4.15.4 ZTrust (SSP) – Self Role Request and Approval Workflow

The ZTrust Self-Service Portal (SSP) gives users a centralized interface to view the roles assigned to them and to request access to additional roles.

  1. View Assigned Roles

    Users can easily review the roles currently assigned to their account. The SSP provides two perspectives for better visibility:

    • Application / Client-based View – Users can see roles assigned to them for specific applications or clients.

    • Realm-based View – Users can view roles that are assigned at the realm level, which apply across the environment.

    This helps users clearly understand what permissions they currently have and where they apply.

  2. Request Additional Roles

    If a user requires access to a role that is not currently assigned, they can submit an access request directly through the Self-Service Portal.

    The portal supports requesting both:

    • Client / Application Roles – Roles specific to an application.

    • Realm Roles – Roles that apply across the entire realm.

Prerequisites

Before using the Role Access and Request feature in the ZTrust Self-Service Portal (SSP), ensure the following configurations are completed:

  1. SMTP Configuration

    1. SMTP must be configured in the system to enable email communication.

    2. This is required for sending notifications related to role requests and approvals.

  2. Role Availability

    1. The realm or application (client) must have roles configured.

    2. Only roles that exist in the system can be requested through the SSP.

Step-by-Step Guide

You can access the Self-Service Portal (SSP) at:

https://{your-host-url}/realms/{your-realm-name}/account

Replace {your-host-url} with your ZTrust server base URL.

Replace {your-realm-name} with the actual realm name configured in ZTrust.

Step 1: Log in to the Portal

  1. Open the ZTrust Self-Service Portal (SSP).

  2. Log in using your registered credentials.

  3. After successful authentication, the SSP dashboard will be displayed.

Step 2: Navigate to Applications

  1. From the left-side navigation menu, select Applications.

  2. This will navigate you to the Applications section.

In this section, you will see the list of applications integrated with ZTrust within the realm that you have access to.

Step 3: Select an Application

  1. The application list displays all applications available to the user.

  2. The SSP will also indicate which application is currently being used.

  3. Select any application from the list.

After selecting an application, a popup window will appear displaying the role details for that application.

Step 4: View Role Types

Inside the popup, you will see two types of roles:

  • Realm Roles

  • Client Roles

For this example, select Realm Roles.

Step 5: View Available and Assigned Roles

Under the selected role type, two sections will be displayed:

Available Roles

These are the roles that exist in the realm but are not currently assigned to you.

Assigned Roles

These are the roles that are already assigned to you, meaning you currently have access to them.

Step 6: Request a New Role

If you require access to a role that is not assigned:

  1. Click Request a New Role.

  2. Select the role you want to request from the available roles list.

  3. Provide a reason for requesting the role.

  4. Click Submit Request.

Step 7: Role Request Submitted

Once the request is submitted:

  1. Your role request is successfully sent from the Self-Service Portal.

  2. The request will be reviewed by administrators or approvers.

Step 8: Role Request – Pending State

After submitting a role request, the requested role will move to a Requested state.

  • The Requested state indicates that the request has been successfully submitted and is waiting for administrator review.

  • While the request is in the Requested state, the same role cannot be requested again.

  • The role will appear as non-selectable (disabled) in the role request list until the administrator approves or rejects the request.

Important Notes

  • Users cannot submit duplicate requests for the same role while it is pending.

  • Once the administrator approves or rejects the request:

    • If approved, the role will appear under Assigned Roles.

    • If rejected, the user may submit a new request if required.

Admin Approval Flow

Step 9: Role Request Notification to Admin

After a user submits a role request from the ZTrust Self-Service Portal (SSP), the administrator receives an email notification containing the request details.

This email provides the administrator with the necessary information about the requested role and the reason provided by the user.

Step 10: Admin Reviews the Request

  1. The administrator clicks the Admin Console link provided in the email.

  2. This redirects the administrator to the ZTrust Admin Console.

  3. The admin can view:

    1. The requested user

    2. The requested role

    3. The reason provided by the user

    4. The current request status

The admin will be presented with two actions:

  • Approve

  • Deny

Step 11: Approve the Request

If the administrator selects Approve:

  • The requested role will be assigned to the user.

  • The user will now have access to the approved role.

  • The request status will be updated to Approved.

  • The user will receive an email notification confirming the approval.

Step 12: Deny the Request

If the administrator selects Deny:

  • The requested role will not be assigned to the user.

  • The request status will be updated to Rejected.

  • The user will receive an email notification informing them that the request has been rejected.

After rejection, the user may submit a new request if access is still required.

Important Note

All role request activities and responses (including request submission, approval, and rejection) are communicated through email notifications to ensure transparency and proper tracking of access requests.
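The request lifecycle from Steps 6 to 12 can be written down as a small state model, which is useful when reviewing or testing that the rules above hold (no duplicate while a request is in the Requested state, re-request allowed after rejection, role assigned only on approval). This is an added example, not ZTrust code: the class, field names and the in-memory mail list standing in for SMTP are assumptions.

```python
from dataclasses import dataclass, field

class RequestError(Exception):
    """Raised when a request or decision violates the documented rules."""

@dataclass
class RoleRequestModel:
    # Hypothetical in-memory model; names are illustrative, not the ZTrust schema.
    realm_roles: set                               # roles configured in the realm
    assigned: dict = field(default_factory=dict)   # user -> set of assigned roles
    status: dict = field(default_factory=dict)     # (user, role) -> latest request status
    mail: list = field(default_factory=list)       # (recipient, event), stands in for SMTP

    def available(self, user):
        """Roles that exist in the realm but are not assigned to the user."""
        return self.realm_roles - self.assigned.get(user, set())

    def selectable(self, user):
        """Available roles minus those disabled by a pending (Requested) request."""
        return {r for r in self.available(user)
                if self.status.get((user, r)) != "Requested"}

    def request(self, user, role, reason):
        if role not in self.realm_roles:
            raise RequestError("role does not exist in the realm")
        if role in self.assigned.get(user, set()):
            raise RequestError("role is already assigned")
        if self.status.get((user, role)) == "Requested":
            raise RequestError("a request for this role is already pending")
        # Assumption: an empty reason is refused; the page only says to provide one.
        if not reason.strip():
            raise RequestError("a reason is required")
        self.status[(user, role)] = "Requested"
        self.mail.append(("admin", f"request:{user}:{role}:{reason}"))

    def decide(self, user, role, approve):
        """Admin action: Approve assigns the role, Deny leaves it unassigned."""
        if self.status.get((user, role)) != "Requested":
            raise RequestError("no pending request to decide")
        if approve:
            self.assigned.setdefault(user, set()).add(role)
        self.status[(user, role)] = "Approved" if approve else "Rejected"
        self.mail.append((user, f"{self.status[(user, role)].lower()}:{role}"))
        return self.status[(user, role)]
```
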
