
Identity Manager 9.2 - Business Roles Administration Guide


Dynamic roles for business roles with incorrectly excluded identities

In the Manager, you can obtain an overview of all dynamic roles with conflicting entries in their exclusion list. An entry is conflicting if at least one of the following applies to it:

  • The dynamic role condition does not apply to the excluded identity.

    For example, this can occur if the dynamic role condition was changed after the identity was entered in the exclusion list. The entry is then redundant.

    - OR -

  • The excluded identity is assigned to the role in another way, for example through inheritance or direct assignment.

    In this case the exclusion does not remove the identity from the role; it only suppresses the assignment made by the dynamic role, and the identity keeps the role through the other path.

Check these entries and correct the assignments.
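The following is an added illustration, not One Identity Manager code. It models dynamic role membership in a few dictionaries and reproduces the two conflict conditions above: an exclusion entry whose condition no longer matches, and one whose identity still holds the role through a direct assignment or through inheritance. The data layout, the condition written as a Python predicate, the role that counts another role's members as its own, and all identity names are assumptions made for the example; the product stores this in its database and evaluates the condition as a SQL where clause.

```python
"""Added example: exclusion-list conflict check for a dynamic role."""
from typing import Dict, List, Set

Identity = Dict[str, object]

# Constructed sample identities (not real accounts).
IDENTITIES: Dict[str, Identity] = {
    "alice": {"department": "Sales", "external": False},
    "bob":   {"department": "Sales", "external": True},
    "carol": {"department": "Engineering", "external": False},
    "dave":  {"department": "Sales", "external": False},
    "erin":  {"department": "Sales", "external": False},
}

# Direct identity assignments per business role (assumed).
DIRECT: Dict[str, Set[str]] = {
    "Sales Staff": {"alice"},
    "Sales Leads": {"erin"},
}

# Roles whose members also count as members of the key role. The direction
# of inheritance is simplified for the example.
INHERITS_FROM: Dict[str, Set[str]] = {"Sales Staff": {"Sales Leads"}}

# One dynamic role: condition plus exclusion list. The condition is assumed
# to have been tightened (externals removed) after bob was put on the list.
DYNAMIC_ROLES = [{
    "role": "Sales Staff",
    "condition": lambda i: i["department"] == "Sales" and not i["external"],
    "excluded": {"alice", "bob", "carol", "dave", "erin"},
}]


def members(role: str) -> Set[str]:
    """Effective members of `role`: direct, dynamic minus exclusions, inherited."""
    result = set(DIRECT.get(role, set()))
    for dr in DYNAMIC_ROLES:
        if dr["role"] == role:
            result |= {n for n, i in IDENTITIES.items()
                       if dr["condition"](i) and n not in dr["excluded"]}
    for other in INHERITS_FROM.get(role, set()):
        result |= members(other)
    return result


def other_paths(role: str, name: str) -> List[str]:
    """Ways `name` holds `role` that the dynamic role's exclusion cannot remove."""
    paths = []
    if name in DIRECT.get(role, set()):
        paths.append("direct assignment")
    for other in INHERITS_FROM.get(role, set()):
        if name in members(other):
            paths.append(f"inherited from {other}")
    return paths


def conflicting_exclusions() -> Dict[str, List[str]]:
    """Map 'role/identity' -> reasons for every exclusion entry that is conflicting."""
    findings: Dict[str, List[str]] = {}
    for dr in DYNAMIC_ROLES:
        for name in sorted(dr["excluded"]):
            reasons = []
            if not dr["condition"](IDENTITIES[name]):
                reasons.append("dynamic role condition does not apply")
            paths = other_paths(dr["role"], name)
            if paths:
                reasons.append("still a member via " + ", ".join(paths))
            if reasons:
                findings[f'{dr["role"]}/{name}'] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in conflicting_exclusions().items():
        print(entry, "->", "; ".join(reasons))
    print("effective members of Sales Staff:", sorted(members("Sales Staff")))
```

Only dave's entry is an effective exclusion. alice and erin remain members of Sales Staff despite being on the list (direct assignment and inheritance respectively), and bob and carol no longer match the condition, so their entries are dead weight that will mislead anyone reviewing the list later.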

To check conflicting entries of business roles in the exclusion list

  1. In the Manager, select the Business Roles > Troubleshooting > Dynamic roles with potentially incorrect excluded identities category.

  2. Select the dynamic role in the result list.

  3. Select the Exclude identities task.

    In the exclusion list you can see which identities are affected by the given conditions.

For more information about editing the dynamic roles' exclusion list, see the One Identity Manager Identity Management Base Module Administration Guide.


Certification of business roles

NOTE: This function is only available if the Attestation Module is installed.

The certification status of business roles can be set manually or by regular attestation. To set certification status by attesting, configure the attestation policies accordingly.

To manually change the certification status of a business role

  1. In the Manager, edit the business role's main data.

  2. In the Certification status field, enter the required value.

  3. Save the changes.

To change the certification status of business roles by attestation

  1. In the Manager, select the Attestation > Attestation policies category.

  2. In the result list, select the attestation policy whose attestation runs will adjust the certification status.

  3. If the certification status is to change to Certified when attestation is approved, enable the Set certification status to "Certified" option.

  4. If the certification status is to change to Denied when attestation is denied, enable the Set certification status to "Denied" option.

  5. Save the changes.

One Identity Manager provides default procedures for managers to quickly attest and certify the main data of business roles newly added to the One Identity Manager database. Attestation is performed only for business roles with the certification status New. If the attestation is approved, the certification status of the attested business role is set to Certified; otherwise it is set to Denied. Approval also disables the business role's Identities do not inherit option.

Attestation and certification are started automatically for business roles that were added with the Analyzer tool if the QER | Attestation | OrgApproval configuration parameter is set.

NOTE: If the attestation is denied, only the certification status changes. Nothing else changes as a result, for example in the inheritance calculation; any such behavior must be implemented on a custom basis.

This function is only available if the Target System Base Module is installed. For more information about certifying new roles and organizations, see the One Identity Manager Attestation Administration Guide.


Reports about business roles

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for business roles.

NOTE: Other reports may be available depending on which modules are installed.

Table 17: Reports about business roles

Report: Overview of all assignments
Description: This report finds all the roles in which identities from the selected business role are also members.

Report: Show historical memberships
Description: This report lists all members of the selected business role and the length of their membership.

Report: Show products still to be approved
Description: This report shows all products for a business role whose requests can be approved by the business role's members.

Report: Business roles with high risk level
Description: This report lists all business roles with a risk index equal to or higher than a configurable risk index. The result can be limited to a specified role class. You can find this report in the Manager in the My One Identity Manager category.


Role mining in One Identity Manager

Business roles can be formed in two ways:

Analyzer is a One Identity Manager program that provides its own tools for analyzing user accounts and permissions. It supports both the analysis of business roles and the assessment of data quality, that is, of how well suited the permissions data is to partially automated role mining.

The Analyzer offers:

  • Automatic analysis of permissions assignments based on cluster analysis algorithms with different weightings

  • Automatic analysis of existing structures and of the permissions of the identities assigned to them

  • Manual analysis of certain identity groups for role mining

The aim of role mining is to replace direct permissions, which previously were granted to users only within individual application systems, with indirect ones: permissions that users obtain through role membership and that are therefore defined across application systems. Analyzer aims not only at pure role mining but also at arranging the mined roles in a hierarchy that is simple to administer. This can reduce the administration workload further and make the granting of permissions more secure.
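The following is an added example, not Analyzer's code. It runs a minimal role-mining pass over a constructed user-to-permission matrix: identities with identical permission sets are grouped into candidate business roles, the share of identities such roles would cover is reported as a crude data-quality figure, and the resulting indirect assignments are checked to grant exactly the permissions the direct ones did. Exact-match grouping, the two-member threshold, the BRnn role names and the sample permissions are all assumptions for the illustration; Analyzer's cluster analysis and weightings are not reproduced.

```python
"""Added example: exact-match role mining with a no-drift check."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed direct permission assignments, e.g. group memberships read from
# several application systems (not real data).
DIRECT_PERMS: Dict[str, Set[str]] = {
    "u1": {"CRM:Read", "CRM:Write", "ERP:Invoices"},
    "u2": {"CRM:Read", "CRM:Write", "ERP:Invoices"},
    "u3": {"CRM:Read", "CRM:Write", "ERP:Invoices"},
    "u4": {"CRM:Read", "HR:Payroll"},
    "u5": {"CRM:Read", "HR:Payroll"},
    "u6": {"CRM:Read", "ERP:Invoices", "AD:DomainAdmins"},  # one-off, stays direct
}

Role = Tuple[str, FrozenSet[str]]  # (role name, permissions the role grants)


def mine_roles(perms: Dict[str, Set[str]],
               min_members: int = 2) -> Tuple[List[Role], Dict[str, Set[str]]]:
    """Group identities by identical permission set. Returns the candidate roles
    and the identity -> role-name memberships that replace direct assignments.
    Clusters smaller than `min_members` are left as direct grants."""
    clusters: Dict[FrozenSet[str], List[str]] = defaultdict(list)
    for user, p in sorted(perms.items()):
        clusters[frozenset(p)].append(user)
    # Largest clusters first; ties broken by permission names for determinism.
    ordered = sorted(clusters.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    roles: List[Role] = []
    membership: Dict[str, Set[str]] = defaultdict(set)
    for permset, users in ordered:
        if len(users) < min_members:
            continue  # too few identities to justify a role (assumed threshold)
        name = f"BR{len(roles) + 1:02d}"
        roles.append((name, permset))
        for u in users:
            membership[u].add(name)
    return roles, dict(membership)


def effective_perms(roles: List[Role], membership: Dict[str, Set[str]],
                    remaining_direct: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Permissions each identity ends up with through roles plus leftover direct grants."""
    by_name = dict(roles)
    out: Dict[str, Set[str]] = {}
    for user in set(membership) | set(remaining_direct):
        granted = set(remaining_direct.get(user, set()))
        for r in membership.get(user, set()):
            granted |= by_name[r]
        out[user] = granted
    return out


def coverage(perms: Dict[str, Set[str]], membership: Dict[str, Set[str]]) -> float:
    """Share of identities whose permissions can be expressed through a mined role."""
    return len(membership) / len(perms)


def verify_no_drift(perms: Dict[str, Set[str]], roles: List[Role],
                    membership: Dict[str, Set[str]]) -> bool:
    """Role-based grants must equal the original direct grants for every identity:
    nothing gained (over-provisioning) and nothing lost. Identities without a
    mined role keep their direct grants unchanged."""
    leftovers = {u: p for u, p in perms.items() if u not in membership}
    return effective_perms(roles, membership, leftovers) == perms


if __name__ == "__main__":
    roles, membership = mine_roles(DIRECT_PERMS)
    for name, permset in roles:
        print(name, sorted(permset), [u for u, r in membership.items() if name in r])
    print(f"coverage: {coverage(DIRECT_PERMS, membership):.0%}")
    print("no drift:", verify_no_drift(DIRECT_PERMS, roles, membership))
```

The drift check is the part worth keeping when you move from a toy to real data: putting u6 into BR01 "because it is close enough" would silently grant CRM:Write and, if the leftover direct grant is dropped, lose AD:DomainAdmins, and verify_no_drift returns False for exactly that change.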

To use role mining in One Identity Manager

  • In the Designer, set the QER | Org | RoleMining configuration parameter.

NOTE: To use Analyzer for analyzing permissions, at least the Target System Base Module must be installed.
