Skip to content

Configuring Apps

Applications, or apps, are used in access requests and in password management.

  • For access requests, applications group a source's access profiles to help your users find and request the access they need.
  • For password management, you must define an application to support password changes for a source.

In most cases, you will define your own custom applications to represent your enterprise systems, though you can also use and customize the pre-defined apps included on the administrative Applications page.

Naming Your Apps

The names you choose for applications should be the system names recognized by your end users. Often, that simply means creating an application with the same name as its source.

You can also define multiple applications for a single source. This is common for directory systems like Active Directory, which often contain entitlements that manage access to other enterprise systems.

For example, if users are authorized to use your Expense system through Active Directory groups, they would need to request AD groups to get access to the Expense system. Since users might not realize this, you can help them by creating an application called Expense, choosing Active Directory as its account source, and associating the relevant access profiles on AD with the Expense application. Then, when users need to request Expense system access in the Request Center, they search for the access profiles they need under the name they know, Expense, instead of Active Directory.

Grouping access under application names that your users understand helps them find and request the access they need.

Important

Typically, when you define multiple applications for a source, you create a primary application named after and representing the source itself in addition to secondary applications that represent other systems managed through the source. This primary app is especially important for password management.

Creating a New App

Create apps to support password management or access profile requests.

  1. Go to Admin > Applications.

  2. Select + New, provide an app name and description, and select Continue.

    The app name can be a maximum of 128 characters. Refer to Naming Your Apps for guidance.

  3. On the Configuration tab, set App Accounts Created By to Admin (IT).

    Note

    App Accounts Created By Users is a setting that applied only to legacy single sign-on functionality.

  4. Under Account Source, select the source that holds the account and entitlement data for this application.

  5. Select Save.

    Note

    You must select Save on each tab before changing tabs or exiting the page.

  6. (Optional) Configure your application to be used for access requests.

  7. (Optional) Configure your application to be used for password management.

Configuring an App for Access Requests

You must enable the app for access requests and configure attributes to support requests. Then add access profiles to the application.

  1. Select Visible in the Request Center and Allow Access Requests to make an application and its access profiles appear in the Request Center.

  2. Select Save.

  3. Select the Settings tab.

  4. (Optional) Under General Settings, edit the App Name and App Description as needed. These are shown to users in the Request Center.

  5. (Optional) Select the Edit icon next to App Icon to upload an image. This image is displayed with the application name in the Request Center.

    Image Requirements

    • The image must be a PNG or JPG.
    • The image must be smaller than 5MB.
    • Use a 1:1 width:height ratio to avoid distortion in the icon.
  6. In App Owner, begin typing the name of a user in your system to select a user as the owner for the app. The app owner can be configured as an access request reviewer for access profiles associated with this app.

You must then add one or more access profiles to configure access requests with applications.

Adding Access Profiles to Apps

Adding access profiles to an application groups them together within the application in the Request Center. Access profiles are also individually requestable.

  1. Select the application's Access tab.

  2. Begin typing an access profile name in the Add Existing Access Profiles box to search for an access profile in your system. Select the access profile from the list. Repeat for all access profiles you want to associate with the application.

  3. Select Save.

    Note

    If you need to create an access profile for this app, select + New. You will be redirected to the Access Profile creation page. When you are done defining the access profile, you can return here and select it to add it to the application.

  4. When you are ready to make this application visible to users in the Request Center, return to the Configuration or Settings tab, change Enable For Users to ON, and select Save.

    This setting also enables the app for password management.

Configuring an App for Password Management

To support password management for a source, you need to configure the primary application, representing the source itself and all of its accounts, with these settings:

  1. On the application's Configuration tab, under Account Source, select All Users from Source. This allows all users with an account on that source to manage their passwords through this app.

    Note

    When you have multiple applications defined for a source, refer to Passwords and Multi-Application Sources for details about configuring secondary applications with the Specific Users from Source option.

  2. Select Save.

  3. The password-related sections at the bottom of this tab are read-only fields.

    • The Password Source is automatically the source you selected as the Account Source.
    • The Password Policy is the primary password policy selected in the source definition.

    To view or modify the source or the password policy, select the Edit icon next to the field. You will be redirected away from this page. When you finish your changes, return here to complete the remaining steps.

  4. (Optional) On the Settings tab, under General Settings, select the Edit icon next to App Icon to upload an image. This image is displayed with the application name on the Password Manager page.

    Image Requirements

    • The image must be a PNG or JPG.
    • The image must be smaller than 5MB.
    • Use a 1:1 width:height ratio to avoid distortion in the icon.
  5. Select Save.

  6. When you are ready to make this application visible to users for password management, set Enable For Users to ON and then select Save. This option appears on both the Configuration and Settings tabs.

Passwords and Multi-Application Sources

Passwords are managed per source. When you have multiple applications defined for the same source, those applications share the same password, so Password Manager groups all applications for each source together to show that relationship.

Typically, only the applications the user has access to should appear in that list. To ensure that only the relevant users see these secondary applications:

  1. On the Configuration tab, under Account Source, choose Specific Users from Source for those applications.
  2. Select Save.

    Note

    The Specific Users from Source option depends on the access profiles associated with the application. When you save this configuration, if you have not yet added access profiles, you will see a warning that the app needs additional configuration. You must add one or more access profiles to define which users from the source should have this application.

Consider the Expense example from the Naming Your Apps section. While all users might have AD accounts and should be able to reset their AD passwords, only some AD users might have access to the Expense system through AD groups. Choosing Specific Users from Source for the Expense application means only users with one or more of the Expense access profiles have the Expense application included in their Password Manager list.

For users with Expense system access, both applications appear under the Directory source in Password Manager:

Two apps grouped with one source for password changes

For users with an AD account who don't have Expense system access, only the Directory application is listed:

Single app for source for password changes

Important

The primary application for the source should always specify All Users from Source unless you only want password management to be available to a subset of users on the source.

Editing an App

App settings can be changed for any of your custom apps or the predefined ones.

  1. Go to Admin > Applications.
  2. In the search box, search for any part of the app name to filter the list of apps.
  3. Select the app you want to edit.
  4. Modify the attributes as described in preceding sections, and select Save on each tab as you make changes.

Applying Changes for Applications

If you are using access profiles to constrain which users can reset passwords for your applications, you must update your users' password management applications when you change the list of access profiles associated with your applications.

On the Applications list page, select Apply Changes to initiate identity processing for all identities in your organization and update your users' password management applications.

For best system performance, wait to select Apply Changes until you are ready to apply the whole set of configuration changes to your whole set of identities. Selecting it for roles, access profiles, or applications automatically processes all three.

Hiding an App from Users

Disable an app to temporarily remove it from the Request Center and the Password Management list.

  1. Go to Admin > Applications.
  2. Select the app you want to edit.
  3. On the Configuration tab, set Enable For Users to OFF.
  4. Select Save.

Note

  • This setting overrides the Visible in the Request Center and Allow Access Requests checkboxes.

Seeing a User's Apps

You can view what apps a user has access to.

  1. Go to Admin > Identity Management > Identities.
  2. Select the name of the user whose apps you want to see.
  3. Select the Applications tab to see the apps available to the user.

If the user has any of the access profiles associated with an application, or if they have an account on an application that you have configured for all users from source, that app is listed on this page.