Access control items

An access control item (ACI) is data that identifies the permissions users have for a specific type of resource. We create an access control item to specify a set of operations and permissions. We also identify which groups use the access control item. An access control item defines these items:

• The entity types to which the access control item applies
• Operations users might do on entity types
• Attributes of the entity types users might read or write
• The set of users that is governed by the access control item

IBM Security Identity Manager provides default access control items. We can also create a customized access control item. For example, a customized access control item might limit the ability of a specific Help Desk Assistant group to change information for other users. Access control items can also specify relationships such as Manager or Service Owner.

When creating customized reports, also manually create report access control items and entity access control items for the new report. These ACIs permit users who are not administrators, such as auditors, to run the custom report and view data in the custom report.

After creating an access control item or change an existing access control item, run a data synchronization to ensure that other Security Identity Manager processes, such as the reporting engine, use the new or changed access control item.

Parent topic: Resource access from a user's perspective