
Identity Manager 9.0 LTS - Business Roles Administration Guide


Functional area and risk assessment for business roles

Here, you can enter values that classify the business role. These values are used to analyze the risk of a business role with respect to identity audit.

Table 12: Main data of a business role's functional area

| Property | Description |
| --- | --- |
| Functional area | Department functional area. This data is required for the department's risk assessment. |
| Risk index (calculated) | A risk index is calculated for the department risk assessment based on assigned company resources. This field is only visible if the QER \| CalculateRiskIndex configuration parameter is set. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide. |
| Transparency index | Specifies how well you can trace location assignments. Use the slider to enter a value between 0 and 1. 0: no transparency; 1: full transparency. |
| Max. number of rule violations | Number of rule violations allowed in this business role. The value can be evaluated when compliance rules are checked. For more information, see the One Identity Manager Compliance Rules Administration Guide. NOTE: This property is only available if the Compliance Rules Module is installed. |
| Turnover for this unit | Business role's turnover. |
| Earnings for this unit | Business role's earnings. |

Customizing main data for business roles

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.

Assigning employees, devices, and workdesks to business roles

In order for employees, devices, and workdesks to inherit company resources, you must assign the objects to roles.

To add employees, devices, and workdesks to a business role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the appropriate task.

    • Assign employees

    • Assign devices

    • Assign workdesks

  4. In the Add assignments pane, assign objects.

    TIP: In the Remove assignments pane, you can remove object assignments.

    To remove an assignment

    • Select the object and double-click .

  5. Save the changes.

TIP: Use dynamic roles to assign employees, devices, and workdesks to business roles automatically.

Assigning business roles to company resources

The default method of assigning employees, devices, and workdesks is indirect assignment. This allocates an employee, a device or a workdesk to business roles, cost centers, or locations. The total of assigned company resources for an employee, a device or workdesk is calculated from their position within the hierarchy, the direction of inheritance and the company resources assigned to these roles.

Indirect assignment is divided into:

  • Secondary assignment

    You make a secondary assignment by classifying an employee, a device, or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.

    IMPORTANT: You use role classes to specify whether a secondary assignment of company resources is possible.

    If an employee, device or a workdesk fulfills the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.

  • Primary assignment

    You make a primary assignment using a business role, cost center, or location foreign key reference in employee, device, and workdesk objects. Primary assignment inheritance can be enabled through configuration parameters.
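The calculation described above, as an added example: a simplified model written for this page, not One Identity Manager code. It shows which roles contribute each inherited resource under top-down and bottom-up inheritance, and how enabling primary assignment inheritance changes the result. Role names, resources, and the `primary_inheritance` flag are constructed; inheritance exclusions and dynamic roles are not modeled.

```python
# Simplified model of indirect assignment; NOT One Identity Manager code.
# Role names, resources and the primary_inheritance flag are constructed.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    parent: "str | None" = None
    resources: set = field(default_factory=set)

def contributing_roles(roles, start, direction):
    """Roles whose resources reach a member of `start` for the given direction."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen:                  # guard against cycles in bad data
            continue
        seen.add(name)
        if direction == "top-down":       # child roles inherit from their parents
            if roles[name].parent:
                stack.append(roles[name].parent)
        elif direction == "bottom-up":    # parent roles inherit from their children
            stack.extend(r.name for r in roles.values() if r.parent == name)
        else:
            raise ValueError(f"unknown direction: {direction}")
    return seen

def effective_resources(roles, secondary, primary=None, *,
                        direction="top-down", primary_inheritance=False):
    """Map each inherited resource to the set of roles that grant it."""
    memberships = set(secondary)          # secondary assignments always count
    if primary and primary_inheritance:   # primary counts only when enabled
        memberships.add(primary)
    granted = {}
    for member_of in memberships:
        for name in contributing_roles(roles, member_of, direction):
            for res in roles[name].resources:
                granted.setdefault(res, set()).add(name)
    return granted

ROLES = {r.name: r for r in [             # constructed sample hierarchy
    Role("Sales", None, {"AD group: Sales-All"}),
    Role("Sales EMEA", "Sales", {"SAP role: Z_SALES_EMEA"}),
    Role("Sales EMEA Managers", "Sales EMEA", {"PAM user group: CRM-Admins"}),
    Role("Finance", None, {"SAP role: Z_FI_DISPLAY"}),
]}
if __name__ == "__main__":
    for res, via in sorted(effective_resources(ROLES, ["Sales EMEA"]).items()):
        print(res, "<-", sorted(via))
```

With the same membership in "Sales EMEA", switching the direction to bottom-up replaces the parent's Active Directory group with the child's PAM user group, which is why the inheritance direction of a role class matters in an access review.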

You must assign company resources to business roles, cost centers, or locations so that employees, devices, and workdesks can inherit company resources. The following table shows the possible company resource assignments.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 13: Possible company resource assignments

| Company resource | Available in Module |
| --- | --- |
| Resources | always |
| Account definitions | Target System Base Module |
| Groups of custom target systems | Target System Base Module |
| System entitlements of custom target systems | Target System Base Module |
| Active Directory groups | Active Directory Module |
| SharePoint groups | SharePoint Module |
| SharePoint roles | SharePoint Module |
| LDAP groups | LDAP Module |
| Notes groups | Domino Module |
| SAP groups | SAP R/3 User Management Module |
| SAP profiles | SAP R/3 User Management Module |
| SAP roles | SAP R/3 User Management Module |
| SAP parameters | SAP R/3 User Management Module |
| Structural profiles | SAP R/3 Structural Profiles Add-on Module |
| BI analysis authorizations | SAP R/3 Analysis Authorizations Add-on Module |
| E-Business Suite permissions | Oracle E-Business Suite Module |
| System roles | System Roles Module |
| Subscribable reports | Report Subscription Module |
| Software | Software Management Module |
| Azure Active Directory groups | Azure Active Directory Module |
| Azure Active Directory administrator roles | Azure Active Directory Module |
| Azure Active Directory subscriptions | Azure Active Directory Module |
| Disabled Azure Active Directory service plans | Azure Active Directory Module |
| Unix groups | Unix Based Target Systems Module |
| Cloud groups | Cloud Systems Management Module |
| Cloud system entitlements | Cloud Systems Management Module |
| PAM user groups | Privileged Account Governance Module |
| Google Workspace groups | Google Workspace Module |
| Google Workspace products and SKUs | Google Workspace Module |
| SharePoint Online groups | SharePoint Online Module |
| SharePoint Online roles | SharePoint Online Module |
| OneLogin roles | OneLogin Module |

To add company resources to a hierarchical role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the role in the result list.

  3. Select the task to assign the corresponding company resource.

  4. In the Add assignments pane, assign company resources.

    TIP: In the Remove assignments pane, you can remove company resource assignments.

    To remove an assignment

    • Select the company resource and double-click .
  5. Save the changes.