9.5 Mapping Authorizations

After the authorizations load, map the SaaS application authorizations to the identity source roles (groups). You can use filters in the search fields at the bottom of the window to filter applications and identity source roles.

NOTE: If you use wildcards such as an asterisk (*) or question mark (?) in the search filter field, CloudAccess does not correctly filter results. Filters must be full regular expressions, so any wildcards you use must be regular expression wildcards. If the filter starts with neither '^' nor '.*', then '.*' is added to the beginning of the filter. If the filter ends with neither '$' nor '.*', then '.*' is added to the end of the filter. Thus, a filter for "test" ends up as the regular expression ".*test.*".
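The rewriting rule in the note, as an added Python example (not CloudAccess code), shows why a shell-style wildcard lists more roles than intended and how to write the anchored regular expression instead. The function names and role names are constructed for illustration, and the example assumes whole-name matching with Python's regular expression syntax, which may differ from the appliance's engine.

```python
import re

# Constructed sample role (group) names; not taken from any real identity source.
ROLES = ["sales-emea", "sales-apac", "presales-emea", "salesforce-admins",
         "test", "contest-judges"]

def normalize_filter(user_filter):
    """Apply the rule from the note: add '.*' at either end unless the
    filter already starts with '^' or '.*' / ends with '$' or '.*'."""
    pattern = user_filter
    if not pattern.startswith(("^", ".*")):
        pattern = ".*" + pattern
    if not pattern.endswith(("$", ".*")):
        pattern = pattern + ".*"
    return pattern

def filter_roles(user_filter, roles):
    """Return the roles that the normalized filter matches in full.
    Assumption: whole-name matching using Python's regex syntax."""
    try:
        compiled = re.compile(normalize_filter(user_filter))
    except re.error:
        return []  # not a valid regular expression in Python's engine
    return [r for r in roles if compiled.fullmatch(r)]

def glob_to_filter(glob):
    """Translate a shell-style wildcard ('*', '?') into an anchored regex
    that the normalization rule leaves unchanged."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # literal characters stay literal
    return "^" + "".join(parts) + "$"

if __name__ == "__main__":
    # "sales-*" typed as a glob also lists presales-emea and salesforce-admins;
    # the anchored translation lists only the two sales-* roles.
    for f in ["test", "sales-*", glob_to_filter("sales-*"), "*"]:
        print(f"{f!r:16} -> {normalize_filter(f)!r:18} {filter_roles(f, ROLES)}")
```

Checking the filtered list before dragging a role into a mapping matters here, because an unanchored filter can place a similarly named group next to the one you meant to select.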

To map authorizations:

  1. Log in with an appliance administrator account to the administration console at https://appliance_dns_name/appliance/index.html.

  2. Click Policy at the top of the page.

  3. In the right pane of the Policy Mapping page, click the down arrow, then select the desired SaaS connector, or select Other Applications and select the application.

  4. In the Role Name column on the left, select the role (group) from the identity source you want to map to an authorization from the selected SaaS connector.

  5. In the right pane, drag and drop the desired authorization from the SaaS connector to the left mapping pane.

    or

    In the left pane, drag and drop the desired group from the identity source to the right mapping pane.

  6. (Optional) Click the Approvals icon to specify that an approval is required to grant access.

    NetIQ recommends a maximum of 2,000 simultaneous approvals. For more information about approvals, see Section 9.8, Approving Requests.

  7. Click OK to map the SaaS authorization to the identity source group.

The mapping grants access for users who are members of the identity source roles to the SaaS application authorization. When you add new users to the role (group) that is mapped to a SaaS account authorization, and the request is then approved (if approval is required), the users will see the associated appmark on the landing page or the MobileAccess application page. If the Prompt users for an existing account before provisioning option is enabled (available only for Salesforce), users are prompted to create a new SaaS account or to claim an existing account the first time they click or tap the appmark. If that option is not enabled, the accounts are provisioned automatically. For more information, see How CloudAccess Provisions User Accounts in the NetIQ CloudAccess Connectors Guide.

NOTE: If you map a group to a role in CloudAccess and the group is subsequently removed from scope or deleted from the identity source, CloudAccess removes the policy mappings as well. If you recreate the group or add it back to the scope, you must remap the group to the appropriate role on the Policy Mapping page in CloudAccess.