Entity types used by access control items
Access control items focus on target entity types.
IBM Security Identity Manager provides default access control items that target a protection category. We can also assign a specific object class, such as the erPosixLinuxAccount object class, to an access control item.
Access control items focus on an entity such as an account, organization, or role. Some access control items require the selection of an entity subclass. An access control item can focus on these categories of entity types.
- Account
- Represents a user's access to a managed resource. Install the service profile for the managed resource that hosts the accounts, then create an access control item for the account object class.
- Account Default Template
- Provides default values for account attributes when requesting an account on a service.
- Admin Domain
- Subsidiary part of an organization, treated as a separate entity with its own policies, services, and access control items. An admin domain has a designated administrator whose actions and views are restricted to that domain.
- Business Partner Organization
- Represents a company outside the organization that has an affiliation with it, such as a supplier, customer, or contractor.
- Business Partner Person
- Represents an employee of an outside entity with which the organization is affiliated, such as a supplier or customer.
- Credential
- Represents a credential in the credential vault.
- Credential Lease
- Represents the lease for a user to use a credential for a limited time period.
- Credential Pool
- Provides a way to group credentials with similar access privileges. This grouping can be defined as a service group or a set of service groups.
- Dynamic Organizational Role
- Selects users based on the attributes in an LDAP filter, such as the title of a user. When a user is added to the system and the LDAP filter parameters are met, the user is automatically added to the dynamic role.
- Identity Manager User
- Represents an account of the ITIM Service.
- Identity Policy
- Defines who has access based on an identity policy.
- ITIM Group
- Specifies a collection of users with accounts on the ISIM service.
- Location
- Specifies a container for a geographically distinct part of an organization, contained within the organization entity.
- Organizational Unit
- Subsidiary part of an organization, such as a division or department. An organizational unit can be subordinate to any other container, such as organization, organizational unit, location, and business partner organization.
- Password Policy
- Defines who has access based on a password policy.
- Person
- Specifies a person whose identity record is managed as an account by ISIM.
- Provisioning Policy
- Defines who has access based on a provisioning policy.
- Recertification Policy
- Defines who has access based on a recertification policy.
- Report
- Specifies report access control items for groups that are allowed to run a specific type of report. For example, the service owner group might have access to run the Orphan Accounts Report. The auditor group might have access to run the Recertification Change History Report.
- Separation of Duty Policy
- Represents a logical container of separation rules that define mutually exclusive relationships among roles.
- Service
- Identifies a managed resource, such as a Windows service, or IBM Security Identity Manager itself.
- Service Group
- Specifies a collection of users with user accounts on a specific service, such as an accounting application. A service group is related to groups, not services. In other words, a service group is not a set of services.
- Credential Service
- Specifies information about the resource for a credential in the vault.
- Service Selection Policy
- Defines who has access based on a service selection policy.
- Shared Access Policy
- Defines who has access to the credentials or credential pools.
- Static Organizational Role
- A set of one or more privileges that can be assigned to users. For example, the ITIM Administrators role is a predefined role. If a role is a member of another organizational role, that role member inherits the permissions of the organizational role, so all members of the organizational role and of its member roles have the same set of privileges.
- Workflow Design
- Defines who can create or modify account and access entitlement workflows.
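As an added illustration of the scoping rules this list describes, the following Python is a hypothetical model written for this page, not code from the IBM product: an ACI targets a protection category and may be narrowed to one object class (such as erPosixLinuxAccount), a static role inherits the privileges of every role it is a member of, and a dynamic role selects persons through an LDAP equality filter. The role names and privilege strings are constructed sample values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical model of the scoping rules in the entity list above; it is
# not ISIM's own API, and all names and values below are constructed.

@dataclass
class Entity:
    category: str                 # e.g. "Account" or "Person"
    object_class: str             # e.g. "erPosixLinuxAccount"
    attrs: dict = field(default_factory=dict)

@dataclass
class Aci:
    name: str
    target_category: str
    target_object_class: str | None = None   # None: the whole category

def aci_applies(aci: Aci, entity: Entity) -> bool:
    """True when the entity is in the ACI's category and, if the ACI was
    narrowed to an object class, carries exactly that object class."""
    if aci.target_category != entity.category:
        return False
    return aci.target_object_class in (None, entity.object_class)

def effective_privileges(role: str, own: dict[str, set[str]],
                         member_of: dict[str, set[str]]) -> set[str]:
    """Privileges a static role holds itself plus those inherited, transitively,
    from every organizational role it is a member of; cycles are tolerated."""
    seen, todo, result = set(), [role], set()
    while todo:
        r = todo.pop()
        if r in seen:
            continue
        seen.add(r)
        result |= own.get(r, set())
        todo.extend(member_of.get(r, ()))
    return result

_EQ_FILTER = re.compile(r"^\((\w+)=([^()*]+)\)$")   # one equality, e.g. (title=Manager)

def dynamic_role_members(ldap_filter: str, persons: list[Entity]) -> list[Entity]:
    """Persons that satisfy a single-attribute LDAP equality filter; LDAP string
    matching is case-insensitive, so the comparison is case-folded."""
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.groups()
    return [p for p in persons
            if str(p.attrs.get(attr, "")).casefold() == value.casefold()]
```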