Identity Manager 8.0.2 - Application Roles Administration Guide

One Identity Manager Application Roles

You can use the One Identity Manager role model to control edit permissions for One Identity Manager users. This role model takes into account technical aspects (for example, One Identity Manager tool administrative rights) as well as functional aspects, which result from One Identity Manager user tasks within the company structure (for example, permissions for approving requests). The One Identity Manager makes so-called application roles available.

Application roles have the following aims:

  • Program functions, employees, company resources, approval workflows and approval policies are assigned to fixed application roles. Write permissions for these application roles do not need to be defined specifically for the company. This simplifies administration of access permissions.
  • Enables audit secure internal administration of One Identity Manager users and their write permissions. Permissions can be granted through assignment, request and approval or by calculation on account of specific properties. Furthermore, issuing permissions with the attestation function is integrated into the attestation process.
  • Users are provided with initial permissions, which they required for carrying out their tasks. This is a way, for example, to create initially required user accounts.

Application roles can be limited to permissions groups whose write permissions are predefined by One Identity Manager. Controlling write permissions:

  • Navigation configuration in administration tools
  • Access to objects and their properties
  • Which interface forms and tasks are displayed
  • Availability of special program functionality

Users must be role-based to use application roles for logging in to One Identity Manager. Role-based authentications module finds the valid write permissions from all the user's application roles. This provides the One Identity Manager user with permissions corresponding to their application roles for the One Identity Manager functions when they log onto One Identity Manager tools.

Detailed information about this topic

Application Roles Overview

One Identity Manager supplies default application roles whose permissions are matched to the different task and functions. Assign employees to default applications who take on individual tasks and functions. You can also create your won application roles for custom defined tasks.

NOTE: Default application roles are defined in One Identity Manager modules and are not available until the modules are installed. You cannot delete default application roles.

The following default application roles are defined:

Application Roles for Basic Functions

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application roles are available to you for the basic functionality in One Identity Manager.

Table 1: Application Roles
Application Role Description

Administrators

 

Administrators must be assigned to the application role Base roles | Administrators.

Users with this application role:

  • Administer application roles for administrators.
  • Assign employees to administrator application roles.
  • Can other employees to the application role Base roles | Administrators and edit conflicting application roles.
  • See the master data for the other application roles.

Everyone (change)

 

The application role Base roles | Everyone (change) is automatically assigned to every user.

Users with this application role:

  • Can edit certain employee master data in the Web Portal.

Should every user be automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Everyone (lookup)

 

The application role Base roles | Everyone (Lookup) is automatically assigned to every user.

Users with this application role:

  • Obtain read access to objects in the Web Portal.

Should every user be automatically assigned to a custom permissions group when they log in, then this permissions group can be added to the application role.

Members of this application role are determined through a dynamic role.

Employee managers

 

The application Base roles | Employee managers is automatically assigned to a user if the user is a manager or supervisor of employees, departments, locations, cost centers, business roles or IT Shops.

Users with this application role:

  • Can edit master data for the objects they are responsible for and assign company resources to them.
  • Can edit master data for their employees in the Web Portal.
  • Can add their staff members to the IT Shop.
  • Employee and department managers can add new employees in the Web Portal.
  • Can view their staff's compliance rule violations in the Web Portal.

Members of this application role are determined through a dynamic role.

Birthright Assignments

The application role Base roles | Birthright assignments is used to provide birthrights to employees which are provided to establish their working environment. The application roles are allocated all the resources marked for automatic assignment to all employees. All internal employees are assigned to this application role and obtain the resources. Internal employees are found through a dynamic role.

Operations support.

Employees that use the Operations Support Web Portal, must be assigned the application role Base roles | Operations support.

Users with this application role:

  • Monitor handling of Job queue processes.
  • Monitor handling of the DBQueue.
  • Create access codes.
Related Topics

Compliance & Security Officer

NOTE: This application role is available if Attestation Module, Compliance Rules Module or Company Policies Module is installed.

Compliance and security officers must be assigned to the application role Identity & Access Governance | Compliance & Security Officer.

Users with this application role:

  • View all compliance relevant information and other analysis in the Web Portal. This includes attestation policies, company policies and policy violations, compliance rules and rule violations and risk index functions.
  • Edit attestation polices
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents