Chat now with support
Chat with Support

Identity Manager 8.1.5 - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Basic data for structuring business roles Editing business roles Assigning employees, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and employee assignments Setting up IT operating data Additional tasks for managing business roles Reports about business roles
Role mining in One Identity Manager

Managing business roles

Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be projects groups, for example. Various company resources can be assigned to business roles. For example, authorizations in different SAP systems or Azure Active Directory tenants. You can add employees to single business roles as members. Employees obtain their company resources through these assignments when One Identity Manager is appropriately configured.

One Identity Manager components for managing business roles are available if "QER | Org" is set.

  • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

One Identity Manager users for business roles

The following users are used for the administration of business roles.

Table 1: Users
User Tasks

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Create and edit business roles.
  • Assign company resources to business roles.
  • Administrate application roles for role approvers, role approvers (IT), and attestors.
  • Set up other application roles as required.

One Identity Manager administrators


  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Business Role Attestors


Attestors must be assigned to the Identity Management | Business roles | Attestors application role or a child application role.

Users with this application role:

  • Attest correct assignment of company resource to business roles for which they are responsible.
  • Can view master data for these business roles but not edit them.
NOTE: This application role is available if the module Attestation Module is installed.

Hierarchical role structure basic principles

Business roles are arranged hierarchically. Assigned company resources are inherited by members through these hierarchies. Company resource assignments are not made to individual employees, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

Hierarchies can either be created following the top-down or the bottom-up model in One Identity Manager. In the top-down model, roles are defined based on the area of activity and the company resources required to fulfill the activities are assigned to the roles. In the case of the bottom-up model, company resource assignments are analyzed and the roles result from this.

Inheritance directions within a hierarchy

The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager basically recognizes two directions of inheritance:

  • Top-down inheritance

    Top-down inheritance maps the standard structure within a company in One Identity Manager. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.

  • Bottom-up inheritance

    Whereas in "top-down" inheritance, assignments are inherited in the direction of more detailed classifications, "bottom-up" inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim being, to provide someone coordinating several project groups with the company resources in use by each of the project groups.

NOTE: The direction of inheritance is only taken into account in relation to the inheritance of company resources. The direction of inheritance does not have any effect on the selection of the manager responsible. The manager with a parent role is always responsible for all child roles.

The effect on the allocation of company resources is explained in the following example for assigning an application.

Example for assigning company resources top-down

In the diagram above a section of a company’s structure is illustrated. In addition, system entitlements are listed that are assigned to the respective department. An employee in dealer sales is assigned all the system entitlements that are allocated to their department and all those on the entire organization path. In this case, theses are the Azure Active Directory groups 1 and 2 and the SharePoint Online groups 1 and 2.

Figure 1: Assignment through top-down inheritance

Example for assigning company resources bottom-up

The next figure shows bottom-up inheritance based on a project framework. In addition, software applications are listed that are assigned to the respective project group. An employee from the "Project lead" project group receives software applications from the project group as well as those from the projects groups below. In this case, it is project management, CASE tool, development environment, assembler tool, and prototyping tool.

Figure 2: Assignment through bottom-up inheritance

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating