1.3 Providing Role-Based Access to Users

Provisioning involves automating the process of adding, modifying and deleting users and their attributes. This covers users’ profile attributes as well as their role memberships and the associated access rights. Identity Manager lets you provision users based on their roles in the organization.

You define the roles and make the assignments according to your organizational needs. When a user is assigned to a role, Identity Manager provisions the user with access to the resources associated with the role. Users that have multiple roles receive access to the resources associated with all of the roles, as shown in the following illustration:

You can have users automatically added to roles as a result of events that occur in your organization. For example, you might add to your SAP HR database a new user with the job title of Attorney. If approval is required for adding a user to a role, you can establish workflows to route role requests to the appropriate approvers. You can also manually assign users to roles.

In some cases, certain roles should not be assigned to the same person because the roles conflict. Identity Manager provides Separation of Duties functionality that lets you prevent users from being assigned to conflicting roles unless someone in your organization makes an exception for the conflict.

Because role assignments determine a user’s access to resources within your organization, ensuring correct assignments is critical. Incorrect assignments could jeopardize compliance with both corporate and government regulations.
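
The role model and the Separation of Duties rule described above can be illustrated with a short conceptual sketch. This is an added example, not Identity Manager code or its API; every role, resource, user and approver name in it is constructed, and the `Directory` class is hypothetical. It shows access as the union of all assigned roles' resources, a conflicting assignment being refused until an exception is approved, and an audit that lists the conflicts users hold together with who approved them.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from Identity Manager): role -> resources it grants.
ROLE_RESOURCES = {
    "Attorney": {"case-files", "legal-research-db"},
    "Accounts-Payable": {"erp-payments"},
    "Vendor-Admin": {"erp-vendor-master"},
}
# Constructed SoD constraints: role pairs one person should not hold together.
SOD_CONFLICTS = {frozenset({"Accounts-Payable", "Vendor-Admin"})}


class SodViolation(Exception):
    """Raised when an assignment would create an unapproved role conflict."""


@dataclass
class Directory:
    roles: dict = field(default_factory=dict)       # user -> set of roles
    exceptions: dict = field(default_factory=dict)  # (user, role pair) -> approver

    def approve_exception(self, user, role_a, role_b, approver):
        # Record who accepted the conflict so the exception is auditable.
        self.exceptions[(user, frozenset({role_a, role_b}))] = approver

    def assign(self, user, role):
        if role not in ROLE_RESOURCES:
            raise KeyError(f"unknown role: {role}")
        held = self.roles.setdefault(user, set())
        for other in held:
            pair = frozenset({role, other})
            if pair in SOD_CONFLICTS and (user, pair) not in self.exceptions:
                raise SodViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)  # only reached when no unapproved conflict exists

    def effective_access(self, user):
        # A user with several roles gets the union of every role's resources.
        return set().union(*(ROLE_RESOURCES[r] for r in self.roles.get(user, ())))

    def audit(self):
        # List conflicts actually held and their approver (None = unapproved).
        found = []
        for user, held in self.roles.items():
            for pair in SOD_CONFLICTS:
                if pair <= held:
                    approver = self.exceptions.get((user, pair))
                    found.append((user, tuple(sorted(pair)), approver))
        return found
```

Running `audit()` periodically catches conflicts introduced outside `assign()`, for example by a bulk import that writes role memberships directly.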