1.3 Roles and Attestation

Users often require access to resources based upon their roles in the organization. For example, a law firm’s attorneys might require access to a different set of resources than the firm’s paralegals.

Identity Manager lets you provision users based on their roles in the organization. You define the roles and make the assignments according to your organizational needs. When a user is assigned to a role, Identity Manager provisions the user with access to the resources associated with the role. If a user is assigned multiple roles, he or she receives access to the resources associated with all of the roles, as shown in the following illustration:

Figure 1-7 Role-Based Provisioning of Resources

You can have users automatically added to roles as a result of events that occur in your organization (for example, a new user with the job title of Attorney being added to your SAP HR database). If approval is required for a user to be added to a role, you can establish workflows to route role requests to the appropriate approvers. You can also manually assign users to roles.

In some cases, certain roles should not be assigned to the same person because the roles conflict. Identity Manager provides Separation of Duties functionality that lets you prevent users from being assigned to conflicting roles unless someone in your organization makes an exception for the conflict.

Because role assignments determine a user’s access to resources within your organization, ensuring correct assignments is critical. Incorrect assignments could jeopardize compliance with both corporate and government regulations. Identity Manager helps you validate the correctness of your role assignments through an attestation process. Using this process, responsible individuals within your organization certify the data associated with roles:

These attestation reports are designed primarily to help you ensure that role assignments are accurate and that there are valid reasons for allowing exceptions for conflicting roles.
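The three mechanisms above (resource access as the union of a user's roles, Separation of Duties with approved exceptions, and an attestation report that a reviewer certifies) in one small model. This is an added illustration, not Identity Manager's own code: the role names, resources, SoD constraint and approver are constructed for the example.

```python
"""Toy model of role-based provisioning, Separation of Duties (SoD) and
attestation. Illustrative only: not Identity Manager code; all names and
data below are constructed for the example."""
from dataclasses import dataclass, field

# Constructed sample data: the resources each role grants.
ROLE_RESOURCES = {
    "Attorney": {"case-files", "billing", "legal-research"},
    "Paralegal": {"case-files", "document-management"},
    "Billing Approver": {"billing-approval"},
}

# Constructed SoD constraint: nobody should both submit and approve bills.
SOD_CONFLICTS = {frozenset({"Attorney", "Billing Approver"})}


@dataclass
class Directory:
    assignments: dict = field(default_factory=dict)  # user -> set of roles
    exceptions: dict = field(default_factory=dict)   # (user, conflict) -> approver

    def assign_role(self, user, role, approver=None):
        """Add a role; refuse a SoD conflict unless an approver grants an exception."""
        current = self.assignments.setdefault(user, set())
        for other in current:
            conflict = frozenset({role, other})
            if conflict in SOD_CONFLICTS:
                if approver is None:
                    raise ValueError(f"SoD conflict for {user}: {role} vs {other}")
                self.exceptions[(user, conflict)] = approver
        current.add(role)

    def provision(self, user):
        """Resources the user receives: the union across all assigned roles."""
        return set().union(*(ROLE_RESOURCES[r] for r in self.assignments.get(user, ())))

    def attestation_report(self):
        """What a reviewer certifies: each user's roles plus any SoD exceptions."""
        return {
            user: {
                "roles": sorted(roles),
                "exceptions": [
                    {"conflict": sorted(c), "approved_by": who}
                    for (u, c), who in self.exceptions.items() if u == user
                ],
            }
            for user, roles in self.assignments.items()
        }
```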