
Identity Manager 8.0 - Application Roles Administration Guide

Application Roles for Employees

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application role is available for employee administration:

Table 8: Application Roles
Application Role Description

Administrators

Employee administrators must be assigned to the application role Identity Management | Employees | Administrators.

Users with this application role:

  • Can edit master data for all employees.
  • Can assign a manager.
  • Can assign company resources to employees.
  • Check and authorize employee master data.
  • Create and edit risk index functions.
  • Edit password policies for employee passwords.

Application Roles for the IT Shop

NOTE: This application role is available if the Identity Management Base Module is installed.

The following application roles are available for the IT Shop administration:

Table 9: Application Roles
Application Role Description

Administrators

Administrators must be assigned to the application role Request & Fulfillment | IT Shop | Administrators.

Users with this application role:

  • Create the IT Shop structure with shops, shelves, customers, templates and service catalog.
  • Create approval policies and approval workflows.
  • Specify which approval procedure to use to find attestors.
  • Create products and service items.
  • Set up request notifications.
  • Monitor request procedures.
  • Administrate application roles for product owners and attestors.
  • Set up other application roles as required.
  • Create extended properties for company resources of any type.
  • Edit the resources and assign them to IT Shop structures and employees.
  • Assign system authorizations to IT Shop structures.

Product owners

Product owners must be assigned to the application role Request & Fulfillment | IT Shop | Product owners or an application role below that.

Users with this application role:

  • Approve through requests.
  • Edit service items and service categories under their management.

Attestors

Attestors must be assigned to the application role Request & Fulfillment | IT Shop | Attestors.

Users with this application role:

  • Attest correct assignment of company resources to IT Shop structures for which they are responsible.
  • Can view master data for these IT Shop structures but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

Chief approval team

The chief approver must be assigned to the application role Request & Fulfillment | IT Shop | Chief approval team.

Users with this application role:

  • Approve through requests.
  • Assign requests to other approvers.

NOTE: Approvers in charge are determined through approval procedures. Other application roles may be applied here. Application roles for approvers are defined in different modules and are available there.

Application Roles for Target Systems

NOTE: Application roles are dependent on the target system and are contained in One Identity Manager modules. Application roles are not available until the modules are installed.

The following application roles are available for target system administration:

Table 10: Application Roles
User Task

Target system administrators

Target system administrators must be assigned to the application role Target systems | Administrators.

Users with this application role:

  • Administrate application roles for individual target system types.
  • Specify the target system manager.
  • Set up other application roles for target system managers if required.
  • Specify which application roles are conflicting for target system managers.
  • Authorize other employees to be target system administrators.
  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the application role Target systems | <target system> or a sub application role.

NOTE: There is at least one application role per target system for target system managers. This application role is available if the target system module is installed.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare system entitlements for adding to the IT Shop.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

Target system managers for Unified Namespace

Target system managers must be assigned to the application role Target systems | Unified Namespace or a sub application role.

Users with this application role:

  • Obtain a view of the objects in the connected target systems across all target systems.
  • Can create reports across all target systems.

If the users are also target system managers of the basic underlying target systems, you can manage these target systems through the Unified Namespace.

Application Roles for the Universal Cloud Interface

NOTE: Application roles are available if the Universal Cloud Interface Module is installed.

The following application roles are available for managing cloud systems:

Table 11: Application Roles
User Task

Cloud administrators

Administrators must be assigned to the application role Universal Cloud Interface | Administrators or a sub application role.

Users with this application role:

  • Manage application roles for the Universal Cloud Interface.
  • Set up other application roles as required.
  • Configure synchronization in the Synchronization Editor and define the mapping for comparing cloud applications and One Identity Manager.
  • Edit cloud applications in the Manager.
  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.
  • Obtain information about the cloud objects in the Web Portal and the Manager.

Cloud operators

Operators must be assigned to the application role Universal Cloud Interface | Operators or a sub application role.

Users with this application role:

  • Edit pending, manual provisioning processes in the Web Portal and obtain statistics.

Cloud auditors

Auditors must be assigned to the application role Universal Cloud Interface | Auditors or a sub application role.

Users with this application role:

  • Can view manual provisioning processes in the Web Portal and obtain statistics.