Role overview
A role, also termed an organizational role, is a modeling concept that serves as a convenience in administering policy. The descriptive properties of a role, particularly its name, are significant and imply the purpose of the role. For example, a role might be named manager, designer, or auditor. In IBM Security Identity Manager, a role is used to support user and access provisioning.
A role can be used to support different provisioning models.
- Role-based, to automate and to accelerate the process of granting access to resources. A role-based model lowers the risk that individuals gain more system access than their job or other relationship to the company requires.
The operational needs of an enterprise determine the assignment of users to roles. For example, a user might have a role as a help desk assistant or auditor. In a role-based model, users receive a specific set of accounts and access rights based on role membership. When a user is removed from a role, the entire set of accounts and access rights is also removed.
The role might be a child role of another organizational role, which then becomes a parent role. The child role inherits the permissions of the parent role.
- Request-based provisioning, in which a role represents access to an IT resource that a user can search for and request directly.
The access entitlements of the role are defined by a provisioning policy. Approval processing can be supported for a role request; the user is assigned to the role after the request is approved. When the user is a member of a role, access rights are granted. Removing a user from that role also removes the entire set of access that the role granted.
If a role is a child of another organizational role that is referenced in a provisioning policy, the child role also inherits the entitlements of that provisioning policy.
Using the processes provided by Security Identity Manager, a user in a business unit might have a role. To enable the user to access one or more resources, a provisioning policy can be configured so that the role referenced in the policy is granted the set of entitlements for those resources.
Security Identity Manager also supports two ways to define an organizational role: static roles and dynamic roles. Assigning a person to a static role is a manual process. For a dynamic role, membership is specified as a filter in the role definition that selects members based on a person attribute, such as a business title.
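The following Python model is an added example, not code from IBM Security Identity Manager or its documentation. It illustrates the two mechanics described above: a child role inheriting the entitlements that a provisioning policy grants to its parent (and losing the whole set when the person is removed from the child role), and dynamic role membership computed from a person attribute rather than assigned by hand. All role names, entitlement labels, attribute names and the filter format are constructed assumptions, not product semantics.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# An entitlement here is just a constructed label standing in for an account
# or access right that a provisioning policy would grant (assumption).
Entitlement = str


@dataclass
class Role:
    name: str
    parent: Optional[str] = None               # name of the parent role, if any
    # Dynamic role: attribute values a person must match to be a member.
    # None means a static role whose members are assigned manually.
    member_filter: Optional[Dict[str, str]] = None


@dataclass
class Person:
    uid: str
    attributes: Dict[str, str] = field(default_factory=dict)


class ProvisioningModel:
    """Toy model of roles, provisioning policies and role membership."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.policies: Dict[str, Set[Entitlement]] = {}   # role -> entitlements
        self.static_members: Dict[str, Set[str]] = {}     # role -> person uids

    def add_role(self, role: Role) -> None:
        if role.parent is not None and role.parent not in self.roles:
            raise ValueError(f"unknown parent role {role.parent!r}")
        self.roles[role.name] = role
        self.static_members.setdefault(role.name, set())

    def define_policy(self, role_name: str, entitlements: Set[Entitlement]) -> None:
        # The provisioning policy references the role and grants it a set of entitlements.
        self.policies[role_name] = set(entitlements)

    def assign(self, uid: str, role_name: str) -> None:
        # Manual assignment applies only to static roles.
        if self.roles[role_name].member_filter is not None:
            raise ValueError("dynamic role membership is computed, not assigned")
        self.static_members[role_name].add(uid)

    def remove(self, uid: str, role_name: str) -> None:
        self.static_members[role_name].discard(uid)

    def ancestry(self, role_name: str) -> List[str]:
        """The role followed by its parent, grandparent, ...; a child inherits upward."""
        chain: List[str] = []
        seen: Set[str] = set()
        current: Optional[str] = role_name
        while current is not None and current not in seen:   # guard against cycles
            seen.add(current)
            chain.append(current)
            current = self.roles[current].parent
        return chain

    def role_entitlements(self, role_name: str) -> Set[Entitlement]:
        """Entitlements of the role plus everything inherited from its ancestors."""
        result: Set[Entitlement] = set()
        for name in self.ancestry(role_name):
            result |= self.policies.get(name, set())
        return result

    def roles_of(self, person: Person) -> Set[str]:
        """Static memberships plus every dynamic role whose filter the person matches."""
        held = {r for r, uids in self.static_members.items() if person.uid in uids}
        for role in self.roles.values():
            f = role.member_filter
            if f is not None and all(person.attributes.get(k) == v for k, v in f.items()):
                held.add(role.name)
        return held

    def effective_access(self, person: Person) -> Set[Entitlement]:
        result: Set[Entitlement] = set()
        for role_name in self.roles_of(person):
            result |= self.role_entitlements(role_name)
        return result


def build_demo() -> ProvisioningModel:
    """Constructed sample: a parent role, a child role and a dynamic role."""
    m = ProvisioningModel()
    m.add_role(Role("employee"))
    m.add_role(Role("help-desk", parent="employee"))
    m.add_role(Role("auditor", member_filter={"title": "Auditor"}))
    m.define_policy("employee", {"email-account", "intranet-login"})
    m.define_policy("help-desk", {"ticketing-agent"})
    m.define_policy("auditor", {"audit-log-read"})
    return m


def demo() -> Dict[str, Set[Entitlement]]:
    m = build_demo()
    alice = Person("alice", {"title": "Help Desk Assistant"})
    bob = Person("bob", {"title": "Auditor"})
    m.assign("alice", "help-desk")                 # static membership in the child role
    alice_before = m.effective_access(alice)       # child's own + inherited parent entitlements
    m.remove("alice", "help-desk")                 # removal drops the entire inherited set
    return {
        "alice_before": alice_before,
        "bob": m.effective_access(bob),            # dynamic membership via the title filter
        "alice_after": m.effective_access(alice),
    }


if __name__ == "__main__":
    for label, access in demo().items():
        print(label, sorted(access))
```

Two points are worth noticing when running it: alice never holds the employee role directly, yet her effective access includes its entitlements because help-desk is its child; and removing her from help-desk leaves her with nothing, which is the "entire set is also removed" behaviour the text describes. Bob is never assigned anywhere, his auditor membership and its audit-log-read entitlement follow purely from the attribute filter.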