Once you have populated your App inventory and identified your managed apps, you can start using Trelica to manage when and how individuals are given access to those apps.
Managing access to apps via Trelica can help you to:
- Ensure that people always have access to the apps they need to do their work.
- Keep track of open requests for access and changes to users' access levels.
- Record how and when access was granted, including any approvals that were given and the level of access that was granted.
- Facilitate access reviews and remove unnecessary user accounts, thereby reducing license costs and improving security.
How access to an app is managed typically falls into two main groups:
- Birthright apps: These are apps that individuals are given automatically based on their team. Examples include apps used by everyone in your organization, such as your employee benefits system, and apps required by all members of a specific team, such as the accounts system used by the finance department. You can use onboarding workflows to grant new employees and contractors access to birthright apps automatically.
- Requestable apps: These are apps that you have approved for use within your organization and which you want to allow users to access if they decide they need them. This is ideal for apps that are widely used but not always essential, such as business productivity tools or video conferencing platforms. You can enable the App Hub to allow individuals to browse and request access to sanctioned apps.
Apps can fall into both groups. For example, a whiteboarding app might be a birthright app for all members of the product management team and a requestable app for anyone else in your organization.
Configure access policies and levels
Before you can grant individuals access to apps via onboarding workflows and/or the App Hub, you need to define how and when access is granted by configuring access levels and access policies.
From your App inventory, open each of your managed apps and use the Overview tab to configure one or more access levels and policies as required.
We recommend assigning an owner and IT admin to each managed app so that they can take responsibility for approving new app users, actioning provisioning tasks, and reviewing who currently has access to managed apps.
Access levels
Access levels determine how access is granted to an app, including:
- How app users are provisioned when access is requested and approved (if required):
  - Direct: If you have connected the app to Trelica and the integration supports it, you can select this option to provision app users automatically. If your Identity Provider (such as Okta) supports provisioning users for the selected app, this option is also displayed. For more information about connecting apps to Trelica, see Grant Trelica access to apps.
  - Manual: Creates a provisioning task in Trelica and assigns it to the app's IT Admin. You can view these tasks from the app profile and the person profile, as well as from the Tasks list.
  - Off: Select this option if you just want to record when a request for access is made (either via an onboarding workflow or from the App Hub) but you do not want to manage provisioning the user via Trelica.
- The type of license and role that new app users will be given. If an integration is available, you may be able to set the license and/or role as part of direct provisioning. If this option is not available, the license type and/or role are recorded in the provisioning task.
- For some apps, you can also specify other provisioning details, such as whether new app users will be required to change their password on first login.
To begin with, we recommend creating access levels to reflect the most common types of app user. For example, you might have a standard access level with basic permissions that is used for most app users, and an administrator access level for users that require elevated privileges. For apps with multiple license tiers, you may also want to create different access levels for free users and paid users.
Access policies
Access policies define when individuals should be given access to an app, and include a number of settings:
- Teams: An access policy can either apply to everyone in your organization or to members of one or more teams. If you have not set up teams in Trelica, you can still configure access policies that apply to everyone equally.
- Requestable: Allows members of the selected team to request access to the app from the App Hub. The app must also be listed in the App Hub.
- Birthright: Grants new employees or contractors access to the app via an onboarding workflow. When the workflow runs, an access plan is created for all of the new starter's birthright apps.
- Approval: To require approval by up to two Trelica users before an app user is provisioned (either directly via an integration or manually), either select your default approval process or define a custom approval process for the app. To edit the default approval process for all apps, go to Settings > App Hub > Default approval.
You can create multiple access policies for the same access level. For example, you might create an access level for the Pro tier of Zoom, and use it in both:
- A birthright access policy that grants a Pro license to all members of the leadership team, with no approval required.
- A requestable access policy that allows members of other teams to request a Pro license for Zoom, subject to approval by their line manager and the app owner.
If you also want anyone in your organization to be able to use the Basic tier of Zoom, you could create an access level for the Basic tier and add an access policy that makes the Basic access level requestable by everyone in your organization.
Grant access to requestable apps
If you have configured requestable access policies for any of your managed apps, enable the App Hub and grant everyone in your organization access to it.
From the App Hub, individuals can browse all managed apps (or a subset thereof, depending on your settings). When a user views an app that they can request access to (either because the app is requestable by everyone in the organization, or because they belong to a team identified in the access policy), a "Request access" option is displayed.
Depending on the app access policies, users may either be granted access immediately or they may have to wait for approval and/or manual provisioning. You can view the apps that a user has requested access to and the status of their requests from the Access tab on both the person profile and the relevant app profiles.
For more information about making the App Hub available, see Configure the App Hub.
Trelica users with "Contributor" or "Owner" permissions on the app can also request access from the app profile. This includes the app Owner, the app IT admin, and Trelica admin users. For more information about permissions, see User roles.
Grant access to birthright apps
If you have configured birthright access policies for any of your managed apps, create an onboarding workflow to grant new employees and contractors access to those apps when they join your organization.
Use the "Generate access plan" workflow step to identify each new starter's birthright apps. You can also customize the access plan further if required using the "Add to access plan" step. Then, use the "Run access plan" workflow step to create the access requests. For more information, see Automate employee onboarding.
Each time the workflow is run for a new starter, the app access requests are recorded on the Access tab of both the person's profile and the relevant app profiles, together with any actions that need to be taken:
- If the access policy requires the request to be approved, a task is created and assigned to the relevant approver(s).
- For access policies with direct provisioning, the user account is created automatically once access has been approved (or immediately if no approval is required).
- If manual provisioning was configured, provisioning tasks are created and assigned to the app IT Admin.
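The Zoom example above and the three onboarding actions just listed can be tried out in a small model of access levels, access policies and access plans. This is an added example written for this page, not Trelica's own code or API: the data classes, the "line_manager" and "app_owner" approver tokens, the sample apps ("Zoom", "Benefits", "Ledger") and the owner and IT admin names are all assumptions made for the illustration. The resolution rules follow the text: a policy with no teams applies to everyone; a requestable policy only shows "Request access" if the app is also listed in the App Hub; an approval task is created before any provisioning; direct provisioning runs via the integration, manual provisioning creates a task for the app IT Admin, and "Off" only records the request.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessLevel:
    app: str
    name: str          # e.g. "Pro", "Basic", "Administrator"
    provisioning: str  # "direct", "manual" or "off", the three options on the page


@dataclass(frozen=True)
class AccessPolicy:
    level: AccessLevel
    teams: frozenset = frozenset()  # empty means the policy applies to everyone
    birthright: bool = False
    requestable: bool = False
    approvers: tuple = ()           # assumed tokens: "line_manager" / "app_owner", max two


@dataclass(frozen=True)
class Person:
    name: str
    teams: frozenset
    manager: str


@dataclass(frozen=True)
class AccessRequest:
    person: str
    app: str
    level: str
    source: str       # "onboarding" (from an access plan) or "app_hub"
    approvals: tuple  # resolved approver names, in order
    next_step: str    # the first task that would be created for this request


def policy_applies(policy, person):
    """No teams = everyone; otherwise the person must belong to one of the policy's teams."""
    return not policy.teams or bool(policy.teams & person.teams)


def resolve_approvers(policy, person, app_owners):
    """Turn approver tokens into concrete people; the page caps approval at two users."""
    if len(policy.approvers) > 2:
        raise ValueError("an access policy may require at most two approvers")
    lookup = {"line_manager": person.manager, "app_owner": app_owners[policy.level.app]}
    return tuple(lookup[token] for token in policy.approvers)


def next_step(approvals, level, it_admins):
    """Mirror the actions listed on the page: approval first, then provisioning."""
    if approvals:
        return f"approval task -> {approvals[0]}"
    if level.provisioning == "direct":
        return "provision via integration"
    if level.provisioning == "manual":
        return f"provisioning task -> {it_admins[level.app]}"
    return "record only"  # provisioning "Off": the request is logged, nothing is actioned


def create_request(person, policy, source, app_owners, it_admins):
    approvals = resolve_approvers(policy, person, app_owners)
    return AccessRequest(person.name, policy.level.app, policy.level.name, source,
                         approvals, next_step(approvals, policy.level, it_admins))


def generate_access_plan(person, policies):
    """'Generate access plan': every birthright policy whose teams match the new starter."""
    return [p for p in policies if p.birthright and policy_applies(p, person)]


def run_access_plan(person, plan, app_owners, it_admins):
    """'Run access plan': one access request per planned policy."""
    return [create_request(person, p, "onboarding", app_owners, it_admins) for p in plan]


def requestable_policies(person, policies, app_hub_apps):
    """What shows 'Request access' in the App Hub: a requestable policy that matches the
    person AND an app that is listed in the App Hub (both conditions are required)."""
    return [p for p in policies
            if p.requestable and p.level.app in app_hub_apps and policy_applies(p, person)]


# Constructed sample configuration following the Zoom example on the page.
ZOOM_PRO = AccessLevel("Zoom", "Pro", "direct")
ZOOM_BASIC = AccessLevel("Zoom", "Basic", "direct")
BENEFITS = AccessLevel("Benefits", "Standard", "off")
LEDGER = AccessLevel("Ledger", "Standard", "manual")
POLICIES = [
    AccessPolicy(BENEFITS, birthright=True),  # birthright for everyone, no approval
    AccessPolicy(LEDGER, frozenset({"finance"}), birthright=True, approvers=("app_owner",)),
    AccessPolicy(ZOOM_PRO, frozenset({"leadership"}), birthright=True),
    AccessPolicy(ZOOM_PRO, frozenset({"engineering", "finance", "sales"}), requestable=True,
                 approvers=("line_manager", "app_owner")),
    AccessPolicy(ZOOM_BASIC, requestable=True),  # requestable by everyone
]
APP_OWNERS = {"Zoom": "owner.zoom", "Benefits": "owner.hr", "Ledger": "owner.fin"}
IT_ADMINS = {"Zoom": "it.zoom", "Benefits": "it.hr", "Ledger": "it.fin"}
APP_HUB = {"Zoom"}  # only Zoom is listed in the App Hub in this sample

if __name__ == "__main__":
    dana = Person("dana", frozenset({"leadership"}), "ceo")
    for r in run_access_plan(dana, generate_access_plan(dana, POLICIES), APP_OWNERS, IT_ADMINS):
        print(r)
    sam = Person("sam", frozenset({"engineering"}), "eng.mgr")
    for p in requestable_policies(sam, POLICIES, APP_HUB):
        print(create_request(sam, p, "app_hub", APP_OWNERS, IT_ADMINS))
```

Running it shows the two paths side by side: a leadership starter gets Benefits (recorded only) and Zoom Pro (provisioned via the integration) from the access plan, while an engineer gets only Benefits at onboarding and sees Zoom Pro (two approvals, line manager first) and Zoom Basic (no approval) as requestable. A finance starter's Ledger request waits on the app owner and only then becomes a manual provisioning task for the IT admin, which is the ordering the onboarding actions above describe.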
To view the progress of the workflow, open the person's profile page, select the Workflows tab and click the relevant workflow run.
For more information about setting up an onboarding workflow, see Automate employee onboarding.
In some cases you might want to trigger employee onboarding from another system such as Jira (using an API webhook trigger). In this case, you can use the "Add to access plan" workflow step with a lookup table to generate an access plan based on the apps specified in a Jira ticket. For more information about triggering workflows from Jira, see Provisioning users and applications from a Jira action. For assistance setting up the workflow and lookup table, contact Trelica support and customer success.
Next steps
Once you have configured app access policies, created onboarding workflows and enabled the App Hub, access requests will start to be created for your managed apps. You can view and action these requests from either the person profile or the app profile. For more information, see App access requests.