Multiplier handles provisioning of applications by assigning the requester user to a group connected to the application. An application might be connected to multiple groups with different levels of privileges.
When configuring an application for self serving provisioning through the catalog, you can specify zero, one, or more different types of access, and for each type of access, you can specify none or multiple groups in your identity provider.
At the moment of provisioning the application for a user, the user will be assigned the groups connected to the selected access type.
For instance, for a given application you might want to offer a Regular access type, which will grant access to low privileges groups, and an Admin access type, which might grant elevated permissions. Furthermore, you might want the provisioning for a regular access type to be granted immediately, while requiring approval for Admin access.
How to Set it Up?
When you open the Applications' page, by clicking Apps > Multiplier in the Jira Nav Bar, you will find the list of all the applications we have discovered from your Identity Providers, along with any custom applications you might have created.
In this example, we can see there are some applications connected to Okta, and some custom applications. What follows is identical for both idP sourced and custom applications.
By clicking on the name of an application, its profile will be displayed. Lets open the configuration screen for Microsoft Office 365.
The application's page will allow you to edit some attributes of the application. One particularly useful piece of information is the Identity Groups property. If the application was found in your identity provider, the list of groups connected to the application will be listed there.
Let us head to the Provisioning tab.
As you can see, no provisioning groups have been created yet. Lets click on the Plus sign button to create a new one. We will call it "Regular", to represent a low level regular access. The click on the Assign Group selector.
When the Group selector expands, it will display all the connected identity providers, specifying in which ones the application has been found. In this case, it was only found in Okta, so we will pick a group from there, but you are allowed to select another provider in which the application hasn't been found.
Once you click on the provider, the selector will retrieve the list of groups for it.
Since the application was indeed found in the provider, and it was connected to some groups, the selector will first display the groups with access to the application. You can select more than one group, and you can even select groups from different providers. Lets select a few, and also create an Admin type of access.
When more than one Access Type has been created, the user will be prompted to select one while requesting the application. By default, they will only be able to select one. If you want them to be able to select more than one access type, make sure to check the "Allow users to select multiple access types" checkbox.
Time Based Provisioning
Multiplier allows for time based provisioning. When this is enabled, the user will be prompted to select (if there is more than one time frame enabled), the duration of the provisioning. Once the provisioning time frame has elapsed, the requested Access Types will be automatically deprovisioned.
You can select any time you want, from 1 minute to basically infinity.
Once you are happy with your selections, click the Update button.
Requiring Approval
As mentioned above, you might want some access types to require approval before the provisioning actually happen. Once you have saved the created access types, head to the Approvals tab.
Here you will be able to select one or more approvers for your Access Types. If none is selected, provisioning will happen as soon as the user submits the provisioning request.
When there is one or more approvers selected for an access type, they will be set as approvers for the created request. Once the issue has been approved, the provisioning will take place.
An approver could be:
The application's owner.
A Jira User.
The manager of the user in the identity provider (if the application is connected to an idP)
It is important to note that you will only be able to configure Approvals if the Approval Workflow has been enabled in the configuration.
Once you are happy with your configuration, click Update to save the changes.