Identity Manager 9.2 - Business Roles Administration Guide


Creating and editing role types

For additional classification, you can create and edit role types. You cannot edit default role types.

To create role types

  1. In the Manager, select the Business roles > Basic configuration data > Role types category.

  2. Click in the result list.

  3. Enter the following information:

    • Role type: Role type name. Translate the given text using the button.

    • Description: (Optional) Text field for additional explanation.

    • No multiple assignment of identities: Specifies whether an identity can be assigned only one business role of this role type. If this option is enabled for a role type, assigning the identity to other business roles of this role type is not allowed.

      NOTE: This option does not work for departments, cost centers, and locations.

  4. Save the changes.

To edit role types

  1. In the Manager, select the Business roles > Basic configuration data > Role types category.

  2. Select the role type in the result list.

  3. Select the Change main data task.

  4. Edit the main data.

  5. Save the changes.
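
The following check is an added example, not taken from the One Identity Manager documentation or product. It lists identities that hold more than one business role of a role type for which No multiple assignment of identities is set. The export layout, column names, and sample rows are constructed for illustration and are not the product's schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are hypothetical, not product schema.
SAMPLE_EXPORT = """identity,role,role_type,kind
jdoe,Payments Approver,Finance duty,business_role
jdoe,Payments Requester,Finance duty,business_role
jdoe,Project Alpha,Project,business_role
asmith,Payments Approver,Finance duty,business_role
asmith,Berlin,Finance duty,location
asmith,Project Alpha,Project,business_role
asmith,Project Beta,Project,business_role
"""

# Role types with "No multiple assignment of identities" enabled (assumed).
EXCLUSIVE_ROLE_TYPES = {"Finance duty"}


def find_multiple_assignments(export_text, exclusive_types):
    """Map (identity, role_type) to the sorted business roles held, for every
    identity holding more than one business role of an exclusive role type."""
    held = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        # The option does not work for departments, cost centers, and
        # locations, so only business role memberships are counted.
        if row["kind"] != "business_role":
            continue
        if row["role_type"] in exclusive_types:
            held[(row["identity"], row["role_type"])].add(row["role"])
    return {key: sorted(roles) for key, roles in held.items() if len(roles) > 1}


if __name__ == "__main__":
    conflicts = find_multiple_assignments(SAMPLE_EXPORT, EXCLUSIVE_ROLE_TYPES)
    for (identity, role_type), roles in sorted(conflicts.items()):
        print(f"{identity}: {len(roles)} business roles of type "
              f"'{role_type}': {', '.join(roles)}")
```
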

Assigning role classes to role types

For additional classification, you can define role types and assign them to role classes. Note the restrictions given under Role types for business roles.

To assign role classes to a role type

  1. In the Manager, select the Business roles > Basic configuration data > Role types category.

  2. Select the role type in the result list.

  3. Select the Assign role classes task.

  4. In the Add assignments pane, select the role class and assign business roles.

    TIP: In the Remove assignments pane, you can remove assigned business roles.

    To remove an assignment

    • Select the business role and double-click .

  5. Save the changes.


Functional areas

To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to hierarchical roles and service items. You can enter criteria that provide information about risks from rule violations for functional areas and hierarchical roles. To do this, you specify how many rule violations are permitted in a functional area or a role. You can enter separate assessment criteria for each role, such as a risk index or transparency index.

Moreover, functional areas can be replaced by peer group analysis during request approvals or attestation cases.

Example: Use of functional areas

To assess the risk of rule violations for business roles, proceed as follows:

  1. Set up functional areas.

  2. Assign business roles to the functional areas.

  3. Define assessment criteria for the business roles.

  4. Specify the number of rule violations allowed for the functional area.

  5. Assign compliance rules required for the analysis to the functional area.

  6. Use the One Identity Manager report function to create a report that prepares the result of rule checking for the functional area by any criteria.

To create or edit a functional area

  1. In the Manager, select the Business Roles > Basic configuration data > Functional areas category.

  2. In the result list, select a functional area and run the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the functional area main data.

  4. Save the changes.

Enter the following data for a functional area.

Table 7: Functional area properties

| Property | Description |
| --- | --- |
| Functional area | Description of the functional area. |
| Parent Functional area | Parent functional area in a hierarchy. Select a parent functional area from the list for organizing your functional areas hierarchically. |
| Max. number of rule violations | List of rule violations valid for this functional area. This value can be evaluated during the rule check. NOTE: This property is available if the Compliance Rules Module is installed. |
| Description | Text field for additional explanation. |

Related topics
  • One Identity Manager Compliance Rules Administration Guide

Attestors

NOTE: This function is only available if the Attestation Module is installed.

In One Identity Manager, you can assign business roles to identities who can be brought in as attestors in attestation cases, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for attestors. For more information about attestation, see the One Identity Manager Attestation Administration Guide.

A default application role for attestors is available in One Identity Manager. You may create other application roles as required. For more information about application roles, see the One Identity Manager Authorization and Authentication Guide.

Table 8: Default application roles for attestors
User: Business Role Attestors

Tasks:

Attestors must be assigned to the Identity Management | Business roles | Attestors application role or a child application role.

Users with this application role:

  • Attest correct assignment of company resources to business roles for which they are responsible.

  • Can view main data for these business roles but not edit them.

NOTE: This application role is available if the Attestation Module is installed.

To add identities to default application roles for attestors

  1. In the Manager, select the Business Roles > Basic configuration data > Attestors category.

  2. Select the Assign identities task.

  3. In the Add assignments pane, add identities.

    TIP: In the Remove assignments pane, you can remove assigned identities.

    To remove an assignment

    • Select the identity and double-click .

  4. Save the changes.