Role: A role is a collection of entitlements or other roles that enables an identity to access the resources and to perform certain operations within an organization.
By default there are four types of roles configured in IdentityIQ, they are
We will discuss the various possible usages of the role structures in their default configuration as shown below.
Possible Organizational structures could include:
Organization Role creates a familiar and easily navigable framework for managing the business role model. This makes it easier to identify and create the component business roles, and it facilitates finding and managing roles as changes occur in the future.
STEP-1: GO TO Define Roles - > New Role - > Role as shown below.
STEP-2: Click on New Role and select Role, the following screen is displayed. Enter the required fields and click on Submit.
Required Fields on Role Editor Page:
STEP-3: Select Type as Organizational as shown below.
STEP-4: The following page is displayed on selecting the Modify Inheritance as shown below.
STEP-5: Add the Roles you want to inherit into this Organization Role and save it. And the created roles will be viewed under the View Roles tab
For example, within the Financing Organization, there might be an Accountant, 3 Cashiers, and some people under Treasury. This would require the creation of business roles:
Example:
STEP-1: GO TO Define Roles, Click on New Role and select Role the following screen is displayed as shown.
STEP-2: Select Type as Business, the following screen is displayed. Enter the required fields and click on Submit.
Required Fields on Role Editor Page:
Required Roles: Required Roles are the IT roles that an Identity must have when they are associated with that business role.
Add the appropriate IT Roles for the Required Roles and click on Save.
Permitted Roles: Permitted Roles are the ones that the Identity can have but is not required to have when assigned that business role.
Add the appropriate IT Roles for the Permitted Roles and click on Save.
STEP-3: The created Business Roles are listed down under Role Viewer tab as shown below.
NOTE-1: When a Business Role defined with Required Roles is requested to an Identity whose Entitlements do not match with the required Roles will be marked in red color in the identity cube as shown in the below.
NOTE-2: When a Business Role is requested to the identities in Active Directory, automatic provisioning of missing Entitlements in the Required Role is enabled in SailPointIQ.
Role Membership Certifications: The Role Membership Certification is another useful tool in role lifecycle management. This certification focuses on the set of Identities to which one or more selected roles is assigned. Certification responsibility can be Role Management in IdentityIQ assigned to each Identity’s Manager, to the Role Owner, or to a specifically selected certifier – whoever is best equipped to determine whether the roles’ members should hold the roles or not.
Often, this certification type is used during the role creation process to validate the sets of identities grouped together under a mined or manually created business role even before that role is connected to any required or permitted IT roles. This helps validate the role structure and any automatic assignment rules created for the roles before it has any impact on application entitlement provisioning.
STEP-1: GO TO Monitor Certifications - > New Certification - > Role Membership
STEP-2: Select the Owner and the Roles to be certified, check Run now on the Basic page, In this case it is STRATEGY,
STEP-3: GO TO Behavior page; check Enable Provisioning of Missing Role Requirements under the decision tab. This will notify the certifier if any provisioning is required during the approval process.
STEP-4: GO TO Advance page, select the Certifier and click on Schedule Certification
STEP-5: A Work Item is created for certification; the certifier defined in the certification will be able to certify the Work Item is shown below.
STEP-6: Any Identity who’s Roles do not match with the Required Business roles will be identified here as shown in the below.
STEP-7: When the certifier approves the certification, the following window is popped up saying “Provision the Required Roles” or “Approve without provisioning” as shown below.
NOTE-1: Business Roles will be assigned to the Identities automatically by writing the Assignment Rule or by Access requesting in the Access Request option in the IdentityIQ Dashboard.
Business Role Mining: Though business roles can be manually created through the IdentityIQ user interface, role mining can also be used to generate business roles and can often do the task much more efficiently than a manual process. In business role mining, roles are identified based on one or more Identity Attributes in IdentityIQ. For example, if Department is one of the identity attributes, a business role can be created based on each unique Department.
NOTE: Mined business roles are created in a disabled state and must be activated before they can be assigned to any identity, either automatically or through an access request. Mined business roles also automatically contain assignment logic which will automatically assign them to identities whose attributes match the criteria used to identify the role, once the role is activated.
STEP-1: GO TO Define Role - > New Role - > Business Role Mining, the following page is displayed. Enter the required information and click on Save and Execute.
Required fields on Role Mining Page:
STEP-2: After Executing the Role Mining the following page displayed with the list of Role Mines created as shown below.
The Business Role hierarchy can be viewed under Role Viewer Tab as shown in the below.
Role Impact Analysis: Role uniqueness, as well as the role membership impact of a role creation or change, can be measured through a role impact analysis. An impact analysis can be run IdentityIQ user interface.
The impact of any changes to the Role memberships can be analyzed by submitting the role with impact analysis.
Example: Submitting a Business role with Impact Analysis.
STEP-1: GO TO Define Role; select a role, click on Edit Role as shown in the below.
STEP-2: Make any changes to the selected Role in this editor, like Add or Remove any Roles or change Description or inherit any Roles and click on Submit with Impact Analysis, a Work Item is created for Approval as shown below.
