the business rule. You can specify whether the person must be active or inactive, and select a person attribute, contract attribute, department, or job as the criterion. On the right side of the screen, you see all persons who fall within the scope of this specific business rule. You can immediately verify whether the configured criteria have the intended effect.
Specify the actions you want to perform within this business rule under 'Entitlements.' Examples include creating an account in your (Azure) Active Directory, granting authorizations for a specific business application, or creating a ticket in your ITSM platform. If a person falls within the scope of the business rule, HelloID performs the related actions, such as granting a specific authorization. If the person no longer falls within the scope of the rule, for example, due to a job change, the authorization right is automatically removed.
It is important to assign clear names and descriptions to your business rules. The number of rules you work with can grow substantially. By assigning a clear name and description when creating a business rule, you avoid a lot of searching later. You can also assign business rules to categories, which allows you to group them. You can filter on these categories in the business rules overview, which gives you instant visibility into all rules within that category.
Publish a Business Rule
As soon as you save a business rule, it is assigned the 'draft' status by default. HelloID only executes published rules. You can therefore work safely and without risk on rules with draft status, with no impact on users.
If you want HelloID to include a business rule in evaluations and enforcements going forward, you must publish the business rule first. Click the 'Publish' button.
Next, you can map the impact of the change on your users by running an evaluation. In the example below, the previously shown business rule has been extended with the assignment of a Nedap Ons user account. The evaluation shows that when enforcing this rule, HelloID will create a Nedap Ons account for every person within the scope of that business rule.
Have you made changes to an existing business rule and want to roll them back? This is also possible with a single click; simply click 'Revert.'
Edit a Business Rule
In some cases, you may not want to create a new business rule, but instead edit an existing rule.
Consider the scope of the business rule, as well as the authorizations you assign through the rule. Open the existing business rule by clicking the wrench icon next to the rule. You can then change all settings.
Clone a Business Rule
You might want to reuse an existing business rule and make only a few small changes. This is possible by cloning the rule, which duplicates it. The cloned business rule has draft status by default, so you can be sure that HelloID does not execute the rule unintentionally. You can then proceed to modify the rule. Is the rule configured as desired? Do not forget to publish it so that HelloID actually executes the business rule.
Test Without Impact
Do you want to test a business rule without risk? Then testing on a single person is a useful option. How to set up and run such a test can be found here.
Also, remember to configure a notification for the configured business rule, if desired. This ensures that the right people are kept informed about the action this rule covers. You can read more about configuring notifications here.
Get Started
Do you want to start configuring business rules? Review our documentation, where you will learn everything about creating, managing, cloning, publishing, and deleting business rules. Do you have questions? Contact us for more information.