Scope of governing entities in the organization tree

Most IBM Security Identity Manager policies let you specify the scope of the services they govern in the organization tree. The scope is based on the association of the policy with the business unit. A dynamic role scopes the users it governs based on its association with the organization tree. An access control item scopes the object types it protects based on its association with the organization tree. The scope of policies, roles, and workflows differs in its effect in an organization hierarchy.

| Entity Type | Scope of Governing Entity |
|---|---|
| Identity policy | Services associated with the same business unit or in the subtree. |
| Password policy | Services associated with the same business unit or in the subtree. |
| Provisioning policy | Services associated with the same business unit or in the subtree. |
| Service selection policy | Provisioning policies associated with the same business unit or in the subtree. |
| Static role | Users in the entire organization to which the role belongs. |
| Dynamic role | Users associated with the same business unit or in the subtree. |
| Workflow | Service or Access in the entire organization. |
| Access control item | Objects (based on the protected object type) associated with the business unit or in the subtree. |
| Shared access policy | Credentials or credential pools associated with the same business unit or in the subtree. |
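
The following is an added example, not part of the IBM documentation or product code. It resolves the reach listed in the table over a constructed organization tree, which makes the difference between subtree scope and organization-wide scope visible when auditing who an entity can affect. The unit names, users, and function names are assumptions; it models only tree containment, not the object type each entity governs or any narrower scope configured on an individual policy.

```python
# Constructed organization trees: unit -> parent (None marks an organization root).
PARENT = {
    "Acme": None, "Finance": "Acme", "Payroll": "Finance", "Engineering": "Acme",
    "Globex": None, "Sales": "Globex",
}
# Constructed users and the business unit each one is placed in.
USERS = {"alice": "Payroll", "bob": "Finance", "carol": "Engineering", "dave": "Sales"}

SUBTREE, ORGANIZATION = "subtree", "organization"
# Reach of each entity type, transcribed from the table above.
SCOPE_RULE = {
    "Identity policy": SUBTREE,
    "Password policy": SUBTREE,
    "Provisioning policy": SUBTREE,
    "Service selection policy": SUBTREE,
    "Static role": ORGANIZATION,
    "Dynamic role": SUBTREE,
    "Workflow": ORGANIZATION,
    "Access control item": SUBTREE,
    "Shared access policy": SUBTREE,
}

def path_to_root(unit):
    """Return [unit, parent, ..., organization root]; reject unknown units and cycles."""
    path = []
    while unit is not None:
        if unit not in PARENT or unit in path:
            raise ValueError(f"unknown unit or cycle at {unit!r}")
        path.append(unit)
        unit = PARENT[unit]
    return path

def in_scope(entity_type, entity_unit, target_unit):
    """True if an entity attached at entity_unit reaches an object placed in target_unit."""
    entity_path, target_path = path_to_root(entity_unit), path_to_root(target_unit)
    if SCOPE_RULE[entity_type] == ORGANIZATION:
        return entity_path[-1] == target_path[-1]   # same organization root
    return entity_unit in target_path               # same unit or a descendant of it

def governed(entity_type, entity_unit, placements):
    """Names of the placed objects that the entity governs, sorted."""
    return sorted(n for n, u in placements.items() if in_scope(entity_type, entity_unit, u))

if __name__ == "__main__":
    for kind in ("Dynamic role", "Static role"):
        print(kind, "at Payroll ->", governed(kind, "Payroll", USERS))
```

Attached at the same leaf business unit, the dynamic role reaches only that unit's users while the static role reaches every user in the organization, so where a static role sits in the tree does not narrow its membership reach.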

See:

  1. Provisioning policies
  2. Service selection policies
  3. Identity and password policies
  4. Workflows
  5. Access control items
  6. Customization and bulk loading of identity data
