After the authorizations load, map the SaaS application authorizations to the identity source roles (groups).
Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.
Click Policy at the top of the page.
In the right pane of the Policy Mapping page, click the down arrow, then select the desired SaaS connector, or select Other Applications and select the application.
In the Role Name column on the left, select the role (group) from the identity source you want to map to an authorization from the selected SaaS connector.
In the right pane, drag and drop the desired authorization from the SaaS connector to the left mapping pane.
or
In the left pane, drag and drop the desired group from the identity source to the right mapping pane.
(Optional) Click the Approvals icon to specify that an approval is required to grant access.
NetIQ recommends a maximum of 2,000 simultaneous approvals. For more information about approvals, see Section 6.8, Approving Requests.
Click OK to map the SaaS authorization to the identity source group.
The mapping grants access for users who are members of the identity source roles to the SaaS application authorization. When you add new users to the role (group) that is mapped to a SaaS account authorization, and the request is then approved (if approval is required), the users will see the associated appmark on the landing page or the MobileAccess application page. If Prompt Before Provisioning is not enabled, the accounts are provisioned automatically. If Prompt Before Provisioning is enabled (available for Salesforce and Google Apps only) users are prompted to create a new SaaS account or to claim an existing account the first time they click or tap the appmark. For information, see How CloudAccess Provisions User Accounts
in the NetIQ® CloudAccess Connectors Guide.