立即与支持人员聊天
与支持团队交流

Identity Manager 9.2.1 - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Base data for business roles Creating and editing business roles Assigning identities, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and identity assignments Setting up IT operational data for business roles Creating dynamic roles for business roles Assigning departments, cost centers, and locations to business roles Defining inheritance exclusion for business roles Assigning extended properties to business roles Creating assignment resources for application roles Dynamic roles for business roles with incorrectly excluded identities Certification of business roles Reports about business roles
Role mining in One Identity Manager

Managing business roles

Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be projects groups, for example. Various company resources can be assigned to business roles. For example, authorizations in different SAP systems or Azure Active Directory tenants. You can add identities to single business roles as members. Identities obtain their company resources through these assignments when One Identity Manager is appropriately configured.

NOTE: The Business Roles Module must be installed as a prerequisite for managing business roles in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.

The One Identity Manager components for managing business roles are available if the QER | Org configuration parameter is set.

  • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

One Identity Manager users for business roles

The following users are used for the administration of business roles.

Table 1: Users
User Tasks

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Create and edit business roles.

  • Assign company resources to business roles.

  • Attest business roles' main data.

  • Administrate application roles for role approvers, role approvers (IT), and attestors.

  • Set up other application roles as required.

Business Role Attestors

 

Attestors must be assigned to the Identity Management | Business roles | Attestors application role or a child application role.

Users with this application role:

  • Attest correct assignment of company resource to business roles for which they are responsible.

  • Can view main data for these business roles but not edit them.

NOTE: This application role is available if the module Attestation Module is installed.

Business Role Approvers

 

Approvers must be assigned to the Identity Management | Business roles | Role approvers application role or a child application role.

Users with this application role:

  • Are approvers for the IT Shop.

  • Approve requests from business roles for which they are responsible.

Business Role Approvers (IT)

 

IT role approvers must be assigned to the Identity Management | Business roles | Role approvers (IT) application role or a child application role.

Users with this application role:

  • Are IT role approvers for the IT Shop.

  • Approve requests from business roles for which they are responsible.

One Identity Manager administrators

 

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

Additional managers

The additional managers must be assigned to the Identity Management | Business roles| Additional managers application role or to a child application role.

Users with this application role:

  • Have permission to manage business roles.

Hierarchical role structure basic principles

Business role are arranged hierarchically. Assigned company resources are inherited by members through these hierarchies. Company resource assignments are not made to individual identities, devices or workdesks but centrally and then inherited automatically through a predefined distribution list.

Hierarchies can either be created following the top-down or the bottom-up model in One Identity Manager. In the top-down model, roles are defined based on the area of activity and the company resources required to fulfill the activities are assigned to the roles. In the case of the bottom-up model, company resource assignments are analyzed and the roles result from this.

Related topics

Inheritance directions within a hierarchy

The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager basically recognizes two directions of inheritance:

  • Top-down inheritance

    In One Identity Manager, top-down inheritance maps the default structure within a company. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.

  • Bottom-up inheritance

    Whereas in top-down inheritance, assignments are inherited in the direction of more detailed classifications, bottom-up inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim being, to provide someone coordinating several project groups with the company resources in use by each of the project groups.

NOTE: The direction of inheritance is only taken into account in relation to the inheritance of company resources. The direction of inheritance does not have any effect on the selection of the manager responsible. The manager with a parent role is always responsible for all child roles.

The effect on the allocation of company resources is explained in the following example for assigning an application.

Example: Assigning company resources top-down

In the diagram above a section of a company’s structure is illustrated. In addition, software applications are listed that are assigned to the respective department. An identity in dealer sales is assigned all the software applications that are allocated to their department and all those on the entire organization path. In this case, they are email, text processing, address management and internet software.

Figure 1: Assignment through top-down inheritance

Example: Assigning company resources bottom-up

The next figure shows bottom-up inheritance based on a project framework. In addition, software applications are listed that are assigned to the respective project group. An identity from the "Project lead" project group receives software applications from the project group as well as those from the projects groups below. In this case, it is project management, CASE tool, development environment, assembler tool, and prototyping tool.

Figure 2: Assignment through bottom-up inheritance

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级