Enrollment on behalf can be performed in the operator's home tenant or in a "foreign" tenant (foreign from the operator's point of view). The configuration is always done in the tenant into which users will be enrolled (the target tenant): create the Admin Console configuration (privilege, operator enrollment profile) and the IGA - Governance configuration (invitation template) there, then grant permissions to the operators, from whichever tenants, who will use these invitation templates and enroll users on behalf into that tenant.
The configuration involves steps in both the Admin Console and the IGA - Governance console:
start in the Admin Console:
- assign the privilege [ANT ID OPERATIONAL CONSOLE] user enroll to enroll user for target tenant to the operator's role in the home tenant and/or in the target tenant
- create an operator enrollment profile in the target tenant: switch to the target tenant in the Admin Console and create the enrollment profile
- grant permission to operators from the executing tenant: open the Permissions feature of the new operator enrollment profile and grant permission to the group of operators
then continue in the IGA - Governance console:
- create an EXT invitation template and set the enrollment type to ON_BEHALF
- grant permission on the invitation template to operators from the home and/or foreign tenant: on the new template open the OPERATOR PERMISSIONS tab and grant permission to home and/or foreign operators so they can enroll users into this tenant with the new template
1. How to grant the privilege for ON BEHALF enrollment
Admin Console / Tenant configuration / Roles / edit privileges
Assign the privilege [ANT ID OPERATIONAL CONSOLE] user enroll to enroll user for target tenant to the operator's role in the home tenant and/or in the target tenant. Without this privilege the profile and template permissions granted in the following steps have no effect for that operator.
2. How to create a new enrollment profile for ON BEHALF enrollment
Admin Console / Tenant configuration / Enrollment configuration / new enrollment profile - OPERATOR

| Parameter | Description | Value |
| --- | --- | --- |
| Enrollment Name | free text | On behalf enrollment |
| Description | free text | Normal self enrollment (minimum 1 info + 1 token) |
| Priority | If a user belongs to several groups and each group has its own enrollment profile, the profile with the lowest priority number is selected (priority 1 is selected before priority 30). | 0 |
| Minimum required tokens | Number of tokens that must be enrolled for the enrollment to succeed. | 1 |
| Default profile | checkbox | False |
| User fields section | List of user fields; the checked user fields will be available on the on-behalf enrollment form. | |
| Tokens section | List of available token types; only Virtual/SMS/Email or HW tokens can be enrolled on behalf. The checked token types will be available on the on-behalf enrollment form. | |
3. How to set permissions for the new enrollment on behalf profile
Admin Console / Tenant configuration / Enrollment configuration / {specific profile} / Permissions
Select the tenant and the group.
Users from the selected tenant and group will be able to use this particular profile to enroll new users into the tenant. This can be used for operators from the same tenant to enroll users on behalf, or for operators from another tenant to enroll users on behalf. Because the permission delegates account creation into this tenant, grant it to a dedicated operator group rather than to a broad group.
For example:
- tenant A is the main tenant and tenant B is a service tenant for tenant A that sometimes substitutes for the operators of tenant A
- create the enrollment profile in tenant A and grant permissions to operators from tenant A so they can use this profile to enroll new users on behalf into tenant A
- also grant permissions to operators from tenant B so they can enroll new users into tenant A as well
Now operators from both tenants (A and B) can use this profile to enroll new users on behalf into tenant A.
4. How to create an invitation template for the new enrollment on behalf profile
1. Open the IGA - Governance section and go to Invitation configuration.
2. The list of invitation templates is displayed.
3. Press the ADD TEMPLATE button and fill in the template with the following parameters.

| Parameter | Description | Example value |
| --- | --- | --- |
| Template name | input box | template name |
| Description | input box; a description that makes the template easier to recognize in the onboarding process | description |
| Onboard type | select from the available options | LDAP |
| Enrollment type | select from the available options | ON_BEHALF |
| Require email address within onboarding | Checkbox controlling whether the contact details necessary for a successful invitation are collected. The behaviour is partially driven by the enrollment type selected above. | |
| Require phone number within onboarding | Checkbox controlling whether the contact details necessary for a successful invitation are collected. The behaviour is partially driven by the enrollment type selected above. | |
| Authentication type | select from the available options | OTP |
| OTP Address type | how the OTP code is delivered during the onboarding process | SMS |
| External resource | LDAP resource in which the users are created (used to obtain the stored information necessary for the onboarding process) | defined resource |
5. How to add an operator permission to use the template (part of the enrollment on behalf feature)
1. Go to the OPERATOR PERMISSIONS tab of the relevant template.
2. The list of users or groups with permission to use this template is displayed.
3. Press the ADD PERMISSION button.
4. Select the tenant whose operators (or group of operators) may use this template to enroll users on behalf, then select the user or group of users that receives the permission.
5. Press the CONFIRM button to save the permission.
6. The newly granted permission appears in the list of permissions.
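The procedure above amounts to three separate grants that all have to be in place for one operator: the role privilege (step 1), the profile permission for the operator's tenant and group (step 3), and the operator permission on an ON_BEHALF template (step 5), with the profile and template living in the target tenant. The following Python model, an added illustration and not the product's own code or API, encodes that rule for the tenant A / tenant B example from step 3 and shows which missing grant blocks an operator. The class names, the group names and the evaluation order are assumptions made for the example; the page does not document how the product itself orders its checks.

```python
"""Model of the grants required for on-behalf enrollment (illustration only).

The dataclasses and the function below are assumptions made for this
example; they are not the product's API.
"""
from dataclasses import dataclass, field

# Privilege name as it appears in the Admin Console (from the page).
ON_BEHALF_PRIVILEGE = (
    "[ANT ID OPERATIONAL CONSOLE] user enroll to enroll user for target tenant"
)


@dataclass(frozen=True)
class Operator:
    name: str
    home_tenant: str
    groups: frozenset      # operator groups in the home tenant
    privileges: frozenset  # privileges inherited from the operator's role


@dataclass
class EnrollmentProfile:
    """Operator enrollment profile created in the target tenant (Admin Console)."""
    tenant: str
    name: str
    permissions: set = field(default_factory=set)  # {(tenant, group)} from step 3


@dataclass
class InvitationTemplate:
    """EXT invitation template created in the target tenant (IGA - Governance)."""
    tenant: str
    name: str
    enrollment_type: str
    operator_permissions: set = field(default_factory=set)  # {(tenant, user_or_group)} from step 5


def can_enroll_on_behalf(op, target_tenant, profile, template):
    """Return (allowed, reason); every grant from the procedure must be present."""
    if ON_BEHALF_PRIVILEGE not in op.privileges:
        return False, "role lacks the on-behalf enrollment privilege (step 1)"
    if profile.tenant != target_tenant or template.tenant != target_tenant:
        return False, "profile and template must be created in the target tenant"
    if not any((op.home_tenant, g) in profile.permissions for g in op.groups):
        return False, "no profile permission for the operator's tenant and group (step 3)"
    if template.enrollment_type != "ON_BEHALF":
        return False, "template enrollment type is not ON_BEHALF (step 4)"
    # Template permissions can name a single user or a whole group.
    subjects = {(op.home_tenant, op.name)} | {(op.home_tenant, g) for g in op.groups}
    if not subjects & template.operator_permissions:
        return False, "no operator permission on the template (step 5)"
    return True, "allowed"


def build_tenant_a_config():
    """Tenant A configuration from the page's example (group names are constructed)."""
    profile = EnrollmentProfile("A", "On behalf enrollment")
    profile.permissions.update({("A", "operators"), ("B", "service-operators")})
    template = InvitationTemplate("A", "on-behalf-ext", "ON_BEHALF")
    template.operator_permissions.update({("A", "operators"), ("B", "service-operators")})
    return profile, template


def demo():
    """Evaluate four constructed operators against tenant A's configuration."""
    profile, template = build_tenant_a_config()
    priv = frozenset({ON_BEHALF_PRIVILEGE})
    operators = [
        Operator("alice", "A", frozenset({"operators"}), priv),          # home tenant operator
        Operator("bob", "B", frozenset({"service-operators"}), priv),    # foreign tenant operator
        Operator("carol", "B", frozenset({"service-operators"}), frozenset()),  # no privilege
        Operator("dave", "B", frozenset({"helpdesk"}), priv),            # group never granted
    ]
    return {op.name: can_enroll_on_behalf(op, "A", profile, template) for op in operators}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'} - {reason}")
```

The point of the denied cases is that a permission granted on the profile or the template alone is not enough, and that a foreign-tenant operator is authorized by tenant and group, so an operator in the same tenant but outside the granted group (dave) stays locked out.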