Identity Governance relies on authorizations to define a fixed set of access permissions. Identity Governance authorizations can be global or runtime:
Global authorizations are constant within Identity Governance and assigned through the Identity Governance Configuration settings. Identity Governance maintains the set of privileges granted by the authorization. For more information, see Section 2.1.1, Global Authorizations.
Runtime authorizations are those that users assume as needed during an access review and validation cycle. For example, you assign a Review Owner as needed during an access review and validation cycle. You can reassign these authorizations with each review run. For more information, see Section 2.1.2, Runtime Authorizations.
NOTE: When you install Identity Governance, use the bootstrap administrator authorization to collect and publish an initial set of identities. You can then use these identities as authorized users for Identity Governance and assign authorizations to them. If a user does not have the required authorization or does not have an assigned task, the user will be redirected to the Access Request interface. For more information about requesting access, see Section 25.0, Instructions for Access Requesters and Approvers. For more information about the bootstrap administrator, see Understanding the Bootstrap Administrator for Identity Governance in the Identity Governance 3.6 Installation and Configuration Guide.
After collecting and publishing an initial set of identities, assign the Global Administrator authorization to one of these identities. The Global Administrator can then assign the rest of the global authorizations. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.
The Global Administrator is the primary authorization and can:
Perform all Identity Governance actions
Assign all Identity Governance global and runtime authorizations
The Access Request Administrator manages policies that define who can request access in your enterprise. This authorization can:
Create, modify, and delete Access Request Policies
Create, modify, and delete Access Request Approval Policies
Edit the default Access Request Approval Policy
The Auditor has read-only rights to the catalog, reviews, Separation of Duties (SoD) policies and violations, business roles, risk, certification policy, fulfillment status, and the Overview. However, this authorization can configure and run insights queries, and an account assigned to the Auditor authorization might also be specified as a Review Auditor in a review definition. For more information, see Section 2.1.2, Runtime Authorizations.
The Business Roles Administrator performs all administrative functions for all business roles. A Business Roles Administrator can delegate administrative privileges. This authorization can:
Administer the business role schema under Data Administration
Mine for business roles and promote role candidates
Create a business role
Modify a business role
Add or change role owners, role managers, fulfillers, and categories
Add or change the business role approval policy
Add users and groups to the business role
Exclude users and groups from the business role
Publish a business role
Delete a business role
Analyze business roles
Configure the business roles default approval policy
Create and modify business roles approval policies
The Data Administrator manages the identity and application data sources. This authorization can:
Create, add, modify, and review data sources
Create custom metrics
Create scheduled collections
Execute data collection and publishing
Create and map attributes in the catalog
Review and edit data in the catalog
Configure and run governance insight queries
Delegate responsibility by assigning application administrators, application owners, or manual fulfillers to applications in the catalog
Assign delegates for users
View data collection, data summary, and system trends in the Overview
Perform data maintenance tasks including archiving and data cleanup
The Governance Insights Administrator manages data queries. This authorization can:
Configure and run governance insight queries
Download and import insight queries
The Fulfillment Administrator manages fulfillment and verification of requests that result from reviews. This authorization can:
Access real-time and historical data for provisioning activities, including fulfillment status and verification management
The Report Administrator can access Identity Reporting. This authorization can:
Create, view, and run reports for Identity Governance
The Review Administrator manages the review process but does not have access to data collection or fulfillment settings. This authorization can:
Create, schedule, and start reviews in preview mode or live mode
Modify a review schedule
Assign all the runtime authorizations as part of a review, thereby delegating certain rights pertaining to the review to those authorizations
View reviews in progress
View data summary and system trends in the Overview
View the Catalog, but cannot modify it
The Technical Roles Administrator mines for technical role candidates and creates and manages technical roles.
The Security Officer has read-only rights to the catalog and can:
Assign authorizations for all functions in Identity Governance
View data summary in the Overview
View the Catalog, but cannot modify it
NOTE: Ensure that the users assigned to the Security Officer authorization can also be trusted with global privileges in Identity Governance.
The Separation of Duties Administrator creates and manages SoD policies and violation cases.
Assign runtime authorizations when you need them. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.
Access Requesters request application access, permissions, and technical role (previously labeled as access profile) assignment. The Identity Governance Access Request Administrator and Global Administrator define the Access Request policy that specifies who can request access, what they can request, and for whom they can make requests.
Access Request Approvers confirm whether to approve or deny requested access in the Request application. Identity Governance assigns this authorization if an Access Request Approval policy specifies approvers.
The Application Owner manages all assigned applications. This authorization can:
View the catalog
Perform data editing for assigned applications
Review data and access within the assigned applications, depending on selections as a reviewer
(Conditional) Review access entitlements or remediate access policy violations within the application if assigned this responsibility by the review definition
The Application Administrator validates published data and performs data cleanup, or editing, for all assigned applications. This authorization can:
Modify the configuration of a data source
Execute collections for the data source
Edit data within the scope of the data source
Review data and access within the data source
View the catalog but edit only items related to the assigned data source
The Business Role Owner can review a business role and approve a business role, depending on whether the assigned approval policy specifies Approved by owners. Business role owners cannot edit business roles; they can only view them. For more information about approval policies, see Section 16.0, Creating and Managing Business Roles.
A Business Role Manager is an optional participant in the business role process. This authorization can:
Edit assigned business roles
Submit a business role for approval, if the approval policy requires approval
Promote role candidates
Publish roles
Deactivate roles
NOTE: Role Managers cannot delete a role. Only Global or Business Role Administrators can delete roles.
The Escalation Reviewer is an optional participant in a review. If an Escalation Reviewer is assigned, all tasks not completed on time are forwarded to the Escalation Reviewer for resolution; otherwise, the overdue tasks are forwarded to the Review Owner. This authorization can:
View user, permission, application, and account details in the context of the review
Decide whether to keep, modify, or remove access privileges for a user under review
Edit review decisions before submitting those items
For more information about assigning an escalation reviewer in a review definition, see Section 21.8, Specifying Reviewers.
The Fulfiller performs manual provisioning for access changes. This authorization can:
View the changeset, identity, permission, and application details for each fulfillment request
View guidance from collected analytics data about the requested change
View the reason for the requested change and the source of the request, such as a review run, business role fulfillment, or SoD policy
Fulfill, decline to fulfill, or reassign requests
The Review Auditor verifies a review campaign. Each review can have its own Review Auditor. This authorization can:
Accept or reject the review after the Review Owner marks the review complete
View the data related to the review, but cannot modify the data
The Review Owner manages all assigned review instances. The Review Owner can view the details of any user, permission, or application entity within the context of the review. This authorization does not have general access to the catalog.
The Review Administrator who initiates a review automatically assumes the authorization of Review Owner if no Review Owner is specified.
NOTE: If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see review instances run before the ownership change. The new owner sees only the instances run after the ownership change.
For an active Review, the Review Owner can:
Start and monitor the review progress
Resolve access policy violations in the review
Reassign certification tasks within the review
Run reports against the review
Declare the review complete
View the review status in Overview
View Quick Info details about a catalog item
View the fulfillment status of a review item
View the run history
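The three runtime rules above that are easy to get wrong when auditing who can see what (the Review Administrator who starts a review becomes its Review Owner when none is specified, a reassigned review stays visible to the previous owner only for instances run before the change, and an overdue task goes to the Escalation Reviewer only when one is assigned, otherwise to the Review Owner) are modeled in the following Python. This is an added illustration, not Identity Governance's own code; the class and function names, the timestamp-based ownership history, and the user names in the scenario are all assumptions made for the example.

```python
"""Model of the review-scoped runtime authorizations described above.

Added example code, not an Identity Governance implementation. The
representation of ownership as a chronological list of
(effective_from, owner) pairs is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ReviewInstance:
    """One run of a review definition (constructed sample data)."""
    review_id: str
    run_number: int
    started_at: int  # assumed: monotonically increasing timestamp


@dataclass
class ReviewDefinition:
    review_id: str
    initiated_by: str            # the Review Administrator who created the review
    created_at: int = 0
    escalation_reviewer: Optional[str] = None
    owner_history: List[Tuple[int, str]] = field(default_factory=list)

    def assign_owner(self, owner: str, effective_from: int) -> None:
        """Reassign the Review Owner; earlier instances stay with the old owner."""
        if self.owner_history and effective_from < self.owner_history[-1][0]:
            raise ValueError("ownership changes must be recorded in order")
        self.owner_history.append((effective_from, owner))

    def owner_at(self, when: int) -> str:
        """Review Owner in effect at a point in time. With no explicit owner,
        the initiating Review Administrator holds the Review Owner role."""
        owner = self.initiated_by
        for effective_from, candidate in self.owner_history:
            if effective_from <= when:
                owner = candidate
            else:
                break
        return owner

    def can_access_review(self, user: str) -> bool:
        """Every user who has ever been owner keeps access to the review itself."""
        owners = {o for _, o in self.owner_history}
        if not self.owner_history or self.owner_history[0][0] > self.created_at:
            owners.add(self.initiated_by)
        return user in owners

    def visible_instances(self, user: str, instances: List[ReviewInstance]) -> List[ReviewInstance]:
        """Instances a (previous or current) owner may see: only those run
        while that user was the owner in effect."""
        return sorted(
            (i for i in instances
             if i.review_id == self.review_id and self.owner_at(i.started_at) == user),
            key=lambda i: i.run_number,
        )

    def route_overdue_task(self, now: int) -> str:
        """Who receives a task that was not completed on time."""
        return self.escalation_reviewer or self.owner_at(now)


def demo() -> dict:
    """Constructed scenario: 'ra.jones' starts a review at t=0 with no owner,
    ownership moves to 'owner.smith' at t=100, runs happen at t=50 and t=150."""
    review = ReviewDefinition("q-access-review", initiated_by="ra.jones", created_at=0)
    runs = [
        ReviewInstance("q-access-review", 1, started_at=50),
        ReviewInstance("q-access-review", 2, started_at=150),
    ]
    overdue_before = review.route_overdue_task(now=60)  # no escalation reviewer yet
    review.assign_owner("owner.smith", effective_from=100)
    review.escalation_reviewer = "esc.lee"
    return {
        "default_owner": review.owner_at(50),
        "owner_after_change": review.owner_at(150),
        "previous_owner_sees": [r.run_number for r in review.visible_instances("ra.jones", runs)],
        "new_owner_sees": [r.run_number for r in review.visible_instances("owner.smith", runs)],
        "both_keep_access": (review.can_access_review("ra.jones"),
                             review.can_access_review("owner.smith")),
        "overdue_before_escalation": overdue_before,
        "overdue_with_escalation": review.route_overdue_task(now=160),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the split in `visible_instances`: the previous owner never sees instance 2 and the new owner never sees instance 1, even though `can_access_review` is true for both, which is the behaviour to check when reconciling who could have seen a given review run.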
The Reviewer authorization reviews sets of access permissions or memberships as part of a review run. This authorization can:
Decide whether to keep, modify, or remove access privileges for a user under review
Decide whether to keep or remove the business role membership for a user under review
Change the reviewer for any assigned review items
View user, permission, application, and account details in the context of the review
View a history of review decisions in the context of the review
Edit review decisions before submitting them
For more information about assigning reviewers, see Section 21.8, Specifying Reviewers.
The SoD Policy Owner is responsible for managing assigned Separation of Duties policies. This authorization can:
Manage assigned policies
Manage violation cases for assigned policies