Access entitlements and access control items

Access control items defined for Service, Service Group, and Account control a user's privileges for access configuration and for user access management that is based on service groups.

Access control items defined for Role, Dynamic Role, and Person control a user's privileges for access management and for user access management that is based on organizational roles.

IBM Security Identity Manager provides default access control items that target access entitlements, as described in Table 1.

For more information on default access control items for the shared access module, see the IBM Security Privileged Identity Manager product documentation.

Table 1. Default access control items that target access entitlements

| Who is permitted | Default access control items related to access management | Effect |
| --- | --- | --- |
| All users | Service group - read all access attributes; Static role - search and modify attribute; Dynamic role - search attribute; Person - modify and use the erroles attribute read/write for self; Account - search, add, view, and remove group member for self. | Allow users to request new access authorization and to view and remove their own access. |
| Manager or supervisor or the account owner | Service group - search and read all access attributes; Static role - search and modify attribute; Dynamic role - search attribute; Person - modify and use the erroles attribute read/write for subordinate; Account - search, add, view, and remove group member for subordinate. | Allow a manager to view, request, or remove access of a subordinate. |
| Help desk assistant | Service group - search and read all access attributes; Static role - search and modify attribute; Dynamic role - search attribute; Person - modify and use the erroles attribute read/write for all; Account - search, add, view, and remove group member for all. | Allow all help desk users to view, request, or remove access for all users in the organization. |
| Service owner or access owner of the service on which the account resides | Service group - all access control item operations; Account - all access control item operations. | Allow service owners or access owners to search a group, define access, and recertify access. Allow service owners or access owners to manage accounts and group members for a service or defined access that they own on the service. |
| Sponsor of the business partner organization in which the account resides | Service group - search or read all access attributes; Account - search, and add, view, or remove group member. | Allow a sponsor to view, request, or remove access of a subordinate. |
| Auditor group | Service group - search; Account - search and read all access attributes. | Allows members of the auditor group to view access reports. |
| Service owner or auditor group | Reports (access) - run an operation. | Allows members of the service owner or auditor groups to view the access report. |
| Auditor, manager, or service owner groups | Reports (individual, access) - run an operation. | Allows members of these groups to view the individual access report. |
| Privileged Administrator group | Static role - all access control item operations; Dynamic role - all access control item operations; Reports (individual, access) - run an operation. | Allow all privileged administrators to view, add, or remove access in the organization. Allows members of these groups to view the individual access report. |
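The rows above grant the same operations on the erroles attribute to different principals, differing mainly in scope: the requester's own record ("for self"), the records of the requester's direct reports ("for subordinate"), or every record ("for all"). The following is an added illustration, not code from the product documentation or from IBM Security Identity Manager's own evaluation engine. It models only that scoping rule as a grant-only check (no deny items, no precedence between items, and a non-transitive manager relationship are all assumptions); the person records, group name "helpdesk", and principal label "all_users" are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration (assumption-based, not ISIM's own ACI engine): a simplified
# model of how the default access control items scope the erroles attribute to
# "self", "subordinate", or "all". Grant-only; deny items and precedence are
# not modelled. Group and principal labels are constructed for this example.

@dataclass(frozen=True)
class Person:
    uid: str
    manager: Optional[str] = None        # uid of this person's manager, if any
    groups: frozenset = frozenset()      # constructed group labels, e.g. {"helpdesk"}

@dataclass(frozen=True)
class Aci:
    principal: str         # "all_users", or a group the requester must belong to
    target_type: str       # object class the item protects, e.g. "Person"
    attribute: str         # protected attribute, e.g. "erroles"
    operations: frozenset  # operations the item grants
    scope: str             # "self", "subordinate", or "all"

# Constructed subset of the Person-related defaults from Table 1. The
# "subordinate" item is granted to all users because the scope itself
# restricts it to the target's manager.
DEFAULT_ACIS = (
    Aci("all_users", "Person", "erroles", frozenset({"read", "write"}), "self"),
    Aci("all_users", "Person", "erroles", frozenset({"read", "write"}), "subordinate"),
    Aci("helpdesk", "Person", "erroles", frozenset({"read", "write"}), "all"),
)

def in_scope(requester: Person, target: Person, scope: str) -> bool:
    """Does the target record fall within the requester's scope for this item?"""
    if scope == "self":
        return requester.uid == target.uid
    if scope == "subordinate":
        # Direct reports only; indirect reports are out of scope (assumption).
        return target.manager == requester.uid
    if scope == "all":
        return True
    raise ValueError(f"unknown scope {scope!r}")

def applicable(requester, target, target_type, attribute, operation, acis=DEFAULT_ACIS):
    """Return every item that grants the requested operation on this target."""
    return [
        aci for aci in acis
        if aci.target_type == target_type
        and aci.attribute == attribute
        and operation in aci.operations
        and (aci.principal == "all_users" or aci.principal in requester.groups)
        and in_scope(requester, target, aci.scope)
    ]

def is_permitted(requester, target, target_type, attribute, operation, acis=DEFAULT_ACIS) -> bool:
    """Grant-only decision: permitted if at least one applicable item grants it."""
    return bool(applicable(requester, target, target_type, attribute, operation, acis))

# Constructed sample directory: alice manages bob, bob manages dave,
# carol is a help desk assistant with no reports.
ALICE = Person("alice")
BOB = Person("bob", manager="alice")
CAROL = Person("carol", groups=frozenset({"helpdesk"}))
DAVE = Person("dave", manager="bob")

if __name__ == "__main__":
    checks = [
        ("bob edits own roles", BOB, BOB),
        ("alice edits bob (direct report)", ALICE, BOB),
        ("bob edits alice (his manager)", BOB, ALICE),
        ("carol (help desk) edits dave", CAROL, DAVE),
        ("alice edits dave (indirect report)", ALICE, DAVE),
    ]
    for label, requester, target in checks:
        decision = is_permitted(requester, target, "Person", "erroles", "write")
        print(f"{label}: {'permitted' if decision else 'denied'}")
```

Running the block shows that a manager's grant covers direct reports but not reports of reports under the non-transitive assumption, and that only group membership (here the constructed "helpdesk" group) widens the scope to every record, which is the distinction the three Person rows in the table make.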

Parent topic: Access control item management issues