1.2 Identity Applications Administration

You can manage the following tasks with an appropriate Administrator role:

  • Create and manage roles, resources and their assignments.

  • Set the Separation of Duties (SoD) constraints to avoid conflicts between two different roles in the system.

  • Configure the ability for users to approve permission requests through email.

  • Configure the default settings of your identity applications components such as roles, resources, and delegation.

For more information on each identity applications administration option, see:

1.2.1 Understanding Roles

A role represents a set of permissions that allows you to perform defined activities using identity applications. A role can be mapped to one or more roles, resources, and entitlements from different connected systems. You can assign any role to any user in your organization.

Identity Manager Dashboard allows you to create and manage roles in your organization.

Administration > Roles

You can map role assignments to resources within a company, such as user accounts, computers, and databases. For more information, see Section 15.0, Creating and Managing Resources.

You can modify the default settings for roles and their operations in the system, which helps you control how roles are created and managed.

Administration > Configuration > Roles and Resources

For more information, see Configuring Default Roles Settings.

1.2.2 Understanding Resources

A resource is any digital entity such as a user account, computer, or database that a business user needs to be able to access.

Each entitlement is mapped to a resource. A resource definition can have no more than one entitlement bound to it. A resource definition can be bound to the same entitlement more than once, with different entitlement parameters for each resource.

Identity Manager Dashboard allows you to create and manage resources in your organization.

Administration > Resources

For more information, see Section 14.0, Creating and Managing Roles.

You can view the default settings for resources and their operations in the system, which control how resources are created and managed.

Administration > Configuration > Roles and Resources

For more information, see Configuring Default Resource Settings.

1.2.3 Understanding Separation of Duties

Separation of duties (SoD) policies help you manage potential conflicts between role assignments. For example, your organization might have two or more roles that could create security problems when assigned to the same individual. When a user requests one of these roles while already having a conflicting role, or requests two or more conflicting roles, the identity applications respond according to the SoD policies. For more information, see Section 19.0, Separation of Duties Constraints.
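
The two conflict cases described above can be modeled as a small check. This is an added illustration, not Identity Manager code or its API: the role names, the ROLE_MAP and SOD_CONSTRAINTS data, and the choice to evaluate conflicts through roles that a role is mapped to are all assumptions made for the example.

```python
# Added illustration: a minimal model of an SoD check, not Identity Manager code.
from itertools import combinations

# Constructed sample data (hypothetical role names).
ROLE_MAP = {  # role -> roles it is mapped to (child roles)
    "Finance Manager": {"Invoice Approver"},
    "Procurement Lead": {"Purchase Requester"},
}
SOD_CONSTRAINTS = {  # unordered pairs of conflicting roles
    frozenset({"Invoice Approver", "Purchase Requester"}),
    frozenset({"Auditor", "Finance Manager"}),
}


def expand(roles, role_map=ROLE_MAP):
    """Return the given roles plus every role reachable through role mappings."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_map.get(role, ()))
    return seen


def sod_conflicts(held, requested, constraints=SOD_CONSTRAINTS):
    """Return the sorted conflicting pairs that granting `requested` would create."""
    held_eff = expand(held)
    # Only roles the user does not already hold can introduce a new conflict.
    new_eff = expand(requested) - held_eff
    conflicts = set()
    # Case 1: a requested role conflicts with one the user already holds.
    for new in new_eff:
        for old in held_eff:
            if frozenset({new, old}) in constraints:
                conflicts.add(tuple(sorted((new, old))))
    # Case 2: two roles in the same request conflict with each other.
    for a, b in combinations(sorted(new_eff), 2):
        if frozenset({a, b}) in constraints:
            conflicts.add((a, b))
    return sorted(conflicts)
```

An empty result means the request creates no new conflict under this model; how a detected conflict is handled is decided by the SoD policy itself.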

1.2.4 Understanding Email-based Approval

Identity applications can send an email notifying users that they need to review a permission request. The notification can include action links that correspond to Approve and Reject so users can respond to the request. Email-based approvals also support digital signatures to ensure authentication of the message content.

You enable email-based approvals and configure your Provisioning Request Definitions to support the feature.

Administration > Email Based Approval

For more information, see the following sources:

1.2.5 Understanding Controlled Permission Reconciliation Services

Identity applications enable a resource administrator to publish all connected system permission assignments to the Identity Manager Resource Catalog through the Controlled Permission Collection and Reconciliation Service (CPRS). CPRS helps keep the Resource Catalog up to date with connected system permissions at any point in time. For ease of use, CPRS is integrated with the identity applications user interface.

Administration > Permission Reconciliation

For more information, see Section 20.0, Using Controlled Permission Reconciliation Services.