STEP-3: The Work Item for approval goes to the owner of the Role, in this case Administrator, he can view the changes made to it and the impact it has on the organization, he can approve, reject or forward to appropriate authority or identity.
Policy Validation: The Impact Analysis section of the analysis results also includes a statistic on policy violations detected for the selected role. This statistic is calculated by evaluating the role against the defined Policies in the system and determining if it will cause violations of any of those Policies.
STEP-1: GO TO Define Role; select a role, click on Edit Role as shown in the below.
STEP-2: Click on Check Policy Conflicts, we can find out if this Role has any conflicts with the policies defined in the IdentityIQ.
Example:
In the above figure BUSINESS ANALYST is an IT Role created for the Identities who are all entitled with the Access c3 & c4.
STEP-1: GO TO Define Roles, the following screen is displayed as shown
STEP-2: Click on New Role and select Role, the following screen is displayed. Enter the required fields and click on Submit.
Required fields on Role Mining Page:
STEP-3: To add the entitlements click on Add option under the Entitlements a new window is popped up as shown in the below.
STEP-4: Select the Application from the drop down menu and the Entitlements you want to group as a Role and click on Save and click on Submit.
The roles you have created will be listed down under the Role Viewer menu as shown in the below picture.
NOTE: IT Roles will be automatically detected to the matched Identities on Refreshing the Identity Cube by checking Refresh assigned, detected roles and promote additional entitlements.
Here we will discover creating an IT Role using Profiles in the Advance View option.
STEP-1: GO TO Define Roles - > New Role - > Role.
STEP-2: Select Advance View in the Entitlements window the following screen is displayed Select Create New Profile as shown below.
STEP-3: Edit Entitlement page is displayed, select the Application, add the filters and save it.
STEP-4: It redirects back to the Role Editor page, go ahead and submit it, you can view all the created roles under Role viewer tab.
Profiles can also be created from Entitlement Analysis in Advance View tab in Role Editor Page.
STEP-1: GO TO Define - > Roles - > New Role - > Role.
STEP-2: Select Advance View in the Entitlements window the following screen is displayed Select Create New Profile from Entitlement Analysis as shown below.
STEP-3: Enter the name, description, type, and select the Application, and their Attributes, click on Search as shown below.
STEP-4: The search results are displayed as shown below, select the required Entitlements and click on Create profile and click on Save.
STEP-5: It redirects to the Role Editor page, Click on Submit, IT role is created using Profiles created from Entitlement Analysis. As shown below.
IT Roles can be created automatically by setting up the filters in IT Role Mining.
IT Role Mining: In general, the most efficient way to get started creating IT roles in the IdentityIQ Role Modeler is to generate them through role mining. In role mining, IT roles are generated based on system access current employees already have.
Types of IT Role Mining Activities: Roles can be mined either by performing an IT Role Mining or by running an Entitlement Analysis.
IT Role Mining: IT Role Mining is designed to highlight Identities’ entitlement commonalities. It returns every set of entitlements on the selected applications that are all held by one or more Identities.
We will create an IT role using IT Role Mining as shown in the below steps.
STEP-1: GO TO Define Role - > New Role - > IT Role Mining, the following page is displayed. Enter the required information and click on Save and Execute.
Required fields on Role Mining Page:
STEP-2: After Executing the Role Mining the following page displayed with the list of Role Mines created as shown below.
STEP-3: The results for the Role Mining can be viewed in Role Mining Results tab as shown below.
STEP-4: The results are displayed in Groups; each group in the results represents a set of access held by at least one Identity, Right Click on the required group and select Create Role as shown in the below.
STEP-5: The following window is popped up, enter the required fields and click on Save as shown below.
Requires fields for Create Role Window:
STEP-6: The system generated IT Role through Role Mining will be listed down under the Role Viewer tab as shown.
Entitlement Analysis: Entitlement Analysis is designed to allow maximum flexibility in grouping entitlements into roles by returning each entitlement separately and allowing the administrator to group them in as many combinations as are desired.Entitlement Analysis even allows the creation of roles that represent sets of entitlements no one user currently holds, while IT Role Mining does not. However, Entitlement Analysis does not show the existing connections between entitlements as well as IT Role Mining does.
STEP-1: GO TO Define Role - > New Role - > Entitlement Analysis, the following page is displayed. Enter the required information and click on Search.
Required fields on Role Mining Page:
STEP-2: The search results are displayed as shown in the below.
STEP-3: Select the Entitlements you want to group together and click on Create Role as shown below.
STEP-4: The following screen is displayed, where you enter the name of the Role, select the Type of the Role and description and Save it.
STEP-5: The Role created will be listed down under Role Viewer tab as shown below.
hi,
I created a profile type IT role (costm) and when I tried to assign an identity with the given IT role via My dashboards-> Manage user access, but when we try to remove the role in identity and it does not work
Hello,
I have created a business role that has an IT role in it. 2 entitlements have been added into this IT role. When I try to assign this business role via 'Manage Access' only the business role is getting assigned but the actual entitlements(under IT role) are not. Any solution to this?