Business rules
Business rules play a crucial role in HelloID. Using these rules, you can meticulously dictate which accounts and authorisations the Identity & Access Management (IAM) solution writes to your target systems. While some might know these rules as an authorisation matrix, RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control) model, within HelloID, these definitions and technologies are collectively referred to as business rules. In this blog post, we guide you through business rules. You will learn all about setting up and managing business rules, as well as the opportunities they provide.
In this article
What are business rules?
A business rule is a principle that dictates under what conditions HelloID should perform certain actions and how these should be executed precisely. This way, you determine which authorisations HelloID writes and to whom the IAM solution assigns them. You are fully in control, deciding in detail on how HelloID will operate for you.
Using business rules, you can have HelloID execute scenarios in great detail. For instance, when a new employee joins the company, you can use a business rule to create an account a few days before their start date. A second business rule can link authorisations to this account. A third business rule ensures HelloID activates the account a day before the new employee starts working.
If desired, you can also combine accounts and authorisations into one business rule. When executing this rule, the order of operations is important; assigning authorisations is only possible after an account has been created. HelloID handles this sequence automatically and intelligently, ensuring correct processing. All you need to do is determine the conditions and manage the entitlements’ additions and subtractions.
How do you manage business rules?
Business rules are managed through the HelloID Provisioning dashboard. To do this, go to Business Rules, where on the left side of the screen under ‘Rules’, you will find an overview of all the set rules. On the right side of the screen, you can immediately see which individuals are affected by these business rules.
A particularly useful feature – especially if you have many business rules set up – is the ability to filter business rules by status or category. This way, you can quickly view all relevant business rules without having to manually sift through the list.
Creating a new business rule
To create a new business rule, click the plus button at the top of the page. Then, under ‘Condition’, you select the scope of the business rule. This is where you specify whether the individual should be active or inactive and, for example, you can select a person attribute, contract attribute, department or function as a criterion. On the right side of the screen, you will see all individuals who fall within the scope of this specific business rule. This allows you to immediately see if the set criteria have the desired effect.
The actions you want to execute within this business rule are specified under ‘Entitlements’. This could involve creating an account in your (Azure) Active Directory, granting authorisations for a specific business application, or logging a ticket in your ITSM package. If an individual falls within the scope of the business rule, HelloID carries out the related actions and, for instance, assigns a specific authorisation. If the individual no longer falls within the scope of the rule, perhaps due to a job change, then the right to the authorisation is automatically revoked.
It is important to assign a clear name and description to your business rules. The number of rules you work with can be substantial. By giving a clear name and description when creating a business rule, you can avoid a lot of searching later on. You can also assign business rules to categories, allowing you to bundle them together. You can then filter by these categories in the business rules overview, giving you immediate visibility of all the rules that fall within these categories.
Publishing a business rule
When you save a business rule, it is by default given the status ‘draft’. HelloID only executes published rules. Therefore, you can safely and without risk work on rules in draft status without them impacting users.
If you want a business rule to be included in HelloID’s evaluations and enforcements going forward, you must first publish it. To do this, click on the ‘Publish’ button.
Then, you can map out the impact of the change on your users through an evaluation. In the case below, the previously shown business rule has been expanded to include the assignment of a Nedap Ons user account. The evaluation reveals that by enforcing this rule, HelloID will create a Nedap Ons account for every individual who falls within the scope of that business rule.
If you have made changes to an existing business rule and wish to revert them, this can also be done at the click of a button; simply click on ‘Revert’.
Adjusting a business rule
In some cases, you may not want to create a new business rule, but rather adjust an existing one.
Consider adjusting the scope of the business rule, as well as the authorisations granted through the rule. To do this, open the existing business rule by clicking on the key icon behind the rule. You can then change all the settings.
Cloning a business rule
There might be situations where you want to reuse an existing business rule and make only a few minor changes. This can be achieved by cloning the rule, which duplicates it. The cloned business rule is initially set to draft status, ensuring that HelloID does not unintentionally execute the rule. You can then proceed to modify the rule. Once the rule is adjusted to your satisfaction, don’t forget to publish it so that HelloID can execute the business rule.
Testen without impact
If you want to test a business rule without any risk, testing on a single individual is an interesting option. You can find guidance on how to set up and execute such a test here.
Additionally, don’t forget to set up a notification for the configured business rule, if desired. This ensures that the right people are kept informed about the actions related to this rule. You can read more about setting up notifications here.
Getting started
Are you ready to start setting up business rules? Then also check out our documentation, where you can learn everything about creating, managing, cloning, publishing and deleting business rules. If you have any questions, please contact us for more information.
Written by:
KaHo Man