The Eligibility Widget is a Registry Dashboard plugin that allows for self service management of COU Memberships.
Availability
The Eligibility Widget is available in COmanage Registry version 4.4.0.
Description
In some IAM infrastructure deployments, Society Memberships translate to eligibility for access to restricted instances/resources. These Society Memberships are obtained via Organizational Identity Sources, which are generally queried via Enrollment Flows, at initial signup and then later to add additional society memberships on demand. Eligibilities translate to CO Person Roles in a specific COU.
The Enrollment Flow process, in particular for additional society memberships, is heavy and not particularly amenable to Self Service. It is tightly coupled to email address collection for historical reasons. As a result, it is desirable to decouple Society Membership from Enrollment Flow execution, and to facilitate self service.
Features
Process 1: Request Registration of an Open Society Membership
An Open Society Membership is indicated by a CO Person Role linked to a COU. The plugin configuration allows selecting zero or more COUs that can be added through self-service, with user-friendly descriptions displayed rather than the COU names.
Dashboard Widget Functionality:
- Join Button: When rendered, any eligible COUs that the CO Person is not currently a member of (i.e., no Active or Grace Period status in the specified COU) will display a Join button. Clicking this button will create a new CO Person Role within the specified COU and set its status to Active.
- Leave Button: COUs of which the CO Person is currently a member will display a Leave button. Clicking this button will set the relevant CO Person Role to Expired by assigning a valid through date of one second before the current time.
This functionality is similar to the existing Service Portal "Service Group" feature but applies to CO Person Roles instead of CO Groups.
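The Join/Leave rules above can be modeled as a small state check. The following Python sketch is an added example, not the plugin's own code: the `Role` class, the status strings and the function names are hypothetical, and re-checking the button decision when the action runs is a design choice of this sketch rather than documented plugin behavior.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statuses named on the page; the string values are placeholders for this sketch.
ACTIVE, GRACE_PERIOD, EXPIRED = "Active", "GracePeriod", "Expired"
MEMBER_STATUSES = {ACTIVE, GRACE_PERIOD}

@dataclass
class Role:  # hypothetical stand-in for a CO Person Role
    cou: str
    status: str
    valid_through: Optional[datetime] = None

def buttons(configured_cous, roles):
    """Map each self-service COU to the button the widget would render."""
    member_of = {r.cou for r in roles if r.status in MEMBER_STATUSES}
    return {cou: "Leave" if cou in member_of else "Join" for cou in configured_cous}

def join(configured_cous, roles, cou):
    """Create a new Active role, only for a configured COU the person is not in."""
    if buttons(configured_cous, roles).get(cou) != "Join":
        raise PermissionError(f"join not offered for {cou!r}")
    role = Role(cou, ACTIVE)
    roles.append(role)
    return role

def leave(configured_cous, roles, cou, now=None):
    """Expire the current role(s): valid through one second before now."""
    if buttons(configured_cous, roles).get(cou) != "Leave":
        raise PermissionError(f"leave not offered for {cou!r}")
    now = now or datetime.now(timezone.utc)
    changed = [r for r in roles if r.cou == cou and r.status in MEMBER_STATUSES]
    for r in changed:
        r.status, r.valid_through = EXPIRED, now - timedelta(seconds=1)
    return changed
```

Because an Expired role no longer counts as membership, a COU the person has left shows Join again, and a later join adds a new role instead of reviving the expired one.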
Process 2: Request Registration of an Automatic Society Membership
Automatic Society Memberships generally involve those associated with an Active Organizational Identity Source configured in Query Sync Mode. When a matching verified email address is found in the relevant Society Database, an Org Identity is created from that backend and linked to the CO Person via a Pipeline.
Plugin Configuration:
- The plugin configuration allows selecting zero or more Org Identity Sources that are Active and in Query Sync Mode as eligible for self-service query, each with a user-friendly description.
Dashboard Widget Functionality:
- Verify Eligibility Button: Upon rendering, the plugin will check for any Organizational Identities associated with the configured OIS. If none are found, a Verify Eligibility button will be displayed.
Not all Active, Query Sync Mode OIS configurations are eligible for self-service usage as some might be reserved for testing purposes.
Configuration
This is a non-core plugin; see Installing and Enabling Registry Plugins for more information. The plugin is found at app/AvailablePlugin/EligibilityWidget.
- The Eligibility Widget must be attached to a suitable Dashboard; create one if one is not already available.
- Add a new Dashboard Widget, with the Plugin set to EligibilityWidget.
- On the plugin configuration page,
  - Set the Registration Mode to:
    - Allow OIS Registration
    - Allow COU Registration
  - Choose the list of Organizational Identity Sources in order to add Communities/COUs. The OIS plugin instances are assumed to have been already configured.
  - For each Organizational Identity Source add a
    - description, the friendly name used by the widget's drop-down list
    - order, in which order the OIS will be processed
Screenshots
- Add/Edit the list of memberships the user can join
Plugin's main configuration view.
- Select the mode
- Preview list of available Communities the user can join
- Widget view. Present list of:
- available membership, can request membership
- active memberships, has already joined