立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Base data for business roles Creating and editing business roles Assigning identities, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and identity assignments Setting up IT operational data for business roles Creating dynamic roles for business roles Assigning departments, cost centers, and locations to business roles Defining inheritance exclusion for business roles Assigning extended properties to business roles Creating assignment resources for application roles Dynamic roles for business roles with incorrectly excluded identities Certification of business roles Reports about business roles
Role mining in One Identity Manager

Functional areas and risk assessment for business roles

Here, you can enter values to classify the business roles, which analyze the risk of a business role with respect to identity audit.

Table 12: Main data of a business role's functional area
Property Description

Functional area

Department functional area This data is required for department's risk assessment.

Risk index (calculated)

A risk index is calculated for the department risk assessment based on assigned company resources. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is set. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Transparency index

Specifies how well you can trace location assignments. Use the slider to enter a value between 0 and 1.

0: no transparency

1: full transparency

Max. number of rule violations

Number of rule violations allowed in this business role. The value can be evaluated when compliance rules are checked. For more information, see the One Identity Manager Compliance Rules Administration Guide.

NOTE: This property is only available if the Compliance Rules Module is installed.

Turnover for this unit

Business roles turnover.

Earnings for this unit

Business roles earnings.

Related topics

Customizing main data for business roles

Enter any custom master data. Use the Designer to customize display names, formats, and templates for the input fields.

Table 13: Custom main data for a support team
Property Description

Spare field no. 01 ... Spare field no. 10

Additional company-specific information.

Spare date no. 01 ... Spare date no. 03

Additional company-specific information.

Assigning identities, devices, and workdesks to business roles

In order for identities, devices, and workdesks to inherit company resources, you must assign the objects to roles.

TIP: Use dynamic roles to assign identities, devices, and workdesks to business roles automatically.

To add identities, devices, and workdesks to a business role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the appropriate task.

    • Assign identities

    • Assign devices

    • Assign workdesks

  4. In the Add assignments pane, assign objects.

    TIP: In the Remove assignments pane, you can remove object assignments.

    To remove an assignment

    • Select the object and double-click .

  5. Save the changes.
Related topics

Assigning business roles to company resources

The default method of assigning identities, devices, and workdesks is indirect assignment. This allocates an identity, a device or a workdesk to business roles, cost centers, or locations. The total of assigned company resources for an identity, a device or workdesk is calculated from their position within the hierarchy, the direction of inheritance and the company resources assigned to these roles.

Indirect assignment is divided into:

  • Secondary assignment

    You make a secondary assignment by classifying an identity, a device, or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles.

    IMPORTANT: You use role classes to specify whether a secondary assignment of company resources is possible.

    If an identity, device or a workdesk fulfills the requirements of a dynamic role, the object is added dynamically to the corresponding company structure and can obtain company resources through it.

  • Primary assignment

    You make a primary assignment using a business role, cost center, or location foreign key reference in identity, device and workdesk objects. Primary assignment inheritance can be enable through configuration parameters.

You must assign company resources to business roles, cost centers, or locations so that identities, devices, and workdesks can inherit company resources. The following table shows the possible company resources assignments.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 14: Possible company resource assignments
Company resource Available in Module

Resources

always

Account definitions

Target System Base Module

Groups of custom target systems

Target System Base Module

System entitlements of custom target systems

Target System Base Module

Active Directory groups

Active Directory Module

SharePoint groups

SharePoint Module

SharePoint roles

SharePoint Module

LDAP groups

LDAP Module

Notes groups

Domino Module

SAP groups

SAP R/3 User Management Module

SAP profiles

SAP R/3 User Management Module

SAP roles

SAP R/3 User Management Module

SAP parameters

SAP R/3 User Management Module

Structural profiles

SAP R/3 Structural Profiles Add-on Module

BI analysis authorizations

SAP R/3 Analysis Authorizations Add-on Module

E-Business Suite permissions

Oracle E-Business Suite Module

System roles

System Roles Module

Subscribable reports

Report Subscription Module

Software

Software Management Module

Azure Active Directory groups

Azure Active Directory Module

Azure Active Directory administrator roles

Azure Active Directory Module

Azure Active Directory subscriptions

Azure Active Directory Module

Disabled Azure Active Directory service plans

Azure Active Directory Module

Unix groups

Unix Based Target Systems Module

Cloud groups

Cloud Systems Management Module

Cloud system entitlements

Cloud Systems Management Module

PAM user groups

Privileged Account Governance Module

Google Workspace groups

Google Workspace Module

Google Workspace products and SKUs

Google Workspace Module

SharePoint Online groups

SharePoint Online Module

SharePoint Online roles

SharePoint Online Module

OneLogin roles

OneLogin Module

To add company resources to a hierarchical role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the role in the result list.

  3. Select the task to assign the corresponding company resource.

  4. In the Add assignments pane, assign company resources.

    TIP: In the Remove assignments pane, you can remove company assignments.

    To remove an assignment

    • Select the company resource and double-click .
  5. Save the changes.
Detailed information about this topic
Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级