Access provisioning models
IBM Security Identity Manager provides role-based and request-based access provisioning models.
- Role-based
  Access to managed services is provisioned automatically based on the user’s roles in the organization. To some degree, role-based provisioning can support a role-based access control model. Role-based provisioning can be used when access control is not centrally managed by a common access control system. The automation between the role and the accounts and groups on the target resource, together with strict enforcement of role relationships, ensures that access to the IT resource is based on the role of the user.
- Request-based
  Access entitlements are authorized to a user based on the user’s roles in the organization. Entitlements enable the user, other managers, or an administrator to request the account or access.
Request-based provisioning is often used to support Discretionary Access Control (DAC) and Mandatory Access Control (MAC), in combination with appropriate approval processes. Sometimes, the two models are mixed, with each applied to different sets of users in the organization or to different sets of target services.
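The following sketch contrasts the two models. It is an added illustration, not IBM Security Identity Manager code or API. The role names, service names, policy tables, and function names are all constructed for this example, and revoking a requested account when the authorizing role is lost is an assumption of the sketch.

```python
# Illustrative model only; not IBM Security Identity Manager code or API.
from dataclasses import dataclass, field

# Constructed sample policy: role -> services, split by entitlement type.
AUTOMATIC = {"engineer": {"git", "ci"}, "manager": {"hr-portal"}}       # role-based
AUTHORIZED = {"engineer": {"prod-db"}, "manager": {"finance-reports"}}  # request-based

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    accounts: set = field(default_factory=set)   # accounts on target services
    requested: set = field(default_factory=set)  # accounts granted by approved request

def entitled(roles, policy):
    """Union of the services that the given roles map to in one policy table."""
    return set().union(*(policy.get(r, set()) for r in roles))

def reconcile(user):
    """Role-based: accounts follow roles, so access is both added and removed."""
    auto = entitled(user.roles, AUTOMATIC)
    # Assumption: a requested account survives only while a role still authorizes it.
    user.requested &= entitled(user.roles, AUTHORIZED)
    desired = auto | user.requested
    added, removed = desired - user.accounts, user.accounts - desired
    user.accounts = desired
    return added, removed

def request_access(user, service, approver_decision):
    """Request-based: the role authorizes the request; the approval grants it."""
    if service not in entitled(user.roles, AUTHORIZED):
        return "denied: not entitled"
    if not approver_decision(user, service):
        return "rejected by approver"
    user.requested.add(service)
    user.accounts.add(service)
    return "provisioned"

if __name__ == "__main__":
    alice = User("alice", roles={"engineer"})
    print(reconcile(alice))                                       # automatic accounts
    print(request_access(alice, "prod-db", lambda u, s: True))    # approved request
    alice.roles = {"manager"}                                     # role change
    print(reconcile(alice))                                       # old access removed
```

The role change at the end shows the enforcement point: access that is no longer backed by a role is removed in the same pass that adds the new role's accounts.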