Identity Manager 9.2 - Business Roles Administration Guide


Base data for business roles

The following basic information is relevant for building up hierarchical roles in One Identity Manager.

  • Configuration parameters

    Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for various configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

    Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data > General > Configuration parameters category.

  • Role classes

    Role classes form the basis of mapping hierarchical roles in One Identity Manager. Role classes are used to group similar roles together.

  • Role types

    Create role types to classify roles. Role types can be used to map roles in the user interface, for example.

  • Functional areas

    To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles. Moreover, functional areas can be used during peer group analysis of requests or attestation cases.

  • Attestors

    In One Identity Manager, you can assign business roles to identities who can be brought in as attestors in attestation cases, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for attestors. For more information about attestation, see the One Identity Manager Attestation Administration Guide.

    A default application role for attestors is available in One Identity Manager. You may create other application roles as required. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

  • Role approvers and role approvers (IT)

    In One Identity Manager, you can assign business roles to identities who can be brought in as approvers in approval processes for IT Shop requests, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for approvers. For more information, see the One Identity Manager IT Shop Administration Guide.

    Default application roles for approvers and approvers (IT) are available in One Identity Manager. You may create other application roles as required. For more information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Role classes for business roles

Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles. You can permit identity, device, workdesk, and company resource assignments for the role classes.

To create or edit role classes

  1. In the Manager, select the Business roles > Basic configuration data > Role classes category.

  2. In the result list, select the role class and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the role class's main data.

  4. Save the changes.

Enter the following main data of a role class.

Table 6: Role class properties

| Property | Description |
| --- | --- |
| Role class | Role class description. The role class is displayed in the Manager under this name in the navigation view. Translate the given text using the button. |
| Attestors | Application role whose members are authorized to approve attestation instances for all roles in this role class. To create a new application role, click . Enter the application role name and assign a parent application role. NOTE: This property is available if the Attestation Module is installed. |
| Description | Text field for additional explanation. |
| Inherited top-down | Direction of inheritance top-down. |
| Inherited bottom-up | Direction of inheritance bottom-up. |
| Delegable | Specifies whether memberships in roles of this role class can be delegated. |
| Assignments permitted | Specifies whether assignments of respective object types to roles of this role class are permitted in general. Configure the permitted assignments in the Manager using the Configure role assignments task. |
| Direct assignments allowed | Specifies whether respective object types can be assigned directly to roles of this role class. Configure the permitted assignments in the Manager using the Configure role assignments task. |
| No multiple assignment of identities | Specifies whether an identity can be assigned to only one business role of this role class. If this option is enabled, assignment of the identity to other business roles belonging to this role class is not allowed. |

Assigning role types to role classes

For additional classification, you can define role types and assign them to role classes. Note the restrictions given under Role types for business roles.

To assign a role type to a role class

  1. In the Manager, select the Business roles > Basic configuration data > Role classes category.

  2. In the result list, select the role class.

  3. Select the Assign role types task.

  4. In the Add assignments pane, assign role types.

    TIP: In the Remove assignments pane, you can remove assigned role types.

    To remove an assignment

    • Select the role type and click .

Role types for business roles

To achieve better classification, you can define role types and assign them to role classes and roles. The following restrictions apply:

  • You can assign a role type to several role classes.

  • If you assign role types to a role class, you can only select these role types for the roles of this role class. Other role types are not available for selection.

  • If you do not assign a role type to a role class, you can only use role types that are not assigned to any other role class for roles in this role class.

  • The Business role role type is predefined. This role type cannot be assigned to the Department, Cost center, or Location role classes. Assign this role type to role classes that map business roles.

Example:

The Business role role type is predefined. The Region, Country, Sales, and Development role types are also created.

  • The Business roles role type is assigned to the External projects role class.

    The Business roles role type can also be given to roles of this role class.

  • The Business roles, Region, and Country role types are assigned to the Employee role class.

    The Business roles, Region, and Country role types can also be given to roles of this role class.

  • The Region and Country role types are assigned to the Location role class.

    The Region and Country role types can also be given to locations.

  • The Cost center and Department role classes are not assigned any role types.

    The Sales and Development role types can also be given to cost centers and departments.
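
The restrictions and the example above can be checked mechanically. The following Python model is an added illustration, not One Identity Manager code or API; the function names and data layout are assumptions, and the sample assignments are constructed from the example on this page (using the predefined name Business role).

```python
# Added illustration: a plain-Python model of the role type restrictions.
# Names and data layout are assumptions, not One Identity Manager objects.
PREDEFINED = "Business role"
# Role classes the predefined role type cannot be assigned to.
RESTRICTED_CLASSES = {"Department", "Cost center", "Location"}

# Constructed sample data, taken from the example on this page.
ALL_TYPES = {"Business role", "Region", "Country", "Sales", "Development"}
EXAMPLE = {
    "External projects": {"Business role"},
    "Employee": {"Business role", "Region", "Country"},
    "Location": {"Region", "Country"},
    "Cost center": set(),
    "Department": set(),
}


def violations(assignments):
    """List assignments of the predefined role type to a restricted class."""
    return [
        f"{PREDEFINED!r} cannot be assigned to role class {rc!r}"
        for rc, types in sorted(assignments.items())
        if rc in RESTRICTED_CLASSES and PREDEFINED in types
    ]


def selectable_role_types(role_class, all_types, assignments):
    """Role types that can be selected for roles of the given role class."""
    own = assignments.get(role_class, set())
    if own:
        # Class has role types assigned: only those are selectable.
        return set(own)
    # Class has none assigned: only role types that are not assigned
    # to any other role class remain available.
    taken = set()
    for other, types in assignments.items():
        if other != role_class:
            taken |= types
    return set(all_types) - taken


if __name__ == "__main__":
    for rc in sorted(EXAMPLE):
        print(rc, "->", sorted(selectable_role_types(rc, ALL_TYPES, EXAMPLE)))
    print("violations:", violations(EXAMPLE))
```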
