Chat now with support
Chat with Support

Identity Manager 8.0 - Business Roles Administration Guide

Managing Business Roles Role Mining in One Identity Manager

Managing Business Roles

Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be projects groups, for example. Various company resources can be assigned to business roles, for example, authorizations in different SAP systems or applications. You can add employees to single business roles as members. Employees obtain their company resources through these assignments when the One Identity Manager is appropriately configured.

The One Identity Manager components for managing business roles are available if the configuration parameter "QER/Org" is set.

  • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

One Identity Manager Users for Business Roles

One Identity Manager Users for Business Roles

The following users are used for managing business roles.

Table 1: User
User Task

Business roles administrators

Administrators must be assigned to the application role Identity Management | Business roles | Administrators.

Users with this application role:

  • Create and edit business roles.
  • Assign company resources to business roles.
  • Administrate application roles for role approvers, role approvers (IT) and attestors.
  • Set up other application roles as required.

One Identity Manager administrators


  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configures schedules, as required.
  • Create and configure password policies, as required.

Business Role Attestors


Attestors must be assigned to the application role Identity Management | Business roles | Attestors or a child application role.

Users with this application role:

  • Attest correct assignment of company resource to business roles for which they are responsible.
  • Can view master data for these business roles but not edit them.

Note: This application role is available if the module Attestation Module is installed.

Hierarchical Role Structure Basics

Hierarchical Role Structure Basics

business roles are arranged hierarchically. Assigned company resources are inherited by members through these hierarchies. Company resource assignments are not made to individual employees, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

Hierarchies can either be created following the top-down or the bottom-up model in the One Identity Manager. In the top-down model, roles are defined based on the area of activity and the company resources required to fulfill the activities are assigned to the roles. In the case of the bottom-up model, company resource assignments are analyzed and the roles result from this.

Direction of Inheritance within a Hierarchy

The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager knows basically two directions of inheritance:

  • Top-down inheritance

    The default structure within a company is realized through top-down inheritance in One Identity Manager. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.

  • Bottom-up inheritance

    Where as in "top-down" inheritance assignments are inherited in the direction of more detailed classifications, "bottom-up" inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim being, to provide someone coordinating several project groups with the company resources in use by each of the project groups.

The effect on the allocation of company resources is explained in the following example for assigning an application.

Example for Assigning Company Resources Top-Down

In the diagram above a section of a company’s structure is illustrated. Applications assigned to the respective departments are also entered. An employee in retail is assigned all the applications that are allocated to their department and all those on the full structure path. In this case that is internet software, address administration, mail, and text editing.

Figure 1: Assignment through Top-Down Inheritance

Example for Assigning Company Resources Bottom-Up

The next figure shows bottom-up inheritance based on a project framework. Applications assigned to the respective project groups are also entered. An employee from the project group "Project lead" receives applications from the project group as well as those from the projects groups below. In this case, it is project management, CASE tool, development environment, assembler tool and prototyping tool.

Figure 2: Assignment through Bottom-Up Inheritance

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating