1.1 How Role Mapping Works

The Role Mapping Administrator is one part of the Novell role mapping solution. It depends on the proper installation and configuration of all role mapping components. The role mapping process is explained in Figure 1-1.

Figure 1-1 How the Role Mapping Administrator Works

  1. The Role Mapping Administrator connects to the Identity Vault and reads the Identity Manager roles stored in the vault.

  2. The Role Mapping Administrator retrieves the managed system authorizations by using the managed system driver to query the managed systems. The retrieved managed system authorizations are added to the Role Mapping Administrator database.

  3. A user of the Role Mapping Administrator maps authorizations to one or more Identity Manager roles. When an authorization is mapped to a role, a resource is created (or updated) to reflect the authorization mapping, and the role is updated in the Identity Vault to refer to that resource.

    IMPORTANT: In earlier versions of the Role Mapping Administrator, roles were mapped directly to authorizations. From this release onward, resources are introduced: roles are mapped to resources, which in turn are mapped to authorizations. When you create a mapping between a role and an entitlement/authorization, the resource is created automatically in the Role Mapping Administrator.

    Resources allow end users to request provisioning of authorizations for themselves or for users they have a relationship with. With Role Mapping Administrator 1.0, users could not see what they had requested or the status of those requests; an interface that conveys this information is critical to the success of the product. Resources also give administrators better control over the management of user access to entitlements/authorizations, ensuring that the right people have the right access to the right resources.

  4. A user is assigned the role in the Roles Based Provisioning Module, at which point the Role Service driver grants the user an entitlement for each managed system authorization that is mapped to the role.

  5. The managed system driver responds to the entitlement grant by initiating the authorization assignment in the managed system.
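The five steps above can be followed on a small in-memory model. The following is an added illustration, not Novell code: the Vault class, the "system:name" resource naming scheme, the sample roles and authorizations, and the assumption that removing a role revokes only authorizations no remaining role still maps are all constructed for the example. It shows the role -> resource -> authorization indirection introduced in step 3, the entitlement grants produced by a role assignment in step 4, and why a resource shared by two roles must not be revoked while the user still holds one of them.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Authorization:
    """One authorization in a managed system (sample values are constructed)."""
    system: str   # managed system, e.g. "SAP" or "AD"
    name: str     # the authorization itself, e.g. a profile or group name


@dataclass
class Vault:
    """Toy stand-in for the Identity Vault plus the RMA database (an assumption)."""
    # role name -> resource names the role is mapped to (step 3)
    roles: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    # resource name -> the authorization it wraps (one resource per authorization)
    resources: dict[str, Authorization] = field(default_factory=dict)
    # user -> roles currently assigned (step 4)
    assignments: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    # user -> authorizations the managed system driver has been told to grant (step 5)
    granted: dict[str, set[Authorization]] = field(default_factory=lambda: defaultdict(set))


def map_authorization(vault: Vault, role: str, auth: Authorization) -> str:
    """Step 3: mapping an authorization to a role creates (or reuses) a resource
    and links the role to that resource, never to the authorization directly."""
    resource = f"{auth.system}:{auth.name}"   # naming scheme is an assumption
    vault.resources.setdefault(resource, auth)
    vault.roles[role].add(resource)
    return resource


def authorizations_for(vault: Vault, roles) -> set[Authorization]:
    """Resolve role -> resource -> authorization for a collection of roles."""
    return {vault.resources[r] for role in roles for r in vault.roles.get(role, ())}


def assign_role(vault: Vault, user: str, role: str) -> list[Authorization]:
    """Steps 4 and 5: assigning a role yields one entitlement grant per mapped
    authorization the user does not already hold through another role."""
    vault.assignments[user].add(role)
    new = authorizations_for(vault, {role}) - vault.granted[user]
    vault.granted[user] |= new
    return sorted(new)


def revoke_role(vault: Vault, user: str, role: str) -> list[Authorization]:
    """Removing a role revokes only authorizations that no remaining role still
    maps (behaviour assumed for this model, not a statement about the product)."""
    vault.assignments[user].discard(role)
    still_needed = authorizations_for(vault, vault.assignments[user])
    revoked = vault.granted[user] - still_needed
    vault.granted[user] -= revoked
    return sorted(revoked)


def demo() -> dict:
    """Walk the procedure on constructed sample data and return each step's result."""
    vault = Vault()
    sap_fi = Authorization("SAP", "FI_ANALYST")     # constructed
    ad_fin = Authorization("AD", "Finance-Share")    # constructed
    map_authorization(vault, "Finance Analyst", sap_fi)
    map_authorization(vault, "Finance Analyst", ad_fin)
    map_authorization(vault, "Auditor", ad_fin)      # same resource reused by a second role
    out = {}
    out["resources"] = sorted(vault.resources)
    out["grant_fin"] = assign_role(vault, "alice", "Finance Analyst")   # two grants
    out["grant_aud"] = assign_role(vault, "alice", "Auditor")           # nothing new
    out["revoke_fin"] = revoke_role(vault, "alice", "Finance Analyst")  # only SAP goes
    out["left"] = sorted(vault.granted["alice"])
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The check worth carrying into a real deployment is the one in revoke_role: because a resource can be mapped from several roles, removing one role assignment must be reconciled against every role the user still holds before the managed system driver is told to revoke anything.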