Identity Governance relies on authorizations to define a fixed set of authorizations and permissions. Identity Governance authorizations can be global or runtime:
Global authorizations are constant within Identity Governance and assigned through the Identity Governance Administration settings. Identity Governance maintains the set of privileges granted by the authorization. For more information, see Global Authorizations.
Runtime authorizations are those that users assume as needed during an access review and validation cycle. For example, you assign a Review Owner as needed during an access review and validation cycle. You can reassign these authorizations with each review run. For more information, see Runtime Authorizations.
NOTE:When you install Identity Governance, use the bootstrap administrator authorization to collect and publish an initial set of identities. You can then use these identities as authorized users for Identity Governance and assign authorizations to them. If a user does not have the required authorization or does not have an assigned task, the user will be redirected to the Access Request interface. For more information about requesting access, see Section 33.0, Instructions for Access Requesters and Approvers. For more information about the bootstrap administrator, see Understanding the Bootstrap Administrator for Identity Governance.
After collecting and publishing an initial set of identities, assign the Global Administrator authorization to one of these identities. Then the Global Administrator can assign the rest of the global authorizations. For more information, see Assigning Authorizations to Identity Governance Users.
The Global Administrator is the primary authorization and can:
Perform all Identity Governance actions
Assign all Identity Governance global and runtime authorizations
The Access Request Administrator manages defining who can request access in your enterprise. This authorization can:
Create, modify, and delete Access Request Policies
Create, modify, and delete Access Request Approval Policies
Edit the default Access Request Approval Policy
The Auditor has read-only rights to the catalog, reviews, separation of duties policies and violations, fulfillment status, and the Overview. However, an account assigned to the Auditor authorization might also be specified as a Review Auditor in a review definition. For more information, see Runtime Authorizations.
The Business Roles Administrator performs all administrative functions for all business roles. A Business Roles Administrator can delegate administrative privileges. This authorization can:
Administer business role schema under Data Administration
Mine for business roles
Create a business role
Modify a business role
Add or change role owners, fulfillers, and categories
Add or change the business role approval policy
Add users and groups to the business role
Exclude users and groups from the business role
Publish a business role
Delete a business role
Analyze business roles
Configure the business roles default approval policy
Create and modify business roles approval policies
The Data Administrator manages the identity and application data sources. This authorization can:
Create, add, modify, and review data sources
Create custom metrics
Create scheduled collections
Execute data collection and publishing
Create and map attributes in the catalog
Review and edit data in the catalog
Delegate responsibility by assigning application administrators, application owners, or manual fulfillers to applications in the catalog
Assign delegates for users
View data collection, data summary, and system trends in the Overview
The Fulfillment Administrator manages fulfillment and verification of requests that result from reviews. This authorization can:
Access real time and historical data for provisioning activities, including fulfillment status and verification management
The Report Administrator can access Identity Reporting. This authorization can:
Create, view, and run reports for Identity Governance
The Review Administrator manages the review process but does not have access to data collection or fulfillment settings. This authorization can:
Create, schedule, and start reviews in preview or live mode
Modify a review schedule
Assign delegates for users
Assign all the runtime authorizations as part of a review, thereby delegating certain rights pertaining to the review to those authorizations
View running reviews
View data summary and system trends in the Overview
View the Catalog but cannot modify it
The Technical Roles Administrator mines for technical role candidates, creates and manages technical roles.
The Security Officer has read-only rights to the catalog and can:
Assign authorizations for all functions in Identity Governance
View data summary in the Overview
View the Catalog but cannot modify it
NOTE:Ensure that the users assigned to the Security Officer authorization can also be trusted with global privileges in Identity Governance.
The Separation of Duties Administrator creates and manages SoD policies and violation cases.
Assign runtime authorizations when you need them. For more information, see Assigning Authorizations to Identity Governance Users.
Access Request Approvers confirm whether to approve or deny requested access in the Request application. Identity Governance assigns this authorization if an Access Request Approval policy specifies approvers.
The Application Owner manages all assigned applications. This authorization can:
View the catalog
Perform data editing for assigned applications
Review data and access within the assigned applications, depending on selections as a reviewer
(Conditional) Review access entitlements or remediate access policy violations within the application if assigned this responsibility by the review definition
The Application Administrator validates published data and performs data clean-up, or editing, for all assigned applications. This authorization can:
Modify the configuration of a data source
Execute collections for the data source
Edit data within the scope of the data source
Review data and access within the data source
View the catalog but edit only items related to the assigned data source
The Business Role Owner can review a business role and potentially approve a business role depending on whether or not the assigned approval policy specifies Approved by owners. Business role owners cannot edit business roles, they can only view them. For more information, see Section 25.0, Creating and Managing Business Roles.
A Business Role Manager can edit the assigned business roles, create, and delete new draft versions of the role but cannot delete the business role completely.
The Escalation Reviewer is an optional participant in a review. All tasks not completed on time are forwarded to the Escalation Reviewer for resolution. Otherwise, the tasks are forwarded to the Review Owner. This authorization can:
View user, permission, application, and account details in the context of the review
Decide whether to keep, modify, or remove access privileges for a user under review
Edit review decisions before submitting those items
For more information about assigning an escalation reviewer in a review definition, see Specifying Reviewers.
The Fulfiller performs manual provisioning for access changes. This authorization can:
View the changeset, identity, permission, and application details for each fulfillment request
View guidance from collected analytics data about the requested change
View the reason for the requested change and the source of the request, such as a review run, business role fulfillment, or SoD policy
Fulfill, decline to fulfill, or reassign requests
The Review Auditor authorization verifies a review campaign. Each review can have its own Review Auditor. This authorization can:
Accept or reject the review after the Review Owner marks the review complete
View the data related to the review but cannot modify the data
The Review Owner manages all assigned review instances. The Review Owner can view the details of any user, permission, or application entity within the context of the campaign. This authorization does not have general access to the catalog.
The Review Administrator who initiates a review automatically assumes the authorization of Review Owner if no Review Owner is specified.
NOTE:If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see review instances run before the ownership change. The new owner sees only the instances run after the ownership change.
For an active Review, the Review Owner can:
Start and monitor the review progress
Resolve access policy violations in the review
Reassign certification tasks within the review
Run reports against the review
Declare the review complete
View review status in Overview
View Quick Info details about a catalog item
View fulfillment status of a review item
View run history
The Reviewer authorization reviews sets of access permissions or memberships as part of a review run. This authorization can:
Decide whether to keep, modify, or remove access privileges for a user under review
Decide whether to keep or remove business role membership for a user under review
Change the reviewer for any assigned review items
View user, permission, application, and account details in the context of the review
View a history of review decisions in the context of the review
Edit review decisions before submitting them
For more information about assigning reviewers, see Specifying Reviewers.
The SoD Policy Owner is responsible for managing assigned Separation of Duties policies. This authorization can:
Manage assigned policies
Manage violation cases for assigned policies