12.0 Mapping Authorizations

Most companies define their business policies through authorization assignments. Examples of authorizations are groups, roles, and profiles. The available authorizations differ for each SaaS application. For more information, see Supported Roles and Authorizations.

Authorizations give users access to resources. CloudAccess provides a simple solution that allows you to map your identity source roles (groups) to the SaaS application authorizations and approve or deny access to those authorizations.

Authorization categories are available for the connector types that provision users (Office 365, Google Apps, Salesforce, and ServiceNow). For connector types that provide only authentication, if they require mapped authorizations for entitlements instead of Public access, their authorizations are available in the Other Applications category.

Policy mapping is an essential step in enabling user access to most applications. By default, the Public access option is disabled for all connectors except the connectors for Basic SSO. When you configure appmarks for a connector, if you leave the Public option disabled, no users can see the appmark on the landing page until you have mapped the application authorizations to the desired identity source roles (groups) in Policy Mapping.

NOTE: Although CloudAccess allows you to map roles in social identity sources (such as Facebook) to provisioning SaaS applications (such as Google Apps), those mappings will not work. CloudAccess cannot provision users from any social media accounts, or from SAML 2.0 Inbound authentications. These are not full users in CloudAccess and cannot be provisioned.

The Policy Mapping page maps the authorizations from the SaaS applications to the roles (groups) in the identity sources and allows you to select whether the authorization requires an approval. If approval is required, the Approval page allows you to accept or deny the authorization request.
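
The rules above can be checked against a hand-maintained inventory of connectors and mappings. The following is an added example, not CloudAccess code or a CloudAccess export format: the record fields (`name`, `type`, `public`, `source_kind`, and so on), the `audit` function, and the sample data are all assumptions made up for illustration.

```python
# Added example: the record layout is hypothetical, not a CloudAccess export.
# Connector types and rules are taken from the text above; sample data is constructed.
PROVISIONING_TYPES = {"Office 365", "Google Apps", "Salesforce", "ServiceNow"}
NON_PROVISIONABLE = {"social", "saml2-inbound"}  # not full users in CloudAccess

def audit(connectors, mappings):
    """Return (severity, connector, message) findings for a policy-mapping inventory."""
    by_connector = {}
    for m in mappings:
        by_connector.setdefault(m["connector"], []).append(m)
    findings = []
    for c in connectors:
        rows = by_connector.get(c["name"], [])
        # Public is disabled by default everywhere except Basic SSO connectors.
        if c["public"] and c["type"] != "Basic SSO":
            findings.append(("review", c["name"], "Public access enabled (default is disabled)"))
        # Public off and nothing mapped: no user can see the appmark.
        if not c["public"] and not rows:
            findings.append(("error", c["name"], "no mapped authorizations; appmark hidden from all users"))
        # Social and SAML 2.0 Inbound users cannot be provisioned.
        if c["type"] in PROVISIONING_TYPES:
            for m in rows:
                if m["source_kind"] in NON_PROVISIONABLE:
                    findings.append(("error", c["name"],
                                     f"role {m['role']!r} comes from a {m['source_kind']} source; mapping will not work"))
    return findings

# Constructed sample inventory.
CONNECTORS = [
    {"name": "Google Apps", "type": "Google Apps", "public": False},
    {"name": "Salesforce", "type": "Salesforce", "public": False},
    {"name": "Wiki", "type": "authentication-only", "public": True},
    {"name": "Intranet links", "type": "Basic SSO", "public": True},
]
MAPPINGS = [
    {"connector": "Google Apps", "role": "Friends", "source_kind": "social",
     "authorization": "User", "approval_required": False},
    {"connector": "Google Apps", "role": "Staff", "source_kind": "directory",
     "authorization": "User", "approval_required": True},
]

if __name__ == "__main__":
    for severity, connector, message in audit(CONNECTORS, MAPPINGS):
        print(f"[{severity}] {connector}: {message}")
```

On the sample inventory this reports the social-source mapping on Google Apps, the unmapped Salesforce connector, and the Public setting on the Wiki connector.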