
Identity Manager 8.1.4 - Business Roles Administration Guide


Functional areas

To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how many rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.

Example of using functional areas:

To assess the risk of rule violations for business roles, proceed as follows:

  1. Set up functional areas.

  2. Assign business roles to the functional areas.

  3. Define assessment criteria for the business roles.

  4. Specify the number of rule violations allowed for the functional area.

  5. Assign compliance rules required for the analysis to the functional area.

  6. Use the One Identity Manager report function to create a report that presents the rule check results for the functional area by any criteria.

To edit functional areas

  1. In the Manager, select the Business Roles | Basic configuration data | Functional areas category.
  2. In the result list, select a functional area and run the Change master data task.

    - OR -

    Click in the result list.

  3. Edit the functional area master data.

  4. Save the changes.

Enter the following data for a functional area.

Table 8: Functional area properties

| Property | Description |
|---|---|
| Functional area | Description of the functional area. |
| Parent Functional area | Parent functional area in a hierarchy. Select a parent functional area from the list in order to organize your functional areas hierarchically. |
| Max. number of rule violations | List of rule violations valid for this functional area. This value can be evaluated during the rule check. NOTE: This input field is available if the Compliance Rules Module exists. |
| Description | Text field for additional explanation. |

Related topics
  • One Identity Manager Compliance Rules Administration Guide

Attestors

Installed modules: Attestation Module

In One Identity Manager, you can assign business roles to employees who can be brought in as attestors in attestation cases, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for attestors. A default application role for attestors is available in One Identity Manager. Assign employees that are authorized to attest permissions, requests, or other data stored in One Identity Manager to this application role. You may create other application roles as required. For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 9: Default application roles for attestors

User: Business Role Attestors

Tasks:

Attestors must be assigned to the Identity Management | Business roles | Attestors application role or a child application role.

Users with this application role:

  • Attest correct assignment of company resources to business roles for which they are responsible.
  • Can view master data for these business roles but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

To specify attestors

  1. Select the Business roles | Basic configuration data | Attestors category.
  2. Select the Assign employees task.
  3. In the Add assignments pane, add employees.

    TIP: In the Remove assignments pane, you can remove assigned employees.

    To remove an assignment

    • Select the employee and double-click .
  4. Save the changes.

Role approvers and role approvers (IT)

In One Identity Manager, you can assign business roles to employees who can be brought in as approvers in approval processes for IT Shop requests, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for approvers. Default application roles for approvers and approvers (IT) are available in One Identity Manager. Assign employees that are authorized to approve requests in the IT Shop to this application role. You may create other application roles as required. For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 10: Default application roles for approvers

User: Business Role Approvers

Tasks:

Approvers must be assigned to the Identity Management | Business roles | Role approvers application role or a child application role.

Users with this application role:

  • Are approvers for the IT Shop.
  • Approve requests from business roles for which they are responsible.

User: Business Role Approvers (IT)

Tasks:

IT role approvers must be assigned to the Identity Management | Business roles | Role approvers (IT) application role or a child application role.

Users with this application role:

  • Are IT role approvers for the IT Shop.
  • Approve requests from business roles for which they are responsible.

To specify a role approver or role approver (IT)

  1. Select the Business roles | Basic configuration data | Approver category.

    - OR -

    Select the Business roles | Basic configuration data | Approver (IT) category.

  2. Select the Assign employees task.
  3. In the Add assignments pane, assign employees.

    - OR -

    In the Remove assignments pane, remove employees.

  4. Save the changes.

Editing business roles

Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles. For more information, see Role classes.

To edit business roles

  1. Select the Business roles | <Role class> category.
  2. Select a business role in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Edit the business role's master data.
  4. Save the changes.